The ALIYUN::VPC::IpsecServer resource type is used to create an IPsec server.
Syntax
{
  "Type": "ALIYUN::VPC::IpsecServer",
  "Properties": {
    "LocalSubnet": String,
    "EffectImmediately": Boolean,
    "ClientIpPool": String,
    "VpnGatewayId": String,
    "IpsecConfig": Map,
    "Psk": String,
    "IkeConfig": Map,
    "IpsecServerName": String,
    "PskEnabled": Boolean
  }
}
Properties
| Property | Type | Required | Update allowed | Description | Constraint | 
|---|---|---|---|---|---|
| LocalSubnet | String | Yes | Yes | Local network segment: the CIDR block(s) on the VPC side that must be reachable from the client segment. | Separate multiple segments with commas (,), for example 192.168.1.0/24,192.168.2.0/24. | 
| EffectImmediately | Boolean | No | Yes | Whether to tear down the currently negotiated IPsec tunnel and renegotiate immediately. | Values: true (apply the new configuration and trigger a reconnection immediately; the reconnection briefly interrupts connectivity), false (renegotiate only when traffic arrives). | 
| VpnGatewayId | String | Yes | No | ID of the VPN gateway. | None | 
| IpsecConfig | Map | No | Yes | Phase 2 (IPsec SA) negotiation parameters. | For more information, see IpsecConfig properties. | 
| IkeConfig | Map | No | Yes | Phase 1 (IKE SA) negotiation parameters. | For more information, see IkeConfig properties. | 
| ClientIpPool | String | Yes | Yes | Client network segment: the address pool from which each client's virtual network interface is assigned an address. This is not the client's existing private network segment. | When a client connects, the VPN gateway assigns it an IP address from this pool. The pool must not overlap with the LocalSubnet segments. | 
| IpsecServerName | String | No | Yes | Name of the IPsec server. | 2 to 128 characters; must start with a letter or Chinese character and must not start with http:// or https://. May contain letters, Chinese characters, digits, periods (.), underscores (_), and hyphens (-). | 
| Psk | String | No | Yes | Pre-shared key (PSK) used to authenticate the VPN gateway and the client to each other. | Generated randomly by default; can also be specified manually. At most 100 characters. If you specify it yourself, use a long random string from a CSPRNG and keep it out of version-controlled template values (for example, pass it as a NoEcho parameter). | 
| PskEnabled | Boolean | No | Yes | Whether to enable pre-shared key authentication. | Values: true (enable pre-shared key authentication). Only true is supported. | 
IpsecConfig syntax
"IpsecConfig": {
  "IpsecPfs": String,
  "IpsecEncAlg": String,
  "IpsecAuthAlg": String,
  "IpsecLifetime": Integer
}
IpsecConfig properties
| Property | Type | Required | Update allowed | Description | Constraint | 
|---|---|---|---|---|---|
| IpsecPfs | String | No | Yes | Diffie-Hellman group used for the Phase 2 key exchange (perfect forward secrecy). With PFS disabled, Phase 2 keys are derived from the Phase 1 keying material alone, so compromise of the IKE SA exposes every child SA. | Values: | 
| IpsecEncAlg | String | No | Yes | Encryption algorithm for Phase 2 negotiation. | Values: | 
| IpsecAuthAlg | String | No | Yes | Authentication (integrity) algorithm for Phase 2 negotiation. | Values: | 
| IpsecLifetime | Integer | No | Yes | Lifetime of the SA negotiated in Phase 2. | Range: 0 to 86,400. Unit: seconds. Default: 86,400. | 
IkeConfig syntax
"IkeConfig": {
  "IkeAuthAlg": String,
  "LocalId": String,
  "IkeEncAlg": String,
  "IkeVersion": String,
  "IkeMode": String,
  "IkeLifetime": Integer,
  "RemoteId": String,
  "IkePfs": String
}
IkeConfig properties
| Property | Type | Required | Update allowed | Description | Constraint | 
|---|---|---|---|---|---|
| IkeAuthAlg | String | No | Yes | Authentication (integrity) algorithm for Phase 1 negotiation. | Values: | 
| LocalId | String | No | Yes | Identifier of the VPN gateway. | At most 100 characters. Defaults to the public IP address of the VPN gateway. | 
| IkeEncAlg | String | No | Yes | Encryption algorithm for Phase 1 negotiation. | Values: | 
| IkeVersion | String | No | Yes | Version of the IKE protocol. | Values: | 
| IkeMode | String | No | Yes | Negotiation mode of the IKE version. In IKEv1, aggressive mode sends the PSK-derived authentication hash before the exchange is encrypted, which allows offline guessing of the PSK; prefer main mode. | Values: | 
| IkeLifetime | Integer | No | Yes | Lifetime of the SA negotiated in Phase 1. | Range: 0 to 86,400. Unit: seconds. Default: 86,400. | 
| RemoteId | String | No | Yes | Identifier of the customer gateway (the peer). | At most 100 characters. Defaults to the public IP address of the customer gateway. | 
| IkePfs | String | No | Yes | Diffie-Hellman group used for the Phase 1 key exchange. | Values: | 
Return values
Fn::GetAtt
- IpsecServerId: ID of the IPsec server.
- IpsecServerName: name of the IPsec server.
Examples
JSON format
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "LocalSubnet": {
      "Type": "String",
      "Description": "The local network segment refers to the network segment on the VPC side that needs to be interconnected with the client network segment. Use half-width commas (,) to separate multiple network segments, for example: 192.168.1.0/24,192.168.2.0/24."
    },
    "EffectImmediately": {
      "Type": "Boolean",
      "Description": "true: Apply the new configuration and trigger a reconnection immediately. \nfalse: Trigger a reconnection only when network traffic occurs. (The reconnection may cause the network to be unavailable for a brief moment)",
      "AllowedValues": [
        "True",
        "true",
        "False",
        "false"
      ]
    },
    "ClientIpPool": {
      "Type": "String",
      "Description": "Client network segment refers to the address segment that assigns access addresses to the virtual network card of the client. Note: The client network segment cannot conflict with the VPC side network segment."
    },
    "VpnGatewayId": {
      "Type": "String",
      "Description": "VPN gateway instance ID."
    },
    "IpsecConfig": {
      "Type": "Json",
      "Description": "Negotiation parameter configuration in the second phase."
    },
    "Psk": {
      "Type": "String",
      "NoEcho": true,
      "Description": "Pre-shared key. Used for identity authentication between the VPN gateway and the client. A 16-character random string is generated by default, or you can manually specify the key. The length is limited to 100 characters."
    },
    "IkeConfig": {
      "Type": "Json",
      "Description": "Negotiation parameter configuration in the first phase."
    },
    "IpsecServerName": {
      "Type": "String",
      "Description": "The value must be 2 to 128 characters in length and start with a letter or Chinese character. It can contain digits, underscores (_), and hyphens (-)."
    },
    "PskEnabled": {
      "Type": "Boolean",
      "Description": "Whether to enable pre-shared key authentication. Only true is supported, which enables pre-shared key authentication.",
      "AllowedValues": [
        "True",
        "true",
        "False",
        "false"
      ]
    }
  },
  "Resources": {
    "IpsecServer": {
      "Type": "ALIYUN::VPC::IpsecServer",
      "Properties": {
        "LocalSubnet": {
          "Ref": "LocalSubnet"
        },
        "EffectImmediately": {
          "Ref": "EffectImmediately"
        },
        "ClientIpPool": {
          "Ref": "ClientIpPool"
        },
        "VpnGatewayId": {
          "Ref": "VpnGatewayId"
        },
        "IpsecConfig": {
          "Ref": "IpsecConfig"
        },
        "Psk": {
          "Ref": "Psk"
        },
        "IkeConfig": {
          "Ref": "IkeConfig"
        },
        "IpsecServerName": {
          "Ref": "IpsecServerName"
        },
        "PskEnabled": {
          "Ref": "PskEnabled"
        }
      }
    }
  },
  "Outputs": {
    "IpsecServerId": {
      "Description": "IPsec server ID.",
      "Value": {
        "Fn::GetAtt": [
          "IpsecServer",
          "IpsecServerId"
        ]
      }
    },
    "IpsecServerName": {
      "Description": "IPsec server name.",
      "Value": {
        "Fn::GetAtt": [
          "IpsecServer",
          "IpsecServerName"
        ]
      }
    }
  }
}
YAML format
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  ClientIpPool:
    Description: 'Client network segment refers to the address segment that assigns
      access addresses to the virtual network card of the client. Note: The client
      network segment cannot conflict with the VPC side network segment.'
    Type: String
  EffectImmediately:
    AllowedValues:
    - 'True'
    - 'true'
    - 'False'
    - 'false'
    Description: "true: Apply the new configuration and trigger a reconnection immediately.\
      \ \nfalse: Trigger a reconnection only when network traffic occurs. (The reconnection\
      \ may cause the network to be unavailable for a brief moment)"
    Type: Boolean
  IkeConfig:
    Description: Negotiation parameter configuration in the first phase.
    Type: Json
  IpsecConfig:
    Description: Negotiation parameter configuration in the second phase.
    Type: Json
  IpsecServerName:
    Description: The value must be 2 to 128 characters in length and start with a
      letter or Chinese character. It can contain digits, underscores (_), and hyphens
      (-).
    Type: String
  LocalSubnet:
    Description: 'The local network segment refers to the network segment on the VPC
      side that needs to be interconnected with the client network segment. Use half-width
      commas (,) to separate multiple network segments, for example: 192.168.1.0/24,192.168.2.0/24.'
    Type: String
  Psk:
    Description: Pre-shared key. Used for identity authentication between the VPN
      gateway and the client. A 16-character random string is generated by default,
      or you can manually specify the key. The length is limited to 100 characters.
    NoEcho: true
    Type: String
  PskEnabled:
    AllowedValues:
    - 'True'
    - 'true'
    - 'False'
    - 'false'
    Description: Whether to enable pre-shared key authentication. Only true is
      supported, which enables pre-shared key authentication.
    Type: Boolean
  VpnGatewayId:
    Description: VPN gateway instance ID.
    Type: String
Resources:
  IpsecServer:
    Properties:
      ClientIpPool:
        Ref: ClientIpPool
      EffectImmediately:
        Ref: EffectImmediately
      IkeConfig:
        Ref: IkeConfig
      IpsecConfig:
        Ref: IpsecConfig
      IpsecServerName:
        Ref: IpsecServerName
      LocalSubnet:
        Ref: LocalSubnet
      Psk:
        Ref: Psk
      PskEnabled:
        Ref: PskEnabled
      VpnGatewayId:
        Ref: VpnGatewayId
    Type: ALIYUN::VPC::IpsecServer
Outputs:
  IpsecServerId:
    Description: IPsec server ID.
    Value:
      Fn::GetAtt:
      - IpsecServer
      - IpsecServerId
  IpsecServerName:
    Description: IPsec server name.
    Value:
      Fn::GetAtt:
      - IpsecServer
      - IpsecServerName