POST /accounts/{account_id}/magic/ipsec_tunnels

Creates a new IPsec tunnel associated with an account. Use ?validate_only=true as an optional query parameter to only run validation without persisting changes.

Servers

https://api.cloudflare.com/client/v4

Path parameters

Name	Type	Required	Description
`account_id`	String	Yes

Request headers

Name	Type	Required	Description
`Content-Type`	String	Yes	The media type of the request body. Default value: "application/json"
`x-magic-new-hc-target`	Boolean	No	If true, the health check target in the request and response bodies will be presented using the new object format. Defaults to false.

Request body fields

Name	Type	Required	Description
`custom_remote_identities`	Object	No
`custom_remote_identities.fqdn_id`	String	No	A custom IKE ID of type FQDN that may be used to identity the IPsec tunnel. The generated IKE IDs can still be used even if this custom value is specified. Must be of the form `<custom label>.<account ID>.custom.ipsec.cloudflare.com`. This custom ID does not need to be unique. Two IPsec tunnels may have the same custom fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels cannot have the same cloudflare_endpoint.
`bgp`	Object	No
`bgp.md5_key`	String	No	MD5 key to use for session authentication. Note that this is not a security measure. MD5 is not a valid security mechanism, and the key is not treated as a secret value. This is only supported for preventing misconfiguration, not for defending against malicious attacks. The MD5 key, if set, must be of non-zero length and consist only of the following types of character: ASCII alphanumerics: `[a-zA-Z0-9]` Special characters in the set `'!@#$%^&*()+[]{}<>/.,;:_-~`= \|` In other words, MD5 keys may contain any printable ASCII character aside from newline (0x0A), quotation mark (`"`), vertical tab (0x0B), carriage return (0x0D), tab (0x09), form feed (0x0C), and the question mark (`?`). Requests specifying an MD5 key with one or more of these disallowed characters will be rejected.
`bgp.extra_prefixes[]`	Array	No	Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table.
`bgp.customer_asn`	Integer	Yes	ASN used on the customer end of the BGP session
`customer_endpoint`	String	No	The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
`name`	String	Yes	The name of the IPsec tunnel. The name cannot share a name with other tunnels.
`description`	String	No	An optional description forthe IPsec tunnel.
`cloudflare_endpoint`	String	Yes	The IP address assigned to the Cloudflare side of the IPsec tunnel.
`replay_protection`	Boolean	No	If `true`, then IPsec replay protection will be supported in the Cloudflare-to-customer direction. Default value: false
`psk`	String	No	A randomly generated or provided string for use in the IPsec tunnel.
`automatic_return_routing`	Boolean	No	True if automatic stateful return routing should be enabled for a tunnel, false otherwise. Default value: false
`interface_address6`	String	No	A 127 bit IPV6 prefix from within the virtual_subnet6 prefix space with the address being the first IP of the subnet and not same as the address of virtual_subnet6. Eg if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127 , interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127
`interface_address`	String	Yes	A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.

How to start integrating

Add HTTP Task to your workflow definition.
Search for the API you want to integrate with and click on the name.
- This loads the API reference documentation and prepares the Http request settings.
Click Test request to test run your request to the API and see the API's response.