Cisco IOS XE
This tutorial contains a configuration example for setting up an IPsec tunnel between Cisco IOS XE and Cloudflare. For this tutorial, the tested Cisco IOS XE software was version 17.03.07.
You should replace peer addresses with the Anycast IP addresses assigned to your account. For example:
- Anycast 01: 162.159.###.###
- Anycast 02: 172.64.###.###
The following is a Cisco IOS XE configuration example:
```txt
crypto ikev2 proposal CF_MAGIC_WAN_IKEV2_PROPOSAL
 encryption aes-cbc-256
 integrity sha512 sha384 sha256
 group 14 5
!
crypto ikev2 policy CF_MAGIC_WAN_IKEV2_POLICY
 match fvrf any
 proposal CF_MAGIC_WAN_IKEV2_PROPOSAL
!
crypto ikev2 keyring CF_MAGIC_WAN_KEYRING
 peer GCP_CSR_IPSEC01
  address 162.159.###.###
  pre-shared-key hbGnJzFMqwltb###############BapXCOwsGZz2NMg
 !
 peer GCP_CSR_IPSEC02
  address 172.64.###.###
  pre-shared-key 1VscPp0LPFAcZ###############HOdN-1cUgKVduL4
 !
!
!
crypto ikev2 profile CF_MAGIC_WAN_01
 match identity remote address 162.159.###.### 255.255.255.255
 identity local fqdn ad329f56###############bbe898c0a0.33145236.ipsec.cloudflare.com
 authentication remote pre-share
 authentication local pre-share
 keyring local CF_MAGIC_WAN_KEYRING
 no config-exchange request
!
crypto ikev2 profile CF_MAGIC_WAN_02
 match identity remote address 172.64.###.### 255.255.255.255
 identity local fqdn 83f9c418###############29b3f97049.33145236.ipsec.cloudflare.com
 authentication remote pre-share
 authentication local pre-share
 keyring local CF_MAGIC_WAN_KEYRING
 no config-exchange request
!
!
!
!
crypto ipsec profile CF_MAGIC_WAN_01
 set security-association lifetime kilobytes disable
 set security-association replay disable
 set pfs group14
 set ikev2-profile CF_MAGIC_WAN_01
!
crypto ipsec profile CF_MAGIC_WAN_02
 set security-association lifetime kilobytes disable
 set security-association replay disable
 set pfs group14
 set ikev2-profile CF_MAGIC_WAN_02
!
!
!
!
interface Tunnel101
 ip address 10.252.2.35 255.255.255.254
 ip mtu 1450
 ip tcp adjust-mss 1350
 tunnel source 10.141.0.9
 tunnel mode ipsec ipv4
 tunnel destination 162.159.###.###
 tunnel path-mtu-discovery
 tunnel protection ipsec profile CF_MAGIC_WAN_01
!
interface Tunnel102
 ip address 10.252.2.37 255.255.255.254
 ip mtu 1450
 ip tcp adjust-mss 1350
 tunnel source 10.141.0.9
 tunnel mode ipsec ipv4
 tunnel destination 172.64.###.###
 tunnel path-mtu-discovery
 tunnel protection ipsec profile CF_MAGIC_WAN_02
!
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address 10.10.0.35 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
```
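Each tunnel in the configuration above works only if its `tunnel destination`, the IPsec profile it is protected by, that profile's IKEv2 profile and the IKEv2 profile's remote identity all name the same Anycast peer; copying one tunnel block to create the second and missing one reference is a common cause of a tunnel that never comes up. The following added example (not Cloudflare's or Cisco's code) walks that chain over a constructed excerpt of the configuration, with placeholder addresses and the keys omitted, and reports any tunnel whose chain ends at a different peer.

```python
# Constructed excerpt of the configuration above (placeholder addresses, keys
# omitted); Tunnel102 deliberately references the wrong IPsec profile.
SAMPLE_CONFIG = """\
crypto ikev2 profile CF_MAGIC_WAN_01
 match identity remote address 162.159.0.1 255.255.255.255
crypto ikev2 profile CF_MAGIC_WAN_02
 match identity remote address 172.64.0.2 255.255.255.255
crypto ipsec profile CF_MAGIC_WAN_01
 set ikev2-profile CF_MAGIC_WAN_01
crypto ipsec profile CF_MAGIC_WAN_02
 set ikev2-profile CF_MAGIC_WAN_02
interface Tunnel101
 tunnel destination 162.159.0.1
 tunnel protection ipsec profile CF_MAGIC_WAN_01
interface Tunnel102
 tunnel destination 172.64.0.2
 tunnel protection ipsec profile CF_MAGIC_WAN_01
"""

def parse_blocks(config):
    """Map each top-level IOS config line to its indented body lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # skip blanks and IOS section separators
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def first_arg(lines, prefix):
    """First token after `prefix` in the first matching body line, else None."""
    return next((ln[len(prefix):].split()[0] for ln in lines if ln.startswith(prefix)), None)

def check_tunnels(config):
    """Follow Tunnel -> ipsec profile -> ikev2 profile and compare the peer address."""
    blocks, findings = parse_blocks(config), []
    for name, body in blocks.items():
        if not name.startswith("interface Tunnel"):
            continue
        dest = first_arg(body, "tunnel destination ")
        ipsec = first_arg(body, "tunnel protection ipsec profile ")
        ikev2 = first_arg(blocks.get(f"crypto ipsec profile {ipsec}", []), "set ikev2-profile ")
        remote = first_arg(blocks.get(f"crypto ikev2 profile {ikev2}", []), "match identity remote address ")
        if remote != dest:
            findings.append(f"{name}: destination {dest} but IKEv2 profile {ikev2} matches remote {remote}")
    return findings
```

Run `check_tunnels` over the output of `show running-config` to get the same check against a live device.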
Diagnostic output: show crypto session detail
```txt
cisco-csr1000v#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN

Interface: Tunnel101
Profile: CF_MAGIC_WAN_01
Uptime: 00:15:16
Session status: UP-ACTIVE
Peer: 162.159.###.### port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 162.159.###.###
      Desc: (none)
  Session ID: 6
  IKEv2 SA: local 10.141.0.9/500 remote 162.159.###.###/500 Active
          Capabilities:(none) connid:1 lifetime:23:44:44
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 28110 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2684
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2684

Interface: Tunnel102
Profile: CF_MAGIC_WAN_02
Uptime: 00:14:59
Session status: UP-ACTIVE
Peer: 172.64.###.### port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 172.64.###.###
      Desc: (none)
  Session ID: 7
  IKEv2 SA: local 10.141.0.9/500 remote 172.64.###.###/500 Active
          Capabilities:(none) connid:2 lifetime:23:45:01
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 27586 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2701
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2701
```
Diagnostic output: show crypto session remote <ANYCAST 01> detail
```txt
cisco-csr1000v#show crypto session remote 162.159.###.### detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN

Interface: Tunnel101
Profile: CF_MAGIC_WAN_01
Uptime: 00:15:45
Session status: UP-ACTIVE
Peer: 162.159.###.### port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 162.159.###.###
      Desc: (none)
  Session ID: 6
  IKEv2 SA: local 10.141.0.9/500 remote 162.159.###.###/500 Active
          Capabilities:(none) connid:1 lifetime:23:44:15
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 29000 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2655
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2655
```
Diagnostic output: show crypto session remote <ANYCAST 02> detail
```txt
cisco-csr1000v#show crypto session remote 172.64.###.### detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN

Interface: Tunnel102
Profile: CF_MAGIC_WAN_02
Uptime: 00:17:10
Session status: UP-ACTIVE
Peer: 172.64.###.### port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 172.64.###.###
      Desc: (none)
  Session ID: 7
  IKEv2 SA: local 10.141.0.9/500 remote 172.64.###.###/500 Active
          Capabilities:(none) connid:2 lifetime:23:42:50
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 31639 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2569
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2569
```
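The fields worth watching in the `show crypto session detail` output above are the per-interface `Session status` (both tunnels should read `UP-ACTIVE`), the IKEv2 SA `lifetime` and the `drop` counters on the inbound and outbound flows. The following added example (not Cloudflare's or Cisco's code) parses a constructed excerpt in the same shape, with placeholder addresses and one tunnel made unhealthy on purpose, into one record per tunnel and lists the tunnels that need attention.

```python
import re

# Constructed excerpt in the shape of the "show crypto session detail" output
# above (placeholder addresses); Tunnel102 is made unhealthy on purpose.
SAMPLE_OUTPUT = """\
Interface: Tunnel101
Profile: CF_MAGIC_WAN_01
Session status: UP-ACTIVE
Peer: 162.159.0.1 port 500 fvrf: (none) ivrf: (none)
  IKEv2 SA: local 10.141.0.9/500 remote 162.159.0.1/500 Active
          Capabilities:(none) connid:1 lifetime:23:44:44
        Inbound:  #pkts dec'ed 28110 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2684
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2684

Interface: Tunnel102
Profile: CF_MAGIC_WAN_02
Session status: DOWN-NEGOTIATING
Peer: 172.64.0.2 port 500 fvrf: (none) ivrf: (none)
  IKEv2 SA: local 10.141.0.9/500 remote 172.64.0.2/500 Active
          Capabilities:(none) connid:2 lifetime:23:45:01
        Inbound:  #pkts dec'ed 27586 drop 17 life (KB/Sec) KB Vol Rekey Disabled/2701
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2701
"""

def parse_sessions(text):
    """Return one dict per 'Interface:' block with the fields worth alerting on."""
    sessions = []
    for chunk in re.split(r"(?m)^Interface: ", text)[1:]:
        s = {"interface": chunk.split("\n", 1)[0].strip()}
        s["status"] = re.search(r"Session status: (\S+)", chunk).group(1)
        s["peer"] = re.search(r"Peer: (\S+)", chunk).group(1)
        s["ike_lifetime"] = re.search(r"lifetime:(\S+)", chunk).group(1)
        # '.*?' does not cross newlines, so each drop count is read from its own line
        s["in_drop"] = int(re.search(r"Inbound:.*?drop (\d+)", chunk).group(1))
        s["out_drop"] = int(re.search(r"Outbound:.*?drop (\d+)", chunk).group(1))
        sessions.append(s)
    return sessions

def health_issues(text):
    """One message per tunnel that is not UP-ACTIVE or is dropping packets."""
    issues = []
    for s in parse_sessions(text):
        if s["status"] != "UP-ACTIVE":
            issues.append(f"{s['interface']}: status {s['status']} (peer {s['peer']})")
        if s["in_drop"] or s["out_drop"]:
            issues.append(f"{s['interface']}: drops in={s['in_drop']} out={s['out_drop']}")
    return issues
```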