Cisco IOS XE
This tutorial contains a configuration example for setting up an IPsec tunnel between Cisco IOS XE and Cloudflare. For this tutorial, the tested Cisco IOS XE software was version 17.03.07.
You should replace peer addresses with the Anycast IP addresses assigned to your account. For example:
- Anycast 01: 162.159.###.###
- Anycast 02: 172.64.###.###
The following is a Cisco IOS XE configuration example:
Diagnostic output: show crypto session detail
Diagnostic output: show crypto session remote <ANYCAST 01> detail
Diagnostic output: show crypto session remote <ANYCAST 02> detail
Troubleshooting
If you notice connectivity issues after rebooting your Cisco router, your IPsec Security Associations (SAs) might be out of sync. Cisco recommends that you enable the Invalid Security Parameter Index (SPI) recovery feature to solve this issue. To do so, add the following lines to your configuration file:
Refer to Cisco’s documentation for more information.
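To confirm after a reboot that both tunnels came back, the output of the show crypto session detail command listed above can be checked per peer. The following is an added example, not Cloudflare's or Cisco's code: the sample output is constructed, its field layout and status strings are assumptions about typical IOS XE output, 192.0.2.1 and 198.51.100.1 are placeholder addresses standing in for the two Anycast peers, and the function names are hypothetical.

```python
import re

# Constructed sample of `show crypto session detail` output, not captured from a
# real router. 192.0.2.1 and 198.51.100.1 are documentation addresses standing in
# for the two Anycast peers; the field layout shown is an assumption.
SAMPLE = """\
Interface: Tunnel101
Session status: UP-ACTIVE
Peer: 192.0.2.1 port 500 fvrf: (none) ivrf: (none)
        Active SAs: 2, origin: crypto map

Interface: Tunnel102
Session status: DOWN-NEGOTIATING
Peer: 198.51.100.1 port 500 fvrf: (none) ivrf: (none)
        Active SAs: 0, origin: crypto map
"""

FIELDS = {
    "status": re.compile(r"Session status:\s*(\S+)"),
    "peer": re.compile(r"Peer:\s*(\S+)"),
    "active_sas": re.compile(r"Active SAs:\s*(\d+)"),
}

def parse_sessions(text):
    """Return one dict per 'Interface:' block in the command output."""
    sessions = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Interface:"):
            sessions.append({"interface": line.split(":", 1)[1].strip()})
        elif sessions:  # skip banner lines before the first session
            for key, rx in FIELDS.items():
                m = rx.match(line)
                if m:
                    sessions[-1][key] = m.group(1)
    return sessions

def unhealthy(sessions, expected_peers):
    """Map each expected peer to a reason if its tunnel is missing or not up."""
    by_peer = {s.get("peer"): s for s in sessions}
    problems = {}
    for peer in expected_peers:
        s = by_peer.get(peer)
        if s is None:
            problems[peer] = "no session"
        elif s.get("status") != "UP-ACTIVE":
            problems[peer] = "status " + s.get("status", "unknown")
        elif int(s.get("active_sas", 0)) == 0:
            problems[peer] = "no active SAs"
    return problems
```

Calling unhealthy(parse_sessions(output), [peer1, peer2]) with the router's saved output returns an empty dict when both peers are up with active SAs.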