All Products
Search
Document Center

VPN Gateway:ModifyVpnConnectionAttribute

最終更新日:Dec 20, 2024

Modifies the configuration of an IPsec-VPN connection.

Operation description

  • If you want to modify a IPsec-VPN connection in dual-tunnel mode, call the ModifyVpnConnectionAttribute operation. You can modify the required parameters and the following request parameters:

    ClientToken, Name, LocalSubnet, RemoteSubnet, EffectImmediately, AutoConfigRoute, TunnelOptionsSpecification, and EnableTunnelsBgp.

  • If you want to modify a IPsec-VPN connection in single-tunnel mode, call the ModifyVpnConnectionAttribute operation. You can modify the required parameters and the following request parameters:

    ClientToken, Name, LocalSubnet, RemoteSubnet, EffectImmediately, IkeConfig, IpsecConfig, HealthCheckConfig, AutoConfigRoute, EnableDpd, EnableNatTraversal, BgpConfig, and RemoteCaCertificate.

  • ModifyVpnConnectionAttribute is an asynchronous operation. After a request is sent, the system returns a request ID and modifies the configuration of the IPsec-VPN connection in the backend. You can call the DescribeVpnGateway operation to query the status of a VPN gateway.

    • If the VPN gateway is in the updating state, the configuration of the IPsec-VPN connection is being modified.
    • If the VPN gateway is in the active state, the configuration of the IPsec-VPN connection is modified.
  • You cannot repeatedly call the ModifyVpnConnectionAttribute operation for the same VPN gateway within the specified period of time.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
vpc:ModifyVpnConnectionAttributeupdate
*VpnConnection
acs:vpc:{#regionId}:{#accountId}:vpnconnection/{#VpnConnectionId}
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
RegionIdstringYes

The ID of the region in which the IPsec-VPN connection is created.

You can call the DescribeRegions operation to query the most recent region list.

cn-shanghai
ClientTokenstringNo

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the token, but you must make sure that the token is unique among different requests. The token can contain only ASCII characters.

Note If you do not specify this parameter, the system automatically uses the value of RequestId as the value of ClientToken. The request ID may be different for each request.
02fb3da4-130e-11e9-8e44-0016e04115b
VpnConnectionIdstringYes

The ID of the IPsec-VPN connection.

vco-bp1bbi27hojx80nck****
NamestringNo

The name of the IPsec-VPN connection.

The name must be 1 to 100 characters in length and cannot start with http:// or https://.

nametest
LocalSubnetstringNo

The CIDR block used to connect the virtual private cloud (VPC) to the data center. The CIDR block is used in Phase 2 negotiations.

Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24.

The following routing modes are supported:

  • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is set to Destination Routing Mode.
  • If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is set to Protected Data Flows.
10.1.1.0/24,10.1.2.0/24
RemoteSubnetstringNo

The CIDR block on the data center side. This CIDR block is used in Phase 2 negotiations.

Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24.

The following routing modes are supported:

  • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is set to Destination Routing Mode.
  • If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is set to Protected Data Flows.
10.2.1.0/24,10.2.2.0/24
EffectImmediatelybooleanNo

Specifies whether to immediately start IPsec negotiations after the configuration takes effect. Valid values:

  • true: immediately starts IPsec negotiations after the configuration takes effect.
  • false: IPsec negotiations start when inbound traffic is detected.
false
IkeConfigstringNo

This parameter is supported if you modify the configurations of an IPsec-VPN connection in single-tunnel mode.

The configurations of Phase 1 negotiations:

  • IkeConfig.Psk: The pre-shared key that is used for identity authentication between the VPN gateway and the on-premises data center.

    • The key cannot contain space characters. The key must be 1 to 100 characters in length, and can contain digits, letters, and the following special characters: ~!`@#$%^&*()_-+={}[]|;:',.<>/?
    • If you do not specify a pre-shared key, the system randomly generates a 16-bit string as the pre-shared key. You can call the DescribeVpnConnection operation to query the pre-shared key that is automatically generated by the system.

    **

    Description The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the on-premises data center. Otherwise, connections between the on-premises data center and the VPN gateway cannot be established.

  • IkeConfig.IkeVersion: the version of the Internet Key Exchange (IKE) protocol. Valid values: ikev1 and ikev2.

    Compared with IKEv1, IKEv2 simplifies the security association (SA) negotiation process and provides better support for scenarios with multiple CIDR blocks.

  • IkeConfig.IkeMode: the negotiation mode of IKE. Valid values: main and aggressive.

    • main: This mode offers higher security during negotiations.
    • aggressive: This mode supports faster negotiations and a higher success rate.
  • IkeConfig.IkeEncAlg: the encryption algorithm that is used in Phase 1 negotiations.

    Valid values: aes, aes192, aes256, des, and 3des.

  • IkeConfig.IkeAuthAlg: the authentication algorithm that is used in Phase 1 negotiations.

    Valid values: md5, sha1, sha256, sha384, and sha512.

  • IkeConfig.IkePfs: the Diffie-Hellman key exchange algorithm that is used in Phase 1 negotiations. Valid values: group1, group2, group5, and group14.

  • IkeConfig.IkeLifetime: the SA lifetime as a result of Phase 1 negotiations. Unit: seconds Valid values: 0 to 86400.

  • IkeConfig.LocalId: the identifier of the VPN gateway. The identifier cannot exceed 100 characters in length and cannot contain space characters. The default value is the IP address of the VPN gateway.

  • IkeConfig.RemoteId: the identifier of the customer gateway. The identifier cannot exceed 100 characters in length and cannot contain space characters. The default value is the IP address of the customer gateway.

{"Psk":"pgw6dy7d1i8i****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"116.64.XX.XX","RemoteId":"139.18.XX.XX"}
IpsecConfigstringNo

You can specify this parameter if you modify the configuration of a single-tunnel IPsec-VPN connection.

The configuration of Phase 2 negotiations:

  • IpsecConfig.IpsecEncAlg: the encryption algorithm that is used in Phase 2 negotiations.

    Valid values: aes, aes192, aes256, des, and 3des.

  • IpsecConfig. IpsecAuthAlg: the authentication algorithm that is used in Phase 2 negotiations.

    Valid values: md5, sha1, sha256, sha384, and sha512.

  • IpsecConfig. IpsecPfs: the DH key exchange algorithm that is used in Phase 1 negotiations. If you specify this parameter, packets of all protocols are forwarded. Valid values: disabled, group1, group2, group5, and group14.

  • IpsecConfig. IpsecLifetime: the SA lifetime that is determined by Phase 2 negotiations. Unit: seconds. Valid values: 0 to 86400.

{"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}
HealthCheckConfigstringNo

You can specify this parameter if you modify the configuration of a single-tunnel IPsec-VPN connection.

The health check configuration:

  • HealthCheckConfig.enable: specifies whether to enable health checks. Valid values: true and false.
  • HealthCheckConfig.dip: the destination IP address that is used for health checks.
  • HealthCheckConfig.sip: the source IP address that is used for health checks.
  • HealthCheckConfig.interval: the interval between two consecutive health checks. Unit: seconds.
  • HealthCheckConfig.retry: the maximum number of health check retries.
{"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3"}
AutoConfigRoutebooleanNo

Specifies whether to automatically advertise routes. Valid values:

  • true
  • false
true
EnableDpdbooleanNo

You can specify this parameter if you modify the configuration of a single-tunnel IPsec-VPN connection.

Specifies whether to enable the dead peer detection (DPD) feature. Valid values:

  • true:: enables the DPD feature. The initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no feedback is received from the peer within a specific period of time, the connection fails. Then, the ISAKMP SA, IPsec SA, and IPsec tunnel are deleted.
  • false: disables the DPD feature. The initiator of the IPsec-VPN connection does not send DPD packets.
true
EnableNatTraversalbooleanNo

You can specify this parameter if you modify the configuration of a single-tunnel IPsec-VPN connection.

Specifies whether to enable NAT traversal. Valid values:

  • true After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.
  • false
true
BgpConfigstringNo

This parameter is supported if you modify the configurations of an IPsec-VPN connection in single-tunnel mode.

BGP configuration:

  • BgpConfig.EnableBgp: specifies whether to enable BGP. Valid values: true and false.

  • BgpConfig.LocalAsn: the autonomous system number (ASN) on the Alibaba Cloud side. Valid values: 1 to 4294967295.

    You can enter a value in two segments separated by a period (.). Each segment is 16 bits in length. Enter the number in each segment in decimal format.

    For example, if you enter 123.456, the ASN is 8061384. The ASN is calculated by using the following formula: 123 × 65536 + 456 = 8061384.

  • BgpConfig.TunnelCidr: The CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16 and the mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30.

    Note The CIDR block of the IPsec tunnel for each IPsec-VPN connection on a VPN gateway must be unique.
  • LocalBgpIp: the BGP address on the Alibaba Cloud side. It must be an IP address that falls within the CIDR block of the IPsec tunnel.

Note
  • This parameter is required when the VPN gateway has dynamic BGP enabled.
  • Before you add BGP configurations, we recommend that you learn about how BGP dynamic routing works and the limits. For more information, see Configure BGP dynamic routing.
  • We recommend that you use a private ASN to establish BGP connections to Alibaba Cloud. For information about the range of private ASNs, see the relevant documentation.
  • {"EnableBgp":"true","LocalAsn":"65530","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}
    RemoteCaCertificatestringNo

    You can specify this parameter if you modify the configuration of a single-tunnel IPsec-VPN connection.

    If the VPN gateway uses a ShangMi (SM) certificate, you can modify the CA certificate used by the IPsec peer.

    If the VPN gateway does not use an SM certificate, you cannot specify this parameter.

    -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----
    TunnelOptionsSpecificationarray<object>No

    The tunnel configurations.

    You can specify parameters in the TunnelOptionsSpecification array when you modify the configurations of an IPsec-VPN connection in dual-tunnel mode. You can modify the configurations of both the active and standby tunnels of the IPsec-VPN connection.

    objectNo

    The tunnel configurations.

    TunnelIdstringNo

    The tunnel ID.

    tun-opsqc4d97wni27****
    CustomerGatewayIdstringNo

    The ID of the customer gateway associated with the tunnel.

    cgw-1nmwbpgrp7ssqm1yn****
    RolestringNo

    The tunnel role. Valid values:

    • master: The tunnel is an active tunnel.
    • slave: The tunnel is a standby tunnel.
    master
    EnableDpdbooleanNo

    Specifies whether to enable the Dead Peer Detection (DPD) feature for the tunnel. Valid values:

    • true: enables DPD. The initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no feedback is received from the peer within the specified period of time, the connection fails. In this case, ISAKMP SA and IPsec SA are deleted. The security tunnel is also deleted.
    • false: disables DPD. The initiator of the IPsec-VPN connection does not send DPD packets.
    true
    EnableNatTraversalbooleanNo

    Specifies whether to enable NAT traversal for the tunnel. Valid values:

    • true: enables NAT traversal. After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec-VPN tunnel.
    • false: disables NAT traversal.
    true
    RemoteCaCertificatestringNo

    If the VPN gateway uses an SM certificate, you can modify the CA certificate used by the IPsec peer.

    If the VPN gateway does not use an SM certificate, this parameter is not supported.

    -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----
    TunnelBgpConfigobjectNo

    The Border Gateway Protocol (BGP) configurations of the tunnel.

    LocalAsnlongNo

    The ASN of the tunnel on the Alibaba Cloud side. Valid values: 1 to 4294967295. Default value: 45104.

    Note You can specify this parameter only if EnableTunnelsBgp is set to true.
    • Before you add BGP configurations, we recommend that you learn about how BGP dynamic routing works and the limits. For more information, see Configure BGP dynamic routing.

    • We recommend that you use a private ASN to establish BGP connections to Alibaba Cloud. For information about the range of private ASNs, see the relevant documentation.

    65530
    LocalBgpIpstringNo

    The BGP IP address of the tunnel on the Alibaba Cloud side. The address is an IP address that falls within the BGP CIDR block.

    169.254.10.1
    TunnelCidrstringNo

    The BGP CIDR block of the tunnel.

    The CIDR block must fall within 169.254.0.0/16 and the mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30.

    Note The BGP CIDR block of each tunnel must be unique on a VPN gateway.
    169.254.10.0/30
    TunnelIkeConfigobjectNo

    The configurations of Phase 1 negotiations.

    IkeAuthAlgstringNo

    The authentication algorithm that is used in Phase 1 negotiations.

    Valid values: md5, sha1, sha256, sha384, and sha512.

    md5
    IkeEncAlgstringNo

    The encryption algorithm that is used in Phase 1 negotiations.

    Valid values: aes, aes192, aes256, des, and 3des.

    aes
    IkeLifetimelongNo

    The SA lifetime as a result of Phase 1 negotiations. Unit: seconds Valid values: 0 to 86400.

    86400
    IkeModestringNo

    The negotiation mode of IKE. Valid values:

    • main: This mode offers higher security during negotiations.
    • aggressive: This mode supports faster negotiations and a higher success rate.
    main
    IkePfsstringNo

    The Diffie-Hellman key exchange algorithm that is used in Phase 1 negotiations. Valid values: group1, group2, group5, and group14.

    group2
    IkeVersionstringNo

    The version of the IKE protocol. Valid values: ikev1 and ikev2.

    Compared with IKEv1, IKEv2 simplifies the SA negotiation process and provides better support for scenarios with multiple CIDR blocks.

    ikev1
    LocalIdstringNo

    The identifier on the Alibaba Cloud side, which is used in Phase 1 negotiations. The identifier cannot exceed 100 characters in length and cannot contain space characters. The default value is the IP address of the tunnel.

    LocalId supports fully qualified domain names (FQDNs). If you use an FQDN, we recommend that you set the negotiation mode to aggressive.

    47.21.XX.XX
    PskstringNo

    The pre-shared key, which is used for identity authentication between the tunnel and the tunnel peer.

    • The key cannot contain space characters. The key must be 1 to 100 characters in length, and can contain digits, letters, and the following special characters: ~!\`@#$%^&*()_-+={}[]|;:',.<>/?
    • If you do not specify a pre-shared key, the system randomly generates a 16-bit string as the pre-shared key. You can call the DescribeVpnConnection operation to query the pre-shared key that is automatically generated by the system.
    Note The tunnel and the tunnel peer must use the same pre-shared key. Otherwise, the tunnel cannot be built.
    123456****
    RemoteIdstringNo

    The identifier of the tunnel peer, which is used in Phase 1 negotiations. The identifier cannot exceed 100 characters in length and cannot contain space characters. The default value is the IP address of the customer gateway that is associated with the tunnel.

    RemoteId supports FQDNs. If you use an FQDN, we recommend that you set the negotiation mode to aggressive.

    47.42.XX.XX
    TunnelIpsecConfigobjectNo

    The configurations of Phase 2 negotiations.

    IpsecAuthAlgstringNo

    The authentication algorithm that is used in Phase 2 negotiations.

    Valid values: md5, sha1, sha256, sha384, and sha512.

    md5
    IpsecEncAlgstringNo

    The encryption algorithm that is used in Phase 2 negotiations.

    Valid values: aes, aes192, aes256, des, and 3des.

    aes
    IpsecLifetimeintegerNo

    The SA lifetime as a result of Phase 2 negotiations. Unit: seconds Valid values: 0 to 86400.

    86400
    IpsecPfsstringNo

    The Diffie-Hellman key exchange algorithm that is used in Phase 2 negotiations.

    Valid values: disabled, group1, group2, group5, and group14.

    group2
    EnableTunnelsBgpbooleanNo

    You can specify this parameter if you modify the configuration of a dual-tunnel IPsec-VPN connection.

    Specifies whether to enable BGP for the tunnel. Valid values: true and false.

    true

    Response parameters

    ParameterTypeDescriptionExample
    object

    The returned data.

    EnableNatTraversalboolean

    Indicates whether NAT traversal is enabled for the IPsec-VPN connection. Valid values: Valid values:

    • false
    • true

    This parameter is returned only for single-tunnel IPsec-VPN connections.

    true
    CreateTimelong

    The timestamp generated when the IPsec-VPN connection was established. Unit: milliseconds.

    This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.

    1492753817000
    EffectImmediatelyboolean

    Indicates whether IPsec negotiations immediately start after the configuration takes effect. Valid values:

    • true: IPsec negotiations immediately start after the configuration takes effect.
    • false: IPsec negotiations start when inbound traffic is detected.
    false
    VpnGatewayIdstring

    The ID of the VPN gateway.

    vpn-bp1q8bgx4xnkm2ogj****
    LocalSubnetstring

    The CIDR block on the VPC side.

    10.1.1.0/24,10.1.2.0/24
    RequestIdstring

    The request ID.

    7DB79D0C-5F27-4AB5-995B-79BE55102F90
    VpnConnectionIdstring

    The ID of the IPsec-VPN connection.

    vco-bp1bbi27hojx80nck****
    Descriptionstring

    The description of the IPsec-VPN connection.

    description
    RemoteSubnetstring

    The CIDR block on the data center side.

    10.2.1.0/24,10.2.2.0/24
    CustomerGatewayIdstring

    The ID of the customer gateway associated with the IPsec-VPN connection.

    This parameter is returned only for single-tunnel IPsec-VPN connections.

    cgw-p0w2jemrcj5u61un8****
    Namestring

    The name of the IPsec-VPN connection.

    nametest
    EnableDpdboolean

    Indicates whether the DPD feature is enabled for the IPsec-VPN connection. Valid values:

    • false
    • true

    This parameter is returned only for single-tunnel IPsec-VPN connections.

    true
    IkeConfigobject

    The configuration of Phase 1 negotiations.

    IkeConfig parameters are returned only for single-tunnel IPsec-VPN connections.

    RemoteIdstring

    The identifier on the data center side. The default value is the IP address of the customer gateway. The value can be a FQDN or an IP address.

    139.18.XX.XX
    IkeLifetimelong

    The lifetime in the IKE phase. Unit: seconds.

    86400
    IkeEncAlgstring

    The encryption algorithm in the IKE phase.

    aes
    LocalIdstring

    The identifier on the VPC side. The default value is the IP address of the VPN gateway. The value can be an FQDN or an IP address.

    116.64.XX.XX
    IkeModestring

    The IKE negotiation mode.

    • main: This mode offers higher security during negotiations.
    • aggressive: This mode is faster and has a higher success rate.
    main
    IkeVersionstring

    The version of the IKE protocol.

    • ikev1
    • ikev2

    Compared with IKEv1, IKEv2 simplifies the SA negotiation process and is more suitable for scenarios in which multiple CIDR blocks are used.

    ikev1
    IkePfsstring

    The DH group in the IKE phase.

    group2
    Pskstring

    The pre-shared key.

    pgw6dy7d1i8i****
    IkeAuthAlgstring

    The authentication algorithm in the IKE phase.

    sha1
    IpsecConfigobject

    The configuration of Phase 2 negotiations.

    IpsecConfig parameters are returned only for single-tunnel IPsec-VPN connections.

    IpsecAuthAlgstring

    The authentication algorithm in the IPsec phase.

    sha1
    IpsecLifetimelong

    The lifetime in the IPsec phase. Unit: seconds.

    86400
    IpsecEncAlgstring

    The encryption algorithm in the IPsec phase.

    aes
    IpsecPfsstring

    The DH group in the IPsec phase.

    group2
    VcoHealthCheckobject

    The health check configuration.

    VcoHealthCheck parameters are returned only for single-tunnel IPsec-VPN connections.

    Dipstring

    The destination IP address.

    192.168.1.1
    Intervalinteger

    The interval between two consecutive health checks. Unit: seconds.

    3
    Retryinteger

    The maximum number of health check retries.

    3
    Sipstring

    The source IP address that is used for health checks.

    10.1.1.1
    Enablestring

    Indicates whether the health check feature is enabled for the IPsec-VPN connection.

    • true
    • false
    true
    VpnBgpConfigobject

    The BGP configuration.

    VpnBgpConfig parameters are returned only for single-tunnel IPsec-VPN connections.

    Statusstring

    The negotiation state of BGP. Valid values:

    • success: normal
    • false: abnormal
    success
    PeerBgpIpstring

    The BGP IP address of the data center.

    169.254.11.2
    TunnelCidrstring

    The BGP CIDR block of the IPsec-VPN connection.

    169.254.11.0/30
    EnableBgpstring

    Indicates whether BGP is enabled. Valid values:

    • true
    • false
    true
    LocalBgpIpstring

    The BGP IP address on the Alibaba Cloud side.

    169.254.11.1
    PeerAsninteger

    The ASN on the data center side.

    65531
    LocalAsninteger

    The ASN on the Alibaba Cloud side.

    65530
    TunnelOptionsSpecificationarray<object>

    The tunnel configuration of the IPsec-VPN connection.

    TunnelOptionsSpecification parameters are returned only for dual-tunnel IPsec-VPN connections.

    TunnelOptionsobject

    The tunnel configurations of the IPsec-VPN connection.

    CustomerGatewayIdstring

    The ID of the customer gateway associated with the tunnel.

    cgw-p0wy363lucf1uyae8****
    EnableDpdboolean

    Indicates whether the DPD feature is enabled for the tunnel. Valid values:

    • false
    • true
    true
    EnableNatTraversalboolean

    Indicates whether NAT traversal is enabled for the tunnel. Valid values:

    • false
    • true
    true
    InternetIpstring

    The IP address on the Alibaba Cloud side.

    47.21.XX.XX
    RemoteCaCertificatestring

    The CA certificate of the tunnel peer.

    This parameter is returned only if the VPN gateway is of the SM type.

    -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----
    Rolestring

    The tunnel role. Valid values:

    • master: The tunnel is an active tunnel.
    • slave: The tunnel is a standby tunnel.
    master
    Statestring

    The tunnel status. Valid values:

    • active
    • updating
    • deleting
    active
    TunnelBgpConfigobject

    The BGP configuration.

    LocalAsnlong

    The ASN of the tunnel on the Alibaba Cloud side.

    65530
    LocalBgpIpstring

    The BGP IP address of the tunnel on the Alibaba Cloud side.

    169.254.10.1
    PeerAsnlong

    The ASN of the tunnel peer.

    65531
    PeerBgpIpstring

    The BGP IP address of the tunnel peer.

    169.254.10.2
    TunnelCidrstring

    The BGP CIDR block of the tunnel.

    169.254.10.0/30
    TunnelIdstring

    The tunnel ID.

    tun-opsqc4d97wni27****
    TunnelIkeConfigobject

    The configuration of Phase 1 negotiations.

    IkeAuthAlgstring

    The authentication algorithm in the IKE phase.

    sha1
    IkeEncAlgstring

    The encryption algorithm in the IKE phase.

    aes
    IkeLifetimelong

    The lifetime in the IKE phase. Unit: seconds.

    86400
    IkeModestring

    The IKE negotiation mode.

    • main: This mode offers higher security during negotiations.
    • aggressive: This mode is faster and has a higher success rate.
    main
    IkePfsstring

    The DH group in the IKE phase.

    group2
    IkeVersionstring

    The version of the IKE protocol.

    ikev1
    LocalIdstring

    The identifier of the tunnel on the Alibaba Cloud side.

    47.21.XX.XX
    Pskstring

    The pre-shared key.

    123456****
    RemoteIdstring

    The identifier of the tunnel peer.

    47.42.XX.XX
    TunnelIpsecConfigobject

    The configuration of Phase 2 negotiations.

    IpsecAuthAlgstring

    The authentication algorithm in the IPsec phase.

    sha1
    IpsecEncAlgstring

    The encryption algorithm in the IPsec phase.

    aes
    IpsecLifetimelong

    The lifetime in the IPsec phase. Unit: seconds.

    86400
    IpsecPfsstring

    The DH group in the IPsec phase.

    group2
    ZoneNostring

    The zone of the tunnel.

    ap-southeast-5a
    EnableTunnelsBgpboolean

    Indicates whether BGP is enabled for the tunnel. Valid values:

    • true
    • false

    This parameter is returned only by dual-tunnel IPsec-VPN connections.

    true
    ResourceGroupIdstring

    The ID of the resource group to which the IPsec-VPN connection belongs.

    The IPsec-VPN connection and the VPN gateway associated with the IPsec-VPN connection belong to the same resource group. You can call the ListResourceGroups operation to query resource groups.

    rg-acfmzs372yg****

    Examples

    Sample success responses

    JSONformat

    {
      "EnableNatTraversal": true,
      "CreateTime": 1492753817000,
      "EffectImmediately": false,
      "VpnGatewayId": "vpn-bp1q8bgx4xnkm2ogj****",
      "LocalSubnet": "10.1.1.0/24,10.1.2.0/24",
      "RequestId": "7DB79D0C-5F27-4AB5-995B-79BE55102F90",
      "VpnConnectionId": "vco-bp1bbi27hojx80nck****",
      "Description": "description",
      "RemoteSubnet": "10.2.1.0/24,10.2.2.0/24",
      "CustomerGatewayId": "cgw-p0w2jemrcj5u61un8****",
      "Name": "nametest",
      "EnableDpd": true,
      "IkeConfig": {
        "RemoteId": "139.18.XX.XX",
        "IkeLifetime": 86400,
        "IkeEncAlg": "aes",
        "LocalId": "116.64.XX.XX",
        "IkeMode": "main",
        "IkeVersion": "ikev1",
        "IkePfs": "group2",
        "Psk": "pgw6dy7d1i8i****",
        "IkeAuthAlg": "sha1"
      },
      "IpsecConfig": {
        "IpsecAuthAlg": "sha1",
        "IpsecLifetime": 86400,
        "IpsecEncAlg": "aes",
        "IpsecPfs": "group2"
      },
      "VcoHealthCheck": {
        "Dip": "192.168.1.1",
        "Interval": 3,
        "Retry": 3,
        "Sip": "10.1.1.1",
        "Enable": "true"
      },
      "VpnBgpConfig": {
        "Status": "success",
        "PeerBgpIp": "169.254.11.2",
        "TunnelCidr": "169.254.11.0/30",
        "EnableBgp": "true",
        "LocalBgpIp": "169.254.11.1",
        "PeerAsn": 65531,
        "LocalAsn": 65530
      },
      "TunnelOptionsSpecification": {
        "TunnelOptions": [
          {
            "CustomerGatewayId": "cgw-p0wy363lucf1uyae8****",
            "EnableDpd": true,
            "EnableNatTraversal": true,
            "InternetIp": "47.21.XX.XX",
            "RemoteCaCertificate": "-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----",
            "Role": "master",
            "State": "active",
            "TunnelBgpConfig": {
              "LocalAsn": 65530,
              "LocalBgpIp": "169.254.10.1",
              "PeerAsn": 65531,
              "PeerBgpIp": "169.254.10.2",
              "TunnelCidr": "169.254.10.0/30"
            },
            "TunnelId": "tun-opsqc4d97wni27****",
            "TunnelIkeConfig": {
              "IkeAuthAlg": "sha1",
              "IkeEncAlg": "aes",
              "IkeLifetime": 86400,
              "IkeMode": "main",
              "IkePfs": "group2",
              "IkeVersion": "ikev1",
              "LocalId": "47.21.XX.XX",
              "Psk": "123456****",
              "RemoteId": "47.42.XX.XX"
            },
            "TunnelIpsecConfig": {
              "IpsecAuthAlg": "sha1",
              "IpsecEncAlg": "aes",
              "IpsecLifetime": 86400,
              "IpsecPfs": "group2"
            },
            "ZoneNo": "ap-southeast-5a"
          }
        ]
      },
      "EnableTunnelsBgp": true,
      "ResourceGroupId": "rg-acfmzs372yg****"
    }

    Error codes

    HTTP status codeError codeError messageDescription
    400VpnGateway.ConfiguringThe specified service is configuring.The service is being configured. Try again later.
    400VpnGateway.FinancialLockedThe specified service is financial locked.The service is suspended due to overdue payments. Top up your account first.
    400InvalidNameThe name is not validThe name format is invalid.
    400VpnRouteEntry.AlreadyExistsThe specified route entry is already exist.The route already exists.
    400VpnRouteEntry.ConflictThe specified route entry has conflict.Route conflicts exist.
    400NotSupportVpnConnectionParameter.IpsecPfsThe specified vpn connection ipsec Ipsec Pfs is not support.The PFS parameter set for the IPsec-VPN connection is not supported.
    400NotSupportVpnConnectionParameter.IpsecAuthAlgThe specified vpn connection ipsec Auth Alg is not support.The authentication algorithm specified for the IPsec-VPN connection is not supported.
    400VpnRouteEntry.ConflictSSLThe specified route entry has conflict with SSL client.The route conflicts with the SSL client.
    400VpnRouteEntry.BackupRouteValidate backup route entry failed.Active/standby routes failed authentication.
    400VpnRouteEntry.InvalidWeightInvalid route entry weight value.The weight specified for the route is invalid.
    400QuotaExceeded.PBRThe policy-based routes has reached the upper limit.The number of policy-based routes has reached the upper limit.
    400OperationUnsupported.SetDPDCurrent version of the VPN does not support setting DPD.The VPN gateway version does not support DPD.
    400OperationUnsupported.SetNatTraversalCurrent version of the VPN does not support setting NAT traversal.The VPN gateway version does not support NAT traversal.
    400QuotaExceeded.PolicyBasedRouteThe maximum number of policy-based routes is exceeded. Existing routes: %s. Routes to be created: %s. Maximum routes: %s.The quota of policy-based routes is reached. Existing routes: %s. Routes to be created: %s. Quota: %s.
    400MissingParameter.TunnelCidrThe parameter TunnelCidr is mandatory when BGP is enabled.You must specify the tunnel CIDR block when you enable BGP.
    400OperationUnsupported.EnableBgpCurrent version of the VPN does not support enable BGP.The current version of the VPN gateway does not support BGP.
    400MissingParam.CustomerGatewayAsnAsn of customer gateway is mandatory when BGP is enabled.The ASN of the customer gateway cannot be empty when you enable BGP.
    400IllegalParam.LocalAsnThe specified LocalAsn is invalid.The local ASN is invalid.
    400IllegalParam.BgpConfigThe specified BgpConfig is invalid.The BGP configuration is invalid.
    400IllegalParam.EnableBgpVPN connection must enable BGP when VPN gateway has enabled BGP.The error message returned because the VPN connection must use BGP if BGP is enabled for the VPN gateway.
    400IllegalParam.TunnelCidrThe specified TunnelCidr is invalid.The TunnelCidr parameter is set to an invalid value.
    400InvalidLocalBgpIp.MalformedThe specified LocalBgpIp is malformed.The local BGP IP address is in an abnormal state.
    400IllegalParam.LocalBgpIpThe specified LocalBgpIp is invalid.The local BGP IP address is invalid.
    400IllegalParam.LocalSubnetThe specified "LocalSubnet" (%s) is invalid.The specified "LocalSubnet" (%s) is invalid.
    400IllegalParam.RemoteSubnetThe specified "RemoteSubnet" (%s) is invalid.The specified "RemoteSubnet" (%s) is invalid.
    400OperationFailed.CenLevelNotSupportWhen the VPC to which the VPN gateway belongs is attached to a FULL-mode CEN, the VPN gateway cannot enable BGP.When the VPC to which the VPN gateway belongs is attached to a FULL-mode CEN, the VPN gateway cannot enable BGP.
    400InvalidTunnelCidr.MalformedThe specified TunnelCidr is malformed.The specified tunnel CIDR block is invalid.
    400CustomerGateway.ConflictRouteEntryThe specified customer gateway has conflict with route entry.The customer gateway conflicts with the current routes.
    400VpnTask.CONFLICTVpn task has conflict.The VPN operation conflicts. Try again later.
    400OperationFailed.RouteConflictWithIPsecServerOperation failed because the route to create conflicts with the client IP pool of the IPsec server.Operation failed because the route to create conflicts with the client IP pool of the IPsec server.
    400IllegalParam.TunnelIdThe specified TunnelId is invalid.TunnelId is set to an invalid value.
    400IllegalParam.RoleThe specified Role is invalid.Role is set to an invalid value.
    400VpnConnectionParamInvalid.SameVpnAndCgwDifferentIkeConfigsIPSec connections associated with the same user gateway and VPN gateway should have the same pre-shared key and IKE configuration.The pre-shared key and IKE parameters must be the same for IPsec-VPN connections that are associated with the same VPN gateway and customer gateway.
    400VpnConnectionParamInvalid.SameVpnAndCgwTrafficSelectorOverlapTraffic selectors of IPSec connections associated with the same user gateway and VPN gateway should not overlap.The protected data flows of IPsec-VPN connections that are associated with the same VPN gateway and customer gateway cannot overlap.
    400ModifyIkeV1WithMultiRoutes.InvalidFailed to modify VPN connection parameters. Multi-network is configured while using IkeV1 protocol.Failed to modify VPN connection parameters. Multi-network is configured while using IkeV1 protocol.
    403Forbbiden.SubUserUser not authorized to operate on the specified resource as your account is created by another user.You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again.
    403ForbiddenUser not authorized to operate on the specified resource.You do not have the permissions to manage the specified resource. Apply for the permissions and try again.
    404InvalidVpnConnectionInstanceId.NotFoundThe specified vpn connection instance id does not exist.The specified vpn connection instance id does not exist.
    500OperationFailed.RouteConflictWithIPsecServerOperation failed because the specified route conflicts with IPsec server.The route conflicts with the IPsec server.

    For a list of error codes, visit the Service error codes.

    Change history

    Change timeSummary of changesOperation
    2024-10-24The Error code has changedView Change Details
    2024-01-04API Description Update. The Error code has changedView Change Details
    2023-10-23The Error code has changedView Change Details
    2023-10-19The API operation is not deprecated.. The Error code has changed. The response structure of the API has changedView Change Details
    2023-08-01API Description Update. The Error code has changed. The response structure of the API has changedView Change Details
    2023-06-30The Error code has changed. The request parameters of the API has changed. The response structure of the API has changedView Change Details