use ALIYUN::VPC::VpnConnection to create an IPsec-VPN connection - Resource Orchestration Service

ALIYUN::VPC::VpnConnection is used to create an IPsec-VPN connection.

Syntax

{
  "Type": "ALIYUN::VPC::VpnConnection",
  "Properties": {
    "IpsecConfig": Map,
    "Name": String,
    "IkeConfig": Map,
    "HealthCheckConfig": Map,
    "VpnGatewayId": String,
    "CustomerGatewayId": String,
    "RemoteSubnet": String,
    "LocalSubnet": String,
    "EffectImmediately": Boolean,
    "EnableTunnelsBgp": Boolean,
    "RemoteCaCertificate": String,
    "BgpConfig": Map,
    "AutoConfigRoute": Boolean,
    "EnableDpd": Boolean,
    "EnableNatTraversal": Boolean,
    "TunnelOptionsSpecification": List
  }
}

Properties

Property	Type	Required	Editable	Description	Constraint
Name	String	No	Yes	The name of the IPsec-VPN connection.	The name must be 2 to 128 characters in length. It must start with a letter and cannot start with `http://` or `https://`. It can contain letters, digits, periods (.), underscores (_), and hyphens (-).
IkeConfig	Map	No	Yes	The configurations of Phase 1 negotiations.	For more information, see IkeConfig properties.
IpsecConfig	Map	No	Yes	The configurations of Phase 2 negotiations.	For more information, see IpsecConfig properties.
HealthCheckConfig	Map	No	No	The health check configurations.	For more information, see HealthCheckConfig properties.
VpnGatewayId	String	Yes	No	The ID of the VPN gateway.	None.
CustomerGatewayId	String	No	No	The ID of the customer gateway.	None.
RemoteSubnet	String	Yes	Yes	The CIDR blocks on the data center side. The CIDR blocks are used in Phase 2 negotiations.	Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24.
LocalSubnet	String	Yes	Yes	The CIDR blocks on the virtual private cloud (VPC) side. The CIDR blocks are used in Phase 2 negotiations.	Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24.
EffectImmediately	Boolean	No	Yes	Specifies whether to immediately start IPsec negotiations.	Valid values: true: immediately starts IPsec negotiations after the configurations of the IPsec-VPN connection are complete. false (default): starts IPsec negotiations when inbound traffic is detected.
EnableTunnelsBgp	Boolean	No	No	Specifies whether to enable Border Gateway Protocol (BGP) for tunnels.	Valid values: true false
RemoteCaCertificate	String	No	No	The certificate authority (CA) certificate of the peer.	None.
BgpConfig	Map	No	Yes	The BGP configurations of the tunnel.	For more information, see BgpConfig properties.
AutoConfigRoute	Boolean	No	Yes	Specifies whether to automatically configure routes.	Valid values: false true (default)
EnableDpd	Boolean	No	Yes	Specifies whether to enable dead peer detection (DPD) for the IPsec-VPN connection.	Valid values: true: enables DPD for the IPsec-VPN connection. The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no feedback is received from the peer within a specified period of time, the connection fails. ISAKMP Security Associations (SAs) and IPsec SAs are deleted. The IPsec-VPN tunnel is also deleted. false: disables DPD for the IPsec-VPN connection. The initiator of the IPsec-VPN connection does not send DPD packets.
EnableNatTraversal	Boolean	No	Yes	Specifies whether to enable NAT traversal for the tunnel.	Valid values: false true
TunnelOptionsSpecification	List	No	No	The tunnel configurations of the IPsec-VPN connection.	For more information, see TunnelOptionsSpecification properties.

IkeConfig syntax

"IkeConfig": {
  "RemoteId": String,
  "Psk": String,
  "IkeVersion": String,
  "IkeMode": String,
  "IkeAuthAlg": String,
  "IkeEncAlg": String,
  "IkePfs": String,
  "IkeLifetime": Integer,
  "LocalId": String
}

IkeConfig properties

Property	Type	Required	Editable	Description	Constraint
RemoteId	String	No	Yes	The identifier of the customer gateway.	The identifier can be up to 100 characters in length. The default value is the public IP address of the customer gateway.
Psk	String	No	Yes	The pre-shared key that is used for authentication between the VPN gateway and the customer gateway.	The key can be up to 100 characters in length. By default, a random value is generated. You can also specify a pre-shared key.
IkeVersion	String	No	Yes	The version of the Internet Key Exchange (IKE) protocol.	Valid values: ikev1 (default) ikev2
IkeMode	String	No	Yes	The negotiation mode of IKEv1.	Valid values: main (default) aggressive
IkeAuthAlg	String	No	Yes	The authentication algorithm that is used in Phase 1 negotiations.	Valid values: md5 (default) sha1
IkeEncAlg	String	No	Yes	The encryption algorithm that is used in Phase 1 negotiations.	Valid values: aes (default) aes192 aes256 des 3des
IkePfs	String	No	Yes	The Diffie-Hellman (DH) key exchange algorithm that is used in Phase 1 negotiations.	Valid values: group1 group2 (default) group5 group14 group24
IkeLifetime	Integer	No	Yes	The SA lifetime that is determined by Phase 1 negotiations.	Valid values: 0 to 86400. Default value: 86400.
LocalId	String	No	Yes	The identifier of the VPN gateway.	The identifier can be up to 100 characters in length. The default value is the public IP address of the VPN gateway.

IpsecConfig syntax

"IpsecConfig": {
  "IpsecAuthAlg": String,
  "IpsecEncAlg": String,
  "IpsecLifetime": Integer,
  "IpsecPfs": String
}

IpsecConfig properties

Property	Type	Required	Editable	Description	Constraint
IpsecAuthAlg	String	No	Yes	The authentication algorithm that is used in Phase 2 negotiations.	Valid values: md5 (default) sha1
IpsecEncAlg	String	No	Yes	The encryption algorithm that is used in Phase 2 negotiations.	Valid values: aes (default) aes192 aes256 des 3des
IpsecLifetime	Integer	No	Yes	The SA lifetime that is determined by Phase 2 negotiations.	Valid values: 0 to 86400. Unit: seconds. Default value: 86400.
IpsecPfs	String	No	Yes	The DH key exchange algorithm that is used in Phase 2 negotiations.	Valid values: group1 group2 (default) group5 group14 group24

HealthCheckConfig syntax

"HealthCheckConfig": {
  "Enable": Boolean,
  "Dip": Boolean,
  "Retry": Integer,
  "Sip": String,
  "Interval": Integer,
  "Policy": String 
}

HealthCheckConfig properties

Property	Type	Required	Editable	Description	Constraint
Enable	Boolean	No	Yes	Specifies whether to enable the health check feature.	Valid values: true false If you set this property to true, you must specify other parameters in this table.
Interval	Integer	No	Yes	The interval between two consecutive health check retries.	Unit: seconds.
Retry	Integer	No	Yes	The maximum number of health check retries.	None.
Dip	String	No	Yes	The IP address of the data center that can be accessed through the IPsec connection.	None.
Sip	String	No	Yes	The IP address that can be accessed from the data center through the IPsec connection.	None.
Policy	String	No	No	Specifies whether to withdraw published routes when the health check fails.	None.

BgpConfig syntax

"BgpConfig": {
  "TunnelCidr": String,
  "LocalBgpIp": String,
  "EnableBgp": Boolean,
  "LocalAsn": Number
}

BgpConfig properties

Property	Type	Required	Editable	Description	Constraint
TunnelCidr	String	No	Yes	The BGP CIDR block of the tunnel.	None.
LocalBgpIp	String	No	Yes	The BGP address on the Alibaba Cloud side.	None.
EnableBgp	Boolean	No	No	Specifies whether to enable BGP for the tunnel.	Valid values: true false Default value: false.
LocalAsn	Number	No	Yes	The autonomous system number (ASN) of the tunnel on the Alibaba Cloud side.	None.

TunnelOptionsSpecification syntax

"TunnelOptionsSpecification": [
  {
    "RemoteCaCertificate": String,
    "CustomerGatewayId": String,
    "TunnelBgpConfig": Map,
    "TunnelIpsecConfig": Map,
    "EnableDpd": Boolean,
    "TunnelIkeConfig": Map,
    "EnableNatTraversal": Boolean,
    "Role": String
  }
]

TunnelOptionsSpecification properties

Property	Type	Required	Editable	Description	Constraint
RemoteCaCertificate	String	No	No	The CA certificate of the tunnel peer.	This property is returned only if the VPN gateway is of the ShangMi (SM) type.
CustomerGatewayId	String	No	Yes	The ID of the customer gateway that is associated with the tunnel.	None.
TunnelBgpConfig	Map	No	Yes	The BGP configurations of the tunnel.	For more information, see TunnelBgpConfig properties.
TunnelIpsecConfig	Map	No	No	The configurations of Phase 2 negotiations.	For more information, see TunnelIpsecConfig properties.
EnableDpd	Boolean	No	Yes	Specifies whether to enable DPD for the IPsec-VPN connection.	Valid values: true: enables DPD for the IPsec-VPN connection. The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no feedback is received from the peer within a specified period of time, the connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec-VPN tunnel is also deleted. false: disables DPD for the IPsec-VPN connection. The initiator of the IPsec-VPN connection does not send DPD packets.
TunnelIkeConfig	Map	No	Yes	The configurations of Phase 1 negotiations.	For more information, see TunnelIkeConfig properties.
EnableNatTraversal	Boolean	No	Yes	Specifies whether to enable NAT traversal for the IPsec-VPN connection.	Valid values: true: enables NAT traversal for the IPsec-VPN connection. After you enable NAT traversal, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec-VPN tunnel. false: disables NAT traversal for the IPsec-VPN connection.
Role	String	No	Yes	The role of the tunnel.	Valid values: master: The tunnel is an active tunnel. slave: The tunnel is a standby tunnel.

TunnelBgpConfig syntax

"TunnelBgpConfig": {
  "TunnelCidr": String,
  "LocalAsn": Number,
  "LocalBgpIp": String
}

TunnelBgpConfig properties

Property	Type	Required	Editable	Description	Constraint
TunnelCidr	String	No	Yes	The BGP CIDR block of the tunnel.	None.
LocalBgpIp	String	No	Yes	The BGP address on the Alibaba Cloud side.	None.
LocalAsn	Number	No	Yes	The ASN of the tunnel on the Alibaba Cloud side.	None.

TunnelIpsecConfig syntax

"TunnelIpsecConfig": {
  "IpsecAuthAlg": String,
  "IpsecEncAlg": String,
  "IpsecPfs": String,
  "IpsecLifetime": Integer
}

TunnelIpsecConfig properties

Property	Type	Required	Editable	Description	Constraint
IpsecAuthAlg	String	No	Yes	The authentication algorithm in the IPsec phase.	None.
IpsecEncAlg	String	No	Yes	The encryption algorithm in the IPsec phase.	None.
IpsecPfs	String	No	Yes	The lifetime of the IPsec phase.	Unit: seconds.
IpsecLifetime	Integer	No	Yes	The ASN of the tunnel on the Alibaba Cloud side.	None.

TunnelIkeConfig syntax

"TunnelIkeConfig": {
  "Psk": String,
  "IkePfs": String,
  "LocalId": String,
  "IkeVersion": String,
  "IkeAuthAlg": String,
  "IkeMode": String,
  "RemoteId": String,
  "IkeLifetime": Integer,
  "IkeEncAlg": String
}

TunnelIkeConfig properties

Property	Type	Required	Editable	Description	Constraint
Psk	String	No	Yes	The pre-shared key.	None.
IkePfs	String	No	Yes	The DH group in the IKE phase.	None.
LocalId	String	No	Yes	The identifier of the tunnel on the Alibaba Cloud side.	None.
IkeVersion	String	No	Yes	The version of the IKE protocol.	Valid values: ikev1 ikev2 Compared with IKEv1, IKEv2 simplifies the SA negotiation process and is more suitable for scenarios in which multiple CIDR blocks are used.
IkeAuthAlg	String	No	Yes	The authentication algorithm in the IKE phase.	None.
IkeMode	String	No	Yes	The IKE negotiation mode.	Valid values: main: This mode offers higher security during negotiations. aggressive: This mode is faster and has a higher success rate.
RemoteId	String	No	Yes	The identifier of the tunnel peer.	None.
IkeLifetime	Integer	No	Yes	The lifetime of the IKE phase.	Unit: seconds.
IkeEncAlg	String	No	Yes	The encryption algorithm in the IKE phase.	None.

Return values

Fn::GetAtt

VpnConnectionId: the ID of the IPsec-VPN connection.
Status: the state of the IPsec-VPN connection.
PeerVpnConnectionConfig: the VPC connection configurations of the peer.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  LocalSubnet:
    Type: String
    Description: >-
      A network segment on the VPC side that needs to be interconnected with the
      local IDC for the second phase negotiation.

      Multiple network segments are separated by commas, for example:
      192.168.1.0/24, 192.168.2.0/24.
  EffectImmediately:
    Type: Boolean
    Description: >-
      Whether to delete the currently negotiated IPsec tunnel and re-initiate
      the negotiation. Value:

      True: Negotiate immediately after the configuration is complete.

      False (default): Negotiate when traffic enters.
    AllowedValues:
      - 'True'
      - 'true'
      - 'False'
      - 'false'
    Default: false
  RemoteSubnet:
    Type: String
    Description: >-
      The network segment of the local IDC is used for the second phase
      negotiation.

      Multiple network segments are separated by commas, for example:
      192.168.3.0/24, 192.168.4.0/24.
  CustomerGatewayId:
    Type: String
    Description: The ID of the user gateway.
  VpnGatewayId:
    Type: String
    Description: ID of the VPN gateway.
  IpsecConfig:
    Type: Json
    Description: Configuration information for the second phase negotiation.
  HealthCheckConfig:
    Type: Json
    Description: Whether to enable the health check configuration.
  IkeConfig:
    Type: Json
    Description: Configuration information for the first phase of negotiation.
  Name:
    Type: String
    Description: >-
      The name of the IPsec connection.

      The length is 2-128 characters and must start with a letter or Chinese. It
      can contain numbers, periods (.), underscores (_) and dashes (-), but
      cannot start with http:// or https:// .
    MinLength: 2
    MaxLength: 128
Resources:
  VpnConnection:
    Type: 'ALIYUN::VPC::VpnConnection'
    Properties:
      LocalSubnet:
        Ref: LocalSubnet
      EffectImmediately:
        Ref: EffectImmediately
      RemoteSubnet:
        Ref: RemoteSubnet
      CustomerGatewayId:
        Ref: CustomerGatewayId
      VpnGatewayId:
        Ref: VpnGatewayId
      IpsecConfig:
        Ref: IpsecConfig
      HealthCheckConfig:
        Ref: HealthCheckConfig
      IkeConfig:
        Ref: IkeConfig
      Name:
        Ref: Name
Outputs:
  Status:
    Description: Status of the IPsec connection.
    Value:
      'Fn::GetAtt':
        - VpnConnection
        - Status
  PeerVpnConnectionConfig:
    Description: Peer vpc connection config.
    Value:
      'Fn::GetAtt':
        - VpnConnection
        - PeerVpnConnectionConfig
  VpnConnectionId:
    Description: ID of the IPsec connection.
    Value:
      'Fn::GetAtt':
        - VpnConnection
        - VpnConnectionId

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "LocalSubnet": {
      "Type": "String",
      "Description": "A network segment on the VPC side that needs to be interconnected with the local IDC for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.1.0/24, 192.168.2.0/24."
    },
    "EffectImmediately": {
      "Type": "Boolean",
      "Description": "Whether to delete the currently negotiated IPsec tunnel and re-initiate the negotiation. Value:\nTrue: Negotiate immediately after the configuration is complete.\nFalse (default): Negotiate when traffic enters.",
      "AllowedValues": [
        "True",
        "true",
        "False",
        "false"
      ],
      "Default": false
    },
    "RemoteSubnet": {
      "Type": "String",
      "Description": "The network segment of the local IDC is used for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.3.0/24, 192.168.4.0/24."
    },
    "CustomerGatewayId": {
      "Type": "String",
      "Description": "The ID of the user gateway."
    },
    "VpnGatewayId": {
      "Type": "String",
      "Description": "ID of the VPN gateway."
    },
    "IpsecConfig": {
      "Type": "Json",
      "Description": "Configuration information for the second phase negotiation."
    },
    "HealthCheckConfig": {
      "Type": "Json",
      "Description": "Whether to enable the health check configuration."
    },
    "IkeConfig": {
      "Type": "Json",
      "Description": "Configuration information for the first phase of negotiation."
    },
    "Name": {
      "Type": "String",
      "Description": "The name of the IPsec connection.\nThe length is 2-128 characters and must start with a letter or Chinese. It can contain numbers, periods (.), underscores (_) and dashes (-), but cannot start with http:// or https:// .",
      "MinLength": 2,
      "MaxLength": 128
    }
  },
  "Resources": {
    "VpnConnection": {
      "Type": "ALIYUN::VPC::VpnConnection",
      "Properties": {
        "LocalSubnet": {
          "Ref": "LocalSubnet"
        },
        "EffectImmediately": {
          "Ref": "EffectImmediately"
        },
        "RemoteSubnet": {
          "Ref": "RemoteSubnet"
        },
        "CustomerGatewayId": {
          "Ref": "CustomerGatewayId"
        },
        "VpnGatewayId": {
          "Ref": "VpnGatewayId"
        },
        "IpsecConfig": {
          "Ref": "IpsecConfig"
        },
        "HealthCheckConfig": {
          "Ref": "HealthCheckConfig"
        },
        "IkeConfig": {
          "Ref": "IkeConfig"
        },
        "Name": {
          "Ref": "Name"
        }
      }
    }
  },
  "Outputs": {
    "Status": {
      "Description": "Status of the IPsec connection.",
      "Value": {
        "Fn::GetAtt": [
          "VpnConnection",
          "Status"
        ]
      }
    },
    "PeerVpnConnectionConfig": {
      "Description": "Peer vpc connection config.",
      "Value": {
        "Fn::GetAtt": [
          "VpnConnection",
          "PeerVpnConnectionConfig"
        ]
      }
    },
    "VpnConnectionId": {
      "Description": "ID of the IPsec connection.",
      "Value": {
        "Fn::GetAtt": [
          "VpnConnection",
          "VpnConnectionId"
        ]
      }
    }
  }
}