!
! Century Systems NXR-530 Series ver 21.16.10 (build 7/14:05 09 03 2026)
!
! Overview: two route-based IKEv2/IPsec tunnels toward peers labelled
! Cloudflare_WAN. This part holds the management services, the IKE and ESP
! policies, and the tunnel interfaces.
! Management plane: SSH and HTTP management are enabled, each with
! forbidden-access-wan set for IPv4 and IPv6. The REST API is disabled for
! both http and https ("no rest ... enable"); its forbidden-access-wan lines
! are set as well.
! NOTE(review): "http-server enable" looks like unencrypted HTTP management -
! confirm it is needed, and confirm which interfaces the router classifies
! as WAN for forbidden-access-wan.
hostname nxr530
ssh-server enable
ssh-server ip forbidden-access-wan
ssh-server ipv6 forbidden-access-wan
http-server enable
http-server ip forbidden-access-wan
http-server ipv6 forbidden-access-wan
no rest http enable
rest http ip forbidden-access-wan
rest http ipv6 forbidden-access-wan
no rest https enable
rest https ip forbidden-access-wan
rest https ipv6 forbidden-access-wan
!
!
!
!
!
ipv6 forwarding
fast-forwarding enable
!
!
!
!
!
ipsec priority-ignore enable
!
l2tp udp source-port 40001
!
!
! Local IKE identities, one per tunnel, sent as an FQDN with UDP port 4500.
! The xxx/yyy/zzz labels are placeholders; substitute the identifier issued
! for each tunnel.
ipsec local policy 1
 address ip
 udp port 4500
 self-identity fqdn xxx.zzz.ipsec.cloudflare.com
!
ipsec local policy 2
 address ip
 udp port 4500
 self-identity fqdn yyy.zzz.ipsec.cloudflare.com
!
!
! IKE policies: version 2, pre-shared-key authentication, sha256 / aes256 /
! group 20, lifetime 86400, peer reached on UDP port 4500.
! "IPsecKEY" reads as a placeholder for the pre-shared key. Replace it with a
! long random secret, and handle every saved or exported copy of this
! configuration as secret material, because the key is written on that line.
! 192.0.2.1 and 192.0.2.2 are documentation-range addresses (RFC 5737) that
! stand in for the real peer endpoints.
ipsec isakmp policy 1
 description Cloudflare_WAN-IPsecTunnel1
 version 2
 authentication pre-share IPsecKEY
 hash sha256
 encryption aes256
 group 20
 lifetime 86400
 remote address ip 192.0.2.1
 remote udp port 4500
 local policy 1
!
ipsec isakmp policy 2
 description Cloudflare_WAN-IPsecTunnel2
 version 2
 authentication pre-share IPsecKEY
 hash sha256
 encryption aes256
 group 20
 lifetime 86400
 remote address ip 192.0.2.2
 remote udp port 4500
 local policy 2
!
!
! ESP policies: esp-aes256 with esp-sha256-hmac, PFS group20, SA lifetime
! 28800, keyed by the isakmp policy of the same number. The traffic selector
! is IPsec_ACL, defined at the end of this configuration.
! "no set anti-replay-check" turns ESP replay checking off on both tunnels.
! NOTE(review): Cloudflare's guidance for its anycast IPsec tunnels asks for
! replay protection to be disabled on the customer device; confirm that is
! the reason here and keep it recorded, since with the check off a re-sent
! ESP packet is not rejected on its sequence number.
ipsec tunnel policy 1
 description Cloudflare_WAN-IPsecTunnel1
 no set anti-replay-check
 set transform esp-aes256 esp-sha256-hmac
 set pfs group20
 set key-exchange isakmp 1
 set sa lifetime 28800
 match address IPsec_ACL
!
ipsec tunnel policy 2
 description Cloudflare_WAN-IPsecTunnel2
 no set anti-replay-check
 set transform esp-aes256 esp-sha256-hmac
 set pfs group20
 set key-exchange isakmp 2
 set sa lifetime 28800
 match address IPsec_ACL
!
!
! Tunnel interfaces in "ipsec ipv4" mode, each protected by the tunnel policy
! of the same number and given a /31 inner address. "ip tcp adjust-mss auto"
! is set on both.
interface tunnel 1
 description Cloudflare_WAN-IPsecTunnel1
 ip address 10.10.10.100/31
 ip tcp adjust-mss auto
 tunnel mode ipsec ipv4
 tunnel protection ipsec policy 1
!
interface tunnel 2
 description Cloudflare_WAN-IPsecTunnel2
 ip address 10.10.10.104/31
 ip tcp adjust-mss auto
 tunnel mode ipsec ipv4
 tunnel protection ipsec policy 2
!
! Physical interfaces, local services, static routes and the IPsec selector.
! ethernet 0 carries the static 192.168.10.1/24 address (presumably the LAN
! side - confirm).
interface ethernet 0
 ip address 192.168.10.1/24
!
! ethernet 1 takes its address by DHCP and has "ipsec policy 1" and
! "ipsec policy 2" attached (presumably the WAN side, binding the two local
! IPsec policies - confirm).
! NOTE(review): no inbound packet filter is visible on this interface in the
! listing; confirm whether one is configured elsewhere or intended.
interface ethernet 1
 ip address dhcp
 ip tcp adjust-mss auto
 ipsec policy 1
 ipsec policy 2
!
interface ethernet 2
 no ip address
!
dns
 service enable
!
!
! Local syslog is enabled; no remote log destination appears in this listing.
syslog
 local enable
 exit-syslog
!
!
!
system led ext 0 signal-level mobile 0
!
!
!
!
!
!
!
! Host routes send the two peer addresses out of ethernet 1 via the DHCP
! gateway, presumably so IKE/ESP packets to the peers do not follow the
! tunnel default routes. 192.0.2.1 and 192.0.2.2 are the same
! documentation-range placeholders used for the IKE peers.
! The default route is installed over tunnel 1 and tunnel 2. The "null 254"
! entry is a default route to the null interface with the value 254
! (presumably an administrative distance that makes it a last resort, so
! traffic is dropped rather than sent unprotected when neither tunnel route
! is usable - confirm).
ip route 192.0.2.1/32 dhcp ethernet 1
ip route 192.0.2.2/32 dhcp ethernet 1
ip route 0.0.0.0/0 tunnel 1
ip route 0.0.0.0/0 tunnel 2
ip route 0.0.0.0/0 null 254
!
!
!
! IPsec_ACL is the selector named by "match address IPsec_ACL" in both tunnel
! policies: any-to-any IP. With a selector this wide, what enters each tunnel
! is presumably decided by the routes above rather than by the ACL.
ipsec access-list IPsec_ACL ip any any
!
!
!
end