Creates an IPsec server.

Prerequisites

Before you create an IPsec server, you must create a VPN gateway and enable the SSL-VPN feature for the VPN gateway. For more information, see CreateVpnGateway.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CreateIpsecServer

The operation that you want to perform. Set the value to CreateIpsecServer.

ClientIpPool String Yes 10.XX.XX.0/24

The client CIDR block. It refers to the CIDR block that is allocated to the virtual interface of the client.

Note The client CIDR block must not overlap with the CIDR block of the virtual private cloud (VPC).
LocalSubnet String Yes 192.XX.XX.0/24

The local CIDR block. It refers to the CIDR block of the VPC that is used to connect with the client.

Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24.

RegionId String Yes cn-hangzhou

The ID of the region where the VPN gateway is deployed.

VpnGatewayId String Yes vpn-bp17lofy9fd0dnvzv****

The ID of the VPN gateway.

IpSecServerName String No test

The name of the IPsec server.

The name must be 2 to 128 characters in length, and can contain digits, periods (.), underscores (_), and hyphens (-). It must start with a letter.

EffectImmediately Boolean No true

Specifies whether you want the configuration to immediately take effect. Valid values:

  • true: initiates negotiations after the configuration is completed.
  • false: initiates negotiations when inbound traffic is detected.
IkeConfig String No {"IkeVersion":"ikev2","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400}

The configuration of Phase 1 negotiations.

  • IkeVersion: The IKE version. Valid values: ikev1 and ikev2. Default value: ikev2.
  • IkeMode: The IKE negotiation mode. Default value: main.
  • IkeEncAlg: The encryption algorithm that is used in Phase 1 negotiations. Default value: aes.
  • IkeAuthAlg: The authentication algorithm that is used in Phase 1 negotiations. Default value: sha1.
  • IkePfs: The Diffie-Hellman key exchange algorithm that is used in Phase 1 negotiations. Default value: group2.
  • IkeLifetime: The SA lifetime as a result of Phase 1 negotiations. Default value: 86400. Unit: seconds.
  • LocalId: The ID of the IPsec server. Both fully qualified domain names (FQDNs) and IP addresses are supported. By default, it is the public IP address of the VPN gateway.
  • RemoteId: The ID of the peer. Both FQDNs and IP addresses are supported. By default, this parameter is not specified.
IpsecConfig String No {"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}

The configuration of Phase 2 negotiations.

  • IpsecEncAlg: The encryption algorithm that is used in Phase 2 negotiations. Default value: aes.
  • IpsecAuthAlg: The authentication algorithm that is used in Phase 2 negotiations. Default value: sha1.
  • IpsecPfs: If you set this parameter, the system forwards packets of all protocols. This parameter specifies the Diffie-Hellman exchange algorithm that is used in Phase 2 negotiations. Default value: group2.
  • IpsecLifetime: The SA lifetime as a result of Phase 2 negotiations. Default value: 86400. Unit: seconds.
PskEnabled Boolean No true

Specifies whether to enable pre-shared key authentication. Only when you set the parameter to true, pre-shared key authentication is enabled.

Psk String No 123456

The pre-shared key.

The pre-shared key is used to authenticate the VPN gateway and the client. By default, the system generates a random string that is 16 bits in length. You can also specify the pre-shared key. The value must be 1 to 100 characters in length.

ClientToken String No d7d24a21-f4ba-4454-9173-b38****

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the value, but you must ensure that it is unique among different requests. The token can contain only ASCII characters and cannot exceed 64 characters in length.

DryRun String No false

Specifies whether to only precheck the request. Valid values:

  • true: only prechecks the request. After the request passes the check, the system does not create the IPsec server. The system checks whether the required parameters are set, whether the values are in valid formats, and the service limits. If the request fails the check, error messages are returned. If the request passes the check, the DryRunOperation error code is returned.
  • false (default): prechecks the request. After the request passes the check, the system creates the IPsec server.

Response parameters

Parameter Type Example Description
CreationTime String 2021-02-22T03:24:28Z

The time when the IPsec server was created.

T is used as a delimiter. Z indicates that the time is in UTC.

IpsecServerId String iss-bp1jougp8cfsbo8y9****

The ID of the IPsec server.

IpsecServerName String test

The name of the IPsec server.

RegionId String cn-hangzhou

The ID of the region where the VPN gateway is deployed.

RequestId String 690A967E-D4CD-4B69-8C78-94FE828BA10B

The ID of the request.

VpnGatewayId String vpn-bp17lofy9fd0dnvzv****

The ID of the VPN gateway.

Examples

Sample requests

http(s)://[Endpoint]/? Action=CreateIpsecServer
&ClientIpPool=10.XX.XX.0/24
&LocalSubnet=192.XX.XX.0/24
&RegionId=cn-hangzhou
&VpnGatewayId=vpn-bp17lofy9fd0dnvzv****
&<Common request parameters>

Sample success responses

XML format

<CreateIpsecServerResponse>
  <RequestId>690A967E-D4CD-4B69-8C78-94FE828BA10B</RequestId>
  <VpnGatewayId>vpn-bp17lofy9fd0dnvzv****</VpnGatewayId>
  <IpsecServerId>iss-bp1jougp8cfsbo8y9****</IpsecServerId>
  <CreationTime>2021-02-22T03:24:28Z</CreationTime>
  <RegionId>cn-hangzhou</RegionId>
</CreateIpsecServerResponse>

JSON format

{
"RequestId": "690A967E-D4CD-4B69-8C78-94FE828BA10B",
"VpnGatewayId": "vpn-bp17lofy9fd0dnvzv****",
"IpsecServerId": "iss-bp1jougp8cfsbo8y9****",
"CreationTime": "2021-02-22T03:24:28Z",
"RegionId": "cn-hangzhou"
}

Error codes

HttpCode Error code Error message Description
403 Forbidden User not authorized to operate on the specified resource. The error message returned because you are unauthorized to perform this operation on the specified resource. To acquire the required permissions, submit a ticket.
400 OperationUnsupported.IPsecServer The current version of the VPN gateway does not support IPsec server. The error message returned because the version of the VPN gateway does not support IPsec servers.
404 InvalidVpnGatewayInstanceId.NotFound The specified vpn gateway instance id does not exist. The error message returned because the specified VPN gateway does not exist. You can check whether the configuration of the VPN gateway is valid.
400 VpnGateway.SslVpnDisabled The VPN gateway has not enabled SSL VPN. The error message returned because the SSL-VPN feature is disabled for the VPN gateway.
400 VpnGateway.Configuring The specified service is configuring. The error message returned because the operation is not allowed when the specified service is being configured. Try again later.
400 VpnGateway.FinancialLocked The specified service is financial locked. The error message returned because the service is suspended due to overdue payments. Top up your account first.
400 OperationFailed.IPsecServerExist An IPsec server already exists in the VPN gateway. The error message returned because an IPsec server is already associated with the specified VPN gateway.
400 IllegalParam.LocalSubnet The specified "LocalSubnet" (%s) is invalid. The error message returned because LocalSubnet is set to an invalid value.
400 QuotaExceeded.VpnRouteEntry The number of route entries to the VPN gateway in the VPC routing table has reached the quota limit. The error message returned because the number of routes that point to the VPN gateway in the VPC route table reaches the quota.

For a list of error codes, visit the API Error Center.