Creates an IPsec-VPN connection. After you create the IPsec-VPN connection, you can associate the IPsec-VPN connection with a transit router.
Operation description
By default, an IPsec-VPN connection created by calling the CreateVpnAttachment
operation is not associated with a resource. You can associate an IPsec-VPN connection with a transit router by calling the CreateTransitRouterVpnAttachment operation.
Prerequisites
Before you create an IPsec-VPN connection, make sure that you created a customer gateway in the region where you want to create the IPsec-VPN connection. For more information, see CreateCustomerGateway .
If you want to add BGP configurations to an IPsec-VPN connection, make sure that an autonomous system number (ASN) is assigned to the customer gateway.
Debugging
Authorization information
The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action
policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:
- Operation: the value that you can use in the Action element to specify the operation on a resource.
- Access level: the access level of each operation. The levels are read, write, and list.
- Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level,
All Resources
is used in the Resource type column of the operation.
- Condition Key: the condition key that is defined by the cloud service.
- Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
Operation | Access level | Resource type | Condition key | Associated operation |
---|---|---|---|---|
vpc:CreateVpnAttachment | create |
|
| none |
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
RegionId | string | Yes | The region ID of the IPsec-VPN connection. You can call the DescribeRegions operation to query the most recent region list. | cn-hangzhou |
Name | string | No | The name of the IPsec-VPN connection. The name must be 1 to 100 characters in length and cannot start with | nametest |
CustomerGatewayId | string | Yes | The ID of the customer gateway. | cgw-p0w2jemrcj5u61un8**** |
NetworkType | string | No | The network type of the IPsec-VPN connection. Valid values:
| public |
LocalSubnet | string | Yes | The CIDR block on the VPC side. The CIDR block is used in Phase 2 negotiations. Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24. The following routing modes are supported:
| 10.1.1.0/24,10.1.2.0/24 |
RemoteSubnet | string | Yes | The CIDR block on the data center side. This CIDR block is used in Phase 2 negotiations. Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24. The following routing modes are supported:
| 10.1.3.0/24,10.1.4.0/24 |
EffectImmediately | boolean | No | Specifies whether to immediately start IPsec negotiations after the configuration takes effect. Valid values:
| false |
IkeConfig | string | No | The configurations of Phase 1 negotiations:
| {"Psk":"1234****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"47.XX.XX.1","RemoteId":"47.XX.XX.2"} |
IpsecConfig | string | No | The configurations of Phase 2 negotiations:
| {"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400} |
BgpConfig | string | No | The Border Gateway Protocol (BGP) configurations:
Note
| {"EnableBgp":"true","LocalAsn":"45104","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"} |
HealthCheckConfig | string | No | The health check configuration:
| {"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3","Policy": "revoke_route"} |
AutoConfigRoute | boolean | No | Specifies whether to automatically configure routes. Valid values:
| true |
EnableDpd | boolean | No | Specifies whether to enable the dead peer detection (DPD) feature. Valid values:
| true |
EnableNatTraversal | boolean | No | Specifies whether to enable NAT traversal. Valid values:
| true |
RemoteCaCert | string | No | The peer CA certificate when a ShangMi (SM) VPN gateway is used to create the IPsec-VPN connection. | -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE----- |
ClientToken | string | No | The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests. The token can contain only ASCII characters. Note
If you do not specify this parameter, the system automatically uses the request ID as the client token. The request ID may be different for each request.
| 123e4567-e89b-12d3-a456-4266**** |
Tags | array<object> | No | The tag value. The tag value can be an empty string and cannot exceed 128 characters in length. It cannot start with Each tag key corresponds to one tag value. You can specify up to 20 tag values in each call. | |
object | No | |||
Key | string | No | The tag key. The tag key cannot be an empty string. It can be at most 64 characters in length, and cannot contain You can specify at most 20 tag keys in each call. | TagKey |
Value | string | No | The tag value. The tag value can be an empty string and cannot exceed 128 characters in length. It cannot start with Each tag key corresponds to one tag value. You can specify at most 20 tag values in each call. | TagValue |
ResourceGroupId | string | No | The ID of the resource group to which the IPsec-VPN connection belongs.
| rg-acfmzs372yg**** |
Response parameters
Examples
Sample success responses
JSON
format
{
"RequestId": "88187252-0E26-3C4D-9D1D-32A04454EBBA",
"VpnConnectionId": "vco-p0wb09rama8qwwgfn****",
"Name": "nametest",
"CreateTime": 1658201810000,
"Code": "200",
"Success": true,
"Message": "successful"
}
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
400 | VpnRouteEntry.AlreadyExists | The specified route entry is already exist. | The route already exists. |
400 | VpnRouteEntry.Conflict | The specified route entry has conflict. | Route conflicts exist. |
400 | NotSupportVpnConnectionParameter.IpsecPfs | The specified vpn connection ipsec Ipsec Pfs is not support. | The PFS parameter set for the IPsec-VPN connection is not supported. |
400 | NotSupportVpnConnectionParameter.IpsecAuthAlg | The specified vpn connection ipsec Auth Alg is not support. | The authentication algorithm specified for the IPsec-VPN connection is not supported. |
400 | VpnRouteEntry.BackupRoute | Validate backup route entry failed. | Active/standby routes failed authentication. |
400 | VpnRouteEntry.InvalidWeight | Invalid route entry weight value. | The weight specified for the route is invalid. |
400 | InvalidParameter.VpnConnectionName | The specified vpn connection name is invalid. | The VPN connection name does not meet the requirements. |
400 | QuotaExceeded.PolicyBasedRoute | The maximum number of policy-based routes is exceeded. Existing routes: %s. Routes to be created: %s. Maximum routes: %s. | The quota of policy-based routes is reached. Existing routes: %s. Routes to be created: %s. Quota: %s. |
400 | MissingParameter.TunnelCidr | The parameter TunnelCidr is mandatory when BGP is enabled. | You must specify the tunnel CIDR block when you enable BGP. |
400 | MissingParam.CustomerGatewayAsn | Asn of customer gateway is mandatory when BGP is enabled. | The ASN of the customer gateway cannot be empty when you enable BGP. |
400 | IllegalParam.LocalAsn | The specified LocalAsn is invalid. | The local ASN is invalid. |
400 | InvalidParameter.BgpConfig | The specified BgpConfig is invalid. | The error message returned because the BGP configuration is invalid. |
400 | IllegalParam.TunnelCidr | The specified TunnelCidr is invalid. | The TunnelCidr parameter is set to an invalid value. |
400 | InvalidLocalBgpIp.Malformed | The specified LocalBgpIp is malformed. | The local BGP IP address is in an abnormal state. |
400 | IllegalParam.LocalSubnet | The specified "LocalSubnet" (%s) is invalid. | The specified "LocalSubnet" (%s) is invalid. |
400 | IllegalParam.RemoteSubnet | The specified "RemoteSubnet" (%s) is invalid. | The specified "RemoteSubnet" (%s) is invalid. |
400 | IllegalParam.LocalBgpIp | The specified LocalBgpIp is invalid. | The local BGP IP address is invalid. |
400 | OperationFailed.MissCertificate | The VPN connecton has not associated any certificates. | The error message returned because the VPN gateway is not associated with a certificate. |
400 | MissingParam.RemoteId | The remote ID is mandatory when creating national standard VPN connection. | The error message returned because the peer ID is not specified. You must specify the peer ID when you create a VPN connection encrypted by SM. |
400 | IllegalParam.EnableBgp | VPN connection must enable BGP when VPN gateway has enabled BGP. | The error message returned because the VPN connection must use BGP if BGP is enabled for the VPN gateway. |
400 | Forbidden.TagKey.Duplicated | The specified tag key already exists. | The tag resources are duplicate. |
400 | SizeLimitExceeded.TagNum | The maximum number of tags is exceeded. | The number of tags has reached the upper limit. |
400 | InvalidParameter.TagValue | The specified parameter TagValue is invalid. | The error message returned because the specified tag value is invalid. |
400 | InvalidParameter.TagKey | The specified parameter TagKey is invalid. | The error message returned because the specified tag key is invalid. |
400 | Duplicated.TagKey | The specified parameter TagKey is duplicated. | The error message returned because the specified tag key already exists. |
400 | InternalError | The request processing has failed due to some unknown error, exception or failure. | An internal error occurred. |
400 | InvalidTunnelCidr.Malformed | The specified TunnelCidr is malformed. | The specified tunnel CIDR block is invalid. |
400 | OperationFailed.NoAvailableAmount | The available amount of your account is less than 0, please recharge before attempting to purchase. | Your account balance is negative. Top up your account before you can make a purchase. |
400 | OperationUnsupported.EnableBgp | Current region does not support enable BGP. | The error message returned because the current region does not support BGP. |
403 | Forbbiden.SubUser | User not authorized to operate on the specified resource as your account is created by another user. | You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again. |
403 | Forbidden | User not authorized to operate on the specified resource. | You do not have the permissions to manage the specified resource. Apply for the permissions and try again. |
404 | InvalidCustomerGatewayInstanceId.NotFound | The specified customer gateway instance id does not exist. | The specified customer gateway does not exist. Check whether the ID of the customer gateway is correct. |
For a list of error codes, visit the Service error codes.
Change history
Change time | Summary of changes | Operation |
---|---|---|
2024-05-10 | The Error code has changed | View Change Details |
2023-10-19 | API Description Update. The Error code has changed. The request parameters of the API has changed | View Change Details |
2023-08-09 | API Description Update. The Error code has changed | View Change Details |