Modifies a VPN tunnel.
Authorization information
The following table shows the authorization information for this API operation. You can use this information in the Action element of a policy to grant a RAM user or RAM role the permissions to call this API operation. The columns are described as follows:
- Operation: the value that you can use in the Action element to specify the operation on a resource.
- Access level: the access level of each operation. The levels are read, write, and list.
- Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
  - Mandatory resource types are marked with an asterisk (*) prefix.
  - If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
- Condition key: the condition key that is defined by the cloud service.
- Associated operation: other operations that the RAM user or the RAM role must have permissions to perform in order to complete the operation.
Operation | Access level | Resource type | Condition key | Associated operation |
---|---|---|---|---|
vpc:ModifyTunnelAttribute | update | *VpnConnection acs:vpc:{#regionId}:{#accountId}:vpnconnection/{#VpnConnectionId} | | none |
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
ClientToken | string | No | The client token that is used to ensure the idempotence of the request. You can use the client to generate a token, but you must make sure that the token is unique among different requests. The client token can contain only ASCII characters. Note: If you do not specify this parameter, the system automatically uses the value of RequestId as the client token. The value of RequestId is different for each API request. | 02fb3da4-130e-11e9-8e44-0016e04115b |
TunnelOptionsSpecification | object | No | The tunnel configurations. | |
EnableDpd | boolean | No | Specifies whether to enable dead peer detection (DPD). Valid values: | true |
EnableNatTraversal | boolean | No | Specifies whether to enable NAT traversal. Valid values: | true |
RemoteCaCertificate | string | No | The peer certificate authority (CA) certificate when you want to attach the IPsec connection to a virtual private network (VPN) gateway that uses a ShangMi (SM) certificate. | -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE----- |
TunnelBgpConfig | object | No | The Border Gateway Protocol (BGP) configurations of the tunnel. If the BGP feature is not enabled for the tunnel, you must call the ModifyVpnConnectionAttribute operation to enable the feature and configure BGP. | |
LocalAsn | long | No | The local autonomous system number (ASN). Valid values: 1 to 4294967295. | 65530 |
LocalBgpIp | string | No | The BGP IP address of the tunnel. The address needs to be an IP address within the TunnelCidr. | 169.254.11.1 |
TunnelCidr | string | No | The CIDR block of the tunnel. The CIDR block must fall within 169.254.0.0/16 and the mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30. Note: The CIDR block of the IPsec tunnel for each IPsec-VPN connection on a VPN gateway must be unique. | 169.254.11.0/30 |
TunnelIkeConfig | object | No | The configurations of IKE Phase 1. | |
IkeAuthAlg | string | No | The authentication algorithm that is used in IKE Phase 1 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512. | sha1 |
IkeEncAlg | string | No | The encryption algorithm that is used in IKE Phase 1 negotiations. Valid values: aes, aes192, aes256, des, and 3des. | aes |
IkeLifetime | long | No | The SA lifetime as a result of Phase 1 negotiations. Unit: seconds. Valid values: 0 to 86400. | 86400 |
IkeMode | string | No | The negotiation mode of IKE. Valid values: | main |
IkePfs | string | No | The Diffie-Hellman key exchange algorithm that is used in Phase 1 negotiations. Valid values: group1, group2, group5, and group14. | group2 |
IkeVersion | string | No | The version of the IKE protocol. Valid values: ikev1 and ikev2. | ikev2 |
LocalId | string | No | The tunnel identifier. The identifier can be up to 100 characters in length and cannot contain spaces. It supports fully qualified domain names (FQDNs) and IP addresses. The default value is the IP address of the tunnel. | 47.XX.XX.87 |
Psk | string | No | The pre-shared key that is used to verify identities between the tunnel and peer. Note: The pre-shared key that is configured for the tunnel and the tunnel peer must be the same. Otherwise, the system cannot establish the tunnel. | 123456**** |
RemoteId | string | No | The peer identifier. The identifier can be up to 100 characters in length, and cannot contain spaces. It supports FQDNs and IP addresses. The default identifier is the IP address of the customer gateway associated with the tunnel. | 47.XX.XX.207 |
TunnelIpsecConfig | object | No | The configurations of IPsec Phase 2. | |
IpsecAuthAlg | string | No | The authentication algorithm that is used in IPsec Phase 2 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512. | sha1 |
IpsecEncAlg | string | No | The encryption algorithm that is used in IPsec Phase 2 negotiations. Valid values: aes, aes192, aes256, des, and 3des. | aes |
IpsecLifetime | long | No | The SA lifetime as a result of Phase 2 negotiations. Unit: seconds. Valid values: 0 to 86400. | 86400 |
IpsecPfs | string | No | The Diffie-Hellman key exchange algorithm that is used in Phase 2 negotiations. Valid values: disabled, group1, group2, group5, and group14. | group2 |
CustomerGatewayId | string | No | The ID of the customer gateway associated with the tunnel. | cgw-1nmwbpgrp7ssqm1yn**** |
RegionId | string | No | The ID of the region in which the IPsec connection is established. You can call the DescribeRegions operation to query the region ID. | cn-hangzhou |
VpnConnectionId | string | Yes | The ID of the IPsec connection. | vco-gw69vm1i71y354**** |
TunnelId | string | Yes | The tunnel ID. | tun-gbyz2e070xzo93**** |
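
The constraints in the table above can be checked on the client before a request is sent. The following Python check is an added example, not Alibaba Cloud code: the function name `check_tunnel_spec` and the `WEAK` baseline (md5, sha1, des, 3des, DH groups 1, 2 and 5, and disabled PFS) are assumptions of this example, while the valid values and ranges are copied from the table.

```python
import ipaddress

# Valid values and ranges are copied from the request-parameter table above.
AUTH = {"md5", "sha1", "sha256", "sha384", "sha512"}
ENC = {"aes", "aes192", "aes256", "des", "3des"}
DH = {"group1", "group2", "group5", "group14"}
VALID = {"IkeAuthAlg": AUTH, "IkeEncAlg": ENC, "IkePfs": DH,
         "IkeVersion": {"ikev1", "ikev2"}, "IpsecAuthAlg": AUTH,
         "IpsecEncAlg": ENC, "IpsecPfs": DH | {"disabled"}}
RANGES = {"LocalAsn": (1, 4294967295), "IkeLifetime": (0, 86400),
          "IpsecLifetime": (0, 86400)}
RESERVED = {f"169.254.{n}.0/30" for n in range(7)} | {"169.254.169.252/30"}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Assumption: an example hardening baseline, not part of the API reference.
WEAK = {"md5", "sha1", "des", "3des", "group1", "group2", "group5", "disabled"}

def check_tunnel_spec(spec):
    """Return (errors, warnings) as lists of parameter names."""
    errors, warnings, p = [], [], {}
    for group in ("TunnelBgpConfig", "TunnelIkeConfig", "TunnelIpsecConfig"):
        p.update(spec.get(group, {}))  # parameter names do not collide
    net = None
    if "TunnelCidr" in p:
        try:  # strict parsing rejects host bits such as 169.254.11.1/30
            net = ipaddress.IPv4Network(p["TunnelCidr"])
        except ValueError:
            pass
        if (net is None or net.prefixlen != 30 or str(net) in RESERVED
                or not net.subnet_of(LINK_LOCAL)):
            errors.append("TunnelCidr")
            net = None
    if net is not None and "LocalBgpIp" in p:
        try:
            inside = ipaddress.IPv4Address(p["LocalBgpIp"]) in net
        except ValueError:
            inside = False
        if not inside:
            errors.append("LocalBgpIp")
    for key, (low, high) in RANGES.items():
        if key in p and not low <= p[key] <= high:
            errors.append(key)
    for key in ("LocalId", "RemoteId"):
        if len(p.get(key, "")) > 100 or " " in p.get(key, ""):
            errors.append(key)
    for key, allowed in VALID.items():
        if key in p and p[key] not in allowed:
            errors.append(key)   # not a documented valid value
        elif p.get(key) in WEAK:
            warnings.append(key)  # accepted by the API, weak per WEAK
    return errors, warnings
```

With the example values used on this page (sha1, aes, group2, 169.254.11.0/30), the function returns no errors and warns on IkeAuthAlg, IkePfs, IpsecAuthAlg and IpsecPfs.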
Response parameters
Examples
Sample success responses
JSON format
```json
{
  "TunnelId": "tun-gbyz2e070xzo93****",
  "RequestId": "E6F36FF0-9544-3AEE-8673-A4647D50064C",
  "TunnelIkeConfig": {
    "IkeAuthAlg": "sha1",
    "IkeEncAlg": "aes",
    "IkeLifetime": 86400,
    "IkeMode": "main",
    "IkePfs": "group2",
    "IkeVersion": "ikev2",
    "LocalId": "47.XX.XX.87",
    "Psk": "123456****",
    "RemoteId": "47.XX.XX.207"
  },
  "TunnelIpsecConfig": {
    "IpsecAuthAlg": "sha1",
    "IpsecEncAlg": "aes",
    "IpsecLifetime": 86400,
    "IpsecPfs": "group2"
  },
  "TunnelBgpConfig": {
    "EnableBgp": true,
    "LocalAsn": 65530,
    "LocalBgpIp": "169.254.11.1",
    "PeerAsn": 65531,
    "PeerBgpIp": "169.254.11.2",
    "TunnelCidr": "169.254.11.0/30"
  },
  "EnableNatTraversal": true,
  "EnableDpd": true,
  "RemoteCaCertificate": "-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----",
  "CustomerGatewayId": "cgw-p0wx48ayhrygitm80****",
  "Role": "master",
  "ZoneNo": "cn-hangzhou-h",
  "InternetIp": "47.XX.XX.87",
  "State": "active"
}
```
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
400 | VpnGateway.Configuring | The specified service is configuring. | The service is being configured. Try again later. |
400 | VpnGateway.FinancialLocked | The specified service is financial locked. | The service is suspended due to overdue payments. Top up your account first. |
400 | InvalidName | The name is not valid | The name format is invalid. |
400 | VpnRouteEntry.AlreadyExists | The specified route entry is already exist. | The route already exists. |
400 | VpnRouteEntry.Conflict | The specified route entry has conflict. | Route conflicts exist. |
400 | NotSupportVpnConnectionParameter.IpsecPfs | The specified vpn connection ipsec Ipsec Pfs is not support. | The PFS parameter set for the IPsec-VPN connection is not supported. |
400 | NotSupportVpnConnectionParameter.IpsecAuthAlg | The specified vpn connection ipsec Auth Alg is not support. | The authentication algorithm specified for the IPsec-VPN connection is not supported. |
400 | VpnConnectionParamInvalid.SameVpnAndCgwDifferentIkeConfigs | IPSec connections associated with the same user gateway and VPN gateway should have the same pre-shared key and IKE configuration. | The pre-shared key and IKE parameters must be the same for IPsec-VPN connections that are associated with the same VPN gateway and customer gateway. |
400 | VpnConnectionParamInvalid.SameVpnAndCgwTrafficSelectorOverlap | Traffic selectors of IPSec connections associated with the same user gateway and VPN gateway should not overlap. | The protected data flows of IPsec-VPN connections that are associated with the same VPN gateway and customer gateway cannot overlap. |
400 | IllegalParam.LocalAsn | The param of LocalAsn is illegal | The LocalAsn parameter is set to an invalid value. |
400 | IllegalParam.LocalBgpIp | The specified LocalBgpIp is invalid. | The local BGP IP address is invalid. |
400 | VpnGateway.task.conflict | The VPN is in the configuration state, please wait a while before operating. | The VPN is in the configuration state, please wait a while before operating. |
400 | ModifyIkeV1WithMultiRoutes.Invalid | Failed to modify VPN connection parameters. Multi-network is configured while using IkeV1 protocol. | Failed to modify VPN connection parameters. Multi-network is configured while using IkeV1 protocol. |
403 | Forbbiden.SubUser | User not authorized to operate on the specified resource as your account is created by another user. | You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again. |
403 | Forbidden | User not authorized to operate on the specified resource. | You do not have the permissions to manage the specified resource. Apply for the permissions and try again. |
404 | InvalidVpnConnectionInstanceId.NotFound | The specified vpn connection instance id does not exist. | The specified vpn connection instance id does not exist. |
For a list of error codes, see Service error codes.
Change history
Change time | Summary of changes | Operation |
---|---|---|
2024-10-24 | The Error code has changed | View Change Details |
2024-01-04 | API Description Update. The Error code has changed | View Change Details |
2023-08-21 | The Error code has changed | View Change Details |