This guide provides information and examples of how to configure Cloudflare WAN (formerly Magic WAN) with Internet Protocol Security (IPsec) tunnels in conjunction with Fortinet FortiGate firewalls.
The FortiGate configuration settings presented here support bidirectional health checks as required by Cloudflare WAN. However, they do not factor in any other traffic flows outside of the tunnel health checks. The configuration may need to be adjusted based on your current FortiGate configuration.
Testing Environment
The FortiGate configuration was tested on two different FortiGate firewalls:
FortiGate Virtual Appliance version 7.0.8, running on VMware ESXi 6.5
FortiGate FG80F, version 7.0.12
Cloudflare WAN configuration
To set up Cloudflare WAN, add IPsec tunnels and static routes to your Cloudflare account using the dashboard or API.
Before proceeding, ensure that you have the anycast IPs associated with your account. Check with your Cloudflare account team if you do not yet have them.
IPsec Tunnels
Cloudflare recommends customers configure two IPsec tunnels per firewall/router - one to each of the two anycast IP addresses.
Follow the Add tunnels instructions to create the required IPsec tunnels with the following options:
Health check type: Change to Request.
Replay Protection: Do not change from the default setting.
Static routes
Add two static routes to define the IP address space that exists behind the IPsec tunnels - one to each of the two IPsec tunnels defined in the previous section.
By default, the static routes are defined with the priority set to 100. Cloudflare leverages Equal Cost Multipath Routing (ECMP) and will load balance the traffic equally across the two tunnels. If you prefer to use an Active/Passive model, you can leave the default value for the first route set to 100, and set the value for the second tunnel to 150 (higher value is a lower priority).
For the first route, ensure the following settings are defined:
Prefix: Specify the RFC1918 subnet that exists behind the first IPsec tunnel you have defined in the previous section.
Tunnel/Next hop: Select your first tunnel (Tunnel 01 of 02).
For the second route, ensure the following settings are defined:
Prefix: Specify the RFC1918 subnet that exists behind the second IPsec tunnel defined in the previous section.
Tunnel/Next hop: Select your second tunnel (Tunnel 02 of 02).
Fortinet FortiGate configuration
Enable asymmetric routing
Enable asymmetric routing for ICMP to ensure health checks work as expected. This option is required. Otherwise, the tunnel health checks, which are critical for proper Cloudflare WAN functionality, will not work as designed.
For route-based IPsec configurations, you will need to disable anti-replay protection. The following command disables anti-replay protection globally, but you can also do this per firewall policy. Refer to Fortinet's documentation on anti-replay support per policy to learn more.
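The two settings described above, written out as an added FortiOS 7.0 CLI example (not copied from the original page); the per-policy alternative in the trailing comment assumes a policy ID you substitute.

```fortios
# Let ICMP replies leave on a different tunnel than the request arrived on.
# Without this the Cloudflare WAN tunnel health checks do not work.
config system settings
    set asymroute-icmp enable
end

# Disable anti-replay checking globally for route-based IPsec.
config system global
    set anti-replay disable
end

# Alternative: disable it only on the policies that carry tunnel traffic.
# <policy-id> is a placeholder for the ID of an existing firewall policy.
# config firewall policy
#     edit <policy-id>
#         set anti-replay disable
#     next
# end
```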
IPsec tunnels
IPsec tunnels leverage a route-based site-to-site Virtual Private Network (VPN) model. This model relies on the use of virtual tunnel interfaces and routing to define the traffic that flows across the IPsec tunnels.
Configure two IPsec tunnels using the phase1-interface and phase2-interface objects.
The following examples assume wan1 is the external/egress interface of the FortiGate firewall.
Add Phase 1 interfaces
MWAN_IPsec_Tun1 corresponds to Tunnel 01 of 02 and MWAN_IPsec_Tun2 corresponds to Tunnel 02 of 02, both added earlier in the Cloudflare section of the configuration.
Add Phase 2 interfaces
Add two phase2-interfaces - one for each of the two phase1-interfaces as follows:
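Added example (not the page's own configuration) of the two phase1-interface and two phase2-interface objects described above. The anycast addresses 203.0.113.10 and 203.0.113.11, the PSK placeholders, and the aes256-sha256/DH group 14 proposal are assumptions: replace them with the Cloudflare endpoint addresses, pre-shared keys, and ciphers shown on your Cloudflare tunnels.

```fortios
# Phase 1: one IKEv2 gateway per Cloudflare anycast IP, bound to wan1.
# "set net-device enable" creates a virtual tunnel interface of the same name.
config vpn ipsec phase1-interface
    edit "MWAN_IPsec_Tun1"
        set interface "wan1"
        set ike-version 2
        set net-device enable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret "REPLACE_WITH_TUNNEL_01_PSK"
    next
    edit "MWAN_IPsec_Tun2"
        set interface "wan1"
        set ike-version 2
        set net-device enable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.11
        set psksecret "REPLACE_WITH_TUNNEL_02_PSK"
    next
end

# Phase 2: one child SA per phase 1. Traffic selectors are left at their
# open defaults because routing, not the selector, decides what enters a tunnel.
config vpn ipsec phase2-interface
    edit "MWAN_IPsec_Tun1_P2"
        set phase1name "MWAN_IPsec_Tun1"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
    next
    edit "MWAN_IPsec_Tun2_P2"
        set phase1name "MWAN_IPsec_Tun2"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
    next
end
```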
Network interfaces
Virtual tunnel interfaces
Configure the virtual tunnel interfaces that were automatically added when set net-device enable was specified within the phase1-interface settings.
These are the only settings that should need to be added to the virtual tunnel interfaces:
ip: The local IP address (specify with a /32 netmask - 255.255.255.255).
remote-ip: The value associated with the interface address specified earlier in the IPsec tunnels section (specify with a /31 netmask - 255.255.255.254).
alias: This value is optional.
Validate communication across virtual tunnel interfaces
Once the virtual tunnel interfaces have been configured, you should be able to ping the IP address associated with the remote-ip attribute.
The following examples show successful results from pinging across both virtual tunnel interfaces:
MWAN_IPsec_Tun1
MWAN_IPsec_Tun2
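Added example (not the page's own output) of the virtual tunnel interface settings listed above and the ping validation that follows them. The 10.252.2.x addresses are constructed: .21 and .23 are the local /32 addresses, .20 and .22 the Cloudflare-side /31 interface addresses; substitute the interface addresses from your Cloudflare tunnels.

```fortios
# Virtual tunnel interfaces created by "set net-device enable" in phase 1.
# Only ip, remote-ip and (optionally) alias need to be set.
config system interface
    edit "MWAN_IPsec_Tun1"
        set ip 10.252.2.21 255.255.255.255
        set remote-ip 10.252.2.20 255.255.255.254
        set alias "Cloudflare Tunnel 01 of 02"
    next
    edit "MWAN_IPsec_Tun2"
        set ip 10.252.2.23 255.255.255.255
        set remote-ip 10.252.2.22 255.255.255.254
        set alias "Cloudflare Tunnel 02 of 02"
    next
end

# Validate each tunnel: source the ping from the local tunnel address so it
# is forced across that tunnel, then target the matching remote-ip.
execute ping-options source 10.252.2.21
execute ping 10.252.2.20
execute ping-options source 10.252.2.23
execute ping 10.252.2.22
# Return the ping source to its default afterwards.
execute ping-options source auto
```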
Zone objects (optional)
This sample configuration assumes there are three zones configured on the FortiGate firewall. These zone objects are used in the policies referenced later in this document:
Trust_Zone: Contains the LAN interface(s).
Untrust_Zone: Contains the WAN interface.
Cloudflare_Zone: Contains both IPsec Tunnel interfaces.
Create an Address Object that contains all Cloudflare IPv4 subnets. Copy and paste the following CLI commands into an SSH terminal to create the objects automatically:
Add security policy
Add a firewall rule to permit the ICMP traffic associated with the reply-style bidirectional health checks.
Policy-based routing
Add policy-based routing rules to ensure traffic associated with bidirectional health checks received over an IPsec tunnel returns across the same tunnel.
Add two policy-based routing rules, one for each of the two IPsec tunnels.
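Added example (not the page's own configuration) covering the zone object, the Cloudflare address group, the health-check security policy and the two policy-based routes described above. Assumptions: Trust_Zone and Untrust_Zone are built the same way from your LAN and WAN interfaces and are omitted; 198.51.100.0/24 is a placeholder for one Cloudflare prefix, with one address object per prefix published at https://www.cloudflare.com/ips added to the group.

```fortios
# Zone grouping both tunnel interfaces.
config system zone
    edit "Cloudflare_Zone"
        set interface "MWAN_IPsec_Tun1" "MWAN_IPsec_Tun2"
    next
end
# Cloudflare IPv4 ranges: one address object per published prefix, all grouped.
config firewall address
    edit "Cloudflare_IPv4_1"
        set subnet 198.51.100.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "Cloudflare_IPv4"
        set member "Cloudflare_IPv4_1"
    next
end
# Permit the ICMP health checks that arrive over either tunnel and are
# forwarded back towards Cloudflare (tunnel in, tunnel out).
config firewall policy
    edit 0
        set name "Cloudflare_Health_Checks"
        set srcintf "Cloudflare_Zone"
        set dstintf "Cloudflare_Zone"
        set srcaddr "Cloudflare_IPv4"
        set dstaddr "Cloudflare_IPv4"
        set action accept
        set schedule "always"
        set service "PING"
    next
end
# Policy routes: ICMP (protocol 1) that entered one tunnel exits that same
# tunnel instead of following the ECMP route table.
config router policy
    edit 1
        set input-device "MWAN_IPsec_Tun1"
        set srcaddr "Cloudflare_IPv4"
        set dstaddr "Cloudflare_IPv4"
        set protocol 1
        set output-device "MWAN_IPsec_Tun1"
    next
    edit 2
        set input-device "MWAN_IPsec_Tun2"
        set srcaddr "Cloudflare_IPv4"
        set dstaddr "Cloudflare_IPv4"
        set protocol 1
        set output-device "MWAN_IPsec_Tun2"
    next
end
```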
Monitor Cloudflare IPsec tunnel health checks
The Cloudflare dashboard monitors the health of all anycast tunnels on your account that route traffic from Cloudflare to your origin network. Refer to Check tunnel health in the dashboard for more information.
Troubleshooting
Packet Capture
Packet captures help determine whether the policy-based routing rules are working as expected.
Traffic ingressing Tunnel 01 of 02 should egress the same tunnel, as shown in the following example:
Conversely, traffic ingressing Tunnel 02 of 02 should egress the same tunnel:
Flow Debugging
Flow debugging helps determine whether traffic is ingressing/egressing the firewall via the expected path. It provides more detail than the sniffer packet captures in the previous section, but creates substantial logging and should only be enabled when absolutely necessary.
Additionally, customers will likely need to contact Fortinet technical support for assistance with interpreting the flow debug logs, as well as to obtain recommendations in terms of how to configure FortiGate to ensure flows are routed correctly based on the application's requirements.
Disable Flow Debugging
The typical use of CTRL + C will not stop Flow Debugging.
You can disable Flow Debugging simply by typing the following at any point while the debug logs are scrolling by:
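Added example (not the page's own commands) of the packet capture, the scoped flow debug, and the commands that stop it, as described in the troubleshooting sections above. 198.51.100.5 is a constructed Cloudflare health-check source address; substitute one from your capture.

```fortios
# Packet capture: all interfaces, ICMP only, verbosity 4 so each line shows the
# interface the packet entered and left on, stop after 20 packets, absolute
# timestamps. Requests arriving on MWAN_IPsec_Tun1 should egress MWAN_IPsec_Tun1.
diagnose sniffer packet any 'icmp' 4 20 a

# Flow debugging: always narrow the filter first, otherwise every flow on the
# firewall is traced and the output is unusable.
diagnose debug flow filter clear
diagnose debug flow filter proto 1
diagnose debug flow filter saddr 198.51.100.5
diagnose debug flow show function-name enable
diagnose debug flow trace start 50
diagnose debug enable

# Stop: CTRL+C does not end the trace. Disable debugging, stop the trace and
# clear the filter so the next session starts clean.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
```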