All Products
Search
Document Center

VPN Gateway:ModifyVpnAttachmentAttribute

更新時間:Nov 13, 2024

Modifies the configuration of an IPsec-VPN connection.

Operation description

  • ModifyVpnAttachmentAttribute is an asynchronous operation. After a request is sent, the system returns a request ID and runs the task to modify the configuration of an IPsec-VPN connection in the background. You can call the DescribeVpnConnection operation to query the status of the task.

    • If the IPsec-VPN connection is in the updating state, the configuration of the IPsec-VPN connection is being modified.
    • If the IPsec-VPN connection is in the attached state, the configuration of the IPsec-VPN connection is modified.
  • You cannot call the ModifyVpnAttachmentAttribute operation again on the same IPsec-VPN connection before the previous operation is complete.

  • When you call the ModifyVpnAttachmentAttribute operation, take note of the following items:

    • If the IPsec-VPN connection is associated with a transit router, you cannot change the type of the gateway connected to the IPsec-VPN connection.
    • If the IPsec-VPN connection is not associated with a resource, you cannot change the type of the gateway connected to the IPsec-VPN connection or the customer gateway connected to the IPsec-VPN connection.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
vpc:ModifyVpnAttachmentAttributeupdate
  • VpnConnections
    acs:vpc:{#regionId}:{#accountId}:vpnconnection/{#VpnConnectionId}
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
RegionIdstringYes

The ID of the region in which the IPsec-VPN connection is established.

You can call the DescribeRegions operation to query the most recent region list.

cn-hangzhou
VpnConnectionIdstringYes

The ID of the IPsec-VPN connection.

vco-p0w5112fgnl2ihlmf****
NamestringNo

The name of the IPsec-VPN connection.

The name must be 1 to 100 characters in length and cannot start with http:// or https://.

nametest
LocalSubnetstringNo

The CIDR block of the virtual private cloud (VPC) that communicates with the data center. The CIDR block is used in Phase 2 negotiations.

Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24.

The following routing modes are supported:

  • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is set to Destination Routing Mode.
  • If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is set to Protected Data Flows.
10.1.1.0/24,10.1.2.0/24
RemoteSubnetstringNo

The CIDR block of the data center that communicates with the VPC. This CIDR block is used in Phase 2 negotiations.

Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24.

The following routing modes are supported:

  • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is set to Destination Routing Mode.
  • If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is set to Protected Data Flows.
10.1.3.0/24,10.1.4.0/24
EffectImmediatelybooleanNo

Specifies whether to immediately start IPsec negotiations after the configuration takes effect. Valid values:

  • true: immediately starts IPsec negotiations after the configuration is complete.
  • false: starts IPsec negotiations when inbound traffic is detected.
false
IkeConfigstringNo

The configuration of Phase 1 negotiations:

  • IkeConfig.Psk: The pre-shared key that is used for authentication between the VPN gateway and the data center.

    • The pre-shared key must be 1 to 100 characters in length and can contain letters, digits, and the following characters: ~ ! ` @ # $ % ^ & * () _ - + = {} [] | ; : ' , . < > / ?

    • If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key. You can call the DescribeVpnConnection operation to query the pre-shared key that is generated by the system.

    Note The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway.
  • IkeConfig.IkeVersion: the Internet Key Exchange (IKE) version. Valid values: ikev1 and ikev2.

  • IkeConfig.IkeMode: the negotiation mode. Valid values: main and aggressive.

  • IkeConfig.IkeEncAlg: the encryption algorithm that is used in Phase 1 negotiations. Valid values: aes, aes192, aes256, des, and 3des.

  • IkeConfig.IkeAuthAlg: the authentication algorithm that is used in Phase 1 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512.

  • IkeConfig.IkePfs: the Diffie-Hellman (DH) key exchange algorithm that is used in Phase 1 negotiations. Valid values: group1, group2, group5, and group14.

  • IkeConfig.IkeLifetime: the security association (SA) lifetime determined by Phase 1 negotiations. Unit: seconds. Valid values: 0 to 86400.

  • IkeConfig.LocalIdIPsec: the identifier of the IPsec-VPN connection on the Alibaba Cloud side. The identifier can be up to 100 characters in length.

  • IkeConfig.RemoteId: the identifier of the IPsec-VPN connection on the data center side. The identifier can be up to 100 characters in length.

{"Psk":"1234****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"47.XX.XX.1","RemoteId":"47.XX.XX.2"}
IpsecConfigstringNo

The configuration of Phase 2 negotiations:

  • IpsecConfig.IpsecEncAlg: the encryption algorithm that is used in Phase 2 negotiations. Valid values: aes, aes192, aes256, des, and 3des.
  • IpsecConfig. IpsecAuthAlg: the authentication algorithm that is used in Phase 2 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512.
  • IpsecConfig. IpsecPfs: the DH key exchange algorithm that is used in Phase 2 negotiations. Valid values: disabled, group1, group2, group5, and group14.
  • IpsecConfig. IpsecLifetime: the SA lifetime determined by Phase 2 negotiations. Unit: seconds. Valid values: 0 to 86400.
{"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}
BgpConfigstringNo

The Border Gateway Protocol (BGP) configuration:

  • BgpConfig.EnableBgp: specifies whether to enable BGP. Valid values:

    • true
    • false
  • BgpConfig.LocalAsn: the autonomous system number (ASN) on the Alibaba Cloud side. Valid values: 1 to 4294967295.

    You can enter the ASN in two segments. Separate the first 16 bits of the ASN from the remaining 16 bits with a period (.). Enter the number in each segment in decimal format.

    For example, if you enter 123.456, the ASN is: 123 × 65536 + 456 = 8061384.

  • BgpConfig.TunnelCidr: the CIDR block of the IPsec tunnel. The CIDR block falls within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length.

  • LocalBgpIp: the BGP IP address on the Alibaba Cloud side. This IP address must fall within the CIDR block of the IPsec tunnel.

Note
  • Before you configure BGP, we recommend that you learn how BGP dynamic routing works and the limits of using BGP dynamic routing. For more information, see BGP dynamic routing .
  • We recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. Refer to the relevant documentation for the private ASN range.
  • {"EnableBgp":"true","LocalAsn":"45104","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}
    HealthCheckConfigstringNo

    The health check configurations:

    • HealthCheckConfig.enable: specifies whether to enable the health check feature. Valid values:

      • true
      • false
    • HealthCheckConfig.dip: the destination IP address that is used for health checks. Enter the IP address on the data center side that the VPC can communicate with through the IPsec-VPN connection.

    • HealthCheckConfig.sip: the source IP address that is used for health checks. Enter the IP address on the VPC side that the data center can communicate with through the IPsec-VPN connection.

    • HealthCheckConfig.interval: the interval between two consecutive health checks. Unit: seconds.

    • HealthCheckConfig.retry: the maximum number of health check retries.

    • HealthCheckConfig.Policy: specifies whether to withdraw advertised routes when health checks fail. Valid values:

      • revoke_route
      • reserve_route
    {"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3","Policy": "revoke_route"}
    AutoConfigRoutebooleanNo

    Specifies whether to automatically configure routes. Valid values:

    • true
    • false
    true
    EnableDpdbooleanNo

    Specifies whether to enable the dead peer detection (DPD) feature. Valid values:

    • true: enables the DPD feature. The initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no feedback is received from the peer within a specific period of time, the connection fails. Then, the ISAKMP SA, IPsec SA, and IPsec tunnel are deleted.
    • false: disables the DPD feature. The initiator of the IPsec-VPN connection does not send DPD packets.
    true
    EnableNatTraversalbooleanNo

    Specifies whether to enable NAT traversal. Valid values:

    • true After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.
    • false
    true
    RemoteCaCertstringNo

    The peer CA certificate when a ShangMi (SM) VPN gateway is used to create the IPsec-VPN connection.

    c20ycDI1NnYxIENBIChURVNUIFN****
    ClientTokenstringNo

    The client token that is used to ensure the idempotence of the request.

    You can use the client to generate the token, but you must make sure that the token is unique among different requests. The token can contain only ASCII characters.

    Note If you do not specify this parameter, the system automatically uses the value of RequestId as the value of ClientToken. The request ID may be different for each request.
    123e4567-e89b-12d3-a456-4266****
    NetworkTypestringNo

    The network type of the IPsec-VPN connection. Valid values:

    • public: an encrypted connection over the Internet
    • private: an encrypted connection over private networks
    public
    CustomerGatewayIdstringNo

    The customer gateway associated with the IPsec-VPN connection.

    cgw-p0w2jemrcj5u61un8****

    Response parameters

    ParameterTypeDescriptionExample
    object

    The response parameters.

    VpnConnectionIdstring

    The ID of the IPsec-VPN connection.

    vco-p0w5112fgnl2ihlmf****
    CustomerGatewayIdstring

    The ID of the customer gateway associated with the IPsec-VPN connection.

    cgw-p0w2jemrcj5u61un8****
    VpnGatewayIdstring

    The ID of the VPN gateway associated with the IPsec-VPN connection.

    vpn-p0wa1c1018pmeb6cu****
    Namestring

    The name of the IPsec-VPN connection.

    nametest
    Descriptionstring

    The description of the IPsec-VPN connection.

    desctest
    LocalSubnetstring

    The CIDR block of the VPC with which the data center can communicate.

    10.1.1.0/24,10.1.2.0/24
    RemoteSubnetstring

    The CIDR block of the data center with which the VPC can communicate.

    10.1.3.0/24,10.1.4.0/24
    IkeConfigobject

    The configuration of Phase 1 negotiations.

    Pskstring

    The pre-shared key that is used for identity authentication between the VPN gateway and the data center.

    Note The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway.
    1234***
    IkeVersionstring

    The version of the IKE protocol.

    ikev1
    IkeModestring

    The negotiation mode.

    main
    IkeEncAlgstring

    The encryption algorithm that is used in Phase 1 negotiations.

    aes
    IkeAuthAlgstring

    The authentication algorithm that is used in Phase 1 negotiations.

    sha1
    IkePfsstring

    The DH key exchange algorithm that is used in Phase 1 negotiations.

    group2
    IkeLifetimelong

    The SA lifetime that is determined by Phase 1 negotiations. Unit: seconds.

    86400
    LocalIdstring

    The identifier of the IPsec-VPN connection on the Alibaba Cloud side.

    47.XX.XX.1
    RemoteIdstring

    The identifier of the IPsec-VPN connection on the data center side.

    47.XX.XX.2
    IpsecConfigobject

    The configuration of Phase 2 negotiations.

    IpsecEncAlgstring

    The encryption algorithm that is used in Phase 2 negotiations.

    aes
    IpsecAuthAlgstring

    The authentication algorithm that is used in Phase 2 negotiations.

    md5
    IpsecPfsstring

    The DH key exchange algorithm that is used in Phase 2 negotiations.

    group2
    IpsecLifetimelong

    The SA lifetime that is determined by Phase 2 negotiations. Unit: seconds.

    86400
    CreateTimelong

    The timestamp generated when the IPsec-VPN connection was established. Unit: milliseconds.

    This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.

    1658201810000
    EffectImmediatelyboolean

    Indicates whether IPsec negotiations immediately start after the configuration takes effect. Valid values:

    • true
    • false
    false
    Statusstring

    The state of the IPsec-VPN connection. Valid values:

    • ike_sa_not_established: Phase 1 negotiations failed.
    • ike_sa_established: Phase 1 negotiations succeeded.
    • ipsec_sa_not_established: Phase 2 negotiations failed.
    • ipsec_sa_established: Phase 2 negotiations succeeded.
    ike_sa_not_established
    VcoHealthCheckobject

    The health check configuration of the IPsec-VPN connection.

    Enablestring

    Indicates whether the health check feature is enabled for the IPsec-VPN connection. Valid values:

    • true
    • false
    true
    Sipstring

    The source IP address that is used for health checks.

    10.1.1.1
    Dipstring

    The destination IP address that is used for health checks.

    192.168.1.1
    Intervalinteger

    The interval between two consecutive health check retries. Unit: seconds.

    3
    Retryinteger

    The maximum number of health check retries.

    3
    Policystring

    Indicates whether advertised routes are withdrawn when the health check fails. Valid values:

    • revoke_route: Advertised routes are withdrawn.
    • reserve_route: Advertised routes are not withdrawn.
    revoke_route
    EnableDpdboolean

    Indicates whether the DPD feature is enabled for the IPsec-VPN connection. Valid values:

    • true
    • false
    true
    EnableNatTraversalboolean

    Indicates whether NAT traversal is enabled for the IPsec-VPN connection. Valid values:

    • true
    • false
    true
    VpnBgpConfigobject

    The BGP configuration of the IPsec-VPN connection.

    EnableBgpstring

    Indicates whether BGP is enabled for the IPsec-VPN connection. Valid values:

    • true
    • false
    true
    TunnelCidrstring

    The CIDR block of the IPsec tunnel.

    169.254.11.0/30
    LocalBgpIpstring

    The BGP IP address on the Alibaba Cloud side.

    169.254.11.1
    PeerBgpIpstring

    The BGP IP address on the data center side.

    169.254.11.2
    LocalAsnlong

    The ASN on the Alibaba Cloud side.

    45104
    PeerAsnlong

    The ASN on the data center side.

    65535
    Statusstring

    The negotiation state of BGP. Valid values:

    • success: normal
    • false: abnormal
    false
    AttachTypestring

    The type of the resource that is associated with the IPsec-VPN connection. Valid values:

    • CEN: The IPsec-VPN connection is associated with a transit router.
    • VPNGW: The IPsec-VPN connection is associated with a VPN gateway.
    • NO_ASSOCIATED: The IPsec-VPN connection is not associated with any resource.
    CEN
    NetworkTypestring

    The network type of the IPsec-VPN connection. Valid values:

    • public: an encrypted connection over the Internet
    • private: an encrypted connection over private networks
    public
    AttachInstanceIdstring

    The ID of the Cloud Enterprise Network (CEN) instance to which the transit router associated with the IPsec-VPN connection belongs.

    cen-c2r3m3zxkumoqz****
    Specstring

    The bandwidth specification of the IPsec-VPN connection.

    A value of M in the response indicates Mbit/s.

    1000M
    ResourceGroupIdstring

    The ID of the resource group to which the IPsec-VPN connection belongs.

    You can call the ListResourceGroups operation to query resource groups.

    rg-acfmzs372yg****
    RequestIdstring

    The request ID.

    35822A84-867F-3936-A2E6-A4C4E3ED11C0

    Examples

    Sample success responses

    JSONformat

    {
      "VpnConnectionId": "vco-p0w5112fgnl2ihlmf****",
      "CustomerGatewayId": "cgw-p0w2jemrcj5u61un8****",
      "VpnGatewayId": "vpn-p0wa1c1018pmeb6cu****",
      "Name": "nametest",
      "Description": "desctest",
      "LocalSubnet": "10.1.1.0/24,10.1.2.0/24",
      "RemoteSubnet": "10.1.3.0/24,10.1.4.0/24",
      "IkeConfig": {
        "Psk": "1234***",
        "IkeVersion": "ikev1",
        "IkeMode": "main",
        "IkeEncAlg": "aes",
        "IkeAuthAlg": "sha1",
        "IkePfs": "group2",
        "IkeLifetime": 86400,
        "LocalId": "47.XX.XX.1",
        "RemoteId": "47.XX.XX.2"
      },
      "IpsecConfig": {
        "IpsecEncAlg": "aes",
        "IpsecAuthAlg": "md5",
        "IpsecPfs": "group2",
        "IpsecLifetime": 86400
      },
      "CreateTime": 1658201810000,
      "EffectImmediately": false,
      "Status": "ike_sa_not_established",
      "VcoHealthCheck": {
        "Enable": "true",
        "Sip": "10.1.1.1",
        "Dip": "192.168.1.1",
        "Interval": 3,
        "Retry": 3,
        "Policy": "revoke_route"
      },
      "EnableDpd": true,
      "EnableNatTraversal": true,
      "VpnBgpConfig": {
        "EnableBgp": "true",
        "TunnelCidr": "169.254.11.0/30",
        "LocalBgpIp": "169.254.11.1",
        "PeerBgpIp": "169.254.11.2",
        "LocalAsn": 45104,
        "PeerAsn": 65535,
        "Status": "false"
      },
      "AttachType": "CEN",
      "NetworkType": "public",
      "AttachInstanceId": "cen-c2r3m3zxkumoqz****",
      "Spec": "1000M",
      "ResourceGroupId": "rg-acfmzs372yg****",
      "RequestId": "35822A84-867F-3936-A2E6-A4C4E3ED11C0"
    }

    Error codes

    HTTP status codeError codeError messageDescription
    400VpnConnection.ConfiguringThe specified service is configuring.The service is being configured. Try again later.
    400VpnConnection.FinancialLockedThe specified service is financial locked.The error message returned because the service is locked due to overdue payments.
    400InvalidNameThe name is not validThe name format is invalid.
    400VpnRouteEntry.AlreadyExistsThe specified route entry is already exist.The route already exists.
    400VpnRouteEntry.ConflictThe specified route entry has conflict.Route conflicts exist.
    400NotSupportVpnConnectionParameter.IpsecPfsThe specified vpn connection ipsec Ipsec Pfs is not support.The PFS parameter set for the IPsec-VPN connection is not supported.
    400NotSupportVpnConnectionParameter.IpsecAuthAlgThe specified vpn connection ipsec Auth Alg is not support.The authentication algorithm specified for the IPsec-VPN connection is not supported.
    400VpnRouteEntry.BackupRouteValidate backup route entry failed.Active/standby routes failed authentication.
    400VpnRouteEntry.InvalidWeightInvalid route entry weight value.The weight specified for the route is invalid.
    400MissingParameter.TunnelCidrThe parameter TunnelCidr is mandatory when BGP is enabled.You must specify the tunnel CIDR block when you enable BGP.
    400OperationUnsupported.EnableBgpCurrent region does not support enable BGP.The error message returned because the current region does not support BGP.
    400MissingParam.CustomerGatewayAsnAsn of customer gateway is mandatory when BGP is enabled.The ASN of the customer gateway cannot be empty when you enable BGP.
    400IllegalParam.LocalAsnThe specified LocalAsn is invalid.The local ASN is invalid.
    400IllegalParam.BgpConfigThe specified BgpConfig is invalid.The BGP configuration is invalid.
    400IllegalParam.TunnelCidrThe specified TunnelCidr is invalid.The TunnelCidr parameter is set to an invalid value.
    400InvalidLocalBgpIp.MalformedThe specified LocalBgpIp is malformed.The local BGP IP address is in an abnormal state.
    400IllegalParam.LocalBgpIpThe specified LocalBgpIp is invalid.The local BGP IP address is invalid.
    400IllegalParam.LocalSubnetThe specified "LocalSubnet" (%s) is invalid.The specified "LocalSubnet" (%s) is invalid.
    400IllegalParam.RemoteSubnetThe specified "RemoteSubnet" (%s) is invalid.The specified "RemoteSubnet" (%s) is invalid.
    400CustomerGateway.ConflictRouteEntryThe specified customer gateway has conflict with route entry.The customer gateway conflicts with the current routes.
    400IllegalParam.NetworkTypeThe specified NetworkType (%s) is invalid.The network type is invalid.
    400InvalidTunnelCidr.MalformedThe specified TunnelCidr is malformed.The specified tunnel CIDR block is invalid.
    400InvalidVpnGatewayInstanceId.NotFoundThe specified vpn gateway instance id does not exist.The specified VPN gateway does not exist. Check whether the specified VPN gateway is valid.
    400Resource.QuotaFullThe resources you are operating have reached the upper limit of the quota. Please increase the quota or use other solutions to avoid it according to the VPN operation document.The resources you are operating have reached the upper limit of the quota. Please refer to the VPN operation document to increase the quota or use other schemes to avoid it.
    400CreateDbrRoutesQuotaFull.QuotaFullThe number of created destination routes exceeds the quota limit.The number of created destination routes exceeds the quota limit.
    400CreatePbrRoutesQuotaFull.QuotaFullThe number of policy routes exceeds the quota limit.The number of policy routes exceeds the quota limit.
    403Forbbiden.SubUserUser not authorized to operate on the specified resource as your account is created by another user.You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again.
    403ForbiddenUser not authorized to operate on the specified resource.You do not have the permissions to manage the specified resource. Apply for the permissions and try again.
    404InvalidVpnConnectionInstanceId.NotFoundThe specified vpn connection instance id does not exist.The specified vpn connection instance id does not exist.

    For a list of error codes, visit the Service error codes.

    Change history

    Change timeSummary of changesOperation
    2024-10-24The Error code has changed. The request parameters of the API has changed. The response structure of the API has changedView Change Details
    2024-01-04The Error code has changedView Change Details
    2023-10-19API Description Update. The Error code has changed. The response structure of the API has changedView Change Details