ALIYUN::VPC::VpnAttachment is used to create an IPsec-VPN connection. After you create the IPsec-VPN connection, you can associate the IPsec-VPN connection with a transit router.
Syntax
{
  "Type": "ALIYUN::VPC::VpnAttachment",
  "Properties": {
    "LocalSubnet": String,
    "CustomerGatewayId": String,
    "AutoConfigRoute": Boolean,
    "Name": String,
    "EffectImmediately": Boolean,
    "BgpConfig": Map,
    "RemoteSubnet": String,
    "RemoteCaCert": String,
    "IpsecConfig": Map,
    "NetworkType": String,
    "HealthCheckConfig": Map,
    "EnableNatTraversal": Boolean,
    "IkeConfig": Map,
    "EnableDpd": Boolean
  }
}
Properties
Property | Type | Required | Editable | Description | Constraint |
LocalSubnet | String | Yes | Yes | The CIDR blocks on the virtual private cloud (VPC) side. The CIDR blocks are used in Phase 2 negotiations. | Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24. The following routing modes are supported for the IPsec-VPN connection:
Example: 10.1.1.0/24,10.1.2.0/24. |
CustomerGatewayId | String | Yes | No | The ID of the customer gateway. | None. |
AutoConfigRoute | Boolean | No | Yes | Specifies whether to automatically configure routes. | Valid values: true (default) and false. |
Name | String | No | Yes | The name of the IPsec-VPN connection. | None. |
EffectImmediately | Boolean | No | Yes | Specifies whether the configurations of the IPsec-VPN connection immediately take effect. | Valid values: true (the current IPsec tunnel is deleted and renegotiated as soon as the configuration is complete) and false (default; negotiation starts when traffic enters the tunnel). |
BgpConfig | Map | No | Yes | The Border Gateway Protocol (BGP) configurations. | For more information, see BgpConfig properties. Note: Before you add BGP configurations, we recommend that you familiarize yourself with the work mechanism and the limits of BGP dynamic routing. For more information, see Configure routes for an IPsec-VPN connection. We recommend that you use a private autonomous system number (ASN) to establish BGP connections to Alibaba Cloud. For more information about the range of private ASNs, see the relevant documentation. Example: |
RemoteSubnet | String | Yes | Yes | The CIDR blocks on the data center side. The CIDR blocks are used in Phase 2 negotiations. | Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24. The following routing modes are supported for the IPsec-VPN connection:
Example: 10.1.3.0/24,10.1.4.0/24. |
RemoteCaCert | String | No | No | The peer CA certificate when a ShangMi (SM) VPN gateway is used to create the IPsec-VPN connection. | Required when an SM VPN gateway is used to create the IPsec-VPN connection; ignored when a standard VPN gateway is used. Example: |
IpsecConfig | Map | No | Yes | The configurations of Phase 2 negotiations. | For more information, see IpsecConfig properties. Example: |
NetworkType | String | No | No | The network type of the IPsec-VPN connection. | Valid values: public and private. |
HealthCheckConfig | Map | No | Yes | The health check configurations. | For more information, see HealthCheckConfig properties. Example: |
EnableNatTraversal | Boolean | No | Yes | Specifies whether to enable the NAT traversal feature. | Valid values: true (default) and false. When NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel. |
IkeConfig | Map | No | Yes | The configurations of Phase 1 negotiations. | For more information, see IkeConfig properties. |
EnableDpd | Boolean | No | Yes | Specifies whether to enable the dead peer detection (DPD) feature. | Valid values: true (default) and false. When DPD is enabled, the initiator of the IPsec-VPN connection sends DPD packets to verify that the peer exists and is available; if no response is received within the specified period of time, the connection fails and the ISAKMP SAs, IPsec SAs, and IPsec tunnel are deleted. When DPD is disabled, the initiator does not send DPD packets. |
BgpConfig syntax
"BgpConfig": {
  "EnableBgp": Boolean,
  "LocalAsn": Number,
  "TunnelCidr": String,
  "LocalBgpIp": String
}
BgpConfig properties
Property | Type | Required | Editable | Description | Constraint |
EnableBgp | Boolean | No | No | Specifies whether to enable the BGP feature. | Valid values: true and false. Default value: false. |
LocalAsn | Number | No | Yes | The ASN on the Alibaba Cloud side. | Valid values: 1 to 4294967295. Default value: 45104. |
TunnelCidr | String | No | Yes | The CIDR block of the IPsec-VPN tunnel. | The CIDR block must belong to 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length. |
LocalBgpIp | String | No | Yes | The BGP IP address on the Alibaba Cloud side. | The IP address must fall within the CIDR block of the IPsec-VPN tunnel (TunnelCidr). |
IpsecConfig syntax
"IpsecConfig": {
  "IpsecPfs": String,
  "IpsecEncAlg": String,
  "IpsecAuthAlg": String,
  "IpsecLifetime": Integer
}
IpsecConfig properties
Property | Type | Required | Editable | Description | Constraint |
IpsecPfs | String | No | Yes | The Diffie-Hellman (DH) key exchange algorithm that is used in Phase 2 negotiations. | Valid values: disabled, group1, group2, group5, group14, and group24. Default value: group2. |
IpsecEncAlg | String | No | Yes | The encryption algorithm that is used in Phase 2 negotiations. | Valid values: aes, aes192, aes256, des, 3des, and sm4. Default value: aes for a standard VPN gateway. For an SM VPN gateway, sm4 is the only valid value and the default. |
IpsecAuthAlg | String | No | Yes | The authentication algorithm that is used in Phase 2 negotiations. | Valid values: md5, sha1, sha256, sha384, sha512, and sm3. Default value: md5 for a standard VPN gateway. For an SM VPN gateway, sm3 is the only valid value and the default. |
IpsecLifetime | Integer | No | Yes | The SA lifetime that is determined by Phase 2 negotiations. | Unit: seconds. Valid values: 0 to 86400. Default value: 86400. |
HealthCheckConfig syntax
"HealthCheckConfig": {
  "Policy": String,
  "Enable": Boolean,
  "Dip": String,
  "Retry": Integer,
  "Sip": String,
  "Interval": Integer
}
HealthCheckConfig properties
Property | Type | Required | Editable | Description | Constraint |
Policy | String | No | Yes | Specifies whether to withdraw published routes when the health check fails. | Valid values: |
Enable | Boolean | No | Yes | Specifies whether to enable the health check feature. | Valid values: true and false. |
Dip | String | No | Yes | The destination IP address that is used for health checks. | Specify an IP address on the data center side that the VPC can reach over the IPsec-VPN connection. |
Retry | Integer | No | Yes | The maximum number of health check retries. | Default value: 3. |
Sip | String | No | Yes | The source IP address that is used for health checks. | Specify an IP address on the VPC side that the data center can reach over the IPsec-VPN connection. |
Interval | Integer | No | Yes | The interval between two consecutive health check retries. | Unit: seconds. Default value: 3. |
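The addressing constraints in the Properties, BgpConfig and HealthCheckConfig tables above (comma-separated CIDR lists, TunnelCidr inside 169.254.0.0/16 with a 30-bit mask, LocalBgpIp inside TunnelCidr, LocalAsn in 1 to 4294967295) are easy to get wrong in a template and only surface as a failed stack. The following Python is an added example, not ROS or Alibaba Cloud code: it takes the Properties map of a VpnAttachment resource as a plain dict and reports every violation before deployment. The rule that Sip must lie in LocalSubnet and Dip in RemoteSubnet is this example's reading of the Sip/Dip descriptions rather than a documented constraint, and the two sample property maps are constructed.

```python
"""Pre-deployment checks for the addressing constraints of ALIYUN::VPC::VpnAttachment.

Added example, not ROS or Alibaba Cloud code. The rules restate the
LocalSubnet/RemoteSubnet, BgpConfig and HealthCheckConfig constraints from the
property tables; the Sip/Dip membership rule is this example's interpretation.
"""
import ipaddress

TUNNEL_RANGE = ipaddress.ip_network("169.254.0.0/16")  # documented range for TunnelCidr
ASN_MIN, ASN_MAX = 1, 4294967295                       # documented range for LocalAsn
DEFAULT_LOCAL_ASN = 45104                              # documented default for LocalAsn


def parse_cidr_list(value):
    """Split a comma-separated list such as '10.1.1.0/24,10.1.2.0/24' into networks.

    strict=True rejects entries whose host bits are set (for example 10.1.1.5/24),
    which the service would not accept as a CIDR block either.
    """
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty CIDR entry in %r" % value)
        nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def address_in(addr, nets):
    """True if addr parses as an IP address and lies inside one of nets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def check_vpn_attachment(props):
    """Return the list of constraint violations; an empty list means the map passes."""
    problems = []
    try:
        local = parse_cidr_list(props["LocalSubnet"])
        remote = parse_cidr_list(props["RemoteSubnet"])
    except (KeyError, ValueError) as exc:
        return ["LocalSubnet/RemoteSubnet: %s" % exc]

    bgp = props.get("BgpConfig") or {}
    if bgp.get("EnableBgp"):
        asn = int(bgp.get("LocalAsn", DEFAULT_LOCAL_ASN))
        if not ASN_MIN <= asn <= ASN_MAX:
            problems.append("BgpConfig.LocalAsn %d is outside %d..%d" % (asn, ASN_MIN, ASN_MAX))
        try:
            tunnel = ipaddress.ip_network(bgp["TunnelCidr"], strict=True)
            if not tunnel.subnet_of(TUNNEL_RANGE):
                problems.append("BgpConfig.TunnelCidr must lie inside 169.254.0.0/16")
            if tunnel.prefixlen != 30:
                problems.append("BgpConfig.TunnelCidr must use a 30-bit subnet mask")
            if not address_in(bgp.get("LocalBgpIp", ""), [tunnel]):
                problems.append("BgpConfig.LocalBgpIp must fall within TunnelCidr")
        except (KeyError, ValueError) as exc:
            problems.append("BgpConfig.TunnelCidr: %s" % exc)

    hc = props.get("HealthCheckConfig") or {}
    if hc.get("Enable"):
        # Example's interpretation of the table: Sip is a VPC-side address,
        # Dip a data-center-side address reachable through the tunnel.
        if not address_in(hc.get("Sip", ""), local):
            problems.append("HealthCheckConfig.Sip is not inside LocalSubnet")
        if not address_in(hc.get("Dip", ""), remote):
            problems.append("HealthCheckConfig.Dip is not inside RemoteSubnet")
    return problems


# Constructed sample property maps (not taken from the page's template).
GOOD_PROPS = {
    "LocalSubnet": "10.1.1.0/24,10.1.2.0/24",
    "RemoteSubnet": "10.1.3.0/24,10.1.4.0/24",
    "BgpConfig": {"EnableBgp": True, "LocalAsn": 65530,
                  "TunnelCidr": "169.254.10.0/30", "LocalBgpIp": "169.254.10.1"},
    "HealthCheckConfig": {"Enable": True, "Sip": "10.1.1.10", "Dip": "10.1.3.10",
                          "Retry": 3, "Interval": 3},
}
BAD_PROPS = {
    "LocalSubnet": "10.1.1.0/24",
    "RemoteSubnet": "10.1.3.0/24",
    "BgpConfig": {"EnableBgp": True, "LocalAsn": 0,
                  "TunnelCidr": "10.0.0.0/29", "LocalBgpIp": "169.254.10.1"},
    "HealthCheckConfig": {"Enable": True, "Sip": "192.168.9.1", "Dip": "10.1.3.10"},
}

if __name__ == "__main__":
    for label, props in (("good", GOOD_PROPS), ("bad", BAD_PROPS)):
        print(label, check_vpn_attachment(props) or "ok")
```

Run against the bad map, the check reports five violations (ASN out of range, tunnel CIDR outside 169.254.0.0/16, wrong mask length, LocalBgpIp outside the tunnel, and a health-check source address outside LocalSubnet); the good map passes. The same function can be pointed at the `Properties` of the `VpnAttachment` resource after the template has been loaded and its `Ref` parameters resolved.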
IkeConfig syntax
"IkeConfig": {
  "IkeAuthAlg": String,
  "LocalId": String,
  "IkeEncAlg": String,
  "IkeVersion": String,
  "IkeMode": String,
  "IkeLifetime": Integer,
  "RemoteId": String,
  "Psk": String,
  "IkePfs": String
}
IkeConfig properties
Property | Type | Required | Editable | Description | Constraint |
IkeAuthAlg | String | No | Yes | The authentication algorithm that is used in Phase 1 negotiations. | Valid values: md5, sha1, sha256, sha384, sha512, and sm3. Default value: md5 for a standard VPN gateway. For an SM VPN gateway, sm3 is the only valid value and the default. |
LocalId | String | No | Yes | The identifier of the IPsec-VPN connection on the Alibaba Cloud side. | The identifier can be up to 100 characters in length. This property is empty by default. |
IkeEncAlg | String | No | Yes | The encryption algorithm that is used in Phase 1 negotiations. | Valid values: aes, aes192, aes256, des, 3des, and sm4. Default value: aes for a standard VPN gateway. For an SM VPN gateway, sm4 is the only valid value and the default. |
IkeVersion | String | No | Yes | The version of the IKE protocol. | Valid values: ikev1 (default) and ikev2. |
IkeMode | String | No | Yes | The negotiation mode. Applies to IKEv1 only. | Valid values: main (default) and aggressive. |
IkeLifetime | Integer | No | Yes | The SA lifetime that is determined by Phase 1 negotiations. | Unit: seconds. Valid values: 0 to 86400. Default value: 86400. |
RemoteId | String | No | Yes | The identifier of the IPsec-VPN connection on the data center side. | The identifier can be up to 100 characters in length. The default value is the IP address of the customer gateway. |
Psk | String | No | Yes | The pre-shared key that is used for identity authentication between the VPN gateway and the data center. | The following limits apply: the key can be up to 100 characters in length, and a random key is generated if you do not specify one. Note: The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway. |
IkePfs | String | No | Yes | The DH key exchange algorithm that is used in Phase 1 negotiations. | Valid values: group1, group2, group5, group14, and group24. Default value: group2. |
Return values
Fn::GetAtt
InternetIp: the gateway address of the IPsec-VPN connection.
VpnAttachmentId: the ID of the IPsec-VPN connection.
PeerVpnAttachmentConfig: the configurations of the IPsec-VPN connection.
Examples
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  AutoConfigRoute:
    Description:
      en: "Specifies whether to automatically configure routes. Valid values:\ntrue\
        \ (default) \nfalse"
    Type: Boolean
  BgpConfig:
    AssociationPropertyMetadata:
      Parameters:
        EnableBgp:
          Description:
            en: "Specifies whether to enable the BGP feature for the tunnel. \nValid\
              \ values: true and false. Default value: false."
          Type: Boolean
        LocalAsn:
          Description:
            en: 'The ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295.
              Default value: 45104.'
          MaxValue: 4294967295
          MinValue: 1
          Type: Number
        LocalBgpIp:
          Description:
            en: "The BGP IP address on the Alibaba Cloud side. \nThis IP address must\
              \ fall within the CIDR block of the IPsec tunnel."
          Type: String
        TunnelCidr:
          Description:
            en: The CIDR block of the IPsec tunnel. The CIDR block must fall within
              169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in
              length.
          Type: String
    Description:
      en: "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required\
        \ when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP,\
        \ we recommend that you learn about how BGP works and its limits. For more\
        \ information, see VPN Gateway supports BGP dynamic routing.\nWe recommend\
        \ that you use a private ASN to establish a connection with Alibaba Cloud\
        \ over BGP. \nRefer to the relevant documentation for the private ASN range."
    Type: Json
  CustomerGatewayId:
    Description:
      en: The ID of the customer gateway.
    Type: String
  EffectImmediately:
    Default: false
    Description:
      en: 'Whether to delete the currently negotiated IPsec tunnel and re-initiate
        the negotiation. Value:
        True: Negotiate immediately after the configuration is complete.
        False (default): Negotiate when traffic enters.'
    Type: Boolean
  EnableDpd:
    Description:
      en: "Specifies whether to enable the dead peer detection (DPD) feature. Valid\
        \ values: \ntrue (default) The initiator of the IPsec-VPN connection sends\
        \ DPD packets to verify the existence and availability of the peer. If no\
        \ response is received from the peer within a specified period of time, the\
        \ connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel\
        \ is also deleted. \nfalse: disables DPD. The IPsec initiator does not send\
        \ DPD packets."
    Type: Boolean
  EnableNatTraversal:
    Description:
      en: "Specifies whether to enable NAT traversal. Valid values: \ntrue (default)\
        \ After NAT traversal is enabled, the initiator does not check the UDP ports\
        \ during IKE negotiations and can automatically discover NAT gateway devices\
        \ along the VPN tunnel. \nfalse"
    Type: Boolean
  HealthCheckConfig:
    AssociationPropertyMetadata:
      Parameters:
        Dip:
          Type: String
        Enable:
          Type: Boolean
        Interval:
          Type: Number
        Policy:
          Description:
            en: Whether to revoke published routes when the health check fails.
          Type: String
        Retry:
          Type: Number
        Sip:
          Type: String
    Description:
      en: The health check configuration.
    Type: Json
  IkeConfig:
    AssociationPropertyMetadata:
      Parameters:
        IkeAuthAlg:
          AllowedValues:
          - md5
          - sha1
          - sha256
          - sha384
          - sha512
          - sm3
          Description:
            en: "The authentication algorithm negotiated in the first phase. \nIf\
              \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
              \ and the default value is md5.\nIf the VPN gateway instance type is\
              \ ShangMi (SM), the value is sm3 (default value)."
          Type: String
        IkeEncAlg:
          AllowedValues:
          - aes
          - aes192
          - aes256
          - des
          - 3des
          - sm4
          Description:
            en: "The encryption algorithm negotiated in the first phase. \nIf\
              \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
              \ and the default value is aes.\nIf the VPN gateway instance type is\
              \ ShangMi (SM), the value is sm4 (default value)."
          Type: String
        IkeLifetime:
          Default: 86400
          Description:
            en: The life cycle of the SA negotiated in the first phase. The value
              ranges from 0 to 86400, in seconds. The default value is 86400.
          MaxValue: 86400
          MinValue: 0
          Type: Number
        IkeMode:
          AllowedValues:
          - main
          - aggressive
          Default: main
          Description:
            en: 'Negotiation mode for IKEv1. Value: main|aggressive, default: main.'
          Type: String
        IkePfs:
          AllowedValues:
          - group1
          - group2
          - group5
          - group14
          - group24
          Default: group2
          Description:
            en: 'Diffie-Hellman key exchange algorithm used in the first phase negotiation.
              Value: group1|group2|group5|group14|group24, default value: group2.'
          Type: String
        IkeVersion:
          AllowedValues:
          - ikev1
          - ikev2
          Default: ikev1
          Description:
            en: 'The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1.'
          Type: String
        LocalId:
          Description:
            en: ID of the VPN gateway. The length is limited to 100 characters. The
              default value is the public IP address of the VPN gateway.
          MaxLength: 100
          Type: String
        Psk:
          Description:
            en: Used for identity authentication between the IPsec VPN gateway and
              the customer gateway. It is generated randomly by default, or you can
              specify the key manually. The length is limited to 100 characters.
          MaxLength: 100
          Type: String
        RemoteId:
          Description:
            en: ID of the customer gateway. The length is limited to 100 characters.
              The default value is the public IP address of the customer gateway.
          MaxLength: 100
          Type: String
    Description:
      en: Configuration information for the first phase of negotiation.
    Type: Json
  IpsecConfig:
    AssociationPropertyMetadata:
      Parameters:
        IpsecAuthAlg:
          AllowedValues:
          - md5
          - sha1
          - sha256
          - sha384
          - sha512
          - sm3
          Description:
            en: "The authentication algorithm negotiated in the second phase. \nIf\
              \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
              \ and the default value is md5.\nIf the VPN gateway instance type is\
              \ ShangMi (SM), the value is sm3 (default value)."
          Type: String
        IpsecEncAlg:
          AllowedValues:
          - aes
          - aes192
          - aes256
          - des
          - 3des
          - sm4
          Description:
            en: "The encryption algorithm negotiated in the second phase. \nIf\
              \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
              \ and the default value is aes.\nIf the VPN gateway instance type is\
              \ ShangMi (SM), the value is sm4 (default value)."
          Type: String
        IpsecLifetime:
          Default: 86400
          Description:
            en: 'The life cycle of the SA negotiated in the second phase. The value
              ranges from 0 to 86400, in seconds. The default value is 86400.'
          MaxValue: 86400
          MinValue: 0
          Type: Number
        IpsecPfs:
          AllowedValues:
          - disabled
          - group1
          - group2
          - group5
          - group14
          - group24
          Default: group2
          Description:
            en: 'The Diffie-Hellman key exchange algorithm used in the second phase
              negotiation. Value: disabled|group1|group2|group5|group14|group24, default
              value: group2.'
          Type: String
    Description:
      en: Configuration information for the second phase negotiation.
    Type: Json
  LocalSubnet:
    Description:
      en: 'A network segment on the VPC side that needs to be interconnected with
        the local IDC for the second phase negotiation.
        Multiple network segments are separated by commas, for example: 192.168.1.0/24,
        192.168.2.0/24.'
    Type: String
  Name:
    Description:
      en: 'The name of the IPsec connection.
        The length is 2-128 characters and must start with a letter or Chinese. It
        can contain numbers, periods (.), underscores (_) and dashes (-), but cannot
        start with http:// or https:// .'
    MaxLength: 128
    MinLength: 2
    Type: String
  NetworkType:
    AllowedValues:
    - public
    - private
    Description:
      en: 'The network type of the IPsec connection. Value: public|private.'
    Type: String
  RemoteCaCert:
    Description:
      en: "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish\
        \ the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway\
        \ is used to establish the IPsec-VPN connection. \nYou can ignore this parameter\
        \ when a standard VPN gateway is used to create the IPsec-VPN connection."
    Type: String
  RemoteSubnet:
    Description:
      en: 'The network segment of the local IDC is used for the second phase negotiation.
        Multiple network segments are separated by commas, for example: 192.168.3.0/24,
        192.168.4.0/24.'
    Type: String
Resources:
  VpnAttachment:
    Properties:
      AutoConfigRoute:
        Ref: AutoConfigRoute
      BgpConfig:
        Ref: BgpConfig
      CustomerGatewayId:
        Ref: CustomerGatewayId
      EffectImmediately:
        Ref: EffectImmediately
      EnableDpd:
        Ref: EnableDpd
      EnableNatTraversal:
        Ref: EnableNatTraversal
      HealthCheckConfig:
        Ref: HealthCheckConfig
      IkeConfig:
        Ref: IkeConfig
      IpsecConfig:
        Ref: IpsecConfig
      LocalSubnet:
        Ref: LocalSubnet
      Name:
        Ref: Name
      NetworkType:
        Ref: NetworkType
      RemoteCaCert:
        Ref: RemoteCaCert
      RemoteSubnet:
        Ref: RemoteSubnet
    Type: ALIYUN::VPC::VpnAttachment
Outputs:
  InternetIp:
    Description: The gateway IP address of the IPsec connection.
    Value:
      Fn::GetAtt:
      - VpnAttachment
      - InternetIp
  PeerVpnAttachmentConfig:
    Description: The configuration of the IPsec-VPN connection on the peer side.
    Value:
      Fn::GetAtt:
      - VpnAttachment
      - PeerVpnAttachmentConfig
  VpnAttachmentId:
    Description: ID of the IPsec attachment.
    Value:
      Fn::GetAtt:
      - VpnAttachment
      - VpnAttachmentId
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "LocalSubnet": {
      "Type": "String",
      "Description": {
        "en": "A network segment on the VPC side that needs to be interconnected with the local IDC for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.1.0/24, 192.168.2.0/24."
      }
    },
    "CustomerGatewayId": {
      "Type": "String",
      "Description": {
        "en": "The ID of the customer gateway."
      }
    },
    "AutoConfigRoute": {
      "Type": "Boolean",
      "Description": {
        "en": "Specifies whether to automatically configure routes. Valid values:\ntrue (default) \nfalse"
      }
    },
    "Name": {
      "Type": "String",
      "Description": {
        "en": "The name of the IPsec connection.\nThe length is 2-128 characters and must start with a letter or Chinese. It can contain numbers, periods (.), underscores (_) and dashes (-), but cannot start with http:// or https:// ."
      },
      "MinLength": 2,
      "MaxLength": 128
    },
    "EffectImmediately": {
      "Type": "Boolean",
      "Description": {
        "en": "Whether to delete the currently negotiated IPsec tunnel and re-initiate the negotiation. Value:\nTrue: Negotiate immediately after the configuration is complete.\nFalse (default): Negotiate when traffic enters."
      },
      "Default": false
    },
    "BgpConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "EnableBgp": {
            "Type": "Boolean",
            "Description": {
              "en": "Specifies whether to enable the BGP feature for the tunnel. \nValid values: true and false. Default value: false."
            }
          },
          "LocalAsn": {
            "Type": "Number",
            "Description": {
              "en": "The ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295. Default value: 45104."
            },
            "MinValue": 1,
            "MaxValue": 4294967295
          },
          "TunnelCidr": {
            "Type": "String",
            "Description": {
              "en": "The CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length."
            }
          },
          "LocalBgpIp": {
            "Type": "String",
            "Description": {
              "en": "The BGP IP address on the Alibaba Cloud side. \nThis IP address must fall within the CIDR block of the IPsec tunnel."
            }
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP, we recommend that you learn about how BGP works and its limits. For more information, see VPN Gateway supports BGP dynamic routing.\nWe recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. \nRefer to the relevant documentation for the private ASN range."
      }
    },
    "RemoteSubnet": {
      "Type": "String",
      "Description": {
        "en": "The network segment of the local IDC is used for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.3.0/24, 192.168.4.0/24."
      }
    },
    "RemoteCaCert": {
      "Type": "String",
      "Description": {
        "en": "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway is used to establish the IPsec-VPN connection. \nYou can ignore this parameter when a standard VPN gateway is used to create the IPsec-VPN connection."
      }
    },
    "IpsecConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "IpsecPfs": {
            "Type": "String",
            "Description": {
              "en": "The Diffie-Hellman key exchange algorithm used in the second phase negotiation. Value: disabled|group1|group2|group5|group14|group24, default value: group2."
            },
            "AllowedValues": [
              "disabled",
              "group1",
              "group2",
              "group5",
              "group14",
              "group24"
            ],
            "Default": "group2"
          },
          "IpsecEncAlg": {
            "Type": "String",
            "Description": {
              "en": "The encryption algorithm negotiated in the second phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway instance type is ShangMi (SM), the value is sm4 (default value)."
            },
            "AllowedValues": [
              "aes",
              "aes192",
              "aes256",
              "des",
              "3des",
              "sm4"
            ]
          },
          "IpsecAuthAlg": {
            "Type": "String",
            "Description": {
              "en": "The authentication algorithm negotiated in the second phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway instance type is ShangMi (SM), the value is sm3 (default value)."
            },
            "AllowedValues": [
              "md5",
              "sha1",
              "sha256",
              "sha384",
              "sha512",
              "sm3"
            ]
          },
          "IpsecLifetime": {
            "Type": "Number",
            "Description": {
              "en": "The life cycle of the SA negotiated in the second phase. The value ranges from 0 to 86400, in seconds. The default value is 86400."
            },
            "MinValue": 0,
            "MaxValue": 86400,
            "Default": 86400
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "Configuration information for the second phase negotiation."
      }
    },
    "NetworkType": {
      "Type": "String",
      "Description": {
        "en": "The network type of the IPsec connection. Value: public|private."
      },
      "AllowedValues": [
        "public",
        "private"
      ]
    },
    "HealthCheckConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "Whether to revoke published routes when the health check fails."
            }
          },
          "Enable": {
            "Type": "Boolean"
          },
          "Dip": {
            "Type": "String"
          },
          "Retry": {
            "Type": "Number"
          },
          "Sip": {
            "Type": "String"
          },
          "Interval": {
            "Type": "Number"
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "The health check configuration."
      }
    },
    "EnableNatTraversal": {
      "Type": "Boolean",
      "Description": {
        "en": "Specifies whether to enable NAT traversal. Valid values: \ntrue (default) After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel. \nfalse"
      }
    },
    "IkeConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "IkeAuthAlg": {
            "Type": "String",
            "Description": {
              "en": "The authentication algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway instance type is ShangMi (SM), the value is sm3 (default value)."
            },
            "AllowedValues": [
              "md5",
              "sha1",
              "sha256",
              "sha384",
              "sha512",
              "sm3"
            ]
          },
          "LocalId": {
            "Type": "String",
            "Description": {
              "en": "ID of the VPN gateway. The length is limited to 100 characters. The default value is the public IP address of the VPN gateway."
            },
            "MaxLength": 100
          },
          "IkeEncAlg": {
            "Type": "String",
            "Description": {
              "en": "The encryption algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway instance type is ShangMi (SM), the value is sm4 (default value)."
            },
            "AllowedValues": [
              "aes",
              "aes192",
              "aes256",
              "des",
              "3des",
              "sm4"
            ]
          },
          "IkeVersion": {
            "Type": "String",
            "Description": {
              "en": "The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1."
            },
            "AllowedValues": [
              "ikev1",
              "ikev2"
            ],
            "Default": "ikev1"
          },
          "IkeMode": {
            "Type": "String",
            "Description": {
              "en": "Negotiation mode for IKEv1. Value: main|aggressive, default: main."
            },
            "AllowedValues": [
              "main",
              "aggressive"
            ],
            "Default": "main"
          },
          "IkeLifetime": {
            "Type": "Number",
            "Description": {
              "en": "The life cycle of the SA negotiated in the first phase. The value ranges from 0 to 86400, in seconds. The default value is 86400."
            },
            "MinValue": 0,
            "MaxValue": 86400,
            "Default": 86400
          },
          "RemoteId": {
            "Type": "String",
            "Description": {
              "en": "ID of the customer gateway. The length is limited to 100 characters. The default value is the public IP address of the customer gateway."
            },
            "MaxLength": 100
          },
          "Psk": {
            "Type": "String",
            "Description": {
              "en": "Used for identity authentication between the IPsec VPN gateway and the customer gateway. It is generated randomly by default, or you can specify the key manually. The length is limited to 100 characters."
            },
            "MaxLength": 100
          },
          "IkePfs": {
            "Type": "String",
            "Description": {
              "en": "Diffie-Hellman key exchange algorithm used in the first phase negotiation. Value: group1|group2|group5|group14|group24, default value: group2."
            },
            "AllowedValues": [
              "group1",
              "group2",
              "group5",
              "group14",
              "group24"
            ],
            "Default": "group2"
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "Configuration information for the first phase of negotiation."
      }
    },
    "EnableDpd": {
      "Type": "Boolean",
      "Description": {
        "en": "Specifies whether to enable the dead peer detection (DPD) feature. Valid values: \ntrue (default) The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel is also deleted. \nfalse: disables DPD. The IPsec initiator does not send DPD packets."
      }
    }
  },
  "Resources": {
    "VpnAttachment": {
      "Type": "ALIYUN::VPC::VpnAttachment",
      "Properties": {
        "LocalSubnet": {
          "Ref": "LocalSubnet"
        },
        "CustomerGatewayId": {
          "Ref": "CustomerGatewayId"
        },
        "AutoConfigRoute": {
          "Ref": "AutoConfigRoute"
        },
        "Name": {
          "Ref": "Name"
        },
        "EffectImmediately": {
          "Ref": "EffectImmediately"
        },
        "BgpConfig": {
          "Ref": "BgpConfig"
        },
        "RemoteSubnet": {
          "Ref": "RemoteSubnet"
        },
        "RemoteCaCert": {
          "Ref": "RemoteCaCert"
        },
        "IpsecConfig": {
          "Ref": "IpsecConfig"
        },
        "NetworkType": {
          "Ref": "NetworkType"
        },
        "HealthCheckConfig": {
          "Ref": "HealthCheckConfig"
        },
        "EnableNatTraversal": {
          "Ref": "EnableNatTraversal"
        },
        "IkeConfig": {
          "Ref": "IkeConfig"
        },
        "EnableDpd": {
          "Ref": "EnableDpd"
        }
      }
    }
  },
  "Outputs": {
    "InternetIp": {
      "Description": "The gateway IP address of the IPsec connection.",
      "Value": {
        "Fn::GetAtt": [
          "VpnAttachment",
          "InternetIp"
        ]
      }
    },
    "VpnAttachmentId": {
      "Description": "ID of the IPsec attachment.",
      "Value": {
        "Fn::GetAtt": [
          "VpnAttachment",
          "VpnAttachmentId"
        ]
      }
    },
    "PeerVpnAttachmentConfig": {
      "Description": "The configuration of the IPsec-VPN connection on the peer side.",
      "Value": {
        "Fn::GetAtt": [
          "VpnAttachment",
          "PeerVpnAttachmentConfig"
        ]
      }
    }
  }
}