This tutorial describes how to configure Furukawa Electric's FITELnet F220 and F70 devices to connect to Cloudflare Magic WAN via IPsec tunnels. The use cases covered are both east-west (branch to branch) and north-south (Internet-bound) traffic.
These configurations were tested on FITELnet F220 and F70 series with the following firmware versions:
F220 series : Version 01.11(00)
F70 series : Version 01.09(00)
Go to the Cloudflare dashboard ↗ and select your account.
Go to Magic WAN > Configuration .
From the Tunnels tab, select Create .
For the first IPsec tunnel, ensure the following settings are defined (refer to Add tunnels for information on settings not mentioned here):
Tunnel name : FITEL-tunnel-1
Interface address : Enter 10.0.0.1/31 for your first tunnel.
Customer endpoint : This setting is not required unless your router is using an IKE ID of type ID_IPV4_ADDR.
Cloudflare endpoint : The Cloudflare anycast IP assigned to you by your account team.
Pre-shared key : Create a pre-shared key for your first tunnel.
For the second IPsec tunnel, repeat the steps for the first tunnel, but use these values:
Tunnel name : FITEL-tunnel-2
Interface address : Enter 10.0.0.3/31 for your second tunnel.
Customer endpoint : This setting is not required unless your router is using an IKE ID of type ID_IPV4_ADDR.
Cloudflare endpoint : The Cloudflare anycast IP assigned to you by your account team.
Pre-shared key : Create a pre-shared key for your second tunnel.
FITELnet router configuration
Use the CLI to configure these settings on the FITELnet router for the first tunnel:
ip address 10.0.0.0 255.255.255.254
tunnel mode ipsec map MAP1
crypto ipsec policy IPsec_POLICY
set security-association always-up
set security-association lifetime seconds 28800
set security-association transform-keysize aes 256 256 256
set security-association transform esp-aes esp-sha256-hmac
! if there is a NAT router between Cloudflare and FITELnet,
! add the two udp-encapsulation options below
set udp-encapsulation nat-t keepalive interval 30 always-send
set udp-encapsulation-force
crypto ipsec selector SELECTOR
crypto isakmp log session
crypto isakmp log negotiation-fail
crypto isakmp negotiation always-up-params interval 100 max-initiate 10 max-pending 10 delay 1
! anti-replay (ESP sequence-number) checking is disabled here; replayed ESP packets are no longer dropped
crypto ipsec replay-check disable
crypto isakmp policy ISAKMP_POLICY
encryption-keysize aes 256 256 256
crypto isakmp profile PROF1
! set the FQDN used as this router's IKE identity (self-identity)
self-identity fqdn <FQDN-ID-TUNNEL01>
set isakmp-policy ISAKMP_POLICY
set ipsec-policy IPsec_POLICY
set peer <CLOUDFLARE-ANYCAST-ADDRESS>
local-key <PRE-SHARED-KEY-TUNNEL01>
crypto map MAP1 ipsec-isakmp
Use the CLI to configure these settings on the FITELnet router for the second tunnel:
ip address 10.0.0.2 255.255.255.254
tunnel mode ipsec map MAP1
crypto ipsec policy IPsec_POLICY
set security-association always-up
set security-association lifetime seconds 28800
set security-association transform-keysize aes 256 256 256
set security-association transform esp-aes esp-sha256-hmac
! if there is a NAT router between Cloudflare and FITELnet,
! add the two udp-encapsulation options below
set udp-encapsulation nat-t keepalive interval 30 always-send
set udp-encapsulation-force
crypto ipsec selector SELECTOR
crypto isakmp log session
crypto isakmp log negotiation-fail
crypto isakmp negotiation always-up-params interval 100 max-initiate 10 max-pending 10 delay 1
! anti-replay (ESP sequence-number) checking is disabled here; replayed ESP packets are no longer dropped
crypto ipsec replay-check disable
crypto isakmp policy ISAKMP_POLICY
encryption-keysize aes 256 256 256
crypto isakmp profile PROF1
! set the FQDN used as this router's IKE identity (self-identity)
self-identity fqdn <FQDN-ID-TUNNEL02>
set isakmp-policy ISAKMP_POLICY
set ipsec-policy IPsec_POLICY
set peer <CLOUDFLARE-ANYCAST-ADDRESS>
local-key <PRE-SHARED-KEY-TUNNEL02>
crypto map MAP1 ipsec-isakmp
Static route configuration
To configure routes for east-west (branch to branch) connections, refer to the following settings.
Go to the Cloudflare dashboard ↗ and select your account.
Go to Magic WAN > Configuration .
From the Static Routes tab, select Create .
For the first route, ensure the following settings are defined (refer to Configure static routes to learn about settings not mentioned here):
Prefix : 192.168.0.0/24
Tunnel/Next hop : FITEL-tunnel-1 / 10.0.0.0
For the second route, ensure the following settings are defined:
Prefix : 192.168.1.0/24
Tunnel/Next hop : FITEL-tunnel-2 / 10.0.0.2
FITELnet router configuration
Use the CLI to configure this route on the router behind the first tunnel. The Magic WAN static route above places 192.168.0.0/24 behind FITEL-tunnel-1, so this router must send traffic for the other branch (192.168.1.0/24) into tunnel 1, never its own LAN prefix (this matches the show ip route output later in this tutorial):
ip route 192.168.1.0 255.255.255.0 tunnel 1
Use the CLI to configure this route on the router behind the second tunnel, which sends traffic for the first branch (192.168.0.0/24) into tunnel 2:
ip route 192.168.0.0 255.255.255.0 tunnel 2
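The dashboard values, the router addresses and the static routes above have to agree with each other before the tunnels are enabled: the router's ip address must be the other half of the /31 entered as the Interface address, each tunnel needs its own IKE ID and pre-shared key, the static route's next hop must be the router side of that /31, and each branch router routes the other branch's LAN into its own tunnel. The script below is an added example (not part of Cloudflare's documentation or Furukawa's firmware) that encodes those checks over the tutorial's values; the dictionaries, the placeholder pre-shared keys, and the rule that tunnels are numbered in list order are assumptions made for the example.

```python
"""Consistency checks for the Magic WAN / FITELnet tunnel plan in this tutorial.

Added example, not part of Cloudflare's documentation or Furukawa's firmware.
The values are the tutorial's; the rules (the /31 partner address, unique IKE
IDs and PSKs, next hop = router side of the /31, east-west routes pointing at
the *other* branch's LAN) are the checks done by hand before enabling tunnels.
"""
import ipaddress

# Constructed from the tutorial's values. "cf_interface" is the Interface
# address entered in the Cloudflare dashboard; "router_ip" is the address
# configured with "ip address ..." on the FITELnet side; "lan_prefix" is the
# branch LAN behind that router; the PSKs are placeholders.
TUNNELS = [
    {"name": "FITEL-tunnel-1", "cf_interface": "10.0.0.1/31", "router_ip": "10.0.0.0",
     "ike_id": "FQDN-ID-TUNNEL01", "psk": "placeholder-psk-1", "lan_prefix": "192.168.0.0/24"},
    {"name": "FITEL-tunnel-2", "cf_interface": "10.0.0.3/31", "router_ip": "10.0.0.2",
     "ike_id": "FQDN-ID-TUNNEL02", "psk": "placeholder-psk-2", "lan_prefix": "192.168.1.0/24"},
]

# The Magic WAN static routes from the tutorial: prefix -> tunnel / next hop.
STATIC_ROUTES = [
    {"prefix": "192.168.0.0/24", "tunnel": "FITEL-tunnel-1", "next_hop": "10.0.0.0"},
    {"prefix": "192.168.1.0/24", "tunnel": "FITEL-tunnel-2", "next_hop": "10.0.0.2"},
]


def expected_router_ip(cf_interface):
    """Return the other address of the /31 that the Cloudflare interface address belongs to."""
    iface = ipaddress.ip_interface(cf_interface)
    if iface.network.prefixlen != 31:
        raise ValueError(f"{cf_interface}: tunnel interface addresses are /31s")
    # iterating a network yields every address in it, so a /31 gives exactly two
    (other,) = [addr for addr in iface.network if addr != iface.ip]
    return str(other)


def find_problems(tunnels, routes):
    """Return human-readable misconfigurations; an empty list means the plan is consistent."""
    problems = []
    by_name = {t["name"]: t for t in tunnels}
    seen_ike, seen_psk, seen_net = set(), set(), set()
    for t in tunnels:
        want = expected_router_ip(t["cf_interface"])
        if t["router_ip"] != want:
            problems.append(f"{t['name']}: router ip {t['router_ip']} is not the /31 partner "
                            f"of {t['cf_interface']} (expected {want})")
        if t["ike_id"] in seen_ike:
            problems.append(f"{t['name']}: IKE ID {t['ike_id']} is reused; each tunnel needs its own")
        if t["psk"] in seen_psk:
            problems.append(f"{t['name']}: pre-shared key reused across tunnels")
        net = ipaddress.ip_interface(t["cf_interface"]).network
        if net in seen_net:
            problems.append(f"{t['name']}: /31 {net} overlaps another tunnel")
        seen_ike.add(t["ike_id"])
        seen_psk.add(t["psk"])
        seen_net.add(net)
    for r in routes:
        t = by_name.get(r["tunnel"])
        if t is None:
            problems.append(f"route {r['prefix']}: unknown tunnel {r['tunnel']}")
            continue
        if r["next_hop"] != t["router_ip"]:
            problems.append(f"route {r['prefix']}: next hop {r['next_hop']} is not the router "
                            f"side of {t['name']} ({t['router_ip']})")
        if ipaddress.ip_network(r["prefix"]) != ipaddress.ip_network(t["lan_prefix"]):
            problems.append(f"route {r['prefix']}: {t['name']} fronts {t['lan_prefix']}, not this prefix")
    return problems


def fitelnet_routes(tunnels, tunnel_number):
    """FITELnet "ip route" lines for the router behind tunnel N (tunnels numbered in list
    order): every other branch's LAN is reached through this router's own tunnel."""
    me = tunnels[tunnel_number - 1]
    lines = []
    for t in tunnels:
        if t is me:
            continue  # never route a router's own LAN into its tunnel
        net = ipaddress.ip_network(t["lan_prefix"])
        lines.append(f"ip route {net.network_address} {net.netmask} tunnel {tunnel_number}")
    return lines


if __name__ == "__main__":
    for p in find_problems(TUNNELS, STATIC_ROUTES) or ["plan is consistent"]:
        print(p)
    for n in (1, 2):
        print(f"--- router behind tunnel {n}")
        print("\n".join(fitelnet_routes(TUNNELS, n)))
```

Running it against the tutorial's values reports a consistent plan and prints the two ip route lines shown above; swapping a router address to the wrong half of its /31 produces both a partner-address finding and a next-hop finding, which is the pair of symptoms that appears when the dashboard and router sides are entered from different conventions.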
In the FITELnet router CLI, run show crypto sa to check the status of the IPsec security associations (SAs). The Total number of ISAKMP SA and Total number of IPSEC SA lines at the end show how many SAs are established; with a single tunnel up, expect 1 of each.
Local IP : <LOCAL_IP>/500
Local ID : <LOCAL_ID> (ipv4)
Remote IP : anycast-address/500
Remote ID : anycast-address (ipv4)
Local Authentication method : Pre-shared key
Remote Authentication method : Pre-shared key
Encryption algorithm : aes256-cbc
Hash algorithm : hmac-sha256-128
Diffie-Hellman group : 14 (2048 bits)
Initiator Cookie : aaaaaaaa bbbbbbbb
Responder Cookie : cccccccc dddddddd
Life time : 6852/14400 sec
0.0.0.0/0 ALL ALL <---> 0.0.0.0/0 ALL ALL
Peer IP : anycast-address/500
Local IP : xxx.xxx.xxx.xxx/500
Encryption algorithm : AES-CBC/256
Authentication algorithm : HMAC-SHA2-256
Life time : 22868/28800 sec
Total number of ISAKMP SA 1
Total number of IPSEC SA 1
In the FITELnet router CLI, run show ip route to check the routing table. A * next to a route indicates that the route is valid (installed in the FIB); > marks the selected route.
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       B - BGP, T - Tunnel, i - IS-IS, V - VRRP track,
       Iu - ISAKMP SA up, It - ISAKMP tunnel route, Ip - ISAKMP l2tpv2-ppp
       Dc - DHCP-client, L - Local Breakout
       > - selected route, * - FIB route, p - stale info
S > * 192.168.1.0/24 [100/0] is directly connected, Tunnel1
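Reading these two listings by eye works for one tunnel; for a fleet it is worth checking them programmatically, so that a tunnel that renegotiated with a weaker IKE proposal, lost its IPsec SA, or whose route is present but not installed in the FIB gets flagged. The script below is an added example (not from the tutorial, Cloudflare or Furukawa) that parses output shaped like the listings above and checks it against the policy configured in this tutorial (AES-256-CBC, HMAC-SHA-256, DH group 14, a 28800-second IPsec SA lifetime). The sample outputs are constructed with RFC 5737 documentation addresses in place of the placeholders, the second route line is added to show the negative case, and the assumption is that the firmware prints the field labels exactly as shown on this page.

```python
"""Parse FITELnet "show crypto sa" and "show ip route" output and check tunnel health.

Added example; not from the tutorial, Cloudflare or Furukawa. The sample outputs are
constructed to match the abbreviated listings in the tutorial (RFC 5737 addresses
substituted for the placeholders); field labels are assumed to appear exactly as
printed there. Expected algorithms and lifetimes come from the tutorial's configuration.
"""
import re

SHOW_CRYPTO_SA = """\
Local IP : 203.0.113.10/500
Local ID : 203.0.113.10 (ipv4)
Remote IP : 198.51.100.1/500
Remote ID : 198.51.100.1 (ipv4)
Local Authentication method : Pre-shared key
Remote Authentication method : Pre-shared key
Encryption algorithm : aes256-cbc
Hash algorithm : hmac-sha256-128
Diffie-Hellman group : 14 (2048 bits)
Initiator Cookie : aaaaaaaa bbbbbbbb
Responder Cookie : cccccccc dddddddd
Life time : 6852/14400 sec
0.0.0.0/0 ALL ALL <---> 0.0.0.0/0 ALL ALL
Peer IP : 198.51.100.1/500
Local IP : 203.0.113.10/500
Encryption algorithm : AES-CBC/256
Authentication algorithm : HMAC-SHA2-256
Life time : 22868/28800 sec
Total number of ISAKMP SA 1
Total number of IPSEC SA 1
"""

# Second route line is constructed: present in the RIB but neither selected nor in the FIB.
SHOW_IP_ROUTE = """\
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       B - BGP, T - Tunnel, i - IS-IS, V - VRRP track,
       Iu - ISAKMP SA up, It - ISAKMP tunnel route, Ip - ISAKMP l2tpv2-ppp
       Dc - DHCP-client, L - Local Breakout
       > - selected route, * - FIB route, p - stale info
S > * 192.168.1.0/24 [100/0] is directly connected, Tunnel1
S     192.168.2.0/24 [100/0] is directly connected, Tunnel2
"""

ROUTE_RE = re.compile(
    r"^([A-Za-z]{1,2})\s*(>)?\s*(\*)?\s*(\d+\.\d+\.\d+\.\d+/\d+)\s+\[(\d+)/(\d+)\]\s+(.*)$")


def parse_crypto_sa(text):
    """Split the listing into the ISAKMP (IKE) fields, the IPsec SA fields and the SA totals."""
    isakmp, ipsec, totals = {}, {}, {}
    section = isakmp
    for raw in text.splitlines():
        line = raw.strip()
        if "<--->" in line:  # the traffic-selector line starts the IPsec SA part
            section = ipsec
            continue
        m = re.match(r"Total number of (ISAKMP|IPSEC) SA\s+(\d+)", line)
        if m:
            totals[m.group(1).lower()] = int(m.group(2))
            continue
        if " : " in line:
            key, value = line.split(" : ", 1)
            section[key.strip()] = value.strip()
    return {"isakmp": isakmp, "ipsec": ipsec, "totals": totals}


def lifetime(value):
    """'22868/28800 sec' -> (seconds remaining, configured lifetime)."""
    m = re.match(r"(\d+)/(\d+)\s*sec", value)
    return int(m.group(1)), int(m.group(2))


def check_tunnel(text, min_dh_group=14, ipsec_lifetime=28800):
    """Return findings for one tunnel; an empty list means it matches the tutorial's policy."""
    sa = parse_crypto_sa(text)
    ike, esp, totals = sa["isakmp"], sa["ipsec"], sa["totals"]
    findings = []
    if totals.get("isakmp") != 1 or totals.get("ipsec") != 1:
        findings.append(f"expected 1 ISAKMP and 1 IPsec SA, got {totals}")
    if ike.get("Encryption algorithm", "").lower() != "aes256-cbc":
        findings.append(f"IKE encryption {ike.get('Encryption algorithm')!r}, expected aes256-cbc")
    if not ike.get("Hash algorithm", "").lower().startswith("hmac-sha256"):
        findings.append(f"IKE hash {ike.get('Hash algorithm')!r}, expected hmac-sha256")
    m = re.match(r"(\d+)", ike.get("Diffie-Hellman group", ""))
    group = int(m.group(1)) if m else 0
    if group < min_dh_group:
        findings.append(f"IKE DH group {group} is weaker than group {min_dh_group}")
    if esp.get("Encryption algorithm", "").upper() != "AES-CBC/256":
        findings.append(f"IPsec encryption {esp.get('Encryption algorithm')!r}, expected AES-CBC/256")
    if esp.get("Authentication algorithm", "").upper() != "HMAC-SHA2-256":
        findings.append(f"IPsec integrity {esp.get('Authentication algorithm')!r}, expected HMAC-SHA2-256")
    if "Life time" in esp and lifetime(esp["Life time"])[1] != ipsec_lifetime:
        findings.append(f"IPsec SA lifetime {esp['Life time']}, expected {ipsec_lifetime} sec")
    return findings


def parse_ip_route(text):
    """Return one dict per route line; '>' means selected, '*' means installed in the FIB."""
    routes = []
    for raw in text.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m:
            code, selected, fib, prefix, distance, metric, via = m.groups()
            routes.append({"code": code, "selected": selected == ">", "fib": fib == "*",
                           "prefix": prefix, "distance": int(distance),
                           "metric": int(metric), "via": via})
    return routes


def route_installed(text, prefix, interface):
    """True only when the prefix is selected, in the FIB, and points at the expected interface."""
    return any(r["prefix"] == prefix and r["selected"] and r["fib"] and interface in r["via"]
               for r in parse_ip_route(text))


if __name__ == "__main__":
    print(check_tunnel(SHOW_CRYPTO_SA) or "IPsec SA: OK")
    print("192.168.1.0/24 via Tunnel1 installed:",
          route_installed(SHOW_IP_ROUTE, "192.168.1.0/24", "Tunnel1"))
```

The IPsec section is recognised by the traffic-selector line (0.0.0.0/0 ALL ALL <---> 0.0.0.0/0 ALL ALL), which is why the duplicated Local IP and Encryption algorithm labels do not collide. route_installed deliberately requires both > and *: a static route that is in the RIB but not the FIB (for example, because the tunnel interface is down) looks healthy in a naive grep but carries no traffic.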