Cloudflare recommends two tunnels for each ISP and network location router combination, one per Cloudflare endpoint. Shortly after your onboarding kickoff call, Cloudflare will assign two Cloudflare endpoint addresses that you can use as the tunnel destinations on your network location's routers/endpoints.

Before you begin

Before creating a tunnel, make sure you have the following information:

Cloudflare endpoint addresses: Provided by Cloudflare after your onboarding kickoff call.

Customer endpoint IP: A public Internet routable IP address outside of the prefixes Cloudflare will advertise on your behalf (typically provided by your ISP). Not required if using Cloudflare Network Interconnect or for IPsec tunnels (unless your router uses an IKE ID of type ID_IPV4_ADDR).

Interface address: A /31 (recommended) or /30 subnet from RFC 1918 private IP space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or 169.254.240.0/20 (this address space is also a link-local address).

Warning: Make sure the interface address prefixes are always within the allowed Cloudflare ranges, especially for cloud service providers that might automatically generate prefixes for you. Otherwise, the tunnel will not work.

Ways to onboard traffic to Cloudflare

GRE and IPsec tunnels

You can use GRE or IPsec tunnels to onboard your traffic to Cloudflare WAN, and set them up through the Cloudflare dashboard or the API. If you use the API, you need your account ID and API key.

Choose between GRE and IPsec

| Feature | GRE | IPsec |
| --- | --- | --- |
| Encryption | No | Yes |
| Authentication | No | Pre-shared key (PSK) |
| Setup complexity | Simpler | Requires PSK exchange |
| Best for | Trusted networks, CNI connections | Internet-facing connections requiring encryption |

Refer to Tunnels and encapsulation to learn more about the technical requirements for both tunnel types.

IPsec supported ciphers

Refer to supported ciphers for IPsec for a complete list. IPsec tunnels only support Internet Key Exchange version 2 (IKEv2).

Anti-replay protection

If you use Cloudflare WAN and anycast IPsec tunnels, we recommend disabling anti-replay protection. Cloudflare disables this setting by default. However, you can enable it through the API or the Cloudflare dashboard for devices that do not support disabling it, including Cisco Meraki, Velocloud, and AWS VPN Gateway.

Refer to Anti-replay protection for more information on this topic, or Add IPsec tunnels to learn how to enable this feature.

Network Interconnect (CNI)

Beyond GRE and IPsec tunnels, you can also use Network Interconnect (CNI) to onboard your traffic to Cloudflare WAN. Refer to Network Interconnect (CNI) for more information.

Add tunnels

Warning: Cloudflare Network Firewall rules apply to Internet Control Message Protocol (ICMP) traffic. If you enable Cloudflare Network Firewall, ensure your rules allow ICMP traffic sourced from Cloudflare public IPs. Otherwise, health checks will fail. Refer to Cloudflare Network Firewall rules for more information.

Bidirectional vs unidirectional health checks

To check for tunnel health, Cloudflare sends a health check probe consisting of ICMP (Internet Control Message Protocol) reply packets to your network. Cloudflare needs to receive these probes to know if your tunnel is healthy.

Cloudflare defaults to bidirectional health checks for Cloudflare WAN, and unidirectional health checks for Magic Transit (direct server return). However, routing unidirectional ICMP reply packets over the Internet to Cloudflare is sometimes subject to drops by intermediate network devices, such as stateful firewalls. Magic Transit customers with egress traffic can modify this setting to bidirectional.

Legacy bidirectional health checks

For customers using the legacy health check system with a public IP range, Cloudflare recommends:

Configuring the tunnel health check target IP address to one within the 172.64.240.252/30 prefix range.

Applying a policy-based route that matches packets with a source IP address equal to the configured tunnel health check target (for example 172.64.240.253/32), and routes them over the tunnel back to Cloudflare.
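A pre-flight check for the "Before you begin" values and the legacy health check target, as an added example (not Cloudflare's own code): it confirms that a proposed interface address is a /31 or /30 inside RFC 1918 space or 169.254.240.0/20 (the case the interface address warning describes for auto-generated cloud prefixes), that the customer endpoint is routable and outside the prefixes Cloudflare advertises for you, and that the health check target sits in 172.64.240.252/30. The routability test relies on a hand-written list of non-routable ranges rather than the full IANA special-purpose registry; that list is an assumption of this example.

```python
import ipaddress

# Ranges the page allows for the tunnel interface address: RFC 1918 plus 169.254.240.0/20.
ALLOWED_INTERFACE_RANGES = [ipaddress.ip_network(n) for n in
                            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.240.0/20")]
# Ranges that are never Internet routable and so cannot serve as the customer endpoint
# (RFC 1918, "this network", CGNAT, loopback, link-local, multicast, reserved). Assumed list;
# documentation ranges such as 203.0.113.0/24 are deliberately left out so constructed samples pass.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
                 "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# Range the legacy bidirectional health check target must fall inside.
LEGACY_HEALTH_CHECK_RANGE = ipaddress.ip_network("172.64.240.252/30")


def check_interface_address(cidr):
    """Problems with a proposed tunnel interface subnet; an empty list means it is acceptable."""
    net = ipaddress.ip_network(cidr, strict=False)
    problems = []
    if net.prefixlen not in (31, 30):
        problems.append(f"{cidr}: prefix length must be /31 (recommended) or /30")
    if not any(net.subnet_of(allowed) for allowed in ALLOWED_INTERFACE_RANGES):
        problems.append(f"{cidr}: outside RFC 1918 space and 169.254.240.0/20")
    return problems


def check_customer_endpoint(ip, advertised_prefixes):
    """The customer endpoint must be routable and outside the prefixes Cloudflare advertises for you."""
    addr = ipaddress.ip_address(ip)
    problems = []
    if any(addr in net for net in NON_ROUTABLE):
        problems.append(f"{ip}: customer endpoint must be a public Internet routable address")
    for prefix in advertised_prefixes:
        if addr in ipaddress.ip_network(prefix, strict=False):
            problems.append(f"{ip}: lies inside advertised prefix {prefix}")
    return problems


def check_health_check_target(ip):
    """The legacy health check target must be an address within 172.64.240.252/30."""
    if ipaddress.ip_address(ip) not in LEGACY_HEALTH_CHECK_RANGE:
        return [f"{ip}: health check target must be within {LEGACY_HEALTH_CHECK_RANGE}"]
    return []


def preflight(interface_cidr, customer_ip, advertised_prefixes, health_check_target):
    """Run every check; an empty result means the inputs satisfy the requirements above."""
    return (check_interface_address(interface_cidr)
            + check_customer_endpoint(customer_ip, advertised_prefixes)
            + check_health_check_target(health_check_target))
```

Run `preflight("169.254.240.1/31", "203.0.113.10", ["198.51.100.0/24"], "172.64.240.253")` with these constructed values to see an empty result; swap in a /29 or an interface address outside the allowed ranges to see the warning case reported.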

Next steps

Now that you have set up your tunnel endpoints, you need to configure routes to direct your traffic through Cloudflare. You have two routing options:

Static routes: Best for simple, stable networks where routes rarely change. You manually define each route.

BGP peering: Best for dynamic environments with frequently changing routes, multiple prefixes, or when you need automatic failover. Requires enabling BGP on your tunnel during creation.

Refer to Configure routes for detailed instructions on both options.

After configuring your routes, you need to set up a site.

Troubleshooting

If you experience issues with your tunnels: