All Products
Search

This Product

    Resource Orchestration Service:ALIYUN::VPC::VpnAttachment

    Document Center

    Resource Orchestration Service:ALIYUN::VPC::VpnAttachment

    Last Updated:Dec 12, 2023

    ALIYUN::VPC::VpnAttachment is used to create an IPsec-VPN connection and associate it with a transit router.

    Syntax

    {
  "Type": "ALIYUN::VPC::VpnAttachment",
  "Properties": {
    "LocalSubnet": String,
    "CustomerGatewayId": String,
    "AutoConfigRoute": Boolean,
    "Name": String,
    "EffectImmediately": Boolean,
    "BgpConfig": Map,
    "RemoteSubnet": String,
    "RemoteCaCert": String,
    "IpsecConfig": Map,
    "NetworkType": String,
    "HealthCheckConfig": Map,
    "EnableNatTraversal": Boolean,
    "IkeConfig": Map,
    "EnableDpd": Boolean
  }
}

    Properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    LocalSubnet

    String

    Yes

    Yes

    The CIDR blocks on the virtual private cloud (VPC) side. The CIDR blocks are used in Phase 2 negotiations.

    Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24.

    The following routing modes are supported for the IPsec-VPN connection:

    • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is Destination Routing Mode.

    • If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is Protected Data Flows.

    Example: 10.1.1.0/24,10.1.2.0/24.

    CustomerGatewayId

    String

    Yes

    No

    The ID of the customer gateway.

    None.

    AutoConfigRoute

    Boolean

    No

    Yes

    Specifies whether to automatically configure routes.

    Valid values:

    • true (default)

    • false

    Name

    String

    No

    Yes

    The name of the IPsec-VPN connection.

    None.

    EffectImmediately

    Boolean

    No

    Yes

    Specifies whether to immediately start IPsec negotiations.

    Valid values:

    • true: immediately starts IPsec negotiations after the configuration is complete.

    • false (default): starts IPsec negotiations when inbound traffic is received.

    BgpConfig

    Map

    No

    Yes

    The Border Gateway Protocol (BGP) configurations.

    For more information, see BgpConfig properties.

    Note

    Before you configure BGP, we recommend that you familiarize yourself with the implementation mechanism and the limits of BGP dynamic routing. For more information, see VPN Gateway supports BGP dynamic routing.

    We recommend that you use a private autonomous system number (ASN) to establish a connection with Alibaba Cloud over BGP. For more information about the range of private ASNs, see the relevant documentation.

    Example:

    {"EnableBgp":"true","LocalAsn":"45104","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}

    RemoteSubnet

    String

    Yes

    Yes

    The CIDR blocks on the data center side. The CIDR blocks are used in Phase 2 negotiations.

    Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24.

    The following routing modes are supported for the IPsec-VPN connection:

    • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is Destination Routing Mode.

    • If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is Protected Data Flows.

    Example: 10.1.3.0/24,10.1.4.0/24.

    RemoteCaCert

    String

    No

    No

    The peer CA certificate when a ShangMi (SM) VPN gateway is used to create the IPsec-VPN connection.

    Example:

    -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----

    IpsecConfig

    Map

    No

    Yes

    The configurations of Phase 2 negotiations.

    For more information, see IpsecConfig properties.

    Example:

    {"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}

    NetworkType

    String

    No

    No

    The network type of the IPsec-VPN connection.

    Valid values:

    • public (default): an encrypted connection over the Internet

    • private: an encrypted connection over a private network

    HealthCheckConfig

    Map

    No

    Yes

    The health check configurations.

    For more information, see HealthCheckConfig properties.

    Example:

    {"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3","Policy": "revoke_route"}

    EnableNatTraversal

    Boolean

    No

    Yes

    Specifies whether to enable NAT traversal.

    Valid values:

    • true (default): enables NAT traversal. After you enable NAT traversal, the initiator does not check the UDP ports during Internet Key Exchange (IKE) negotiations and can automatically discover NAT gateway devices along the IPsec-VPN tunnel.

    • false: disables NAT traversal.

    IkeConfig

    Map

    No

    Yes

    The configurations of Phase 1 negotiations.

    For more information, see IkeConfig properties.

    EnableDpd

    Boolean

    No

    Yes

    Specifies whether to enable the dead peer detection (DPD) feature.

    Valid values:

    • true (default): enables the DPD feature. The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no feedback is received from the peer within a specified period of time, the connection fails. ISAKMP Security Associations (SAs) and IPsec SAs are deleted. The IPsec-VPN tunnel is also deleted.

    • false: disables the DPD feature. The initiator of the IPsec-VPN connection does not send DPD packets.

    BgpConfig syntax

    "BgpConfig": {
  "EnableBgp": Boolean,
  "LocalAsn": Number,
  "TunnelCidr": String,
  "LocalBgpIp": String
}

    BgpConfig properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    EnableBgp

    Boolean

    No

    No

    Specifies whether to enable the BGP feature.

    Valid values:

    • true

    • false (default)

    LocalAsn

    Number

    No

    Yes

    The ASN on the Alibaba Cloud side.

    Valid values: 1 to 4294967295. Default value: 45104.

    TunnelCidr

    String

    No

    Yes

    The CIDR block of the IPsec-VPN tunnel.

    The CIDR block must belong to 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length.

    LocalBgpIp

    String

    No

    Yes

    The BGP IP address on the Alibaba Cloud side.

    The IP address must fall within the CIDR block range of the IPsec-VPN tunnel.

    IpsecConfig syntax

    "IpsecConfig": {
  "IpsecPfs": String,
  "IpsecEncAlg": String,
  "IpsecAuthAlg": String,
  "IpsecLifetime": Integer
}

    IpsecConfig properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    IpsecPfs

    String

    No

    Yes

    The Diffie-Hellman (DH) key exchange algorithm that is used in Phase 2 negotiations.

    Valid values:

    • disabled

    • group1

    • group2 (default)

    • group5

    • group14

    IpsecEncAlg

    String

    No

    Yes

    The encryption algorithm that is used in Phase 2 negotiations.

    Valid values:

    • aes (default)

    • aes192

    • aes256

    • des

    • 3des

    IpsecAuthAlg

    String

    No

    Yes

    The authentication algorithm that is used in Phase 2 negotiations.

    Valid values:

    • md5 (default)

    • sha1

    • sha256

    • sha384

    • sha512

    IpsecLifetime

    Integer

    No

    Yes

    The SA lifetime that is determined by Phase 2 negotiations.

    Unit: seconds. Valid values: 0 to 86400. Default value: 86400.

    HealthCheckConfig syntax

    "HealthCheckConfig": {
  "Policy": String,
  "Enable": Boolean,
  "Dip": String,
  "Retry": Integer,
  "Sip": String,
  "Interval": Integer
}

    HealthCheckConfig properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    Policy

    String

    No

    Yes

    Specifies whether to withdraw published routes when the health check fails.

    Valid values:

    • revoke_route (default): withdraws published routes when the health check fails.

    • reserve_route: does not withdraw published routes when the health check fails.

    Enable

    Boolean

    No

    Yes

    Specifies whether to enable the health check feature.

    Valid values:

    • true

    • false (default)

    Dip

    String

    No

    Yes

    The destination IP address that is used for health checks.

    Specify the IP address of the data center with which the VPC can communicate based on the IPsec-VPN connection.

    Retry

    Integer

    No

    Yes

    The maximum number of health check retries.

    Default value: 3.

    Sip

    String

    No

    Yes

    The source IP address that is used for health checks.

    Specify the IP address of the VPC with which the data center can communicate based on the IPsec-VPN connection.

    Interval

    Integer

    No

    Yes

    The interval between two consecutive health check retries.

    Unit: seconds. Default value: 3.

    IkeConfig syntax

    "IkeConfig": {
  "IkeAuthAlg": String,
  "LocalId": String,
  "IkeEncAlg": String,
  "IkeVersion": String,
  "IkeMode": String,
  "IkeLifetime": Integer,
  "RemoteId": String,
  "Psk": String,
  "IkePfs": String
}

    IkeConfig properties

    Property

    Type

    Required

    Editable

    Description

    Constraint

    IkeAuthAlg

    String

    No

    Yes

    The authentication algorithm that is used in Phase 1 negotiations.

    Valid values:

    • md5 (default)

    • sha1

    • sha256

    • sha384

    • sha512

    LocalId

    String

    No

    Yes

    The identifier of the IPsec-VPN connection on the Alibaba Cloud side.

    The identifier can be up to 100 characters in length. By default, this property is empty.

    IkeEncAlg

    String

    No

    Yes

    The encryption algorithm that is used in Phase 1 negotiations.

    Valid values:

    • aes (default)

    • aes192

    • aes256

    • des

    • 3des

    IkeVersion

    String

    No

    Yes

    The version of the IKE protocol.

    Valid values:

    • ikev1 (default)

    • ikev2

    IkeMode

    String

    No

    Yes

    The negotiation mode.

    Valid values:

    • main (default)

    • aggressive

    IkeLifetime

    Integer

    No

    Yes

    The SA lifetime that is determined by Phase 1 negotiations.

    Unit: seconds. Valid values: 0 to 86400. Default value: 86400.

    RemoteId

    String

    No

    Yes

    The identifier of the IPsec-VPN connection on the data center side.

    The identifier can be up to 100 characters in length. The default value is the IP address of the customer gateway.

    Psk

    String

    No

    Yes

    The pre-shared key that is used for identity authentication between the VPN gateway and the data center.

    The following limits apply:

    • The pre-shared key must be 1 to 100 characters in length, and can contain letters, digits, and the following characters: ~ ! ` @ # $ % ^ & * ( ) _ - + = { } [ ] | ; : ' , . < > / ?

    • If you do not specify a pre-shared key, the system generates a random 16-character string as the pre-shared key. You can call the DescribeVpnConnection operation to query the pre-shared key that is generated by the system.

    Note

    The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway.

    IkePfs

    String

    No

    Yes

    The DH key exchange algorithm that is used in Phase 1 negotiations.

    Valid values:

    • group1 (default)

    • group2

    • group5

    • group14

    Return values

    Fn::GetAtt

    • InternetIp: the gateway address of the IPsec-VPN connection.  

    • VpnAttachmentId: the ID of the IPsec-VPN connection.

    • PeerVpnAttachmentConfig: the configurations of the IPsec-VPN connection.

    Examples

    • YAML format 

      ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  AutoConfigRoute:
    Description:
      en: "Specifies whether to automatically configure routes. Valid values:\ntrue\
        \ (default) \nfalse"
    Type: Boolean
  BgpConfig:
    AssociationPropertyMetadata:
      Parameters:
        EnableBgp:
          Description:
            en: "Specifies whether to enable the BGP feature for the tunnel. \nValid\
              \ values: true and false. Default value: false."
          Type: Boolean
        LocalAsn:
          Description:
            en: 'the ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295.
              Default value: 45104.'
          MaxValue: 4294967295
          MinValue: 1
          Type: Number
        LocalBgpIp:
          Description:
            en: "the BGP IP address on the Alibaba Cloud side. \nThis IP address must\
              \ fall within the CIDR block of the IPsec tunnel."
          Type: String
        TunnelCidr:
          Description:
            en: the CIDR block of the IPsec tunnel. The CIDR block must fall within
              169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in
              length.
          Type: String
    Description:
      en: "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required\
        \ when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP,\
        \ we recommend that you learn about how BGP works and its limits. For more\
        \ information, see VPN Gateway supports BGP dynamic routing.\nWe recommend\
        \ that you use a private ASN to establish a connection with Alibaba Cloud\
        \ over BGP. \nRefer to the relevant documentation for the private ASN range."
    Type: Json
  CustomerGatewayId:
    Description:
      en: The ID of the user gateway.
    Type: String
  EffectImmediately:
    Default: false
    Description:
      en: 'Whether to delete the currently negotiated IPsec tunnel and re-initiate
        the negotiation. Value:

        True: Negotiate immediately after the configuration is complete.

        False (default): Negotiate when traffic enters.'
    Type: Boolean
  EnableDpd:
    Description:
      en: "Specifies whether to enable the dead peer detection (DPD) feature. Valid\
        \ values: \ntrue (default) The initiator of the IPsec-VPN connection sends\
        \ DPD packets to verify the existence and availability of the peer. If no\
        \ response is received from the peer within a specified period of time, the\
        \ connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel\
        \ is also deleted. \nfalse: disables DPD. The IPsec initiator does not send\
        \ DPD packets."
    Type: Boolean
  EnableNatTraversal:
    Description:
      en: "Specifies whether to enable NAT traversal. Valid values: \ntrue (default)\
        \ After NAT traversal is enabled, the initiator does not check the UDP ports\
        \ during IKE negotiations and can automatically discover NAT gateway devices\
        \ along the VPN tunnel. \nfalse"
    Type: Boolean
  HealthCheckConfig:
    AssociationPropertyMetadata:
      Parameters:
        Dip:
          Type: String
        Enable:
          Type: Boolean
        Interval:
          Type: Number
        Policy:
          Description:
            en: Whether to revoke published routes when the health check fails.
          Type: String
        Retry:
          Type: Number
        Sip:
          Type: String
    Description:
      en: Whether to enable the health check configuration.
    Type: Json
  IkeConfig:
    AssociationPropertyMetadata:
      Parameters:
        IkeAuthAlg:
          AllowedValues:
          - md5
          - sha1
          - sha256
          - sha384
          - sha512
          - sm3
          Description:
            en: "The authentication algorithm negotiated in the first phase. \nIf\
              \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
              \ and the default value is md5.\nIf the VPN gateway instance type is\
              \ national secret type, The value is sm3 (default value)."
          Type: String
        IkeEncAlg:
          AllowedValues:
          - aes
          - aes192
          - aes256
          - des
          - 3des
          - sm4
          Description:
            en: "The authentication algorithm negotiated in the first phase. \nIf\
              \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
              \ and the default value is aes.\nIf the VPN gateway instance type is\
              \ national secret type, The value is sm4 (default value)."
          Type: String
        IkeLifetime:
          Default: 86400
          Description:
            en: The life cycle of the SA negotiated in the first phase. The value
              ranges from 0 to 86400, in seconds. The default value is 86400.
          MaxValue: 86400
          MinValue: 0
          Type: Number
        IkeMode:
          AllowedValues:
          - main
          - aggressive
          Default: main
          Description:
            en: 'Negotiation mode for IKE V1. Value: main|aggressive, default: main.'
          Type: String
        IkePfs:
          AllowedValues:
          - group1
          - group2
          - group5
          - group14
          - group24
          Default: group2
          Description:
            en: 'Diffie-Hellman key exchange algorithm used in the first phase negotiation.
              Value: group1|group2|group5|group14|group24, default value: group2.'
          Type: String
        IkeVersion:
          AllowedValues:
          - ikev1
          - ikev2
          Default: ikev1
          Description:
            en: 'The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1.'
          Type: String
        LocalId:
          Description:
            en: ID of the VPN gateway. The length is limited to 100 characters. The
              default value is the public IP address of the VPN gateway.
          MaxLength: 100
          Type: String
        Psk:
          Description:
            en: Used for identity authentication between the IPsec VPN gateway and
              the user gateway. It is generated randomly by default, or you can specify
              the key manually. The length is limited to 100 characters.
          MaxLength: 100
          Type: String
        RemoteId:
          Description:
            en: ID of the user gateway. The length is limited to 100 characters. The
              default value is the public IP address of the user gateway.
          MaxLength: 100
          Type: String
    Description:
      en: Configuration information for the first phase of negotiation.
    Type: Json
  IpsecConfig:
    AssociationPropertyMetadata:
      Parameters:
        IpsecAuthAlg:
          AllowedValues:
          - md5
          - sha1
          - sha256
          - sha384
          - sha512
          - sm3
          Description:
            en: "The authentication algorithm negotiated in the first phase. \nIf\
              \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
              \ and the default value is md5.\nIf the VPN gateway instance type is\
              \ national secret type, The value is sm3 (default value)."
          Type: String
        IpsecEncAlg:
          AllowedValues:
          - aes
          - aes192
          - aes256
          - des
          - 3des
          - sm4
          Description:
            en: "The authentication algorithm negotiated in the second phase. \nIf\
              \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
              \ and the default value is aes.\nIf the VPN gateway instance type is\
              \ national secret type, The value is sm4 (default value)."
          Type: String
        IpsecLifetime:
          Default: 86400
          Description:
            en: 'IpsecLifetime: The life cycle of the SA negotiated in the second
              phase. The value ranges from 0 to 86400, in seconds. The default value
              is 86400.'
          MaxValue: 86400
          MinValue: 0
          Type: Number
        IpsecPfs:
          AllowedValues:
          - disabled
          - group1
          - group2
          - group5
          - group14
          - group24
          Default: group2
          Description:
            en: 'Forwards all protocol packets. The Diffie-Hellman key exchange algorithm
              used in the first phase negotiation, the value: group1|group2|group5|group14|group24,
              default value: group2.'
          Type: String
    Description:
      en: Configuration information for the second phase negotiation.
    Type: Json
  LocalSubnet:
    Description:
      en: 'A network segment on the VPC side that needs to be interconnected with
        the local IDC for the second phase negotiation.

        Multiple network segments are separated by commas, for example: 192.168.1.0/24,
        192.168.2.0/24.'
    Type: String
  Name:
    Description:
      en: 'The name of the IPsec connection.

        The length is 2-128 characters and must start with a letter or Chinese. It
        can contain numbers, periods (.), underscores (_) and dashes (-), but cannot
        start with http:// or https:// .'
    MaxLength: 128
    MinLength: 2
    Type: String
  NetworkType:
    AllowedValues:
    - public
    - private
    Description:
      en: 'The network type of the IPsec connection. Value: public|private.'
    Type: String
  RemoteCaCert:
    Description:
      en: "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish\
        \ the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway\
        \ is used to establish the IPsec-VPN connection. \nYou can ignore this parameter\
        \ when a standard VPN gateway is used to create the IPsec-VPN connection."
    Type: String
  RemoteSubnet:
    Description:
      en: 'The network segment of the local IDC is used for the second phase negotiation.

        Multiple network segments are separated by commas, for example: 192.168.3.0/24,
        192.168.4.0/24.'
    Type: String
Resources:
  VpnAttachment:
    Properties:
      AutoConfigRoute:
        Ref: AutoConfigRoute
      BgpConfig:
        Ref: BgpConfig
      CustomerGatewayId:
        Ref: CustomerGatewayId
      EffectImmediately:
        Ref: EffectImmediately
      EnableDpd:
        Ref: EnableDpd
      EnableNatTraversal:
        Ref: EnableNatTraversal
      HealthCheckConfig:
        Ref: HealthCheckConfig
      IkeConfig:
        Ref: IkeConfig
      IpsecConfig:
        Ref: IpsecConfig
      LocalSubnet:
        Ref: LocalSubnet
      Name:
        Ref: Name
      NetworkType:
        Ref: NetworkType
      RemoteCaCert:
        Ref: RemoteCaCert
      RemoteSubnet:
        Ref: RemoteSubnet
    Type: ALIYUN::VPC::VpnAttachment
Outputs:
  InternetIp:
    Description: The gateway IP address of the IPsec connection.
    Value:
      Fn::GetAtt:
      - VpnAttachment
      - InternetIp
  PeerVpnAttachmentConfig:
    Description: Peer vpc Attachment config.
    Value:
      Fn::GetAtt:
      - VpnAttachment
      - PeerVpnAttachmentConfig
  VpnAttachmentId:
    Description: ID of the IPsec attachment.
    Value:
      Fn::GetAtt:
      - VpnAttachment
      - VpnAttachmentId

    • JSON format 

      {
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "LocalSubnet": {
      "Type": "String",
      "Description": {
        "en": "A network segment on the VPC side that needs to be interconnected with the local IDC for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.1.0/24, 192.168.2.0/24."
      }
    },
    "CustomerGatewayId": {
      "Type": "String",
      "Description": {
        "en": "The ID of the user gateway."
      }
    },
    "AutoConfigRoute": {
      "Type": "Boolean",
      "Description": {
        "en": "Specifies whether to automatically configure routes. Valid values:\ntrue (default) \nfalse"
      }
    },
    "Name": {
      "Type": "String",
      "Description": {
        "en": "The name of the IPsec connection.\nThe length is 2-128 characters and must start with a letter or Chinese. It can contain numbers, periods (.), underscores (_) and dashes (-), but cannot start with http:// or https:// ."
      },
      "MinLength": 2,
      "MaxLength": 128
    },
    "EffectImmediately": {
      "Type": "Boolean",
      "Description": {
        "en": "Whether to delete the currently negotiated IPsec tunnel and re-initiate the negotiation. Value:\nTrue: Negotiate immediately after the configuration is complete.\nFalse (default): Negotiate when traffic enters."
      },
      "Default": false
    },
    "BgpConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "EnableBgp": {
            "Type": "Boolean",
            "Description": {
              "en": "Specifies whether to enable the BGP feature for the tunnel. \nValid values: true and false. Default value: false."
            }
          },
          "LocalAsn": {
            "Type": "Number",
            "Description": {
              "en": "the ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295. Default value: 45104."
            },
            "MinValue": 1,
            "MaxValue": 4294967295
          },
          "TunnelCidr": {
            "Type": "String",
            "Description": {
              "en": "the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length."
            }
          },
          "LocalBgpIp": {
            "Type": "String",
            "Description": {
              "en": "the BGP IP address on the Alibaba Cloud side. \nThis IP address must fall within the CIDR block of the IPsec tunnel."
            }
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP, we recommend that you learn about how BGP works and its limits. For more information, see VPN Gateway supports BGP dynamic routing.\nWe recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. \nRefer to the relevant documentation for the private ASN range."
      }
    },
    "RemoteSubnet": {
      "Type": "String",
      "Description": {
        "en": "The network segment of the local IDC is used for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.3.0/24, 192.168.4.0/24."
      }
    },
    "RemoteCaCert": {
      "Type": "String",
      "Description": {
        "en": "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway is used to establish the IPsec-VPN connection. \nYou can ignore this parameter when a standard VPN gateway is used to create the IPsec-VPN connection."
      }
    },
    "IpsecConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "IpsecPfs": {
            "Type": "String",
            "Description": {
              "en": "Forwards all protocol packets. The Diffie-Hellman key exchange algorithm used in the first phase negotiation, the value: group1|group2|group5|group14|group24, default value: group2."
            },
            "AllowedValues": [
              "disabled",
              "group1",
              "group2",
              "group5",
              "group14",
              "group24"
            ],
            "Default": "group2"
          },
          "IpsecEncAlg": {
            "Type": "String",
            "Description": {
              "en": "The authentication algorithm negotiated in the second phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway instance type is national secret type, The value is sm4 (default value)."
            },
            "AllowedValues": [
              "aes",
              "aes192",
              "aes256",
              "des",
              "3des",
              "sm4"
            ]
          },
          "IpsecAuthAlg": {
            "Type": "String",
            "Description": {
              "en": "The authentication algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway instance type is national secret type, The value is sm3 (default value)."
            },
            "AllowedValues": [
              "md5",
              "sha1",
              "sha256",
              "sha384",
              "sha512",
              "sm3"
            ]
          },
          "IpsecLifetime": {
            "Type": "Number",
            "Description": {
              "en": "IpsecLifetime: The life cycle of the SA negotiated in the second phase. The value ranges from 0 to 86400, in seconds. The default value is 86400."
            },
            "MinValue": 0,
            "MaxValue": 86400,
            "Default": 86400
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "Configuration information for the second phase negotiation."
      }
    },
    "NetworkType": {
      "Type": "String",
      "Description": {
        "en": "The network type of the IPsec connection. Value: public|private."
      },
      "AllowedValues": [
        "public",
        "private"
      ]
    },
    "HealthCheckConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "Whether to revoke published routes when the health check fails."
            }
          },
          "Enable": {
            "Type": "Boolean"
          },
          "Dip": {
            "Type": "String"
          },
          "Retry": {
            "Type": "Number"
          },
          "Sip": {
            "Type": "String"
          },
          "Interval": {
            "Type": "Number"
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "Whether to enable the health check configuration."
      }
    },
    "EnableNatTraversal": {
      "Type": "Boolean",
      "Description": {
        "en": "Specifies whether to enable NAT traversal. Valid values: \ntrue (default) After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel. \nfalse"
      }
    },
    "IkeConfig": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "IkeAuthAlg": {
            "Type": "String",
            "Description": {
              "en": "The authentication algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway instance type is national secret type, The value is sm3 (default value)."
            },
            "AllowedValues": [
              "md5",
              "sha1",
              "sha256",
              "sha384",
              "sha512",
              "sm3"
            ]
          },
          "LocalId": {
            "Type": "String",
            "Description": {
              "en": "ID of the VPN gateway. The length is limited to 100 characters. The default value is the public IP address of the VPN gateway."
            },
            "MaxLength": 100
          },
          "IkeEncAlg": {
            "Type": "String",
            "Description": {
              "en": "The authentication algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway instance type is national secret type, The value is sm4 (default value)."
            },
            "AllowedValues": [
              "aes",
              "aes192",
              "aes256",
              "des",
              "3des",
              "sm4"
            ]
          },
          "IkeVersion": {
            "Type": "String",
            "Description": {
              "en": "The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1."
            },
            "AllowedValues": [
              "ikev1",
              "ikev2"
            ],
            "Default": "ikev1"
          },
          "IkeMode": {
            "Type": "String",
            "Description": {
              "en": "Negotiation mode for IKE V1. Value: main|aggressive, default: main."
            },
            "AllowedValues": [
              "main",
              "aggressive"
            ],
            "Default": "main"
          },
          "IkeLifetime": {
            "Type": "Number",
            "Description": {
              "en": "The life cycle of the SA negotiated in the first phase. The value ranges from 0 to 86400, in seconds. The default value is 86400."
            },
            "MinValue": 0,
            "MaxValue": 86400,
            "Default": 86400
          },
          "RemoteId": {
            "Type": "String",
            "Description": {
              "en": "ID of the user gateway. The length is limited to 100 characters. The default value is the public IP address of the user gateway."
            },
            "MaxLength": 100
          },
          "Psk": {
            "Type": "String",
            "Description": {
              "en": "Used for identity authentication between the IPsec VPN gateway and the user gateway. It is generated randomly by default, or you can specify the key manually. The length is limited to 100 characters."
            },
            "MaxLength": 100
          },
          "IkePfs": {
            "Type": "String",
            "Description": {
              "en": "Diffie-Hellman key exchange algorithm used in the first phase negotiation. Value: group1|group2|group5|group14|group24, default value: group2."
            },
            "AllowedValues": [
              "group1",
              "group2",
              "group5",
              "group14",
              "group24"
            ],
            "Default": "group2"
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "Configuration information for the first phase of negotiation."
      }
    },
    "EnableDpd": {
      "Type": "Boolean",
      "Description": {
        "en": "Specifies whether to enable the dead peer detection (DPD) feature. Valid values: \ntrue (default) The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel is also deleted. \nfalse: disables DPD. The IPsec initiator does not send DPD packets."
      }
    }
  },
  "Resources": {
    "VpnAttachment": {
      "Type": "ALIYUN::VPC::VpnAttachment",
      "Properties": {
        "LocalSubnet": {
          "Ref": "LocalSubnet"
        },
        "CustomerGatewayId": {
          "Ref": "CustomerGatewayId"
        },
        "AutoConfigRoute": {
          "Ref": "AutoConfigRoute"
        },
        "Name": {
          "Ref": "Name"
        },
        "EffectImmediately": {
          "Ref": "EffectImmediately"
        },
        "BgpConfig": {
          "Ref": "BgpConfig"
        },
        "RemoteSubnet": {
          "Ref": "RemoteSubnet"
        },
        "RemoteCaCert": {
          "Ref": "RemoteCaCert"
        },
        "IpsecConfig": {
          "Ref": "IpsecConfig"
        },
        "NetworkType": {
          "Ref": "NetworkType"
        },
        "HealthCheckConfig": {
          "Ref": "HealthCheckConfig"
        },
        "EnableNatTraversal": {
          "Ref": "EnableNatTraversal"
        },
        "IkeConfig": {
          "Ref": "IkeConfig"
        },
        "EnableDpd": {
          "Ref": "EnableDpd"
        }
      }
    }
  },
  "Outputs": {
    "InternetIp": {
      "Description": "The gateway IP address of the IPsec connection.",
      "Value": {
        "Fn::GetAtt": [
          "VpnAttachment",
          "InternetIp"
        ]
      }
    },
    "VpnAttachmentId": {
      "Description": "ID of the IPsec attachment.",
      "Value": {
        "Fn::GetAtt": [
          "VpnAttachment",
          "VpnAttachmentId"
        ]
      }
    },
    "PeerVpnAttachmentConfig": {
      "Description": "Peer vpc Attachment config.",
      "Value": {
        "Fn::GetAtt": [
          "VpnAttachment",
          "PeerVpnAttachmentConfig"
        ]
      }
    }
  }
}