Oracle Cloud
This tutorial provides information and examples of how to configure IPsec between Cloudflare Magic WAN and an Oracle Cloud Site-to-site VPN.
You need a pre-shared key to establish the IPsec tunnel. You can use the following code to create a random key:
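
    // Generate 48 random bytes from the platform CSPRNG.
    const a = new Uint8Array(48);
    crypto.getRandomValues(a);
    let base64String = btoa(String.fromCharCode.apply(null, a));
    // Drop the non-alphanumeric Base64 characters.
    base64String = base64String.replace(/\+/g, '')
                       .replace(/\//g, '')
                       .replace(/=/g, '');
    // Use the first 32 characters as the pre-shared key.
    console.log(base64String.substring(0, 32));

You can try this code in the Workers playground.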
- Go to Networking > Customer connectivity, and select Customer-premises equipment.
- Select Create CPE.
- Select the following settings (you can leave settings not mentioned here with their default values):
  - Name: Enter a name.
  - IP Address: Enter your Cloudflare anycast IP address.
  - CPE vendor information: Select Other.
- Select Create CPE.
- Go to Networking > Customer connectivity, and select Dynamic routing gateways.
- Select Create Dynamic routing gateways.
- Select the following settings (you can leave settings not mentioned here with their default values):
  - Name: Enter a name.
- Select Create Dynamic routing gateways.
- Go to Networking > Customer connectivity, and select Site-to-Site VPN.
- Select Create IPsec connection.
- Select the following settings (you can leave settings not mentioned here with their default values):
  - Name: Enter a name.
  - Customer-premises equipment: Select the CPE you have created in step 1.
  - Dynamic routing gateways: Select the DRG you have created in step 2.
  - Routes to your on-premises network: Enter a CIDR range you want to route to Magic WAN.
  - Tunnel 1
    - Name: Enter a name.
    - Select Provide custom shared secret.
    - Enter the pre-shared key you created in the Prerequisites section.
    - IKE version: IKEv2
    - Routing type: Static routing
    - IPv4 inside tunnel interface - CPE: Enter the internal tunnel IP on the Cloudflare side of the IPsec tunnel. In this example, it is 10.200.1.0/31.
    - IPv4 inside tunnel interface - Oracle: Enter the internal tunnel IP on the Oracle side of the IPsec tunnel. In this example, it is 10.200.1.1/31. This matches with the Cloudflare side for this tunnel.
    - Select Show advanced options
      - Select Phase one (ISAKMP) configuration
        - Select Set custom configurations
          - Custom encryption algorithm: AES_256_CBC
          - Custom authentication algorithm: SHA2_256
          - Custom Diffie-Hellman group: GROUP20
          - IKE session key lifetime in seconds: 86400
      - Select Phase two (IPsec) configuration
        - Select Set custom configurations
          - Custom encryption algorithm: AES_256_CBC
          - HMAC_SHA2_256_128: HMAC_SHA2_256_128
          - IPsec session key lifetime in seconds: 28800
          - Perfect forward secrecy Diffie-Hellman group: GROUP20
  - Tunnel 2
    - Repeat the above steps for Tunnel 2. Select the right IP for IPv4 inside tunnel interface - CPE: 10.200.2.0/31 and IPv4 inside tunnel interface - Oracle: 10.200.2.1/31
- Select Create IPsec connection
After configuring the Oracle Site-to-site VPN connection and the tunnels as mentioned above, go to the Cloudflare dashboard and create the corresponding IPsec tunnel and static routes on the Magic WAN side.
- Refer to Add tunnels to learn how to add an IPsec tunnel. When creating your IPsec tunnel, make sure you define the following settings:
  - Tunnel name: Enter a name.
  - Interface address: Enter the internal tunnel IP on the Cloudflare side of the IPsec tunnel. In this example, it is 10.200.1.0/31.
  - Customer endpoint: The Oracle VPN public IP address.
  - Cloudflare endpoint: Enter your Cloudflare anycast IP address.
  - Health check type: Request
  - Health check direction: Unidirectional
  - Health check target: Default
  - Pre-shared key: Choose Use my own pre-shared key, and enter the pre-shared key you created in the Prerequisites section.
  - Replay protection: Enabled.
- Select Add tunnels.
- Repeat the above steps for Tunnel 2. Choose the same Cloudflare anycast IP address and select the right IP for Interface address: 10.200.2.0/31
The static route in Magic WAN should point to the appropriate virtual machine (VM) subnet you created inside your Oracle Virtual Cloud Network (VCN). For example, if your VM has a subnet of 192.168.192.0/26, you should use it as the prefix for your static route.
To create a static route:
- Refer to Create a static route to learn how to create one.
- In Prefix, enter the subnet for your VM. For example, 192.xx.xx.xx/24.
- For the Tunnel/Next hop, choose the IPsec tunnel you created in the previous step.
- Repeat the steps above for the second IPsec tunnel you created.
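
A pre-flight check for the addressing entered in the steps above, as an added example that is not part of the original tutorial or of Cloudflare's or Oracle's tooling. The function names and the plan object layout are hypothetical; the addresses are the ones used on this page.

```javascript
// Added example, not Cloudflare's or Oracle's code; function and field names are hypothetical.
// Parse "a.b.c.d/len" into an unsigned 32-bit address, prefix length and network address.
function parseCidr(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(text);
  if (!m) throw new Error(`not an IPv4 CIDR: ${text}`);
  const octets = m.slice(1, 5).map(Number);
  const len = Number(m[5]);
  if (octets.some((o) => o > 255) || len > 32) throw new Error(`out of range: ${text}`);
  const ip = octets.reduce((acc, o) => acc * 256 + o, 0);
  return { text, ip, len, net: network(ip, len) };
}

// Network address; len 0 is special-cased because JavaScript shift counts wrap modulo 32.
function network(ip, len) {
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return (ip & mask) >>> 0;
}

// True when two parsed CIDR blocks share at least one address.
function overlaps(a, b) {
  const len = Math.min(a.len, b.len);
  return network(a.ip, len) === network(b.ip, len);
}

// Returns a list of problems; an empty list means both sides of the plan agree.
function checkPlan(plan) {
  const problems = [];
  const inside = [];
  for (const t of plan.tunnels) {
    const cpe = parseCidr(t.cpeInside);         // Oracle: "IPv4 inside tunnel interface - CPE"
    const oci = parseCidr(t.oracleInside);      // Oracle: "IPv4 inside tunnel interface - Oracle"
    const mw = parseCidr(t.magicWanInterface);  // Magic WAN: "Interface address"
    if (mw.ip !== cpe.ip || mw.len !== cpe.len) problems.push(`${t.name}: Magic WAN interface address differs from the Oracle CPE address`);
    if (cpe.len !== oci.len || cpe.net !== oci.net || cpe.ip === oci.ip) problems.push(`${t.name}: CPE and Oracle addresses are not two ends of one block`);
    if (inside.some((s) => overlaps(s, cpe))) problems.push(`${t.name}: inside range already used by another tunnel`);
    inside.push(cpe);
  }
  const route = parseCidr(plan.staticRoutePrefix);
  if (route.ip !== route.net) problems.push(`${route.text}: host bits are set in the static route prefix`);
  if (inside.some((s) => overlaps(s, route))) problems.push(`${route.text}: overlaps a tunnel inside range`);
  return problems;
}

// Addresses taken from this tutorial's example.
const tutorialPlan = { tunnels: [
  { name: 'Tunnel 1', cpeInside: '10.200.1.0/31', oracleInside: '10.200.1.1/31', magicWanInterface: '10.200.1.0/31' },
  { name: 'Tunnel 2', cpeInside: '10.200.2.0/31', oracleInside: '10.200.2.1/31', magicWanInterface: '10.200.2.0/31' },
], staticRoutePrefix: '192.168.192.0/26' };
console.log(checkPlan(tutorialPlan));
```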