ModifyVpnAttachmentAttribute - Virtual Private Cloud - Alibaba Cloud Documentation Center

Modifies the configuration of an IPsec-VPN connection.

Operation description

ModifyVpnAttachmentAttribute is an asynchronous operation. After a request is sent, the system returns a request ID and runs the task to modify the configuration of an IPsec-VPN connection in the background. You can call the DescribeVpnConnection operation to query the status of the task.
- If the IPsec-VPN connection is in the updating state, the configuration of the IPsec-VPN connection is being modified.
- If the IPsec-VPN connection is in the attached state, the configuration of the IPsec-VPN connection is modified.
You cannot call the ModifyVpnAttachmentAttribute operation again on the same IPsec-VPN connection before the previous operation is complete.
When you call the ModifyVpnAttachmentAttribute operation, take note of the following items:
- If the IPsec-VPN connection is associated with a transit router, you cannot change the type of the gateway connected to the IPsec-VPN connection.
- If the IPsec-VPN connection is not associated with a resource, you cannot change the type of the gateway connected to the IPsec-VPN connection or the customer gateway connected to the IPsec-VPN connection.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
vpc:ModifyVpnAttachmentAttribute	update	VpnConnections acs:vpc:{#regionId}:{#accountId}:vpnconnection/{#VpnConnectionId}	none	none

Request parameters

Parameter	Type	Required	Description	Example
RegionId	string	Yes	The ID of the region in which the IPsec-VPN connection is established. You can call the DescribeRegions operation to query the most recent region list.	cn-hangzhou
VpnConnectionId	string	Yes	The ID of the IPsec-VPN connection.	vco-p0w5112fgnl2ihlmf****
Name	string	No	The name of the IPsec-VPN connection. The name must be 1 to 100 characters in length and cannot start with `http://` or `https://`.	nametest
LocalSubnet	string	No	The CIDR block of the virtual private cloud (VPC) that communicates with the data center. The CIDR block is used in Phase 2 negotiations. Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24. The following routing modes are supported: If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is set to Destination Routing Mode. If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is set to Protected Data Flows.	10.1.1.0/24,10.1.2.0/24
RemoteSubnet	string	No	The CIDR block of the data center that communicates with the VPC. This CIDR block is used in Phase 2 negotiations. Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24. The following routing modes are supported: If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is set to Destination Routing Mode. If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is set to Protected Data Flows.	10.1.3.0/24,10.1.4.0/24
EffectImmediately	boolean	No	Specifies whether to immediately start IPsec negotiations after the configuration takes effect. Valid values: true: immediately starts IPsec negotiations after the configuration is complete. false: starts IPsec negotiations when inbound traffic is detected.	false
IkeConfig	string	No	The configuration of Phase 1 negotiations: IkeConfig.Psk: The pre-shared key that is used for authentication between the VPN gateway and the data center. The pre-shared key must be 1 to 100 characters in length and can contain letters, digits, and the following characters: ~ ! ` @ # $ % ^ & * () _ - + = {} [] \| ; : ' , . < > / ? If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key. You can call the DescribeVpnConnection operation to query the pre-shared key that is generated by the system. Note The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway. IkeConfig.IkeVersion: the Internet Key Exchange (IKE) version. Valid values: ikev1 and ikev2. IkeConfig.IkeMode: the negotiation mode. Valid values: main and aggressive. IkeConfig.IkeEncAlg: the encryption algorithm that is used in Phase 1 negotiations. Valid values: aes, aes192, aes256, des, and 3des. IkeConfig.IkeAuthAlg: the authentication algorithm that is used in Phase 1 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512. IkeConfig.IkePfs: the Diffie-Hellman (DH) key exchange algorithm that is used in Phase 1 negotiations. Valid values: group1, group2, group5, and group14. IkeConfig.IkeLifetime: the security association (SA) lifetime determined by Phase 1 negotiations. Unit: seconds. Valid values: 0 to 86400. IkeConfig.LocalIdIPsec: the identifier of the IPsec-VPN connection on the Alibaba Cloud side. The identifier can be up to 100 characters in length. IkeConfig.RemoteId: the identifier of the IPsec-VPN connection on the data center side. The identifier can be up to 100 characters in length.	{"Psk":"1234****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"47.XX.XX.1","RemoteId":"47.XX.XX.2"}
IpsecConfig	string	No	The configuration of Phase 2 negotiations: IpsecConfig.IpsecEncAlg: the encryption algorithm that is used in Phase 2 negotiations. Valid values: aes, aes192, aes256, des, and 3des. IpsecConfig. IpsecAuthAlg: the authentication algorithm that is used in Phase 2 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512. IpsecConfig. IpsecPfs: the DH key exchange algorithm that is used in Phase 2 negotiations. Valid values: disabled, group1, group2, group5, and group14. IpsecConfig. IpsecLifetime: the SA lifetime determined by Phase 2 negotiations. Unit: seconds. Valid values: 0 to 86400.	{"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}
BgpConfig	string	No	The Border Gateway Protocol (BGP) configuration: BgpConfig.EnableBgp: specifies whether to enable BGP. Valid values: true false BgpConfig.LocalAsn: the autonomous system number (ASN) on the Alibaba Cloud side. Valid values: 1 to 4294967295. You can enter the ASN in two segments. Separate the first 16 bits of the ASN from the remaining 16 bits with a period (.). Enter the number in each segment in decimal format. For example, if you enter 123.456, the ASN is: 123 × 65536 + 456 = 8061384. BgpConfig.TunnelCidr: the CIDR block of the IPsec tunnel. The CIDR block falls within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length. LocalBgpIp: the BGP IP address on the Alibaba Cloud side. This IP address must fall within the CIDR block of the IPsec tunnel. Note Before you configure BGP, we recommend that you learn how BGP dynamic routing works and the limits of using BGP dynamic routing. For more information, see BGP dynamic routing . We recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. Refer to the relevant documentation for the private ASN range.	{"EnableBgp":"true","LocalAsn":"45104","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}
HealthCheckConfig	string	No	The health check configurations: HealthCheckConfig.enable: specifies whether to enable the health check feature. Valid values: true false HealthCheckConfig.dip: the destination IP address that is used for health checks. Enter the IP address on the data center side that the VPC can communicate with through the IPsec-VPN connection. HealthCheckConfig.sip: the source IP address that is used for health checks. Enter the IP address on the VPC side that the data center can communicate with through the IPsec-VPN connection. HealthCheckConfig.interval: the interval between two consecutive health checks. Unit: seconds. HealthCheckConfig.retry: the maximum number of health check retries. HealthCheckConfig.Policy: specifies whether to withdraw advertised routes when health checks fail. Valid values: revoke_route reserve_route	{"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3","Policy": "revoke_route"}
AutoConfigRoute	boolean	No	Specifies whether to automatically configure routes. Valid values: true false	true
EnableDpd	boolean	No	Specifies whether to enable the dead peer detection (DPD) feature. Valid values: true: enables the DPD feature. The initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no feedback is received from the peer within a specific period of time, the connection fails. Then, the ISAKMP SA, IPsec SA, and IPsec tunnel are deleted. false: disables the DPD feature. The initiator of the IPsec-VPN connection does not send DPD packets.	true
EnableNatTraversal	boolean	No	Specifies whether to enable NAT traversal. Valid values: true After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel. false	true
RemoteCaCert	string	No	The peer CA certificate when a ShangMi (SM) VPN gateway is used to create the IPsec-VPN connection.	c20ycDI1NnYxIENBIChURVNUIFN****
ClientToken	string	No	The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests. The token can contain only ASCII characters. Note If you do not specify this parameter, the system automatically uses the value of RequestId as the value of ClientToken. The request ID may be different for each request.	123e4567-e89b-12d3-a456-4266****
NetworkType	string	No	The network type of the IPsec-VPN connection. Valid values: public: an encrypted connection over the Internet private: an encrypted connection over private networks	public
CustomerGatewayId	string	No	The customer gateway associated with the IPsec-VPN connection.	cgw-p0w2jemrcj5u61un8****

Response parameters

Parameter	Type	Description	Example
	object	The response parameters.
VpnConnectionId	string	The ID of the IPsec-VPN connection.	vco-p0w5112fgnl2ihlmf****
CustomerGatewayId	string	The ID of the customer gateway associated with the IPsec-VPN connection.	cgw-p0w2jemrcj5u61un8****
VpnGatewayId	string	The ID of the VPN gateway associated with the IPsec-VPN connection.	vpn-p0wa1c1018pmeb6cu****
Name	string	The name of the IPsec-VPN connection.	nametest
Description	string	The description of the IPsec-VPN connection.	desctest
LocalSubnet	string	The CIDR block of the VPC with which the data center can communicate.	10.1.1.0/24,10.1.2.0/24
RemoteSubnet	string	The CIDR block of the data center with which the VPC can communicate.	10.1.3.0/24,10.1.4.0/24
IkeConfig	object	The configuration of Phase 1 negotiations.
Psk	string	The pre-shared key that is used for identity authentication between the VPN gateway and the data center. Note The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway.	1234***
IkeVersion	string	The version of the IKE protocol.	ikev1
IkeMode	string	The negotiation mode.	main
IkeEncAlg	string	The encryption algorithm that is used in Phase 1 negotiations.	aes
IkeAuthAlg	string	The authentication algorithm that is used in Phase 1 negotiations.	sha1
IkePfs	string	The DH key exchange algorithm that is used in Phase 1 negotiations.	group2
IkeLifetime	long	The SA lifetime that is determined by Phase 1 negotiations. Unit: seconds.	86400
LocalId	string	The identifier of the IPsec-VPN connection on the Alibaba Cloud side.	47.XX.XX.1
RemoteId	string	The identifier of the IPsec-VPN connection on the data center side.	47.XX.XX.2
IpsecConfig	object	The configuration of Phase 2 negotiations.
IpsecEncAlg	string	The encryption algorithm that is used in Phase 2 negotiations.	aes
IpsecAuthAlg	string	The authentication algorithm that is used in Phase 2 negotiations.	md5
IpsecPfs	string	The DH key exchange algorithm that is used in Phase 2 negotiations.	group2
IpsecLifetime	long	The SA lifetime that is determined by Phase 2 negotiations. Unit: seconds.	86400
CreateTime	long	The timestamp generated when the IPsec-VPN connection was established. Unit: milliseconds. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.	1658201810000
EffectImmediately	boolean	Indicates whether IPsec negotiations immediately start after the configuration takes effect. Valid values: true false	false
Status	string	The state of the IPsec-VPN connection. Valid values: ike_sa_not_established: Phase 1 negotiations failed. ike_sa_established: Phase 1 negotiations succeeded. ipsec_sa_not_established: Phase 2 negotiations failed. ipsec_sa_established: Phase 2 negotiations succeeded.	ike_sa_not_established
VcoHealthCheck	object	The health check configuration of the IPsec-VPN connection.
Enable	string	Indicates whether the health check feature is enabled for the IPsec-VPN connection. Valid values: true false	true
Sip	string	The source IP address that is used for health checks.	10.1.1.1
Dip	string	The destination IP address that is used for health checks.	192.168.1.1
Interval	integer	The interval between two consecutive health check retries. Unit: seconds.	3
Retry	integer	The maximum number of health check retries.	3
Policy	string	Indicates whether advertised routes are withdrawn when the health check fails. Valid values: revoke_route: Advertised routes are withdrawn. reserve_route: Advertised routes are not withdrawn.	revoke_route
EnableDpd	boolean	Indicates whether the DPD feature is enabled for the IPsec-VPN connection. Valid values: true false	true
EnableNatTraversal	boolean	Indicates whether NAT traversal is enabled for the IPsec-VPN connection. Valid values: true false	true
VpnBgpConfig	object	The BGP configuration of the IPsec-VPN connection.
EnableBgp	string	Indicates whether BGP is enabled for the IPsec-VPN connection. Valid values: true false	true
TunnelCidr	string	The CIDR block of the IPsec tunnel.	169.254.11.0/30
LocalBgpIp	string	The BGP IP address on the Alibaba Cloud side.	169.254.11.1
PeerBgpIp	string	The BGP IP address on the data center side.	169.254.11.2
LocalAsn	long	The ASN on the Alibaba Cloud side.	45104
PeerAsn	long	The ASN on the data center side.	65535
Status	string	The negotiation state of BGP. Valid values: success: normal false: abnormal	false
AttachType	string	The type of the resource that is associated with the IPsec-VPN connection. Valid values: CEN: The IPsec-VPN connection is associated with a transit router. VPNGW: The IPsec-VPN connection is associated with a VPN gateway. NO_ASSOCIATED: The IPsec-VPN connection is not associated with any resource.	CEN
NetworkType	string	The network type of the IPsec-VPN connection. Valid values: public: an encrypted connection over the Internet private: an encrypted connection over private networks	public
AttachInstanceId	string	The ID of the Cloud Enterprise Network (CEN) instance to which the transit router associated with the IPsec-VPN connection belongs.	cen-c2r3m3zxkumoqz****
Spec	string	The bandwidth specification of the IPsec-VPN connection. A value of M in the response indicates Mbit/s.	1000M
ResourceGroupId	string	The ID of the resource group to which the IPsec-VPN connection belongs. You can call the ListResourceGroups operation to query resource groups.	rg-acfmzs372yg****
RequestId	string	The request ID.	35822A84-867F-3936-A2E6-A4C4E3ED11C0

Examples

Sample success responses

JSONformat

{
  "VpnConnectionId": "vco-p0w5112fgnl2ihlmf****",
  "CustomerGatewayId": "cgw-p0w2jemrcj5u61un8****",
  "VpnGatewayId": "vpn-p0wa1c1018pmeb6cu****",
  "Name": "nametest",
  "Description": "desctest",
  "LocalSubnet": "10.1.1.0/24,10.1.2.0/24",
  "RemoteSubnet": "10.1.3.0/24,10.1.4.0/24",
  "IkeConfig": {
    "Psk": "1234***",
    "IkeVersion": "ikev1",
    "IkeMode": "main",
    "IkeEncAlg": "aes",
    "IkeAuthAlg": "sha1",
    "IkePfs": "group2",
    "IkeLifetime": 86400,
    "LocalId": "47.XX.XX.1",
    "RemoteId": "47.XX.XX.2"
  },
  "IpsecConfig": {
    "IpsecEncAlg": "aes",
    "IpsecAuthAlg": "md5",
    "IpsecPfs": "group2",
    "IpsecLifetime": 86400
  },
  "CreateTime": 1658201810000,
  "EffectImmediately": false,
  "Status": "ike_sa_not_established",
  "VcoHealthCheck": {
    "Enable": "true",
    "Sip": "10.1.1.1",
    "Dip": "192.168.1.1",
    "Interval": 3,
    "Retry": 3,
    "Policy": "revoke_route"
  },
  "EnableDpd": true,
  "EnableNatTraversal": true,
  "VpnBgpConfig": {
    "EnableBgp": "true",
    "TunnelCidr": "169.254.11.0/30",
    "LocalBgpIp": "169.254.11.1",
    "PeerBgpIp": "169.254.11.2",
    "LocalAsn": 45104,
    "PeerAsn": 65535,
    "Status": "false"
  },
  "AttachType": "CEN",
  "NetworkType": "public",
  "AttachInstanceId": "cen-c2r3m3zxkumoqz****",
  "Spec": "1000M",
  "ResourceGroupId": "rg-acfmzs372yg****",
  "RequestId": "35822A84-867F-3936-A2E6-A4C4E3ED11C0"
}

Error codes

HTTP status code	Error code	Error message	Description
400	VpnConnection.Configuring	The specified service is configuring.	The service is being configured. Try again later.
400	VpnConnection.FinancialLocked	The specified service is financial locked.	The error message returned because the service is locked due to overdue payments.
400	InvalidName	The name is not valid	The name format is invalid.
400	VpnRouteEntry.AlreadyExists	The specified route entry is already exist.	The route already exists.
400	VpnRouteEntry.Conflict	The specified route entry has conflict.	Route conflicts exist.
400	NotSupportVpnConnectionParameter.IpsecPfs	The specified vpn connection ipsec Ipsec Pfs is not support.	The PFS parameter set for the IPsec-VPN connection is not supported.
400	NotSupportVpnConnectionParameter.IpsecAuthAlg	The specified vpn connection ipsec Auth Alg is not support.	The authentication algorithm specified for the IPsec-VPN connection is not supported.
400	VpnRouteEntry.BackupRoute	Validate backup route entry failed.	Active/standby routes failed authentication.
400	VpnRouteEntry.InvalidWeight	Invalid route entry weight value.	The weight specified for the route is invalid.
400	MissingParameter.TunnelCidr	The parameter TunnelCidr is mandatory when BGP is enabled.	You must specify the tunnel CIDR block when you enable BGP.
400	OperationUnsupported.EnableBgp	Current region does not support enable BGP.	The error message returned because the current region does not support BGP.
400	MissingParam.CustomerGatewayAsn	Asn of customer gateway is mandatory when BGP is enabled.	The ASN of the customer gateway cannot be empty when you enable BGP.
400	IllegalParam.LocalAsn	The specified LocalAsn is invalid.	The local ASN is invalid.
400	IllegalParam.BgpConfig	The specified BgpConfig is invalid.	The BGP configuration is invalid.
400	IllegalParam.TunnelCidr	The specified TunnelCidr is invalid.	The TunnelCidr parameter is set to an invalid value.
400	InvalidLocalBgpIp.Malformed	The specified LocalBgpIp is malformed.	The local BGP IP address is in an abnormal state.
400	IllegalParam.LocalBgpIp	The specified LocalBgpIp is invalid.	The local BGP IP address is invalid.
400	IllegalParam.LocalSubnet	The specified "LocalSubnet" (%s) is invalid.	The specified "LocalSubnet" (%s) is invalid.
400	IllegalParam.RemoteSubnet	The specified "RemoteSubnet" (%s) is invalid.	The specified "RemoteSubnet" (%s) is invalid.
400	CustomerGateway.ConflictRouteEntry	The specified customer gateway has conflict with route entry.	The customer gateway conflicts with the current routes.
400	IllegalParam.NetworkType	The specified NetworkType (%s) is invalid.	The network type is invalid.
400	InvalidTunnelCidr.Malformed	The specified TunnelCidr is malformed.	The specified tunnel CIDR block is invalid.
400	InvalidVpnGatewayInstanceId.NotFound	The specified vpn gateway instance id does not exist.	The specified VPN gateway does not exist. Check whether the specified VPN gateway is valid.
400	Resource.QuotaFull	The resources you are operating have reached the upper limit of the quota. Please increase the quota or use other solutions to avoid it according to the VPN operation document.	The resources you are operating have reached the upper limit of the quota. Please refer to the VPN operation document to increase the quota or use other schemes to avoid it.
400	CreateDbrRoutesQuotaFull.QuotaFull	The number of created destination routes exceeds the quota limit.	The number of created destination routes exceeds the quota limit.
400	CreatePbrRoutesQuotaFull.QuotaFull	The number of policy routes exceeds the quota limit.	The number of policy routes exceeds the quota limit.
403	Forbbiden.SubUser	User not authorized to operate on the specified resource as your account is created by another user.	You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again.
403	Forbidden	User not authorized to operate on the specified resource.	You do not have the permissions to manage the specified resource. Apply for the permissions and try again.
404	InvalidVpnConnectionInstanceId.NotFound	The specified vpn connection instance id does not exist.	The specified vpn connection instance id does not exist.

For a list of error codes, visit the Service error codes.

Change history

Change time	Summary of changes	Operation
2024-01-04	The Error code has changed	View Change Details
2023-10-19	API Description Update. The Error code has changed. The response structure of the API has changed	View Change Details