Global WAN Solution with Cloudflare MagicWAN
  • 23 Apr 2023

Overview

Cloudflare MagicWAN enables customers to easily replace global MPLS or other dedicated connections with Cloudflare's dedicated global backbone. The solution requires a local IPSec router that is compatible with Cloudflare MagicWAN.

ZPE Nodegrid appliances are tested and validated with the Cloudflare MagicWAN solution. The combination of Cloudflare and Nodegrid SR appliances provides customers with an easily deployed global solution, fully managed with the ZPE Cloud SaaS system.

The customer builds IPSec tunnels from each location to the closest Cloudflare POP. From there, traffic is transported on the Cloudflare backbone.

First, talk with your Cloudflare representative about the deployment of Cloudflare Magic WAN. The onboarding document they provide includes the IPs for the IPsec/GRE connection to your Cloudflare account.

NOTE: This guide describes the connection of one site to Cloudflare with MagicWAN. Use the same process to connect multiple locations to the same MagicWAN instance.

Prerequisites

Before beginning the implementation, the customer should have the following information ready.

Setting                       | Comment
------------------------------|--------------------------------------------------------
Nodegrid Public IP Address    | Static public IP
Nodegrid Internal IP Address  | Internal network accessible through the Cloudflare WAN
Tunnel Peer to Peer Address   | /31 network for the peer-to-peer connection
Cloudflare Multicast Address  | IP addresses provided by Cloudflare
Cloudflare Routes             | Routes to be routed to Cloudflare MagicWAN
User ID                       | Created by Cloudflare after tunnel configuration

Cloudflare MagicWAN Configuration

  1. Connect to your Cloudflare account and go to Magic WAN.
     (screenshot: cloudflare-magic-wan)

  2. Click Configure under Manage Magic WAN Configuration.
     (screenshot: cloudflare-magic-wan-tunnel-add)

  3. Click Create to create an IPSec tunnel for Site A. Provide the following details:

Setting             | Value                        | Comment
--------------------|------------------------------|----------------------------------------------------------------
Tunnel Name         | NAME                         | Tunnel name
Description         | DESCRIPTION                  | Tunnel description
Interface Address   | INTERNAL TUNNEL IP           | Internal tunnel IP address; must be part of a /31 network. The entered IP address is assigned to the Cloudflare side of the tunnel
Customer endpoint   | PUBLIC NODEGRID IP ADDRESS   | Static IP address assigned to the Nodegrid
Cloudflare endpoint | PUBLIC CLOUDFLARE IP ADDRESS | This IP address is provided by Cloudflare during the account setup
Pre-shared key      | PRE-SHARED KEY               | Provide a pre-shared secret

     (screenshot: cloudflare-magic-wan-tunnel-configuration1)

  4. After the tunnel is added, go to Static Routes.
  5. Click +CREATE.
     (screenshot: cloudflare-magic-wan-route-add)

  6. Provide the following details:

Setting         | Value           | Comment
----------------|-----------------|----------------------------------------------------------------
Description     | DESCRIPTION     | Route description
Prefix          | ROUTE PREFIX    | Provide a routing prefix for Site A
Tunnel/Next hop | TUNNEL NEXT HOP | Select the tunnel next hop that was created for Site A
Priority        | 100             | Provide the route priority; the default is 100
Region code     | ALL Regions     | Select the region to which the routes should be pushed; by default select all

     (screenshot: cloudflare-magic-wan-route-config)

  7. Deployments of tunnels and routes take a few minutes to complete within the Cloudflare environment.
  8. Copy the User ID from the Tunnel information page. It should have the format ipsec@f5407d8db1a542b196c59f6d04ba8bd1.123456789.ipsec.cloudflare.com

Nodegrid MagicWAN Configuration

Configuring MagicWAN on a Nodegrid device requires the following steps:

  1. Prepare the Nodegrid for IPSec configuration with a VTI interface.
  2. Create an IPSec IKE profile.
  3. Create an IPSec tunnel for MagicWAN.
  4. Create static routes (if needed).

Prepare Nodegrid

  1. Log in to the Nodegrid WebUI as the admin user.
  2. Go to Network :: Settings.
  3. Enable and confirm the following settings:

Setting                | Value      | Comment
-----------------------|------------|----------------------------------------------------------------------------
Enable IPv4 IP Forward | Enabled    | Enables the routing stack for IPv4 traffic
Enable IPv6 IP Forward | Enabled    | Enables the routing stack for IPv6 traffic
Reverse Path Filtering | Loose Mode | Must be set to Loose Mode (recommended) or Disabled to avoid IPSec-specific issues

Create a MagicWAN IKE Profile

  1. Go to Network :: VPN :: IPSec.
  2. In the IPSec section, scroll to Global.
  3. Select Enable Virtual Tunnel Interface.
  4. Click Save.
  5. In the IPSec section, go to IKE Profile.
  6. Click ADD.
  7. Provide the following settings for the Cloudflare MagicWAN profile:

Setting                                        | Value              | Comment
-----------------------------------------------|--------------------|-------------
Profile Name                                   | CloudflareMagicWAN | Profile name
IKE Version                                    | IKEv2              |
Phase 1 - Encryption                           | AES-CBC256         |
Phase 1 - Authentication                       | SHA256             |
Phase 1 - Diffie-Hellman Group                 | Group14 (MODP2048) |
Phase 1 - Lifetime                             | 3600               |
Phase 2 - Authentication Protocol              | ESP                |
Phase 2 - Encryption                           | AES-CBC256         |
Phase 2 - Authentication                       | SHA256             |
Phase 2 - PFS Group                            | Group14 (MODP2048) |
Phase 2 - Lifetime                             | 28800              |
Advanced Settings - Enable Dead Peer Detection | Enabled            |
Advanced Settings - Number of Retries          | 5                  |
Advanced Settings - Interval                   | 2                  |
Advanced Settings - Action                     | restart            |
Advanced Settings - MTU                        | 1400               |

  8. Click Save.

Create IPSec tunnel

  1. In the IPSec section, navigate to Tunnel.
  2. Click ADD.
  3. Create the tunnel and provide the following details:

Setting                                | Value                         | Comment
---------------------------------------|-------------------------------|----------------------------------------------------------------
Name                                   | MagicWAN                      | Name for the tunnel
Initiate Tunnel                        | Start                         | Defines when the tunnel should start; recommended is on start-up of the Nodegrid (Start)
IKE Profile                            | CloudflareMagicWAN            | Select the newly created profile
Authentication Method - Pre-Shared Key | PRE-SHARED KEY                | Provide the same pre-shared key that was used during the Cloudflare configuration
Left ID                                | USER ID                       | Use the User ID from the Cloudflare tunnel configuration, which has the format ipsec@f5407d8db1a542b196c59f6d04ba8bd1.123456789.ipsec.cloudflare.com
Left Address                           | INTERFACE                     | Select the interface that carries the Nodegrid public IP address, e.g. %eth0
Left Source IP Address                 | NODEGRID TUNNEL IP ADDRESS    |
Left Subnet                            | Local Network                 | Local network that will be reachable through the tunnel; this must include the IP address range used for Left Source IP
Right ID                               | CLOUDFLARE PUBLIC IP ADDRESS  |
Right Address                          | CLOUDFLARE PUBLIC IP ADDRESS* |
Right Source IP Address                | CLOUDFLARE TUNNEL IP ADDRESS  |
Right Subnet                           | TUNNEL NETWORKS               | Networks that will be reachable through the tunnel
Enable Virtual Tunnel Interface        | Enabled                       |
Mark                                   | -1                            | Use the default value of -1
Interface                              | cloudflare                    | Tunnel interface name
Automatically create VTI routes        | Enabled                       | Enable this option to create routes based on the provided subnet information
Share VTI with other connections       | Enabled                       |

  4. Click Save (saves and activates the IPSec tunnel).
  5. To confirm the IPSec tunnel state, check the connection state on the Tunnel page.

Note: It can be required to enforce the MSS size for the MagicWAN tunnel. Follow the steps below to enforce the MSS and make it persistent.

  • Navigate to the root shell.
  • Change to /etc/scripts/auditing.
  • Create a new file called enforce-mss.sh with vi enforce-mss.sh.
  • Enter the following text into the file:
#!/bin/bash
# Clamp the TCP MSS on forwarded SYN packets so segments fit inside the tunnel MTU
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
  • Save the changes with :wq!
  • Make the file executable with chmod +x enforce-mss.sh
  • Assign the script to either the system Start Up event (101) or the IPSec Start event (162):
  • In the WebUI, navigate to Audit :: Events :: Event List.
  • Click on Event ID 162.
  • Select the script from the drop-down list for the field Action Script.
  • Click Save.
  • Restart the IPSec tunnel to make the change effective, or execute the script directly from the root shell with /etc/scripts/auditing/enforce-mss.sh
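The one-line script above runs a bare iptables -I each time the event fires, so every IPSec restart adds another copy of the rule to the FORWARD chain. The following is an added example, not ZPE's or Cloudflare's script, of an idempotent variant that checks with iptables -C before inserting and limits the clamp to packets entering or leaving the Magic WAN VTI. It assumes the VTI is named cloudflare (the interface name from the tunnel table), that iptables is on PATH, and that the IPTABLES variable may be overridden; none of these come from the article.

```shell
#!/bin/sh
# Added example, not ZPE's or Cloudflare's script: an idempotent version of the
# MSS clamp from the note above, limited to traffic entering or leaving the
# Magic WAN VTI. Assumptions not taken from the article: the VTI is named
# "cloudflare" (the interface name from the tunnel table), iptables is on PATH,
# and IPTABLES may be overridden (used to test the logic without root).
IPTABLES="${IPTABLES:-iptables}"

# Rule specification (everything after "FORWARD") for one direction of the VTI.
# $1 = -i (packets arriving from the tunnel) or -o (packets going into it)
# $2 = VTI interface name, $3 = MSS value (the note uses 1380 for MTU 1400)
mss_rule_spec() {
    printf '%s' "$1 $2 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $3"
}

# Insert one rule only if an identical rule is absent. "iptables -C" exits 0
# when the rule already exists, so running this on every IPSec start event
# (162) does not pile up duplicate rules the way a bare "iptables -I" does.
ensure_rule() {
    # $1 is the rule spec and is word-split on purpose.
    if "$IPTABLES" -C FORWARD $1 2>/dev/null; then
        echo "present: FORWARD $1"
    else
        "$IPTABLES" -I FORWARD $1 && echo "inserted: FORWARD $1"
    fi
}

# Clamp both directions for the given VTI (default cloudflare) and MSS (default 1380).
ensure_mss_clamp() {
    iface="${1:-cloudflare}"
    mss="${2:-1380}"
    for dir in -i -o; do
        ensure_rule "$(mss_rule_spec "$dir" "$iface" "$mss")" || return 1
    done
}

# When installed as /etc/scripts/auditing/enforce-mss.sh and run by the event,
# apply the clamp and show the chain; under any other name only define functions.
case "${0##*/}" in
    enforce-mss.sh) ensure_mss_clamp "$@" && "$IPTABLES" -S FORWARD ;;
esac
```

Installed under the same name and attached to event 162 as described above, the script can be triggered on every tunnel restart without growing the FORWARD chain; the iptables -S FORWARD output it prints is the quickest way to confirm exactly one rule per direction is present.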

Nodegrid Configuration via import_settings

An alternative process is to apply a predefined configuration with the import_settings command.

  1. Open a console connection as an admin user.
  2. Run the command import_settings.
  3. Paste in the prepared configuration.
  4. Press CTRL+D to apply the configuration.

In the below example replace the following values:

  • secret
  • left_id
  • left_address
  • left_source_ip_address
  • left_subnet
  • right_id
  • right_address
  • right_source_ip_address
  • right_subnet

Here is the full Nodegrid configuration:

/settings/network_settings enable_ipv4_ip_forward=yes
/settings/network_settings enable_ipv6_ip_forward=no
/settings/network_settings reverse_path_filtering=loose_mode
/settings/ipsec/ike_profile/CloudflareMagicWAN profile_name=CloudflareMagicWAN
/settings/ipsec/ike_profile/CloudflareMagicWAN ike_version=ikev2
/settings/ipsec/ike_profile/CloudflareMagicWAN phase_1_mode=main
/settings/ipsec/ike_profile/CloudflareMagicWAN phase_1_encryption=aes-cbc256
/settings/ipsec/ike_profile/CloudflareMagicWAN phase_1_authentication=sha256
/settings/ipsec/ike_profile/CloudflareMagicWAN phase_1_diffie-hellman_group=group_14
/settings/ipsec/ike_profile/CloudflareMagicWAN phase_1_lifetime=3600
/settings/ipsec/ike_profile/CloudflareMagicWAN phase_2_authentication_protocol=esp
/settings/ipsec/ike_profile/CloudflareMagicWAN phase_2_encryption=aes_cbc256
/settings/ipsec/ike_profile/CloudflareMagicWAN phase_2_authentication=sha2_256
/settings/ipsec/ike_profile/CloudflareMagicWAN phase_2_pfs_group=group_14
/settings/ipsec/ike_profile/CloudflareMagicWAN phase_2_lifetime=28800
/settings/ipsec/ike_profile/CloudflareMagicWAN enable_dead_peer_detection=yes
/settings/ipsec/ike_profile/CloudflareMagicWAN dead_peer_detection_number_of_retries=5
/settings/ipsec/ike_profile/CloudflareMagicWAN dead_peer_detection_interval=2
/settings/ipsec/ike_profile/CloudflareMagicWAN dead_peer_detection_action=restart
/settings/ipsec/ike_profile/CloudflareMagicWAN mtu=1400

/settings/ipsec/tunnel/Cloudflare name=Cloudflare
/settings/ipsec/tunnel/Cloudflare initiate_tunnel=ignore
/settings/ipsec/tunnel/Cloudflare ike_profile=CloudflareMagicWAN
/settings/ipsec/tunnel/Cloudflare authentication_method=pre-shared_key
/settings/ipsec/tunnel/Cloudflare secret=********
/settings/ipsec/tunnel/Cloudflare left_id=Y.Y.Y.Y
/settings/ipsec/tunnel/Cloudflare left_address=%eth0
/settings/ipsec/tunnel/Cloudflare left_source_ip_address=192.168.50.1/31
/settings/ipsec/tunnel/Cloudflare left_subnet=192.168.50.1/31, 172.0.0.0/24
/settings/ipsec/tunnel/Cloudflare right_id=Z.Z.Z.Z
/settings/ipsec/tunnel/Cloudflare right_address=Z.Z.Z.Z
/settings/ipsec/tunnel/Cloudflare right_source_ip_address=192.168.105.0
/settings/ipsec/tunnel/Cloudflare right_subnet=192.168.50.0/31,10.0.0.0/8
/settings/ipsec/tunnel/Cloudflare enable_monitoring=no
/settings/ipsec/tunnel/Cloudflare enable_virtual_tunnel_interface=yes
/settings/ipsec/tunnel/Cloudflare vti_mark=-1
/settings/ipsec/tunnel/Cloudflare vti_interface=cloudflare
/settings/ipsec/tunnel/Cloudflare automatically_create_vti_routes=yes
/settings/ipsec/tunnel/Cloudflare share_vti_with_other_connections=yes
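As an added example, not ZPE's or Cloudflare's tooling, the following POSIX shell script renders the tunnel section of the import_settings block above from the values the previous list asks you to replace, and refuses to print it when the pre-shared key is still a placeholder or when the two tunnel endpoint addresses are not the two halves of one /31 (the requirement stated in the Cloudflare tunnel table). The variable names, the default sample values (TEST-NET-3 addresses, a 192.168.50.0/31 pair) and the script name render-magicwan.sh are all constructed for the example.

```shell
#!/bin/sh
# Added example, not ZPE's or Cloudflare's tooling: render the tunnel part of
# the import_settings block from variables, refusing to emit it when the two
# tunnel endpoint addresses are not a /31 pair (the Cloudflare tunnel table's
# requirement) or the pre-shared key is still a placeholder.
# Every default below is a constructed sample value, not a real site.
TUNNEL_NAME="${TUNNEL_NAME:-Cloudflare}"
SECRET="${SECRET:-PRE-SHARED-KEY}"   # placeholder: the check rejects it
LEFT_ID="${LEFT_ID:-ipsec@ACCOUNT.TUNNEL.ipsec.cloudflare.com}"  # User ID format
LEFT_ADDRESS="${LEFT_ADDRESS:-%eth0}"
LEFT_TUNNEL_IP="${LEFT_TUNNEL_IP:-192.168.50.1}"
LEFT_SUBNET="${LEFT_SUBNET:-192.168.50.1/31, 172.0.0.0/24}"
RIGHT_ID="${RIGHT_ID:-203.0.113.10}"          # Cloudflare endpoint (TEST-NET-3 sample)
RIGHT_ADDRESS="${RIGHT_ADDRESS:-203.0.113.10}"
RIGHT_TUNNEL_IP="${RIGHT_TUNNEL_IP:-192.168.50.0}"
RIGHT_SUBNET="${RIGHT_SUBNET:-192.168.50.0/31,10.0.0.0/8}"

# Dotted-quad IPv4 address -> unsigned integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# True when the two addresses differ only in the lowest bit, i.e. they are the
# two addresses of one /31.
is_slash31_pair() {
    [ $(( $(ip2int "$1") ^ $(ip2int "$2") )) -eq 1 ]
}

# Sanity checks that would otherwise surface only as a tunnel that never comes up.
check_tunnel_vars() {
    case "$SECRET" in
        ""|PRE-SHARED-KEY|'********')
            echo "secret is still a placeholder" >&2; return 1 ;;
    esac
    if ! is_slash31_pair "$LEFT_TUNNEL_IP" "$RIGHT_TUNNEL_IP"; then
        echo "$LEFT_TUNNEL_IP and $RIGHT_TUNNEL_IP are not a /31 pair" >&2
        return 1
    fi
}

# Print the tunnel section in import_settings syntax; the fixed keys keep the
# values from the configuration above.
render_tunnel_config() {
    check_tunnel_vars || return 1
    t="/settings/ipsec/tunnel/$TUNNEL_NAME"
    cat <<EOF
$t name=$TUNNEL_NAME
$t initiate_tunnel=ignore
$t ike_profile=CloudflareMagicWAN
$t authentication_method=pre-shared_key
$t secret=$SECRET
$t left_id=$LEFT_ID
$t left_address=$LEFT_ADDRESS
$t left_source_ip_address=$LEFT_TUNNEL_IP/31
$t left_subnet=$LEFT_SUBNET
$t right_id=$RIGHT_ID
$t right_address=$RIGHT_ADDRESS
$t right_source_ip_address=$RIGHT_TUNNEL_IP
$t right_subnet=$RIGHT_SUBNET
$t enable_monitoring=no
$t enable_virtual_tunnel_interface=yes
$t vti_mark=-1
$t vti_interface=cloudflare
$t automatically_create_vti_routes=yes
$t share_vti_with_other_connections=yes
EOF
}

# Run directly under the hypothetical name render-magicwan.sh to print the block
# for pasting into import_settings; otherwise only the functions are defined.
case "${0##*/}" in
    render-magicwan.sh) render_tunnel_config ;;
esac
```

Set the variables in the environment (for example SECRET, LEFT_TUNNEL_IP and RIGHT_TUNNEL_IP) before running it; the output is ready to paste after import_settings, and a rejected run prints the reason on stderr instead of a configuration that would fail silently on the device.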
