Modifies the configuration of an IPsec-VPN connection.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes ModifyVpnConnectionAttribute

The operation that you want to perform. Set the value to ModifyVpnConnectionAttribute.

RegionId String Yes cn-shanghai

The ID of the region where the IPsec-VPN connection is created.

You can call the DescribeRegions operation to query region IDs.

VpnConnectionId String Yes vco-bp1bbi27hojx80nck****

The ID of the IPsec-VPN connection.

ClientToken String No 02fb3da4-130e-11e9-8e44-0016e04115b

The client token is used to ensure the idempotence of the request.

The value of this parameter is generated by a client. The value must be unique among different requests and must be 1 to 64 ASCII characters in length.

Name String No IPsec

The name of the IPsec-VPN connection.

The name must be 2 to 128 characters in length, and can contain letters, digits, periods (.), underscores (_), and hyphens (-). It must start with a letter. The name cannot start with http:// or https://.

LocalSubnet String No 1.1.1.0/24,1.1.2.0/24

The CIDR block of the virtual private cloud (VPC) that you want to connect to the on-premises data center. This parameter is used for Phase 2 negotiations.

Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24.

RemoteSubnet String No 1.1.1.0/24,1.1.2.0/24

The CIDR block of the on-premises data center. This parameter is used for Phase 2 negotiations.

Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24.

EffectImmediately Boolean No false

Specifies whether to delete the current IPsec-VPN connection and re-initiate the negotiations. Valid values:

  • true: re-initiates the negotiations after the configuration is completed.
  • false (default): re-initiates the negotiations when inbound traffic is detected.

IkeConfig String No {"IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400}

The configuration of Phase 1 negotiations:

  • IkeConfig.Psk: the pre-shared key used for authentication between the IPsec-VPN gateway and the customer gateway. You can specify a key or use the default key that is randomly generated by the system. The key must be 1 to 100 characters in length.
  • IkeConfig.IkeVersion: the version of the IKE protocol. Valid values: IKEv1 and IKEv2. Default value: IKEv1.
  • IkeConfig.IkeMode: the negotiation mode of IKEv1. Valid values: main and aggressive. Default value: main.
  • IkeConfig.IkeEncAlg: the encryption algorithm of Phase 1 negotiations. Valid values: aes, aes192, aes256, des, and 3des. Default value: aes.
  • IkeConfig.IkeAuthAlg: the authentication algorithm of Phase 1 negotiations. Valid values: md5 and sha1. Default value: sha1.
  • IkeConfig.IkePfs: the Diffie-Hellman key exchange algorithm used by Phase 1 negotiations. Valid values: group1, group2, group5, group14, and group24. Default value: group2.
  • IkeConfig.IkeLifetime: the SA lifetime as a result of Phase 1 negotiations. Valid values: 0 to 86400. Unit: seconds. Default value: 86400.
  • IkeConfig.LocalId: the identifier of the VPN gateway. This parameter can contain up to 100 characters. By default, it is the public IP address of the VPN gateway.
  • IkeConfig.RemoteId: the identifier of the customer gateway. This parameter can contain up to 100 characters. By default, it is the public IP address of the customer gateway.

IpsecConfig String No {"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}

The configuration of Phase 2 negotiations:

  • IpsecConfig.IpsecEncAlg: the encryption algorithm of Phase 2 negotiations. Valid values: aes, aes192, aes256, des, and 3des. Default value: aes.
  • IpsecConfig.IpsecAuthAlg: the authentication algorithm of Phase 2 negotiations. Valid values: md5 and sha1. Default value: sha1.
  • IpsecConfig.IpsecPfs: the Diffie-Hellman group used for perfect forward secrecy (PFS) in Phase 2 negotiations. Valid values: group1, group2, group5, group14, and group24. Default value: group2.
  • IpsecConfig.IpsecLifetime: the SA lifetime as a result of Phase 2 negotiations. Valid values: 0 to 86400. Unit: seconds. Default value: 86400.

HealthCheckConfig String No {"enable":"true","dip":"192.168.xx.2","sip":"192.168.xx.2","interval":"3","retry":"3"}

The health check configuration:

  • HealthCheckConfig.enable: specifies whether to enable health checks. Valid values: true and false. Default value: false.
  • HealthCheckConfig.dip: the destination IP address configured for health checks.
  • HealthCheckConfig.sip: the source IP address configured for health checks.
  • HealthCheckConfig.interval: the interval between health check retries. Unit: seconds.
  • HealthCheckConfig.retry: the maximum number of health check retries.

AutoConfigRoute Boolean No true

Specifies whether to automatically advertise route entries. Valid values:

  • true (default): Route entries are automatically advertised.
  • false: Route entries are not automatically advertised.

EnableDpd Boolean No true

Specifies whether to enable dead peer detection (DPD). Valid values:

  • true (default): enables the DPD feature. The IPsec initiator sends DPD packets to verify the existence and availability of the IPsec peer. If no feedback is received from the peer within a specified period of time, the IPsec peer is considered disconnected. Consequently, the ISAKMP SA, IPsec SA, and IPsec-VPN connection are deleted.
  • false: disables the DPD feature. The IPsec initiator does not send DPD packets.

EnableNatTraversal Boolean No true

Specifies whether to enable NAT traversal. Valid values:

  • true (default): enables NAT traversal. After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec-VPN connection.
  • false: disables NAT traversal.
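The request-side rules above (the Name format, the comma-separated CIDR lists, the valid values and 0 to 86400 second lifetime range of IkeConfig and IpsecConfig, the 1 to 100 character Psk, and the 1 to 64 ASCII character ClientToken) are collected into one validator in the following added example. It is not Alibaba Cloud SDK code: it only prepares the flat query-parameter dictionary for ModifyVpnConnectionAttribute and does not sign or send the request (the signature is what OpenAPI Explorer or an SDK computes). All function names are the example's own, and the values in the usage block are constructed.

```python
import ipaddress
import json
import re
import uuid

# Valid values for the IkeConfig and IpsecConfig keys, as documented above.
IKE_VERSIONS = {"ikev1", "ikev2"}
IKE_MODES = {"main", "aggressive"}
ENC_ALGS = {"aes", "aes192", "aes256", "des", "3des"}
AUTH_ALGS = {"md5", "sha1"}
DH_GROUPS = {"group1", "group2", "group5", "group14", "group24"}
# Name: 2 to 128 characters, starts with a letter, then letters, digits, '.', '_' or '-'.
# That character set already excludes names starting with http:// or https://.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{1,127}$")

IKE_CHOICES = {"IkeVersion": IKE_VERSIONS, "IkeMode": IKE_MODES, "IkeEncAlg": ENC_ALGS,
               "IkeAuthAlg": AUTH_ALGS, "IkePfs": DH_GROUPS}
IPSEC_CHOICES = {"IpsecEncAlg": ENC_ALGS, "IpsecAuthAlg": AUTH_ALGS, "IpsecPfs": DH_GROUPS}


def cidr_list_errors(field, value):
    """LocalSubnet / RemoteSubnet: comma-separated IPv4 CIDR blocks, no host bits set."""
    errors = []
    for block in value.split(","):
        try:
            ipaddress.IPv4Network(block.strip(), strict=True)
        except ValueError:
            errors.append("%s: %r is not a valid IPv4 CIDR block" % (field, block))
    return errors


def phase_config_errors(field, cfg, choices, lifetime_key):
    """Check a Phase 1 (IkeConfig) or Phase 2 (IpsecConfig) dictionary against the
    documented valid values and the 0..86400 second lifetime range."""
    errors = []
    for key, allowed in choices.items():
        if key in cfg and cfg[key] not in allowed:
            errors.append("%s.%s must be one of %s" % (field, key, sorted(allowed)))
    lifetime = cfg.get(lifetime_key, 86400)
    if not (isinstance(lifetime, int) and 0 <= lifetime <= 86400):
        errors.append("%s.%s must be an integer from 0 to 86400" % (field, lifetime_key))
    return errors


def ike_config_errors(cfg):
    """IkeConfig adds the Psk (1..100 chars) and LocalId/RemoteId (<=100 chars) rules."""
    errors = phase_config_errors("IkeConfig", cfg, IKE_CHOICES, "IkeLifetime")
    if "Psk" in cfg and not 1 <= len(cfg["Psk"]) <= 100:
        errors.append("IkeConfig.Psk must be 1 to 100 characters")
    for key in ("LocalId", "RemoteId"):
        if key in cfg and len(cfg[key]) > 100:
            errors.append("IkeConfig.%s may contain at most 100 characters" % key)
    return errors


def build_modify_params(region_id, vpn_connection_id, name=None, local_subnet=None,
                        remote_subnet=None, ike_config=None, ipsec_config=None,
                        effect_immediately=None, client_token=None):
    """Return the flat query-parameter dict for ModifyVpnConnectionAttribute, or raise
    ValueError listing every violated constraint.  Booleans are rendered as
    "true"/"false" and the nested configs as compact JSON strings, as in the examples."""
    errors = []
    if name is not None and not NAME_RE.match(name):
        errors.append("Name must be 2-128 chars, start with a letter, and use letters, "
                      "digits, '.', '_' or '-'")
    if local_subnet is not None:
        errors += cidr_list_errors("LocalSubnet", local_subnet)
    if remote_subnet is not None:
        errors += cidr_list_errors("RemoteSubnet", remote_subnet)
    if ike_config is not None:
        errors += ike_config_errors(ike_config)
    if ipsec_config is not None:
        errors += phase_config_errors("IpsecConfig", ipsec_config, IPSEC_CHOICES, "IpsecLifetime")
    if errors:
        raise ValueError("; ".join(errors))

    # ClientToken: 1 to 64 ASCII characters, unique per request; a uuid4 (36 chars) fits.
    params = {
        "Action": "ModifyVpnConnectionAttribute",
        "RegionId": region_id,
        "VpnConnectionId": vpn_connection_id,
        "ClientToken": client_token or str(uuid.uuid4()),
    }
    if name is not None:
        params["Name"] = name
    if local_subnet is not None:
        params["LocalSubnet"] = local_subnet
    if remote_subnet is not None:
        params["RemoteSubnet"] = remote_subnet
    if ike_config is not None:
        params["IkeConfig"] = json.dumps(ike_config, separators=(",", ":"))
    if ipsec_config is not None:
        params["IpsecConfig"] = json.dumps(ipsec_config, separators=(",", ":"))
    if effect_immediately is not None:
        params["EffectImmediately"] = "true" if effect_immediately else "false"
    return params


if __name__ == "__main__":
    # Constructed values: move Phase 1 to IKEv2 with AES-256 and DH group 14.
    params = build_modify_params(
        "cn-shanghai", "vco-bp1bbi27hojx80nck****", name="IPsec",
        local_subnet="192.168.1.0/24,192.168.2.0/24",
        remote_subnet="192.168.3.0/24,192.168.4.0/24",
        ike_config={"IkeVersion": "ikev2", "IkeMode": "main", "IkeEncAlg": "aes256",
                    "IkeAuthAlg": "sha1", "IkePfs": "group14", "IkeLifetime": 86400},
        ipsec_config={"IpsecEncAlg": "aes256", "IpsecAuthAlg": "sha1",
                      "IpsecPfs": "group14", "IpsecLifetime": 86400},
        effect_immediately=False)
    for key, value in params.items():
        print("%s=%s" % (key, value))
```

Validation errors are collected rather than raised one at a time, so a rejected request reports every problem at once; the ClientToken is generated per call so a retried request after a timeout reuses the same token only if the caller passes it back in explicitly.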

Response parameters

Parameter Type Example Description
VpnConnectionId String vco-bp1bbi27hojx80nck****

The ID of the IPsec-VPN connection.

CustomerGatewayId String vpn-bp1q8bgx4xnkm2ogj****

The ID of the customer gateway.

VpnGatewayId String vpn-bp1q8bgx4xnkm2ogj****

The ID of the VPN gateway.

Name String test

The name of the IPsec-VPN connection.

LocalSubnet String 1.1.1.0/24,1.1.2.0/24

The CIDR block of the VPC.

RemoteSubnet String 1.1.1.0/24,1.1.2.0/24

The CIDR block of the on-premises data center.

CreateTime Long 1492753817000

The time when the IPsec-VPN connection was created.

Description String description

The description of the IPsec-VPN connection.

EffectImmediately Boolean false

Indicates whether IPsec-VPN negotiations are initiated immediately. Valid values:

  • true: Negotiations are initiated after the configuration is completed.
  • false (default): Negotiations are initiated when inbound data transfer is detected.

EnableDpd Boolean true

Indicates whether dead peer detection (DPD) is enabled. Valid values:

  • false: DPD is disabled.
  • true: DPD is enabled.

EnableNatTraversal Boolean true

Indicates whether NAT traversal is enabled. Valid values:

  • false: NAT traversal is disabled.
  • true: NAT traversal is enabled.

IkeConfig Struct

The configuration of Phase 1 negotiations.

IkeAuthAlg String sha1

The IKE authentication algorithm.

IkeEncAlg String aes

The IKE encryption algorithm.

IkeLifetime Long 86400

The IKE lifetime.

IkeMode String main

The IKE mode.

IkePfs String group2

The DH group.

IkeVersion String ikev1

The IKE version.

LocalId String 116.xx.xx.64

The identifier of the VPN gateway. By default, it is the IP address of the VPN gateway. Both FQDN and IP address formats are supported.

Psk String pgw6dy7d1i8i****

The pre-shared key.

RemoteId String 139.xx.xx.167

The identifier of the customer gateway. By default, it is the IP address of the customer gateway. Both FQDN and IP address formats are supported.

IpsecConfig Struct

The configuration of Phase 2 negotiations.

IpsecAuthAlg String sha1

The IPsec authentication algorithm. Both SHA-1 and MD5 are supported.

IpsecEncAlg String aes

The IPsec encryption algorithm.

IpsecLifetime Long 86400

The IPsec lifetime.

IpsecPfs String group2

The DH group.

RequestId String 7DB79D0C-5F27-4AB5-995B-79BE55102F90

The ID of the request.

VcoHealthCheck Struct

The health check configuration.

Dip String 1.1.1.xx

The destination IP address.

Enable String true

Indicates whether health checks are enabled. Valid values:

  • true: Health checks are enabled.
  • false: Health checks are disabled.

Interval Integer 3

The time interval of health check retries. Unit: seconds.

Retry Integer 1

The number of attempts for resending health check probes.

Sip String 2.2.2.xx

The source IP address specified for health checks.

Examples

Sample requests

https://vpc.aliyuncs.com/?Action=ModifyVpnConnectionAttribute
&RegionId=cn-shanghai
&VpnConnectionId=vco-bp1bbi27hojx80nck****
&<Common request parameters>

Sample success responses

XML format

<ModifyVpnConnectionAttributeResponse>
      <Name>vpn</Name>
      <CustomerGatewayId>cgw-bp1pvpl9r9adju6l5****</CustomerGatewayId>
      <RemoteSubnet>2.2.2.0/24</RemoteSubnet>
      <IpsecConfig>
            <IpsecLifetime>86400</IpsecLifetime>
            <IpsecAuthAlg>sha1</IpsecAuthAlg>
            <IpsecPfs>group2</IpsecPfs>
            <IpsecEncAlg>aes</IpsecEncAlg>
      </IpsecConfig>
      <EffectImmediately>false</EffectImmediately>
      <VpnGatewayId>vpn-bp1q8bgx4xnkm2ogj****</VpnGatewayId>
      <CreateTime>1492753817000</CreateTime>
      <VpnConnectionId>vco-bp10lz7aejumd2vxo****</VpnConnectionId>
      <RequestId>57070A3D-38F2-40A6-A1C9-DB14542EF54D</RequestId>
      <LocalSubnet>1.1.1.0/24,1.1.2.0/24</LocalSubnet>
      <IkeConfig>
            <IkeEncAlg>aes</IkeEncAlg>
            <RemoteId>139.196.32.xx</RemoteId>
            <IkePfs>group2</IkePfs>
            <IkeAuthAlg>sha1</IkeAuthAlg>
            <Psk>pgw6dy7d1i8i****</Psk>
            <IkeMode>main</IkeMode>
            <IkeLifetime>86400</IkeLifetime>
            <IkeVersion>ikev1</IkeVersion>
            <LocalId>116.62.69.xx</LocalId>
      </IkeConfig>
</ModifyVpnConnectionAttributeResponse>

JSON format

{
    "Name": "vpn",
    "CustomerGatewayId": "cgw-bp1pvpl9r9adju6l5****",
    "RemoteSubnet": "2.2.2.0/24",
    "IpsecConfig": {
        "IpsecLifetime": 86400,
        "IpsecAuthAlg": "sha1",
        "IpsecPfs": "group2",
        "IpsecEncAlg": "aes"
    },
    "EffectImmediately": false,
    "VpnGatewayId": "vpn-bp1q8bgx4xnkm2ogj****",
    "CreateTime": 1492753817000,
    "VpnConnectionId": "vco-bp10lz7aejumd2vxo****",
    "RequestId": "7DB79D0C-5F27-4AB5-995B-79BE55102F90",
    "LocalSubnet": "1.1.1.0/24,1.1.2.0/24",
    "IkeConfig": {
        "IkeEncAlg": "aes",
        "RemoteId": "139.196.32.xx",
        "IkePfs": "group2",
        "IkeAuthAlg": "sha1",
        "Psk": "pgw6dy7d1i8i****",
        "IkeMode": "main",
        "IkeLifetime": 86400,
        "IkeVersion": "ikev1",
        "LocalId": "116.62.69.xx"
    }
}
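As an added example, not part of this page or of the Alibaba Cloud SDK, the sample JSON response above is reviewed the way a defender would review a returned connection: the Phase 1 and Phase 2 settings are checked for values that are documented as valid but weak, replacement IkeConfig/IpsecConfig values are built only from the values this page lists, and the response is redacted before logging because it echoes the pre-shared key. The sample dictionary is copied from the response above (with the page's masked IDs and addresses); the function names are the example's own.

```python
import copy

# Sample success response copied from the JSON example above (IDs and addresses
# are masked on the page with "****" / "xx").
SAMPLE_RESPONSE = {
    "Name": "vpn",
    "CustomerGatewayId": "cgw-bp1pvpl9r9adju6l5****",
    "RemoteSubnet": "2.2.2.0/24",
    "IpsecConfig": {"IpsecLifetime": 86400, "IpsecAuthAlg": "sha1",
                    "IpsecPfs": "group2", "IpsecEncAlg": "aes"},
    "EffectImmediately": False,
    "VpnGatewayId": "vpn-bp1q8bgx4xnkm2ogj****",
    "CreateTime": 1492753817000,
    "VpnConnectionId": "vco-bp10lz7aejumd2vxo****",
    "RequestId": "7DB79D0C-5F27-4AB5-995B-79BE55102F90",
    "LocalSubnet": "1.1.1.0/24,1.1.2.0/24",
    "IkeConfig": {"IkeEncAlg": "aes", "RemoteId": "139.196.32.xx", "IkePfs": "group2",
                  "IkeAuthAlg": "sha1", "Psk": "pgw6dy7d1i8i****", "IkeMode": "main",
                  "IkeLifetime": 86400, "IkeVersion": "ikev1", "LocalId": "116.62.69.xx"},
}

# Documented valid values that a security review would flag, with the reason:
# DES/3DES are legacy ciphers, MD5 is a broken hash, group1/group2 are 768-bit and
# 1024-bit DH moduli, IKEv1 aggressive mode sends the identity and a PSK-derived hash
# before encryption (so a captured exchange allows offline PSK guessing), and IKEv1
# has been superseded by IKEv2.
WEAK_CIPHERS = {"des": "56-bit DES", "3des": "3DES (legacy, 112-bit effective strength)"}
WEAK_GROUPS = {"group1": "768-bit DH group", "group2": "1024-bit DH group"}
WEAK = {
    "IkeEncAlg": WEAK_CIPHERS, "IpsecEncAlg": WEAK_CIPHERS,
    "IkeAuthAlg": {"md5": "MD5"}, "IpsecAuthAlg": {"md5": "MD5"},
    "IkePfs": WEAK_GROUPS, "IpsecPfs": WEAK_GROUPS,
    "IkeMode": {"aggressive": "IKEv1 aggressive mode"},
    "IkeVersion": {"ikev1": "IKEv1 (prefer ikev2)"},
}


def audit_connection(response):
    """Return (key, value, reason) tuples for every weak Phase 1/Phase 2 setting
    found in the IkeConfig and IpsecConfig sections of a response."""
    findings = []
    for section in ("IkeConfig", "IpsecConfig"):
        for key, value in response.get(section, {}).items():
            reason = WEAK.get(key, {}).get(str(value).lower())
            if reason:
                findings.append((key, value, reason))
    return findings


def hardened_configs(response):
    """Build IkeConfig/IpsecConfig dictionaries to submit with
    ModifyVpnConnectionAttribute using only values the page documents: IKEv2,
    AES-256 and DH group14.  sha1 is kept because md5 and sha1 are the only
    documented authentication algorithms.  LocalId/RemoteId and the lifetimes are
    carried over.  Psk is left out: the page does not say whether an omitted key is
    kept or regenerated on modify, so set it explicitly when sending the request."""
    ike, ipsec = response.get("IkeConfig", {}), response.get("IpsecConfig", {})
    new_ike = {"IkeVersion": "ikev2", "IkeMode": "main", "IkeEncAlg": "aes256",
               "IkeAuthAlg": "sha1", "IkePfs": "group14",
               "IkeLifetime": ike.get("IkeLifetime", 86400)}
    for key in ("LocalId", "RemoteId"):
        if key in ike:
            new_ike[key] = ike[key]
    new_ipsec = {"IpsecEncAlg": "aes256", "IpsecAuthAlg": "sha1", "IpsecPfs": "group14",
                 "IpsecLifetime": ipsec.get("IpsecLifetime", 86400)}
    return new_ike, new_ipsec


def redact_for_logging(response):
    """Return a deep copy with IkeConfig.Psk masked.  The response echoes the
    pre-shared key, so raw responses must not be written to logs or tickets."""
    safe = copy.deepcopy(response)
    if "Psk" in safe.get("IkeConfig", {}):
        safe["IkeConfig"]["Psk"] = "****"
    return safe


if __name__ == "__main__":
    for key, value, reason in audit_connection(SAMPLE_RESPONSE):
        print("weak setting %s=%s: %s" % (key, value, reason))
    print(hardened_configs(SAMPLE_RESPONSE))
    print(redact_for_logging(SAMPLE_RESPONSE)["IkeConfig"])
```

Run against the page's sample, the audit reports IkePfs=group2, IkeVersion=ikev1 and IpsecPfs=group2. Because the customer gateway must accept the same proposal, the hardened values are only useful once the on-premises side is configured to match; with EffectImmediately left at false the new proposal is used when the next negotiation is triggered by inbound traffic rather than immediately.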

Error codes

HttpCode Error code Error message Description
403 Forbbiden.SubUser User not authorized to operate on the specified resource as your account is created by another user. The error message returned because you are unauthorized to perform the operation on the specified resource. You can apply for the permissions and try again.
403 Forbidden User not authorized to operate on the specified resource. The error message returned because you are unauthorized to perform the operation on the specified resource. To acquire the required permissions, submit a ticket.
404 InvalidVpnConnectionInstanceId.NotFound The specified vpn connection instance id does not exist. The error message returned because the specified IPsec-VPN connection does not exist. You can check whether the configuration of the IPsec-VPN connection is valid.
400 VpnGateway.Configuring The specified service is configuring. The error message returned because the operation is not allowed when the specified service is being configured. Try again later.
400 VpnGateway.FinancialLocked The specified service is financial locked. The error message returned because the service is suspended due to overdue payments. Add funds before you enable the service.
400 InvalidName The name is not valid The error message returned because the format of the specified name is invalid.

For a list of error codes, visit the API Error Center.