GRE/IPSEC tunnels behind Magic Transit GRE tunnel

We’re having a problem after enabling Cloudflare in any of our datacenters. When we enable CF by advertising our networks through them, our organization’s datacenter-to-datacenter GRE+IPSEC tunnels go down. We also lose our IPSEC VPNs to our partners over the public internet.

We have tried having Cloudflare clear the “don’t fragment bit” on our traffic. We’ve also tested lowering the MTU then customizing (lowering) both MSS and MTU after carefully calculating the bytes.

Cloudflare’s GRE tunnels are implemented at our data center’s internet-facing routers. We worked through the initial configs with Cloudflare without a problem. They had us adjust the MSS on the internet-facing interfaces. I’m pasting a basic representation of our layout. Behind our internet edge devices, where the Cloudflare GRE tunnels terminate, lies the bulk of our infrastructure.

In the diagram below I’ve pointed out where our WAN routers utilize a GRE+IPSEC tunnel for connectivity between our datacenters. These tunnels go down when Cloudflare’s Magic Transit is scrubbing traffic. Other tunnels (which I didn’t draw) go down as well. For instance, hanging off of the switches (blue ‘SW’) we have firewalls. Those firewalls have IPSEC VPNs with external partners over the public internet.

After clearing the don’t fragment bit didn’t work, and neither did lowering the MSS, I’m stumped at the moment. I’m looking for any suggestions or diagnostic steps I could take to resolve this.

Anybody who is using Cloudflare’s Magic Transit I think will understand the diagram:


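The byte budget behind this kind of nesting is easy to get wrong, so here is a worked calculation as an added example (not the poster's configuration and not Cloudflare's code): it peels the Magic Transit GRE header, then an assumed ESP tunnel-mode proposal, then the inner DC-to-DC GRE header off a 1500-byte public-internet MTU and reports the payload MTU and TCP MSS left at each layer. The IPsec proposals, the 1500-byte path MTU and the layer names are assumptions; note that an MSS clamp only shrinks TCP inside the tunnel, while IKE and ESP packets themselves are sized by the MTU and the DF bit.

```python
# Worked MTU/MSS budget for tunnels nested inside a Magic Transit GRE tunnel.
# Added example: overheads are the standard IPv4/GRE/ESP figures; the 1500-byte
# public-internet MTU and the IPsec proposals below are assumptions.

IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4          # basic GRE (RFC 2784); add 4 bytes if the key field is enabled


def esp_tunnel_overhead(block: int, iv: int, icv: int) -> int:
    """Worst-case bytes ESP tunnel mode adds: new outer IPv4 header, SPI plus
    sequence number, IV, pad-length/next-header trailer, maximum cipher
    padding, and the integrity check value."""
    return IPV4_HDR + 8 + iv + 2 + (block - 1) + icv


# Two common proposals (assumed, not taken from the original post).
ESP_AES_CBC_SHA1 = esp_tunnel_overhead(block=16, iv=16, icv=12)   # 73 bytes
ESP_AES_GCM_128 = esp_tunnel_overhead(block=4, iv=8, icv=16)      # 57 bytes


def mtu_budget(link_mtu: int, layers: list[tuple[str, int]]) -> list[tuple[str, int]]:
    """Apply encapsulation layers from the outside in and return the payload
    MTU that remains after each one."""
    remaining = link_mtu
    out = []
    for name, overhead in layers:
        remaining -= overhead
        out.append((name, remaining))
    return out


def tcp_mss(payload_mtu: int) -> int:
    """Largest TCP segment that fits in payload_mtu without fragmentation."""
    return payload_mtu - IPV4_HDR - TCP_HDR


# Layout from the post: Magic Transit GRE into the edge router, with the
# DC-to-DC GRE-over-IPsec tunnel carried inside it. With GRE over IPsec the
# ESP tunnel-mode header wraps the GRE packet, so ESP is peeled before GRE.
NESTED = [
    ("magic-transit-gre", IPV4_HDR + GRE_HDR),   # 1500 -> 1476
    ("dc-to-dc-esp", ESP_AES_CBC_SHA1),          # 1476 -> 1403
    ("dc-to-dc-gre", IPV4_HDR + GRE_HDR),        # 1403 -> 1379
]

if __name__ == "__main__":
    for name, mtu in mtu_budget(1500, NESTED):
        print(f"{name:20s} payload MTU {mtu:4d}  MSS {tcp_mss(mtu):4d}")
```

Swap in `ESP_AES_GCM_128` or add the GRE key field to see how much the budget moves; the final MSS is what hosts behind the inner tunnel would need to be clamped to.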