All Products
Search
Document Center

Resource Orchestration Service:ALIYUN::VPC::VpnAttachment

Last Updated:Oct 29, 2024

ALIYUN::VPC::VpnAttachment is used to create an IPsec-VPN connection and associate it with a transit router.

Syntax

{
  "Type": "ALIYUN::VPC::VpnAttachment",
  "Properties": {
    "LocalSubnet": String,
    "CustomerGatewayId": String,
    "AutoConfigRoute": Boolean,
    "Name": String,
    "EffectImmediately": Boolean,
    "BgpConfig": Map,
    "RemoteSubnet": String,
    "RemoteCaCert": String,
    "IpsecConfig": Map,
    "NetworkType": String,
    "HealthCheckConfig": Map,
    "EnableNatTraversal": Boolean,
    "IkeConfig": Map,
    "EnableDpd": Boolean
  }
}

Properties

Property

Type

Required

Editable

Description

Constraint

LocalSubnet

String

Yes

Yes

The CIDR blocks on the virtual private cloud (VPC) side. The CIDR blocks are used in Phase 2 negotiations.

Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24.

The following routing modes are supported for the IPsec-VPN connection:

  • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is Destination Routing Mode.

  • If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is Protected Data Flows.

Example: 10.1.1.0/24,10.1.2.0/24.

CustomerGatewayId

String

Yes

No

The ID of the customer gateway.

None.

AutoConfigRoute

Boolean

No

Yes

Specifies whether to automatically configure routes.

Valid values:

  • true (default)

  • false

Name

String

No

Yes

The name of the IPsec-VPN connection.

None.

EffectImmediately

Boolean

No

Yes

Specifies whether to immediately start IPsec negotiations.

Valid values:

  • true: immediately starts IPsec negotiations after the configuration is complete.

  • false (default): starts IPsec negotiations when inbound traffic is received.

BgpConfig

Map

No

Yes

The Border Gateway Protocol (BGP) configurations.

For more information, see BgpConfig properties.

Note

Before you configure BGP, we recommend that you familiarize yourself with the implementation mechanism and the limits of BGP dynamic routing. For more information, see VPN Gateway supports BGP dynamic routing.

We recommend that you use a private autonomous system number (ASN) to establish a connection with Alibaba Cloud over BGP. For more information about the range of private ASNs, see the relevant documentation.

Example:

{"EnableBgp":"true","LocalAsn":"45104","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}

RemoteSubnet

String

Yes

Yes

The CIDR blocks on the data center side. The CIDR blocks are used in Phase 2 negotiations.

Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24.

The following routing modes are supported for the IPsec-VPN connection:

  • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is Destination Routing Mode.

  • If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is Protected Data Flows.

Example: 10.1.3.0/24,10.1.4.0/24.

RemoteCaCert

String

No

No

The peer CA certificate when a ShangMi (SM) VPN gateway is used to create the IPsec-VPN connection.

Example:

-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----

IpsecConfig

Map

No

Yes

The configurations of Phase 2 negotiations.

For more information, see IpsecConfig properties.

Example:

{"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}

NetworkType

String

No

No

The network type of the IPsec-VPN connection.

Valid values:

  • public (default): an encrypted connection over the Internet

  • private: an encrypted connection over a private network

HealthCheckConfig

Map

No

Yes

The health check configurations.

For more information, see HealthCheckConfig properties.

Example:

{"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3","Policy": "revoke_route"}

EnableNatTraversal

Boolean

No

Yes

Specifies whether to enable NAT traversal.

Valid values:

  • true (default): enables NAT traversal. After you enable NAT traversal, the initiator does not check the UDP ports during Internet Key Exchange (IKE) negotiations and can automatically discover NAT gateway devices along the IPsec-VPN tunnel.

  • false: disables NAT traversal.

IkeConfig

Map

No

Yes

The configurations of Phase 1 negotiations.

For more information, see IkeConfig properties.

EnableDpd

Boolean

No

Yes

Specifies whether to enable the dead peer detection (DPD) feature.

Valid values:

  • true (default): enables the DPD feature. The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no feedback is received from the peer within a specified period of time, the connection fails. ISAKMP Security Associations (SAs) and IPsec SAs are deleted. The IPsec-VPN tunnel is also deleted.

  • false: disables the DPD feature. The initiator of the IPsec-VPN connection does not send DPD packets.

BgpConfig syntax

"BgpConfig": {
  "EnableBgp": Boolean,
  "LocalAsn": Number,
  "TunnelCidr": String,
  "LocalBgpIp": String
}

BgpConfig properties

Property

Type

Required

Editable

Description

Constraint

EnableBgp

Boolean

No

No

Specifies whether to enable the BGP feature.

Valid values:

  • true

  • false (default)

LocalAsn

Number

No

Yes

The ASN on the Alibaba Cloud side.

Valid values: 1 to 4294967295. Default value: 45104.

TunnelCidr

String

No

Yes

The CIDR block of the IPsec-VPN tunnel.

The CIDR block must belong to 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length.

LocalBgpIp

String

No

Yes

The BGP IP address on the Alibaba Cloud side.

The IP address must fall within the CIDR block range of the IPsec-VPN tunnel.

IpsecConfig syntax

"IpsecConfig": {
  "IpsecPfs": String,
  "IpsecEncAlg": String,
  "IpsecAuthAlg": String,
  "IpsecLifetime": Integer
}

IpsecConfig properties

Property

Type

Required

Editable

Description

Constraint

IpsecPfs

String

No

Yes

The Diffie-Hellman (DH) key exchange algorithm that is used in Phase 2 negotiations.

Valid values:

  • disabled

  • group1

  • group2 (default)

  • group5

  • group14

IpsecEncAlg

String

No

Yes

The encryption algorithm that is used in Phase 2 negotiations.

Valid values:

  • aes (default)

  • aes192

  • aes256

  • des

  • 3des

IpsecAuthAlg

String

No

Yes

The authentication algorithm that is used in Phase 2 negotiations.

Valid values:

  • md5 (default)

  • sha1

  • sha256

  • sha384

  • sha512

IpsecLifetime

Integer

No

Yes

The SA lifetime that is determined by Phase 2 negotiations.

Unit: seconds. Valid values: 0 to 86400. Default value: 86400.

HealthCheckConfig syntax

"HealthCheckConfig": {
  "Policy": String,
  "Enable": Boolean,
  "Dip": String,
  "Retry": Integer,
  "Sip": String,
  "Interval": Integer
}

HealthCheckConfig properties

Property

Type

Required

Editable

Description

Constraint

Policy

String

No

Yes

Specifies whether to withdraw published routes when the health check fails.

Valid values:

  • revoke_route (default): withdraws published routes when the health check fails.

  • reserve_route: does not withdraw published routes when the health check fails.

Enable

Boolean

No

Yes

Specifies whether to enable the health check feature.

Valid values:

  • true

  • false (default)

Dip

String

No

Yes

The destination IP address that is used for health checks.

Specify the IP address of the data center with which the VPC can communicate based on the IPsec-VPN connection.

Retry

Integer

No

Yes

The maximum number of health check retries.

Default value: 3.

Sip

String

No

Yes

The source IP address that is used for health checks.

Specify the IP address of the VPC with which the data center can communicate based on the IPsec-VPN connection.

Interval

Integer

No

Yes

The interval between two consecutive health check retries.

Unit: seconds. Default value: 3.

IkeConfig syntax

"IkeConfig": {
  "IkeAuthAlg": String,
  "LocalId": String,
  "IkeEncAlg": String,
  "IkeVersion": String,
  "IkeMode": String,
  "IkeLifetime": Integer,
  "RemoteId": String,
  "Psk": String,
  "IkePfs": String
}

IkeConfig properties

Property

Type

Required

Editable

Description

Constraint

IkeAuthAlg

String

No

Yes

The authentication algorithm that is used in Phase 1 negotiations.

Valid values:

  • md5 (default)

  • sha1

  • sha256

  • sha384

  • sha512

LocalId

String

No

Yes

The identifier of the IPsec-VPN connection on the Alibaba Cloud side.

The identifier can be up to 100 characters in length. By default, this property is empty.

IkeEncAlg

String

No

Yes

The encryption algorithm that is used in Phase 1 negotiations.

Valid values:

  • aes (default)

  • aes192

  • aes256

  • des

  • 3des

IkeVersion

String

No

Yes

The version of the IKE protocol.

Valid values:

  • ikev1 (default)

  • ikev2

IkeMode

String

No

Yes

The negotiation mode.

Valid values:

  • main (default)

  • aggressive

IkeLifetime

Integer

No

Yes

The SA lifetime that is determined by Phase 1 negotiations.

Unit: seconds. Valid values: 0 to 86400. Default value: 86400.

RemoteId

String

No

Yes

The identifier of the IPsec-VPN connection on the data center side.

The identifier can be up to 100 characters in length. The default value is the IP address of the customer gateway.

Psk

String

No

Yes

The pre-shared key that is used for identity authentication between the VPN gateway and the data center.

The following limits apply:

  • The pre-shared key must be 1 to 100 characters in length, and can contain letters, digits, and the following characters: ~ ! ` @ # $ % ^ & * ( ) _ - + = { } [ ] | ; : ' , . < > / ?

  • If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key.

Note

The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway.

IkePfs

String

No

Yes

The DH key exchange algorithm that is used in Phase 1 negotiations.

Valid values:

  • group1 (default)

  • group2

  • group5

  • group14

Return values

Fn::GetAtt

  • InternetIp: the gateway address of the IPsec-VPN connection.  

  • VpnAttachmentId: the ID of the IPsec-VPN connection.

  • PeerVpnAttachmentConfig: the configurations of the IPsec-VPN connection.

Examples

  • YAML format

    ROSTemplateFormatVersion: '2015-09-01'
    Parameters:
      AutoConfigRoute:
        Description:
          en: "Specifies whether to automatically configure routes. Valid values:\ntrue\
            \ (default) \nfalse"
        Type: Boolean
      BgpConfig:
        AssociationPropertyMetadata:
          Parameters:
            EnableBgp:
              Description:
                en: "Specifies whether to enable the BGP feature for the tunnel. \nValid\
                  \ values: true and false. Default value: false."
              Type: Boolean
            LocalAsn:
              Description:
                en: 'the ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295.
                  Default value: 45104.'
              MaxValue: 4294967295
              MinValue: 1
              Type: Number
            LocalBgpIp:
              Description:
                en: "the BGP IP address on the Alibaba Cloud side. \nThis IP address must\
                  \ fall within the CIDR block of the IPsec tunnel."
              Type: String
            TunnelCidr:
              Description:
                en: the CIDR block of the IPsec tunnel. The CIDR block must fall within
                  169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in
                  length.
              Type: String
        Description:
          en: "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required\
            \ when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP,\
            \ we recommend that you learn about how BGP works and its limits. For more\
            \ information, see VPN Gateway supports BGP dynamic routing.\nWe recommend\
            \ that you use a private ASN to establish a connection with Alibaba Cloud\
            \ over BGP. \nRefer to the relevant documentation for the private ASN range."
        Type: Json
      CustomerGatewayId:
        Description:
          en: The ID of the user gateway.
        Type: String
      EffectImmediately:
        Default: false
        Description:
          en: 'Whether to delete the currently negotiated IPsec tunnel and re-initiate
            the negotiation. Value:
    
            True: Negotiate immediately after the configuration is complete.
    
            False (default): Negotiate when traffic enters.'
        Type: Boolean
      EnableDpd:
        Description:
          en: "Specifies whether to enable the dead peer detection (DPD) feature. Valid\
            \ values: \ntrue (default) The initiator of the IPsec-VPN connection sends\
            \ DPD packets to verify the existence and availability of the peer. If no\
            \ response is received from the peer within a specified period of time, the\
            \ connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel\
            \ is also deleted. \nfalse: disables DPD. The IPsec initiator does not send\
            \ DPD packets."
        Type: Boolean
      EnableNatTraversal:
        Description:
          en: "Specifies whether to enable NAT traversal. Valid values: \ntrue (default)\
            \ After NAT traversal is enabled, the initiator does not check the UDP ports\
            \ during IKE negotiations and can automatically discover NAT gateway devices\
            \ along the VPN tunnel. \nfalse"
        Type: Boolean
      HealthCheckConfig:
        AssociationPropertyMetadata:
          Parameters:
            Dip:
              Type: String
            Enable:
              Type: Boolean
            Interval:
              Type: Number
            Policy:
              Description:
                en: Whether to revoke published routes when the health check fails.
              Type: String
            Retry:
              Type: Number
            Sip:
              Type: String
        Description:
          en: Whether to enable the health check configuration.
        Type: Json
      IkeConfig:
        AssociationPropertyMetadata:
          Parameters:
            IkeAuthAlg:
              AllowedValues:
              - md5
              - sha1
              - sha256
              - sha384
              - sha512
              - sm3
              Description:
                en: "The authentication algorithm negotiated in the first phase. \nIf\
                  \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
                  \ and the default value is md5.\nIf the VPN gateway instance type is\
                  \ national secret type, The value is sm3 (default value)."
              Type: String
            IkeEncAlg:
              AllowedValues:
              - aes
              - aes192
              - aes256
              - des
              - 3des
              - sm4
              Description:
                en: "The authentication algorithm negotiated in the first phase. \nIf\
                  \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
                  \ and the default value is aes.\nIf the VPN gateway instance type is\
                  \ national secret type, The value is sm4 (default value)."
              Type: String
            IkeLifetime:
              Default: 86400
              Description:
                en: The life cycle of the SA negotiated in the first phase. The value
                  ranges from 0 to 86400, in seconds. The default value is 86400.
              MaxValue: 86400
              MinValue: 0
              Type: Number
            IkeMode:
              AllowedValues:
              - main
              - aggressive
              Default: main
              Description:
                en: 'Negotiation mode for IKE V1. Value: main|aggressive, default: main.'
              Type: String
            IkePfs:
              AllowedValues:
              - group1
              - group2
              - group5
              - group14
              - group24
              Default: group2
              Description:
                en: 'Diffie-Hellman key exchange algorithm used in the first phase negotiation.
                  Value: group1|group2|group5|group14|group24, default value: group2.'
              Type: String
            IkeVersion:
              AllowedValues:
              - ikev1
              - ikev2
              Default: ikev1
              Description:
                en: 'The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1.'
              Type: String
            LocalId:
              Description:
                en: ID of the VPN gateway. The length is limited to 100 characters. The
                  default value is the public IP address of the VPN gateway.
              MaxLength: 100
              Type: String
            Psk:
              Description:
                en: Used for identity authentication between the IPsec VPN gateway and
                  the user gateway. It is generated randomly by default, or you can specify
                  the key manually. The length is limited to 100 characters.
              MaxLength: 100
              Type: String
            RemoteId:
              Description:
                en: ID of the user gateway. The length is limited to 100 characters. The
                  default value is the public IP address of the user gateway.
              MaxLength: 100
              Type: String
        Description:
          en: Configuration information for the first phase of negotiation.
        Type: Json
      IpsecConfig:
        AssociationPropertyMetadata:
          Parameters:
            IpsecAuthAlg:
              AllowedValues:
              - md5
              - sha1
              - sha256
              - sha384
              - sha512
              - sm3
              Description:
                en: "The authentication algorithm negotiated in the first phase. \nIf\
                  \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
                  \ and the default value is md5.\nIf the VPN gateway instance type is\
                  \ national secret type, The value is sm3 (default value)."
              Type: String
            IpsecEncAlg:
              AllowedValues:
              - aes
              - aes192
              - aes256
              - des
              - 3des
              - sm4
              Description:
                en: "The authentication algorithm negotiated in the second phase. \nIf\
                  \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
                  \ and the default value is aes.\nIf the VPN gateway instance type is\
                  \ national secret type, The value is sm4 (default value)."
              Type: String
            IpsecLifetime:
              Default: 86400
              Description:
                en: 'IpsecLifetime: The life cycle of the SA negotiated in the second
                  phase. The value ranges from 0 to 86400, in seconds. The default value
                  is 86400.'
              MaxValue: 86400
              MinValue: 0
              Type: Number
            IpsecPfs:
              AllowedValues:
              - disabled
              - group1
              - group2
              - group5
              - group14
              - group24
              Default: group2
              Description:
                en: 'Forwards all protocol packets. The Diffie-Hellman key exchange algorithm
                  used in the first phase negotiation, the value: group1|group2|group5|group14|group24,
                  default value: group2.'
              Type: String
        Description:
          en: Configuration information for the second phase negotiation.
        Type: Json
      LocalSubnet:
        Description:
          en: 'A network segment on the VPC side that needs to be interconnected with
            the local IDC for the second phase negotiation.
    
            Multiple network segments are separated by commas, for example: 192.168.1.0/24,
            192.168.2.0/24.'
        Type: String
      Name:
        Description:
          en: 'The name of the IPsec connection.
    
            The length is 2-128 characters and must start with a letter or Chinese. It
            can contain numbers, periods (.), underscores (_) and dashes (-), but cannot
            start with http:// or https:// .'
        MaxLength: 128
        MinLength: 2
        Type: String
      NetworkType:
        AllowedValues:
        - public
        - private
        Description:
          en: 'The network type of the IPsec connection. Value: public|private.'
        Type: String
      RemoteCaCert:
        Description:
          en: "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish\
            \ the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway\
            \ is used to establish the IPsec-VPN connection. \nYou can ignore this parameter\
            \ when a standard VPN gateway is used to create the IPsec-VPN connection."
        Type: String
      RemoteSubnet:
        Description:
          en: 'The network segment of the local IDC is used for the second phase negotiation.
    
            Multiple network segments are separated by commas, for example: 192.168.3.0/24,
            192.168.4.0/24.'
        Type: String
    Resources:
      VpnAttachment:
        Properties:
          AutoConfigRoute:
            Ref: AutoConfigRoute
          BgpConfig:
            Ref: BgpConfig
          CustomerGatewayId:
            Ref: CustomerGatewayId
          EffectImmediately:
            Ref: EffectImmediately
          EnableDpd:
            Ref: EnableDpd
          EnableNatTraversal:
            Ref: EnableNatTraversal
          HealthCheckConfig:
            Ref: HealthCheckConfig
          IkeConfig:
            Ref: IkeConfig
          IpsecConfig:
            Ref: IpsecConfig
          LocalSubnet:
            Ref: LocalSubnet
          Name:
            Ref: Name
          NetworkType:
            Ref: NetworkType
          RemoteCaCert:
            Ref: RemoteCaCert
          RemoteSubnet:
            Ref: RemoteSubnet
        Type: ALIYUN::VPC::VpnAttachment
    Outputs:
      InternetIp:
        Description: The gateway IP address of the IPsec connection.
        Value:
          Fn::GetAtt:
          - VpnAttachment
          - InternetIp
      PeerVpnAttachmentConfig:
        Description: Peer vpc Attachment config.
        Value:
          Fn::GetAtt:
          - VpnAttachment
          - PeerVpnAttachmentConfig
      VpnAttachmentId:
        Description: ID of the IPsec attachment.
        Value:
          Fn::GetAtt:
          - VpnAttachment
          - VpnAttachmentId
                            
  • JSON format

    {
      "ROSTemplateFormatVersion": "2015-09-01",
      "Parameters": {
        "LocalSubnet": {
          "Type": "String",
          "Description": {
            "en": "A network segment on the VPC side that needs to be interconnected with the local IDC for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.1.0/24, 192.168.2.0/24."
          }
        },
        "CustomerGatewayId": {
          "Type": "String",
          "Description": {
            "en": "The ID of the user gateway."
          }
        },
        "AutoConfigRoute": {
          "Type": "Boolean",
          "Description": {
            "en": "Specifies whether to automatically configure routes. Valid values:\ntrue (default) \nfalse"
          }
        },
        "Name": {
          "Type": "String",
          "Description": {
            "en": "The name of the IPsec connection.\nThe length is 2-128 characters and must start with a letter or Chinese. It can contain numbers, periods (.), underscores (_) and dashes (-), but cannot start with http:// or https:// ."
          },
          "MinLength": 2,
          "MaxLength": 128
        },
        "EffectImmediately": {
          "Type": "Boolean",
          "Description": {
            "en": "Whether to delete the currently negotiated IPsec tunnel and re-initiate the negotiation. Value:\nTrue: Negotiate immediately after the configuration is complete.\nFalse (default): Negotiate when traffic enters."
          },
          "Default": false
        },
        "BgpConfig": {
          "AssociationPropertyMetadata": {
            "Parameters": {
              "EnableBgp": {
                "Type": "Boolean",
                "Description": {
                  "en": "Specifies whether to enable the BGP feature for the tunnel. \nValid values: true and false. Default value: false."
                }
              },
              "LocalAsn": {
                "Type": "Number",
                "Description": {
                  "en": "the ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295. Default value: 45104."
                },
                "MinValue": 1,
                "MaxValue": 4294967295
              },
              "TunnelCidr": {
                "Type": "String",
                "Description": {
                  "en": "the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length."
                }
              },
              "LocalBgpIp": {
                "Type": "String",
                "Description": {
                  "en": "the BGP IP address on the Alibaba Cloud side. \nThis IP address must fall within the CIDR block of the IPsec tunnel."
                }
              }
            }
          },
          "Type": "Json",
          "Description": {
            "en": "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP, we recommend that you learn about how BGP works and its limits. For more information, see VPN Gateway supports BGP dynamic routing.\nWe recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. \nRefer to the relevant documentation for the private ASN range."
          }
        },
        "RemoteSubnet": {
          "Type": "String",
          "Description": {
            "en": "The network segment of the local IDC is used for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.3.0/24, 192.168.4.0/24."
          }
        },
        "RemoteCaCert": {
          "Type": "String",
          "Description": {
            "en": "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway is used to establish the IPsec-VPN connection. \nYou can ignore this parameter when a standard VPN gateway is used to create the IPsec-VPN connection."
          }
        },
        "IpsecConfig": {
          "AssociationPropertyMetadata": {
            "Parameters": {
              "IpsecPfs": {
                "Type": "String",
                "Description": {
                  "en": "Forwards all protocol packets. The Diffie-Hellman key exchange algorithm used in the first phase negotiation, the value: group1|group2|group5|group14|group24, default value: group2."
                },
                "AllowedValues": [
                  "disabled",
                  "group1",
                  "group2",
                  "group5",
                  "group14",
                  "group24"
                ],
                "Default": "group2"
              },
              "IpsecEncAlg": {
                "Type": "String",
                "Description": {
                  "en": "The authentication algorithm negotiated in the second phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway instance type is national secret type, The value is sm4 (default value)."
                },
                "AllowedValues": [
                  "aes",
                  "aes192",
                  "aes256",
                  "des",
                  "3des",
                  "sm4"
                ]
              },
              "IpsecAuthAlg": {
                "Type": "String",
                "Description": {
                  "en": "The authentication algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway instance type is national secret type, The value is sm3 (default value)."
                },
                "AllowedValues": [
                  "md5",
                  "sha1",
                  "sha256",
                  "sha384",
                  "sha512",
                  "sm3"
                ]
              },
              "IpsecLifetime": {
                "Type": "Number",
                "Description": {
                  "en": "IpsecLifetime: The life cycle of the SA negotiated in the second phase. The value ranges from 0 to 86400, in seconds. The default value is 86400."
                },
                "MinValue": 0,
                "MaxValue": 86400,
                "Default": 86400
              }
            }
          },
          "Type": "Json",
          "Description": {
            "en": "Configuration information for the second phase negotiation."
          }
        },
        "NetworkType": {
          "Type": "String",
          "Description": {
            "en": "The network type of the IPsec connection. Value: public|private."
          },
          "AllowedValues": [
            "public",
            "private"
          ]
        },
        "HealthCheckConfig": {
          "AssociationPropertyMetadata": {
            "Parameters": {
              "Policy": {
                "Type": "String",
                "Description": {
                  "en": "Whether to revoke published routes when the health check fails."
                }
              },
              "Enable": {
                "Type": "Boolean"
              },
              "Dip": {
                "Type": "String"
              },
              "Retry": {
                "Type": "Number"
              },
              "Sip": {
                "Type": "String"
              },
              "Interval": {
                "Type": "Number"
              }
            }
          },
          "Type": "Json",
          "Description": {
            "en": "Whether to enable the health check configuration."
          }
        },
        "EnableNatTraversal": {
          "Type": "Boolean",
          "Description": {
            "en": "Specifies whether to enable NAT traversal. Valid values: \ntrue (default) After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel. \nfalse"
          }
        },
        "IkeConfig": {
          "AssociationPropertyMetadata": {
            "Parameters": {
              "IkeAuthAlg": {
                "Type": "String",
                "Description": {
                  "en": "The authentication algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway instance type is national secret type, The value is sm3 (default value)."
                },
                "AllowedValues": [
                  "md5",
                  "sha1",
                  "sha256",
                  "sha384",
                  "sha512",
                  "sm3"
                ]
              },
              "LocalId": {
                "Type": "String",
                "Description": {
                  "en": "ID of the VPN gateway. The length is limited to 100 characters. The default value is the public IP address of the VPN gateway."
                },
                "MaxLength": 100
              },
              "IkeEncAlg": {
                "Type": "String",
                "Description": {
                  "en": "The authentication algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway instance type is national secret type, The value is sm4 (default value)."
                },
                "AllowedValues": [
                  "aes",
                  "aes192",
                  "aes256",
                  "des",
                  "3des",
                  "sm4"
                ]
              },
              "IkeVersion": {
                "Type": "String",
                "Description": {
                  "en": "The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1."
                },
                "AllowedValues": [
                  "ikev1",
                  "ikev2"
                ],
                "Default": "ikev1"
              },
              "IkeMode": {
                "Type": "String",
                "Description": {
                  "en": "Negotiation mode for IKE V1. Value: main|aggressive, default: main."
                },
                "AllowedValues": [
                  "main",
                  "aggressive"
                ],
                "Default": "main"
              },
              "IkeLifetime": {
                "Type": "Number",
                "Description": {
                  "en": "The life cycle of the SA negotiated in the first phase. The value ranges from 0 to 86400, in seconds. The default value is 86400."
                },
                "MinValue": 0,
                "MaxValue": 86400,
                "Default": 86400
              },
              "RemoteId": {
                "Type": "String",
                "Description": {
                  "en": "ID of the user gateway. The length is limited to 100 characters. The default value is the public IP address of the user gateway."
                },
                "MaxLength": 100
              },
              "Psk": {
                "Type": "String",
                "Description": {
                  "en": "Used for identity authentication between the IPsec VPN gateway and the user gateway. It is generated randomly by default, or you can specify the key manually. The length is limited to 100 characters."
                },
                "MaxLength": 100
              },
              "IkePfs": {
                "Type": "String",
                "Description": {
                  "en": "Diffie-Hellman key exchange algorithm used in the first phase negotiation. Value: group1|group2|group5|group14|group24, default value: group2."
                },
                "AllowedValues": [
                  "group1",
                  "group2",
                  "group5",
                  "group14",
                  "group24"
                ],
                "Default": "group2"
              }
            }
          },
          "Type": "Json",
          "Description": {
            "en": "Configuration information for the first phase of negotiation."
          }
        },
        "EnableDpd": {
          "Type": "Boolean",
          "Description": {
            "en": "Specifies whether to enable the dead peer detection (DPD) feature. Valid values: \ntrue (default) The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel is also deleted. \nfalse: disables DPD. The IPsec initiator does not send DPD packets."
          }
        }
      },
      "Resources": {
        "VpnAttachment": {
          "Type": "ALIYUN::VPC::VpnAttachment",
          "Properties": {
            "LocalSubnet": {
              "Ref": "LocalSubnet"
            },
            "CustomerGatewayId": {
              "Ref": "CustomerGatewayId"
            },
            "AutoConfigRoute": {
              "Ref": "AutoConfigRoute"
            },
            "Name": {
              "Ref": "Name"
            },
            "EffectImmediately": {
              "Ref": "EffectImmediately"
            },
            "BgpConfig": {
              "Ref": "BgpConfig"
            },
            "RemoteSubnet": {
              "Ref": "RemoteSubnet"
            },
            "RemoteCaCert": {
              "Ref": "RemoteCaCert"
            },
            "IpsecConfig": {
              "Ref": "IpsecConfig"
            },
            "NetworkType": {
              "Ref": "NetworkType"
            },
            "HealthCheckConfig": {
              "Ref": "HealthCheckConfig"
            },
            "EnableNatTraversal": {
              "Ref": "EnableNatTraversal"
            },
            "IkeConfig": {
              "Ref": "IkeConfig"
            },
            "EnableDpd": {
              "Ref": "EnableDpd"
            }
          }
        }
      },
      "Outputs": {
        "InternetIp": {
          "Description": "The gateway IP address of the IPsec connection.",
          "Value": {
            "Fn::GetAtt": [
              "VpnAttachment",
              "InternetIp"
            ]
          }
        },
        "VpnAttachmentId": {
          "Description": "ID of the IPsec attachment.",
          "Value": {
            "Fn::GetAtt": [
              "VpnAttachment",
              "VpnAttachmentId"
            ]
          }
        },
        "PeerVpnAttachmentConfig": {
          "Description": "Peer vpc Attachment config.",
          "Value": {
            "Fn::GetAtt": [
              "VpnAttachment",
              "PeerVpnAttachmentConfig"
            ]
          }
        }
      }
    }