Skip to content
Cloudflare Docs

Configure tunnel endpoints

Cloudflare recommends two tunnels for each ISP and network location router combination, one per Cloudflare endpoint. Shortly after your onboarding kickoff call, Cloudflare will assign two Cloudflare endpoint addresses that you can use as the tunnel destinations on your network location's routers/endpoints.

Before you begin

Before creating a tunnel, make sure you have the following information:

  • Cloudflare endpoint addresses: Provided by Cloudflare after your onboarding kickoff call.
  • Customer endpoint IP: A public Internet routable IP address outside of the prefixes Cloudflare will advertise on your behalf (typically provided by your ISP). Not required if using Cloudflare Network Interconnect or for IPsec tunnels (unless your router uses an IKE ID of type ID_IPV4_ADDR).
  • Interface address: A /31 (recommended) or /30 subnet from RFC 1918 private IP space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or 169.254.240.0/20(this address space is also a link-local address).

Ways to onboard traffic to Cloudflare

GRE and IPsec tunnels

You can use GRE or IPsec tunnels to onboard your traffic to Magic WAN, and set them up through the Cloudflare dashboard or the API. If you use the API, you need your account ID and API key.

Choose between GRE and IPsec

FeatureGREIPsec
EncryptionNoYes
AuthenticationNoPre-shared key (PSK)
Setup complexitySimplerRequires PSK exchange
Best forTrusted networks, CNI connectionsInternet-facing connections requiring encryption

Refer to Tunnels and encapsulation to learn more about the technical requirements for both tunnel types.

IPsec supported ciphers

Refer to supported ciphers for IPsec for a complete list. IPsec tunnels only support Internet Key Exchange version 2 (IKEv2).

Anti-replay protection

If you use Magic WAN and anycast IPsec tunnels, we recommend disabling anti-replay protection. Cloudflare disables this setting by default. However, you can enable it through the API or the Cloudflare dashboard for devices that do not support disabling it, including Cisco Meraki, Velocloud, and AWS VPN Gateway.

Refer to Anti-replay protection for more information on this topic, or Add IPsec tunnels to learn how to enable this feature.

Network Interconnect (CNI)

Beyond GRE and IPsec tunnels, you can also use Network Interconnect (CNI) to onboard your traffic to Magic WAN. Refer to Network Interconnect (CNI) for more information.

Add tunnels

  1. Log in to Cloudflare One, and go to Networks.
  2. Go to Connectors > WAN Tunnels, and select Create.
  3. On the Add Tunnel page, choose either a GRE tunnel or IPsec tunnel.
  1. In Name, give your tunnel a descriptive name. This name must be unique, cannot contain spaces or special characters, and cannot be shared with other tunnels.
  2. (Optional) Give your tunnel a description in Description.
  3. In IPv4 Interface address, enter the internal IP address for your tunnel along with the interface's prefix length (/31 or /30). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using a /31 subnet, as it provides the most efficient use of IP address space.

Expand the section below for your tunnel type to complete the configuration:

GRE tunnel

  1. In Customer GRE endpoint, enter your router's public IP address. You do not need this value if you use a physical or virtual connection like Cloudflare Network Interconnect because Cloudflare provides it.

  2. In Cloudflare GRE endpoint, enter the anycast address you received from your account team.

  3. (Optional) Leave the default values for TTL and MTU, or customize them for your network.

  4. (Optional) Configure health check settings. Expand the following to learn more about each option:

    Health check options
    • Tunnel health checks: Enabled by default. If you disable tunnel health checks, your tunnels appear 100% down in your tunnel health dashboard even when working. Cloudflare keeps sending traffic through the tunnel without the means to detect if the tunnel goes down. You must set up your own system to detect down tunnels, as Cloudflare cannot warn you about down tunnels. Refer to Tunnel health checks for more information.
    • Health check rate: If you keep tunnel health checks enabled, choose a health check rate for your tunnel. Available options are Low, Medium, and High.
    • Health check type: Defaults to Reply and to creating an ICMP (Internet Control Message Protocol) reply. If your firewall drops this type of packet because it assumes the packet is an attack, change this option to Request which creates an ICMP request. Refer to Tunnel health checks for more information.
    • Health check direction: Defaults to bidirectional for Magic WAN. Refer to Bidirectional vs unidirectional health checks for more details.
    • Health check target: The customer end of the tunnel. This field is only visible when Health check direction is set to Unidirectional.

  5. (Optional) We recommend you test your tunnel before officially adding it. To test the tunnel, select Test tunnels.

  1. (Optional) Select Automatic return routing if you are setting up this tunnel for a site that only needs to send traffic to and receive responses from Cloudflare, and does not need to receive traffic from other sites in your WAN. Refer to Configure Automatic Return Routing for more information.
  1. To add multiple tunnels, select Add GRE tunnel for each new tunnel.
  1. After adding your tunnel information, select Add tunnels.
  1. (Optional) Select Allow BGP (Border Gateway Protocol) peering (beta) if you want to dynamically exchange routes between your network and Cloudflare. This feature requires Unified Routing (beta).
    BGP is recommended for environments with frequently changing routes or when you need automatic failover. Refer to Configure BGP routes for more information.

IPsec tunnel

  1. (Optional) In Customer endpoint, enter your router's public IP address. This value is only required if your router uses an IKE ID of type ID_IPV4_ADDR.

  2. In Cloudflare endpoint, enter the anycast address you received from your account team.

  3. (Optional) Configure health check settings. Expand the following to learn more about each option:

    Health check options
    • Tunnel health checks: Enabled by default. If you disable tunnel health checks, your tunnels appear 100% down in your tunnel health dashboard even when working. Cloudflare keeps sending traffic through the tunnel without the means to detect if the tunnel goes down. You must set up your own system to detect down tunnels, as Cloudflare cannot warn you about down tunnels. Refer to Tunnel health checks for more information.
    • Health check rate: If you keep tunnel health checks enabled, choose a health check rate for your tunnel. Available options are Low, Medium, and High.
    • Health check type: Defaults to Reply and to creating an ICMP (Internet Control Message Protocol) reply. If your firewall drops this type of packet because it assumes the packet is an attack, change this option to Request which creates an ICMP request. Refer to Tunnel health checks for more information.
    • Health check direction: Defaults to bidirectional for Magic WAN. Refer to Bidirectional vs unidirectional health checks for more details.
    • Health check target: The customer end of the tunnel. This field is only visible when Health check direction is set to Unidirectional.

  4. If you do not have a pre-shared key yet:

    1. Select Add pre-shared key later.
    2. (Optional) We recommend you test your tunnel configuration before officially adding it. To test the tunnel, select Test tunnels.
    3. Select Add tunnels.
    4. The Cloudflare dashboard loads the list of tunnels you have configured. The IPsec tunnel you just created displays a warning triangle icon to indicate it is not yet functional. Select Edit.
    5. Choose Generate a new pre-shared key > Update and generate a pre-shared key. Save the key to a safe place, and select Done.

  5. If you already have a pre-shared key:

    1. Select Use my own pre-shared key.
    2. Paste your key in Your pre-shared key.
    3. (Optional) We recommend you test your tunnel before officially adding it. To test the tunnel, select Test tunnels.
    4. Select Add tunnels.

  6. (Optional) Enable Replay protection if you have devices that do not support disabling it. Refer to Anti-replay protection for more information.

  1. (Optional) Select Automatic return routing if you are setting up this tunnel for a site that only needs to send traffic to and receive responses from Cloudflare, and does not need to receive traffic from other sites in your WAN. Refer to Configure Automatic Return Routing for more information.
  1. To add multiple tunnels, select Add IPsec tunnel for each new tunnel.
  1. After adding your tunnel information, select Add tunnels.
  1. (Optional) Select Allow BGP (Border Gateway Protocol) peering (beta) if you want to dynamically exchange routes between your network and Cloudflare. This feature requires Unified Routing (beta).
    BGP is recommended for environments with frequently changing routes or when you need automatic failover. Refer to Configure BGP routes for more information.

Bidirectional vs unidirectional health checks

To check for tunnel health, Cloudflare sends a health check probe consisting of ICMP (Internet Control Message Protocol) reply packets to your network. Cloudflare needs to receive these probes to know if your tunnel is healthy.

Cloudflare defaults to bidirectional health checks for Magic WAN, and unidirectional health checks for Magic Transit (direct server return). However, routing unidirectional ICMP reply packets over the Internet to Cloudflare is sometimes subject to drops by intermediate network devices, such as stateful firewalls. Magic Transit customers with egress traffic can modify this setting to bidirectional.

Legacy bidirectional health checks

For customers using the legacy health check system with a public IP range, Cloudflare recommends:

  • Configuring the tunnel health check target IP address to one within the 172.64.240.252/30 prefix range.
  • Applying a policy-based route that matches packets with a source IP address equal to the configured tunnel health check target (for example 172.64.240.253/32), and route them over the tunnel back to Cloudflare.

Next steps

Now that you have set up your tunnel endpoints, you need to configure routes to direct your traffic through Cloudflare. You have two routing options:

  • Static routes: Best for simple, stable networks where routes rarely change. You manually define each route.
  • BGP peering: Best for dynamic environments with frequently changing routes, multiple prefixes, or when you need automatic failover. Requires enabling BGP on your tunnel during creation.

Refer to Configure routes for detailed instructions on both options.

After configuring your routes, you need to set up a site.

Troubleshooting

If you experience issues with your tunnels: