Modifies the configurations of an IPsec VPN connection.

Make the API call

You can use OpenAPI Explorer to make API calls, search for API calls, perform debugging, and generate SDK example code.

Request parameters

Parameter Type Required? Example value Description
Action String Yes ModifyVpnConnectionAttribute

The name of this action. Value: ModifyVpnConnectionAttribute.

RegionId String Yes cn-shanghai

The region of the IPsec VPN connection.

To query the region ID, call DescribeRegions.

VpnConnectionId String Yes vco-bp1bbi27hojx80nck****

The ID of the IPsec VPN connection.

ClientToken String No 02fb3da4-130e-11e9-8e44-0016e04115b

The client token that guarantees the idempotence of the request.

The value of this parameter is generated by the client. The value must be unique among different requests and must be 1 to 64 ASCII characters in length.

Name String No IPsec

The name of the IPsec VPN connection.

The name must be 2 to 128 characters in length. It must start with a letter and can contain numbers, periods (.), underscores (_), and hyphens (-). It cannot start with http:// or https://.

LocalSubnet String No 1.1.1.0/24,1.1.2.0/24

The CIDR block of the VPC to be connected with the on-premises data center. This parameter is used for phase two negotiations.

Separate multiple CIDR blocks with commas (,). For example, 192.168.1.0/24, 192.168.2.0/24.

RemoteSubnet String No 1.1.1.0/24,1.1.2.0/24

The CIDR block of the on-premises data center. This parameter is used for phase two negotiations.

Separate multiple CIDR blocks with commas (,). For example, 192.168.3.0/24,192.168.4.0/24.

EffectImmediately Boolean No false

Indicates whether to delete a successfully negotiated IPsec VPN tunnel and initiate the negotiation again. Valid values:

  • true: Negotiate immediately after the configuration is completed.
  • false (default): Negotiate when inbound traffic is detected.
IkeConfig String No {"IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400}

The configurations of phase one negotiations:

  • IkeConfig.Psk: Used for authentication between the IPsec VPN gateway and the customer gateway. This parameter is generated randomly by default. You can also manually specify the key. It can contain up to 100 characters.
  • IkeConfig.IkeVersion: The version of the IKE protocol. Valid values: ikev1 | ikev2. Default value: ikev1.
  • IkeConfig.IkeMode: The negotiation mode of IKE V1. Valid values: main (main mode) | aggressive (aggressive mode). Default value: main.
  • IkeConfig.IkeEncAlg: The encryption algorithm of phase one negotiations. Valid values: aes|aes192|aes256|des|3des. Default value: aes.
  • IkeConfig.IkeAuthAlg: The authentication algorithm of phase one negotiations. Valid values: md5|sha1. Default value: sha.
  • IkeConfig.IkePfs: The Diffie-Hellman key exchange algorithm used by phase one negotiations. Valid values: group1|group2|group5|group14|group24. Default value: group2.

  • IkeConfig.IkeLifetime: The SA lifecycle as the result of phase one negotiations. Value range: 0~86400. Default value: 86400. Unit: Second.
  • IkeConfig.LocalIdIPsec: The identification of the VPN gateway. This parameter can contain up to 100 characters and the default value is the public IP address of the VPN gateway.
  • IkeConfig.RemoteId: The identification of the VPN gateway. This parameter can contain up to 100 characters and the default value is the public IP address of the VPN gateway.
IpsecConfig String No {"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}

The configurations of phase two negotiations:

  • IpsecConfig.IpsecEncAlg: The encryption algorithm of phase two negotiations. Valid values: aes|aes192|aes256|des|3des. Default value: aes.
  • IpsecConfig.IpsecAuthAlg: The authentication algorithm of phase two negotiations. Valid values: md5|sha1. Default value: sha1.
  • IpsecConfig.IpsecPfs: Forward packets of all protocols. The Diffie-Hellman key exchange algorithm used by phase one negotiations. Valid values: group1|group2|group5|group14|group24. Default value: group2.
  • IpsecConfig.IpsecLifetime: The SA lifetime value resulting from phase two negotiations. Value range: 0~86400. Default value: 86400. Unit: Second.
HealthCheckConfig String No {"enable":"true","dip":"192.168.xx.2","sip":"192.168.xx.2","interval":"3","retry":"3"}

The health check configurations:

  • HealthCheckConfig.enable: Indicates whether to enable health check. Valid values: true|false (default).
  • HealthCheckConfig.dip: The destination IP address of the health check.
  • HealthCheckConfig.sip: The source IP address of the health check.
  • HealthCheckConfig.interval: The health check retry interval. Unit: Second.
  • HealthCheckConfig.retry: The number of retries for the health check.
AutoConfigRoute Boolean No true

Indicates whether to automatically propagate routes. Valid values:

  • true (default): Routes are propagated automatically.
  • false: Routes are not propagated automatically.

Response parameters

Parameter Type Example value Description
RequestId String 7DB79D0C-5F27-4AB5-995B-79BE55102F90

The ID of the request.

VpnConnectionId String vco-bp1bbi27hojx80nck****

The ID of the IPsec VPN connection.

CustomerGatewayId String vpn-bp1q8bgx4xnkm2ogj****

The ID of the customer gateway.

VpnGatewayId String vpn-bp1q8bgx4xnkm2ogj****

The ID of the VPN Gateway.

Name String test

The name of the IPsec VPN connection.

Description String description

The description information.

LocalSubnet String 1.1.1.0/24,1.1.2.0/24

The CIDR block of the VPC.

RemoteSubnet String 1.1.1.0/24,1.1.2.0/24

The CIDR block of the on-premises data center.

CreateTime Long 1492753817000

The time at which the IPsec VPN connection was created.

EffectImmediately Boolean false

Indicates whether the IPsec VPN connection takes effect immediately.

IkeConfig Struct

The configurations of phase one negotiations.

Psk String pgw6dy7d1i8in7x5

The pre-shared key.

IkeVersion String ikev1

The IKE version.

IkeMode String main

The IKE mode. Both main mode and aggressive mode are supported. The main mode features high security. If NAT traversal is enabled, we recommend that you select the aggressive mode.

IkeEncAlg String aes

The IKE encryption algorithm.

IkeAuthAlg String sha1

The IKE authentication algorithm. Both sha1 and MD5 are supported.

IkePfs String group2

The DH group. Valid values: group1, group2, group5, group14, and group24.

IkeLifetime Long 86400

The IKE lifetime.

LocalId String 116.62.69.64

The local ID. It is the IP address of the VPN Gateway by default. Both FQDN and IP formats are supported.

RemoteId String 139.196.32.167

The peer ID. It is the IP address of the customer gateway by default. Both FQDN and IP formats are supported.

IpsecConfig Struct

The configurations of phase two negotiations:

IpsecEncAlg String aes

The IPsec encryption algorithm.

IpsecAuthAlg String sha1

The IPsec authentication algorithm. Both sha1 and md5 are supported.

IpsecPfs String group2

The DH group.

IpsecLifetime Long 86400

The IPsec lifetime.

VcoHealthCheck Struct

Configurations of health check.

Enable String true

Indicates whether to enable health check.

  • true: Enable
  • false: Disable
Sip String 2.2.2.xx

The source IP address.

Dip String 1.1.1.xx

The destination IP address.

Interval Integer 3

The retry interval of health check. Unit: Second.

Retry Integer 1

The number of retries for sending health check packets.

Examples

Request example

https://vpc.aliyuncs.com/?Action=ModifyVpnConnectionAttribute
&RegionId=cn-shanghai
&VpnConnectionId=vco-bp1bbi27hojx80nck****
&<CommonParameters>
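
An added example (not part of the original API reference or of any Alibaba Cloud SDK): a Python helper that checks IkeConfig and IpsecConfig against the valid values listed under Request parameters, flags legacy choices, and serializes each config to the JSON string the request expects. The `WEAK` set is a reviewer's policy assumed for illustration and the function names are hypothetical; request signing and the common parameters are out of scope.

```python
import json

# Allowed values copied from the request-parameter descriptions on this page.
ALLOWED = {
    "IkeVersion": {"ikev1", "ikev2"},
    "IkeMode": {"main", "aggressive"},
    "IkeEncAlg": {"aes", "aes192", "aes256", "des", "3des"},
    "IkeAuthAlg": {"md5", "sha1"},
    "IkePfs": {"group1", "group2", "group5", "group14", "group24"},
    "IpsecEncAlg": {"aes", "aes192", "aes256", "des", "3des"},
    "IpsecAuthAlg": {"md5", "sha1"},
    "IpsecPfs": {"group1", "group2", "group5", "group14", "group24"},
}
# Reviewer's policy (an assumption, not from the page): values to flag in review.
WEAK = {"des", "3des", "md5", "group1", "group2", "group5", "aggressive"}


def check_config(config):
    """Return (errors, warnings) for an IkeConfig or IpsecConfig dict."""
    errors, warnings = [], []
    for key, value in config.items():
        if key in ALLOWED:
            if value not in ALLOWED[key]:
                errors.append(f"{key}={value!r} is not a documented value")
            elif value in WEAK:
                warnings.append(f"{key}={value} is a legacy option")
        elif key in ("IkeLifetime", "IpsecLifetime"):
            if not isinstance(value, int) or not 0 <= value <= 86400:
                errors.append(f"{key}={value!r} is outside 0~86400")
        elif key == "Psk" and len(value) > 100:
            errors.append("Psk is longer than 100 characters")
    return errors, warnings


def build_params(region_id, vpn_connection_id, ike=None, ipsec=None):
    """Build the query parameters, refusing values the page does not list."""
    params = {"Action": "ModifyVpnConnectionAttribute",
              "RegionId": region_id, "VpnConnectionId": vpn_connection_id}
    warnings = []
    for name, config in (("IkeConfig", ike), ("IpsecConfig", ipsec)):
        if config is None:
            continue
        errors, warns = check_config(config)
        if errors:
            raise ValueError(f"{name}: " + "; ".join(errors))
        warnings += [f"{name}.{w}" for w in warns]
        # Each config travels as one JSON string, as in the example values.
        params[name] = json.dumps(config, separators=(",", ":"))
    return params, warnings
```

Run against the page's own IkeConfig example value, the helper returns the same JSON string plus a warning for `IkePfs=group2`.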

Response example

XML format

<ModifyVpnConnectionAttributeResponse>
      <Name>connection-test</Name>
      <CustomerGatewayId>cgw-bp1pvpl9r9adju6l5****</CustomerGatewayId>
      <RemoteSubnet>2.2.2.0/24</RemoteSubnet>
      <IpsecConfig>
            <IpsecLifetime>86400</IpsecLifetime>
            <IpsecAuthAlg>sha1</IpsecAuthAlg>
            <IpsecPfs>group2</IpsecPfs>
            <IpsecEncAlg>aes</IpsecEncAlg>
      </IpsecConfig>
      <EffectImmediately>false</EffectImmediately>
      <VpnGatewayId>vpn-bp1q8bgx4xnkm2ogj****</VpnGatewayId>
      <CreateTime>1492753580000</CreateTime>
      <VpnConnectionId>vco-bp1bbi27hojx8****</VpnConnectionId>
      <RequestId>57070A3D-38F2-40A6-A1C9-DB14542EF54D</RequestId>
      <LocalSubnet>10.10.10.10/24</LocalSubnet>
      <IkeConfig>
            <IkeEncAlg>aes</IkeEncAlg>
            <RemoteId>139.196.32.xx</RemoteId>
            <IkePfs>group2</IkePfs>
            <IkeAuthAlg>sha1</IkeAuthAlg>
            <Psk>pgw6dy7d1i8i****</Psk>
            <IkeMode>main</IkeMode>
            <IkeLifetime>86400</IkeLifetime>
            <IkeVersion>ikev1</IkeVersion>
            <LocalId>116.62.69.xx</LocalId>
      </IkeConfig>
</ModifyVpnConnectionAttributeResponse>

JSON format

{
    "Name": "vpn connection test",
    "CustomerGatewayId": "cgw-bp1pvpl9r9adju6l5****",
    "RemoteSubnet": "2.2.2.0/24",
    "IpsecConfig": {
        "IpsecLifetime": 86400,
        "IpsecAuthAlg": "sha1",
        "IpsecPfs": "group2",
        "IpsecEncAlg": "aes"
    },
    "EffectImmediately": false,
    "VpnGatewayId": "vpn-bp1q8bgx4xnkm2ogj****",
    "CreateTime": 1492753817000,
    "VpnConnectionId": "vco-bp10lz7aejumd2vxo****",
    "RequestId": "7DB79D0C-5F27-4AB5-995B-79BE55102F90",
    "LocalSubnet": "1.1.1.0/24,1.1.2.0/24",
    "IkeConfig": {
        "IkeEncAlg": "aes",
        "RemoteId": "139.196.32.xx",
        "IkePfs": "group2",
        "IkeAuthAlg": "sha1",
        "Psk": "pgw6dy7d1i8i****",
        "IkeMode": "main",
        "IkeLifetime": 86400,
        "IkeVersion": "ikev1",
        "LocalId": "116.62.69.xx"
    }
}

Errors

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 403 | Forbbiden.SubUser | User not authorized to operate on the specified resource as your account is created by another user. | You are not authorized to operate on this resource. |
| 403 | Forbidden | User not authorized to operate on the specified resource. | You are not authorized to operate on this resource. |
| 404 | InvalidVpnConnectionInstanceId.NotFound | The specified vpn connection instance id does not exist. | The specified VPN connection does not exist. |
| 400 | VpnGateway.Configuring | The specified service is configuring. | The specified service is being configured. |
| 400 | VpnGateway.FinancialLocked | The specified service is financial locked. | The specified service is locked due to insufficient account balance. |
| 400 | InvalidName | The name is not valid | The name format is invalid. |

For a list of error codes, visit the API Error Center.