# ipsec_tunnels

Creates, updates, deletes, gets or lists an ipsec_tunnels resource.

## Overview
| Name | ipsec_tunnels |
| Type | Resource |
| Id | cloudflare.magic_transit.ipsec_tunnels |
## Fields

The following fields are returned by SELECT queries.

get: List IPsec tunnel details response

| Name | Datatype | Description |
|---|---|---|
| ipsec_tunnel | object | |
list: List IPsec tunnels response

| Name | Datatype | Description |
|---|---|---|
| id | string | Identifier (example: c4a7362d577a6c3019a474fd6f485821) |
| name | string | The name of the IPsec tunnel. The name cannot share a name with other tunnels. (example: IPsec_1) |
| allow_null_cipher | boolean | When true, the tunnel can use a null-cipher (ENCR_NULL) in the ESP tunnel (Phase 2). |
| automatic_return_routing | boolean | True if automatic stateful return routing should be enabled for a tunnel, false otherwise. Requires the coupler_integration account flag to be enabled; requests setting this to true without that flag will be rejected. |
| bgp | object | |
| bgp_status | object | |
| cloudflare_endpoint | string | The IP address assigned to the Cloudflare side of the IPsec tunnel. (example: 203.0.113.1) |
| created_on | string (date-time) | The date and time the tunnel was created. (example: 2017-06-14T00:00:00Z) |
| custom_remote_identities | object | |
| customer_endpoint | string | The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work. (example: 203.0.113.1) |
| description | string | An optional description for the IPsec tunnel. (example: Tunnel for ISP X) |
| health_check | object | |
| interface_address | string | A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255. (example: 192.0.2.0/31) |
| interface_address6 | string | A 127-bit IPv6 prefix (/127) from within the virtual_subnet6 prefix space, where the address is the first IP of the subnet and is not the same as the address of virtual_subnet6. For example, if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127, interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127. (example: 2606:54c1:7:0:a9fe:12d2:1:200/127) |
| modified_on | string (date-time) | The date and time the tunnel was last modified. (example: 2017-06-14T05:20:00Z) |
| psk_metadata | object | The PSK metadata that includes when the PSK was generated. |
| replay_protection | boolean | If true, then IPsec replay protection will be supported in the Cloudflare-to-customer direction. |
## Methods

The following methods are available for this resource:

| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| get | select | ipsec_tunnel_id, account_id | x-magic-new-hc-target | Lists details for a specific IPsec tunnel. |
| list | select | account_id | x-magic-new-hc-target | Lists IPsec tunnels associated with an account. |
| psk_generate | insert | ipsec_tunnel_id, account_id | | Generates a Pre Shared Key for a specific IPsec tunnel used in the IKE session. Use ?validate_only=true as an optional query parameter to only run validation without persisting changes. After a PSK is generated, the PSK is immediately persisted to Cloudflare's edge and cannot be retrieved later. Note the PSK in a safe place. |
| create | insert | account_id, name, cloudflare_endpoint, interface_address | x-magic-new-hc-target | Creates a new IPsec tunnel associated with an account. Use ?validate_only=true as an optional query parameter to only run validation without persisting changes. |
| update | replace | ipsec_tunnel_id, account_id, name, cloudflare_endpoint, interface_address | x-magic-new-hc-target | Updates a specific IPsec tunnel associated with an account. Use ?validate_only=true as an optional query parameter to only run validation without persisting changes. |
| bulk_update | replace | account_id | x-magic-new-hc-target | Updates multiple IPsec tunnels associated with an account. Use ?validate_only=true as an optional query parameter to only run validation without persisting changes. |
| delete | delete | ipsec_tunnel_id, account_id | x-magic-new-hc-target | Disables and removes a specific static IPsec tunnel associated with an account. Use ?validate_only=true as an optional query parameter to only run validation without persisting changes. |
## Parameters

Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.

| Name | Datatype | Description |
|---|---|---|
| account_id | string | The Cloudflare account ID. |
| ipsec_tunnel_id | string | |
| x-magic-new-hc-target | boolean | If true, the health check target in the response body will be presented using the new object format. Defaults to false. |
## SELECT examples

Lists details for a specific IPsec tunnel.

```sql
SELECT
ipsec_tunnel
FROM cloudflare.magic_transit.ipsec_tunnels
WHERE ipsec_tunnel_id = '{{ ipsec_tunnel_id }}' -- required
AND account_id = '{{ account_id }}' -- required
AND x-magic-new-hc-target = '{{ x-magic-new-hc-target }}'
;
```
Lists IPsec tunnels associated with an account.

```sql
SELECT
id,
name,
allow_null_cipher,
automatic_return_routing,
bgp,
bgp_status,
cloudflare_endpoint,
created_on,
custom_remote_identities,
customer_endpoint,
description,
health_check,
interface_address,
interface_address6,
modified_on,
psk_metadata,
replay_protection
FROM cloudflare.magic_transit.ipsec_tunnels
WHERE account_id = '{{ account_id }}' -- required
AND x-magic-new-hc-target = '{{ x-magic-new-hc-target }}'
;
```
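As an added example (not part of the StackQL documentation for this resource), the same list fields can be used as an audit query that surfaces tunnels whose settings weaken the IPsec posture (null cipher permitted, replay protection off) or that cannot be proactively probed (no customer_endpoint). It assumes StackQL's usual filtering of returned columns with standard WHERE operators and boolean literals; `{{ account_id }}` is the page's placeholder.

```sql
-- Added audit example: list IPsec tunnels with weak or incomplete settings.
-- Assumes StackQL filters the returned columns with standard WHERE operators.
SELECT
id,
name,
allow_null_cipher,   -- true: ENCR_NULL may be negotiated in Phase 2, so ESP gives no confidentiality
replay_protection,   -- false: no anti-replay window in the Cloudflare-to-customer direction
customer_endpoint,   -- NULL: proactive traceroutes cannot run for this tunnel
psk_metadata,        -- records when the PSK was generated; use it to schedule PSK rotation
modified_on
FROM cloudflare.magic_transit.ipsec_tunnels
WHERE account_id = '{{ account_id }}' -- required
AND (
  allow_null_cipher = true
  OR replay_protection = false
  OR customer_endpoint IS NULL
)
ORDER BY modified_on DESC
;
```

Rows returned by this query are candidates for an `update` (see the REPLACE examples) or for a fresh `psk_generate`, after which the new PSK must be captured immediately because it cannot be retrieved later.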
## INSERT examples

Generates a Pre Shared Key for a specific IPsec tunnel used in the IKE session. Use ?validate_only=true as an optional query parameter to only run validation without persisting changes. After a PSK is generated, the PSK is immediately persisted to Cloudflare's edge and cannot be retrieved later. Note the PSK in a safe place.

```sql
INSERT INTO cloudflare.magic_transit.ipsec_tunnels (
ipsec_tunnel_id,
account_id
)
SELECT
'{{ ipsec_tunnel_id }}',
'{{ account_id }}'
RETURNING
errors,
messages,
result,
success
;
```
Creates a new IPsec tunnel associated with an account. Use ?validate_only=true as an optional query parameter to only run validation without persisting changes.

```sql
INSERT INTO cloudflare.magic_transit.ipsec_tunnels (
automatic_return_routing,
bgp,
cloudflare_endpoint,
custom_remote_identities,
customer_endpoint,
description,
health_check,
interface_address,
interface_address6,
name,
psk,
replay_protection,
account_id,
x-magic-new-hc-target
)
SELECT
{{ automatic_return_routing }},
'{{ bgp }}',
'{{ cloudflare_endpoint }}' /* required */,
'{{ custom_remote_identities }}',
'{{ customer_endpoint }}',
'{{ description }}',
'{{ health_check }}',
'{{ interface_address }}' /* required */,
'{{ interface_address6 }}',
'{{ name }}' /* required */,
'{{ psk }}',
{{ replay_protection }},
'{{ account_id }}',
'{{ x-magic-new-hc-target }}'
RETURNING
errors,
messages,
result,
success
;
```
Manifest:

```yaml
# Description fields are for documentation purposes
- name: ipsec_tunnels
  props:
    - name: ipsec_tunnel_id
      value: "{{ ipsec_tunnel_id }}"
      description: Required parameter for the ipsec_tunnels resource.
    - name: account_id
      value: "{{ account_id }}"
      description: Required parameter for the ipsec_tunnels resource.
    - name: automatic_return_routing
      value: {{ automatic_return_routing }}
      description: |
        True if automatic stateful return routing should be enabled for a tunnel, false otherwise. Requires the `coupler_integration` account flag to be enabled; requests setting this to `true` without that flag will be rejected.
      default: false
    - name: bgp
      value:
        customer_asn: {{ customer_asn }}
        extra_prefixes:
          - "{{ extra_prefixes }}"
        md5_key: "{{ md5_key }}"
    - name: cloudflare_endpoint
      value: "{{ cloudflare_endpoint }}"
      description: |
        The IP address assigned to the Cloudflare side of the IPsec tunnel.
    - name: custom_remote_identities
      value:
        fqdn_id: "{{ fqdn_id }}"
    - name: customer_endpoint
      value: "{{ customer_endpoint }}"
      description: |
        The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
    - name: description
      value: "{{ description }}"
      description: |
        An optional description for the IPsec tunnel.
    - name: health_check
      value:
        enabled: {{ enabled }}
        rate: "{{ rate }}"
        target:
          effective: "{{ effective }}"
          saved: "{{ saved }}"
        type: "{{ type }}"
        direction: "{{ direction }}"
    - name: interface_address
      value: "{{ interface_address }}"
      description: |
        A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.
    - name: interface_address6
      value: "{{ interface_address6 }}"
      description: |
        A 127-bit IPv6 prefix (/127) from within the virtual_subnet6 prefix space, where the address is the first IP of the subnet and is not the same as the address of virtual_subnet6. For example, if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127, interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127.
    - name: name
      value: "{{ name }}"
      description: |
        The name of the IPsec tunnel. The name cannot share a name with other tunnels.
    - name: psk
      value: "{{ psk }}"
      description: |
        A randomly generated or provided string for use in the IPsec tunnel.
    - name: replay_protection
      value: {{ replay_protection }}
      description: |
        If `true`, then IPsec replay protection will be supported in the Cloudflare-to-customer direction.
      default: false
    - name: x-magic-new-hc-target
      value: {{ x-magic-new-hc-target }}
      description: If true, the health check target in the request and response bodies will be presented using the new object format. Defaults to false.
```
## REPLACE examples

Updates a specific IPsec tunnel associated with an account. Use ?validate_only=true as an optional query parameter to only run validation without persisting changes.

```sql
REPLACE cloudflare.magic_transit.ipsec_tunnels
SET
automatic_return_routing = {{ automatic_return_routing }},
bgp = '{{ bgp }}',
cloudflare_endpoint = '{{ cloudflare_endpoint }}',
custom_remote_identities = '{{ custom_remote_identities }}',
customer_endpoint = '{{ customer_endpoint }}',
description = '{{ description }}',
health_check = '{{ health_check }}',
interface_address = '{{ interface_address }}',
interface_address6 = '{{ interface_address6 }}',
name = '{{ name }}',
psk = '{{ psk }}',
replay_protection = {{ replay_protection }}
WHERE
ipsec_tunnel_id = '{{ ipsec_tunnel_id }}' -- required
AND account_id = '{{ account_id }}' -- required
AND name = '{{ name }}' -- required
AND cloudflare_endpoint = '{{ cloudflare_endpoint }}' -- required
AND interface_address = '{{ interface_address }}' -- required
AND x-magic-new-hc-target = {{ x-magic-new-hc-target }}
RETURNING
errors,
messages,
result,
success;
```
Updates multiple IPsec tunnels associated with an account. Use ?validate_only=true as an optional query parameter to only run validation without persisting changes.

```sql
REPLACE cloudflare.magic_transit.ipsec_tunnels
SET
-- No updatable properties
WHERE
account_id = '{{ account_id }}' -- required
AND x-magic-new-hc-target = {{ x-magic-new-hc-target }}
RETURNING
errors,
messages,
result,
success;
```
## DELETE examples

Disables and removes a specific static IPsec tunnel associated with an account. Use ?validate_only=true as an optional query parameter to only run validation without persisting changes.

```sql
DELETE FROM cloudflare.magic_transit.ipsec_tunnels
WHERE ipsec_tunnel_id = '{{ ipsec_tunnel_id }}' -- required
AND account_id = '{{ account_id }}' -- required
AND x-magic-new-hc-target = '{{ x-magic-new-hc-target }}'
;
```