Modifies the configuration of an IPsec-VPN connection.
Operation description
-
If you want to modify a IPsec-VPN connection in dual-tunnel mode, call the
ModifyVpnConnectionAttribute
operation. You can modify the required parameters and the following request parameters:ClientToken, Name, LocalSubnet, RemoteSubnet, EffectImmediately, AutoConfigRoute, TunnelOptionsSpecification, and EnableTunnelsBgp.
-
If you want to modify a IPsec-VPN connection in single-tunnel mode, call the
ModifyVpnConnectionAttribute
operation. You can modify the required parameters and the following request parameters:ClientToken, Name, LocalSubnet, RemoteSubnet, EffectImmediately, IkeConfig, IpsecConfig, HealthCheckConfig, AutoConfigRoute, EnableDpd, EnableNatTraversal, BgpConfig, and RemoteCaCertificate.
-
ModifyVpnConnectionAttribute is an asynchronous operation. After a request is sent, the system returns a request ID and modifies the configuration of the IPsec-VPN connection in the backend. You can call the DescribeVpnGateway operation to query the status of a VPN gateway.
- If the VPN gateway is in the updating state, the configuration of the IPsec-VPN connection is being modified.
- If the VPN gateway is in the active state, the configuration of the IPsec-VPN connection is modified.
-
You cannot repeatedly call the ModifyVpnConnectionAttribute operation for the same VPN gateway within the specified period of time.
Debugging
Authorization information
The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action
policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:
- Operation: the value that you can use in the Action element to specify the operation on a resource.
- Access level: the access level of each operation. The levels are read, write, and list.
- Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level,
All Resources
is used in the Resource type column of the operation.
- Condition Key: the condition key that is defined by the cloud service.
- Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
Operation | Access level | Resource type | Condition key | Associated operation |
---|---|---|---|---|
vpc:ModifyVpnConnectionAttribute | update | *VpnConnection acs:vpc:{#regionId}:{#accountId}:vpnconnection/{#VpnConnectionId} |
| none |
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
RegionId | string | Yes | The ID of the region in which the IPsec-VPN connection is created. You can call the DescribeRegions operation to query the most recent region list. | cn-shanghai |
ClientToken | string | No | The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests. The token can contain only ASCII characters. Note
If you do not specify this parameter, the system automatically uses the value of RequestId as the value of ClientToken. The request ID may be different for each request.
| 02fb3da4-130e-11e9-8e44-0016e04115b |
VpnConnectionId | string | Yes | The ID of the IPsec-VPN connection. | vco-bp1bbi27hojx80nck**** |
Name | string | No | The name of the IPsec-VPN connection. The name must be 1 to 100 characters in length and cannot start with | nametest |
LocalSubnet | string | No | The CIDR block used to connect the virtual private cloud (VPC) to the data center. The CIDR block is used in Phase 2 negotiations. Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24. The following routing modes are supported:
| 10.1.1.0/24,10.1.2.0/24 |
RemoteSubnet | string | No | The CIDR block on the data center side. This CIDR block is used in Phase 2 negotiations. Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24. The following routing modes are supported:
| 10.2.1.0/24,10.2.2.0/24 |
EffectImmediately | boolean | No | Specifies whether to immediately start IPsec negotiations after the configuration takes effect. Valid values:
| false |
IkeConfig | string | No | This parameter is supported if you modify the configurations of an IPsec-VPN connection in single-tunnel mode. The configurations of Phase 1 negotiations:
| {"Psk":"pgw6dy7d1i8i****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"116.64.XX.XX","RemoteId":"139.18.XX.XX"} |
IpsecConfig | string | No | You can specify this parameter if you modify the configuration of a single-tunnel IPsec-VPN connection. The configuration of Phase 2 negotiations:
| {"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400} |
HealthCheckConfig | string | No | You can specify this parameter if you modify the configuration of a single-tunnel IPsec-VPN connection. The health check configuration:
| {"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3"} |
AutoConfigRoute | boolean | No | Specifies whether to automatically advertise routes. Valid values:
| true |
EnableDpd | boolean | No | You can specify this parameter if you modify the configuration of a single-tunnel IPsec-VPN connection. Specifies whether to enable the dead peer detection (DPD) feature. Valid values:
| true |
EnableNatTraversal | boolean | No | You can specify this parameter if you modify the configuration of a single-tunnel IPsec-VPN connection. Specifies whether to enable NAT traversal. Valid values:
| true |
BgpConfig | string | No | This parameter is supported if you modify the configurations of an IPsec-VPN connection in single-tunnel mode. BGP configuration:
Note
| {"EnableBgp":"true","LocalAsn":"65530","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"} |
RemoteCaCertificate | string | No | You can specify this parameter if you modify the configuration of a single-tunnel IPsec-VPN connection. If the VPN gateway uses a ShangMi (SM) certificate, you can modify the CA certificate used by the IPsec peer. If the VPN gateway does not use an SM certificate, you cannot specify this parameter. | -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE----- |
TunnelOptionsSpecification | array<object> | No | The tunnel configurations. You can specify parameters in the TunnelOptionsSpecification array when you modify the configurations of an IPsec-VPN connection in dual-tunnel mode. You can modify the configurations of both the active and standby tunnels of the IPsec-VPN connection. | |
object | No | The tunnel configurations. | ||
TunnelId | string | No | The tunnel ID. | tun-opsqc4d97wni27**** |
CustomerGatewayId | string | No | The ID of the customer gateway associated with the tunnel. | cgw-1nmwbpgrp7ssqm1yn**** |
Role | string | No | The tunnel role. Valid values:
| master |
EnableDpd | boolean | No | Specifies whether to enable the Dead Peer Detection (DPD) feature for the tunnel. Valid values:
| true |
EnableNatTraversal | boolean | No | Specifies whether to enable NAT traversal for the tunnel. Valid values:
| true |
RemoteCaCertificate | string | No | If the VPN gateway uses an SM certificate, you can modify the CA certificate used by the IPsec peer. If the VPN gateway does not use an SM certificate, this parameter is not supported. | -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE----- |
TunnelBgpConfig | object | No | The Border Gateway Protocol (BGP) configurations of the tunnel. | |
LocalAsn | long | No | The ASN of the tunnel on the Alibaba Cloud side. Valid values: 1 to 4294967295. Default value: 45104. Note
You can specify this parameter only if EnableTunnelsBgp is set to true.
| 65530 |
LocalBgpIp | string | No | The BGP IP address of the tunnel on the Alibaba Cloud side. The address is an IP address that falls within the BGP CIDR block. | 169.254.10.1 |
TunnelCidr | string | No | The BGP CIDR block of the tunnel. The CIDR block must fall within 169.254.0.0/16 and the mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30. Note
The BGP CIDR block of each tunnel must be unique on a VPN gateway.
| 169.254.10.0/30 |
TunnelIkeConfig | object | No | The configurations of Phase 1 negotiations. | |
IkeAuthAlg | string | No | The authentication algorithm that is used in Phase 1 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512. | md5 |
IkeEncAlg | string | No | The encryption algorithm that is used in Phase 1 negotiations. Valid values: aes, aes192, aes256, des, and 3des. | aes |
IkeLifetime | long | No | The SA lifetime as a result of Phase 1 negotiations. Unit: seconds Valid values: 0 to 86400. | 86400 |
IkeMode | string | No | The negotiation mode of IKE. Valid values:
| main |
IkePfs | string | No | The Diffie-Hellman key exchange algorithm that is used in Phase 1 negotiations. Valid values: group1, group2, group5, and group14. | group2 |
IkeVersion | string | No | The version of the IKE protocol. Valid values: ikev1 and ikev2. Compared with IKEv1, IKEv2 simplifies the SA negotiation process and provides better support for scenarios with multiple CIDR blocks. | ikev1 |
LocalId | string | No | The identifier on the Alibaba Cloud side, which is used in Phase 1 negotiations. The identifier cannot exceed 100 characters in length and cannot contain space characters. The default value is the IP address of the tunnel. LocalId supports fully qualified domain names (FQDNs). If you use an FQDN, we recommend that you set the negotiation mode to aggressive. | 47.21.XX.XX |
Psk | string | No | The pre-shared key, which is used for identity authentication between the tunnel and the tunnel peer.
Note
The tunnel and the tunnel peer must use the same pre-shared key. Otherwise, the tunnel cannot be built.
| 123456**** |
RemoteId | string | No | The identifier of the tunnel peer, which is used in Phase 1 negotiations. The identifier cannot exceed 100 characters in length and cannot contain space characters. The default value is the IP address of the customer gateway that is associated with the tunnel. RemoteId supports FQDNs. If you use an FQDN, we recommend that you set the negotiation mode to aggressive. | 47.42.XX.XX |
TunnelIpsecConfig | object | No | The configurations of Phase 2 negotiations. | |
IpsecAuthAlg | string | No | The authentication algorithm that is used in Phase 2 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512. | md5 |
IpsecEncAlg | string | No | The encryption algorithm that is used in Phase 2 negotiations. Valid values: aes, aes192, aes256, des, and 3des. | aes |
IpsecLifetime | integer | No | The SA lifetime as a result of Phase 2 negotiations. Unit: seconds Valid values: 0 to 86400. | 86400 |
IpsecPfs | string | No | The Diffie-Hellman key exchange algorithm that is used in Phase 2 negotiations. Valid values: disabled, group1, group2, group5, and group14. | group2 |
EnableTunnelsBgp | boolean | No | You can specify this parameter if you modify the configuration of a dual-tunnel IPsec-VPN connection. Specifies whether to enable BGP for the tunnel. Valid values: true and false. | true |
Response parameters
Examples
Sample success responses
JSON
format
{
"EnableNatTraversal": true,
"CreateTime": 1492753817000,
"EffectImmediately": false,
"VpnGatewayId": "vpn-bp1q8bgx4xnkm2ogj****",
"LocalSubnet": "10.1.1.0/24,10.1.2.0/24",
"RequestId": "7DB79D0C-5F27-4AB5-995B-79BE55102F90",
"VpnConnectionId": "vco-bp1bbi27hojx80nck****",
"Description": "description",
"RemoteSubnet": "10.2.1.0/24,10.2.2.0/24",
"CustomerGatewayId": "cgw-p0w2jemrcj5u61un8****",
"Name": "nametest",
"EnableDpd": true,
"IkeConfig": {
"RemoteId": "139.18.XX.XX",
"IkeLifetime": 86400,
"IkeEncAlg": "aes",
"LocalId": "116.64.XX.XX",
"IkeMode": "main",
"IkeVersion": "ikev1",
"IkePfs": "group2",
"Psk": "pgw6dy7d1i8i****",
"IkeAuthAlg": "sha1"
},
"IpsecConfig": {
"IpsecAuthAlg": "sha1",
"IpsecLifetime": 86400,
"IpsecEncAlg": "aes",
"IpsecPfs": "group2"
},
"VcoHealthCheck": {
"Dip": "192.168.1.1",
"Interval": 3,
"Retry": 3,
"Sip": "10.1.1.1",
"Enable": "true"
},
"VpnBgpConfig": {
"Status": "success",
"PeerBgpIp": "169.254.11.2",
"TunnelCidr": "169.254.11.0/30",
"EnableBgp": "true",
"LocalBgpIp": "169.254.11.1",
"PeerAsn": 65531,
"LocalAsn": 65530
},
"TunnelOptionsSpecification": {
"TunnelOptions": [
{
"CustomerGatewayId": "cgw-p0wy363lucf1uyae8****",
"EnableDpd": true,
"EnableNatTraversal": true,
"InternetIp": "47.21.XX.XX",
"RemoteCaCertificate": "-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----",
"Role": "master",
"State": "active",
"TunnelBgpConfig": {
"LocalAsn": 65530,
"LocalBgpIp": "169.254.10.1",
"PeerAsn": 65531,
"PeerBgpIp": "169.254.10.2",
"TunnelCidr": "169.254.10.0/30"
},
"TunnelId": "tun-opsqc4d97wni27****",
"TunnelIkeConfig": {
"IkeAuthAlg": "sha1",
"IkeEncAlg": "aes",
"IkeLifetime": 86400,
"IkeMode": "main",
"IkePfs": "group2",
"IkeVersion": "ikev1",
"LocalId": "47.21.XX.XX",
"Psk": "123456****",
"RemoteId": "47.42.XX.XX"
},
"TunnelIpsecConfig": {
"IpsecAuthAlg": "sha1",
"IpsecEncAlg": "aes",
"IpsecLifetime": 86400,
"IpsecPfs": "group2"
},
"ZoneNo": "ap-southeast-5a"
}
]
},
"EnableTunnelsBgp": true,
"ResourceGroupId": "rg-acfmzs372yg****"
}
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
400 | VpnGateway.Configuring | The specified service is configuring. | The service is being configured. Try again later. |
400 | VpnGateway.FinancialLocked | The specified service is financial locked. | The service is suspended due to overdue payments. Top up your account first. |
400 | InvalidName | The name is not valid | The name format is invalid. |
400 | VpnRouteEntry.AlreadyExists | The specified route entry is already exist. | The route already exists. |
400 | VpnRouteEntry.Conflict | The specified route entry has conflict. | Route conflicts exist. |
400 | NotSupportVpnConnectionParameter.IpsecPfs | The specified vpn connection ipsec Ipsec Pfs is not support. | The PFS parameter set for the IPsec-VPN connection is not supported. |
400 | NotSupportVpnConnectionParameter.IpsecAuthAlg | The specified vpn connection ipsec Auth Alg is not support. | The authentication algorithm specified for the IPsec-VPN connection is not supported. |
400 | VpnRouteEntry.ConflictSSL | The specified route entry has conflict with SSL client. | The route conflicts with the SSL client. |
400 | VpnRouteEntry.BackupRoute | Validate backup route entry failed. | Active/standby routes failed authentication. |
400 | VpnRouteEntry.InvalidWeight | Invalid route entry weight value. | The weight specified for the route is invalid. |
400 | QuotaExceeded.PBR | The policy-based routes has reached the upper limit. | The number of policy-based routes has reached the upper limit. |
400 | OperationUnsupported.SetDPD | Current version of the VPN does not support setting DPD. | The VPN gateway version does not support DPD. |
400 | OperationUnsupported.SetNatTraversal | Current version of the VPN does not support setting NAT traversal. | The VPN gateway version does not support NAT traversal. |
400 | QuotaExceeded.PolicyBasedRoute | The maximum number of policy-based routes is exceeded. Existing routes: %s. Routes to be created: %s. Maximum routes: %s. | The quota of policy-based routes is reached. Existing routes: %s. Routes to be created: %s. Quota: %s. |
400 | MissingParameter.TunnelCidr | The parameter TunnelCidr is mandatory when BGP is enabled. | You must specify the tunnel CIDR block when you enable BGP. |
400 | OperationUnsupported.EnableBgp | Current version of the VPN does not support enable BGP. | The current version of the VPN gateway does not support BGP. |
400 | MissingParam.CustomerGatewayAsn | Asn of customer gateway is mandatory when BGP is enabled. | The ASN of the customer gateway cannot be empty when you enable BGP. |
400 | IllegalParam.LocalAsn | The specified LocalAsn is invalid. | The local ASN is invalid. |
400 | IllegalParam.BgpConfig | The specified BgpConfig is invalid. | The BGP configuration is invalid. |
400 | IllegalParam.EnableBgp | VPN connection must enable BGP when VPN gateway has enabled BGP. | The error message returned because the VPN connection must use BGP if BGP is enabled for the VPN gateway. |
400 | IllegalParam.TunnelCidr | The specified TunnelCidr is invalid. | The TunnelCidr parameter is set to an invalid value. |
400 | InvalidLocalBgpIp.Malformed | The specified LocalBgpIp is malformed. | The local BGP IP address is in an abnormal state. |
400 | IllegalParam.LocalBgpIp | The specified LocalBgpIp is invalid. | The local BGP IP address is invalid. |
400 | IllegalParam.LocalSubnet | The specified "LocalSubnet" (%s) is invalid. | The specified "LocalSubnet" (%s) is invalid. |
400 | IllegalParam.RemoteSubnet | The specified "RemoteSubnet" (%s) is invalid. | The specified "RemoteSubnet" (%s) is invalid. |
400 | OperationFailed.CenLevelNotSupport | When the VPC to which the VPN gateway belongs is attached to a FULL-mode CEN, the VPN gateway cannot enable BGP. | When the VPC to which the VPN gateway belongs is attached to a FULL-mode CEN, the VPN gateway cannot enable BGP. |
400 | InvalidTunnelCidr.Malformed | The specified TunnelCidr is malformed. | The specified tunnel CIDR block is invalid. |
400 | CustomerGateway.ConflictRouteEntry | The specified customer gateway has conflict with route entry. | The customer gateway conflicts with the current routes. |
400 | VpnTask.CONFLICT | Vpn task has conflict. | The VPN operation conflicts. Try again later. |
400 | OperationFailed.RouteConflictWithIPsecServer | Operation failed because the route to create conflicts with the client IP pool of the IPsec server. | Operation failed because the route to create conflicts with the client IP pool of the IPsec server. |
400 | IllegalParam.TunnelId | The specified TunnelId is invalid. | TunnelId is set to an invalid value. |
400 | IllegalParam.Role | The specified Role is invalid. | Role is set to an invalid value. |
400 | VpnConnectionParamInvalid.SameVpnAndCgwDifferentIkeConfigs | IPSec connections associated with the same user gateway and VPN gateway should have the same pre-shared key and IKE configuration. | The pre-shared key and IKE parameters must be the same for IPsec-VPN connections that are associated with the same VPN gateway and customer gateway. |
400 | VpnConnectionParamInvalid.SameVpnAndCgwTrafficSelectorOverlap | Traffic selectors of IPSec connections associated with the same user gateway and VPN gateway should not overlap. | The protected data flows of IPsec-VPN connections that are associated with the same VPN gateway and customer gateway cannot overlap. |
400 | ModifyIkeV1WithMultiRoutes.Invalid | Failed to modify VPN connection parameters. Multi-network is configured while using IkeV1 protocol. | Failed to modify VPN connection parameters. Multi-network is configured while using IkeV1 protocol. |
403 | Forbbiden.SubUser | User not authorized to operate on the specified resource as your account is created by another user. | You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again. |
403 | Forbidden | User not authorized to operate on the specified resource. | You do not have the permissions to manage the specified resource. Apply for the permissions and try again. |
404 | InvalidVpnConnectionInstanceId.NotFound | The specified vpn connection instance id does not exist. | The specified vpn connection instance id does not exist. |
500 | OperationFailed.RouteConflictWithIPsecServer | Operation failed because the specified route conflicts with IPsec server. | The route conflicts with the IPsec server. |
For a list of error codes, visit the Service error codes.
Change history
Change time | Summary of changes | Operation |
---|---|---|
2024-10-24 | The Error code has changed | View Change Details |
2024-01-04 | API Description Update. The Error code has changed | View Change Details |
2023-10-23 | The Error code has changed | View Change Details |
2023-10-19 | The API operation is not deprecated.. The Error code has changed. The response structure of the API has changed | View Change Details |
2023-08-01 | API Description Update. The Error code has changed. The response structure of the API has changed | View Change Details |
2023-06-30 | The Error code has changed. The request parameters of the API has changed. The response structure of the API has changed | View Change Details |