Create an IPsec connection.

Request parameters

Name Type Required Description
Action String Yes

The action to perform. Valid value:

CreateVpnConnection

RegionId String Yes

The region of the IPsec connection.

You can obtain the region ID by calling the DescribeRegions API.

ClientToken String No

A client token used to guarantee the idempotence of requests. 

This parameter value is generated by the client and must be unique. It cannot exceed 64 ASCII characters.

CustomerGatewayId String Yes

The ID of the customer gateway.

VpnGatewayId String Yes

The ID of the VPN gateway.

Name String No

The name of the IPsec connection.

The name must be 2 to 128 characters in length and can contain a-z, A-Z, 0-9, underscores, and hyphens. It must start with an English letter and cannot start with http:// or https://.

LocalSubnet String Yes

The CIDR block of the VPC to be connected with the local data center. This parameter is used for phase-two negotiation. Separate multiple CIDR blocks with commas (,). For example, 192.168.1.0/24, 192.168.2.0/24.

RemoteSubnet String Yes

The CIDR block of the local data center. This parameter is used for phase-two negotiation. Separate multiple CIDR blocks with commas (,). For example, 92.168.3.0/24, 192.168.4.0/24.

EffectImmediately Boolean No

Whether to delete a successfully negotiated IPsec tunnel and initiate a negotiation again. Valid value:
  • true: Negotiate immediately after the configuration is completed.

  • false (default): Negotiate when there is incoming traffic.

IkeConfig JSON String No

The configurations of phase-one negotiation:
  • IkeConfig.Psk: Used for authentication between the IPsec VPN gateway and the customer gateway. This parameter is generated randomly by default and can contain up to 100 characters. You can also manually specify the key.

  • IkeConfig.IkeVersion: The version of the IKE protocol. Valid value: ikev1 | ikev2. Default value: ikev1.

  • IkeConfig.IkeMode: The negotiation mode of IKE V1. Valid value: main (main mode) | aggressive (aggressive mode). Default value: main.

  • IkeConfig.IkeEncAlg: The encryption algorithm of phase-one negotiation. Valid value: aes | aes192 | aes256 | des | 3des. Default value: aes.

  • IkeConfig.IkeAuthAlg: The authentication algorithm of phase-one negotiation. Valid value: md5 | sha1. Default value: sha.

  • IkeConfig.IkePfs: The Diffie-Hellman key exchange algorithm used by phase-one negotiation. Valid value: group1 | group2 | group5 | group14 | group24. Default value: group2.

  • IkeConfig.IkeLifetime: The SA lifecycle as the result of phase-one negotiation. Valid value: [0, 86400]. Unit: seconds. Default value: 86400.

  • IkeConfig.LocalId: The identification of the VPN gateway. This parameter can contain up to 100 characters and the default value is the public IP address of the VPN gateway.

  • IkeConfig.RemoteId: The identification of the customer gateway. This parameter can contain up to 100 characters and the default value is the public IP address of the customer gateway.

IpsecConfig JSON String No

The configurations of phase-two negotiation:
  • IpsecConfig.IpsecEncAlg: The encryption algorithm of phase-two negotiation. Valid value: aes | aes192 | aes256 | des | 3des. Default value: aes.

  • IpsecConfig.IpsecAuthAlg: The authentication algorithm of phase-two negotiation. Valid value: md5 | sha1. Default value: sha1.

  • IpsecConfig.IpsecPfs: Forward packets of all protocols. The Diffie-Hellman key exchange algorithm used by phase-one negotiation. Valid value: group1 | group2 | group5 | group14 | group24. Default value: group2.

  • IpsecConfig.IpsecLifetime: The SA lifecycle as the result of phase-two negotiation. Valid value: [0, 86400]. Unit: seconds. Default value: 86400.

Response parameters

Name Type Description
RequestId String The ID of the request.
VpnConnectionId String The ID of the IPsec connection.
CreateTime Long The time when the IPsec connection was created.
Name String The name of the IPsec connection.

Examples

Request example

https://vpc.aliyuncs.com/?Action=CreateVpnConnection
&RegionId=cn-beijing
&CustomerGatewayId=cgw-bp1jrawp82av6bws9h2ut
&VpnGatewayId=vpn-bp1q8bgx4xnkm2ogj0fiu
&LocalSubnet=10.1.1.0/24
&RemoteSubnet=192.1.1.0/24
&CommonParameters

Response example
  • XML format

    <?xml version="1.0" encoding="UTF-8"?>
    <CreateVpnConnectionResponse>
        <VpnConnectionId>vco-bp1bbi27hojx80nck9k1i</VpnConnectionId>
        <CreateTime>1493363928000</CreateTime>
    </CreateVpnConnectionResponse>
  • JSON format

    {
        "VpnConnectionId":"vco-bp1bbi27hojx80nck9k1i",
        "CreateTime":1493363928000
    }
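
The following Python helper is an added example, not code from this page or from the API provider. It checks an IkeConfig/IpsecConfig pair against the valid values and defaults listed in the request parameters, reports choices such as des, md5 or the default group2, and builds the request query string. Assumptions: the JSON keys are the names after the dot (Psk, IkeVersion, ...), the WEAK set is this example's own policy, and the common parameters (signature and so on) are added elsewhere.

```python
import json
import secrets
from urllib.parse import urlencode

# Valid values and defaults as listed in the parameter tables on this page.
VALID = {
    "IkeVersion": {"ikev1", "ikev2"}, "IkeMode": {"main", "aggressive"},
    "IkeEncAlg": {"aes", "aes192", "aes256", "des", "3des"},
    "IkeAuthAlg": {"md5", "sha1"},
    "IkePfs": {"group1", "group2", "group5", "group14", "group24"},
    "IpsecEncAlg": {"aes", "aes192", "aes256", "des", "3des"},
    "IpsecAuthAlg": {"md5", "sha1"},
    "IpsecPfs": {"group1", "group2", "group5", "group14", "group24"},
}
DEFAULTS = {"IkeVersion": "ikev1", "IkeMode": "main", "IkeEncAlg": "aes",
            "IkePfs": "group2", "IpsecEncAlg": "aes",
            "IpsecAuthAlg": "sha1", "IpsecPfs": "group2"}
# Assumption of this example: values a reviewer would flag as weak.
WEAK = {"des", "3des", "md5", "group1", "group2", "group5", "aggressive"}

def audit(ike=None, ipsec=None):
    """Return (invalid, weak) settings after applying the documented defaults."""
    effective = {**DEFAULTS, **(ike or {}), **(ipsec or {})}
    invalid = sorted(f"{k}={v}" for k, v in effective.items()
                     if k in VALID and v not in VALID[k])
    weak = sorted(f"{k}={v}" for k, v in effective.items()
                  if k in VALID and v in WEAK)
    return invalid, weak

def build_query(region, cgw_id, vgw_id, local_subnet, remote_subnet, ike, ipsec):
    """Build the CreateVpnConnection query; refuse invalid or weak settings."""
    invalid, weak = audit(ike, ipsec)
    if invalid or weak:
        raise ValueError(f"invalid={invalid} weak={weak}")
    return urlencode({
        "Action": "CreateVpnConnection", "RegionId": region,
        "CustomerGatewayId": cgw_id, "VpnGatewayId": vgw_id,
        "LocalSubnet": local_subnet, "RemoteSubnet": remote_subnet,
        "IkeConfig": json.dumps(ike), "IpsecConfig": json.dumps(ipsec),
    })

# A hardened selection drawn only from the valid values on this page.
# The PSK is 64 URL-safe characters, within the documented 100-character limit.
HARDENED_IKE = {"Psk": secrets.token_urlsafe(48), "IkeVersion": "ikev2",
                "IkeEncAlg": "aes256", "IkeAuthAlg": "sha1", "IkePfs": "group14"}
HARDENED_IPSEC = {"IpsecEncAlg": "aes256", "IpsecAuthAlg": "sha1",
                  "IpsecPfs": "group14"}
```

Calling `audit()` with no arguments shows what a request that omits IkeConfig and IpsecConfig ends up with: both Diffie-Hellman settings fall back to group2.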