Modifies a VPN tunnel.
Authorization information
The following table shows the authorization information for this API operation. Use the Operation value in the Action element of a RAM policy to grant a RAM user or RAM role permission to call the operation. Column descriptions:
- Operation: the value to use in the Action element to specify the operation on a resource.
- Access level: the access level of the operation. The levels are read, write, and list.
- Resource type: the type of resource on which the RAM user or RAM role can be authorized to perform the operation. Take note of the following items:
- Required resource types are displayed in bold.
- If permissions cannot be granted at the resource level, All Resources is shown in the Resource type column.
- Condition key: the condition key that is defined by the cloud service.
- Associated operation: other operations that the RAM user or RAM role must also be authorized to perform before this operation can complete.
Operation | Access level | Resource type | Condition key | Associated operation |
---|---|---|---|---|
vpc:ModifyTunnelAttribute | update | **VpnConnection** acs:vpc:{#regionId}:{#accountId}:vpnconnection/{#VpnConnectionId} | none | none |
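Because the operation can be authorized at the resource level, a policy can be scoped to the exact IPsec connections a caller is allowed to modify instead of `*`. The following is an added example, not part of the page and not Alibaba Cloud's own tooling: it builds such a least-privilege policy from the resource pattern in the table and checks it with a deliberately minimal Allow/Deny evaluator (wildcard matching on Action and Resource only; a simplification of RAM's real semantics, not a reimplementation of them). The account and connection IDs are constructed placeholders.

```python
"""Added example, not code from the Alibaba Cloud page or SDKs: build a RAM
policy that allows vpc:ModifyTunnelAttribute only on named IPsec connections,
and check it with a minimal Allow/Deny evaluator. The evaluator supports only
Action/Resource wildcard matching; it is this example's simplification of RAM,
not RAM's real evaluation logic."""
import fnmatch
import json

ACTION = "vpc:ModifyTunnelAttribute"


def vpn_connection_arn(region_id, account_id, vpn_connection_id):
    """Resource pattern from the authorization table:
    acs:vpc:{#regionId}:{#accountId}:vpnconnection/{#VpnConnectionId}."""
    return f"acs:vpc:{region_id}:{account_id}:vpnconnection/{vpn_connection_id}"


def least_privilege_policy(region_id, account_id, vpn_connection_ids):
    """Allow the operation on the listed connections and nothing else."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": [ACTION],
            "Resource": [vpn_connection_arn(region_id, account_id, cid)
                         for cid in vpn_connection_ids],
        }],
    }


def _matches(patterns, value):
    """RAM-style '*' / '?' wildcards; a bare string is treated as a one-item list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Explicit Deny wins, otherwise any matching Allow grants, otherwise deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed placeholder IDs; real IDs have the vco-... form shown in the parameter table.
POLICY = least_privilege_policy("cn-hangzhou", "1234567890123456", ["vco-aaaa1111"])

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    target = vpn_connection_arn("cn-hangzhou", "1234567890123456", "vco-aaaa1111")
    other = vpn_connection_arn("cn-hangzhou", "1234567890123456", "vco-bbbb2222")
    print("own connection:", is_allowed(POLICY, ACTION, target))    # True
    print("other connection:", is_allowed(POLICY, ACTION, other))   # False
```

A policy whose Resource is `*` passes the same check for every connection in the account; scoping to ARNs is what confines a compromised automation credential to the tunnels it is meant to manage.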
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
ClientToken | string | No | The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that it is unique among different requests. The token can contain only ASCII characters. Reuse the same token when you retry a request that timed out or returned a transient error, so that the retry does not apply the change twice. Note: if you do not specify this parameter, the system uses the value of RequestId as the client token; RequestId is different for each API request. | 02fb3da4-130e-11e9-8e44-0016e04115b |
TunnelOptionsSpecification | object | No | The tunnel configurations. | |
EnableDpd | boolean | No | Specifies whether to enable the dead peer detection (DPD) feature. Valid values: true and false. | true |
EnableNatTraversal | boolean | No | Specifies whether to enable NAT traversal. Valid values: true and false. | true |
RemoteCaCertificate | string | No | The peer certificate authority (CA) certificate when you want to attach the IPsec connection to a virtual private network (VPN) gateway that uses a ShangMi (SM) certificate. | -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE----- |
TunnelBgpConfig | object | No | The Border Gateway Protocol (BGP) configurations of the tunnel. If the BGP feature is not enabled for the tunnel, you must call the ModifyVpnConnectionAttribute operation to enable the BGP feature for the tunnel and configure BGP. | |
LocalAsn | long | No | The local autonomous system number (ASN). Valid values: 1 to 4294967295. | 65530 |
LocalBgpIp | string | No | The BGP IP address of the tunnel. The IP address must fall into the CIDR block of the tunnel. | 169.254.11.1 |
TunnelCidr | string | No | The CIDR block of the tunnel. The CIDR block must fall into 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length. | 169.254.11.0/30 |
TunnelIkeConfig | object | No | The configurations of IKE Phase 1. | |
IkeAuthAlg | string | No | The authentication algorithm that is used in IKE Phase 1 negotiations. The example value sha1 is dated; prefer a SHA-2 algorithm when both peers support one. | sha1 |
IkeEncAlg | string | No | The encryption algorithm that is used in IKE Phase 1 negotiations. | aes |
IkeLifetime | long | No | The SA lifetime that is used in IKE Phase 1 negotiations. Unit: seconds. Valid values: 0 to 86400. | 86400 |
IkeMode | string | No | The IKE negotiation mode. Valid values: main and aggressive. Aggressive mode sends the identity hash unencrypted, which exposes a pre-shared key to offline guessing; use main mode unless the peer requires aggressive mode. | main |
IkePfs | string | No | The Diffie-Hellman (DH) key exchange algorithm that is used in IKE Phase 1 negotiations. Valid values: group1, group2, group5, and group14. Only group14 uses a 2048-bit modulus; prefer it when both peers support it. | group2 |
IkeVersion | string | No | The IKE version. Valid values: ikev1 and ikev2. | ikev2 |
LocalId | string | No | The tunnel identifier. The identifier can be up to 100 characters in length, and supports fully qualified domain names (FQDNs) and IP addresses. The default identifier is the tunnel IP address. | 47.XX.XX.87 |
Psk | string | No | The pre-shared key that is used to verify identities between the tunnel and the peer. Note: the pre-shared key configured for the tunnel and for the tunnel peer must be identical; otherwise, the tunnel cannot be established. The key is also returned in the response body (see the sample response), so treat responses as secrets and do not log them verbatim. | 123456**** |
RemoteId | string | No | The peer identifier. The identifier can be up to 100 characters in length, and supports FQDNs and IP addresses. The default identifier is the IP address of the customer gateway associated with the tunnel. | 47.XX.XX.207 |
TunnelIpsecConfig | object | No | The configurations of IPsec Phase 2. | |
IpsecAuthAlg | string | No | The authentication algorithm that is used in IPsec Phase 2 negotiations. As with IkeAuthAlg, prefer a SHA-2 algorithm over the sha1 shown in the example. | sha1 |
IpsecEncAlg | string | No | The encryption algorithm that is used in IPsec Phase 2 negotiations. | aes |
IpsecLifetime | long | No | The SA lifetime that is used in IPsec Phase 2 negotiations. Unit: seconds. Valid values: 0 to 86400. | 86400 |
IpsecPfs | string | No | The DH key exchange algorithm that is used in IPsec Phase 2 negotiations. Valid values: disabled, group1, group2, group5, and group14. The value disabled turns off perfect forward secrecy for Phase 2, so Phase 2 keys are derived from the Phase 1 secret alone. | group2 |
RegionId | string | No | The ID of the region in which the IPsec connection is established. You can call the DescribeRegions operation to query the region ID. | cn-hangzhou |
VpnConnectionId | string | Yes | The ID of the IPsec connection. | vco-gw69vm1i71y354**** |
TunnelId | string | Yes | The tunnel ID. | tun-gbyz2e070xzo93**** |
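The table states several constraints (the TunnelCidr range and mask, LocalBgpIp inside that CIDR, the ASN and lifetime ranges, the PFS groups, identifier length) that the API enforces only after a round trip, and it says nothing about whether a configuration that passes them is actually strong. The following is an added example, not code from the page or the Alibaba Cloud SDKs: it checks a `TunnelOptionsSpecification` object against the table's constraints and separately warns about dated choices (IKEv1, aggressive mode, non-SHA-2 hashes, DH groups below 2048 bits, Phase 2 PFS disabled). Which choices count as weak is this example's policy, and the IkeMode value `aggressive` and hash name `md5` are assumptions not listed on the page.

```python
"""Added example, not code from the Alibaba Cloud page or its SDKs: check a
TunnelOptionsSpecification object against the constraints the parameter
table states (hard errors) and flag dated IKE/IPsec choices (warnings).
Which choices count as weak is this example's policy, not something the
page or the API specifies."""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
IKE_PFS = {"group1", "group2", "group5", "group14"}   # valid values from the table
IPSEC_PFS = IKE_PFS | {"disabled"}                     # valid values from the table
WEAK_DH = {"group1", "group2", "group5"}               # assumed: MODP modulus below 2048 bits
WEAK_HASH = {"md5", "sha1"}                            # assumed: anything that is not SHA-2


def _in_range(value, lo, hi):
    return isinstance(value, int) and lo <= value <= hi


def validate_tunnel_options(opts):
    """Return hard errors for the constraints stated in the parameter table."""
    errors = []
    bgp = opts.get("TunnelBgpConfig", {})
    ike = opts.get("TunnelIkeConfig", {})
    ipsec = opts.get("TunnelIpsecConfig", {})
    if "LocalAsn" in bgp and not _in_range(bgp["LocalAsn"], 1, 4294967295):
        errors.append("LocalAsn must be 1..4294967295")
    cidr = None
    if "TunnelCidr" in bgp:
        try:
            cidr = ipaddress.ip_network(bgp["TunnelCidr"])   # strict: host bits must be zero
        except ValueError:
            errors.append("TunnelCidr is not a valid network address")
        else:
            if not cidr.subnet_of(LINK_LOCAL):
                errors.append("TunnelCidr must fall within 169.254.0.0/16")
            if cidr.prefixlen != 30:
                errors.append("TunnelCidr mask must be 30 bits")
    if "LocalBgpIp" in bgp:
        try:
            ip = ipaddress.ip_address(bgp["LocalBgpIp"])
        except ValueError:
            errors.append("LocalBgpIp is not a valid IP address")
        else:
            if cidr is not None and ip not in cidr:
                errors.append("LocalBgpIp must fall within TunnelCidr")
    for section, key, allowed in ((ike, "IkeVersion", {"ikev1", "ikev2"}),
                                  (ike, "IkePfs", IKE_PFS), (ipsec, "IpsecPfs", IPSEC_PFS)):
        if key in section and section[key] not in allowed:
            errors.append(f"{key} must be one of " + ", ".join(sorted(allowed)))
    for section, key in ((ike, "IkeLifetime"), (ipsec, "IpsecLifetime")):
        if key in section and not _in_range(section[key], 0, 86400):
            errors.append(f"{key} must be 0..86400 seconds")
    for key in ("LocalId", "RemoteId"):
        if key in ike and len(ike[key]) > 100:
            errors.append(f"{key} may be at most 100 characters")
    return errors


def weak_choices(opts):
    """Return advisory warnings; passing validation does not make a tunnel strong."""
    warnings = []
    ike = opts.get("TunnelIkeConfig", {})
    ipsec = opts.get("TunnelIpsecConfig", {})
    if ike.get("IkeVersion") == "ikev1":
        warnings.append("IkeVersion=ikev1: prefer ikev2 when the peer supports it")
    if ike.get("IkeMode") == "aggressive":
        warnings.append("IkeMode=aggressive: PSK identity hash is sent in the clear")
    for section, key in ((ike, "IkeAuthAlg"), (ipsec, "IpsecAuthAlg")):
        if section.get(key) in WEAK_HASH:
            warnings.append(f"{key}={section[key]}: prefer a SHA-2 algorithm")
    for section, key in ((ike, "IkePfs"), (ipsec, "IpsecPfs")):
        if section.get(key) in WEAK_DH:
            warnings.append(f"{key}={section[key]}: DH group below 2048 bits, prefer group14")
    if ipsec.get("IpsecPfs") == "disabled":
        warnings.append("IpsecPfs=disabled: Phase 2 keys depend on the Phase 1 secret alone")
    return warnings


# The example values from the parameter table, minus the Psk so nothing secret is printed.
SAMPLE = {
    "EnableDpd": True, "EnableNatTraversal": True,
    "TunnelBgpConfig": {"LocalAsn": 65530, "LocalBgpIp": "169.254.11.1",
                        "TunnelCidr": "169.254.11.0/30"},
    "TunnelIkeConfig": {"IkeAuthAlg": "sha1", "IkeEncAlg": "aes", "IkeLifetime": 86400,
                        "IkeMode": "main", "IkePfs": "group2", "IkeVersion": "ikev2",
                        "LocalId": "47.XX.XX.87", "RemoteId": "47.XX.XX.207"},
    "TunnelIpsecConfig": {"IpsecAuthAlg": "sha1", "IpsecEncAlg": "aes",
                          "IpsecLifetime": 86400, "IpsecPfs": "group2"},
}

if __name__ == "__main__":
    print("errors:", validate_tunnel_options(SAMPLE) or "none")
    for warning in weak_choices(SAMPLE):
        print("warning:", warning)
```

Run against the table's own example values, the check reports no hard errors but four warnings (sha1 in both phases, group2 in both phases): the sample is valid input for the API, not a recommendation.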
Response parameters
Examples
Sample success responses
JSON format:

```json
{
  "TunnelId": "tun-gbyz2e070xzo93****",
  "RequestId": "E6F36FF0-9544-3AEE-8673-A4647D50064C",
  "TunnelIkeConfig": {
    "IkeAuthAlg": "sha1",
    "IkeEncAlg": "aes",
    "IkeLifetime": 86400,
    "IkeMode": "main",
    "IkePfs": "group2",
    "IkeVersion": "ikev2",
    "LocalId": "47.XX.XX.87",
    "Psk": "123456****",
    "RemoteId": "47.XX.XX.207"
  },
  "TunnelIpsecConfig": {
    "IpsecAuthAlg": "sha1",
    "IpsecEncAlg": "aes",
    "IpsecLifetime": 86400,
    "IpsecPfs": "group2"
  },
  "TunnelBgpConfig": {
    "EnableBgp": true,
    "LocalAsn": 65530,
    "LocalBgpIp": "169.254.11.1",
    "PeerAsn": 65531,
    "PeerBgpIp": "169.254.11.2",
    "TunnelCidr": "169.254.11.0/30"
  },
  "EnableNatTraversal": true,
  "EnableDpd": true,
  "RemoteCaCertificate": "-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----",
  "CustomerGatewayId": "cgw-p0wx48ayhrygitm80****",
  "Role": "master",
  "ZoneNo": "cn-hangzhou-h",
  "InternetIp": "47.XX.XX.87",
  "State": "active"
}
```
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
400 | VpnGateway.Configuring | The specified service is configuring. | The service is being configured. Try again later. |
400 | VpnGateway.FinancialLocked | The specified service is financial locked. | The service is suspended due to overdue payments. Top up your account first. |
400 | InvalidName | The name is not valid | The name format is invalid. |
400 | VpnRouteEntry.AlreadyExists | The specified route entry is already exist. | The route already exists. |
400 | VpnRouteEntry.Conflict | The specified route entry has conflict. | Route conflicts exist. |
400 | NotSupportVpnConnectionParameter.IpsecPfs | The specified vpn connection ipsec Ipsec Pfs is not support. | The PFS parameter set for the IPsec-VPN connection is not supported. |
400 | NotSupportVpnConnectionParameter.IpsecAuthAlg | The specified vpn connection ipsec Auth Alg is not support. | The authentication algorithm specified for the IPsec-VPN connection is not supported. |
400 | VpnConnectionParamInvalid.SameVpnAndCgwDifferentIkeConfigs | IPSec connections associated with the same user gateway and VPN gateway should have the same pre-shared key and IKE configuration. | The pre-shared key and IKE parameters must be the same for IPsec-VPN connections that are associated with the same VPN gateway and customer gateway. |
400 | VpnConnectionParamInvalid.SameVpnAndCgwTrafficSelectorOverlap | Traffic selectors of IPSec connections associated with the same user gateway and VPN gateway should not overlap. | The protected data flows of IPsec-VPN connections that are associated with the same VPN gateway and customer gateway cannot overlap. |
400 | IllegalParam.LocalAsn | The param of LocalAsn is illegal | The LocalAsn parameter is set to an invalid value. |
400 | IllegalParam.LocalBgpIp | The specified LocalBgpIp is invalid. | The local BGP IP address is invalid. |
400 | VpnGateway.task.conflict | The VPN is in the configuration state, please wait a while before operating. | The VPN gateway is still being configured by another task. Wait a while and try again. |
400 | ModifyIkeV1WithMultiRoutes.Invalid | Failed to modify VPN connection parameters. Multi-network is configured while using IkeV1 protocol. | The parameters cannot be modified because multiple networks are configured while the connection uses IKEv1. |
403 | Forbbiden.SubUser | User not authorized to operate on the specified resource as your account is created by another user. | You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again. |
403 | Forbidden | User not authorized to operate on the specified resource. | You do not have the permissions to manage the specified resource. Apply for the permissions and try again. |
404 | InvalidVpnConnectionInstanceId.NotFound | The specified vpn connection instance id does not exist. | The specified IPsec connection ID does not exist. |
For a list of error codes, visit the Service error codes.
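The table mixes three kinds of failure: transient state (`VpnGateway.Configuring`, `VpnGateway.task.conflict`), requests the caller must change (`IllegalParam.*`, `NotSupportVpnConnectionParameter.*`, the `VpnConnectionParamInvalid.*` conflicts), and conditions no retry will fix (`Forbidden`, `Forbbiden.SubUser`, `VpnGateway.FinancialLocked`, the 404). The following is an added example, not code from the page or the Alibaba Cloud SDKs: it sorts failures by those codes, retries only the transient ones with capped, jittered backoff, and sends the same parameters (and therefore the same ClientToken) on every attempt so a retry cannot apply the change twice. The JSON error envelope (`Code`, `Message`, `RequestId`), the HTTP client stand-in and the canned responses are this example's constructions.

```python
"""Added example, not code from the page or the Alibaba Cloud SDKs: sort
ModifyTunnelAttribute failures by the error codes in the table above into
retry, fix the request, or stop, and retry the transient ones with capped,
jittered backoff while reusing the same ClientToken. The error envelope
shape (Code, Message, RequestId) and the retry policy are this example's
assumptions."""
import json
import random
import time

RETRY = {"VpnGateway.Configuring", "VpnGateway.task.conflict"}
FIX_REQUEST = {
    "InvalidName", "VpnRouteEntry.AlreadyExists", "VpnRouteEntry.Conflict",
    "NotSupportVpnConnectionParameter.IpsecPfs", "NotSupportVpnConnectionParameter.IpsecAuthAlg",
    "VpnConnectionParamInvalid.SameVpnAndCgwDifferentIkeConfigs",
    "VpnConnectionParamInvalid.SameVpnAndCgwTrafficSelectorOverlap",
    "IllegalParam.LocalAsn", "IllegalParam.LocalBgpIp", "ModifyIkeV1WithMultiRoutes.Invalid",
}
STOP = {"VpnGateway.FinancialLocked", "Forbbiden.SubUser", "Forbidden",
        "InvalidVpnConnectionInstanceId.NotFound"}


class ApiError(Exception):
    def __init__(self, status, code, message, request_id, verdict):
        super().__init__(f"HTTP {status} {code}: {message} (RequestId={request_id}; {verdict})")
        self.status, self.code, self.request_id, self.verdict = status, code, request_id, verdict


def classify(code):
    """retry: transient state; fix: caller must change the request; stop: do not retry."""
    if code in RETRY:
        return "retry"
    if code in FIX_REQUEST:
        return "fix"
    return "stop"   # unknown codes fail closed rather than loop


def backoff_seconds(attempt, base=2.0, cap=60.0, rng=random.random):
    """Exponential delay capped at `cap`, scaled by a jitter factor in [0.5, 1.0]."""
    return min(cap, base * 2 ** attempt) * (0.5 + 0.5 * rng())


def call_with_retry(send, params, max_attempts=5, sleep=time.sleep):
    """send(params) -> (http_status, body_dict). Returns the success body.
    params is sent unchanged on every attempt, so the ClientToken it carries
    keeps the retries idempotent."""
    last = None
    for attempt in range(max_attempts):
        status, body = send(params)
        if status == 200:
            return body
        code = body.get("Code", "")
        last = ApiError(status, code, body.get("Message", ""), body.get("RequestId", ""),
                        classify(code))
        if last.verdict != "retry":
            raise last
        sleep(backoff_seconds(attempt))
    raise last or ValueError("max_attempts must be at least 1")


def scripted_sender(responses):
    """Constructed stand-in for the HTTP client: replays canned (status, json_text)
    pairs and records every request so the retry behaviour can be inspected."""
    calls = []

    def send(params):
        calls.append(dict(params))
        status, raw = responses[min(len(calls), len(responses)) - 1]
        return status, json.loads(raw)

    send.calls = calls
    return send


# Constructed responses built from codes and messages in the error table above.
CONFIGURING = (400, '{"RequestId": "E6F36FF0-9544-3AEE-8673-A4647D50064C", '
                    '"Code": "VpnGateway.Configuring", "Message": "The specified service is configuring."}')
FORBIDDEN = (403, '{"RequestId": "E6F36FF0-9544-3AEE-8673-A4647D50064C", '
                  '"Code": "Forbidden", "Message": "User not authorized to operate on the specified resource."}')
OK = (200, '{"RequestId": "E6F36FF0-9544-3AEE-8673-A4647D50064C", '
           '"TunnelId": "tun-gbyz2e070xzo93****", "State": "active"}')

if __name__ == "__main__":
    send = scripted_sender([CONFIGURING, CONFIGURING, OK])
    body = call_with_retry(send, {"Action": "ModifyTunnelAttribute", "ClientToken": "t-1"},
                           sleep=lambda s: None)
    print("succeeded after", len(send.calls), "attempts:", body["State"])
    try:
        call_with_retry(scripted_sender([FORBIDDEN]), {"Action": "ModifyTunnelAttribute"})
    except ApiError as err:
        print("gave up:", err)
```

Unknown codes are treated as stop rather than retry; looping on an unclassified error against a gateway that is mid-configuration only extends the window in which the tunnel is in an undefined state.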
Change history
Change time | Summary of changes |
---|---|
2024-10-24 | The error codes have changed. |
2024-01-04 | API description updated; the error codes have changed. |
2023-08-21 | The error codes have changed. |