This tutorial contains a configuration example for setting up an IPsec tunnel between Cisco IOS XE and Cloudflare. For this tutorial, the tested Cisco IOS XE software was version 17.03.07.
You should replace peer addresses with the anycast IP addresses assigned to your account. For example:
Anycast 01 : 162.159.###.###
Anycast 02 : 172.64.###.###
The following is a Cisco IOS XE configuration example:
crypto ikev2 proposal CF_MAGIC_WAN_IKEV2_PROPOSAL
integrity sha512 sha384 sha256
crypto ikev2 policy CF_MAGIC_WAN_IKEV2_POLICY
proposal CF_MAGIC_WAN_IKEV2_PROPOSAL
crypto ikev2 keyring CF_MAGIC_WAN_KEYRING
pre-shared-key hbGnJzFMqwltb###############BapXCOwsGZz2NMg
pre-shared-key 1VscPp0LPFAcZ###############HOdN-1cUgKVduL4
crypto ikev2 profile CF_MAGIC_WAN_01
match identity remote address 162.159.###.### 255.255.255.255
identity local fqdn ad329f56###############bbe898c0a0.33145236.ipsec.cloudflare.com
authentication remote pre-share
authentication local pre-share
keyring local CF_MAGIC_WAN_KEYRING
no config-exchange request
crypto ikev2 profile CF_MAGIC_WAN_02
match identity remote address 172.64.###.### 255.255.255.255
identity local fqdn 83f9c418###############29b3f97049.33145236.ipsec.cloudflare.com
authentication remote pre-share
authentication local pre-share
keyring local CF_MAGIC_WAN_KEYRING
no config-exchange request
crypto ipsec profile CF_MAGIC_WAN_01
set security-association lifetime kilobytes disable
set security-association replay disable
set ikev2-profile CF_MAGIC_WAN_01
crypto ipsec profile CF_MAGIC_WAN_02
set security-association lifetime kilobytes disable
set security-association replay disable
set ikev2-profile CF_MAGIC_WAN_02
ip address 10.252.2.35 255.255.255.254
tunnel destination 162.159.###.###
tunnel path-mtu-discovery
tunnel protection ipsec profile CF_MAGIC_WAN_01
ip address 10.252.2.37 255.255.255.254
tunnel destination 172.64.###.###
tunnel path-mtu-discovery
tunnel protection ipsec profile CF_MAGIC_WAN_02
interface GigabitEthernet1
interface GigabitEthernet2
ip address 10.10.0.35 255.255.255.0
Diagnostic output: show crypto session detail
cisco-csr1000v#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
Session status: UP-ACTIVE
Peer: 162.159.###.### port 500 fvrf: (none) ivrf: (none)
Phase1_id: 162.159.###.###
IKEv2 SA: local 10.141.0.9/500 remote 162.159.###.###/500 Active
Capabilities:(none) connid:1 lifetime:23:44:44
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 28110 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2684
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2684
Session status: UP-ACTIVE
Peer: 172.64.###.### port 500 fvrf: (none) ivrf: (none)
Phase1_id: 172.64.###.###
IKEv2 SA: local 10.141.0.9/500 remote 172.64.###.###/500 Active
Capabilities:(none) connid:2 lifetime:23:45:01
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 27586 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2701
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2701
Diagnostic output: show crypto session remote <ANYCAST 01>
detail
cisco-csr1000v#show crypto session remote 162.159.###.### detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
Session status: UP-ACTIVE
Peer: 162.159.###.### port 500 fvrf: (none) ivrf: (none)
Phase1_id: 162.159.###.###
IKEv2 SA: local 10.141.0.9/500 remote 162.159.###.###/500 Active
Capabilities:(none) connid:1 lifetime:23:44:15
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 29000 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2655
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2655
Diagnostic output: show crypto session remote <ANYCAST 02>
detail
cisco-csr1000v#show crypto session remote 172.64.###.### detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
Session status: UP-ACTIVE
Peer: 172.64.###.### port 500 fvrf: (none) ivrf: (none)
Phase1_id: 172.64.###.###
IKEv2 SA: local 10.141.0.9/500 remote 172.64.###.###/500 Active
Capabilities:(none) connid:2 lifetime:23:42:50
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 31639 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2569
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2569
If you notice connectivity issues after rebooting your Cisco router, your IPsec Security Associations (SAs) might be out of sync. Cisco recommends that you enable the Invalid Security Parameter Index (SPI) recovery feature to solve this issue. To do so, add the following lines to your configuration file:
crypto isakmp invalid-spi-recovery
Refer to Cisco's documentation ↗ for more information.
Thank you for helping improve Cloudflare's documentation!