The ALIYUN::VPC::VpnAttachment type creates an IPsec connection that can be associated with a transit router instance.
Syntax
{
  "Type": "ALIYUN::VPC::VpnAttachment",
  "Properties": {
    "LocalSubnet": String,
    "CustomerGatewayId": String,
    "AutoConfigRoute": Boolean,
    "Name": String,
    "EffectImmediately": Boolean,
    "BgpConfig": Map,
    "RemoteSubnet": String,
    "RemoteCaCert": String,
    "IpsecConfig": Map,
    "NetworkType": String,
    "HealthCheckConfig": Map,
    "EnableNatTraversal": Boolean,
    "IkeConfig": Map,
    "EnableDpd": Boolean
  }
}
Properties
Property | Type | Required | Editable | Description | Constraint |
LocalSubnet | String | Yes | Yes | The CIDR block on the VPC side that needs to communicate with the on-premises data center. It is used in phase-2 negotiation. | Separate multiple CIDR blocks with commas (,), for example: 192.168.1.0/24,192.168.2.0/24. For notes on the routing mode of IPsec connections, see Configure IPsec connection routes. Example value: 10.1.1.0/24,10.1.2.0/24. |
CustomerGatewayId | String | Yes | No | The ID of the customer gateway. | None |
AutoConfigRoute | Boolean | No | Yes | Specifies whether to automatically configure routes. | Valid values: true (default), false. |
Name | String | No | Yes | The name of the IPsec connection. | None |
EffectImmediately | Boolean | No | Yes | Specifies whether the configuration of the IPsec connection takes effect immediately. | Valid values: true: negotiate immediately after the configuration is complete. false (default): negotiate when traffic enters the tunnel. |
BgpConfig | Map | No | Yes | The BGP configuration. | For more information, see BgpConfig properties. Note: Before you add a BGP configuration, we recommend that you learn how BGP dynamic routing works and what its limits are. For more information, see Configure IPsec connection routes. We recommend that you use a private ASN to establish the BGP connection with Alibaba Cloud; refer to the relevant documentation for the private ASN range. Example value: |
RemoteSubnet | String | Yes | Yes | The CIDR block on the on-premises data center side that needs to communicate with the VPC. It is used in phase-2 negotiation. | Separate multiple CIDR blocks with commas (,), for example: 192.168.3.0/24,192.168.4.0/24. For notes on the routing mode of IPsec connections, see Configure IPsec connection routes. Example value: 10.1.3.0/24,10.1.4.0/24 |
RemoteCaCert | String | No | No | The CA certificate of the peer when an SM (ShangMi) VPN gateway creates the IPsec connection. | Example value: |
IpsecConfig | Map | No | Yes | The configuration of phase-2 negotiation. | For more information, see IpsecConfig properties. Example value: |
NetworkType | String | No | No | The network type of the IPsec connection. | Valid values: public, private. |
HealthCheckConfig | Map | No | Yes | The health check configuration. | For more information, see HealthCheckConfig properties. Example value: |
EnableNatTraversal | Boolean | No | Yes | Specifies whether to enable NAT traversal. | Valid values: true (default): the initiator does not check UDP ports during IKE negotiation and can automatically discover NAT devices along the tunnel. false: NAT traversal is disabled. |
IkeConfig | Map | No | Yes | The configuration of phase-1 negotiation. | For more information, see IkeConfig properties. |
EnableDpd | Boolean | No | Yes | Specifies whether to enable dead peer detection (DPD). | Valid values: true (default): the initiator sends DPD packets to verify that the peer exists and is available; if no response arrives within the configured period, the ISAKMP SAs, IPsec SAs and the tunnel are deleted. false: DPD is disabled and the initiator sends no DPD packets. |
BgpConfig syntax
"BgpConfig": {
  "EnableBgp": Boolean,
  "LocalAsn": Number,
  "TunnelCidr": String,
  "LocalBgpIp": String
}
BgpConfig properties
Property | Type | Required | Editable | Description | Constraint |
EnableBgp | Boolean | No | No | Specifies whether to enable BGP. | Valid values: true, false. Default value: false. |
LocalAsn | Number | No | Yes | The autonomous system number (ASN) on the Alibaba Cloud side. | Valid values: 1 to 4294967295. Default value: 45104. |
TunnelCidr | String | No | Yes | The CIDR block of the IPsec tunnel. | The CIDR block must fall within 169.254.0.0/16 and have a 30-bit subnet mask. |
LocalBgpIp | String | No | Yes | The BGP IP address on the Alibaba Cloud side. | The address must fall within the CIDR block of the IPsec tunnel. |
IpsecConfig syntax
"IpsecConfig": {
  "IpsecPfs": String,
  "IpsecEncAlg": String,
  "IpsecAuthAlg": String,
  "IpsecLifetime": Integer
}
IpsecConfig properties
Property | Type | Required | Editable | Description | Constraint |
IpsecPfs | String | No | Yes | The Diffie-Hellman key exchange algorithm used in phase-2 negotiation. | Valid values: disabled, group1, group2, group5, group14, group24. Default value: group2. |
IpsecEncAlg | String | No | Yes | The encryption algorithm of phase-2 negotiation. | Valid values: aes, aes192, aes256, des, 3des (standard VPN gateway; default value: aes); sm4 (SM VPN gateway; default value). |
IpsecAuthAlg | String | No | Yes | The authentication algorithm of phase-2 negotiation. | Valid values: md5, sha1, sha256, sha384, sha512 (standard VPN gateway; default value: md5); sm3 (SM VPN gateway; default value). |
IpsecLifetime | Integer | No | Yes | The lifetime of the SA negotiated in phase 2. | Unit: seconds. Valid values: 0 to 86400. Default value: 86400. |
HealthCheckConfig syntax
"HealthCheckConfig": {
  "Policy": String,
  "Enable": Boolean,
  "Dip": String,
  "Retry": Integer,
  "Sip": String,
  "Interval": Integer
}
HealthCheckConfig properties
Property | Type | Required | Editable | Description | Constraint |
Policy | String | No | Yes | Specifies whether to withdraw published routes when the health check fails. | Valid values: |
Enable | Boolean | No | Yes | Specifies whether to enable the health check. | Valid values: true, false. |
Dip | String | No | Yes | The destination IP address of the health check. | Enter an IP address in the on-premises data center that the VPC side can reach through the IPsec connection. |
Retry | Integer | No | Yes | The number of retransmitted probe packets in a health check. | Default value: 3. |
Sip | String | No | Yes | The source IP address of the health check. | Enter an IP address on the VPC side that the on-premises data center can reach through the IPsec connection. |
Interval | Integer | No | Yes | The interval between health check retries. | Unit: seconds. Default value: 3. |
IkeConfig syntax
"IkeConfig": {
  "IkeAuthAlg": String,
  "LocalId": String,
  "IkeEncAlg": String,
  "IkeVersion": String,
  "IkeMode": String,
  "IkeLifetime": Integer,
  "RemoteId": String,
  "Psk": String,
  "IkePfs": String
}
IkeConfig properties
Property | Type | Required | Editable | Description | Constraint |
IkeAuthAlg | String | No | Yes | The authentication algorithm of phase-1 negotiation. | Valid values: md5, sha1, sha256, sha384, sha512 (standard VPN gateway; default value: md5); sm3 (SM VPN gateway; default value). |
LocalId | String | No | Yes | The identifier of the IPsec connection on the Alibaba Cloud side. | Up to 100 characters. The default value is empty. |
IkeEncAlg | String | No | Yes | The encryption algorithm of phase-1 negotiation. | Valid values: aes, aes192, aes256, des, 3des (standard VPN gateway; default value: aes); sm4 (SM VPN gateway; default value). |
IkeVersion | String | No | Yes | The version of the IKE protocol. | Valid values: ikev1, ikev2. Default value: ikev1. |
IkeMode | String | No | Yes | The negotiation mode (IKEv1). | Valid values: main, aggressive. Default value: main. |
IkeLifetime | Integer | No | Yes | The lifetime of the SA negotiated in phase 1. | Unit: seconds. Valid values: 0 to 86400. Default value: 86400. |
RemoteId | String | No | Yes | The identifier of the IPsec connection on the on-premises data center side. | Up to 100 characters. The default value is the IP address of the customer gateway. |
Psk | String | No | Yes | The pre-shared key used to authenticate the VPN gateway and the on-premises data center to each other. | Limits: up to 100 characters. If you do not specify a key, a random one is generated. Note: The pre-shared key on the IPsec connection side must match the authentication key on the on-premises data center side; otherwise, the on-premises data center and the VPN gateway cannot establish a connection. |
IkePfs | String | No | Yes | The Diffie-Hellman key exchange algorithm used in phase-1 negotiation. | Valid values: group1, group2, group5, group14, group24. Default value: group2. |
Return values
Fn::GetAtt
InternetIp: the gateway IP address of the IPsec connection.
VpnAttachmentId: the ID of the IPsec connection.
PeerVpnAttachmentConfig: the configuration of the IPsec connection.
Examples
YAML format:
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  AutoConfigRoute:
    Description:
      en: "Specifies whether to automatically configure routes. Valid values:\ntrue\
        \ (default) \nfalse"
    Type: Boolean
  BgpConfig:
    AssociationPropertyMetadata:
      Parameters:
        EnableBgp:
          Description:
            en: "Specifies whether to enable the BGP feature for the tunnel. \nValid\
              \ values: true and false. Default value: false."
          Type: Boolean
        LocalAsn:
          Description:
            en: 'the ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295.
              Default value: 45104.'
          MaxValue: 4294967295
          MinValue: 1
          Type: Number
        LocalBgpIp:
          Description:
            en: "the BGP IP address on the Alibaba Cloud side. \nThis IP address must\
              \ fall within the CIDR block of the IPsec tunnel."
          Type: String
        TunnelCidr:
          Description:
            en: the CIDR block of the IPsec tunnel. The CIDR block must fall within
              169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in
              length.
          Type: String
    Description:
      en: "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required\
        \ when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP,\
        \ we recommend that you learn about how BGP works and its limits. For more\
        \ information, see VPN Gateway supports BGP dynamic routing.\nWe recommend\
        \ that you use a private ASN to establish a connection with Alibaba Cloud\
        \ over BGP. \nRefer to the relevant documentation for the private ASN range."
    Type: Json
  CustomerGatewayId:
    Description:
      en: The ID of the user gateway.
    Type: String
  EffectImmediately:
    Default: false
    Description:
      en: 'Whether to delete the currently negotiated IPsec tunnel and re-initiate
        the negotiation. Value:
        True: Negotiate immediately after the configuration is complete.
        False (default): Negotiate when traffic enters.'
    Type: Boolean
  EnableDpd:
    Description:
      en: "Specifies whether to enable the dead peer detection (DPD) feature. Valid\
        \ values: \ntrue (default) The initiator of the IPsec-VPN connection sends\
        \ DPD packets to verify the existence and availability of the peer. If no\
        \ response is received from the peer within a specified period of time, the\
        \ connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel\
        \ is also deleted. \nfalse: disables DPD. The IPsec initiator does not send\
        \ DPD packets."
    Type: Boolean
  EnableNatTraversal:
    Description:
      en: "Specifies whether to enable NAT traversal. Valid values: \ntrue (default)\
        \ After NAT traversal is enabled, the initiator does not check the UDP ports\
        \ during IKE negotiations and can automatically discover NAT gateway devices\
        \ along the VPN tunnel. \nfalse"
    Type: Boolean
  HealthCheckConfig:
    AssociationPropertyMetadata:
      Parameters:
        Dip:
          Type: String
        Enable:
          Type: Boolean
        Interval:
          Type: Number
        Policy:
          Description:
            en: Whether to revoke published routes when the health check fails.
          Type: String
        Retry:
          Type: Number
        Sip:
          Type: String
    Description:
      en: The health check configuration.
    Type: Json
  IkeConfig:
    AssociationPropertyMetadata:
      Parameters:
        IkeAuthAlg:
          AllowedValues:
            - md5
            - sha1
            - sha256
            - sha384
            - sha512
            - sm3
          Description:
            en: "The authentication algorithm negotiated in the first phase. \nIf\
              \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
              \ and the default value is md5.\nIf the VPN gateway instance type is\
              \ national secret type, The value is sm3 (default value)."
          Type: String
        IkeEncAlg:
          AllowedValues:
            - aes
            - aes192
            - aes256
            - des
            - 3des
            - sm4
          Description:
            en: "The encryption algorithm negotiated in the first phase. \nIf\
              \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
              \ and the default value is aes.\nIf the VPN gateway instance type is\
              \ national secret type, The value is sm4 (default value)."
          Type: String
        IkeLifetime:
          Default: 86400
          Description:
            en: The life cycle of the SA negotiated in the first phase. The value
              ranges from 0 to 86400, in seconds. The default value is 86400.
          MaxValue: 86400
          MinValue: 0
          Type: Number
        IkeMode:
          AllowedValues:
            - main
            - aggressive
          Default: main
          Description:
            en: 'Negotiation mode for IKE V1. Value: main|aggressive, default: main.'
          Type: String
        IkePfs:
          AllowedValues:
            - group1
            - group2
            - group5
            - group14
            - group24
          Default: group2
          Description:
            en: 'Diffie-Hellman key exchange algorithm used in the first phase negotiation.
              Value: group1|group2|group5|group14|group24, default value: group2.'
          Type: String
        IkeVersion:
          AllowedValues:
            - ikev1
            - ikev2
          Default: ikev1
          Description:
            en: 'The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1.'
          Type: String
        LocalId:
          Description:
            en: ID of the VPN gateway. The length is limited to 100 characters. The
              default value is the public IP address of the VPN gateway.
          MaxLength: 100
          Type: String
        Psk:
          Description:
            en: Used for identity authentication between the IPsec VPN gateway and
              the user gateway. It is generated randomly by default, or you can specify
              the key manually. The length is limited to 100 characters.
          MaxLength: 100
          Type: String
        RemoteId:
          Description:
            en: ID of the user gateway. The length is limited to 100 characters. The
              default value is the public IP address of the user gateway.
          MaxLength: 100
          Type: String
    Description:
      en: Configuration information for the first phase of negotiation.
    Type: Json
  IpsecConfig:
    AssociationPropertyMetadata:
      Parameters:
        IpsecAuthAlg:
          AllowedValues:
            - md5
            - sha1
            - sha256
            - sha384
            - sha512
            - sm3
          Description:
            en: "The authentication algorithm negotiated in the second phase. \nIf\
              \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
              \ and the default value is md5.\nIf the VPN gateway instance type is\
              \ national secret type, The value is sm3 (default value)."
          Type: String
        IpsecEncAlg:
          AllowedValues:
            - aes
            - aes192
            - aes256
            - des
            - 3des
            - sm4
          Description:
            en: "The encryption algorithm negotiated in the second phase. \nIf\
              \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
              \ and the default value is aes.\nIf the VPN gateway instance type is\
              \ national secret type, The value is sm4 (default value)."
          Type: String
        IpsecLifetime:
          Default: 86400
          Description:
            en: 'The life cycle of the SA negotiated in the second phase. The value
              ranges from 0 to 86400, in seconds. The default value is 86400.'
          MaxValue: 86400
          MinValue: 0
          Type: Number
        IpsecPfs:
          AllowedValues:
            - disabled
            - group1
            - group2
            - group5
            - group14
            - group24
          Default: group2
          Description:
            en: 'The Diffie-Hellman key exchange algorithm used in the second phase
              negotiation. Value: disabled|group1|group2|group5|group14|group24, default
              value: group2.'
          Type: String
    Description:
      en: Configuration information for the second phase negotiation.
    Type: Json
  LocalSubnet:
    Description:
      en: 'A network segment on the VPC side that needs to be interconnected with
        the local IDC for the second phase negotiation.
        Multiple network segments are separated by commas, for example: 192.168.1.0/24,
        192.168.2.0/24.'
    Type: String
  Name:
    Description:
      en: 'The name of the IPsec connection.
        The length is 2-128 characters and must start with a letter or Chinese. It
        can contain numbers, periods (.), underscores (_) and dashes (-), but cannot
        start with http:// or https:// .'
    MaxLength: 128
    MinLength: 2
    Type: String
  NetworkType:
    AllowedValues:
      - public
      - private
    Description:
      en: 'The network type of the IPsec connection. Value: public|private.'
    Type: String
  RemoteCaCert:
    Description:
      en: "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish\
        \ the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway\
        \ is used to establish the IPsec-VPN connection. \nYou can ignore this parameter\
        \ when a standard VPN gateway is used to create the IPsec-VPN connection."
    Type: String
  RemoteSubnet:
    Description:
      en: 'The network segment of the local IDC is used for the second phase negotiation.
        Multiple network segments are separated by commas, for example: 192.168.3.0/24,
        192.168.4.0/24.'
    Type: String
Resources:
  VpnAttachment:
    Properties:
      AutoConfigRoute:
        Ref: AutoConfigRoute
      BgpConfig:
        Ref: BgpConfig
      CustomerGatewayId:
        Ref: CustomerGatewayId
      EffectImmediately:
        Ref: EffectImmediately
      EnableDpd:
        Ref: EnableDpd
      EnableNatTraversal:
        Ref: EnableNatTraversal
      HealthCheckConfig:
        Ref: HealthCheckConfig
      IkeConfig:
        Ref: IkeConfig
      IpsecConfig:
        Ref: IpsecConfig
      LocalSubnet:
        Ref: LocalSubnet
      Name:
        Ref: Name
      NetworkType:
        Ref: NetworkType
      RemoteCaCert:
        Ref: RemoteCaCert
      RemoteSubnet:
        Ref: RemoteSubnet
    Type: ALIYUN::VPC::VpnAttachment
Outputs:
  InternetIp:
    Description: The gateway IP address of the IPsec connection.
    Value:
      Fn::GetAtt:
        - VpnAttachment
        - InternetIp
  PeerVpnAttachmentConfig:
    Description: The configuration of the IPsec connection.
    Value:
      Fn::GetAtt:
        - VpnAttachment
        - PeerVpnAttachmentConfig
  VpnAttachmentId:
    Description: ID of the IPsec attachment.
    Value:
      Fn::GetAtt:
        - VpnAttachment
        - VpnAttachmentId
JSON format:
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "LocalSubnet": {
      "Type": "String",
      "Description": {
        "en": "A network segment on the VPC side that needs to be interconnected with the local IDC for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.1.0/24, 192.168.2.0/24."
      }
    },
    "CustomerGatewayId": {
      "Type": "String",
      "Description": {
        "en": "The ID of the user gateway."
      }
    },
    "AutoConfigRoute": {
      "Type": "Boolean",
      "Description": {
        "en": "Specifies whether to automatically configure routes. Valid values:\ntrue (default) \nfalse"
      }
    },
    "Name": {
      "Type": "String",
      "Description": {
        "en": "The name of the IPsec connection.\nThe length is 2-128 characters and must start with a letter or Chinese. It can contain numbers, periods (.), underscores (_) and dashes (-), but cannot start with http:// or https:// ."
      },
      "MinLength": 2,
      "MaxLength": 128
    },
    "EffectImmediately": {
      "Type": "Boolean",
      "Description": {
        "en": "Whether to delete the currently negotiated IPsec tunnel and re-initiate the negotiation. Value:\nTrue: Negotiate immediately after the configuration is complete.\nFalse (default): Negotiate when traffic enters."
      },
      "Default": false
    },
    "BgpConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "EnableBgp": {
            "Type": "Boolean",
            "Description": {
              "en": "Specifies whether to enable the BGP feature for the tunnel. \nValid values: true and false. Default value: false."
            }
          },
          "LocalAsn": {
            "Type": "Number",
            "Description": {
              "en": "the ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295. Default value: 45104."
            },
            "MinValue": 1,
            "MaxValue": 4294967295
          },
          "TunnelCidr": {
            "Type": "String",
            "Description": {
              "en": "the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length."
            }
          },
          "LocalBgpIp": {
            "Type": "String",
            "Description": {
              "en": "the BGP IP address on the Alibaba Cloud side. \nThis IP address must fall within the CIDR block of the IPsec tunnel."
            }
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP, we recommend that you learn about how BGP works and its limits. For more information, see VPN Gateway supports BGP dynamic routing.\nWe recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. \nRefer to the relevant documentation for the private ASN range."
      }
    },
    "RemoteSubnet": {
      "Type": "String",
      "Description": {
        "en": "The network segment of the local IDC is used for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.3.0/24, 192.168.4.0/24."
      }
    },
    "RemoteCaCert": {
      "Type": "String",
      "Description": {
        "en": "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway is used to establish the IPsec-VPN connection. \nYou can ignore this parameter when a standard VPN gateway is used to create the IPsec-VPN connection."
      }
    },
    "IpsecConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "IpsecPfs": {
            "Type": "String",
            "Description": {
              "en": "The Diffie-Hellman key exchange algorithm used in the second phase negotiation. Value: disabled|group1|group2|group5|group14|group24, default value: group2."
            },
            "AllowedValues": [
              "disabled",
              "group1",
              "group2",
              "group5",
              "group14",
              "group24"
            ],
            "Default": "group2"
          },
          "IpsecEncAlg": {
            "Type": "String",
            "Description": {
              "en": "The encryption algorithm negotiated in the second phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway instance type is national secret type, The value is sm4 (default value)."
            },
            "AllowedValues": [
              "aes",
              "aes192",
              "aes256",
              "des",
              "3des",
              "sm4"
            ]
          },
          "IpsecAuthAlg": {
            "Type": "String",
            "Description": {
              "en": "The authentication algorithm negotiated in the second phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway instance type is national secret type, The value is sm3 (default value)."
            },
            "AllowedValues": [
              "md5",
              "sha1",
              "sha256",
              "sha384",
              "sha512",
              "sm3"
            ]
          },
          "IpsecLifetime": {
            "Type": "Number",
            "Description": {
              "en": "The life cycle of the SA negotiated in the second phase. The value ranges from 0 to 86400, in seconds. The default value is 86400."
            },
            "MinValue": 0,
            "MaxValue": 86400,
            "Default": 86400
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "Configuration information for the second phase negotiation."
      }
    },
    "NetworkType": {
      "Type": "String",
      "Description": {
        "en": "The network type of the IPsec connection. Value: public|private."
      },
      "AllowedValues": [
        "public",
        "private"
      ]
    },
    "HealthCheckConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "Whether to revoke published routes when the health check fails."
            }
          },
          "Enable": {
            "Type": "Boolean"
          },
          "Dip": {
            "Type": "String"
          },
          "Retry": {
            "Type": "Number"
          },
          "Sip": {
            "Type": "String"
          },
          "Interval": {
            "Type": "Number"
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "The health check configuration."
      }
    },
    "EnableNatTraversal": {
      "Type": "Boolean",
      "Description": {
        "en": "Specifies whether to enable NAT traversal. Valid values: \ntrue (default) After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel. \nfalse"
      }
    },
    "IkeConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "IkeAuthAlg": {
            "Type": "String",
            "Description": {
              "en": "The authentication algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway instance type is national secret type, The value is sm3 (default value)."
            },
            "AllowedValues": [
              "md5",
              "sha1",
              "sha256",
              "sha384",
              "sha512",
              "sm3"
            ]
          },
          "LocalId": {
            "Type": "String",
            "Description": {
              "en": "ID of the VPN gateway. The length is limited to 100 characters. The default value is the public IP address of the VPN gateway."
            },
            "MaxLength": 100
          },
          "IkeEncAlg": {
            "Type": "String",
            "Description": {
              "en": "The encryption algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway instance type is national secret type, The value is sm4 (default value)."
            },
            "AllowedValues": [
              "aes",
              "aes192",
              "aes256",
              "des",
              "3des",
              "sm4"
            ]
          },
          "IkeVersion": {
            "Type": "String",
            "Description": {
              "en": "The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1."
            },
            "AllowedValues": [
              "ikev1",
              "ikev2"
            ],
            "Default": "ikev1"
          },
          "IkeMode": {
            "Type": "String",
            "Description": {
              "en": "Negotiation mode for IKE V1. Value: main|aggressive, default: main."
            },
            "AllowedValues": [
              "main",
              "aggressive"
            ],
            "Default": "main"
          },
          "IkeLifetime": {
            "Type": "Number",
            "Description": {
              "en": "The life cycle of the SA negotiated in the first phase. The value ranges from 0 to 86400, in seconds. The default value is 86400."
            },
            "MinValue": 0,
            "MaxValue": 86400,
            "Default": 86400
          },
          "RemoteId": {
            "Type": "String",
            "Description": {
              "en": "ID of the user gateway. The length is limited to 100 characters. The default value is the public IP address of the user gateway."
            },
            "MaxLength": 100
          },
          "Psk": {
            "Type": "String",
            "Description": {
              "en": "Used for identity authentication between the IPsec VPN gateway and the user gateway. It is generated randomly by default, or you can specify the key manually. The length is limited to 100 characters."
            },
            "MaxLength": 100
          },
          "IkePfs": {
            "Type": "String",
            "Description": {
              "en": "Diffie-Hellman key exchange algorithm used in the first phase negotiation. Value: group1|group2|group5|group14|group24, default value: group2."
            },
            "AllowedValues": [
              "group1",
              "group2",
              "group5",
              "group14",
              "group24"
            ],
            "Default": "group2"
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "Configuration information for the first phase of negotiation."
      }
    },
    "EnableDpd": {
      "Type": "Boolean",
      "Description": {
        "en": "Specifies whether to enable the dead peer detection (DPD) feature. Valid values: \ntrue (default) The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel is also deleted. \nfalse: disables DPD. The IPsec initiator does not send DPD packets."
      }
    }
  },
  "Resources": {
    "VpnAttachment": {
      "Type": "ALIYUN::VPC::VpnAttachment",
      "Properties": {
        "LocalSubnet": {
          "Ref": "LocalSubnet"
        },
        "CustomerGatewayId": {
          "Ref": "CustomerGatewayId"
        },
        "AutoConfigRoute": {
          "Ref": "AutoConfigRoute"
        },
        "Name": {
          "Ref": "Name"
        },
        "EffectImmediately": {
          "Ref": "EffectImmediately"
        },
        "BgpConfig": {
          "Ref": "BgpConfig"
        },
        "RemoteSubnet": {
          "Ref": "RemoteSubnet"
        },
        "RemoteCaCert": {
          "Ref": "RemoteCaCert"
        },
        "IpsecConfig": {
          "Ref": "IpsecConfig"
        },
        "NetworkType": {
          "Ref": "NetworkType"
        },
        "HealthCheckConfig": {
          "Ref": "HealthCheckConfig"
        },
        "EnableNatTraversal": {
          "Ref": "EnableNatTraversal"
        },
        "IkeConfig": {
          "Ref": "IkeConfig"
        },
        "EnableDpd": {
          "Ref": "EnableDpd"
        }
      }
    }
  },
  "Outputs": {
    "InternetIp": {
      "Description": "The gateway IP address of the IPsec connection.",
      "Value": {
        "Fn::GetAtt": [
          "VpnAttachment",
          "InternetIp"
        ]
      }
    },
    "VpnAttachmentId": {
      "Description": "ID of the IPsec attachment.",
      "Value": {
        "Fn::GetAtt": [
          "VpnAttachment",
          "VpnAttachmentId"
        ]
      }
    },
    "PeerVpnAttachmentConfig": {
      "Description": "The configuration of the IPsec connection.",
      "Value": {
        "Fn::GetAtt": [
          "VpnAttachment",
          "PeerVpnAttachmentConfig"
        ]
      }
    }
  }
}