Cloudflare 中文文档

Cloudflare 中文文档

Overview
Prerequisites
Get started
On-ramps
Configuration
Manual configuration

How to

Configure tunnel endpoints
Configure static routes
Update tunnel health checks frequency
Run traceroute

Third-party integration

Alibaba Cloud VPN Gateway
Amazon AWS Transit Gateway
Aruba EdgeConnect Enterprise
Cisco IOS XE
Cisco SD-WAN
Fortinet
Furukawa Electric FITELnet
Google Cloud VPN
Microsoft Azure
Palo Alto Networks NGFW
pfSense
SonicWall
Sophos Firewall
strongSwan
VyOS

Configure with Connector

Configure hardware Connector

SFP+ port information

Configure virtual Connector
Network options

Application-aware policies

Breakout traffic
Prioritized traffic

DHCP options

DHCP relay
DHCP server
DHCP static address reservation

Enable NAT for a subnet
Network segmentation
Routed subnets

Maintenance

Deactivate Magic WAN Connector
Heartbeat
Interrupt window

Device metrics
Reference
Troubleshooting

Configure cloud on-ramps
Common settings

Check tunnel health in the dashboard
Configure Magic Tunnel health alerts
Enable Magic user roles
Security filters
Zero Trust integration
Cloudflare Gateway
Cloudflare Tunnel
WARP
Network Interconnect (CNI)
Analytics
Site Analytics
Network Analytics
Traceroutes
Packet captures
Querying Magic WAN tunnel bandwidth analytics with GraphQL
Querying Magic WAN tunnel health check results with GraphQL
Reference
Anti-replay protection
Bandwidth measurement
Device compatibility
GRE and IPsec tunnels
Magic Tunnels background information
Traffic steering
Tunnel health checks
Legal
Changelog
Glossary

VyOS

This tutorial contains configuration information and a sample template for using a VyOS device with an IPsec configuration.

Notes

vti <NAME_OF_VTI_INTERFACE — Specifies the virtual tunnel interface of the IPsec tunnel.
esp-group <NAME_OF_ESP_GROUP> - Defines the ESP group for encrypted traffic defined by the tunnel or defines a particular ESP policy or profile.
ike-group <NAME_OF_IKE_GROUP> - Defines IKE group to use for key exchanges or defines a particular IKE policy or profile.
The IP addresses of the IPsec tunnel interfaces on both ends of the tunnel should be a pair of private IP addresses (RFC 1918) on the same /31 or /30 subnet, essentially specifying a point-to-point link.
The IPsec tunnel endpoint on this VyOS router is the <IP_ADDR_OF_UPLINK_INTF_TO_INTERNET/WAN>.
The IP address of the IPsec tunnel endpoint on the Cloudflare side is the Anycast IP address provided by Cloudflare.
This router is configured to initiate the IPsec tunnel connection.

Configuration parameters

Phase 1

Encryption
- AES-GCM with 128-bit or 256-bit key length
Integrity
- SHA512

Phase 2

Encryption
- AES-GCM with 128-bit or 256-bit key length
Integrity
- SHA512
PFS group
- DH group 14 (2048-bit MODP group)

Configuration template