IpsecTunnel

Source: src/Cloudflare/MagicTransit/IpsecTunnel.ts

A Magic Transit / Magic WAN IPsec tunnel between Cloudflare and a customer device.

Requires a Magic Transit or Magic WAN subscription on the account — accounts that are not onboarded receive a typed MagicTransitNotOnboarded error (Cloudflare code 1012).

The tunnel name is unique per account and immutable in practice: changing it triggers a replacement (the tunnel is destroyed and re-created) rather than an in-place update. The psk is write-only: Cloudflare never returns it, so it cannot be read back to detect drift and the configured value is carried in state. Pass it as a Secret (as in the example below), never as a plain string, so that state does not hold it in clear text.

Basic tunnel with a provided PSK

```ts
const tunnel = yield* Cloudflare.IpsecTunnel("branch", {
  name: "branch-ipsec-1",
  cloudflareEndpoint: "203.0.113.1",
  customerEndpoint: "198.51.100.1",
  interfaceAddress: "10.213.0.10/31",
  psk: alchemy.secret.env.IPSEC_PSK,
});
```

Tunnel with replay protection and health checks

```ts
const tunnel = yield* Cloudflare.IpsecTunnel("branch", {
  name: "branch-ipsec-1",
  cloudflareEndpoint: "203.0.113.1",
  interfaceAddress: "10.213.0.10/31",
  replayProtection: true,
  healthCheck: { enabled: true, rate: "mid" },
});
```
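Pre-flight checks for the props above, as an added example that is not Alchemy's or Cloudflare's code: it validates the endpoints and the /31 interface address before the props reach Cloudflare.IpsecTunnel, generates a PSK from the OS CSPRNG, and derives a fingerprint so you can record which PSK was configured without logging the secret itself. The IpsecTunnelProps shape, the 16-character PSK floor, enforcing the /31 and RFC 1918 rules client-side, and the low/mid/high health-check rate set are assumptions made here.

```typescript
import { randomBytes, createHash } from "node:crypto";

// Constructed shape mirroring the properties used on this page; not Alchemy's own type.
interface IpsecTunnelProps {
  name: string;
  cloudflareEndpoint: string;
  customerEndpoint?: string;
  interfaceAddress: string;
  psk?: string;
  replayProtection?: boolean;
  healthCheck?: { enabled: boolean; rate?: string };
}

// Generate a PSK from the OS CSPRNG. 32 bytes is an assumed size; the page does not
// state Cloudflare's minimum. 32 bytes encode to 43 base64url characters.
function generatePsk(bytes = 32): string {
  return randomBytes(bytes).toString("base64url");
}

// Truncated SHA-256 of the PSK, safe to log or diff. Cloudflare never returns the PSK,
// so a fingerprint of what was configured is the only thing you can compare later.
function pskFingerprint(psk: string): string {
  return createHash("sha256").update(psk, "utf8").digest("hex").slice(0, 16);
}

// Dotted-quad IPv4 to an unsigned 32-bit number, or null if malformed.
function parseIpv4(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function formatIpv4(n: number): string {
  return [24, 16, 8, 0].map((s) => (n >>> s) & 255).join(".");
}

// RFC 1918 space. Cloudflare must reach the customer endpoint over the Internet,
// so a private address there is a configuration error (assumed check).
function isPrivateIpv4(n: number): boolean {
  return (n >>> 24) === 10 || (n >>> 20) === 0xac1 || (n >>> 16) === 0xc0a8;
}

// The other host of a /31 (RFC 3021): the interface address with its last bit flipped.
// Returns null unless the prefix is exactly /31 (assumed requirement).
function peerOfSlash31(cidr: string): string | null {
  const [ip, prefix] = cidr.split("/");
  const n = parseIpv4(ip);
  if (n === null || prefix !== "31") return null;
  return formatIpv4((n ^ 1) >>> 0);
}

// Pre-flight checks to run before handing the props to Cloudflare.IpsecTunnel.
// Returns the list of problems found; an empty list means every check passed.
function validateTunnelProps(props: IpsecTunnelProps): string[] {
  const errors: string[] = [];
  if (!props.name) errors.push("name must be non-empty");
  if (parseIpv4(props.cloudflareEndpoint) === null)
    errors.push(`cloudflareEndpoint is not an IPv4 address: ${props.cloudflareEndpoint}`);
  if (props.customerEndpoint !== undefined) {
    const c = parseIpv4(props.customerEndpoint);
    if (c === null) errors.push(`customerEndpoint is not an IPv4 address: ${props.customerEndpoint}`);
    else if (isPrivateIpv4(c)) errors.push(`customerEndpoint is a private address: ${props.customerEndpoint}`);
  }
  if (peerOfSlash31(props.interfaceAddress) === null)
    errors.push(`interfaceAddress must be an IPv4 /31: ${props.interfaceAddress}`);
  // Assumed floor; prefer a random PSK from generatePsk() over a human passphrase.
  if (props.psk !== undefined && props.psk.length < 16) errors.push("psk is shorter than 16 characters");
  const rate = props.healthCheck?.rate;
  if (rate !== undefined && !["low", "mid", "high"].includes(rate))
    errors.push(`healthCheck.rate must be low, mid or high: ${rate}`);
  return errors;
}
```

Run validateTunnelProps on the props before calling Cloudflare.IpsecTunnel, and wrap the output of generatePsk() as a Secret (for instance through alchemy.secret.env as in the examples above) rather than passing the string directly; keep only pskFingerprint() in logs or change records.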