All Products
Search
Document Center

VPN Gateway:ModifyTunnelAttribute

Last Updated:Nov 13, 2024

Modifies a VPN tunnel.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
vpc:ModifyTunnelAttributeupdate
  • VpnConnection
    acs:vpc:{#regionId}:{#accountId}:vpnconnection/{#VpnConnectionId}
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
ClientTokenstringNo

The client token that is used to ensure the idempotence of the request.

You can use the client to generate a token, but you must make sure that the token is unique among different requests. The client token can contain only ASCII characters.

Note If you do not specify this parameter, the system automatically uses the value of RequestId as the client token. The value of RequestId is different for each API request.
02fb3da4-130e-11e9-8e44-0016e04115b
TunnelOptionsSpecificationobjectNo

The tunnel configurations.

EnableDpdbooleanNo

Specifies whether to enable the dead peer detection (DPD) feature. Valid values:

  • true: DPD is enabled. The IPsec initiator sends DPD packets to verify the existence and availability of the IPsec peer. If no response is received from the peer within a specified period of time, the IPsec peer is considered disconnected. Then, the ISAKMP SA, IPsec SA, and IPsec tunnel are deleted.
  • false: DPD is disabled. The IPsec initiator does not send DPD packets.
true
EnableNatTraversalbooleanNo

Specifies whether to enable NAT traversal. Valid values:

  • true: NAT traversal is enabled. After NAT traversal is enabled, the initiator does not check the UDP ports during Internet Key Exchange (IKE) negotiations and can automatically discover NAT gateway devices along the IPsec-VPN tunnel.
  • false: NAT traversal is disabled.
true
RemoteCaCertificatestringNo

The peer certificate authority (CA) certificate when you want to attach the IPsec connection to a virtual private network (VPN) gateway that uses a ShangMi (SM) certificate.

-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----
TunnelBgpConfigobjectNo

The Border Gateway Protocol (BGP) configurations of the tunnel.

If the BGP feature is not enabled for the tunnel, you must call the ModifyVpnConnectionAttribute operation to enable the BGP feature for the tunnel and configure BGP.

LocalAsnlongNo

The local autonomous system number (ASN). Valid values: 1 to 4294967295.

65530
LocalBgpIpstringNo

The BGP IP address of the tunnel. The IP address must fall into the CIDR block of the tunnel.

169.254.11.1
TunnelCidrstringNo

The CIDR block of the tunnel.

The CIDR block must fall into 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length.

169.254.11.0/30
TunnelIkeConfigobjectNo

The configurations of IKE Phase 1.

IkeAuthAlgstringNo

The authentication algorithm that is used in IKE Phase 1 negotiations.

  • Valid values when the IPsec connection is attached to a standard VPN gateway: md5, sha1, sha256, sha384, and sha512.
  • Valid values when the IPsec connection is attached to a VPN gateway that uses an SM certificate: sm3.
sha1
IkeEncAlgstringNo

The encryption algorithm that is used in IKE Phase 1 negotiations.

  • Valid values when the IPsec connection is attached to a standard VPN gateway: aes, aes192, sha256, des, and 3des.
  • Valid values when the IPsec connection is attached to a VPN gateway that uses an SM certificate: sm4.
aes
IkeLifetimelongNo

The SA lifetime that is used in IKE Phase 1 negotiations. Unit: seconds. Valid values: 0 to 86400.

86400
IkeModestringNo

The IKE negotiation mode. Valid values:

  • main: This mode offers higher security during negotiations.
  • aggressive: This mode is faster and has a higher success rate.
main
IkePfsstringNo

The Diffie-Hellman (DH) key exchange algorithm that is used in IKE Phase 1 negotiations. Valid values: group1, group2, group5, and group14.

group2
IkeVersionstringNo

The IKE version. Valid values: ikev1 and ikev2.

ikev2
LocalIdstringNo

The tunnel identifier. The identifier can be up to 100 characters in length, and supports fully qualified domain names (FQDNs) and IP addresses. The default identifier is the tunnel IP address.

47.XX.XX.87
PskstringNo

The pre-shared key that is used to verify identities between the tunnel and peer.

  • It must be 1 to 100 characters in length, and can contain letters, digits, and the following characters: ~!`@#$%^&*()_-+={}[]|;:',.<>/?
  • If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key. You can call the DescribeVpnConnection operation to query the pre-shared key that is generated by the system.
Note The pre-shared key that is configured for the tunnel and the tunnel peer must be the same. Otherwise, the system cannot establish the tunnel.
123456****
RemoteIdstringNo

The peer identifier. The identifier can be up to 100 characters in length, and supports FQDNs and IP addresses. The default identifier is the IP address of the customer gateway associated with the tunnel.

47.XX.XX.207
TunnelIpsecConfigobjectNo

The configurations of IPsec Phase 2.

IpsecAuthAlgstringNo

The authentication algorithm that is used in IPsec Phase 2 negotiations.

  • Valid values when the IPsec connection is attached to a standard VPN gateway: md5, sha1, sha256, sha384, and sha512.
  • Valid values when the IPsec connection is attached to a VPN gateway that uses an SM certificate: sm3.
sha1
IpsecEncAlgstringNo

The encryption algorithm that is used in IPsec Phase 2 negotiations.

  • Valid values when the IPsec connection is attached to a standard VPN gateway: aes, aes192, sha256, des, and 3des.
  • Valid values when the IPsec connection is attached to a VPN gateway that uses an SM certificate: sm4.
aes
IpsecLifetimelongNo

The SA lifetime that is used in IPsec Phase 2 negotiations. Unit: seconds. Valid values: 0 to 86400.

86400
IpsecPfsstringNo

The DH key exchange algorithm that is used in IPsec Phase 2 negotiations. Valid values: disabled, group1, group2, group5, and group14.

group2
RegionIdstringNo

The ID of the region in which the IPsec connection is established.

You can call the DescribeRegions operation to query the region ID.

cn-hangzhou
VpnConnectionIdstringYes

The ID of the IPsec connection.

vco-gw69vm1i71y354****
TunnelIdstringYes

The tunnel ID.

tun-gbyz2e070xzo93****

Response parameters

ParameterTypeDescriptionExample
object

The returned data.

TunnelIdstring

The tunnel ID.

tun-gbyz2e070xzo93****
RequestIdstring

The request ID.

E6F36FF0-9544-3AEE-8673-A4647D50064C
TunnelIkeConfigobject

The Phase 1 configuration.

IkeAuthAlgstring

The IKE authentication algorithm.

sha1
IkeEncAlgstring

The IKE encryption algorithm.

aes
IkeLifetimelong

The IKE lifetime. Unit: seconds.

86400
IkeModestring

The IKE negotiation mode.

  • main: This mode offers higher security during negotiations.
  • aggressive: This mode is faster and has a higher success rate.
main
IkePfsstring

The DH group.

group2
IkeVersionstring

The IKE version.

  • ikev1
  • ikev2

Compared with IKEv1, IKEv2 simplifies the SA negotiation process and provides better support for scenarios with multiple CIDR blocks.

ikev2
LocalIdstring

The tunnel identifier. The identifier supports FQDNs and IP addresses. The default value is the tunnel IP address.

47.XX.XX.87
Pskstring

The pre-shared key.

123456****
RemoteIdstring

The peer identifier. The identifier supports FQDNs and IP addresses. The default identifier is the IP address of the customer gateway associated with the tunnel.

47.XX.XX.207
TunnelIpsecConfigobject

The configurations of IPsec Phase 2.

IpsecAuthAlgstring

The IPsec authentication algorithm.

sha1
IpsecEncAlgstring

The IPsec encryption algorithm.

aes
IpsecLifetimelong

The IPsec lifetime. Unit: seconds.

86400
IpsecPfsstring

The DH group.

group2
TunnelBgpConfigobject

The BGP configuration.

EnableBgpboolean

Indicates whether the BGP feature is enabled. Valid values:

  • true
  • false
true
LocalAsnlong

The local ASN.

65530
LocalBgpIpstring

The BGP IP address of the tunnel.

169.254.11.1
PeerAsnlong

The peer ASN.

65531
PeerBgpIpstring

The BGP IP address of the peer.

169.254.11.2
TunnelCidrstring

The CIDR block to which the tunnel BGP IP address belongs.

169.254.11.0/30
EnableNatTraversalboolean

Indicates whether NAT traversal is enabled. Valid values:

  • false
  • true
true
EnableDpdboolean

Indicates whether DPD is enabled. Valid values:

  • false
  • true
true
RemoteCaCertificatestring

The peer CA certificate when a VPN gateway that uses an SM certificate is used to create the IPsec connection.

-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----
CustomerGatewayIdstring

The ID of the customer gateway associated with the customer gateway.

cgw-p0wx48ayhrygitm80****
Rolestring

The tunnel role. Valid values:

  • master
  • slave
master
ZoneNostring

The tunnel zone.

cn-hangzhou-h
InternetIpstring

The tunnel IP address.

47.XX.XX.87
Statestring

The tunnel status. Valid values:

  • active
  • updating
  • deleting
active

Examples

Sample success responses

JSONformat

{
  "TunnelId": "tun-gbyz2e070xzo93****",
  "RequestId": "E6F36FF0-9544-3AEE-8673-A4647D50064C",
  "TunnelIkeConfig": {
    "IkeAuthAlg": "sha1",
    "IkeEncAlg": "aes",
    "IkeLifetime": 86400,
    "IkeMode": "main",
    "IkePfs": "group2",
    "IkeVersion": "ikev2",
    "LocalId": "47.XX.XX.87",
    "Psk": "123456****",
    "RemoteId": "47.XX.XX.207"
  },
  "TunnelIpsecConfig": {
    "IpsecAuthAlg": "sha1",
    "IpsecEncAlg": "aes",
    "IpsecLifetime": 86400,
    "IpsecPfs": "group2"
  },
  "TunnelBgpConfig": {
    "EnableBgp": true,
    "LocalAsn": 65530,
    "LocalBgpIp": "169.254.11.1",
    "PeerAsn": 65531,
    "PeerBgpIp": "169.254.11.2",
    "TunnelCidr": "169.254.11.0/30"
  },
  "EnableNatTraversal": true,
  "EnableDpd": true,
  "RemoteCaCertificate": "-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----",
  "CustomerGatewayId": "cgw-p0wx48ayhrygitm80****",
  "Role": "master",
  "ZoneNo": "cn-hangzhou-h",
  "InternetIp": "47.XX.XX.87",
  "State": "active"
}

Error codes

HTTP status codeError codeError messageDescription
400VpnGateway.ConfiguringThe specified service is configuring.The service is being configured. Try again later.
400VpnGateway.FinancialLockedThe specified service is financial locked.The service is suspended due to overdue payments. Top up your account first.
400InvalidNameThe name is not validThe name format is invalid.
400VpnRouteEntry.AlreadyExistsThe specified route entry is already exist.The route already exists.
400VpnRouteEntry.ConflictThe specified route entry has conflict.Route conflicts exist.
400NotSupportVpnConnectionParameter.IpsecPfsThe specified vpn connection ipsec Ipsec Pfs is not support.The PFS parameter set for the IPsec-VPN connection is not supported.
400NotSupportVpnConnectionParameter.IpsecAuthAlgThe specified vpn connection ipsec Auth Alg is not support.The authentication algorithm specified for the IPsec-VPN connection is not supported.
400VpnConnectionParamInvalid.SameVpnAndCgwDifferentIkeConfigsIPSec connections associated with the same user gateway and VPN gateway should have the same pre-shared key and IKE configuration.The pre-shared key and IKE parameters must be the same for IPsec-VPN connections that are associated with the same VPN gateway and customer gateway.
400VpnConnectionParamInvalid.SameVpnAndCgwTrafficSelectorOverlapTraffic selectors of IPSec connections associated with the same user gateway and VPN gateway should not overlap.The protected data flows of IPsec-VPN connections that are associated with the same VPN gateway and customer gateway cannot overlap.
400IllegalParam.LocalAsnThe param of LocalAsn is illegalThe LocalAsn parameter is set to an invalid value.
400IllegalParam.LocalBgpIpThe specified LocalBgpIp is invalid.The local BGP IP address is invalid.
400VpnGateway.task.conflictThe VPN is in the configuration state, please wait a while before operating.The VPN is in the configuration state, please wait a while before operating.
400ModifyIkeV1WithMultiRoutes.InvalidFailed to modify VPN connection parameters. Multi-network is configured while using IkeV1 protocol.Failed to modify VPN connection parameters. Multi-network is configured while using IkeV1 protocol.
403Forbbiden.SubUserUser not authorized to operate on the specified resource as your account is created by another user.You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again.
403ForbiddenUser not authorized to operate on the specified resource.You do not have the permissions to manage the specified resource. Apply for the permissions and try again.
404InvalidVpnConnectionInstanceId.NotFoundThe specified vpn connection instance id does not exist.The specified vpn connection instance id does not exist.

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2024-10-24The Error code has changedView Change Details
2024-01-04API Description Update. The Error code has changedView Change Details
2023-08-21The Error code has changedView Change Details