Resource Orchestration Service: ALIYUN::VPC::VpnAttachment

Last Updated: Nov 26, 2024

ALIYUN::VPC::VpnAttachment is used to create an IPsec-VPN connection. After you create the IPsec-VPN connection, you can associate the IPsec-VPN connection with a transit router.

Syntax

{
  "Type": "ALIYUN::VPC::VpnAttachment",
  "Properties": {
    "LocalSubnet": String,
    "CustomerGatewayId": String,
    "AutoConfigRoute": Boolean,
    "Name": String,
    "EffectImmediately": Boolean,
    "BgpConfig": Map,
    "RemoteSubnet": String,
    "RemoteCaCert": String,
    "IpsecConfig": Map,
    "NetworkType": String,
    "HealthCheckConfig": Map,
    "EnableNatTraversal": Boolean,
    "IkeConfig": Map,
    "EnableDpd": Boolean
  }
}

Properties

Each property is listed with its type, whether it is required, and whether it is editable, followed by its description and constraint.

LocalSubnet (Type: String; Required: Yes; Editable: Yes)

Description: The CIDR blocks on the virtual private cloud (VPC) side. The CIDR blocks are used in Phase 2 negotiations.

Constraint: Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24.

The following routing modes are supported for the IPsec-VPN connection:

  • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is Destination Routing Mode.

  • If you set LocalSubnet and RemoteSubnet to CIDR blocks other than 0.0.0.0/0, the routing mode of the IPsec-VPN connection is Protected Data Flows.

Example: 10.1.1.0/24,10.1.2.0/24.

CustomerGatewayId (Type: String; Required: Yes; Editable: No)

Description: The ID of the customer gateway.

Constraint: None.

AutoConfigRoute (Type: Boolean; Required: No; Editable: Yes)

Description: Specifies whether to automatically configure routes.

Constraint: Valid values:

  • true (default)

  • false

Name (Type: String; Required: No; Editable: Yes)

Description: The name of the IPsec-VPN connection.

Constraint: None.

EffectImmediately (Type: Boolean; Required: No; Editable: Yes)

Description: Specifies whether the configurations of the IPsec-VPN connection immediately take effect.

Constraint: Valid values:

  • true: The configurations of the IPsec-VPN connection immediately take effect. In this case, IPsec negotiations are started immediately after the configurations of the IPsec-VPN connection are complete.

  • false (default): The configurations of the IPsec-VPN connection do not immediately take effect. In this case, IPsec negotiations are started when inbound traffic is received.

BgpConfig (Type: Map; Required: No; Editable: Yes)

Description: The Border Gateway Protocol (BGP) configurations. For more information, see BgpConfig properties.

Constraint: Before you add BGP configurations, we recommend that you familiarize yourself with the work mechanism and the limits of BGP dynamic routing. For more information, see Configure routes for an IPsec-VPN connection.

We recommend that you use a private autonomous system number (ASN) to establish BGP connections to Alibaba Cloud. For more information about the range of private ASNs, see the relevant documentation.

Example (values typed as declared in the BgpConfig syntax):

{"EnableBgp":true,"LocalAsn":45104,"TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}

RemoteSubnet (Type: String; Required: Yes; Editable: Yes)

Description: The CIDR blocks on the data center side. The CIDR blocks are used in Phase 2 negotiations.

Constraint: Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24.

The following routing modes are supported for the IPsec-VPN connection:

  • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is Destination Routing Mode.

  • If you set LocalSubnet and RemoteSubnet to CIDR blocks other than 0.0.0.0/0, the routing mode of the IPsec-VPN connection is Protected Data Flows.

Example: 10.1.3.0/24,10.1.4.0/24.

RemoteCaCert (Type: String; Required: No; Editable: No)

Description: The peer CA certificate when a ShangMi (SM) VPN gateway is used to create the IPsec-VPN connection.

Example:

-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----

IpsecConfig (Type: Map; Required: No; Editable: Yes)

Description: The configurations of Phase 2 negotiations. For more information, see IpsecConfig properties.

Example:

{"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}

NetworkType (Type: String; Required: No; Editable: No)

Description: The network type of the IPsec-VPN connection.

Constraint: Valid values:

  • public (default): Internet. The IPsec-VPN connection serves as an encrypted communication tunnel over the Internet.

  • private: private network. The IPsec-VPN connection serves as an encrypted communication tunnel over a private network.

HealthCheckConfig (Type: Map; Required: No; Editable: Yes)

Description: The health check configurations. For more information, see HealthCheckConfig properties.

Example (keys and types as declared in the HealthCheckConfig syntax):

{"Enable":true,"Dip":"192.168.1.1","Sip":"10.1.1.1","Interval":3,"Retry":3,"Policy":"revoke_route"}

EnableNatTraversal (Type: Boolean; Required: No; Editable: Yes)

Description: Specifies whether to enable the NAT traversal feature.

Constraint: Valid values:

  • true (default): enables the NAT traversal feature. After you enable this feature, the initiator does not check the UDP ports during Internet Key Exchange (IKE) negotiations and can automatically discover NAT gateway devices along the IPsec-VPN tunnel.

  • false: disables the NAT traversal feature.

IkeConfig (Type: Map; Required: No; Editable: Yes)

Description: The configurations of Phase 1 negotiations. For more information, see IkeConfig properties.

EnableDpd (Type: Boolean; Required: No; Editable: Yes)

Description: Specifies whether to enable the dead peer detection (DPD) feature.

Constraint: Valid values:

  • true (default): enables the DPD feature. The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no valid response is received from the peer within a specified period of time, the connection fails. ISAKMP Security Associations (SAs) and IPsec SAs are deleted. The IPsec-VPN tunnel is also deleted.

  • false: disables the DPD feature. The initiator of the IPsec-VPN connection does not send DPD packets.

BgpConfig syntax

"BgpConfig": {
  "EnableBgp": Boolean,
  "LocalAsn": Number,
  "TunnelCidr": String,
  "LocalBgpIp": String
}

BgpConfig properties

EnableBgp (Type: Boolean; Required: No; Editable: No)

Description: Specifies whether to enable the BGP feature.

Constraint: Valid values:

  • true

  • false (default)

LocalAsn (Type: Number; Required: No; Editable: Yes)

Description: The ASN on the Alibaba Cloud side.

Constraint: Valid values: 1 to 4294967295. Default value: 45104.

TunnelCidr (Type: String; Required: No; Editable: Yes)

Description: The CIDR block of the IPsec-VPN tunnel.

Constraint: The CIDR block must belong to 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length.

LocalBgpIp (Type: String; Required: No; Editable: Yes)

Description: The BGP IP address on the Alibaba Cloud side.

Constraint: The IP address must fall within the CIDR block range of the IPsec-VPN tunnel.

IpsecConfig syntax

"IpsecConfig": {
  "IpsecPfs": String,
  "IpsecEncAlg": String,
  "IpsecAuthAlg": String,
  "IpsecLifetime": Integer
}

IpsecConfig properties

IpsecPfs (Type: String; Required: No; Editable: Yes)

Description: The Diffie-Hellman (DH) key exchange algorithm that is used in Phase 2 negotiations.

Constraint: Valid values:

  • disabled

  • group1

  • group2 (default)

  • group5

  • group14

IpsecEncAlg (Type: String; Required: No; Editable: Yes)

Description: The encryption algorithm that is used in Phase 2 negotiations.

Constraint: Valid values:

  • aes (default)

  • aes192

  • aes256

  • des

  • 3des

IpsecAuthAlg (Type: String; Required: No; Editable: Yes)

Description: The authentication algorithm that is used in Phase 2 negotiations.

Constraint: Valid values:

  • md5 (default)

  • sha1

  • sha256

  • sha384

  • sha512

IpsecLifetime (Type: Integer; Required: No; Editable: Yes)

Description: The SA lifetime that is determined by Phase 2 negotiations.

Constraint: Unit: seconds. Valid values: 0 to 86400. Default value: 86400.

HealthCheckConfig syntax

"HealthCheckConfig": {
  "Policy": String,
  "Enable": Boolean,
  "Dip": String,
  "Retry": Integer,
  "Sip": String,
  "Interval": Integer
}

HealthCheckConfig properties

Policy (Type: String; Required: No; Editable: Yes)

Description: Specifies whether to withdraw published routes when the health check fails.

Constraint: Valid values:

  • revoke_route (default): withdraws published routes when the health check fails.

  • reserve_route: does not withdraw published routes when the health check fails.

Enable (Type: Boolean; Required: No; Editable: Yes)

Description: Specifies whether to enable the health check feature.

Constraint: Valid values:

  • true

  • false (default)

Dip (Type: String; Required: No; Editable: Yes)

Description: The destination IP address that is used for health checks.

Constraint: Specify the IP address on the data center side with which the VPC can communicate based on the IPsec-VPN connection.

Retry (Type: Integer; Required: No; Editable: Yes)

Description: The maximum number of health check retries.

Constraint: Default value: 3.

Sip (Type: String; Required: No; Editable: Yes)

Description: The source IP address that is used for health checks.

Constraint: Specify the IP address on the VPC side with which the data center can communicate based on the IPsec-VPN connection.

Interval (Type: Integer; Required: No; Editable: Yes)

Description: The interval between two consecutive health check retries.

Constraint: Unit: seconds. Default value: 3.

IkeConfig syntax

"IkeConfig": {
  "IkeAuthAlg": String,
  "LocalId": String,
  "IkeEncAlg": String,
  "IkeVersion": String,
  "IkeMode": String,
  "IkeLifetime": Integer,
  "RemoteId": String,
  "Psk": String,
  "IkePfs": String
}

IkeConfig properties

IkeAuthAlg (Type: String; Required: No; Editable: Yes)

Description: The authentication algorithm that is used in Phase 1 negotiations.

Constraint: Valid values:

  • md5 (default)

  • sha1

  • sha256

  • sha384

  • sha512

LocalId (Type: String; Required: No; Editable: Yes)

Description: The identifier of the IPsec-VPN connection on the Alibaba Cloud side.

Constraint: The identifier can be up to 100 characters in length. This property is empty by default.

IkeEncAlg (Type: String; Required: No; Editable: Yes)

Description: The encryption algorithm that is used in Phase 1 negotiations.

Constraint: Valid values:

  • aes (default)

  • aes192

  • aes256

  • des

  • 3des

IkeVersion (Type: String; Required: No; Editable: Yes)

Description: The version of the IKE protocol.

Constraint: Valid values:

  • ikev1 (default)

  • ikev2

IkeMode (Type: String; Required: No; Editable: Yes)

Description: The negotiation mode.

Constraint: Valid values:

  • main (default)

  • aggressive

IkeLifetime (Type: Integer; Required: No; Editable: Yes)

Description: The SA lifetime that is determined by Phase 1 negotiations.

Constraint: Unit: seconds. Valid values: 0 to 86400. Default value: 86400.

RemoteId (Type: String; Required: No; Editable: Yes)

Description: The identifier of the IPsec-VPN connection on the data center side.

Constraint: The identifier can be up to 100 characters in length. The default value is the IP address of the customer gateway.

Psk (Type: String; Required: No; Editable: Yes)

Description: The pre-shared key that is used for identity authentication between the VPN gateway and the data center.

Constraint: The following limits apply:

  • The pre-shared key must be 1 to 100 characters in length, and can contain digits, letters, and the following characters: ~ ! ` @ # $ % ^ & * ( ) _ - + = { } [ ] | ; : ' , . < > / ?

  • If you do not specify a pre-shared key, the system randomly generates a 16-character string as the pre-shared key.

Note: The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway.

IkePfs (Type: String; Required: No; Editable: Yes)

Description: The DH key exchange algorithm that is used in Phase 1 negotiations.

Constraint: Valid values:

  • group1 (default)

  • group2

  • group5

  • group14
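
As an added example (not code from the Alibaba Cloud documentation or from ROS itself), the Python script below checks the Properties block of an ALIYUN::VPC::VpnAttachment resource against the constraints stated in the tables above: the comma-separated LocalSubnet/RemoteSubnet lists and the routing mode they select, the BgpConfig tunnel block (a /30 inside 169.254.0.0/16 that contains LocalBgpIp), the Psk length and character set, and the 0 to 86400 second SA lifetimes. It also reports the legacy algorithm values the tables still list (md5, sha1, des, 3des, group1, group2, IKEv1 aggressive mode) as review findings; that hardening judgement and the RFC 6996 private ASN ranges are the reviewer's own, not the page's, and every sample value in the script is constructed.

```python
"""Review the security-relevant Properties of an ALIYUN::VPC::VpnAttachment
resource before the ROS template that carries it is deployed.  Added example,
not code from the Alibaba Cloud documentation or from ROS: it encodes the
constraints the property tables state and flags, as the reviewer's own
judgement, the legacy algorithm values the tables still accept.
"""
import ipaddress
import secrets
import string

# Character set the Psk constraint lists: digits, letters and these symbols.
PSK_ALPHABET = string.ascii_letters + string.digits + "~!`@#$%^&*()_-+={}[]|;:',.<>/?"
# Values a reviewer would not accept on a new tunnel (reviewer's judgement).
WEAK = {"IkeAuthAlg": {"md5", "sha1"}, "IpsecAuthAlg": {"md5", "sha1"},
        "IkeEncAlg": {"des", "3des"}, "IpsecEncAlg": {"des", "3des"},
        "IkePfs": {"group1", "group2"}, "IpsecPfs": {"disabled", "group1", "group2"}}
# Private ASN ranges per RFC 6996; the page only says "use a private ASN".
PRIVATE_ASN = ((64512, 65534), (4200000000, 4294967294))
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def parse_cidrs(value):
    """Split the comma-separated list used by LocalSubnet and RemoteSubnet."""
    return [ipaddress.ip_network(c.strip(), strict=True) for c in value.split(",")]


def routing_mode(local, remote):
    """Routing mode exactly as the LocalSubnet/RemoteSubnet table defines it."""
    anywhere = [ipaddress.ip_network("0.0.0.0/0")]
    if parse_cidrs(local) == anywhere and parse_cidrs(remote) == anywhere:
        return "Destination Routing Mode"
    return "Protected Data Flows"


def check_bgp(cfg):
    """TunnelCidr must be a /30 inside 169.254.0.0/16 and contain LocalBgpIp."""
    if not cfg or str(cfg.get("EnableBgp", "false")).lower() != "true":
        return []
    try:
        tunnel = ipaddress.ip_network(cfg["TunnelCidr"], strict=True)
    except (KeyError, ValueError) as exc:
        return [f"BgpConfig.TunnelCidr: invalid ({exc})"]
    findings = []
    if tunnel.prefixlen != 30 or not tunnel.subnet_of(LINK_LOCAL):
        findings.append("BgpConfig.TunnelCidr: must be a /30 within 169.254.0.0/16")
    if ipaddress.ip_address(cfg["LocalBgpIp"]) not in tunnel:
        findings.append("BgpConfig.LocalBgpIp: not inside TunnelCidr")
    asn = int(cfg.get("LocalAsn", 45104))  # 45104 is the documented default
    if not any(lo <= asn <= hi for lo, hi in PRIVATE_ASN):
        findings.append(f"BgpConfig.LocalAsn={asn}: not a private ASN")
    return findings


def psk_is_valid(psk):
    """Psk constraint: 1 to 100 characters, all from the allowed alphabet."""
    return 1 <= len(psk) <= 100 and all(ch in PSK_ALPHABET for ch in psk)


def generate_psk(length=32):
    """Random key from the allowed alphabet; configure the identical value on
    the customer gateway, since mismatched keys mean no tunnel is established."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def lint(props):
    """Return the list of findings for one VpnAttachment Properties block."""
    findings = []
    for key in ("LocalSubnet", "RemoteSubnet"):
        try:
            parse_cidrs(props[key])
        except (KeyError, ValueError) as exc:
            findings.append(f"{key}: invalid CIDR list ({exc})")
    findings += check_bgp(props.get("BgpConfig"))
    # Phase 1 and Phase 2 keys never collide, so one merged view is enough.
    cfg = {**props.get("IkeConfig", {}), **props.get("IpsecConfig", {})}
    for key, bad in WEAK.items():
        if cfg.get(key) in bad:
            findings.append(f"{key}={cfg[key]}: legacy algorithm, pick a stronger value")
    if cfg.get("IkeVersion", "ikev1") == "ikev1" and cfg.get("IkeMode", "main") == "aggressive":
        findings.append("IkeMode=aggressive: use main mode or IKEv2")
    for key in ("IkeLifetime", "IpsecLifetime"):
        if key in cfg and not 0 <= int(cfg[key]) <= 86400:
            findings.append(f"{key}={cfg[key]}: outside 0..86400 seconds")
    if "Psk" in cfg and not psk_is_valid(cfg["Psk"]):
        findings.append("Psk: violates the 1-100 character / allowed character set rule")
    return findings


# Constructed sample modelled on the page's own property examples.
SAMPLE = {
    "LocalSubnet": "10.1.1.0/24,10.1.2.0/24", "RemoteSubnet": "10.1.3.0/24,10.1.4.0/24",
    "BgpConfig": {"EnableBgp": "true", "LocalAsn": "45104",
                  "TunnelCidr": "169.254.11.0/30", "LocalBgpIp": "169.254.11.1"},
    "IkeConfig": {"IkeVersion": "ikev1", "IkeMode": "aggressive", "IkeAuthAlg": "md5",
                  "IkeEncAlg": "aes", "IkePfs": "group1", "IkeLifetime": 86400,
                  "Psk": "has a space"},  # the space is outside the allowed set
    "IpsecConfig": {"IpsecEncAlg": "aes", "IpsecAuthAlg": "sha1",
                    "IpsecPfs": "group2", "IpsecLifetime": 86400},
}
# The same tunnel with the stronger options the same tables offer.
HARDENED = {
    **SAMPLE, "BgpConfig": {**SAMPLE["BgpConfig"], "LocalAsn": 64512},
    "IkeConfig": {"IkeVersion": "ikev2", "IkeAuthAlg": "sha256", "IkeEncAlg": "aes256",
                  "IkePfs": "group14", "IkeLifetime": 86400, "Psk": generate_psk()},
    "IpsecConfig": {"IpsecEncAlg": "aes256", "IpsecAuthAlg": "sha256",
                    "IpsecPfs": "group14", "IpsecLifetime": 86400},
}
```

Run `lint()` over the Properties block of every VpnAttachment resource in a template before deployment; an empty list means the block satisfies the stated constraints and uses none of the legacy options, while `lint(SAMPLE)` reports seven findings. `generate_psk()` produces a key longer than the 16-character string the service generates when Psk is omitted, in the exact character set the Psk constraint allows, so the same value can be pasted into the customer gateway configuration.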

Return values

Fn::GetAtt

  • InternetIp: the gateway address of the IPsec-VPN connection.

  • VpnAttachmentId: the ID of the IPsec-VPN connection.

  • PeerVpnAttachmentConfig: the configurations of the IPsec-VPN connection.

Examples

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  AutoConfigRoute:
    Description:
      en: "Specifies whether to automatically configure routes. Valid values:\ntrue\
        \ (default) \nfalse"
    Type: Boolean
  BgpConfig:
    AssociationPropertyMetadata:
      Parameters:
        EnableBgp:
          Description:
            en: "Specifies whether to enable the BGP feature for the tunnel. \nValid\
              \ values: true and false. Default value: false."
          Type: Boolean
        LocalAsn:
          Description:
            en: 'the ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295.
              Default value: 45104.'
          MaxValue: 4294967295
          MinValue: 1
          Type: Number
        LocalBgpIp:
          Description:
            en: "the BGP IP address on the Alibaba Cloud side. \nThis IP address must\
              \ fall within the CIDR block of the IPsec tunnel."
          Type: String
        TunnelCidr:
          Description:
            en: the CIDR block of the IPsec tunnel. The CIDR block must fall within
              169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in
              length.
          Type: String
    Description:
      en: "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required\
        \ when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP,\
        \ we recommend that you learn about how BGP works and its limits. For more\
        \ information, see VPN Gateway supports BGP dynamic routing.\nWe recommend\
        \ that you use a private ASN to establish a connection with Alibaba Cloud\
        \ over BGP. \nRefer to the relevant documentation for the private ASN range."
    Type: Json
  CustomerGatewayId:
    Description:
      en: The ID of the user gateway.
    Type: String
  EffectImmediately:
    Default: false
    Description:
      en: 'Whether to delete the currently negotiated IPsec tunnel and re-initiate
        the negotiation. Value:

        True: Negotiate immediately after the configuration is complete.

        False (default): Negotiate when traffic enters.'
    Type: Boolean
  EnableDpd:
    Description:
      en: "Specifies whether to enable the dead peer detection (DPD) feature. Valid\
        \ values: \ntrue (default) The initiator of the IPsec-VPN connection sends\
        \ DPD packets to verify the existence and availability of the peer. If no\
        \ response is received from the peer within a specified period of time, the\
        \ connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel\
        \ is also deleted. \nfalse: disables DPD. The IPsec initiator does not send\
        \ DPD packets."
    Type: Boolean
  EnableNatTraversal:
    Description:
      en: "Specifies whether to enable NAT traversal. Valid values: \ntrue (default)\
        \ After NAT traversal is enabled, the initiator does not check the UDP ports\
        \ during IKE negotiations and can automatically discover NAT gateway devices\
        \ along the VPN tunnel. \nfalse"
    Type: Boolean
  HealthCheckConfig:
    AssociationPropertyMetadata:
      Parameters:
        Dip:
          Type: String
        Enable:
          Type: Boolean
        Interval:
          Type: Number
        Policy:
          Description:
            en: Whether to revoke published routes when the health check fails.
          Type: String
        Retry:
          Type: Number
        Sip:
          Type: String
    Description:
      en: Whether to enable the health check configuration.
    Type: Json
  IkeConfig:
    AssociationPropertyMetadata:
      Parameters:
        IkeAuthAlg:
          AllowedValues:
          - md5
          - sha1
          - sha256
          - sha384
          - sha512
          - sm3
          Description:
            en: "The authentication algorithm negotiated in the first phase. \nIf\
              \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
              \ and the default value is md5.\nIf the VPN gateway instance type is\
              \ national secret type, the value is sm3 (default value)."
          Type: String
        IkeEncAlg:
          AllowedValues:
          - aes
          - aes192
          - aes256
          - des
          - 3des
          - sm4
          Description:
            en: "The encryption algorithm negotiated in the first phase. \nIf\
              \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
              \ and the default value is aes.\nIf the VPN gateway instance type is\
              \ national secret type, the value is sm4 (default value)."
          Type: String
        IkeLifetime:
          Default: 86400
          Description:
            en: The life cycle of the SA negotiated in the first phase. The value
              ranges from 0 to 86400, in seconds. The default value is 86400.
          MaxValue: 86400
          MinValue: 0
          Type: Number
        IkeMode:
          AllowedValues:
          - main
          - aggressive
          Default: main
          Description:
            en: 'Negotiation mode for IKE V1. Value: main|aggressive, default: main.'
          Type: String
        IkePfs:
          AllowedValues:
          - group1
          - group2
          - group5
          - group14
          - group24
          Default: group2
          Description:
            en: 'Diffie-Hellman key exchange algorithm used in the first phase negotiation.
              Value: group1|group2|group5|group14|group24, default value: group2.'
          Type: String
        IkeVersion:
          AllowedValues:
          - ikev1
          - ikev2
          Default: ikev1
          Description:
            en: 'The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1.'
          Type: String
        LocalId:
          Description:
            en: ID of the VPN gateway. The length is limited to 100 characters. The
              default value is the public IP address of the VPN gateway.
          MaxLength: 100
          Type: String
        Psk:
          Description:
            en: Used for identity authentication between the IPsec VPN gateway and
              the user gateway. It is generated randomly by default, or you can specify
              the key manually. The length is limited to 100 characters.
          MaxLength: 100
          Type: String
        RemoteId:
          Description:
            en: ID of the user gateway. The length is limited to 100 characters. The
              default value is the public IP address of the user gateway.
          MaxLength: 100
          Type: String
    Description:
      en: Configuration information for the first phase of negotiation.
    Type: Json
  IpsecConfig:
    AssociationPropertyMetadata:
      Parameters:
        IpsecAuthAlg:
          AllowedValues:
          - md5
          - sha1
          - sha256
          - sha384
          - sha512
          - sm3
          Description:
            en: "The authentication algorithm negotiated in the second phase. \nIf\
              \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
              \ and the default value is md5.\nIf the VPN gateway instance type is\
              \ national secret type, the value is sm3 (default value)."
          Type: String
        IpsecEncAlg:
          AllowedValues:
          - aes
          - aes192
          - aes256
          - des
          - 3des
          - sm4
          Description:
            en: "The encryption algorithm negotiated in the second phase. \nIf\
              \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
              \ and the default value is aes.\nIf the VPN gateway instance type is\
              \ national secret type, the value is sm4 (default value)."
          Type: String
        IpsecLifetime:
          Default: 86400
          Description:
            en: 'IpsecLifetime: The life cycle of the SA negotiated in the second
              phase. The value ranges from 0 to 86400, in seconds. The default value
              is 86400.'
          MaxValue: 86400
          MinValue: 0
          Type: Number
        IpsecPfs:
          AllowedValues:
          - disabled
          - group1
          - group2
          - group5
          - group14
          - group24
          Default: group2
          Description:
            en: 'The Diffie-Hellman key exchange algorithm used in the second phase
              negotiation. Value: disabled|group1|group2|group5|group14|group24, default
              value: group2.'
          Type: String
    Description:
      en: Configuration information for the second phase negotiation.
    Type: Json
  LocalSubnet:
    Description:
      en: 'A network segment on the VPC side that needs to be interconnected with
        the local IDC for the second phase negotiation.

        Multiple network segments are separated by commas, for example: 192.168.1.0/24,
        192.168.2.0/24.'
    Type: String
  Name:
    Description:
      en: 'The name of the IPsec connection.

        The length is 2-128 characters and must start with a letter or Chinese. It
        can contain numbers, periods (.), underscores (_) and dashes (-), but cannot
        start with http:// or https:// .'
    MaxLength: 128
    MinLength: 2
    Type: String
  NetworkType:
    AllowedValues:
    - public
    - private
    Description:
      en: 'The network type of the IPsec connection. Value: public|private.'
    Type: String
  RemoteCaCert:
    Description:
      en: "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish\
        \ the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway\
        \ is used to establish the IPsec-VPN connection. \nYou can ignore this parameter\
        \ when a standard VPN gateway is used to create the IPsec-VPN connection."
    Type: String
  RemoteSubnet:
    Description:
      en: 'The network segment of the local IDC is used for the second phase negotiation.

        Multiple network segments are separated by commas, for example: 192.168.3.0/24,
        192.168.4.0/24.'
    Type: String
Resources:
  VpnAttachment:
    Properties:
      AutoConfigRoute:
        Ref: AutoConfigRoute
      BgpConfig:
        Ref: BgpConfig
      CustomerGatewayId:
        Ref: CustomerGatewayId
      EffectImmediately:
        Ref: EffectImmediately
      EnableDpd:
        Ref: EnableDpd
      EnableNatTraversal:
        Ref: EnableNatTraversal
      HealthCheckConfig:
        Ref: HealthCheckConfig
      IkeConfig:
        Ref: IkeConfig
      IpsecConfig:
        Ref: IpsecConfig
      LocalSubnet:
        Ref: LocalSubnet
      Name:
        Ref: Name
      NetworkType:
        Ref: NetworkType
      RemoteCaCert:
        Ref: RemoteCaCert
      RemoteSubnet:
        Ref: RemoteSubnet
    Type: ALIYUN::VPC::VpnAttachment
Outputs:
  InternetIp:
    Description: The gateway IP address of the IPsec connection.
    Value:
      Fn::GetAtt:
      - VpnAttachment
      - InternetIp
  PeerVpnAttachmentConfig:
    Description: Peer vpc Attachment config.
    Value:
      Fn::GetAtt:
      - VpnAttachment
      - PeerVpnAttachmentConfig
  VpnAttachmentId:
    Description: ID of the IPsec attachment.
    Value:
      Fn::GetAtt:
      - VpnAttachment
      - VpnAttachmentId
                        
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "LocalSubnet": {
      "Type": "String",
      "Description": {
        "en": "A network segment on the VPC side that needs to be interconnected with the local IDC for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.1.0/24, 192.168.2.0/24."
      }
    },
    "CustomerGatewayId": {
      "Type": "String",
      "Description": {
        "en": "The ID of the user gateway."
      }
    },
    "AutoConfigRoute": {
      "Type": "Boolean",
      "Description": {
        "en": "Specifies whether to automatically configure routes. Valid values:\ntrue (default) \nfalse"
      }
    },
    "Name": {
      "Type": "String",
      "Description": {
        "en": "The name of the IPsec connection.\nThe length is 2-128 characters and must start with a letter or Chinese. It can contain numbers, periods (.), underscores (_) and dashes (-), but cannot start with http:// or https:// ."
      },
      "MinLength": 2,
      "MaxLength": 128
    },
    "EffectImmediately": {
      "Type": "Boolean",
      "Description": {
        "en": "Whether to delete the currently negotiated IPsec tunnel and re-initiate the negotiation. Value:\nTrue: Negotiate immediately after the configuration is complete.\nFalse (default): Negotiate when traffic enters."
      },
      "Default": false
    },
    "BgpConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "EnableBgp": {
            "Type": "Boolean",
            "Description": {
              "en": "Specifies whether to enable the BGP feature for the tunnel. \nValid values: true and false. Default value: false."
            }
          },
          "LocalAsn": {
            "Type": "Number",
            "Description": {
              "en": "the ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295. Default value: 45104."
            },
            "MinValue": 1,
            "MaxValue": 4294967295
          },
          "TunnelCidr": {
            "Type": "String",
            "Description": {
              "en": "the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length."
            }
          },
          "LocalBgpIp": {
            "Type": "String",
            "Description": {
              "en": "the BGP IP address on the Alibaba Cloud side. \nThis IP address must fall within the CIDR block of the IPsec tunnel."
            }
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP, we recommend that you learn about how BGP works and its limits. For more information, see VPN Gateway supports BGP dynamic routing.\nWe recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. \nRefer to the relevant documentation for the private ASN range."
      }
    },
    "RemoteSubnet": {
      "Type": "String",
      "Description": {
        "en": "The network segment of the local IDC is used for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.3.0/24, 192.168.4.0/24."
      }
    },
    "RemoteCaCert": {
      "Type": "String",
      "Description": {
        "en": "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway is used to establish the IPsec-VPN connection. \nYou can ignore this parameter when a standard VPN gateway is used to create the IPsec-VPN connection."
      }
    },
    "IpsecConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "IpsecPfs": {
            "Type": "String",
            "Description": {
              "en": "The Diffie-Hellman key exchange algorithm used in the second phase negotiation. Value: disabled|group1|group2|group5|group14|group24, default value: group2."
            },
            "AllowedValues": [
              "disabled",
              "group1",
              "group2",
              "group5",
              "group14",
              "group24"
            ],
            "Default": "group2"
          },
          "IpsecEncAlg": {
            "Type": "String",
            "Description": {
              "en": "The encryption algorithm negotiated in the second phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway instance type is national secret type, the value is sm4 (default value)."
            },
            "AllowedValues": [
              "aes",
              "aes192",
              "aes256",
              "des",
              "3des",
              "sm4"
            ]
          },
          "IpsecAuthAlg": {
            "Type": "String",
            "Description": {
              "en": "The authentication algorithm negotiated in the second phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway instance type is national secret type, the value is sm3 (default value)."
            },
            "AllowedValues": [
              "md5",
              "sha1",
              "sha256",
              "sha384",
              "sha512",
              "sm3"
            ]
          },
          "IpsecLifetime": {
            "Type": "Number",
            "Description": {
              "en": "IpsecLifetime: The life cycle of the SA negotiated in the second phase. The value ranges from 0 to 86400, in seconds. The default value is 86400."
            },
            "MinValue": 0,
            "MaxValue": 86400,
            "Default": 86400
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "Configuration information for the second phase negotiation."
      }
    },
    "NetworkType": {
      "Type": "String",
      "Description": {
        "en": "The network type of the IPsec connection. Value: public|private."
      },
      "AllowedValues": [
        "public",
        "private"
      ]
    },
    "HealthCheckConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "Whether to revoke published routes when the health check fails."
            }
          },
          "Enable": {
            "Type": "Boolean"
          },
          "Dip": {
            "Type": "String"
          },
          "Retry": {
            "Type": "Number"
          },
          "Sip": {
            "Type": "String"
          },
          "Interval": {
            "Type": "Number"
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "Whether to enable the health check configuration."
      }
    },
    "EnableNatTraversal": {
      "Type": "Boolean",
      "Description": {
        "en": "Specifies whether to enable NAT traversal. Valid values: \ntrue (default) After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel. \nfalse"
      }
    },
    "IkeConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "IkeAuthAlg": {
            "Type": "String",
            "Description": {
              "en": "The authentication algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway instance type is national secret type, the value is sm3 (default value)."
            },
            "AllowedValues": [
              "md5",
              "sha1",
              "sha256",
              "sha384",
              "sha512",
              "sm3"
            ]
          },
          "LocalId": {
            "Type": "String",
            "Description": {
              "en": "ID of the VPN gateway. The length is limited to 100 characters. The default value is the public IP address of the VPN gateway."
            },
            "MaxLength": 100
          },
          "IkeEncAlg": {
            "Type": "String",
            "Description": {
              "en": "The encryption algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway instance type is national secret type, the value is sm4 (default value)."
            },
            "AllowedValues": [
              "aes",
              "aes192",
              "aes256",
              "des",
              "3des",
              "sm4"
            ]
          },
          "IkeVersion": {
            "Type": "String",
            "Description": {
              "en": "The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1."
            },
            "AllowedValues": [
              "ikev1",
              "ikev2"
            ],
            "Default": "ikev1"
          },
          "IkeMode": {
            "Type": "String",
            "Description": {
              "en": "The negotiation mode, used only when IkeVersion is ikev1. Valid values: main, aggressive. Default value: main."
            },
            "AllowedValues": [
              "main",
              "aggressive"
            ],
            "Default": "main"
          },
          "IkeLifetime": {
            "Type": "Number",
            "Description": {
              "en": "The lifetime of the SA negotiated in Phase 1. Valid values: 0 to 86400, in seconds. Default value: 86400."
            },
            "MinValue": 0,
            "MaxValue": 86400,
            "Default": 86400
          },
          "RemoteId": {
            "Type": "String",
            "Description": {
              "en": "The identity (IKE ID) of the customer gateway. The length is limited to 100 characters. The default value is the public IP address of the customer gateway."
            },
            "MaxLength": 100
          },
          "Psk": {
            "Type": "String",
            "Description": {
              "en": "The pre-shared key used for identity authentication between the VPN gateway and the customer gateway. A random key is generated by default; you can also specify the key manually. The length is limited to 100 characters."
            },
            "MaxLength": 100
          },
          "IkePfs": {
            "Type": "String",
            "Description": {
              "en": "The Diffie-Hellman group used in the Phase 1 negotiation. Valid values: group1, group2, group5, group14, group24. Default value: group2."
            },
            "AllowedValues": [
              "group1",
              "group2",
              "group5",
              "group14",
              "group24"
            ],
            "Default": "group2"
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "Configuration information for the first phase of negotiation."
      }
    },
    "EnableDpd": {
      "Type": "Boolean",
      "Description": {
        "en": "Specifies whether to enable the dead peer detection (DPD) feature. Valid values: \ntrue (default): The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel is also deleted. \nfalse: disables DPD. The IPsec initiator does not send DPD packets."
      }
    }
  },
  "Resources": {
    "VpnAttachment": {
      "Type": "ALIYUN::VPC::VpnAttachment",
      "Properties": {
        "LocalSubnet": {
          "Ref": "LocalSubnet"
        },
        "CustomerGatewayId": {
          "Ref": "CustomerGatewayId"
        },
        "AutoConfigRoute": {
          "Ref": "AutoConfigRoute"
        },
        "Name": {
          "Ref": "Name"
        },
        "EffectImmediately": {
          "Ref": "EffectImmediately"
        },
        "BgpConfig": {
          "Ref": "BgpConfig"
        },
        "RemoteSubnet": {
          "Ref": "RemoteSubnet"
        },
        "RemoteCaCert": {
          "Ref": "RemoteCaCert"
        },
        "IpsecConfig": {
          "Ref": "IpsecConfig"
        },
        "NetworkType": {
          "Ref": "NetworkType"
        },
        "HealthCheckConfig": {
          "Ref": "HealthCheckConfig"
        },
        "EnableNatTraversal": {
          "Ref": "EnableNatTraversal"
        },
        "IkeConfig": {
          "Ref": "IkeConfig"
        },
        "EnableDpd": {
          "Ref": "EnableDpd"
        }
      }
    }
  },
  "Outputs": {
    "InternetIp": {
      "Description": "The IP address of the VPN gateway used by the IPsec-VPN connection.",
      "Value": {
        "Fn::GetAtt": [
          "VpnAttachment",
          "InternetIp"
        ]
      }
    },
    "VpnAttachmentId": {
      "Description": "The ID of the IPsec-VPN connection.",
      "Value": {
        "Fn::GetAtt": [
          "VpnAttachment",
          "VpnAttachmentId"
        ]
      }
    },
    "PeerVpnAttachmentConfig": {
      "Description": "The peer configuration of the IPsec-VPN connection.",
      "Value": {
        "Fn::GetAtt": [
          "VpnAttachment",
          "PeerVpnAttachmentConfig"
        ]
      }
    }
  }
}
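The IkeConfig parameter in the template above has no Default, so a stack created without an IkeConfig value negotiates with the platform defaults listed in the parameter descriptions: md5, group2, ikev1. The following Python script is an added example, not Alibaba Cloud or ROS code. It resolves the IkeConfig reference the way the template wires it (resource property, then parameter value, then parameter Default) and checks the resolved map against a policy. The allowed values and defaults are taken from the template; which values count as weak (the WEAK_* sets and the 20-character minimum PSK length) is this example's own assumption, and the TEMPLATE and HARDENED dictionaries are constructed inputs.

```python
"""Policy check for the IkeConfig map of an ALIYUN::VPC::VpnAttachment template.

Added example, not Alibaba Cloud or ROS code. Allowed values and defaults
are the ones listed in the IkeConfig parameter of the template; the WEAK_*
sets and MIN_PSK_LEN are this example's own policy.
"""
import json

# Allowed values and platform defaults, as listed in the template's IkeConfig parameter.
IKE_AUTH_ALGS = {"md5", "sha1", "sha256", "sha384", "sha512", "sm3"}
IKE_ENC_ALGS = {"aes", "aes192", "aes256", "des", "3des", "sm4"}
IKE_PFS_GROUPS = {"group1", "group2", "group5", "group14", "group24"}
IKE_VERSIONS = {"ikev1", "ikev2"}
IKE_MODES = {"main", "aggressive"}
DEFAULTS = {"IkeAuthAlg": "md5", "IkeEncAlg": "aes", "IkePfs": "group2",
            "IkeVersion": "ikev1", "IkeMode": "main", "IkeLifetime": 86400}

# Policy (assumption of this example): md5/sha1 integrity, single/triple DES
# and DH groups below 2048 bits are flagged, as are PSKs shorter than 20 chars.
WEAK_AUTH = {"md5", "sha1"}
WEAK_ENC = {"des", "3des"}
WEAK_PFS = {"group1", "group2", "group5"}
MIN_PSK_LEN = 20


def lint_ike_config(ike):
    """Return [(severity, message)] for one resolved IkeConfig map.

    Absent keys take the platform default, just as the VPN service applies
    them, so an empty map is linted as md5/aes/group2/ikev1/main.
    """
    cfg = {**DEFAULTS, **ike}
    findings = []

    for key, allowed in (("IkeAuthAlg", IKE_AUTH_ALGS), ("IkeEncAlg", IKE_ENC_ALGS),
                         ("IkePfs", IKE_PFS_GROUPS), ("IkeVersion", IKE_VERSIONS),
                         ("IkeMode", IKE_MODES)):
        if cfg[key] not in allowed:
            findings.append(("error", f"{key}={cfg[key]!r} is not an allowed value"))
    lifetime = cfg["IkeLifetime"]
    if not isinstance(lifetime, int) or not 0 <= lifetime <= 86400:
        findings.append(("error", f"IkeLifetime={lifetime!r} must be an integer in 0..86400"))

    if cfg["IkeAuthAlg"] in WEAK_AUTH:
        findings.append(("warn", f"IkeAuthAlg={cfg['IkeAuthAlg']}: use sha256 or stronger"))
    if cfg["IkeEncAlg"] in WEAK_ENC:
        findings.append(("warn", f"IkeEncAlg={cfg['IkeEncAlg']}: use aes256 (or sm4 on SM gateways)"))
    if cfg["IkePfs"] in WEAK_PFS:
        findings.append(("warn", f"IkePfs={cfg['IkePfs']}: use group14 or group24 (2048-bit MODP)"))
    if cfg["IkeVersion"] == "ikev1":
        findings.append(("info", "IkeVersion=ikev1: prefer ikev2 if the customer gateway supports it"))
        if cfg["IkeMode"] == "aggressive":
            # IKEv1 aggressive mode sends the PSK-derived identity hash unencrypted,
            # so an on-path observer can brute-force the PSK offline.
            findings.append(("warn", "IkeMode=aggressive: identity hash is sent in the clear; use main"))
    psk = cfg.get("Psk")
    if psk is not None and not MIN_PSK_LEN <= len(psk) <= 100:
        findings.append(("warn", f"Psk length {len(psk)}: expected {MIN_PSK_LEN}..100 characters"))
    return findings


def resolve_ike_config(template, params, resource="VpnAttachment"):
    """Follow {"Ref": ...} from the resource to the supplied value or the parameter Default."""
    raw = template["Resources"][resource]["Properties"].get("IkeConfig", {})
    if isinstance(raw, dict) and set(raw) == {"Ref"}:
        name = raw["Ref"]
        default = template.get("Parameters", {}).get(name, {}).get("Default", {})
        raw = params.get(name, default)
    if isinstance(raw, str):  # Json parameters may arrive as a JSON string
        raw = json.loads(raw)
    return raw or {}


def lint_template(template, params=None, resource="VpnAttachment"):
    return lint_ike_config(resolve_ike_config(template, params or {}, resource))


# Constructed, trimmed copy of the template above: IkeConfig has no Default.
TEMPLATE = {
    "Parameters": {"IkeConfig": {"Type": "Json"}},
    "Resources": {"VpnAttachment": {
        "Type": "ALIYUN::VPC::VpnAttachment",
        "Properties": {"IkeConfig": {"Ref": "IkeConfig"}},
    }},
}
# Hardened parameter value (this example's choice); the Psk is a constructed placeholder.
HARDENED = {"IkeVersion": "ikev2", "IkeAuthAlg": "sha256", "IkeEncAlg": "aes256",
            "IkePfs": "group14", "IkeLifetime": 86400,
            "Psk": "constructed-example-psk-0123456789"}

if __name__ == "__main__":
    for label, params in (("no IkeConfig supplied", {}), ("hardened", {"IkeConfig": HARDENED})):
        print(label)
        for severity, message in lint_template(TEMPLATE, params) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run against the template with no IkeConfig parameter value, the script reports the md5 and group2 defaults and the ikev1 choice; with the HARDENED value it reports nothing. The SM values sm3 and sm4 are deliberately not flagged, because on an SM-type gateway they are the only values the template allows.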