ModifyTunnelAttribute - VPN Gateway - Alibaba Cloud Documentation Center

Modifies a VPN tunnel.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- For mandatory resource types, indicate with a prefix of * .
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
vpc:ModifyTunnelAttribute	update	*VpnConnection `acs:vpc:{#regionId}:{#accountId}:vpnconnection/{#VpnConnectionId}`	none	none

Request parameters

Parameter	Type	Required	Description	Example
ClientToken	string	No	The client token that is used to ensure the idempotence of the request. You can use the client to generate a token, but you must make sure that the token is unique among different requests. The client token can contain only ASCII characters. Note If you do not specify this parameter, the system automatically uses the value of RequestId as the client token. The value of RequestId is different for each API request.	02fb3da4-130e-11e9-8e44-0016e04115b
TunnelOptionsSpecification	object	No	The tunnel configurations.
EnableDpd	boolean	No	Specifies whether to enable dead peer detection (DPD). Valid values: true The IPsec initiator sends DPD packets to check the IPsec peer is alive. If no response is received from the peer within a specified period of time, the IPsec peer is considered disconnected. Then, the ISAKMP SA, IPsec SA, and IPsec tunnel are deleted. false: DPD is disabled. The IPsec initiator does not send DPD packets.	true
EnableNatTraversal	boolean	No	Specifies whether to enable NAT traversal. Valid values: true: enables NAT traversal. After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec-VPN tunnel. false: disables NAT traversal.	true
RemoteCaCertificate	string	No	The peer certificate authority (CA) certificate when you want to attach the IPsec connection to a virtual private network (VPN) gateway that uses a ShangMi (SM) certificate.	-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----
TunnelBgpConfig	object	No	The Border Gateway Protocol (BGP) configurations of the tunnel. If the BGP feature is not enabled for the tunnel, you must call the ModifyVpnConnectionAttribute operation to enable the feature and configure BGP.
LocalAsn	long	No	The local autonomous system number (ASN). Valid values: 1 to 4294967295.	65530
LocalBgpIp	string	No	The BGP IP address of the tunnel. The address needs to be an IP address within the TunnelCidr.	169.254.11.1
TunnelCidr	string	No	The CIDR block of the tunnel. The CIDR block must fall within 169.254.0.0/16 and the mask of the CIDR block must be 30 bits in length. The CIDR block cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30. Note The CIDR block of the IPsec tunnel for each IPsec-VPN connection on a VPN gateway must be unique.	169.254.11.0/30
TunnelIkeConfig	object	No	The configurations of IKE Phase 1.
IkeAuthAlg	string	No	The authentication algorithm that is used in IKE Phase 1 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512.	sha1
IkeEncAlg	string	No	The encryption algorithm that is used in IKE Phase 1 negotiations. Valid values: aes, aes192, aes256, des, and 3des.	aes
IkeLifetime	long	No	The SA lifetime as a result of Phase 1 negotiations. Unit: seconds Valid values: 0 to 86400.	86400
IkeMode	string	No	The negotiation mode of IKE. Valid values: main: This mode offers higher security during negotiations. aggressive: This mode is faster and has a higher success rate.	main
IkePfs	string	No	The Diffie-Hellman key exchange algorithm that is used in Phase 1 negotiations. Valid values: group1, group2, group5, and group14.	group2
IkeVersion	string	No	The version of the IKE protocol. Valid values: ikev1 and ikev2.	ikev2
LocalId	string	No	The tunnel identifier. The identifier can be up to 100 characters in length and cannot contain spaces. It supports fully qualified domain names (FQDNs) and IP addresses. The default value is the IP address of the tunnel.	47.XX.XX.87
Psk	string	No	The pre-shared key that is used to verify identities between the tunnel and peer. The key must be 1 to 100 characters in length, and can contain digits, and letters. It cannot contain spaces. ~!`@#$%^&()_-+={}[]\|;:',.<>/? If you do not specify a pre-shared key, the system randomly generates a 16-bit string as the key. You can call the DescribeVpnConnection operation to query the pre-shared key that is automatically generated by the system. Note* The pre-shared key that is configured for the tunnel and the tunnel peer must be the same. Otherwise, the system cannot establish the tunnel.	123456****
RemoteId	string	No	The peer identifier. The identifier can be up to 100 characters in length, and cannot contain spaces. It supports FQDNs and IP addresses. The default identifier is the IP address of the customer gateway associated with the tunnel.	47.XX.XX.207
TunnelIpsecConfig	object	No	The configurations of IPsec Phase 2.
IpsecAuthAlg	string	No	The authentication algorithm that is used in IPsec Phase 2 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512.	sha1
IpsecEncAlg	string	No	The encryption algorithm that is used in IPsec Phase 2 negotiations. Valid values: aes, aes192, aes256, des, and 3des.	aes
IpsecLifetime	long	No	The SA lifetime as a result of Phase 2 negotiations. Unit: seconds Valid values: 0 to 86400.	86400
IpsecPfs	string	No	The Diffie-Hellman key exchange algorithm that is used in Phase 2 negotiations. Valid values: disabled, group1, group2, group5, and group14.	group2
CustomerGatewayId	string	No	The ID of the customer gateway associated with the tunnel.	cgw-1nmwbpgrp7ssqm1yn****
RegionId	string	No	The ID of the region in which the IPsec connection is established. You can call the DescribeRegions operation to query the region ID.	cn-hangzhou
VpnConnectionId	string	Yes	The ID of the IPsec connection.	vco-gw69vm1i71y354****
TunnelId	string	Yes	The tunnel ID.	tun-gbyz2e070xzo93****

Response parameters

Parameter	Type	Description	Example
	object	The returned data.
TunnelId	string	The tunnel ID.	tun-gbyz2e070xzo93****
RequestId	string	The request ID.	E6F36FF0-9544-3AEE-8673-A4647D50064C
TunnelIkeConfig	object	The Phase 1 configuration.
IkeAuthAlg	string	The IKE authentication algorithm.	sha1
IkeEncAlg	string	The IKE encryption algorithm.	aes
IkeLifetime	long	The IKE lifetime. Unit: seconds.	86400
IkeMode	string	The IKE negotiation mode. main: This mode offers higher security during negotiations. aggressive: This mode is faster and has a higher success rate.	main
IkePfs	string	The DH group.	group2
IkeVersion	string	The IKE version. ikev1 ikev2 Compared with IKEv1, IKEv2 simplifies the SA negotiation process and provides better support for scenarios with multiple CIDR blocks.	ikev2
LocalId	string	The tunnel identifier. The identifier supports FQDNs and IP addresses. The default value is the tunnel IP address.	47.XX.XX.87
Psk	string	The pre-shared key.	123456****
RemoteId	string	The peer identifier. The identifier supports FQDNs and IP addresses. The default identifier is the IP address of the customer gateway associated with the tunnel.	47.XX.XX.207
TunnelIpsecConfig	object	The configurations of IPsec Phase 2.
IpsecAuthAlg	string	The IPsec authentication algorithm.	sha1
IpsecEncAlg	string	The IPsec encryption algorithm.	aes
IpsecLifetime	long	The IPsec lifetime. Unit: seconds.	86400
IpsecPfs	string	The DH group.	group2
TunnelBgpConfig	object	The BGP configuration.
EnableBgp	boolean	Indicates whether the BGP feature is enabled. Valid values: true false	true
LocalAsn	long	The local ASN.	65530
LocalBgpIp	string	The BGP IP address of the tunnel.	169.254.11.1
PeerAsn	long	The peer ASN.	65531
PeerBgpIp	string	The BGP IP address of the peer.	169.254.11.2
TunnelCidr	string	The CIDR block to which the tunnel BGP IP address belongs.	169.254.11.0/30
EnableNatTraversal	boolean	Indicates whether NAT traversal is enabled. Valid values: false true	true
EnableDpd	boolean	Indicates whether DPD is enabled. Valid values: false true	true
RemoteCaCertificate	string	The peer CA certificate when a VPN gateway that uses an SM certificate is used to create the IPsec connection.	-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----
CustomerGatewayId	string	The ID of the customer gateway associated with the customer gateway.	cgw-p0wx48ayhrygitm80****
Role	string	The tunnel role. Valid values: master slave	master
ZoneNo	string	The tunnel zone.	cn-hangzhou-h
InternetIp	string	The tunnel IP address.	47.XX.XX.87
State	string	The tunnel status. Valid values: active updating deleting	active

Examples

Sample success responses

JSONformat

{
  "TunnelId": "tun-gbyz2e070xzo93****",
  "RequestId": "E6F36FF0-9544-3AEE-8673-A4647D50064C",
  "TunnelIkeConfig": {
    "IkeAuthAlg": "sha1",
    "IkeEncAlg": "aes",
    "IkeLifetime": 86400,
    "IkeMode": "main",
    "IkePfs": "group2",
    "IkeVersion": "ikev2",
    "LocalId": "47.XX.XX.87",
    "Psk": "123456****",
    "RemoteId": "47.XX.XX.207"
  },
  "TunnelIpsecConfig": {
    "IpsecAuthAlg": "sha1",
    "IpsecEncAlg": "aes",
    "IpsecLifetime": 86400,
    "IpsecPfs": "group2"
  },
  "TunnelBgpConfig": {
    "EnableBgp": true,
    "LocalAsn": 65530,
    "LocalBgpIp": "169.254.11.1",
    "PeerAsn": 65531,
    "PeerBgpIp": "169.254.11.2",
    "TunnelCidr": "169.254.11.0/30"
  },
  "EnableNatTraversal": true,
  "EnableDpd": true,
  "RemoteCaCertificate": "-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----",
  "CustomerGatewayId": "cgw-p0wx48ayhrygitm80****",
  "Role": "master",
  "ZoneNo": "cn-hangzhou-h",
  "InternetIp": "47.XX.XX.87",
  "State": "active"
}

Error codes

HTTP status code	Error code	Error message	Description
400	VpnGateway.Configuring	The specified service is configuring.	The service is being configured. Try again later.
400	VpnGateway.FinancialLocked	The specified service is financial locked.	The service is suspended due to overdue payments. Top up your account first.
400	InvalidName	The name is not valid	The name format is invalid.
400	VpnRouteEntry.AlreadyExists	The specified route entry is already exist.	The route already exists.
400	VpnRouteEntry.Conflict	The specified route entry has conflict.	Route conflicts exist.
400	NotSupportVpnConnectionParameter.IpsecPfs	The specified vpn connection ipsec Ipsec Pfs is not support.	The PFS parameter set for the IPsec-VPN connection is not supported.
400	NotSupportVpnConnectionParameter.IpsecAuthAlg	The specified vpn connection ipsec Auth Alg is not support.	The authentication algorithm specified for the IPsec-VPN connection is not supported.
400	VpnConnectionParamInvalid.SameVpnAndCgwDifferentIkeConfigs	IPSec connections associated with the same user gateway and VPN gateway should have the same pre-shared key and IKE configuration.	The pre-shared key and IKE parameters must be the same for IPsec-VPN connections that are associated with the same VPN gateway and customer gateway.
400	VpnConnectionParamInvalid.SameVpnAndCgwTrafficSelectorOverlap	Traffic selectors of IPSec connections associated with the same user gateway and VPN gateway should not overlap.	The protected data flows of IPsec-VPN connections that are associated with the same VPN gateway and customer gateway cannot overlap.
400	IllegalParam.LocalAsn	The param of LocalAsn is illegal	The LocalAsn parameter is set to an invalid value.
400	IllegalParam.LocalBgpIp	The specified LocalBgpIp is invalid.	The local BGP IP address is invalid.
400	VpnGateway.task.conflict	The VPN is in the configuration state, please wait a while before operating.	The VPN is in the configuration state, please wait a while before operating.
400	ModifyIkeV1WithMultiRoutes.Invalid	Failed to modify VPN connection parameters. Multi-network is configured while using IkeV1 protocol.	Failed to modify VPN connection parameters. Multi-network is configured while using IkeV1 protocol.
403	Forbbiden.SubUser	User not authorized to operate on the specified resource as your account is created by another user.	You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again.
403	Forbidden	User not authorized to operate on the specified resource.	You do not have the permissions to manage the specified resource. Apply for the permissions and try again.
404	InvalidVpnConnectionInstanceId.NotFound	The specified vpn connection instance id does not exist.	The specified vpn connection instance id does not exist.

For a list of error codes, visit the Service error codes.

Change history

Change time	Summary of changes	Operation
2024-10-24	The Error code has changed	View Change Details
2024-01-04	API Description Update. The Error code has changed	View Change Details
2023-08-21	The Error code has changed	View Change Details