Creates an IPsec connection.

Debug

By using API Explorer, you can easily debug APIs, automatically generate SDK code examples, and quickly search for APIs.

Request parameters

Parameter Type Required? Example value Description
Action String Yes CreateVpnConnection

The action to perform. Valid value:

CreateVpnConnection

CustomerGatewayId String Yes vpn-bp1q8bgx4xnkm2ogj0fiu

The ID of the customer gateway.

LocalSubnet String Yes 1.1.1.0/24,1.1.2.0/24

The CIDR block of the VPC to be connected with the on-premises data center. This parameter is used for phase two negotiation.

Separate multiple CIDR blocks with commas (,). For example, 192.168.1.0/24, 192.168.2.0/24.

RegionId String Yes cn-shanghai

The region of the IPsec connection.

You can obtain the region ID by calling the DescribeRegions API.

RemoteSubnet String Yes 1.1.1.0/24,1.1.2.0/24

The CIDR block of the on-premises data center. This parameter is used for phase two negotiation.

Separate multiple CIDR blocks with commas (,). For example, 92.168.3.0/24, 192.168.4.0/24.

VpnGatewayId String Yes vpn-bp1q8bgx4xnkm2ogj0fiu

The ID of the VPN Gateway.

ClientToken String No 02fb3da4-130e-11e9-8e44-0016e04115b

A client token used to guarantee the idempotence of requests. 

This parameter value is generated by the client and must be unique. It must be 1 to 64 ASCII characters in length.

EffectImmediately Boolean No false

Indicates whether to delete a successfully negotiated IPsec tunnel and initiate a negotiation again. Valid values:
  • true: Negotiate immediately after the configuration is completed.

  • false (default): Negotiate when inbound traffic is detected.

IkeConfig JSON String No ikev1
The configurations of phase one negotiation:
  • IkeConfig.Psk: Used for authentication between the IPsec VPN gateway and the customer gateway. This parameter is generated randomly by default and can contain up to 100 characters. You can also manually specify the key.

  • IkeConfig.IkeVersion: The version of the IKE protocol. Valid values: ikev1 | ikev2. Default value: ikev1.

  • IkeConfig.IkeMode: The negotiation mode of IKE V1. Valid values: main (main mode) | aggressive (aggressive mode). Default value: main.

  • IkeConfig.IkeEncAlg: The encryption algorithm of phase one negotiation. Valid values: aes | aes192 | aes256 | des | 3des. Default value: aes.

  • IkeConfig.IkeAuthAlg: The authentication algorithm of phase one negotiation. Valid values: md5 | sha1. Default value: sha.

  • IkeConfig.IkePfs: The Diffie-Hellman key exchange algorithm used by phase one negotiation. Valid values: group1 | group2 | group5 | group14 | group24. Default value: group2.

  • IkeConfig.IkeLifetime: The SA lifetime resulting from phase one negotiation. Valid values: 0 to 86400. Default value: 86400. Unit: seconds.

  • IkeConfig.LocalId: The identification of the VPN gateway. This parameter can contain up to 100 characters. Default value: the public IP address of the VPN Gateway.

  • IkeConfig.RemoteId: The identification of the customer gateway. This parameter can contain up to 100 characters. Default value: the public IP address of the customer gateway.

IpsecConfig JSON String No aes
The configurations of phase two negotiation:
  • IpsecConfig.IpsecEncAlg: The encryption algorithm of phase two negotiation. Valid values: aes | aes192 | aes256 | des | 3des. Default value: aes.

  • IpsecConfig.IpsecAuthAlg: The authentication algorithm of phase two negotiation. Valid values: md5 | sha1. Default value: sha1.

  • IpsecConfig.IpsecPfs: The Diffie-Hellman key exchange algorithm used by phase two negotiation. Valid values: group1 | group2 | group5 | group14 | group24. Default value: group2.

  • IpsecConfig.IpsecLifetime: The SA lifetime resulting from phase two negotiation. Valid values: 0 to 86400. Default value: 86400. Unit: seconds.

Name String No IPsec

The name of the IPsec connection.

The name must be 2 to 128 characters in length and contain letters, numbers, periods (.), underscores (_), and hyphens (-). The name must start with a letter. It cannot start with http:// or https://.
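
A pre-flight check for the IkeConfig and IpsecConfig values described above, as an added example (not Alibaba Cloud's code): it resolves the documented defaults, flags settings below a baseline chosen here (IKEv1, aggressive mode, des/3des, md5, DH groups under 2048 bits), and builds both JSON strings from values on the page that pass that baseline. Assumptions: the dotted sub-parameter names are the JSON keys, the "sha" default means sha1, and the baseline is this example's policy rather than an API rule.

```python
import json
import secrets

# Defaults as documented above; the "sha" default for IkeAuthAlg is read as sha1 (assumption).
IKE_DEFAULTS = {"IkeVersion": "ikev1", "IkeMode": "main", "IkeEncAlg": "aes",
                "IkeAuthAlg": "sha1", "IkePfs": "group2", "IkeLifetime": 86400}
IPSEC_DEFAULTS = {"IpsecEncAlg": "aes", "IpsecAuthAlg": "sha1",
                  "IpsecPfs": "group2", "IpsecLifetime": 86400}

# Baseline chosen for this example (not part of the API): values to flag per field.
WEAK_DH = {"group1", "group2", "group5"}  # MODP groups of 768, 1024 and 1536 bits
WEAK = {"IkeVersion": {"ikev1"}, "IkeMode": {"aggressive"},
        "IkeEncAlg": {"des", "3des"}, "IpsecEncAlg": {"des", "3des"},
        "IkeAuthAlg": {"md5"}, "IpsecAuthAlg": {"md5"},
        "IkePfs": WEAK_DH, "IpsecPfs": WEAK_DH}


def audit(ike=None, ipsec=None):
    """Return sorted (field, value) findings for the settings that would be negotiated."""
    merged = {**IKE_DEFAULTS, **(ike or {}), **IPSEC_DEFAULTS, **(ipsec or {})}
    findings = []
    for field, value in merged.items():
        if field == "IkeMode" and merged["IkeVersion"] != "ikev1":
            continue  # the page defines IkeMode for IKE V1 only
        if value in WEAK.get(field, ()):
            findings.append((field, value))
    if len(merged.get("Psk", "")) > 100:
        findings.append(("Psk", "exceeds 100 characters"))
    return sorted(findings)


def hardened_params():
    """Build IkeConfig and IpsecConfig JSON strings from page values that pass the baseline."""
    ike = {"Psk": secrets.token_urlsafe(48),  # 64 characters, within the 100-character limit
           "IkeVersion": "ikev2", "IkeEncAlg": "aes256", "IkeAuthAlg": "sha1",
           "IkePfs": "group14", "IkeLifetime": 86400}
    ipsec = {"IpsecEncAlg": "aes256", "IpsecAuthAlg": "sha1",
             "IpsecPfs": "group14", "IpsecLifetime": 86400}
    return {"IkeConfig": json.dumps(ike), "IpsecConfig": json.dumps(ipsec)}


if __name__ == "__main__":
    print("defaults:", audit())  # omitting both parameters still yields findings
    params = hardened_params()
    print("hardened:", audit(json.loads(params["IkeConfig"]), json.loads(params["IpsecConfig"])))
```

Because both parameters are optional, calling the API without them negotiates the defaults, which is why `audit()` with no arguments is the case worth checking first.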

Response parameters

Parameter Type Example value Description
VpnConnectionId String vco-bp15oes1py4i66rmdnc7k

The ID of the IPsec connection.

CreateTime Long 1544666102000

The time at which the IPsec connection was created.

Name String test

The name of the IPsec connection.

RequestId String 082AD562-B8DB-4BB2-861F-DA1FCA01FD76

The ID of the request.

Examples

Request example

    https://vpc.aliyuncs.com/?Action=CreateVpnConnection
    &CustomerGatewayId=vpn-bp1q8bgx4xnkm2ogj0fiu
    &LocalSubnet=1.1.1.0/24,1.1.2.0/24
    &RegionId=cn-shanghai
    &RemoteSubnet=1.1.1.0/24,1.1.2.0/24
    &VpnGatewayId=vpn-bp1q8bgx4xnkm2ogj0fiu
    &<CommonParameters>

Response example
  • XML format

    <CreateVpnConnectionResponse>
      <VpnConnectionId>vco-bp1bbi27hojx80nck9k1i</VpnConnectionId>
      <CreateTime>1493363928000</CreateTime>
    </CreateVpnConnectionResponse>
    
  • JSON format

    {
      "VpnConnectionId": "vco-bp15oes1py4i66rmdnc7k",
      "CreateTime": 1544666102000
    }

Error codes

HTTP status code | Error code | Error message | Description
403 | Forbbiden.SubUser | User not authorized to operate on the specified resource as your account is created by another user. | You are not authorized to operate on this resource.
403 | Forbidden | User not authorized to operate on the specified resource. | You are not authorized to operate on this resource.
400 | Resource.QuotaFull | The quota of resource is full | The resource quota has been reached.
404 | InvalidCustomerGatewayInstanceId.NotFound | The specified customer gateway instance id does not exist. | The specified instance does not exist.
404 | InvalidVpnGatewayInstanceId.NotFound | The specified vpn gateway instance id does not exist. | The specified VPN Gateway does not exist.
400 | InvalidVpnConnection.AlreadyExists | Vpn connection already exists. | The VPN connection already exists.
400 | VpnGateway.Configuring | The specified service is configuring. | The specified service is being configured.
400 | VpnGateway.FinancialLocked | The specified service is financial locked. | The specified service is locked due to insufficient account balance.

See common error codes