--- title: Yamaha RTX Router description: Integrate Yamaha RTX Router with Zero Trust networking. image: https://developers.cloudflare.com/zt-preview.png --- [Skip to content](#%5Ftop) ### Tags [ IPsec ](https://developers.cloudflare.com/search/?tags=IPsec) Was this helpful? YesNo [ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/networks/connectors/cloudflare-wan/configuration/third-party/yamaha.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) Copy page # Yamaha RTX Router This tutorial describes how to configure the Yamaha RTX840 and RTX1300 series router to connect to Cloudflare WAN (formerly Magic WAN) via IPsec tunnels. ## Testing environment These configurations were tested on the Yamaha RTX840 and RTX1300 series with the following firmware versions: * **RTX840 series**: 23.02.02 * **RTX1300 series**: 23.00.17 ## Cloudflare WAN configuration You need to add IPsec tunnels and static routes to your Cloudflare account via the Cloudflare dashboard. Before proceeding, ensure that you have the anycast IPs assigned to your account. You can find them in the Cloudflare dashboard under **Address Space** \> [**Leased IPs** ↗](https://dash.cloudflare.com/?to=/:account/ip-addresses/address-space). ### IPsec tunnels 1. Follow the [Add tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/how-to/configure-tunnel-endpoints/#add-tunnels) instructions to create the required IPsec tunnel. When creating your IPsec tunnel, make sure you define the following settings: * **Tunnel name**: Enter your tunnel name. In this example, it is `RTX840-vpn01`. * **Interface address**: Enter the internal tunnel IP on the Cloudflare side of the IPsec tunnel. In this example, it is `172.30.223.2/31`. * **Customer endpoint**: Enter the WAN IP address of your RTX router. In our example, this is `194.xx.xx.xx`. This is the fixed public IPv4 address you get from your ISP for your internet service. * **Cloudflare endpoint**: One of the Cloudflare anycast IP addresses assigned to your account. * **Health check rate**: _Medium_. * **Health check type**: _Request_. * **Health check direction**: _Bidirectional_. * **Health check target**: _Default_. * **Pre-shared key**: Select **Use my own pre-shared key** and paste a secure key of your own. * **Replay protection**: Do not check the box, to keep this disabled. 2. After you create your tunnel, the Cloudflare dashboard will load a list of tunnels set up for your account. Select the IPsec tunnel you have just created, and check the following setting: * **FQDN ID**: Copy this ID and save it. You will need it when configuring the IPsec tunnel on your RTX router. ### Static routes Static routes are required for any networks that will be reached via the IPsec tunnel. In our example, there is one network: `172.16.2.0/24`. Follow the [Configure static routes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/how-to/configure-routes/) instructions to create a static route (settings not mentioned here can be left with their default values): * **Description**: `RTX840-lan01` * **Prefix**: `172.16.2.0/24` * **Tunnel/Next hop**: _RTX840-vpn01_ ## RTX router configuration Use the CLI to configure these settings. ### Route settings ``` ip route default gateway tunnel 1 ip route gateway ip route < ISP's DNS server IP > gateway ``` ### LAN settings ``` ip lan1 address 172.16.2.254/24 ``` ### Wired WAN settings ``` ip lan2 address 194.xx.xx.xx/29 ip lan2 nat descriptor 1000 ``` ### IPsec VPN main side settings ``` tunnel select 1 ipsec tunnel 1 ipsec sa policy 1 1 esp aes256-cbc sha256-hmac anti-replay-check=off ipsec ike version 1 2 ipsec ike duration ipsec-sa 1 3600 ipsec ike duration isakmp-sa 1 28800 ipsec ike encryption 1 aes256-cbc ipsec ike group 1 modp2048 ipsec ike hash 1 sha256 ipsec ike keepalive log 1 off ipsec ike keepalive use 1 on rfc4306 10 6 ipsec ike local address 1 194.xx.xx.xx ipsec ike log 1 key-info message-info payload-info ipsec ike local name 1 fqdn ipsec ike pfs 1 on ipsec ike proposal-limitation 1 on ipsec ike pre-shared-key 1 text ipsec ike remote address 1 ipsec ike remote name 1 ipv4-addr ip tunnel address 172.30.223.3/31 ip tunnel tcp mss limit auto tunnel enable 1 ipsec auto refresh on ! Note: 172.30.223.3/31 is internal tunnel IP on the RTX side. ``` Explain Code ### NAT settings ``` nat descriptor type 1000 masquerade nat descriptor address outer 1000 primary nat descriptor masquerade static 1000 1 194.xx.xx.xx udp 500 nat descriptor masquerade static 1000 2 194.xx.xx.xx esp ``` ### DHCP settings ``` dhcp service server dhcp server rfc2131 compliant except remain-silent dhcp scope 1 172.16.2.2-172.16.2.191/24 ``` ### DNS settings ``` dns host lan1 dns server select 1 any . dns private address spoof on ``` ## Connection test In the Yamaha RTX router CLI, you can run `show ipsec sa` and `show status tunnel` to check the status of the IPsec VPN. ### `show ipsec sa` ``` Total: isakmp:1 send:1 recv:1 sa sgw isakmp connection dir life[s] remote-id ------------------------------------------------------------------------------------------ 1 1 - ike - 27384 (Cloudflare Anycast IP) 2 1 1 tun[0001]esp send 2185 (Cloudflare Anycast IP) 3 1 1 tun[0001]esp recv 2185 (Cloudflare Anycast IP) ``` Explain Code ### `show status tunnel 1` ``` TUNNEL[1]: Description: Interface type: IPsec Current status is Online. from 2025/12/08 13:14:20. 20 minutes 56 seconds connection. Maximum Transmission Unit(MTU): IPv4: 1280 octets IPv6: 1280 octets Received: (IPv4) 171847 packets [58823472 octets] (IPv6) 0 packet [0 octet] Transmitted: (IPv4) 154224 packets [19191955 octets] (IPv6) 0 packet [0 octet] IKE keepalive: [Type]: rfc4306 [Status]: OK [Next send]: 1 sec after ``` Explain Code ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/networks/","name":"Networks"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/networks/connectors/","name":"Connectors"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/networks/connectors/cloudflare-wan/","name":"Cloudflare WAN"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/networks/connectors/cloudflare-wan/configuration/","name":"Configuration"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/networks/connectors/cloudflare-wan/configuration/third-party/","name":"Third-party integration"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/networks/connectors/cloudflare-wan/configuration/third-party/yamaha/","name":"Yamaha RTX Router"}}]} ```