Cloudflare Docs
Magic WAN
Cloudflare Docs
Magic WAN
GitHub icon
Edit this page on GitHub
Set theme to dark (⇧+D)
  1. Products
  2. Magic WAN
  3. ...
  4. ...
  5. Third-party integration
  6. Furukawa Electric FITELnet

Furukawa Electric FITELnet

This tutorial describes how to configure the Furukawa Electric’s FITELnet F220 and F70 devices to connect to Cloudflare Magic WAN via IPsec tunnels. The use cases described in this tutorial are for both east-west (branch to branch) and north-south (Internet-bound).

​​ Testing environment

These configurations were tested on FITELnet F220 and F70 series with the following firmware versions:

  • F220 series: Version 01.11(00)
  • F70 series: Version 01.09(00)

​​ IPsec configuration

​​ Magic WAN configuration

  1. Go to the Cloudflare dashboard and select your account.
  2. Go to Magic WAN > Configuration.
  3. From the Tunnels tab, select Create.
  4. For the first IPsec tunnel, ensure the following settings are defined (refer to Add tunnels for information on settings not mentioned here):
    • Tunnel name: FITEL-tunnel-1
    • Interface address: Enter 10.0.0.1/31 for your first tunnel.
    • Customer endpoint: This setting is not required unless your router is using an IKE ID of type ID_IPV4_ADDR.
    • Cloudflare endpoint: The Cloudflare Anycast IP assigned to you by your account team.
    • Pre-shared key: Create a pre-shared key for your first tunnel.
  5. For the second IPsec tunnel, make the same changes as you did for the first tunnel, and ensure these additional setting is defined:
    • Tunnel name: FITEL-tunnel-2
    • Interface address: Enter 10.0.0.3/31 for your second tunnel.
    • Customer endpoint: This setting is not required unless your router is using an IKE ID of type ID_IPV4_ADDR.
    • Cloudflare endpoint: The Cloudflare Anycast IP assigned to you by your account team.
    • Pre-shared key: Create a pre-shared key for your second tunnel.

​​ FITELnet router configuration

​​ Router 1 settings

Use the CLI to configure these settings:

interface Tunnel 1
 ip address 10.0.0.0 255.255.255.254
 tunnel mode ipsec map MAP1
 link-state sync-sa
exit
!


crypto ipsec policy IPsec_POLICY
 set security-association always-up
 set security-association lifetime seconds 28800
 set security-association transform-keysize aes 256 256 256
 set security-association transform esp-aes esp-sha256-hmac
 set mtu 1460
 set mss 1350
 set ip df-bit 0
 set ip fragment post
 ! if there is a NAT router between Cloudflare and FITELnet,
 ! add the two udp-encapsulation options below
 set udp-encapsulation nat-t keepalive interval 30 always-send
 set udp-encapsulation-force
exit
!
crypto ipsec selector SELECTOR
 src 1 ipv4 any
 dst 1 ipv4 any
exit
!
crypto isakmp keepalive
crypto isakmp log sa
crypto isakmp log session
crypto isakmp log negotiation-fail
crypto isakmp negotiation always-up-params interval 100 max-initiate 10 max-pending 10 delay 1
crypto ipsec replay-check disable
!
crypto isakmp policy ISAKMP_POLICY
 authentication pre-share
 encryption aes
 encryption-keysize aes 256 256 256
 group 14
 lifetime 14400
 hash sha sha-256
 initiate-mode aggressive
exit
!
crypto isakmp profile PROF1
 ! set the value of FQDN ID for self-identify
 self-identity fqdn <FQDN-ID-TUNNEL01>
 set isakmp-policy ISAKMP_POLICY
 set ipsec-policy IPsec_POLICY
 set peer <CLOUDFLARE-ANYCAST-ADDRESS>
 ike-version 2
 local-key <PRE-SHARED-KEY-TUNNEL01>
exit
!
crypto map MAP1 ipsec-isakmp
 match address SELECTOR
 set isakmp-profile PROF1
exit
!

​​ Router 2 settings

Use the CLI to configure these settings:

interface Tunnel 2
 ip address 10.0.0.2 255.255.255.254
 tunnel mode ipsec map MAP1
 link-state sync-sa
exit
!


crypto ipsec policy IPsec_POLICY
 set security-association always-up
 set security-association lifetime seconds 28800
 set security-association transform-keysize aes 256 256 256
 set security-association transform esp-aes esp-sha256-hmac
 set mtu 1460
 set mss 1350
 set ip df-bit 0
 set ip fragment post
 ! if there is a NAT router between Cloudflare and FITELnet,
 ! add the two udp-encapsulation options below
 set udp-encapsulation nat-t keepalive interval 30 always-send
 set udp-encapsulation-force
exit
!
crypto ipsec selector SELECTOR
 src 1 ipv4 any
 dst 1 ipv4 any
exit
!
crypto isakmp keepalive
crypto isakmp log sa
crypto isakmp log session
crypto isakmp log negotiation-fail
crypto isakmp negotiation always-up-params interval 100 max-initiate 10 max-pending 10 delay 1
crypto ipsec replay-check disable
!
crypto isakmp policy ISAKMP_POLICY
 authentication pre-share
 encryption aes
 encryption-keysize aes 256 256 256
 group 14
 lifetime 14400
 hash sha sha-256
 initiate-mode aggressive
exit
!
crypto isakmp profile PROF1
 ! set the value of FQDN ID for self-identify
 self-identity fqdn <FQDN-ID-TUNNEL02>
 set isakmp-policy ISAKMP_POLICY
 set ipsec-policy IPsec_POLICY
 set peer <CLOUDFLARE-ANYCAST-ADDRESS>
 ike-version 2
 local-key <PRE-SHARED-KEY-TUNNEL02>
exit
!
crypto map MAP1 ipsec-isakmp
 match address SELECTOR
 set isakmp-profile PROF1
exit
!

​​ Static route configuration

To configure routes for east-west (branch to branch) connections, refer to the following settings.

​​ Magic WAN

  1. Go to the Cloudflare dashboard and select your account.
  2. Go to Magic WAN > Configuration.
  3. From the Static Routes tab, select Create.
  4. For the first route, ensure the following settings are defined (refer to Configure static routes to learn about settings not mentioned here):
  • Prefix: 192.168.0.0/24
  • Tunnel/Next hop: FITEL-tunnel-1 / 10.0.0.0
  1. For the second route, ensure the following settings are defined:
  • Prefix: 192.168.1.0/24
  • Tunnel/Next hop: FITEL-tunnel-2 / 10.0.0.2

​​ FITELnet router configuration

​​ Router 1

Use the CLI to configure these settings:

ip route 192.168.0.0 255.255.255.0 tunnel 1

​​ Router 2

Use the CLI to configure these settings:

ip route 192.168.1.0 255.255.255.0 tunnel 2

​​ Connection test

​​ IPsec status

In the FITELnet router CLI, you can run show crypto sa to check the status of the IPsec security associations (SAs). Total number of ISAKMP/IPSEC SA shows the number of established SAs.

show crypto sa


  IKE_SA
    Mode: <I>
    Local IP : <LOCAL_IP>/500
    Local ID : <LOCAL_ID> (ipv4)
    Remote IP : anycast-address/500
    Remote ID : anycast-address (ipv4)
    Local Authentication method : Pre-shared key
    Remote Authentication method : Pre-shared key
    Encryption algorithm : aes256-cbc
    Hash algorithm : hmac-sha256-128
    Diffie-Hellman group : 14 (2048 bits)
    Initiator Cookie : aaaaaaaa bbbbbbbb
    Responder Cookie : cccccccc dddddddd
    Life time : 6852/14400 sec
    DPD : on


  CHILD_SA <I>
    Selector :
      0.0.0.0/0 ALL ALL <---> 0.0.0.0/0 ALL ALL
    Interface : tunnel 1
    Peer IP : anycast-address/500
    Local IP : xxx.xxx.xxx.xxx/500
    Encryption algorithm : AES-CBC/256
    Authentication algorithm : HMAC-SHA2-256
    Life time : 22868/28800 sec
    PFS : off ESN : off
    IN
      SPI : eeeeeeee
      Packets       : 0
      Octets        : 0
      Replay error  : 0
      Auth error    : 0
      Padding error : 0
      Rule error    : 0
    OUT
      SPI : ffffffff
      Packets       : 0
      Octets        : 0
      Seq lapped    : 0


  Total number of ISAKMP SA 1
  Total number of IPSEC SA 1

​​ Route Status

In the FITELnet router CLI, you can run show ip route to check the route information. A * in the route information indicates that the route information is valid.

show ip route


Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       B - BGP, T - Tunnel, i - IS-IS, V - VRRP track,
       Iu - ISAKMP SA up, It - ISAKMP tunnel route, Ip - ISAKMP l2tpv2-ppp
       Dc - DHCP-client, L - Local Breakout
       > - selected route, * - FIB route, p - stale info


<snip>
S > * 192.168.1.0/24 [100/0] is directly connected, Tunnel1
<snip>
#