Palo Alto Networks NGFW

This tutorial includes the steps required to configure IPsec tunnels to connect a Palo Alto Networks Next-Generation Firewall (NGFW) to Cloudflare Magic WAN through a Layer 3 deployment.

Software version tested

PAN-OS 9.1.14-h4

Use Cases

Magic WAN: Connecting two or more locations with RFC-1918 ↗ private non-routable address space.
Magic WAN with Cloudflare Zero Trust (Gateway egress): Same as Magic WAN, with the addition of outbound Internet access from Magic WAN protected sites egressing the Cloudflare edge network.

Prerequisites

This tutorial assumes you have a standalone NGFW with two network interfaces:

One in a trust security zone (Trust_L3_Zone) with an RFC-1918 ↗ non-Internet routable IP address (internal network);
And the other in an untrust security zone (Untrust_L3_Zone) with a legally routable IP address (Internet facing).

Additionally, there must be a default gateway set on the Virtual Router (default) pointing to the router of your Internet service provider(s).

Environment

The following IP addresses are used throughout this tutorial. Any legally routable IP addresses have been replaced with IPv4 Address Blocks Reserved for Documentation (RFC5737 ↗) addresses within the 203.0.113.0/24 subnet.

Description	Address	Address
NGFW external interface	`203.0.113.254/24`
NGFW internal interface	`10.1.100.254/24`
Local trust subnet (LAN)	`10.1.100.0/24`
NGFW tunnel interface 01	`10.252.2.26/31` (Cloudflare side)	`10.252.2.27/31` (NGFW side)
NGFW tunnel interface 02	`10.252.2.28/31` (Cloudflare side)	`10.252.2.29/31` (NGFW side)
Magic WAN anycast IP	`162.159.66.164`	`172.64.242.164`
Magic WAN health check anycast IP	`172.64.240.253`	`172.64.240.254`
VLAN0010 - remote Magic WAN site	`10.1.10.0/24`
VLAN0020 - remote Magic WAN site	`10.1.20.0/24`

Cloudflare Magic WAN

Magic IPsec Tunnels

Use the Cloudflare dashboard or API to configure two IPsec Tunnels. The settings mentioned in Add IPsec tunnels below are used for the IPsec tunnels referenced throughout the remainder of this guide.

These are the target IP addresses for bidirectional tunnel health checks:

172.64.240.253: Use with the primary IPsec tunnel.
172.64.240.254: Use with the secondary IPsec tunnel.

Add IPsec tunnels

Follow the Add tunnels instructions to create the required IPsec tunnels with the following options:
- Tunnel name: SFO_IPSEC_TUN01
- Interface address: 10.252.2.96/31
- Customer endpoint: 203.0.113.254
- Cloudflare endpoint: 162.159.66.164
- Health check rate: Low (default value is Medium)
- Health check type: Reply
- Health check target: Custom (default is Default)
- Target address: 172.64.240.253
Select Add pre-shared key later > Add tunnels.
Repeat the process to create a second IPsec tunnel with the following options:
- Tunnel name: SFO_IPSEC_TUN02
- Interface address: 10.252.2.98/31
- Customer endpoint: 203.0.113.254
- Cloudflare endpoint: 172.64.242.164
- Health check rate: Low (default value is Medium)
- Health check type: Reply
- Health check target: Custom (default is Default)
- Target address: 172.64.240.254

Generate Pre-shared keys

When you create IPsec tunnels with the option Add pre-shared key later, the Cloudflare dashboard will show you a warning indicator:

Select Edit to edit the properties of each tunnel.
Select Generate a new pre-shared key > Update and generate pre-shared key.
Copy the pre-shared key value for each of your IPsec tunnels, and save these values somewhere safe. Then, select Done.

IPsec identifier - FQDN (Fully Qualified Domain Name)

After creating your IPsec tunnels, the Cloudflare dashboard will list them under the Tunnels tab. Select the arrow (>) on each of your IPsec tunnel to collect the FQDN ID value from each of them. The FQDN ID value will be required when configuring IKE Phase 1 on the Palo Alto Networks Next-Generation Firewall.

Take note of the FQDN ID value for each of your IPsec tunnels

Magic Static Routes

If you refer to the Environment section, you will notice there is one subnet within Trust_L3_Zone: 10.1.100.0/24.

Create a static route for each of the two IPsec tunnels configured in the previous section, with the following settings (settings not mentioned here can be left with their default settings):

Tunnel 01

Description: SFO_VLAN100_01
Prefix: 10.1.100.0/24
Tunnel/Next hop: SFO_IPSEC_TUN01

Tunnel 02

Description: SFO_VLAN100_02
Prefix: 10.1.100.0/24
Tunnel/Next hop: SFO_IPSEC_TUN02

Add static routes for each of the IPsec tunnels you created in the previous step

Palo Alto Networks Next-Generation Firewall

Tag	Color
`Trust_L3_Zone`	Green
`Untrust_L3_Zone`	Red
`Cloudflare_L3_Zone`	Orange

Objects

The use of Address and Address Group objects wherever possible is strongly encouraged. These objects ensure that configuration elements that reference them are defined accurately and consistently.

Any configuration changes should be applied to the objects and will automatically be applied throughout the remainder of the configuration.

Address Objects

Name	Type	Address	Tags
`CF_Health_Check_Anycast_01`	IP Netmask	`172.64.240.253`	`Cloudflare_L3_Zone`
`CF_Health_Check_Anycast_02`	IP Netmask	`172.64.240.254`	`Cloudflare_L3_Zone`
`CF_Magic_WAN_Anycast_01`	IP Netmask	`162.159.66.164`	`Cloudflare_L3_Zone`
`CF_Magic_WAN_Anycast_02`	IP Netmask	`172.64.242.164`	`Cloudflare_L3_Zone`
`CF_MWAN_IPsec_VTI_01_Local`	IP Netmask	`10.252.2.27/31`	`Cloudflare_L3_Zone`
`CF_MWAN_IPsec_VTI_01_Remote`	IP Netmask	`10.252.2.26`	`Cloudflare_L3_Zone`
`CF_MWAN_IPsec_VTI_02_Local`	IP Netmask	`10.252.2.29/31`	`Cloudflare_L3_Zone`
`CF_MWAN_IPsec_VTI_02_Remote`	IP Netmask	`10.252.2.28`	`Cloudflare_L3_Zone`
`CF_WARP_Client_Prefix`	IP Netmask	`100.96.0.0/12`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_01`	IP Netmask	`173.245.48.0/20`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_02`	IP Netmask	`103.21.244.0/22`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_03`	IP Netmask	`103.22.200.0/22`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_04`	IP Netmask	`103.31.4.0/22`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_05`	IP Netmask	`141.101.64.0/18`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_06`	IP Netmask	`108.162.192.0/18`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_07`	IP Netmask	`190.93.240.0/20`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_08`	IP Netmask	`188.114.96.0/20`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_09`	IP Netmask	`197.234.240.0/22`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_10`	IP Netmask	`198.41.128.0/17`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_11`	IP Netmask	`162.158.0.0/15`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_12`	IP Netmask	`104.16.0.0/13`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_13`	IP Netmask	`104.24.0.0/14`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_14`	IP Netmask	`172.64.0.0/13`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_15`	IP Netmask	`131.0.72.0/22`	`Cloudflare_L3_Zone`
`Internet_L3_203-0-113-254--24`	IP Netmask	`203.0.113.254/24`	`Untrust_L3_Zone`
`VLAN0010_10-1-10-0--24`	IP Netmask	`10.1.10.0/24`	`Cloudflare_L3_Zone`
`VLAN0020_10-1-20-0--24`	IP Netmask	`10.1.20.0/24`	`Cloudflare_L3_Zone`
`VLAN0100_10-1-100-0--24`	IP Netmask	`10.1.100.0/24`	`Trust_L3_Zone`
`VLAN0100_L3_10-1-100-254--24`	IP Netmask	`10.1.10.254/24`	`Trust_L3_Zone`

Use the Palo Alto Networks Next-Generation Firewall command-Line to set the objects:

set address CF_Health_Check_Anycast_01 ip-netmask 172.64.240.253
set address CF_Health_Check_Anycast_01 tag Cloudflare_L3_Zone
set address CF_Health_Check_Anycast_02 ip-netmask 172.64.240.254
set address CF_Health_Check_Anycast_02 tag Cloudflare_L3_Zone
set address CF_Magic_WAN_Anycast_01 ip-netmask 162.159.66.164
set address CF_Magic_WAN_Anycast_01 tag Cloudflare_L3_Zone
set address CF_Magic_WAN_Anycast_02 ip-netmask 172.64.242.164
set address CF_Magic_WAN_Anycast_02 tag Cloudflare_L3_Zone
set address CF_MWAN_IPsec_VTI_01_Local ip-netmask 10.252.2.27/31
set address CF_MWAN_IPsec_VTI_01_Local tag Cloudflare_L3_Zone
set address CF_MWAN_IPsec_VTI_02_Local ip-netmask 10.252.2.29/31
set address CF_MWAN_IPsec_VTI_02_Local tag Cloudflare_L3_Zone
set address CF_MWAN_IPsec_VTI_01_Remote ip-netmask 10.252.2.26
set address CF_MWAN_IPsec_VTI_01_Remote tag Cloudflare_L3_Zone
set address CF_MWAN_IPsec_VTI_02_Remote ip-netmask 10.252.2.28
set address CF_MWAN_IPsec_VTI_02_Remote tag Cloudflare_L3_Zone
set address CF_WARP_Client_Prefix ip-netmask 100.96.0.0/12
set address CF_WARP_Client_Prefix tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_01 ip-netmask 173.245.48.0/20
set address Cloudflare_IPv4_01 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_02 ip-netmask 103.21.244.0/22
set address Cloudflare_IPv4_02 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_03 ip-netmask 103.22.200.0/22
set address Cloudflare_IPv4_03 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_04 ip-netmask 103.31.4.0/22
set address Cloudflare_IPv4_04 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_05 ip-netmask 141.101.64.0/18
set address Cloudflare_IPv4_05 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_06 ip-netmask 108.162.192.0/18
set address Cloudflare_IPv4_06 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_07 ip-netmask 190.93.240.0/20
set address Cloudflare_IPv4_07 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_08 ip-netmask 188.114.96.0/20
set address Cloudflare_IPv4_08 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_09 ip-netmask 197.234.240.0/22
set address Cloudflare_IPv4_09 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_10 ip-netmask 198.41.128.0/17
set address Cloudflare_IPv4_10 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_11 ip-netmask 162.158.0.0/15
set address Cloudflare_IPv4_11 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_12 ip-netmask 104.16.0.0/13
set address Cloudflare_IPv4_12 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_13 ip-netmask 104.24.0.0/14
set address Cloudflare_IPv4_13 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_14 ip-netmask 172.64.0.0/13
set address Cloudflare_IPv4_14 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_15 ip-netmask 131.0.72.0/22
set address Cloudflare_IPv4_15 tag Cloudflare_L3_Zone
set address Internet_L3_203-0-113-254--24 ip-netmask 203.0.113.254/24
set address Internet_L3_203-0-113-254--24 tag Untrust_L3_Zone
set address VLAN0010_10-1-10-0--24 ip-netmask 10.1.10.0/24
set address VLAN0010_10-1-10-0--24 tag Trust_L3_Zone
set address VLAN0020_10-1-20-0--24 ip-netmask 10.1.20.0/24
set address VLAN0020_10-1-20-0--24 tag Trust_L3_Zone
set address VLAN0100_10-1-100-0--24 ip-netmask 10.1.100.0/24
set address VLAN0100_10-1-100-0--24 tag Trust_L3_Zone
set address VLAN0100_L3_10-1-100-254--24 ip-netmask 10.1.100.254/24
set address VLAN0100_L3_10-1-100-254--24 tag Trust_L3_Zone

Address Group object

The Address Group object used in this configuration provides a single object representation of the entire Cloudflare IPv4 public address space.

Name	Type	Addresses	Tags
`Cloudflare_IPv4_Static_Grp`	Static	`Cloudflare_IPv4_01`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_Static_Grp`	Static	`Cloudflare_IPv4_02`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_Static_Grp`	Static	`Cloudflare_IPv4_03`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_Static_Grp`	Static	`Cloudflare_IPv4_04`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_Static_Grp`	Static	`Cloudflare_IPv4_05`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_Static_Grp`	Static	`Cloudflare_IPv4_06`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_Static_Grp`	Static	`Cloudflare_IPv4_07`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_Static_Grp`	Static	`Cloudflare_IPv4_08`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_Static_Grp`	Static	`Cloudflare_IPv4_09`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_Static_Grp`	Static	`Cloudflare_IPv4_10`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_Static_Grp`	Static	`Cloudflare_IPv4_11`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_Static_Grp`	Static	`Cloudflare_IPv4_12`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_Static_Grp`	Static	`Cloudflare_IPv4_13`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_Static_Grp`	Static	`Cloudflare_IPv4_14`	`Cloudflare_L3_Zone`
`Cloudflare_IPv4_Static_Grp`	Static	`Cloudflare_IPv4_15`	`Cloudflare_L3_Zone`

Use the Palo Alto Networks Next-Generation Firewall command-Line to set the address group object:

set address-group Cloudflare_IPv4_Static_Grp static [ Cloudflare_IPv4_01 Cloudflare_IPv4_02 Cloudflare_IPv4_03 Cloudflare_IPv4_04 Cloudflare_IPv4_05 Cloudflare_IPv4_06 Cloudflare_IPv4_07 Cloudflare_IPv4_08 Cloudflare_IPv4_09 Cloudflare_IPv4_10 Cloudflare_IPv4_11 Cloudflare_IPv4_12 Cloudflare_IPv4_13 Cloudflare_IPv4_14 Cloudflare_IPv4_15 ]
set address-group Cloudflare_IPv4_Static_Grp tag Cloudflare_L3_Zone

Interface Mgmt - Network Profiles

Interface Mgmt profiles control what traffic is allowed to the firewall, as opposed to through the firewall.

Adding an Interface Mgmt profile to the tunnel interfaces will provide the ability to ping the Virtual Tunnel Interface on your firewall(s).

Set up via dashboard

You can define an Interface Management Profile to allow ping from the dashboard:

Go to Network Profiles > Interface Mgmt.
In the Network tab select Add.
Create profiles to allow Ping, and in the Network Services group select Ping.

Set up via command line

You can also use the command line to allow ping:

set network profiles interface-management-profile Allow_Ping userid-service no
set network profiles interface-management-profile Allow_Ping ping yes

Network Interfaces

Palo Alto Networks Next-Generation Firewall (NGFW) is configured with two Ethernet interfaces:

Interface	Interface Type	IP Address	Virtual Router
ethernet1/1	Layer3	`10.1.100.254/24`	default
ethernet1/2	Layer3	`203.0.113.254/24`	default

Set up via dashboard

Follow the guidance on the images below to set up the Ethernet interfaces through the dashboard.

ethernet1/1: `Trust_L3_Zone`

Name	Option	Value
ethernet1/1	Interface Type	Layer3
	Netflow Profile	None
Config tab	Virtual Router	default
	Security Zone	Trust_L3_Zone
IPv4 tab	Type	Static
	IP	`VLAN0100_L3_10-1-100-254--24` address object
Advanced tab	Management Profile	Mgmt_Services

ethernet1/2: `Untrust_L3_Zone`

Name	Option	Value
ethernet1/2	Interface Type	Layer3
	Netflow Profile	None
Config tab	Virtual Router	default
	Security Zone	Untrust_L3_Zone
IPv4 tab	Type	Static
	IP	`Internet_L3_203-0-113-254--24` address object
Advanced tab	Management Profile	Allow_Ping
	MTU	`576 - 1500`
	Adjust TCP MSS	Enable
	IPv4 MSS Adjustment	`64`

After setting up your Ethernet interfaces, they should show up on the overview page:

Set up via command line

You can also use the command line to set up the Ethernet interfaces.

set network interface ethernet ethernet1/1 layer3 ndp-proxy enabled no
set network interface ethernet ethernet1/1 layer3 lldp enable no
set network interface ethernet ethernet1/1 layer3 ip VLAN0100_L3_10-1-100-254--24
set network interface ethernet ethernet1/1 layer3 interface-management-profile Mgmt_Services
set network interface ethernet ethernet1/2 layer3 ndp-proxy enabled no
set network interface ethernet ethernet1/2 layer3 lldp enable no
set network interface ethernet ethernet1/2 layer3 ip Internet_L3_203-0-113-254--24
set network interface ethernet ethernet1/2 layer3 interface-management-profile Allow_Ping
set network interface ethernet ethernet1/2 layer3 adjust-tcp-mss enable yes
set network interface ethernet ethernet1/2 layer3 adjust-tcp-mss ipv4-mss-adjustment 64

Tunnel interfaces

Establishing IPsec Tunnels to Cloudflare Magic WAN requires two tunnel interfaces - one to each of the two Cloudflare anycast IP addresses. You also have to ensure that Allow_Ping is bound to both tunnel adapters in Advanced > Managementt Profile.

Review the images below for more information.

Set up via dashboard

tunnel.1 - `Cloudflare_L3_Zone`

Name	Option	Value
tunnel.1	Netflow Profile	None
Config tab	Virtual Router	default
	Security Zone	Cloudflare_L3_Zone
IPv4 tab	IP	`CF_MWAN_IPsec_VTI_01_Local` address object
Advanced tab	Management Profile	Allow_Ping
	MTU	`1450`

tunnel.2 - `Cloudflare_L3_Zone`

Name	Option	Value
tunnel.2	Netflow Profile	None
Config tab	Virtual Router	default
	Security Zone	Cloudflare_L3_Zone
IPv4 tab	IP	`CF_MWAN_IPsec_VTI_02_Local` address object
Advanced tab	Management Profile	Allow_Ping
	MTU	`1450`

After setting up your Tunnel interfaces, they should show up on the overview page:

Set up via command line

You can also set up your tunnels in the command line:

set network interface tunnel units tunnel.1 ip CF_MWAN_IPsec_VTI_01_Local
set network interface tunnel units tunnel.1 mtu 1450
set network interface tunnel units tunnel.1 interface-management-profile Allow_Ping
set network interface tunnel units tunnel.2 ip CF_MWAN_IPsec_VTI_02_Local
set network interface tunnel units tunnel.2 mtu 1450
set network interface tunnel units tunnel.2 interface-management-profile Allow_Ping

Zones

The Palo Alto Networks Next-Generation Firewall (NGFW) used to create this tutorial includes the following zones and corresponding network interfaces:

Zone	Interface	Interface
`Trust_L3_Zone`	ethernet1/1
`Untrust_L3_Zone`	ethernet1/2
`Cloudflare_L3_Zone`	tunnel.1	tunnel.2

The tunnel interfaces are placed in a separate zone to facilitate the configuration of more granular security policies. The use of any other zone for the tunnel interfaces will require adapting the configuration accordingly.

Set up via dashboard

`Trust_L3_zone`

Name	Option	Value
`Trust_L3_zone`	Log setting	None
	Type	Layer3
	Interfaces	ethernet1/1
	Zone Protection Profile	None

`Untrust_L3_zone`

Name	Option	Value
`Untrust_L3_zone`	Log setting	None
	Type	Layer3
	Interfaces	ethernet1/2
	Zone Protection Profile	Untrust_Zone_Prof

`Cloudflare_L3_zone`

Name	Option	Value
`Cloudflare_L3_zone`	Log setting	None
	Type	Layer3
	Interfaces	tunnel.1 tunnel.2
	Zone Protection Profile	None

The Palo Alto interface showing the Tunnel Interfaces overview section

Set up via command line

You can also use the command line to associate zones and interfaces:

set zone Trust_L3_Zone network layer3 ethernet1/1
set zone Untrust_L3_Zone network layer3 ethernet1/2
set zone Cloudflare_L3_Zone network layer3 [ tunnel.1 tunnel.2 ]

Apply Changes

This would be a good time to save and commit the configuration changes made so far. Once complete, make sure you test basic connectivity to and from the firewall.

IKE crypto profile Phase 1

Add a new IKE crypto profile to support the required parameters for Phase 1.

Multiple DH groups and authentication settings are defined in the desired order. Palo Alto Networks Next-Generation Firewall (NGFW) will automatically negotiate the optimal settings based on specified values.

Set up via dashboard

Name	Option	Value
`CF_IKE_Crypto_CBC`	DH Group	group20
	Authentication	sha512 sha384 sha256
	Encryption	aes-256-cbc
	Key Lifetime	24 hours
	IKEv2 Authentication Multiple	`0`

Set up via command line

You can also set up the crypto profile for Phase 1 via the command line:

set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC hash [ sha512 sha384 sha256 ]
set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC dh-group [ group20 ]
set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC lifetime hours 24
set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC authentication-multiple 0

IPsec crypto profile Phase 2

Add a new IPsec crypto profile to support the required parameters for Phase 2.

Multiple Authentication settings are defined in the desired order. Palo Alto Networks Next-Generation Firewall (NGFW) will automatically negotiate the optimal settings based on specified values.

Set up via dashboard

Name	Option	Value
`CF_IPsec_Crypto_CBC`	Encryption	aes-256-cbc
	Authentication	sha256 sha1
	DH Group	group20
	Lifetime	8 hours

Set up via command line

You can also set up the IPsec crypto profile for Phase 2 via the command line:

set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC esp authentication [ sha256 sha1 ]
set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC dh-group group20

IKE Gateways

Define two IKE Gateways to establish the two IPsec tunnels to Cloudflare. Make sure to define the following values:

Set up via dashboard

Tunnel 1 settings: `CF_Magic_WAN_IKE_01`

Tab	Option	Value
General tab	Name	`CF_Magic_WAN_IKE_01`
	Version	IKEv2 only mode. Make sure both IKE Gateways are based only on this setting.
	Local IP Address	`Internet_L3_203-0-113-254--24`
	Peer address	`CF_Magic_WAN_Anycast_01`
	Pre-Shared Key	This value can be obtained from the Cloudflare dashboard - value is unique per tunnel.
	Local Identification	FQDN (hostname). You can obtain this value from the Cloudflare Dashboard - value is unique per tunnel.
	Peer Identification	None
Advanced tab	IKE Crypto Profile	CF_IKE_Crypto_CBC
	Liveness Check	The default value (five seconds) is sufficient. This setting is used to periodically determine if there are any underlying connectivity issues that may adversely affect the creation of Phase 1 Security Associations.

Tunnel 2 settings: `CF_Magic_WAN_IKE_02`

Tab	Option	Value
General tab	Name	`CF_Magic_WAN_IKE_02`
	Version	IKEv2 only mode. Make sure both IKE Gateways are based only on this setting.
	Local IP Address	`Internet_L3_203-0-113-254--24`
	Peer address	`CF_Magic_WAN_Anycast_02`
	Pre-Shared Key	This value can be obtained from the Cloudflare dashboard - value is unique per tunnel.
	Local Identification	FQDN (hostname). You can obtain this value from the Cloudflare Dashboard - value is unique per tunnel.
	Peer Identification	None
Advanced tab	IKE crypto profile	CF_IKE_Crypto_CBC
	Liveness Check	The default value (five seconds) is sufficient. This setting is used to periodically determine if there are any underlying connectivity issues that may adversely affect the creation of Phase 1 Security Associations.

Set up via command line

Tunnel 1 settings: `CF_Magic_WAN_IKE_01`

set network ike gateway CF_Magic_WAN_IKE_01 protocol ikev1 dpd enable yes
set network ike gateway CF_Magic_WAN_IKE_01 protocol ikev2 dpd enable yes
set network ike gateway CF_Magic_WAN_IKE_01 protocol ikev2 ike-crypto-profile CF_IKE_Crypto_CBC
set network ike gateway CF_Magic_WAN_IKE_01 protocol version ikev2
set network ike gateway CF_Magic_WAN_IKE_01 local-address ip Internet_L3_203-0-113-254--24
set network ike gateway CF_Magic_WAN_IKE_01 local-address interface ethernet1/2
set network ike gateway CF_Magic_WAN_IKE_01 protocol-common nat-traversal enable no
set network ike gateway CF_Magic_WAN_IKE_01 protocol-common fragmentation enable no
set network ike gateway CF_Magic_WAN_IKE_01 peer-address ip CF_Magic_WAN_Anycast_01
set network ike gateway CF_Magic_WAN_IKE_01 authentication pre-shared-key key -AQ==Xdcd9ir5o5xhjuIH---------------------HsRoVf+M0TTG4ja3EzulN37zMOwGs
set network ike gateway CF_Magic_WAN_IKE_01 local-id id 28de99ee57424ee0a1591384193982fa.33145236.ipsec.cloudflare.com
set network ike gateway CF_Magic_WAN_IKE_01 local-id type fqdn
set network ike gateway CF_Magic_WAN_IKE_01 disabled no

Tunnel 2 settings: `CF_Magic_WAN_IKE_02`

set network ike gateway CF_Magic_WAN_IKE_02 protocol ikev1 dpd enable yes
set network ike gateway CF_Magic_WAN_IKE_02 protocol ikev2 dpd enable yes
set network ike gateway CF_Magic_WAN_IKE_02 protocol ikev2 ike-crypto-profile CF_IKE_Crypto_CBC
set network ike gateway CF_Magic_WAN_IKE_02 protocol version ikev2
set network ike gateway CF_Magic_WAN_IKE_02 local-address ip Internet_L3_203-0-113-254--24
set network ike gateway CF_Magic_WAN_IKE_02 local-address interface ethernet1/2
set network ike gateway CF_Magic_WAN_IKE_02 protocol-common nat-traversal enable no
set network ike gateway CF_Magic_WAN_IKE_02 protocol-common fragmentation enable no
set network ike gateway CF_Magic_WAN_IKE_02 peer-address ip CF_Magic_WAN_Anycast_02
set network ike gateway CF_Magic_WAN_IKE_02 authentication pre-shared-key key -AQ==rvwEulxx7wLBl---------------------swSeJPXxxM2cfPbt7q4HZZGZZ8
set network ike gateway CF_Magic_WAN_IKE_02 local-id id b87322b0915b47158667bf1653990e66.33145236.ipsec.cloudflare.com
set network ike gateway CF_Magic_WAN_IKE_02 local-id type fqdn
set network ike gateway CF_Magic_WAN_IKE_02 disabled no

IPsec Tunnels

With the IKE Gateways defined, the next step is to configure two IPsec Tunnels - one corresponding to each of the two IKE Gateways configured in the previous section.

Prerequisites

There are a few prerequisites you should be aware of before continuing:

Do not configure Proxy IDs. Magic WAN IPsec tunnels are based on the route-based VPN model. Proxy IDs are used with policy-based VPNs.
Disable Replay Protection, under the Advanced Options.
Disable Tunnel Monitor. It can cause undesirable results. Tunnel Monitor is a Palo Alto Networks proprietary feature that assumes there are Palo Alto Networks Next-Generation Firewall devices on both sides of the IPsec tunnel. Also, Tunnel Monitor is intended for use with IPsec tunnels based on IKEv1 (Magic WAN IPsec tunnels are based on IKEv2).

Set up via dashboard

Tunnel 1 settings: `CF_Magic_WAN_IPsec_01`

Name	Option	Value
`CF_Magic_WAN_IPsec_01`	Tunnel interface	tunnel.1
	IKE Gateway	CF_Magic_WAN_IKE_01
	IPsec crypto profile	CF_IKE_Crypto_CBC
	Enable Replay Protection	Disable

Palo Alto Networks NGFW

Software version tested

Use Cases

Prerequisites

Environment

Cloudflare Magic WAN

Magic IPsec Tunnels

Add IPsec tunnels

Generate Pre-shared keys

IPsec identifier - FQDN (Fully Qualified Domain Name)

Magic Static Routes

Tunnel 01

Tunnel 02

Palo Alto Networks Next-Generation Firewall

Tags

Objects

Address Objects

Address Group object

Interface Mgmt - Network Profiles

Set up via dashboard

Set up via command line

Network Interfaces

Set up via dashboard

ethernet1/1: Trust_L3_Zone

ethernet1/2: Untrust_L3_Zone

Set up via command line

Tunnel interfaces

Set up via dashboard

tunnel.1 - Cloudflare_L3_Zone

tunnel.2 - Cloudflare_L3_Zone

Set up via command line

Zones

Set up via dashboard

Trust_L3_zone

Untrust_L3_zone

Cloudflare_L3_zone

Set up via command line

Apply Changes

IKE crypto profile Phase 1

Set up via dashboard

Set up via command line

IPsec crypto profile Phase 2

Set up via dashboard

Set up via command line

IKE Gateways

Set up via dashboard

Tunnel 1 settings: CF_Magic_WAN_IKE_01

Tunnel 2 settings: CF_Magic_WAN_IKE_02

Set up via command line

Tunnel 1 settings: CF_Magic_WAN_IKE_01

Tunnel 2 settings: CF_Magic_WAN_IKE_02

IPsec Tunnels

Prerequisites

Set up via dashboard

Tunnel 1 settings: CF_Magic_WAN_IPsec_01

ethernet1/1: `Trust_L3_Zone`

ethernet1/2: `Untrust_L3_Zone`

tunnel.1 - `Cloudflare_L3_Zone`

tunnel.2 - `Cloudflare_L3_Zone`

`Trust_L3_zone`

`Untrust_L3_zone`

`Cloudflare_L3_zone`

Tunnel 1 settings: `CF_Magic_WAN_IKE_01`

Tunnel 2 settings: `CF_Magic_WAN_IKE_02`

Tunnel 1 settings: `CF_Magic_WAN_IKE_01`

Tunnel 2 settings: `CF_Magic_WAN_IKE_02`

Tunnel 1 settings: `CF_Magic_WAN_IPsec_01`