strongSwan
This tutorial explains how to set up strongSwan along with Cloudflare WAN (formerly Magic WAN). You will learn how to configure strongSwan, configure an IPsec tunnel, and create Policy-Based Routing (PBR).
Configure the bidirectional health checks target for Cloudflare WAN. For this tutorial, use `172.64.240.252` as the target IP address and `request` as the type.
This can be set up with the API. For example:
- Install strongSwan. For example, open the console and run:
- Open `/etc/strongswan.conf` and add the following settings:
- Open `/etc/ipsec.conf` and add the following settings:
- Create a virtual tunnel interface (VTI) with the IP configured as the target for Cloudflare's health checks (`172.64.240.252`) to route IPsec packets. Open `/etc/strongswan.d/`.
- Create a script called `ipsec-vti.sh` and add the following:
Create Policy-Based Routing (PBR) to redirect returning traffic through the IPsec tunnel. Without it, the ICMP replies to the health probes sent by Cloudflare will be returned through the Internet, instead of the same IPsec tunnel.
This tutorial uses iproute2 to route IP packets from `172.64.240.252` to the tunnel interface.
- Open `/etc/iproute2/`.
- Edit the `rt_tables` file to add a routing table number and name. In this example, use `viatunicmp` as the name and `200` as the number for the routing table.
- Add a rule to match the routing table. This rule instructs the system to use routing table `viatunicmp` if the packet's source address is `172.64.240.252`:
- Add a route to the `viatunicmp` routing table. This is the default route through the interface `vti0` in the `viatunicmp` table.
- Start IPsec. You can also `stop`, `restart`, and show the `status` for the IPsec connection:
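The PBR steps above, as an added example that is not the tutorial's own script: a POSIX shell script that registers the `viatunicmp` table in `rt_tables` without duplicating it on re-runs, then adds the source rule and the default route through the VTI. The `run` wrapper, the `DRY_RUN` switch and the `main`/`apply` entry point are this example's own names; the table, interface and health-check IP come from the tutorial.

```shell
#!/bin/sh
# Added example, not the tutorial's own script. Registers the viatunicmp table
# in rt_tables (without duplicating it on re-runs) and installs the PBR rule and
# route so replies sourced from the health-check IP leave via the VTI.
set -eu

HC_IP="${HC_IP:-172.64.240.252}"      # Cloudflare health-check target (from the tutorial)
VTI_DEV="${VTI_DEV:-vti0}"             # VTI created by ipsec-vti.sh
RT_NAME="${RT_NAME:-viatunicmp}"       # routing table name from the tutorial
RT_NUM="${RT_NUM:-200}"                # routing table number from the tutorial
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-0}"                # 1 = print the ip commands instead of running them

# Execute a command, or just echo it when DRY_RUN=1 (assumed helper, not part of iproute2).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Append "<number> <name>" to rt_tables unless that name is already registered,
# so running the script twice does not leave a duplicate entry.
add_rt_table() {
    file="$1"; num="$2"; name="$3"
    if grep -qE "^[0-9]+[[:space:]]+${name}\$" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\t%s\n' "$num" "$name" >> "$file"
}

# Rule: packets whose source address is the health-check IP consult viatunicmp.
# Route: the only entry in viatunicmp is a default route through the VTI, so the
# ICMP replies go back through the IPsec tunnel instead of the Internet interface.
configure_pbr() {
    run ip rule add from "$HC_IP" table "$RT_NAME"
    run ip route add default dev "$VTI_DEV" table "$RT_NAME"
}

main() {
    add_rt_table "$RT_TABLES" "$RT_NUM" "$RT_NAME"
    configure_pbr
}

# Only apply when invoked as: sh pbr.sh apply   (the ip commands need root)
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run `sh pbr.sh apply` as root once `vti0` is up; `DRY_RUN=1 RT_TABLES=/tmp/rt_tables sh pbr.sh apply` previews the `ip` commands without touching the system.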
Use tcpdump to investigate the status of the health checks originating from Cloudflare.
In this example, the outgoing Internet interface shows that the IPsec encrypted packets (ESP) from Cloudflare's health check probes (both the request and response) are going through the IPsec tunnel.
Run tcpdump on `vti0` to check the decrypted packets.