ALIYUN::VPC::IpsecServer is used to create an IPsec-VPN server.
Syntax
{
  "Type": "ALIYUN::VPC::IpsecServer",
  "Properties": {
    "LocalSubnet": String,
    "EffectImmediately": Boolean,
    "ClientIpPool": String,
    "VpnGatewayId": String,
    "IpsecConfig": Map,
    "Psk": String,
    "IkeConfig": Map,
    "IpsecServerName": String,
    "PskEnabled": Boolean
  }
}
Properties
Property | Type | Required | Editable | Description | Constraint |
---|---|---|---|---|---|
LocalSubnet | String | Yes | Yes | The local CIDR block: the CIDR block of the virtual private cloud (VPC) that the client connects to. | Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24. |
EffectImmediately | Boolean | No | Yes | Specifies whether to delete the current IPsec tunnel and reinitiate negotiations. | Default value: false. Valid values: |
VpnGatewayId | String | Yes | No | The ID of the VPN gateway. | None |
IpsecConfig | Map | No | Yes | The configurations of Phase 2 negotiations. | For more information, see IpsecConfig properties. |
IkeConfig | Map | No | Yes | The configurations of Phase 1 negotiations. | For more information, see IkeConfig properties. |
ClientIpPool | String | Yes | Yes | The CIDR block from which addresses are allocated to the client's virtual network interface. It is not the CIDR block where the client resides. | When the client connects to the server over an SSL-VPN connection, the VPN gateway selects an IP address from this CIDR block and assigns it to the client. This CIDR block cannot overlap with the CIDR block specified by LocalSubnet. |
IpsecServerName | String | No | Yes | The name of the IPsec-VPN connection. | The name must be 2 to 128 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-). It must start with a letter and cannot start with http:// or https://. |
Psk | String | No | Yes | The pre-shared key. | The key is used for authentication between the VPN gateway and the customer gateway. You can specify a key or use the default key that is randomly generated by the system. The key can be up to 100 characters in length. |
PskEnabled | Boolean | No | Yes | Specifies whether to enable pre-shared key authentication. | Valid values: |
IpsecConfig syntax
"IpsecConfig": {
  "IpsecPfs": String,
  "IpsecEncAlg": String,
  "IpsecAuthAlg": String,
  "IpsecLifetime": Integer
}
IpsecConfig properties
Property | Type | Required | Editable | Description | Constraint |
---|---|---|---|---|---|
IpsecPfs | String | No | Yes | The Diffie-Hellman key exchange algorithm used in Phase 2 negotiations. If you set this parameter, the system forwards packets of all protocols. | Default value: group2. Valid values: |
IpsecEncAlg | String | No | Yes | The encryption algorithm that is used in Phase 2 negotiations. | Default value: aes. Valid values: |
IpsecAuthAlg | String | No | Yes | The authentication algorithm that is used in Phase 2 negotiations. | Default value: sha1. Valid values: |
IpsecLifetime | Integer | No | Yes | The lifetime of the security association (SA) negotiated in Phase 2. | Valid values: 0 to 86400. Unit: seconds. Default value: 86400. |
IkeConfig syntax
"IkeConfig": {
  "IkeAuthAlg": String,
  "LocalId": String,
  "IkeEncAlg": String,
  "IkeVersion": String,
  "IkeMode": String,
  "IkeLifetime": Integer,
  "RemoteId": String,
  "IkePfs": String
}
IkeConfig properties
Property | Type | Required | Editable | Description | Constraint |
---|---|---|---|---|---|
IkeAuthAlg | String | No | Yes | The authentication algorithm that is used in Phase 1 negotiations. | Default value: sha1. Valid values: |
LocalId | String | No | Yes | The ID of the VPN gateway. | The ID can be up to 100 characters in length. The default value is the public IP address of the VPN gateway. |
IkeEncAlg | String | No | Yes | The encryption algorithm that is used in Phase 1 negotiations. | Default value: aes. Valid values: |
IkeVersion | String | No | Yes | The version of the Internet Key Exchange (IKE) protocol. | Default value: ikev2. Valid values: |
IkeMode | String | No | Yes | The IKE negotiation mode. | Default value: main. Valid values: |
IkeLifetime | Integer | No | Yes | The lifetime of the SA negotiated in Phase 1. | Valid values: 0 to 86400. Unit: seconds. Default value: 86400. |
RemoteId | String | No | Yes | The ID of the customer gateway. | The ID can be up to 100 characters in length. The default value is the public IP address of the customer gateway. |
IkePfs | String | No | Yes | The Diffie-Hellman key exchange algorithm that is used in Phase 1 negotiations. | Default value: group2. Valid values: |
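A pre-deployment check for the constraints documented in the tables above, written as an added example for this page (it is not part of the ROS documentation or of the service). It assumes nothing beyond the property names, limits and defaults listed here; the sample property map is constructed and the gateway ID is a placeholder.

```python
import ipaddress
import re
# Constructed sample input, not taken from the page: the gateway ID is a
# placeholder and several values deliberately break the documented rules.
BAD_PROPS = {
    "LocalSubnet": "192.168.1.0/24,192.168.2.0/24",
    "ClientIpPool": "192.168.1.128/25",        # overlaps LocalSubnet
    "VpnGatewayId": "vgw-PLACEHOLDER",
    "IpsecServerName": "http://vpn-server",    # forbidden prefix
    "Psk": "k" * 101,                          # one character over the limit
    "PskEnabled": True,
    "IkeConfig": {"IkeLifetime": 86400, "IkeAuthAlg": "sha1", "IkePfs": "group2"},
    "IpsecConfig": {"IpsecLifetime": 90000},   # above the 0..86400 range
}

# Naming rule from the table: 2-128 chars, letters/digits/./_/-, must start with
# a letter. ':' and '/' are excluded, which also rejects http:// and https://.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{1,127}$")
LIFETIMES = (("IkeConfig", "IkeLifetime"), ("IpsecConfig", "IpsecLifetime"))
# Documented defaults that a template should choose explicitly rather than inherit.
DEFAULTS = (("IkeConfig", "IkeAuthAlg", "sha1"), ("IkeConfig", "IkePfs", "group2"),
            ("IpsecConfig", "IpsecAuthAlg", "sha1"), ("IpsecConfig", "IpsecPfs", "group2"))

def _cidrs(value):
    """Parse the comma-separated CIDR list format used by LocalSubnet/ClientIpPool."""
    return [ipaddress.ip_network(c.strip(), strict=True) for c in value.split(",")]

def validate_ipsec_server(props):
    """Return the list of findings for one IpsecServer property map (empty = clean)."""
    findings = []
    try:
        local, pool = _cidrs(props["LocalSubnet"]), _cidrs(props["ClientIpPool"])
    except (KeyError, ValueError) as exc:
        return [f"LocalSubnet/ClientIpPool must be valid CIDR lists: {exc}"]
    findings += [f"ClientIpPool {p} overlaps LocalSubnet {net}"
                 for p in pool for net in local if p.overlaps(net)]
    name = props.get("IpsecServerName")
    if name is not None and not NAME_RE.match(name):
        findings.append(f"IpsecServerName {name!r} violates the naming rule")
    if len(props.get("Psk", "")) > 100:
        findings.append("Psk is longer than 100 characters")
    for section, key in LIFETIMES:
        value = props.get(section, {}).get(key, 86400)
        if not isinstance(value, int) or not 0 <= value <= 86400:
            findings.append(f"{section}.{key}={value!r} is outside 0..86400 seconds")
    for section, key, default in DEFAULTS:
        if props.get(section, {}).get(key, default) == default:
            findings.append(f"{section}.{key} is left at the default {default!r}")
    return findings
```

The default-value findings are advisory: the tables document sha1 and group2 as the defaults for both phases, and a template that relies on them should do so as a deliberate choice rather than by omission.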
Response parameters
Fn::GetAtt
- IpsecServerId: the ID of the IPsec-VPN server.
- IpsecServerName: the name of the IPsec-VPN server.
Examples
JSON format
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "LocalSubnet": {
      "Type": "String",
      "Description": "The local network segment refers to the network segment on the VPC side that needs to be interconnected with the client network segment. Use half-width commas (,) to separate multiple network segments, for example: 192.168.1.0/24,192.168.2.0/24."
    },
    "EffectImmediately": {
      "Type": "Boolean",
      "Description": "true: Apply the new configuration and trigger a reconnection immediately. \nfalse: Trigger a reconnection only when network traffic occurs. (The reconnection may cause the network to be unavailable for a brief moment)",
      "AllowedValues": [
        "True",
        "true",
        "False",
        "false"
      ]
    },
    "ClientIpPool": {
      "Type": "String",
      "Description": "Client network segment refers to the address segment that assigns access addresses to the virtual network card of the client. Note: The client network segment cannot conflict with the VPC side network segment."
    },
    "VpnGatewayId": {
      "Type": "String",
      "Description": "VPN gateway instance ID."
    },
    "IpsecConfig": {
      "Type": "Json",
      "Description": "Negotiation parameter configuration in the second phase."
    },
    "Psk": {
      "Type": "String",
      "Description": "Pre-Shared key. Used for identity authentication between the VPN gateway and the client. A 16-bit random string is randomly generated by default, or you can manually specify the key. The length is limited to 100 characters."
    },
    "IkeConfig": {
      "Type": "Json",
      "Description": "Negotiation parameter configuration in the first phase."
    },
    "IpsecServerName": {
      "Type": "String",
      "Description": "The value must be 2 to 128 characters in length and start with a letter or Chinese character. It can contain digits, underscores (_), and hyphens (-)."
    },
    "PskEnabled": {
      "Type": "Boolean",
      "Description": "Whether to enable the pre-shared key authentication method. Only the value is true, which means that the pre-shared key authentication mode is enabled.",
      "AllowedValues": [
        "True",
        "true",
        "False",
        "false"
      ]
    }
  },
  "Resources": {
    "IpsecServer": {
      "Type": "ALIYUN::VPC::IpsecServer",
      "Properties": {
        "LocalSubnet": {
          "Ref": "LocalSubnet"
        },
        "EffectImmediately": {
          "Ref": "EffectImmediately"
        },
        "ClientIpPool": {
          "Ref": "ClientIpPool"
        },
        "VpnGatewayId": {
          "Ref": "VpnGatewayId"
        },
        "IpsecConfig": {
          "Ref": "IpsecConfig"
        },
        "Psk": {
          "Ref": "Psk"
        },
        "IkeConfig": {
          "Ref": "IkeConfig"
        },
        "IpsecServerName": {
          "Ref": "IpsecServerName"
        },
        "PskEnabled": {
          "Ref": "PskEnabled"
        }
      }
    }
  },
  "Outputs": {
    "IpsecServerId": {
      "Description": "IPsec server ID.",
      "Value": {
        "Fn::GetAtt": [
          "IpsecServer",
          "IpsecServerId"
        ]
      }
    },
    "IpsecServerName": {
      "Description": "IPsec server name.",
      "Value": {
        "Fn::GetAtt": [
          "IpsecServer",
          "IpsecServerName"
        ]
      }
    }
  }
}
YAML format
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  ClientIpPool:
    Description: 'Client network segment refers to the address segment that assigns
      access addresses to the virtual network card of the client. Note: The client
      network segment cannot conflict with the VPC side network segment.'
    Type: String
  EffectImmediately:
    AllowedValues:
    - 'True'
    - 'true'
    - 'False'
    - 'false'
    Description: "true: Apply the new configuration and trigger a reconnection immediately.\
      \ \nfalse: Trigger a reconnection only when network traffic occurs. (The reconnection\
      \ may cause the network to be unavailable for a brief moment)"
    Type: Boolean
  IkeConfig:
    Description: Negotiation parameter configuration in the first phase.
    Type: Json
  IpsecConfig:
    Description: Negotiation parameter configuration in the second phase.
    Type: Json
  IpsecServerName:
    Description: The value must be 2 to 128 characters in length and start with a
      letter or Chinese character. It can contain digits, underscores (_), and hyphens
      (-).
    Type: String
  LocalSubnet:
    Description: 'The local network segment refers to the network segment on the VPC
      side that needs to be interconnected with the client network segment. Use half-width
      commas (,) to separate multiple network segments, for example: 192.168.1.0/24,192.168.2.0/24.'
    Type: String
  Psk:
    Description: Pre-Shared key. Used for identity authentication between the VPN
      gateway and the client. A 16-bit random string is randomly generated by default,
      or you can manually specify the key. The length is limited to 100 characters.
    Type: String
  PskEnabled:
    AllowedValues:
    - 'True'
    - 'true'
    - 'False'
    - 'false'
    Description: Whether to enable the pre-shared key authentication method. Only
      the value is true, which means that the pre-shared key authentication mode is
      enabled.
    Type: Boolean
  VpnGatewayId:
    Description: VPN gateway instance ID.
    Type: String
Resources:
  IpsecServer:
    Properties:
      ClientIpPool:
        Ref: ClientIpPool
      EffectImmediately:
        Ref: EffectImmediately
      IkeConfig:
        Ref: IkeConfig
      IpsecConfig:
        Ref: IpsecConfig
      IpsecServerName:
        Ref: IpsecServerName
      LocalSubnet:
        Ref: LocalSubnet
      Psk:
        Ref: Psk
      PskEnabled:
        Ref: PskEnabled
      VpnGatewayId:
        Ref: VpnGatewayId
    Type: ALIYUN::VPC::IpsecServer
Outputs:
  IpsecServerId:
    Description: IPsec server ID.
    Value:
      Fn::GetAtt:
      - IpsecServer
      - IpsecServerId
  IpsecServerName:
    Description: IPsec server name.
    Value:
      Fn::GetAtt:
      - IpsecServer
      - IpsecServerName