Cloudflare Docs
Magic-Wan
Visit Magic WAN on GitHub
Set theme to dark (⇧+D)

Cisco Viptela SD-WAN

Cloudflare partners with Cisco’s 8000k router SD-WAN solution to provide users with an integrated solution. The Viptela appliances (physical and virtual) manage subnets associated with branch offices and cloud instances. Anycast Tunnels – GRE and IPsec – are set up between these appliances and Cloudflare to securely route Internet-bound traffic. This tutorial describes how to configure the Cisco 8000k router in the SD-WAN mode for north-south (Internet-bound) use cases.

​​ Prerequisites

Before setting up a connection between Cisco Viptela and Cloudflare, you must have:

  • Purchased Magic WAN and Secure Web Gateway.
  • Cloudflare provision Magic WAN and Secure Web Gateway.
  • Received two Cloudflare tunnel endpoints (Anycast IP address) assigned to Magic WAN.
  • Cisco 8000k SD-WAN appliances (physical or virtual). This ensures specific Internet-bound traffic from the sites' private networks is routed over the Anycast GRE tunnels to Secure Web Gateway to enforce a user’s specific web access policies.
  • A static IP pair to use with the tunnel endpoints. The static IPs should be /31 addresses separate from the IPs used in the subnet deployment. The software version used on Cisco was 20.6.2/17.6.2.

​​ Example scenario

For the purpose of this tutorial, the integration will refer to a scenario with one branch office with subnets.

GRE tunnel configuration

The central branch office has a 192.168.30.0/24 network with the SD-WAN appliance terminating the Anycast GRE tunnel.

Table of routing information for central  branch

IPsec tunnel configuration

The central branch office has a 192.168.30.0/24 network with the SD-WAN appliance terminating the Anycast IPsec tunnel.

Table of routing information for central  branch

​​ 1. Create a SIG template on Cisco vManage

Cisco vManage is Cisco’s SD-WAN management tool that is used to manage all the SD-WAN appliances in branch offices.

GRE tunnel configuration

For this example scenario, a non-default template for SIG-Branch was created.

Traffic flow diagram for GRE

To create a Secure Internet Gateway (SIG) using vManage:

  1. From Cisco vManage under Configuration, click Generic and Add Tunnel.
  2. Refer to the table below for the setting fields and their options.
SettingType/Detail
Global TemplateFactory_Default_Global_CISCO_Template
Cisco BannerFactory_Default_Retail_Banner
PolicyBranch-Local-Policy

Transport & Management VPN settings

SettingType/Detail
Cisco VPN 0GCP-Branch-VPN0
Cisco Secure Internet GatewayBranch-SIG-GRE-Template
Cisco VPN Interface EthernetGCP-Branch-Public-Internet-TLOC
Cisco VPN Interface EthernetGCP-VPN0-Interface
Cisco VPN 512Default_AWS_TGW_CSR_VPN512_V01

Basic Information settings

SettingType/Detail
Cisco SystemDefault_BootStrap_Cisco_System_Template
Cisco LogingDefault_Logging_Cisco_V01
Cisco AAAAWS-Branch-AAA-Template
Cisco BFDDefault_BFD_Cisco-V01
Cisco OMPDefault_AWS_TGW_CSR_OMP_IPv46_…
Cisco SecurityDefault_Security_Cisco_V01

When creating the Feature Template, you can choose values that apply globally or that are device specific. For example, the Tunnel Source IP Address, Interface Name and fields from Update Tunnel are device specific and should be chosen accordingly.

IPsec tunnel configuration

For this example scenario, a non-default template for SIG-Branch-IPsec-Template was created.

Traffic flow diagram for IPsec

To create a Secure Internet Gateway (SIG) using vManage:

  1. From Cisco vManage under Configuration, click Generic and Add Tunnel.
  2. Refer to the table below for the setting fields and their options.
SettingType/Detail
Tunnel TypeIPsec
Interface Name (1..255)Global
DescriptionIP
Tunnel Source IP AddressDevice-Specific
IPv4 addressesDevice-Specific
Tunnel Route-via InterfaceDevice-Specific
Tunnel Destination IP Address/FQDN(Ipsec)Device-Specific
Preshared keyDevice-Specific
IPsec Rekey Interval (under advanced options)Default
IPsec Replay WindowDefault
IPSec Cipher SuiteGlobal (AES 256 CBC SHA 256)
Perfect Forward SecrecyGlobal (Group-14 2048-bit modulus)

​​ 2. (IPsec only) Create a non-default feature template

For compatibility, you will need to disable replay protection, which is not an option through the templates, by creating a CLI template in addition to the feature template created in the previous step.

CLI configuration used to disable replay

In the image above, replay is disabled and the local key-id is set to a variable so that a Cloudflare tunnel ID with the format xxxxxx_YYYYYYY can be added.

​​ 3. Create tunnels in vManage

GRE tunnel configuration

From vManage, click Configuration > Templates. You should see the newly created template where you will update the device values.

Because the template was created to add GRE tunnels, you only need to update the device values. Note that VPN0 is the default, and the WAN interface used to build the tunnel must be part of VPN0.

Update template fields for GRE tunnel

IPsec tunnel configuration

From vManage, click Configuration > Templates. You should see the newly created template where you will update the device values.

In the example below, the template is the GCP-Branch-Template. Note that VPN0 is the default, and the WAN interface used to build the tunnel needs to be part of VPN0.

Update template fields for IPsec tunnel

​​ 4. Create tunnels in Cloudflare

GRE tunnel configuration

Refer to Configure tunnel endpoints for more information on creating a GRE tunnel.

Established GRE tunne in Cloudflash dashboard

IPsec tunnel configuration

For additional information on creating IPsec tunnels, refer to API documentation for IPsec tunnels.

  • X-Auth-Email: Your Cloudflare email ID
  • X-Auth-Key: Seen in the URL (dash.cloudflare.com//….)
  • Account key: Global API token in Cloudflare dashboard
  1. Test new IPsec tunnel creation

    Request
    curl -X POST "https://api.cloudflare.com/client/v4/accounts/<account_id>/magic/ipsec_tunnels?validate_only=true" \
    -H "X-Auth-Email: [email protected]" \
    -H "X-Auth-Key: XXXXXXXXXX" \
    -H "Content-Type: application/json" \
    --data '{"ipsec_tunnels":[{"name":"IPSec_cisco","customer_endpoint":"35.239.85.133","cloudflare_endpoint":"172.64.241.205","interface_address":"10.49.0.11/31","description":"Tunnel for Cisco 8000v"}]}'
  2. Create new IPSec tunnel

    Request
    curl -X POST "https://api.cloudflare.com/client/v4/accounts/<account_id>/magic/ipsec_tunnels?validate_only=true" \
    -H "X-Auth-Email: [email protected]" \
    -H "X-Auth-Key: XXXXXXXXXX" \
    -H "Content-Type: application/json" \
    --data '{"ipsec_tunnels":[{"name":"IPSec_cisco","customer_endpoint":"35.239.85.133","cloudflare_endpoint":"172.64.241.205","interface_address":"10.49.0.11/31","description":"Tunnel for Cisco 8000v"}]}'
    Response
    {
    "result": {
    "ipsec_tunnels": [
    {
    "id": "XXXXXXXXXX",
    "interface_address": "10.49.0.11/31",
    "created_on": "2022-05-03T23:03:19.104194Z",
    "modified_on": "2022-05-03T23:03:19.104194Z",
    "name": "IPsec_cisco",
    "cloudflare_endpoint": "172.64.241.205",
    "customer_endpoint": "35.239.85.133",
    "description": "Tunnel for Cisco 8000v",
    "health_check": {
    "enabled": true,
    "target": "35.239.85.133",
    "type": "reply"
    }
    }
    ]
    },
    "success": true,
    "errors": [],
    "messages": []
    }
  3. Generate Pre Shared Key (PSK) for Tunnel

Use the tunnel ID from the response in Step 2. Save the pre-shared key generated in this step as you will need it to set up tunnels on the Orchestrator.

Request
curl -X POST "https://api.cloudflare.com/client/v4/accounts/<account_id>/magic/ipsec_tunnels/<tunnel_id>/psk_generate?validate_only=true" \
-H "X-Auth-Email: [email protected]" \
-H "X-Auth-Key: XXXXXXXXXX" \
-H "Content-Type: application/json"
Response
{
"result": {
"ipsec_id": "<ipsec_id>",
"ipsec_tunnel_id": "<tunnel_id>",
"psk": "XXXXXXXXXX",
"psk_metadata": {
"last_generated_on": "2022-05-06T17:37:03.70965667Z"
}
},
"success": true,
"errors": [],
"messages": []
}

​​ 5. Define static routes

GRE tunnel configuration

Refer to Configure static routes for more information on configuring your static routes.

Established GRE static routes in Cloudflare dashboard

IPsec tunnel configuration

Define static routes on the 8000v router so Cloudflare can route traffic between sites.

For the purpose of the tutorial, create a route for the subnet 10.1.2.0/24 on the GCP branch to be routed via the established IPSec tunnel between the 8000v appliance and Cloudflare

Refer to Configure static routes for more information on configuring your static routes.

​​ 6. Validate traffic flow

GRE tunnel configuration

In the example below, a request for neverssl.com was issued, which has a Cloudflare policy blocking traffic to neverssl.com.

On the client VM (192.168.30.3), a blocked response is visible.

cURL example for a request to neverssl.com

A matching blocked log line is visible from the Cloudflare logs.

A blocked log from Gateway Activity Log in the Cloudflare dashboard

Validate east-west traffic

The example shows a client in AWS (10.1.2.23), which can ping the private IP of the router in GCP (192.168.30.3).

The traceroute shows the path going from the client (10.1.2.23)
→ to the AWS lan0 IP on the EdgeConnect (10.1.2.47)
→ to the Cloudflare private IPSec endpoint IP (10.0.0.10)
→ to the GCP private tunnel endpoint IP (10.49.0.10)
→ to the GCP workload (192.168.30.3).

This validates the east-west traffic flow through Cloudflare Magic WAN.

East-west traffic ping

IPsec tunnel configuration

​To validate traffic flow from the local subnet through Cloudflare’s Secure Web Gateway, perform a curl as shown in the example below.

On the client VM (192.168.30.3), a blocked response is visible.

cURL example to validate traffic with a blocked response

You can validate the request went through Gateway with the presence of the Cf-Team response header, or by looking at the logs in the dashboard under Logs > Gateway > HTTP.

Blocked response in Secure Web Gateway

You can also verify traffic flow through the established IPSec tunnel on the Cisco Device Dashboard > Interface.

Traffic flow in Cisco’s device dashboard