ModifyVpnAttachmentAttribute - VPN Gateway - Alibaba Cloud Documentation Center

Modifies the configuration of an IPsec-VPN connection.

Operation description

When you modify a IPsec-VPN connection in dual-tunnel mode, you can configure the following parameters in addition to the required request parameters: ClientToken, Name, LocalSubnet, RemoteSubnet, EffectImmediately, AutoConfigRoute, TunnelOptionsSpecification array, and EnableTunnelsBgp.
When you modify a IPsec-VPN connection in single tunnel mode, you can configure the following parameters in addition to the required request parameters: ClientToken, Name, LocalSubnet, RemoteSubnet, EffectImmediately, IkeConfig, IpsecConfig, HealthCheckConfig, AutoConfigRoute, EnableDpd, EnableNatTraversal, BgpConfig, and CustomerGatewayId.
ModifyVpnAttachmentAttribute is an asynchronous operation. After a request is sent, the system returns a request ID and runs the task in the background. You can call the DescribeVpnConnection operation to query the status of the task:
- If the IPsec-VPN connection is in the updating state, the IPsec-VPN connection is being modified.
- If the IPsec-VPN connection is in the attached state, the IPsec-VPN connection is modified.
You cannot concurrently call ModifyVpnAttachmentAttribute within the specified period of time.
You cannot call ModifyVpnAttachmentAttribute to modify the gateway type of an IPsec-VPN connection.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- For mandatory resource types, indicate with a prefix of * .
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
vpc:ModifyVpnAttachmentAttribute	update	*VpnConnections `acs:vpc:{#regionId}:{#accountId}:vpnconnection/{#VpnConnectionId}`	none	none

Request parameters

Parameter	Type	Required	Description	Example
RegionId	string	Yes	The ID of the region in which the IPsec-VPN connection is established. You can call the DescribeRegions operation to query the most recent region list.	cn-hangzhou
VpnConnectionId	string	Yes	The ID of the IPsec-VPN connection.	vco-p0w5112fgnl2ihlmf****
Name	string	No	The name of the IPsec-VPN connection. The name must be 1 to 100 characters in length and cannot start with `http://` or `https://`.	nametest
LocalSubnet	string	No	The CIDR block of the virtual private cloud (VPC) that communicates with the data center. The CIDR block is used in Phase 2 negotiations. Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24. The following routing modes are supported: If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is set to Destination Routing Mode. If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is set to Protected Data Flows.	10.1.1.0/24,10.1.2.0/24
RemoteSubnet	string	No	The CIDR block of the data center that communicates with the VPC. This CIDR block is used in Phase 2 negotiations. Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24. The following routing modes are supported: If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is set to Destination Routing Mode. If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is set to Protected Data Flows.	10.1.3.0/24,10.1.4.0/24
EffectImmediately	boolean	No	Specifies whether to immediately start IPsec negotiations after the configuration takes effect. Valid values: true: immediately starts IPsec negotiations after the configuration is complete. false: starts IPsec negotiations when inbound traffic is detected.	false
IkeConfig	string	No	This parameter is supported if you modify the configurations of an IPsec-VPN connection in single-tunnel mode. The configuration of Phase 1 negotiations: IkeConfig.Psk: The pre-shared key that is used for identity authentication between the Alibaba Cloud IPsec connection and the on-premises data center. The key must be 1 to 100 characters in length, and can contain digits, and letters. The key cannot contain spaces. ~!`@#$%^&()_-+={}[]\|;:',.<>/? If you do not specify a pre-shared key, the system randomly generates a 16-bit string as the pre-shared key. You can call the DescribeVpnConnection operation to query the pre-shared key that is automatically generated by the system. Note* The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the on-premises data center. Otherwise, connections between the on-premises data center and the VPN gateway cannot be established. IkeConfig.IkeVersion: the version of the Internet Key Exchange (IKE) protocol. Valid values: ikev1 and ikev2. IkeConfig.IkeMode: the negotiation mode. Valid values: main and aggressive. IkeConfig.IkeEncAlg: the encryption algorithm that is used in Phase 1 negotiations. Valid values: aes, aes192, aes256, des, and 3des. IkeConfig.IkeAuthAlg: the authentication algorithm that is used in Phase 1 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512. IkeConfig.IkePfs: the Diffie-Hellman key exchange algorithm that is used in Phase 1 negotiations. Valid values: group1, group2, group5, and group14. IkeConfig.IkeLifetime: the SA lifetime as a result of Phase 1 negotiations. Unit: seconds. Valid values: 0 to 86400. IkeConfig.LocalId: the identifier on the Alibaba Cloud side. The identifier cannot exceed 100 characters in length and cannot contain spaces. IkeConfig.RemoteId: the identifier of the data center. It cannot exceed 100 characters in length and cannot contain spaces.	{"Psk":"1234****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"47.XX.XX.1","RemoteId":"47.XX.XX.2"}
IpsecConfig	string	No	This parameter is supported if you modify the configurations of an IPsec-VPN connection in single-tunnel mode. The configuration of Phase 2 negotiations: IpsecConfig.IpsecEncAlg: the encryption algorithm that is used in Phase 2 negotiations. Valid values: aes, aes192, aes256, des, and 3des. IpsecConfig. IpsecAuthAlg: the authentication algorithm that is used in Phase 2 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512. IpsecConfig. IpsecPfs: the Diffie-Hellman key exchange algorithm that is used in Phase 2 negotiations. Valid values: disabled, group1, group2, group5, and group14. IkeConfig.IkeLifetime: the SA lifetime determined by Phase 2 negotiations. Unit: seconds. Valid values: 0 to 86400.	{"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}
BgpConfig	string	No	This parameter is supported if you modify the configurations of an IPsec-VPN connection in single-tunnel mode. BGP configuration: BgpConfig.EnableBgp: specifies whether to enable BGP. Valid values: true false BgpConfig.LocalAsn: the autonomous system number (ASN) on the Alibaba Cloud side. Valid values: 1 to 4294967295. You can enter a value in two segments separated by a period (.). Each segment is 16 bits in length. Enter the number in each segment in decimal format. For example, if you enter 123.456, the ASN is 8061384. The ASN is calculated by using the following formula: 123 × 65536 + 456 = 8061384. BgpConfig.TunnelCidr: The CIDR block of the IPsec tunnel. The CIDR block must fall into 169.254.0.0/16 and the mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30. LocalBgpIp: the BGP address on the Alibaba Cloud side. It must be an IP address that falls within the CIDR block of the IPsec tunnel. Note Before you add BGP configurations, we recommend that you learn about how BGP works and the limits. For more information, see Configure BGP dynamic routing. We recommend that you use a private ASN to establish BGP connections to Alibaba Cloud. Refer to the relevant documentation for the private ASN range.	{"EnableBgp":"true","LocalAsn":"45104","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}
HealthCheckConfig	string	No	This parameter is supported if you modify the configurations of an IPsec-VPN connection in single-tunnel mode. The health check configurations: HealthCheckConfig.enable: specifies whether to enable the health check feature. Valid values: true false HealthCheckConfig.dip: the destination IP address configured for health checks. Specify the IP address of the data center with which the VPC can access through the IPsec-VPN connection. HealthCheckConfig.sip: the source IP address configured for health checks. The IP address of the VPC with which the data center can access through the IPsec-VPN connection. HealthCheckConfig.interval: the interval between two consecutive health checks. Unit: seconds. HealthCheckConfig.retry: the maximum number of health check retries. HealthCheckConfig.Policy: specifies whether to withdraw advertised routes when health checks fail. Valid values: revoke_route reserve_route	{"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3","Policy": "revoke_route"}
AutoConfigRoute	boolean	No	Specifies whether to automatically configure routes. Valid values: true false	true
EnableDpd	boolean	No	This parameter is supported if you modify the configurations of an IPsec-VPN connection in single-tunnel mode. Specifies whether to enable dead peer detection (DPD). Valid values: true: enables DPD. The initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no feedback is received from the peer within the specified period of time, the connection fails. In this case, ISAKMP SA and IPsec SA are deleted, along with the security tunnel. false: disables DPD. The initiator of the IPsec-VPN connection does not send DPD packets.	true
EnableNatTraversal	boolean	No	This parameter is supported if you modify the configurations of an IPsec-VPN connection in single-tunnel mode. Specifies whether to enable NAT traversal. Valid values: true: enables NAT traversal. After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec-VPN tunnel. false: disables NAT traversal.	true
RemoteCaCert	string	No	The peer CA certificate when a ShangMi (SM) VPN gateway is used to create the IPsec-VPN connection.	c20ycDI1NnYxIENBIChURVNUIFN****
ClientToken	string	No	The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests. The token can contain only ASCII characters. Note If you do not specify this parameter, the system automatically uses the value of RequestId as the value of ClientToken. The request ID may be different for each request.	123e4567-e89b-12d3-a456-4266****
NetworkType	string	No	The network type of the IPsec-VPN connection. Valid values: public: an encrypted connection over the Internet private: an encrypted connection over private networks	public
CustomerGatewayId	string	No	The customer gateways to be associated with the IPsec-VPN connections. Note Only single-tunnel IPsec-VPN connections support this parameter.	cgw-p0w2jemrcj5u61un8****
TunnelOptionsSpecification	array<object>	No	The tunnel configurations. You can specify parameters in the TunnelOptionsSpecification array when you modify the configurations of an IPsec-VPN connection in dual-tunnel mode. You can modify the configurations of the two tunnels of the IPsec-VPN connection.
	object	No	The tunnel configuration.
TunnelId	string	No	The tunnel ID.	tun-0jod7plwf2a0o9lvu****
CustomerGatewayId	string	No	The ID of the customer gateway that is associated with the tunnel. Note This parameter is only supported in dual-tunnel IPsec-VPN connections.	cgw-p0w2jemrcj5u61un8****
TunnelIndex	integer	No	The order in which the tunnel was created. 1: Tunnel 1. 2: Tunnel 2.	1
EnableDpd	boolean	No	Specifies whether to enable the Dead Peer Detection (DPD) feature for the tunnel. Valid values: true: enables DPD. The initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no feedback is received from the peer within the specified period of time, the connection fails. In this case, ISAKMP SA and IPsec SA are deleted along with the security tunnel. false: disables DPD. The initiator of the IPsec-VPN connection does not send DPD packets.	true
EnableNatTraversal	boolean	No	Specifies whether to enable NAT traversal for the tunnel. Valid values: true: enables NAT traversal. After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec-VPN tunnel. false: disables NAT traversal.	true
TunnelBgpConfig	object	No	Add BGP configurations for the tunnel. Note If you enable BGP for an IPsec-VPN connection, you must set EnableTunnelsBgp parameter to true.
LocalAsn	long	No	The autonomous system number (ASN) of the tunnel on the Alibaba Cloud side. Valid values: 1 to 4294967295. Default value: 45104. Note We recommend that you use a private ASN to establish BGP connections to Alibaba Cloud. Refer to the relevant documentation for the private ASN range.	65530
LocalBgpIp	string	No	The BGP IP address of the tunnel on the Alibaba Cloud side. The address is an IP address that falls within the BGP CIDR block.	169.254.10.1
TunnelCidr	string	No	The BGP CIDR block of the tunnel. The CIDR block must fall within 169.254.0.0/16 and the mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30. Note The two tunnels of an IPsec connection must use different CIDR blocks.	169.254.10.0/30
TunnelIkeConfig	object	No	The configuration of Phase 1 negotiations.
IkeAuthAlg	string	No	The authentication algorithm that is used in Phase 1 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512.	sha1
IkeEncAlg	string	No	The encryption algorithm that is used in Phase 1 negotiations. Valid values: aes, aes192, aes256, des, and 3des.	aes
IkeLifetime	long	No	The SA lifetime as a result of Phase 1 negotiations. Unit: seconds. Valid values: 0 to 86400.	86400
IkeMode	string	No	The negotiation mode of IKE. Valid values: main and aggressive. main: This mode offers higher security during negotiations. aggressive: This mode is faster with a higher success rate.	main
IkePfs	string	No	The Diffie-Hellman key exchange algorithm that is used in Phase 1 negotiations. Valid values: group1, group2, group5, and group14.	group2
IkeVersion	string	No	The version of the IKE protocol. Valid values: ikev1 and ikev2. Compared with IKEv1, IKEv2 simplifies the SA negotiation process and provides better support for scenarios with multiple CIDR blocks.	ikev2
LocalId	string	No	The identifier of the tunnel on the Alibaba Cloud side, which is used in Phase 1 negotiations. The identifier cannot exceed 100 characters in length and cannot contain spaces. LocalId supports fully qualified domain names (FQDNs). If you use an FQDN, we recommend that you set the negotiation mode to aggressive.	47.XX.XX.1
Psk	string	No	The pre-shared key that is used for identity authentication between the tunnel and the tunnel peer. The key must be 1 to 100 characters in length, and can contain digits, and letters. The key cannot contain spaces. ~!\`@#$%^&()_-+={}[]\|;:',.<>/? If you do not specify a pre-shared key, the system randomly generates a 16-bit string as the pre-shared key. You can call the DescribeVpnAttachments operation to query the pre-shared key that is automatically generated by the system. Note* The tunnel and the tunnel peer must use the same pre-shared key. Otherwise, the tunnel cannot be established.	123456****
RemoteId	string	No	The identifier of the tunnel peer, which is used in Phase 1 negotiations. The identifier cannot exceed 100 characters in length and cannot contain spaces. RemoteId supports FQDNs. If you use an FQDN, we recommend that you set the negotiation mode to aggressive.	47.XX.XX.2
TunnelIpsecConfig	object	No	The configuration of Phase 2 negotiations.
IpsecAuthAlg	string	No	The authentication algorithm that is used in Phase 2 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512.	sha1
IpsecEncAlg	string	No	The encryption algorithm that is used in Phase 2 negotiations. Valid values: aes, aes192, aes256, des, and 3des.	aes
IpsecLifetime	integer	No	The SA lifetime as a result of Phase 2 negotiations. Unit: seconds. Valid values: 0 to 86400.	86400
IpsecPfs	string	No	The Diffie-Hellman key exchange algorithm that is used in Phase 2 negotiations. Valid values: disabled, group1, group2, group5, and group14.	group2
EnableTunnelsBgp	boolean	No	You can specify this parameter if you modify the configuration of a dual-tunnel IPsec-VPN connection. Specifies whether to enable the BGP feature for the tunnel. Valid values: true and false. Note Before you add BGP configurations, we recommend that you learn about how BGP works and the limits. For more information, see Configure BGP dynamic routing.	false

Response parameters

Parameter	Type	Description	Example
	object	The response parameters.
VpnConnectionId	string	The ID of the IPsec-VPN connection.	vco-p0w5112fgnl2ihlmf****
CustomerGatewayId	string	The ID of the customer gateway associated with the IPsec-VPN connection. This parameter is returned only for single-tunnel IPsec-VPN connections.	cgw-p0w2jemrcj5u61un8****
VpnGatewayId	string	The ID of the VPN gateway that is associated with the IPsec-VPN connection. vpn-not-exist: The IPsec-VPN connection is not associated with a VPN Gateway.	vpn-p0wa1c1018pmeb6cu****
Name	string	The name of the IPsec-VPN connection.	nametest
Description	string	The description of the IPsec-VPN connection.	desctest
LocalSubnet	string	The CIDR block on the Alibaba Cloud side that communicates with the on-premises data center is required, such as CIDR blocks of VPCs.	10.1.1.0/24,10.1.2.0/24
RemoteSubnet	string	The CIDR block of the on-premises data center that communicates with Alibaba Cloud is required.	10.1.3.0/24,10.1.4.0/24
IkeConfig	object	The configuration of Phase 1 negotiations. IkeConfig parameters are returned only for single-tunnel IPsec-VPN connections.
Psk	string	Enter a pre-shared key that is used for identity authentication between Alibaba Cloud and the data center. Note The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the on-premises data center. Otherwise, connections between the on-premises data center and Alibaba Cloud cannot be established.	1234***
IkeVersion	string	The version of the IKE protocol. ikev1 ikev2 Compared with IKEv1, IKEv2 simplifies the SA negotiation process and provides better support for scenarios with multiple CIDR blocks.	ikev1
IkeMode	string	The IKE negotiation mode. main: This mode offers higher security during negotiations. aggressive: This mode is faster with a higher success rate.	main
IkeEncAlg	string	The encryption algorithm that is used in Phase 1 negotiations.	aes
IkeAuthAlg	string	The authentication algorithm that is used in Phase 1 negotiations.	sha1
IkePfs	string	The DH key exchange algorithm that is used in Phase 1 negotiations.	group2
IkeLifetime	long	The SA lifetime that is determined by Phase 1 negotiations. Unit: seconds.	86400
LocalId	string	The identifier of the IPsec-VPN connection on the Alibaba Cloud side.	47.XX.XX.1
RemoteId	string	The identifier of the IPsec-VPN connection on the data center side.	47.XX.XX.2
IpsecConfig	object	The configuration of Phase 2 negotiations. IpsecConfig parameters are returned only for single-tunnel IPsec-VPN connections.
IpsecEncAlg	string	The encryption algorithm that is used in Phase 2 negotiations.	aes
IpsecAuthAlg	string	The authentication algorithm that is used in Phase 2 negotiations.	md5
IpsecPfs	string	The DH key exchange algorithm that is used in Phase 2 negotiations.	group2
IpsecLifetime	long	The SA lifetime that is determined by Phase 2 negotiations. Unit: seconds.	86400
CreateTime	long	The timestamp generated when the IPsec-VPN connection was established. Unit: milliseconds. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.	1658201810000
EffectImmediately	boolean	Indicates whether IPsec negotiations immediately start after the configuration takes effect. Valid values: true false	false
Status	string	The state of the IPsec-VPN connection. Valid values: ike_sa_not_established: Phase 1 negotiations failed. ike_sa_established: Phase 1 negotiations succeeded. ipsec_sa_not_established: Phase 2 negotiations failed. ipsec_sa_established: Phase 2 negotiations succeeded.	ike_sa_not_established
VcoHealthCheck	object	The health check configurations of the IPsec-VPN connection. VcoHealthCheck parameters are returned only for single-tunnel IPsec-VPC connections.
Enable	string	Indicates whether the health check feature is enabled for the IPsec-VPN connection. Valid values: true false	true
Sip	string	The source IP address that is used for health checks.	10.1.1.1
Dip	string	The destination IP address that is used for health checks.	192.168.1.1
Interval	integer	The interval between two consecutive health check retries. Unit: seconds.	3
Retry	integer	The maximum number of health check retries.	3
Policy	string	Indicates whether advertised routes are withdrawn when the health check fails. Valid values: revoke_route: Advertised routes are withdrawn. reserve_route: Advertised routes are not withdrawn.	revoke_route
EnableDpd	boolean	Indicates whether the DPD feature is enabled for the IPsec-VPN connection. true: The feature is enabled. false: The feature is disabled. This parameter is returned only for single-tunnel IPsec-VPN connections.	true
EnableNatTraversal	boolean	Specifies whether to enable NAT traversal for the IPsec-VPN connection. true: The feature is enabled. false: The feature is disabled. This parameter is returned only for single-tunnel IPsec-VPN connections.	true
VpnBgpConfig	object	The BGP configurations of the IPsec-VPN connection. VpnBgpConfig parameters are returned only for single-tunnel IPsec-VPN connections.
EnableBgp	string	Indicates whether BGP is enabled for the IPsec-VPN connection. Valid values: true false	true
TunnelCidr	string	The CIDR block of the IPsec tunnel.	169.254.11.0/30
LocalBgpIp	string	The BGP IP address on the Alibaba Cloud side.	169.254.11.1
PeerBgpIp	string	The BGP IP address on the data center side.	169.254.11.2
LocalAsn	long	The ASN on the Alibaba Cloud side.	45104
PeerAsn	long	The ASN on the data center side.	65535
Status	string	The negotiation state of BGP. Valid values: success: normal false: abnormal	false
AttachType	string	The type of the resource that is associated with the IPsec-VPN connection. Valid values: CEN: The IPsec-VPN connection is associated with a transit router. VPNGW: The IPsec-VPN connection is associated with a VPN gateway. NO_ASSOCIATED: The IPsec-VPN connection is not associated with any resource.	CEN
NetworkType	string	The network type of the IPsec-VPN connection. Valid values: public: an encrypted connection over the Internet private: an encrypted connection over private networks	public
AttachInstanceId	string	The ID of the Cloud Enterprise Network (CEN) instance to which the transit router associated with the IPsec-VPN connection belongs.	cen-c2r3m3zxkumoqz****
Spec	string	The bandwidth specification of the IPsec-VPN connection. A value of M in the response indicates Mbit/s.	1000M
ResourceGroupId	string	The ID of the resource group to which the IPsec-VPN connection belongs. You can call the ListResourceGroups operation to query resource groups.	rg-acfmzs372yg****
TunnelOptionsSpecification	array<object>	The tunnel configurations of the IPsec-VPN connection. TunnelOptionsSpecification parameters are returned only for dual-tunnel IPsec-VPN connections.
TunnelOptions	object	The tunnel configurations.
CustomerGatewayId	string	The ID of the customer gateway that is associated with the tunnel.	cgw-p0w2jemrcj5u61un8****
EnableDpd	boolean	Whether the DPD feature is enabled for the tunnel. true: The feature is enabled. false: The feature is disabled.	true
EnableNatTraversal	boolean	Indicates whether traversal feature is enabled for the tunnel. Valid values: true: The feature is enabled. false: The feature is disabled.	true
InternetIp	string	The IP address on the Alibaba Cloud side.	47.XX.XX.66
Role	string	The tunnel role. Valid values: master: The tunnel is an active tunnel. slave: The tunnel is a standby tunnel.	master
TunnelId	string	The tunnel ID.	tun-0jod7plwf2a0o9lvu****
TunnelIndex	integer	The order in which the tunnel was created. 1: Tunnel 1. 2: Tunnel 2.	1
State	string	The status of the tunnel. Valid values: active: The tunnel is active. updating: The tunnel is being updated. deleting: The tunnel is being deleted.	active
TunnelBgpConfig	object	BGP configuration.
LocalAsn	long	The ASN on the Alibaba Cloud side.	65530
LocalBgpIp	string	The BGP IP address of the tunnel on the Alibaba Cloud side.	169.254.10.1
PeerAsn	long	The ASN of the tunnel peer.	65531
PeerBgpIp	string	The BGP IP address of the tunnel peer.	169.254.10.2
TunnelCidr	string	The BGP CIDR block of the tunnel.	169.254.10.0/30
TunnelIkeConfig	object	The configurations of Phase 1 negotiations.
IkeAuthAlg	string	The authentication algorithm in the IKE phase.	sha1
IkeEncAlg	string	The encryption algorithm in the IKE phase.	aes
IkeLifetime	long	The lifetime in the IKE phase. Unit: seconds.	86400
IkeMode	string	The negotiation mode of IKE. Valid values: main: This mode offers higher security during negotiations. aggressive: This mode is faster with a higher success rate.	main
IkePfs	string	The Diffie-Hellman (DH) group in the IKE phase.	group2
IkeVersion	string	The version of the IKE protocol.	ikev2
LocalId	string	The identifier of the tunnel on the Alibaba Cloud side.	47.XX.XX.1
Psk	string	The pre-shared key.	123456****
RemoteId	string	The peer identifier.	47.XX.XX.2
TunnelIpsecConfig	object	The configurations of Phase 2 negotiations.
IpsecAuthAlg	string	The authentication algorithm in the IPsec phase.	sha1
IpsecEncAlg	string	The encryption algorithm in the IPsec phase.	aes
IpsecLifetime	long	The lifetime in the IPsec phase. Unit: seconds.	86400
IpsecPfs	string	The DH group in the IPsec phase.	group2
EnableTunnelsBgp	boolean	Specifies whether to enable Border Gateway Protocol (BGP) for tunnels. true: The feature is enabled. false: The feature is disabled. This parameter is returned only by dual-tunnel IPsec-VPN connections.	false
RequestId	string	The request ID.	35822A84-867F-3936-A2E6-A4C4E3ED11C0

Examples

Sample success responses

JSONformat

{
  "VpnConnectionId": "vco-p0w5112fgnl2ihlmf****",
  "CustomerGatewayId": "cgw-p0w2jemrcj5u61un8****",
  "VpnGatewayId": "vpn-p0wa1c1018pmeb6cu****",
  "Name": "nametest",
  "Description": "desctest",
  "LocalSubnet": "10.1.1.0/24,10.1.2.0/24",
  "RemoteSubnet": "10.1.3.0/24,10.1.4.0/24",
  "IkeConfig": {
    "Psk": "1234***",
    "IkeVersion": "ikev1",
    "IkeMode": "main",
    "IkeEncAlg": "aes",
    "IkeAuthAlg": "sha1",
    "IkePfs": "group2",
    "IkeLifetime": 86400,
    "LocalId": "47.XX.XX.1",
    "RemoteId": "47.XX.XX.2"
  },
  "IpsecConfig": {
    "IpsecEncAlg": "aes",
    "IpsecAuthAlg": "md5",
    "IpsecPfs": "group2",
    "IpsecLifetime": 86400
  },
  "CreateTime": 1658201810000,
  "EffectImmediately": false,
  "Status": "ike_sa_not_established",
  "VcoHealthCheck": {
    "Enable": "true",
    "Sip": "10.1.1.1",
    "Dip": "192.168.1.1",
    "Interval": 3,
    "Retry": 3,
    "Policy": "revoke_route"
  },
  "EnableDpd": true,
  "EnableNatTraversal": true,
  "VpnBgpConfig": {
    "EnableBgp": "true",
    "TunnelCidr": "169.254.11.0/30",
    "LocalBgpIp": "169.254.11.1",
    "PeerBgpIp": "169.254.11.2",
    "LocalAsn": 45104,
    "PeerAsn": 65535,
    "Status": "false"
  },
  "AttachType": "CEN",
  "NetworkType": "public",
  "AttachInstanceId": "cen-c2r3m3zxkumoqz****",
  "Spec": "1000M",
  "ResourceGroupId": "rg-acfmzs372yg****",
  "TunnelOptionsSpecification": [
    {
      "CustomerGatewayId": "cgw-p0w2jemrcj5u61un8****",
      "EnableDpd": true,
      "EnableNatTraversal": true,
      "InternetIp": "47.XX.XX.66",
      "Role": "master",
      "TunnelId": "tun-0jod7plwf2a0o9lvu****",
      "TunnelIndex": 1,
      "State": "active",
      "TunnelBgpConfig": {
        "LocalAsn": 65530,
        "LocalBgpIp": "169.254.10.1",
        "PeerAsn": 65531,
        "PeerBgpIp": "169.254.10.2",
        "TunnelCidr": "169.254.10.0/30"
      },
      "TunnelIkeConfig": {
        "IkeAuthAlg": "sha1",
        "IkeEncAlg": "aes",
        "IkeLifetime": 86400,
        "IkeMode": "main",
        "IkePfs": "group2",
        "IkeVersion": "ikev2",
        "LocalId": "47.XX.XX.1",
        "Psk": "123456****",
        "RemoteId": "47.XX.XX.2"
      },
      "TunnelIpsecConfig": {
        "IpsecAuthAlg": "sha1",
        "IpsecEncAlg": "aes",
        "IpsecLifetime": 86400,
        "IpsecPfs": "group2"
      }
    }
  ],
  "EnableTunnelsBgp": false,
  "RequestId": "35822A84-867F-3936-A2E6-A4C4E3ED11C0"
}

Error codes

HTTP status code	Error code	Error message	Description
400	VpnConnection.Configuring	The specified service is configuring.	The service is being configured. Try again later.
400	VpnConnection.FinancialLocked	The specified service is financial locked.	The error message returned because the service is locked due to overdue payments.
400	InvalidName	The name is not valid	The name format is invalid.
400	VpnRouteEntry.AlreadyExists	The specified route entry is already exist.	The route already exists.
400	VpnRouteEntry.Conflict	The specified route entry has conflict.	Route conflicts exist.
400	NotSupportVpnConnectionParameter.IpsecPfs	The specified vpn connection ipsec Ipsec Pfs is not support.	The PFS parameter set for the IPsec-VPN connection is not supported.
400	NotSupportVpnConnectionParameter.IpsecAuthAlg	The specified vpn connection ipsec Auth Alg is not support.	The authentication algorithm specified for the IPsec-VPN connection is not supported.
400	VpnRouteEntry.BackupRoute	Validate backup route entry failed.	Active/standby routes failed authentication.
400	VpnRouteEntry.InvalidWeight	Invalid route entry weight value.	The weight specified for the route is invalid.
400	MissingParameter.TunnelCidr	The parameter TunnelCidr is mandatory when BGP is enabled.	You must specify the tunnel CIDR block when you enable BGP.
400	OperationUnsupported.EnableBgp	Current region does not support enable BGP.	The error message returned because the current region does not support BGP.
400	MissingParam.CustomerGatewayAsn	Asn of customer gateway is mandatory when BGP is enabled.	The ASN of the customer gateway cannot be empty when you enable BGP.
400	IllegalParam.LocalAsn	The specified LocalAsn is invalid.	The local ASN is invalid.
400	IllegalParam.BgpConfig	The specified BgpConfig is invalid.	The BGP configuration is invalid.
400	IllegalParam.EnableBgp	VPN connection must enable BGP when VPN gateway has enabled BGP.	The error message returned because the VPN connection must use BGP if BGP is enabled for the VPN gateway.
400	IllegalParam.TunnelCidr	The specified TunnelCidr is invalid.	The TunnelCidr parameter is set to an invalid value.
400	InvalidLocalBgpIp.Malformed	The specified LocalBgpIp is malformed.	The local BGP IP address is in an abnormal state.
400	IllegalParam.LocalBgpIp	The specified LocalBgpIp is invalid.	The local BGP IP address is invalid.
400	IllegalParam.LocalSubnet	The specified "LocalSubnet" (%s) is invalid.	The specified "LocalSubnet" (%s) is invalid.
400	IllegalParam.RemoteSubnet	The specified "RemoteSubnet" (%s) is invalid.	The specified "RemoteSubnet" (%s) is invalid.
400	CustomerGateway.ConflictRouteEntry	The specified customer gateway has conflict with route entry.	The customer gateway conflicts with the current routes.
400	IllegalParam.NetworkType	The specified NetworkType (%s) is invalid.	The network type is invalid.
400	InvalidTunnelCidr.Malformed	The specified TunnelCidr is malformed.	The specified tunnel CIDR block is invalid.
400	VpnGateway.Configuring	The specified service is configuring.	The service is being configured. Try again later.
400	VpnTask.CONFLICT	Vpn task has conflict.	The VPN operation conflicts. Try again later.
400	ModifyIkeV1WithMultiRoutes.Invalid	Failed to modify VPN connection parameters. Multi-network is configured while using IkeV1 protocol.	Failed to modify VPN connection parameters. Multi-network is configured while using IkeV1 protocol.
400	InvalidVpnGatewayInstanceId.NotFound	The specified vpn gateway instance id does not exist.	The specified VPN gateway does not exist. Check whether the specified VPN gateway is valid.
400	Resource.QuotaFull	The resources you are operating have reached the upper limit of the quota. Please increase the quota or use other solutions to avoid it according to the VPN operation document.	The resources you are operating have reached the upper limit of the quota. Please refer to the VPN operation document to increase the quota or use other schemes to avoid it.
400	CreateDbrRoutesQuotaFull.QuotaFull	The number of created destination routes exceeds the quota limit.	The number of created destination routes exceeds the quota limit.
400	CreatePbrRoutesQuotaFull.QuotaFull	The number of policy routes exceeds the quota limit.	The number of policy routes exceeds the quota limit.
403	Forbbiden.SubUser	User not authorized to operate on the specified resource as your account is created by another user.	You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again.
403	Forbidden	User not authorized to operate on the specified resource.	You do not have the permissions to manage the specified resource. Apply for the permissions and try again.
404	InvalidVpnConnectionInstanceId.NotFound	The specified vpn connection instance id does not exist.	The specified vpn connection instance id does not exist.

For a list of error codes, visit the Service error codes.

Change history

Change time	Summary of changes	Operation
2024-11-28	The Error code has changed. The request parameters of the API has changed	View Change Details
2024-11-26	The Error code has changed. The response structure of the API has changed	View Change Details
2024-11-25	The Error code has changed. The request parameters of the API has changed	View Change Details
2024-10-24	The Error code has changed. The request parameters of the API has changed. The response structure of the API has changed	View Change Details
2024-01-04	The Error code has changed	View Change Details
2023-10-19	API Description Update. The Error code has changed. The response structure of the API has changed	View Change Details