
Resource Orchestration Service: ALIYUN::VPC::VpnConnection

Last Updated: Dec 21, 2023

ALIYUN::VPC::VpnConnection is used to create an IPsec-VPN connection.

Syntax

{
  "Type": "ALIYUN::VPC::VpnConnection",
  "Properties": {
    "IpsecConfig": Map,
    "Name": String,
    "IkeConfig": Map,
    "HealthCheckConfig": Map,
    "VpnGatewayId": String,
    "CustomerGatewayId": String,
    "RemoteSubnet": String,
    "LocalSubnet": String,
    "EffectImmediately": Boolean,
    "EnableTunnelsBgp": Boolean,
    "RemoteCaCertificate": String,
    "BgpConfig": Map,
    "AutoConfigRoute": Boolean,
    "EnableDpd": Boolean,
    "EnableNatTraversal": Boolean,
    "TunnelOptionsSpecification": List
  }
}

Properties

Each entry lists the property's type, whether it is required, whether it can be modified after the connection is created (Editable), its description, and its constraints.

Name
  Type: String. Required: No. Editable: Yes.
  The name of the IPsec-VPN connection.
  Constraint: The name must be 2 to 128 characters in length. It must start with a letter and cannot start with http:// or https://. It can contain letters, digits, periods (.), underscores (_), and hyphens (-).

IkeConfig
  Type: Map. Required: No. Editable: Yes.
  The configurations of Phase 1 (IKE) negotiations.
  Constraint: For more information, see IkeConfig properties.

IpsecConfig
  Type: Map. Required: No. Editable: Yes.
  The configurations of Phase 2 (IPsec) negotiations.
  Constraint: For more information, see IpsecConfig properties.

HealthCheckConfig
  Type: Map. Required: No. Editable: No.
  The health check configurations.
  Constraint: For more information, see HealthCheckConfig properties.

VpnGatewayId
  Type: String. Required: Yes. Editable: No.
  The ID of the VPN gateway.
  Constraint: None.

CustomerGatewayId
  Type: String. Required: No. Editable: No.
  The ID of the customer gateway.
  Constraint: None.

RemoteSubnet
  Type: String. Required: Yes. Editable: Yes.
  The CIDR blocks on the data center side. The CIDR blocks are used in Phase 2 negotiations.
  Constraint: Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24.

LocalSubnet
  Type: String. Required: Yes. Editable: Yes.
  The CIDR blocks on the virtual private cloud (VPC) side. The CIDR blocks are used in Phase 2 negotiations.
  Constraint: Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24.

EffectImmediately
  Type: Boolean. Required: No. Editable: Yes.
  Specifies whether to start IPsec negotiations immediately.
  Valid values:
    • true: starts IPsec negotiations as soon as the configurations of the IPsec-VPN connection are complete.
    • false (default): starts IPsec negotiations when inbound traffic is detected.

EnableTunnelsBgp
  Type: Boolean. Required: No. Editable: No.
  Specifies whether to enable Border Gateway Protocol (BGP) for the tunnels.
  Valid values: true and false.

RemoteCaCertificate
  Type: String. Required: No. Editable: No.
  The certificate authority (CA) certificate of the peer.
  Constraint: None.

BgpConfig
  Type: Map. Required: No. Editable: Yes.
  The BGP configurations of the tunnel.
  Constraint: For more information, see BgpConfig properties.

AutoConfigRoute
  Type: Boolean. Required: No. Editable: Yes.
  Specifies whether to automatically configure routes.
  Valid values: true (default) and false.

EnableDpd
  Type: Boolean. Required: No. Editable: Yes.
  Specifies whether to enable dead peer detection (DPD) for the IPsec-VPN connection.
  Valid values:
    • true: enables DPD. The initiator of the IPsec-VPN connection sends DPD packets to verify that the peer exists and is reachable. If the peer does not respond within the specified period, the connection fails: the ISAKMP Security Associations (SAs) and IPsec SAs are deleted, and the IPsec-VPN tunnel is torn down.
    • false: disables DPD. The initiator of the IPsec-VPN connection does not send DPD packets.

EnableNatTraversal
  Type: Boolean. Required: No. Editable: Yes.
  Specifies whether to enable NAT traversal for the tunnel.
  Valid values: true and false.

TunnelOptionsSpecification
  Type: List. Required: No. Editable: No.
  The tunnel configurations of the IPsec-VPN connection.
  Constraint: For more information, see TunnelOptionsSpecification properties.

IkeConfig syntax

"IkeConfig": {
  "RemoteId": String,
  "Psk": String,
  "IkeVersion": String,
  "IkeMode": String,
  "IkeAuthAlg": String,
  "IkeEncAlg": String,
  "IkePfs": String,
  "IkeLifetime": Integer,
  "LocalId": String
}

IkeConfig properties

RemoteId
  Type: String. Required: No. Editable: Yes.
  The identifier of the customer gateway.
  Constraint: The identifier can be up to 100 characters in length. The default value is the public IP address of the customer gateway.

Psk
  Type: String. Required: No. Editable: Yes.
  The pre-shared key that is used for authentication between the VPN gateway and the customer gateway.
  Constraint: The key can be up to 100 characters in length. By default, a random value is generated. You can also specify a pre-shared key. The key is a secret: do not write it into the template as a literal. Pass it in through a template parameter with NoEcho set to true, and use a long random value rather than a memorable one.

IkeVersion
  Type: String. Required: No. Editable: Yes.
  The version of the Internet Key Exchange (IKE) protocol.
  Valid values:
    • ikev1 (default)
    • ikev2
  Prefer ikev2 when the customer gateway supports it. It uses a simpler SA negotiation and has no aggressive mode, so the weakness described under IkeMode does not apply.

IkeMode
  Type: String. Required: No. Editable: Yes.
  The negotiation mode of IKEv1.
  Valid values:
    • main (default)
    • aggressive
  In aggressive mode the identities and the hashes derived from the pre-shared key are exchanged before the channel is encrypted, so a passive observer can attempt an offline dictionary attack on the key. Keep main mode unless the peer requires aggressive mode; if you must use aggressive mode, use a long random pre-shared key.

IkeAuthAlg
  Type: String. Required: No. Editable: Yes.
  The authentication algorithm that is used in Phase 1 negotiations.
  Valid values:
    • md5 (default)
    • sha1
  Both are legacy algorithms. Of the two, sha1 is the stronger choice; md5 should not be used for new deployments.

IkeEncAlg
  Type: String. Required: No. Editable: Yes.
  The encryption algorithm that is used in Phase 1 negotiations.
  Valid values:
    • aes (default)
    • aes192
    • aes256
    • des
    • 3des
  des uses a 56-bit key and 3des is deprecated; neither should be used for new deployments. Prefer aes256.

IkePfs
  Type: String. Required: No. Editable: Yes.
  The Diffie-Hellman (DH) key exchange algorithm that is used in Phase 1 negotiations.
  Valid values:
    • group1
    • group2 (default)
    • group5
    • group14
    • group24
  group1 (768-bit MODP) and group2 (1024-bit MODP) are below current key-size recommendations. Prefer group14 or group24 when the peer supports them.

IkeLifetime
  Type: Integer. Required: No. Editable: Yes.
  The SA lifetime that is determined by Phase 1 negotiations.
  Constraint: Valid values: 0 to 86400. Unit: seconds. Default value: 86400.

LocalId
  Type: String. Required: No. Editable: Yes.
  The identifier of the VPN gateway.
  Constraint: The identifier can be up to 100 characters in length. The default value is the public IP address of the VPN gateway.

IpsecConfig syntax

"IpsecConfig": {
  "IpsecAuthAlg": String,
  "IpsecEncAlg": String,
  "IpsecLifetime": Integer,
  "IpsecPfs": String
}

IpsecConfig properties

IpsecAuthAlg
  Type: String. Required: No. Editable: Yes.
  The authentication algorithm that is used in Phase 2 negotiations.
  Valid values:
    • md5 (default)
    • sha1
  Both are legacy algorithms. Of the two, sha1 is the stronger choice; md5 should not be used for new deployments.

IpsecEncAlg
  Type: String. Required: No. Editable: Yes.
  The encryption algorithm that is used in Phase 2 negotiations.
  Valid values:
    • aes (default)
    • aes192
    • aes256
    • des
    • 3des
  des uses a 56-bit key and 3des is deprecated; neither should be used for new deployments. Prefer aes256.

IpsecLifetime
  Type: Integer. Required: No. Editable: Yes.
  The SA lifetime that is determined by Phase 2 negotiations.
  Constraint: Valid values: 0 to 86400. Unit: seconds. Default value: 86400.

IpsecPfs
  Type: String. Required: No. Editable: Yes.
  The DH key exchange algorithm that is used in Phase 2 negotiations.
  Valid values:
    • group1
    • group2 (default)
    • group5
    • group14
    • group24
  group1 (768-bit MODP) and group2 (1024-bit MODP) are below current key-size recommendations. Prefer group14 or group24 when the peer supports them.
HealthCheckConfig syntax

"HealthCheckConfig": {
  "Enable": Boolean,
  "Dip": String,
  "Retry": Integer,
  "Sip": String,
  "Interval": Integer,
  "Policy": String
}

HealthCheckConfig properties

Enable
  Type: Boolean. Required: No. Editable: Yes.
  Specifies whether to enable the health check feature.
  Valid values: true and false.
  Constraint: If you set this property to true, you must also specify the other properties in this table.

Interval
  Type: Integer. Required: No. Editable: Yes.
  The interval between two consecutive health check retries.
  Constraint: Unit: seconds.

Retry
  Type: Integer. Required: No. Editable: Yes.
  The maximum number of health check retries.
  Constraint: None.

Dip
  Type: String. Required: No. Editable: Yes.
  The destination IP address of the health check: an IP address in the data center that is reachable through the IPsec-VPN connection.
  Constraint: None.

Sip
  Type: String. Required: No. Editable: Yes.
  The source IP address of the health check: an IP address that the data center can reach through the IPsec-VPN connection.
  Constraint: None.

Policy
  Type: String. Required: No. Editable: No.
  Specifies whether to withdraw published routes when the health check fails.
  Constraint: None.

BgpConfig syntax

"BgpConfig": {
  "TunnelCidr": String,
  "LocalBgpIp": String,
  "EnableBgp": Boolean,
  "LocalAsn": Number
}

BgpConfig properties

TunnelCidr
  Type: String. Required: No. Editable: Yes.
  The BGP CIDR block of the tunnel.
  Constraint: None.

LocalBgpIp
  Type: String. Required: No. Editable: Yes.
  The BGP IP address on the Alibaba Cloud side.
  Constraint: None.

EnableBgp
  Type: Boolean. Required: No. Editable: No.
  Specifies whether to enable BGP for the tunnel.
  Valid values: true and false. Default value: false.

LocalAsn
  Type: Number. Required: No. Editable: Yes.
  The autonomous system number (ASN) of the tunnel on the Alibaba Cloud side.
  Constraint: None.

TunnelOptionsSpecification syntax

"TunnelOptionsSpecification": [
  {
    "RemoteCaCertificate": String,
    "CustomerGatewayId": String,
    "TunnelBgpConfig": Map,
    "TunnelIpsecConfig": Map,
    "EnableDpd": Boolean,
    "TunnelIkeConfig": Map,
    "EnableNatTraversal": Boolean,
    "Role": String
  }
]

TunnelOptionsSpecification properties

RemoteCaCertificate
  Type: String. Required: No. Editable: No.
  The CA certificate of the tunnel peer.
  Constraint: This property applies only if the VPN gateway is of the ShangMi (SM) type.

CustomerGatewayId
  Type: String. Required: No. Editable: Yes.
  The ID of the customer gateway that is associated with the tunnel.
  Constraint: None.

TunnelBgpConfig
  Type: Map. Required: No. Editable: Yes.
  The BGP configurations of the tunnel.
  Constraint: For more information, see TunnelBgpConfig properties.

TunnelIpsecConfig
  Type: Map. Required: No. Editable: No.
  The configurations of Phase 2 (IPsec) negotiations for the tunnel.
  Constraint: For more information, see TunnelIpsecConfig properties.

EnableDpd
  Type: Boolean. Required: No. Editable: Yes.
  Specifies whether to enable DPD for the IPsec-VPN connection.
  Valid values:
    • true: enables DPD. The initiator of the IPsec-VPN connection sends DPD packets to verify that the peer exists and is reachable. If the peer does not respond within the specified period, the connection fails: the ISAKMP SAs and IPsec SAs are deleted, and the IPsec-VPN tunnel is torn down.
    • false: disables DPD. The initiator of the IPsec-VPN connection does not send DPD packets.

TunnelIkeConfig
  Type: Map. Required: No. Editable: Yes.
  The configurations of Phase 1 (IKE) negotiations for the tunnel.
  Constraint: For more information, see TunnelIkeConfig properties.

EnableNatTraversal
  Type: Boolean. Required: No. Editable: Yes.
  Specifies whether to enable NAT traversal for the IPsec-VPN connection.
  Valid values:
    • true: enables NAT traversal. The initiator then does not check the UDP ports during IKE negotiations and can automatically discover NAT devices along the IPsec-VPN tunnel.
    • false: disables NAT traversal.

Role
  Type: String. Required: No. Editable: Yes.
  The role of the tunnel.
  Valid values:
    • master: the tunnel is the active tunnel.
    • slave: the tunnel is the standby tunnel.

TunnelBgpConfig syntax

"TunnelBgpConfig": {
  "TunnelCidr": String,
  "LocalAsn": Number,
  "LocalBgpIp": String
}

TunnelBgpConfig properties

TunnelCidr
  Type: String. Required: No. Editable: Yes.
  The BGP CIDR block of the tunnel.
  Constraint: None.

LocalBgpIp
  Type: String. Required: No. Editable: Yes.
  The BGP IP address on the Alibaba Cloud side.
  Constraint: None.

LocalAsn
  Type: Number. Required: No. Editable: Yes.
  The ASN of the tunnel on the Alibaba Cloud side.
  Constraint: None.

TunnelIpsecConfig syntax

"TunnelIpsecConfig": {
  "IpsecAuthAlg": String,
  "IpsecEncAlg": String,
  "IpsecPfs": String,
  "IpsecLifetime": Integer
}

TunnelIpsecConfig properties

IpsecAuthAlg
  Type: String. Required: No. Editable: Yes.
  The authentication algorithm in the IPsec phase.
  Constraint: None.

IpsecEncAlg
  Type: String. Required: No. Editable: Yes.
  The encryption algorithm in the IPsec phase.
  Constraint: None.

IpsecPfs
  Type: String. Required: No. Editable: Yes.
  The DH group in the IPsec phase.
  Constraint: None.

IpsecLifetime
  Type: Integer. Required: No. Editable: Yes.
  The SA lifetime of the IPsec phase.
  Constraint: Unit: seconds.

TunnelIkeConfig syntax

"TunnelIkeConfig": {
  "Psk": String,
  "IkePfs": String,
  "LocalId": String,
  "IkeVersion": String,
  "IkeAuthAlg": String,
  "IkeMode": String,
  "RemoteId": String,
  "IkeLifetime": Integer,
  "IkeEncAlg": String
}

TunnelIkeConfig properties

Psk
  Type: String. Required: No. Editable: Yes.
  The pre-shared key.
  Constraint: None. The key is a secret: pass it in through a template parameter with NoEcho set to true rather than as a literal in the template.

IkePfs
  Type: String. Required: No. Editable: Yes.
  The DH group in the IKE phase.
  Constraint: None.

LocalId
  Type: String. Required: No. Editable: Yes.
  The identifier of the tunnel on the Alibaba Cloud side.
  Constraint: None.

IkeVersion
  Type: String. Required: No. Editable: Yes.
  The version of the IKE protocol.
  Valid values:
    • ikev1
    • ikev2
  Compared with IKEv1, IKEv2 simplifies the SA negotiation process and is better suited to scenarios in which multiple CIDR blocks are used. It also has no aggressive mode, so the weakness described under IkeMode does not apply.

IkeAuthAlg
  Type: String. Required: No. Editable: Yes.
  The authentication algorithm in the IKE phase.
  Constraint: None.

IkeMode
  Type: String. Required: No. Editable: Yes.
  The IKE negotiation mode (IKEv1 only).
  Valid values:
    • main: offers higher security during negotiations, because identities and the hashes derived from the pre-shared key are exchanged only after the channel is encrypted.
    • aggressive: completes negotiation in fewer messages and has a higher success rate against diverse peers, but exposes the identities and pre-shared-key hashes to a passive observer, who can then attempt an offline dictionary attack on the key. Use it only when the peer requires it, and then only with a long random pre-shared key.

RemoteId
  Type: String. Required: No. Editable: Yes.
  The identifier of the tunnel peer.
  Constraint: None.

IkeLifetime
  Type: Integer. Required: No. Editable: Yes.
  The SA lifetime of the IKE phase.
  Constraint: Unit: seconds.

IkeEncAlg
  Type: String. Required: No. Editable: Yes.
  The encryption algorithm in the IKE phase.
  Constraint: None.

Return values

Fn::GetAtt

  • VpnConnectionId: the ID of the IPsec-VPN connection.

  • Status: the state of the IPsec-VPN connection.

  • PeerVpnConnectionConfig: the VPC connection configurations of the peer.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  LocalSubnet:
    Type: String
    Description: >-
      The CIDR blocks on the VPC side that are to be connected to the
      on-premises data center (IDC). They are used in Phase 2 negotiations.

      Separate multiple CIDR blocks with commas, for example:
      192.168.1.0/24,192.168.2.0/24.
  EffectImmediately:
    Type: Boolean
    Description: >-
      Whether to start IPsec negotiations immediately. Values:

      true: start negotiations as soon as the configuration is complete.

      false (default): start negotiations when inbound traffic is detected.
    AllowedValues:
      - 'True'
      - 'true'
      - 'False'
      - 'false'
    Default: false
  RemoteSubnet:
    Type: String
    Description: >-
      The CIDR blocks of the on-premises data center (IDC). They are used in
      Phase 2 negotiations.

      Separate multiple CIDR blocks with commas, for example:
      192.168.3.0/24,192.168.4.0/24.
  CustomerGatewayId:
    Type: String
    Description: The ID of the customer gateway.
  VpnGatewayId:
    Type: String
    Description: The ID of the VPN gateway.
  IpsecConfig:
    Type: Json
    Description: The configurations of Phase 2 negotiations.
  HealthCheckConfig:
    Type: Json
    Description: The health check configurations.
  IkeConfig:
    Type: Json
    Description: The configurations of Phase 1 negotiations.
  Name:
    Type: String
    Description: >-
      The name of the IPsec-VPN connection.

      The name must be 2 to 128 characters in length and must start with a
      letter or a Chinese character. It can contain digits, periods (.),
      underscores (_), and hyphens (-), but cannot start with http:// or
      https://.
    MinLength: 2
    MaxLength: 128
Resources:
  VpnConnection:
    Type: 'ALIYUN::VPC::VpnConnection'
    Properties:
      LocalSubnet:
        Ref: LocalSubnet
      EffectImmediately:
        Ref: EffectImmediately
      RemoteSubnet:
        Ref: RemoteSubnet
      CustomerGatewayId:
        Ref: CustomerGatewayId
      VpnGatewayId:
        Ref: VpnGatewayId
      IpsecConfig:
        Ref: IpsecConfig
      HealthCheckConfig:
        Ref: HealthCheckConfig
      IkeConfig:
        Ref: IkeConfig
      Name:
        Ref: Name
Outputs:
  Status:
    Description: Status of the IPsec connection.
    Value:
      'Fn::GetAtt':
        - VpnConnection
        - Status
  PeerVpnConnectionConfig:
    Description: Peer vpc connection config.
    Value:
      'Fn::GetAtt':
        - VpnConnection
        - PeerVpnConnectionConfig
  VpnConnectionId:
    Description: ID of the IPsec connection.
    Value:
      'Fn::GetAtt':
        - VpnConnection
        - VpnConnectionId

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "LocalSubnet": {
      "Type": "String",
      "Description": "The CIDR blocks on the VPC side that are to be connected to the on-premises data center (IDC). They are used in Phase 2 negotiations.\nSeparate multiple CIDR blocks with commas, for example: 192.168.1.0/24,192.168.2.0/24."
    },
    "EffectImmediately": {
      "Type": "Boolean",
      "Description": "Whether to start IPsec negotiations immediately. Values:\ntrue: start negotiations as soon as the configuration is complete.\nfalse (default): start negotiations when inbound traffic is detected.",
      "AllowedValues": [
        "True",
        "true",
        "False",
        "false"
      ],
      "Default": false
    },
    "RemoteSubnet": {
      "Type": "String",
      "Description": "The CIDR blocks of the on-premises data center (IDC). They are used in Phase 2 negotiations.\nSeparate multiple CIDR blocks with commas, for example: 192.168.3.0/24,192.168.4.0/24."
    },
    "CustomerGatewayId": {
      "Type": "String",
      "Description": "The ID of the customer gateway."
    },
    "VpnGatewayId": {
      "Type": "String",
      "Description": "The ID of the VPN gateway."
    },
    "IpsecConfig": {
      "Type": "Json",
      "Description": "The configurations of Phase 2 negotiations."
    },
    "HealthCheckConfig": {
      "Type": "Json",
      "Description": "The health check configurations."
    },
    "IkeConfig": {
      "Type": "Json",
      "Description": "The configurations of Phase 1 negotiations."
    },
    "Name": {
      "Type": "String",
      "Description": "The name of the IPsec-VPN connection.\nThe name must be 2 to 128 characters in length and must start with a letter or a Chinese character. It can contain digits, periods (.), underscores (_), and hyphens (-), but cannot start with http:// or https://.",
      "MinLength": 2,
      "MaxLength": 128
    }
  },
  "Resources": {
    "VpnConnection": {
      "Type": "ALIYUN::VPC::VpnConnection",
      "Properties": {
        "LocalSubnet": {
          "Ref": "LocalSubnet"
        },
        "EffectImmediately": {
          "Ref": "EffectImmediately"
        },
        "RemoteSubnet": {
          "Ref": "RemoteSubnet"
        },
        "CustomerGatewayId": {
          "Ref": "CustomerGatewayId"
        },
        "VpnGatewayId": {
          "Ref": "VpnGatewayId"
        },
        "IpsecConfig": {
          "Ref": "IpsecConfig"
        },
        "HealthCheckConfig": {
          "Ref": "HealthCheckConfig"
        },
        "IkeConfig": {
          "Ref": "IkeConfig"
        },
        "Name": {
          "Ref": "Name"
        }
      }
    }
  },
  "Outputs": {
    "Status": {
      "Description": "Status of the IPsec connection.",
      "Value": {
        "Fn::GetAtt": [
          "VpnConnection",
          "Status"
        ]
      }
    },
    "PeerVpnConnectionConfig": {
      "Description": "Peer vpc connection config.",
      "Value": {
        "Fn::GetAtt": [
          "VpnConnection",
          "PeerVpnConnectionConfig"
        ]
      }
    },
    "VpnConnectionId": {
      "Description": "ID of the IPsec connection.",
      "Value": {
        "Fn::GetAtt": [
          "VpnConnection",
          "VpnConnectionId"
        ]
      }
    }
  }
}
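The following is an added example written for this page; it is not part of the ROS documentation, the ROS service, or any Alibaba Cloud SDK. It applies the Phase 1 and Phase 2 guidance from the IkeConfig, IpsecConfig, TunnelIkeConfig and TunnelIpsecConfig tables above to a template in the JSON form used in this section: it flags legacy encryption and authentication algorithms and DH groups (the lists of what counts as legacy are the example's own policy, not values from the page), IKEv1 aggressive mode, a pre-shared key written as a literal, and fields that are omitted and therefore take the documented defaults (ikev1, main, aes, md5, group2). The two embedded templates are constructed for the example; their gateway IDs are template parameters rather than real resource IDs, and the hardened one carries the PSK in a NoEcho parameter.

```python
"""Static review of the IKE/IPsec settings of ALIYUN::VPC::VpnConnection resources.

Added example for this page (not ROS documentation or product code). It reads a
template in the JSON form shown under Examples and flags Phase 1/Phase 2 settings a
security review would question. The legacy lists are this example's own policy; the
defaults it fills in for omitted fields are the ones documented on this page.
"""
import json

# Example policy (an assumption of this example, not values from the page).
WEAK_ENC = {"des", "3des"}       # 56-bit DES; 3DES is deprecated
WEAK_AUTH = {"md5"}              # sha1 is the stronger of the two values listed
WEAK_PFS = {"group1", "group2"}  # 768-bit and 1024-bit MODP groups
DEPLOY_TIME = "supplied at deploy time (Ref/Fn::); review the parameter value"

# Defaults the platform applies to omitted fields (documented on this page).
IKE_DEFAULTS = {"IkeVersion": "ikev1", "IkeMode": "main", "IkeEncAlg": "aes",
                "IkeAuthAlg": "md5", "IkePfs": "group2"}
IPSEC_DEFAULTS = {"IpsecEncAlg": "aes", "IpsecAuthAlg": "md5", "IpsecPfs": "group2"}

def _effective(config, defaults):
    """Explicit string settings layered over the defaults, lower-cased; None for {"Ref"}/{"Fn::"}."""
    if len(config) == 1 and next(iter(config)).startswith(("Ref", "Fn::")):
        return None
    merged = dict(defaults)
    merged.update({k: v for k, v in config.items() if isinstance(v, str)})
    return {k: v.lower() for k, v in merged.items()}

def _check_algs(eff, where, findings, enc, auth, pfs):
    """Algorithm checks shared by both phases; enc/auth/pfs are the property names."""
    if eff[enc] in WEAK_ENC:
        findings.append((where, f"{enc} {eff[enc]} is legacy; use aes256"))
    if eff[auth] in WEAK_AUTH:
        findings.append((where, f"{auth} {eff[auth]} is the weak default; prefer sha1"))
    if eff[pfs] in WEAK_PFS:
        findings.append((where, f"{pfs} {eff[pfs]} is too small; use group14 or group24"))

def check_ike(ike, where, findings):
    """Phase 1: negotiation mode, algorithms, DH group and how the PSK is supplied."""
    eff = _effective(ike, IKE_DEFAULTS)
    if eff is None:
        findings.append((where, DEPLOY_TIME))
        return
    if eff["IkeVersion"] == "ikev1" and eff["IkeMode"] == "aggressive":
        findings.append((where, "IKEv1 aggressive mode exposes PSK hashes before "
                                "encryption; use main mode or ikev2"))
    _check_algs(eff, where, findings, "IkeEncAlg", "IkeAuthAlg", "IkePfs")
    if isinstance(ike.get("Psk"), str):
        findings.append((where, "Psk is a literal in the template; pass it as a NoEcho parameter"))

def check_ipsec(ipsec, where, findings):
    """Phase 2: algorithms and PFS group."""
    eff = _effective(ipsec, IPSEC_DEFAULTS)
    if eff is None:
        findings.append((where, DEPLOY_TIME))
        return
    _check_algs(eff, where, findings, "IpsecEncAlg", "IpsecAuthAlg", "IpsecPfs")

def check_template(template):
    """Return [(location, message), ...] for every VpnConnection; accepts a dict or JSON text."""
    if isinstance(template, str):
        template = json.loads(template)
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "ALIYUN::VPC::VpnConnection":
            continue
        props = res.get("Properties", {})
        tunnels = props.get("TunnelOptionsSpecification") or []
        # Without a tunnel list, an omitted map is not "safe": the platform fills in the defaults.
        for key, check in (("IkeConfig", check_ike), ("IpsecConfig", check_ipsec)):
            if key in props or not tunnels:
                check(props.get(key, {}), f"{name}.{key}", findings)
        for i, tunnel in enumerate(tunnels):
            base = f"{name}.TunnelOptionsSpecification[{i}]"
            check_ike(tunnel.get("TunnelIkeConfig", {}), f"{base}.TunnelIkeConfig", findings)
            check_ipsec(tunnel.get("TunnelIpsecConfig", {}), f"{base}.TunnelIpsecConfig", findings)
    return findings

# Constructed sample templates (not from the page); gateway IDs come from parameters.
WEAK_TEMPLATE_JSON = """{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {"VpnGatewayId": {"Type": "String"}, "CustomerGatewayId": {"Type": "String"}},
  "Resources": {"Vpn": {"Type": "ALIYUN::VPC::VpnConnection", "Properties": {
    "VpnGatewayId": {"Ref": "VpnGatewayId"}, "CustomerGatewayId": {"Ref": "CustomerGatewayId"},
    "LocalSubnet": "10.0.0.0/16", "RemoteSubnet": "192.168.0.0/16",
    "IkeConfig": {"IkeVersion": "ikev1", "IkeMode": "aggressive", "IkeEncAlg": "3des",
                  "IkeAuthAlg": "md5", "IkePfs": "group2", "Psk": "changeme123"},
    "IpsecConfig": {"IpsecEncAlg": "des", "IpsecPfs": "group1"}}}}}"""

STRONG_TEMPLATE_JSON = """{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {"VpnGatewayId": {"Type": "String"}, "CustomerGatewayId": {"Type": "String"},
                 "Psk": {"Type": "String", "NoEcho": true}},
  "Resources": {"Vpn": {"Type": "ALIYUN::VPC::VpnConnection", "Properties": {
    "VpnGatewayId": {"Ref": "VpnGatewayId"}, "CustomerGatewayId": {"Ref": "CustomerGatewayId"},
    "LocalSubnet": "10.0.0.0/16", "RemoteSubnet": "192.168.0.0/16", "EnableDpd": true,
    "IkeConfig": {"IkeVersion": "ikev2", "IkeEncAlg": "aes256", "IkeAuthAlg": "sha1",
                  "IkePfs": "group14", "IkeLifetime": 86400, "Psk": {"Ref": "Psk"}},
    "IpsecConfig": {"IpsecEncAlg": "aes256", "IpsecAuthAlg": "sha1",
                    "IpsecPfs": "group14", "IpsecLifetime": 3600}}}}}"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_TEMPLATE_JSON), ("hardened", STRONG_TEMPLATE_JSON)):
        for where, msg in check_template(text) or [("-", "no findings")]:
            print(f"[{label}] {where}: {msg}")
```

Run the file directly to print the findings for both embedded templates, or call check_template() with a template read from disk. Two design points matter in practice: an omitted IkeConfig or IpsecConfig is reported against the documented defaults rather than treated as clean, because the platform will negotiate md5 and group2 in that case; and a map supplied through Ref or Fn:: cannot be inspected statically, so the checker reports it for manual review rather than passing it silently.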