Expand Up @@ -55,10 +55,12 @@ Additionally, you also need to configure the necessary route table entries for t
- **IKE Version**: `ikev2`
- **Startup action**: **Start**
- **DPD timeout action**: `Restart`
- **IKE (Phase 1) lifetime**: `86400`
- **IPsec (Phase 2) lifetime**: `28800`

9. Select **Save changes**.

10. Repeat the steps above to configure the second VPN connection. Use the second outside IP address, and make the appropriate changes to IP addresses as well when configuring Cloudflare's side of the tunnel.
10. Repeat the steps above to configure the second VPN connection. Use the second outside IP address, and make the appropriate changes to IP addresses as well when configuring Cloudflare's side of the tunnel. We recommend setting the lifetimes of the second tunnel to one hour less than the primary tunnel. This prevents both tunnels from executing their critical control plane operations at the same time.

:::note
ECMP over two VPN tunnels is not supported with a static routing configuration. You will need to configure dynamic routing for the VPN between the transit gateway and the customer gateway device. Refer to [AWS documentation](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html) for more information.
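Review bot: the new sentence in step 10 makes the reader derive the second tunnel's lifetimes, while the bullet list above step 9 gives the first tunnel's values explicitly (86400 and 28800); state the second tunnel's values in the same form, e.g. `IKE (Phase 1) lifetime: 82800` and `IPsec (Phase 2) lifetime: 25200`, and say that both lifetimes are offset, which is what the FortiGate sample in this PR does. "Critical control plane operations" is vague; say "rekey", since that is the operation the offset is meant to separate.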
Expand All @@ -80,7 +82,7 @@ After configuring the AWS transit gateway VPN connection and the tunnel as menti
- **Health check direction**: Choose **Bidirectional**
- **Replay protection**: Select **Enabled**.
2. Select **Save**.
3. Repeat the above steps for `tunnel02`. Chose the same prefix, but select the second IPsec tunnel for **Tunnel/Next hop**.
3. Repeat the above steps for `tunnel02`. Choose the second anycast IP for your endpoint.

### Static routes

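Review bot: the rewritten step 3 drops the instruction to keep the same prefix and to select the second IPsec tunnel for **Tunnel/Next hop** without replacing it; if that guidance was wrong, the PR should say why, otherwise merge the two, e.g. "Choose the second anycast IP for the Cloudflare endpoint, keep the same prefix, and select the second IPsec tunnel for **Tunnel/Next hop**." "Your endpoint" is also ambiguous, since the AWS steps above call the customer side the "outside IP address"; name the field on Cloudflare's side of `tunnel02` that takes the anycast IP.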
Expand Up @@ -55,12 +55,14 @@ crypto ikev2 profile CF_MAGIC_WAN_02
!
crypto ipsec profile CF_MAGIC_WAN_01
set security-association lifetime kilobytes disable
set security-association lifetime seconds 28800
set security-association replay disable
set pfs group20
set ikev2-profile CF_MAGIC_WAN_01
!
crypto ipsec profile CF_MAGIC_WAN_02
set security-association lifetime kilobytes disable
set security-association lifetime seconds 25200
set security-association replay disable
set pfs group14
set ikev2-profile CF_MAGIC_WAN_02
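Review bot: only the IPsec (child SA) lifetime is staggered here; the `crypto ikev2 profile CF_MAGIC_WAN_02` block named in the hunk header is left untouched, so both IKE SAs still rekey on the same schedule. For parity with the FortiGate change in this PR (phase 1 `keylife 82800` on Tun2), offset the IKEv2 SA lifetime of the second profile as well. Separately, the two context blocks disagree on PFS (`set pfs group20` in profile 01 versus `set pfs group14` in profile 02); that predates this PR, but it is worth aligning while the file is being edited, since the VyOS sample in the same PR uses `dh-group '20'`.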
Expand Up @@ -142,7 +142,7 @@ fortigate # config vpn ipsec phase1-interface
edit "MWAN_IPsec_Tun2"
set interface "wan1"
set ike-version 2
set keylife 86400
set keylife 82800
set peertype any
set net-device enable
set proposal aes256gcm-prfsha512 aes256gcm-prfsha384 aes256gcm-prfsha256
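Review bot: `set keylife 82800` on `MWAN_IPsec_Tun2` is the phase 1 half of the one-hour offset, but the hunk shows nothing of `MWAN_IPsec_Tun1`; confirm its `keylife` stays at 86400 so the offset is measured against the primary and matches the 24-hour IKE value added to the requirements page in this PR.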
Expand Down Expand Up @@ -176,7 +176,7 @@ fortigate # config vpn ipsec phase2-interface
set proposal aes256gcm aes128gcm
set dhgrp 20
set replay disable
set keylifeseconds 28800
set keylifeseconds 25200
set auto-negotiate enable
set keepalive enable
next
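Review bot: the context lines do not include the `edit` line of this phase2-interface entry, so it is not visible whether `set keylifeseconds 25200` lands in Tun2's block rather than Tun1's; expand the context or name the entry in the PR description. If it is Tun2, 25200 is consistent with the 7-hour backup IPsec lifetime used in the other files of this PR.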
Expand Up @@ -15,6 +15,7 @@ This tutorial contains configuration information and a sample template for using
- The IPsec tunnel endpoint on this VyOS router is the `<IP_ADDR_OF_UPLINK_INTF_TO_INTERNET/WAN>`.
- The IP address of the IPsec tunnel endpoint on the Cloudflare side is the anycast IP address provided by Cloudflare.
- This router is configured to initiate the IPsec tunnel connection.
- Configure every endpoint with at least two tunnels, using both anycast IPs provided by Cloudflare. When configuring the second redundant tunnel, use a value that does not overlap with the primary tunnel for the IKE/ESP lifetime configuration. For example, for the primary ESP lifetime of 8 hours as suggested, use 7 hours for the backup tunnel. This ensures they do not rekey at the same time in case of a control plane disruption.

## Configuration parameters

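Review bot: in the new bullet, "a value that does not overlap" is imprecise, since a lifetime is a single number; say "a lifetime one hour shorter than the primary tunnel's". The example covers ESP only (8 hours versus 7 hours) although the sentence names "IKE/ESP lifetime"; give the IKE pair as well (24 hours versus 23 hours), as the FortiGate sample in this PR does. "This ensures they do not rekey at the same time in case of a control plane disruption" reads as if the disruption triggers the simultaneous rekey; the point is that a disruption during one tunnel's rekey window should not also hit the other, so reword along those lines.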
Expand Down Expand Up @@ -43,7 +44,7 @@ This tutorial contains configuration information and a sample template for using
set interfaces vti <name of the vti interface> address
'<PRIVATE_IP_ADDRESS_OF_IPSEC_TUNNEL_INTERFACE>'
set vpn ipsec esp-group <NAME_OF_ESP_GROUP> compression 'disable'
set vpn ipsec esp-group <NAME_OF_ESP_GROUP> lifetime '86400'
set vpn ipsec esp-group <NAME_OF_ESP_GROUP> lifetime '28800'
set vpn ipsec esp-group <NAME_OF_ESP_GROUP> mode 'tunnel'
set vpn ipsec esp-group <NAME_OF_ESP_GROUP> pfs 'enable'
set vpn ipsec esp-group <NAME_OF_ESP_GROUP> proposal 1 encryption 'aes256gcm128'
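Review bot: the change to `lifetime '28800'` corrects the earlier inversion in which the ESP SA (86400) outlived the IKE SA (28800, changed in the next hunk). Because the sample uses a single `<NAME_OF_ESP_GROUP>` placeholder, the 25200 backup value recommended by the new bullet in this file has nowhere to go; either add a second esp-group (e.g. `<NAME_OF_ESP_GROUP_2>` with `lifetime '25200'`) or state which tunnel this group belongs to.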
Expand All @@ -54,7 +55,7 @@ set vpn ipsec ike-group <NAME_OF_IKE_GROUP> dead-peer-detection interval '30'
set vpn ipsec ike-group <NAME_OF_IKE_GROUP> dead-peer-detection timeout '120'
set vpn ipsec ike-group <NAME_OF_IKE_GROUP> ikev2-reauth 'no'
set vpn ipsec ike-group <NAME_OF_IKE_GROUP> key-exchange 'ikev2'
set vpn ipsec ike-group <NAME_OF_IKE_GROUP> lifetime '28800'
set vpn ipsec ike-group <NAME_OF_IKE_GROUP> lifetime '86400'
set vpn ipsec ike-group <NAME_OF_IKE_GROUP> mobike 'disable'
set vpn ipsec ike-group <NAME_OF_IKE_GROUP> proposal 1 dh-group '20'
set vpn ipsec ike-group <NAME_OF_IKE_GROUP> proposal 1 encryption 'aes256gcm128'
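Review bot: `lifetime '86400'` on the ike-group now lines up with the 24-hour IKE recommendation and with `keylife 86400` in the FortiGate sample. As with the esp-group, the lifetime is set per `<NAME_OF_IKE_GROUP>`, so a second tunnel that should rekey at 82800 needs its own ike-group; add one or note that the reader must create it.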
Expand Up @@ -179,6 +179,7 @@ The Child SA. Sometimes referred to as Phase 2 as per IKEv1 language.
- If your router is behind NAT and requires NAT traversal (NAT-T), then your router must initiate IKE communication on port `4500`. Most devices support configuring NAT-T to begin on port `4500` (exceptions include at least some versions of the Cisco ASA). NAT-T is not supported for IKE sessions which begin on port `500` and then switch to port `4500`.
- (Uncommon) Extended Sequence Numbers (ESN) must be disabled.
- If your tunnels need replay protection, enable Dead Peer Detection (DPD) in your router and select the option that restarts your IKE session when a DPD timeout occurs. This "restart" option ensures that the connection can recover in the event that a Cloudflare server goes offline. If your router does not expose this setting, check the router documentation for its dead peer detection behavior.
- Your tunnels should be set to a reasonable key lifetime for IKE (24 hours) and IPsec (8 hours) to protect against control plane disruption. Additionally, for a device with two tunnels, there needs to be a small lifetime difference between them (1 hour) to ensure redundancy, so that both tunnels won't attempt to renew their key at the same time. For example, to configure IPsec lifetime, set `TUNNEL_1` with the recommended 8 hours and `TUNNEL_2` with a shorter non-overlaping IPsec lifetime of 7 hours.

</Details>

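Review bot: typo "non-overlaping" should be "non-overlapping". The first sentence's rationale is off: a key lifetime by itself does not "protect against control plane disruption"; it is the offset between the two tunnels that keeps a disruption during one rekey from taking down both, so move that justification to the second sentence. "both tunnels won't attempt" reads better as "both tunnels do not attempt". The bullet should also spell out the IKE pair (24 hours for `TUNNEL_1`, 23 hours for `TUNNEL_2`), since the example only shows the IPsec pair and the FortiGate sample in this PR offsets both.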
Expand Up @@ -47,9 +47,9 @@ You can use GRE or IPsec tunnels to onboard your traffic to {props.productName},
IPsec tunnels only support Internet Key Exchange version 2 (IKEv2).
:::

#### IPsec supported ciphers
#### IPsec supported configuration

Refer to <a href={props.tunnelsAndEncapsulationPagePath}>Tunnels and encapsulation</a> to learn more about the technical requirements for GRE and IPsec tunnels used in {props.productName}. In this page, you can also find the <a href={props.ciphersPagePath}>supported ciphers for IPsec</a>.
Refer to <a href={props.tunnelsPath}>Tunnels and encapsulation</a> to learn more about the technical requirements for GRE and IPsec tunnels used in {props.productName}. In this page, you can also find the <a href={props.ciphersPath}>supported ciphers for IPsec</a>. We recommend a IKE lifetime of 24 hours and a IPsec lifetime of 8 hours. When configuring a redundant tunnel, we propose configuring it with a non-overlapping lifetime to ensure that at least one of the tunnels remains available in case of a control plane disruption. As an example, this can be achieved by configuring the primary tunnel with an IPsec lifetime of 8 hours, and the secondary backup with an IPsec lifetime of 7 hours.

#### Anti-replay protection

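Review bot: the prop renames in the hrefs (`tunnelsAndEncapsulationPagePath` to `tunnelsPath`, `ciphersPagePath` to `ciphersPath`) change this partial's interface, so every page that includes it must pass the new prop names or both `<a href>`s render with undefined targets; none of the files shown in this PR updates a caller. Either keep the old names or include the caller changes. In the new text, "a IKE lifetime" and "a IPsec lifetime" should be "an IKE lifetime" and "an IPsec lifetime", and "In this page, you can also find" refers to the linked page, so "On that page" is clearer.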