Creates an IPsec VPN connection between a VPN gateway and a customer gateway.

Make the API call

You can use OpenAPI Explorer to make API calls, search for API calls, perform debugging, and generate SDK example code.

Request parameters

Parameter Type Required? Example value Description
Action String Yes CreateVpnConnection

The name of this action. Value: CreateVpnConnection

CustomerGatewayId String Yes vpn-bp1q8bgx4xnk****

The ID of the customer gateway.

LocalSubnet String Yes 1.1.1.0/24,1.1.2.0/24

The CIDR block of the VPC to be connected with the on-premises data center. This parameter is used for phase two negotiations.

Separate multiple CIDR blocks with commas (,). For example, 192.168.1.0/24,192.168.2.0/24.

RegionId String Yes cn-shanghai

The region of the IPsec VPN connection. To query the region ID, call DescribeRegions.

RemoteSubnet String Yes 1.1.1.0/24,1.1.2.0/24

The CIDR block of the on-premises data center. This parameter is used for phase two negotiations.

Separate multiple CIDR blocks with commas (,). For example, 192.168.3.0/24,192.168.4.0/24.

VpnGatewayId String Yes vpn-bp1q8bgx4xnkm****

The ID of the VPN Gateway.

ClientToken String No 02fb3da4-130e-11e9-8e44-001****

The client token. It is used to ensure the idempotence of the request: retrying a request with the same token does not create a second connection.

This parameter value is generated by the client and must be unique. It must be 1 to 64 ASCII characters in length.

Name String No IPsec

The name of the IPsec VPN connection.

The name must be 2 to 128 characters in length and can contain letters, numbers, periods (.), underscores (_), and hyphens (-). The name must start with a letter, and cannot start with http:// or https://.

EffectImmediately Boolean No false

Specifies whether to start IPsec negotiation as soon as the configuration is completed. Valid values:

  • true: Negotiate immediately after the configuration is completed.
  • false (default): Negotiate when inbound traffic is detected.
IkeConfig String No {"IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400}

The configurations of phase one negotiations:

  • IkeConfig.Psk: The pre-shared key used for authentication between the VPN gateway and the customer gateway. It is generated randomly by default; you can also specify it manually. It can contain up to 100 characters, and the same value must be configured on the customer gateway.
  • IkeConfig.IkeVersion: The version of the IKE protocol. Valid values: ikev1|ikev2. Default value: ikev1.
  • IkeConfig.IkeMode: The negotiation mode of IKEv1. Valid values: main|aggressive. Default value: main. IKEv2 has no main or aggressive mode, so this setting applies only when IkeVersion is ikev1.
  • IkeConfig.IkeEncAlg: The encryption algorithm of phase one negotiations. Valid values: aes|aes192|aes256|des|3des. Default value: aes.
  • IkeConfig.IkeAuthAlg: The authentication algorithm of phase one negotiations. Valid values: md5|sha1. Default value: md5.
  • IkeConfig.IkePfs: The Diffie-Hellman group used by phase one negotiations. Valid values: group1|group2|group5|group14|group24. Default value: group2.
  • IkeConfig.IkeLifetime: The lifetime of the phase one SA. Value range: 0~86400. Unit: seconds. Default value: 86400.
  • IkeConfig.LocalId: The identifier of the VPN gateway. This parameter can contain up to 100 characters. By default, it is the public IP address of the VPN gateway.
  • IkeConfig.RemoteId: The identifier of the customer gateway. This parameter can contain up to 100 characters. By default, it is the public IP address of the customer gateway.

Among the listed values, des, 3des and md5 are cryptographically weak, aggressive mode exposes a hash of the pre-shared key to offline cracking, and group1, group2 and group5 use moduli shorter than 2048 bits. Unless the customer gateway cannot support them, use ikev2, main mode, aes256, sha1 and group14, and let the pre-shared key be generated randomly rather than choosing a short, memorable value.

IpsecConfig String No {"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}

The configurations of phase two negotiations:

  • IpsecConfig.IpsecEncAlg: The encryption algorithm of phase two negotiations. Valid values: aes|aes192|aes256|des|3des. Default value: aes.
  • IpsecConfig.IpsecAuthAlg: The authentication algorithm of phase two negotiations. Valid values: md5|sha1. Default value: md5.
  • IpsecConfig.IpsecPfs: The Diffie-Hellman group used for perfect forward secrecy in phase two negotiations. Valid values: group1|group2|group5|group14|group24. Default value: group2.
  • IpsecConfig.IpsecLifetime: The lifetime of the phase two SA. Value range: 0~86400. Unit: seconds. Default value: 86400. des, 3des, md5, group1, group2 and group5 are weak choices here for the same reasons as in phase one; prefer aes256, sha1 and group14.
HealthCheckConfig String No {"enable":"true","dip":"192.168.xx.2","sip":"192.168.xx.2","interval":"3","retry":"3"}

The health check configurations:

  • HealthCheckConfig.enable: Specifies whether to enable health checks. Valid values: true|false (default).
  • HealthCheckConfig.dip: The destination IP address of the health check probes.
  • HealthCheckConfig.sip: The source IP address of the health check probes.
  • HealthCheckConfig.interval: The interval between health check probes. Unit: seconds.
  • HealthCheckConfig.retry: The number of retries for the health check.
AutoConfigRoute Boolean No true

Specifies whether to automatically configure routes. Valid values:

  • true (default): Routes are configured automatically.
  • false: Routes are not configured automatically.
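The following added example, which is not code from this page or from the VPC API SDKs, assembles the request parameters documented above in Python: it validates Name and the CIDR lists against the stated constraints, generates a random Psk and a ClientToken, JSON-encodes IkeConfig and IpsecConfig, and audits a finished parameter set for the weak values this page lists. The gateway IDs, CIDR blocks and the function names are assumptions made for illustration.

```python
"""Build and audit a CreateVpnConnection parameter set.

Added example for this page; it is not code from the VPC API or its SDKs.
Only parameters and value sets documented above are used. The gateway IDs,
CIDR blocks and the generated Psk are constructed placeholders.
"""
import ipaddress
import json
import re
import secrets
import uuid

# Name: 2 to 128 chars of letters, digits, '.', '_', '-', starting with a letter.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{1,127}$")

# Strongest choices among the values this page lists for each setting.
HARDENED_IKE = {"IkeVersion": "ikev2", "IkeMode": "main", "IkeEncAlg": "aes256",
                "IkeAuthAlg": "sha1", "IkePfs": "group14", "IkeLifetime": 86400}
HARDENED_IPSEC = {"IpsecEncAlg": "aes256", "IpsecAuthAlg": "sha1",
                  "IpsecPfs": "group14", "IpsecLifetime": 3600}

def parse_cidrs(value):
    """Split a comma-separated CIDR list; strict=True rejects set host bits."""
    nets = [ipaddress.ip_network(c.strip(), strict=True)
            for c in value.split(",") if c.strip()]
    if not nets:
        raise ValueError("at least one CIDR block is required")
    return nets

def validate_name(name):
    if name.lower().startswith(("http://", "https://")) or not NAME_RE.match(name):
        raise ValueError(f"invalid Name: {name!r}")
    return name

def build_params(region_id, vpn_gateway_id, customer_gateway_id,
                 local_subnet, remote_subnet, name="IPsec", psk=None,
                 ike=None, ipsec=None):
    """Return the request parameters with IkeConfig/IpsecConfig JSON-encoded."""
    local, remote = parse_cidrs(local_subnet), parse_cidrs(remote_subnet)
    ike_cfg = dict(HARDENED_IKE if ike is None else ike)
    ipsec_cfg = dict(HARDENED_IPSEC if ipsec is None else ipsec)
    # Psk may be up to 100 characters; token_urlsafe(48) gives 64 random ones.
    ike_cfg["Psk"] = secrets.token_urlsafe(48) if psk is None else psk
    if not 1 <= len(ike_cfg["Psk"]) <= 100:
        raise ValueError("Psk must be 1 to 100 characters")
    for cfg, key in ((ike_cfg, "IkeLifetime"), (ipsec_cfg, "IpsecLifetime")):
        if not 0 <= int(cfg[key]) <= 86400:
            raise ValueError(f"{key} must be within 0~86400 seconds")
    return {
        "Action": "CreateVpnConnection",
        "RegionId": region_id,
        "VpnGatewayId": vpn_gateway_id,
        "CustomerGatewayId": customer_gateway_id,
        "LocalSubnet": ",".join(str(n) for n in local),
        "RemoteSubnet": ",".join(str(n) for n in remote),
        "Name": validate_name(name),
        # 1 to 64 ASCII chars, unique per logical request; reuse the same
        # token when retrying so a timeout cannot create a second connection.
        "ClientToken": str(uuid.uuid4()),
        "EffectImmediately": "true",
        "AutoConfigRoute": "true",
        "IkeConfig": json.dumps(ike_cfg, separators=(",", ":")),
        "IpsecConfig": json.dumps(ipsec_cfg, separators=(",", ":")),
    }

def configs(params):
    """Decode the nested IkeConfig and IpsecConfig strings back to dicts."""
    return json.loads(params["IkeConfig"]), json.loads(params["IpsecConfig"])

def audit(params):
    """List weak or inconsistent choices in a built parameter set."""
    ike, ipsec = configs(params)
    findings = []
    if ike.get("IkeVersion") == "ikev1":
        findings.append("IkeVersion ikev1: prefer ikev2")
        if ike.get("IkeMode") == "aggressive":
            findings.append("IkeMode aggressive: exposes a PSK hash to offline cracking")
    for key, alg in (("IkeEncAlg", ike.get("IkeEncAlg")),
                     ("IpsecEncAlg", ipsec.get("IpsecEncAlg"))):
        if alg in ("des", "3des"):
            findings.append(f"{key} {alg}: 64-bit block cipher, use aes256")
    for key, alg in (("IkeAuthAlg", ike.get("IkeAuthAlg")),
                     ("IpsecAuthAlg", ipsec.get("IpsecAuthAlg"))):
        if alg == "md5":
            findings.append(f"{key} md5: use sha1, the strongest value offered")
    for key, grp in (("IkePfs", ike.get("IkePfs")), ("IpsecPfs", ipsec.get("IpsecPfs"))):
        if grp in ("group1", "group2", "group5"):
            findings.append(f"{key} {grp}: modulus shorter than 2048 bits, use group14")
    # Overlapping selectors cannot be routed: neither side owns the shared range.
    for left in parse_cidrs(params["LocalSubnet"]):
        for right in parse_cidrs(params["RemoteSubnet"]):
            if left.overlaps(right):
                findings.append(f"LocalSubnet {left} overlaps RemoteSubnet {right}")
    return findings
```

Running audit() over the page's own example values (the default IKE settings and identical LocalSubnet and RemoteSubnet blocks) flags the md5 authentication algorithm, the group2 groups and the overlapping CIDR blocks; a set built with the hardened defaults comes back clean.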

Response parameters

Parameter Type Example value Description
RequestId String 082AD562-B8DB-4BB2-861F-DA1FCA01FD76

The ID of the request.

VpnConnectionId String vco-bp15oes1py4i6****

The ID of the IPsec VPN connection.

Name String test

The name of the IPsec VPN connection.

CreateTime Long 1544666102000

The time at which the IPsec VPN connection was created.

Examples

Request example

http(s)://[Endpoint]/?Action=CreateVpnConnection
&CustomerGatewayId=vpn-bp1q8bgx4xnk****
&LocalSubnet=1.1.1.0/24,1.1.2.0/24
&RegionId=cn-shanghai
&RemoteSubnet=1.1.1.0/24,1.1.2.0/24
&VpnGatewayId=vpn-bp1q8bgx4xnkm****
&<CommonParameters>
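The <CommonParameters> in the request above carry the AccessKeyId, a timestamp, a nonce and a Signature over every query parameter. The added example below, which is not code from this page or from an Alibaba Cloud SDK, shows in Python how a signed GET URL for this call is produced and how a logged URL can be re-verified, assuming the RPC-style HMAC-SHA1 signing scheme used by this API family; the API version string, endpoint host, AccessKey pair, nonce and timestamp are placeholders.

```python
"""Produce and verify a signed CreateVpnConnection request URL.

Added example, not code from the page or an Alibaba Cloud SDK. It assumes
the RPC-style common parameters and HMAC-SHA1 signature scheme of this API
family. API_VERSION, the endpoint host, the AccessKey pair, nonce and
timestamp used here are constructed placeholders.
"""
import base64
import datetime
import hashlib
import hmac
import urllib.parse
import uuid

API_VERSION = "2016-04-28"  # assumed VPC API version

def percent_encode(value):
    """RFC 3986: only A-Z a-z 0-9 - _ . ~ pass through; space is %20, * is %2A."""
    return urllib.parse.quote(str(value), safe="~")

def canonicalized_query(params):
    """Sort by parameter name and join encoded key=value pairs with '&'."""
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                    for k, v in sorted(params.items()))

def string_to_sign(method, params):
    return f"{method}&{percent_encode('/')}&{percent_encode(canonicalized_query(params))}"

def sign(params, access_key_secret, method="GET"):
    """Base64(HMAC-SHA1(secret + '&', StringToSign)); Signature itself is excluded."""
    if "Signature" in params:
        raise ValueError("params must not already contain Signature")
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def signed_request_url(endpoint, action_params, access_key_id, access_key_secret,
                       nonce=None, timestamp=None):
    """Merge the action parameters with the common parameters and sign them."""
    common = {
        "Format": "JSON",
        "Version": API_VERSION,
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        # Nonce and timestamp are inside the signed string, so a captured URL
        # cannot simply be replayed with other values substituted.
        "SignatureNonce": nonce or str(uuid.uuid4()),
        "Timestamp": timestamp or datetime.datetime.now(datetime.timezone.utc)
                                  .strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    params = {**action_params, **common}
    params["Signature"] = sign(params, access_key_secret)
    return f"https://{endpoint}/?{canonicalized_query(params)}"

def parse_request_url(url):
    """Decode a request URL back into its parameter dict."""
    query = urllib.parse.urlsplit(url).query
    return dict(urllib.parse.parse_qsl(query, keep_blank_values=True))

def verify(params, access_key_secret, method="GET"):
    """Recompute the signature and compare in constant time."""
    given = params.get("Signature")
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    return given is not None and hmac.compare_digest(
        sign(unsigned, access_key_secret, method), given)
```

Because IkeConfig is sent as a JSON string among the query parameters, the pre-shared key travels in the URL of this call: send it only over HTTPS, keep such URLs out of access logs and proxies, and note that the signature covers LocalSubnet, RemoteSubnet and IkeConfig, so any modification of a captured URL fails verify().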

Response example

XML format

<CreateVpnConnectionResponse>
      <VpnConnectionId>vco-bp1bbi27hojx8****</VpnConnectionId>
      <CreateTime>1493363928000</CreateTime>
</CreateVpnConnectionResponse>

JSON format

{
    "CreateTime": 1544666102000,
    "VpnConnectionId": "vco-bp15oes1py4i6****"
}

Errors

HTTP status code Error code Error message Description
403 Forbbiden.SubUser User not authorized to operate on the specified resource as your account is created by another user. You are not authorized to operate on this resource.
403 Forbidden User not authorized to operate on the specified resource. You are not authorized to operate on this resource.
400 Resource.QuotaFull The quota of resource is full The resource quota has been reached.
404 InvalidCustomerGatewayInstanceId.NotFound The specified customer gateway instance id does not exist. The specified instance does not exist.
404 InvalidVpnGatewayInstanceId.NotFound The specified vpn gateway instance id does not exist. The specified VPN Gateway does not exist.
400 InvalidVpnConnection.AlreadyExists Vpn connection already exists. The VPN connection already exists.
400 VpnGateway.Configuring The specified service is configuring. The specified service is being configured.
400 VpnGateway.FinancialLocked The specified service is financial locked. The specified service is locked due to insufficient account balance.

For a list of error codes, visit the API Error Center.