Creates an IPsec-VPN connection. After you create the IPsec-VPN connection, you can associate the IPsec-VPN connection with a transit router.
Usage notes
By default, an IPsec-VPN connection created by calling the CreateVpnAttachment
operation is not associated with a resource. You can associate an IPsec-VPN connection with a transit router by calling the CreateTransitRouterVpnAttachment operation.
Prerequisites
Before you create an IPsec-VPN connection, make sure that you created a customer gateway in the region where you want to create the IPsec-VPN connection. For more information, see CreateCustomerGateway.
If you want to add BGP configurations to an IPsec-VPN connection, make sure that an autonomous system number (ASN) is assigned to the customer gateway.
Debugging
Request parameters
Parameter | Type | Required | Example | Description |
---|---|---|---|---|
Action | String | Yes | CreateVpnAttachment | The operation that you want to perform. Set the value to CreateVpnAttachment. |
RegionId | String | Yes | ap-southeast-2 | The ID of the region where the IPsec-VPN connection is established. You can call the DescribeRegions operation to query the most recent region list. |
Name | String | No | nametest | The name of the IPsec-VPN connection. The name must be 1 to 100 characters in length and cannot start with |
CustomerGatewayId | String | Yes | cgw-p0w2jemrcj5u61un8**** | The ID of the customer gateway. |
NetworkType | String | No | public | The network type of the IPsec-VPN connection. Valid values:
|
LocalSubnet | String | Yes | 10.1.1.0/24,10.1.2.0/24 | The CIDR block on the VPC side. The CIDR block is used in Phase 2 negotiations. Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24. The following routing modes are supported:
|
RemoteSubnet | String | Yes | 10.1.3.0/24,10.1.4.0/24 | The CIDR block on the data center side. This CIDR block is used in Phase 2 negotiations. Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24. The following routing modes are supported:
|
EffectImmediately | Boolean | No | false | Specifies whether to immediately start IPsec negotiations. Valid values:
|
IkeConfig | String | No | {"Psk":"1234****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"47.XX.XX.1","RemoteId":"47.XX.XX.2"} | The configuration of Phase 1 negotiations:
|
IpsecConfig | String | No | {"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400} | The configurations of Phase 2 negotiations:
|
BgpConfig | String | No | {"EnableBgp":"true","LocalAsn":"45104","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"} | The Border Gateway Protocol (BGP) configuration:
Note
|
HealthCheckConfig | String | No | {"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3","Policy": "revoke_route"} | The health check configuration:
|
AutoConfigRoute | Boolean | No | true | Specifies whether to automatically configure routes. Valid values:
|
EnableDpd | Boolean | No | true | Specifies whether to enable the dead peer detection (DPD) feature. Valid values:
|
EnableNatTraversal | Boolean | No | true | Specifies whether to enable NAT traversal. Valid values:
|
RemoteCaCert | String | No | -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE----- | The peer CA certificate when a ShangMi (SM) VPN gateway is used to create the IPsec-VPN connection. |
ClientToken | String | No | 123e4567-e89b-12d3-a456-4266**** | The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests. The token can contain only ASCII characters. Note If you do not specify this parameter, the system automatically uses the request ID as the client token. The request ID may be different for each request. |
Tags.N.Key | String | No | TagKey | The tag key. The tag key cannot be an empty string. It can be at most 64 characters in length, and cannot contain You can specify at most 20 tag keys in each call. |
Tags.N.Value | String | No | TagValue | The tag value. The tag value can be an empty string and cannot exceed 128 characters in length. It cannot start with Each tag key corresponds to one tag value. You can specify at most 20 tag values in each call. |
Response parameters
Parameter | Type | Example | Description |
---|---|---|---|
RequestId | String | 88187252-0E26-3C4D-9D1D-32A04454EBBA | The request ID. |
VpnConnectionId | String | vco-p0wb09rama8qwwgfn**** | The ID of the IPsec-VPN connection. |
Name | String | nametest | The name of the IPsec-VPN connection. |
CreateTime | Long | 1658201810000 | The timestamp generated when the IPsec-VPN connection was established. Unit: milliseconds. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. |
Code | String | 200 | The status code returned by the current operation. 200 indicates that the operation is successful. |
Success | Boolean | true | Indicates whether the current operation is successful.
|
Message | String | successful | The information returned by the current operation. |
Examples
Sample requests
http(s)://[Endpoint]/?Action=CreateVpnAttachment
&RegionId=ap-southeast-2
&Name=nametest
&CustomerGatewayId=cgw-p0w2jemrcj5u61un8****
&NetworkType=public
&LocalSubnet=10.1.1.0/24,10.1.2.0/24
&RemoteSubnet=10.1.3.0/24,10.1.4.0/24
&EffectImmediately=false
&IkeConfig={"Psk":"1234****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"47.XX.XX.1","RemoteId":"47.XX.XX.2"}
&IpsecConfig={"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}
&BgpConfig={"EnableBgp":"true","LocalAsn":"45104","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}
&HealthCheckConfig={"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3","Policy": "revoke_route"}
&AutoConfigRoute=true
&EnableDpd=true
&EnableNatTraversal=true
&ClientToken=123e4567-e89b-12d3-a456-4266****
&Tags=[{"Key":"TagKey","Value":"TagValue"}]
&Common request parameters
Sample success responses
XML
format
HTTP/1.1 200 OK
Content-Type:application/xml
<CreateVpnAttachmentResponse>
<RequestId>88187252-0E26-3C4D-9D1D-32A04454EBBA</RequestId>
<VpnConnectionId>vco-p0wb09rama8qwwgfn****</VpnConnectionId>
<Name>nametest</Name>
<CreateTime>1658201810000</CreateTime>
<Code>200</Code>
<Success>true</Success>
<Message>successful</Message>
</CreateVpnAttachmentResponse>
JSON
format
HTTP/1.1 200 OK
Content-Type:application/json
{
"RequestId" : "88187252-0E26-3C4D-9D1D-32A04454EBBA",
"VpnConnectionId" : "vco-p0wb09rama8qwwgfn****",
"Name" : "nametest",
"CreateTime" : 1658201810000,
"Code" : "200",
"Success" : true,
"Message" : "successful"
}
Error codes
HttpCode | Error code | Error message | Description |
---|---|---|---|
400 | VpnRouteEntry.AlreadyExists | The specified route entry is already exist. | The error message returned because the route already exists. |
400 | VpnRouteEntry.Conflict | The specified route entry has conflict. | The error message returned because the specified route conflicts with an existing route. |
400 | NotSupportVpnConnectionParameter.IpsecPfs | The specified vpn connection ipsec Ipsec Pfs is not support. | The error message returned because the specified Perfect Forward Secrecy (PFS) parameter set for the IPsec connection is not supported. |
400 | NotSupportVpnConnectionParameter.IpsecAuthAlg | The specified vpn connection ipsec Auth Alg is not support. | The error message returned because the authentication algorithm specified for the IPsec-VPN connection is not supported. |
400 | VpnRouteEntry.BackupRoute | Validate backup route entry failed. | The error message returned because active/standby routes failed authentication. |
400 | VpnRouteEntry.InvalidWeight | Invalid route entry weight value. | The error message returned because the weight specified for the route is invalid. |
400 | InvalidParameter.VpnConnectionName | The specified vpn connection name is invalid. | The error message returned because the VPN connection name does not meet the requirements. |
400 | QuotaExceeded.PolicyBasedRoute | The maximum number of policy-based routes is exceeded. Existing routes: %s. Routes to be created: %s. Maximum routes: %s. | The error message returned because the number of policy-based routes reaches the upper limit. The maximum number of routes that you can create is %s. The number of existing routes is %s. You are creating %s routes. |
400 | MissingParameter.TunnelCidr | The parameter TunnelCidr is mandatory when BGP is enabled. | The error message returned because you must set the tunnel CIDR block when you enable BGP. |
400 | MissingParam.CustomerGatewayAsn | Asn of customer gateway is mandatory when BGP is enabled. | The error message returned because the ASN of the customer gateway cannot be empty when you enable BGP. |
400 | IllegalParam.LocalAsn | The specified LocalAsn is invalid. | The error message returned because the local ASN is invalid. |
400 | InvalidParameter.BgpConfig | The specified BgpConfig is invalid. | The error message returned because the BGP configuration is invalid. |
400 | IllegalParam.TunnelCidr | The specified TunnelCidr is invalid. | The error message returned because the TunnelCidr parameter is set to an invalid value. |
400 | InvalidLocalBgpIp.Malformed | The specified LocalBgpIp is malformed. | The error message returned because the local BGP IP address is in an abnormal state. |
400 | IllegalParam.LocalSubnet | The specified "LocalSubnet" (%s) is invalid. | The error message returned because LocalSubnet (%s) is set to an invalid value. |
400 | IllegalParam.RemoteSubnet | The specified "RemoteSubnet" (%s) is invalid. | The error message returned because RemoteSubnet (%s) is set to an invalid value. |
400 | IllegalParam.LocalBgpIp | The specified LocalBgpIp is invalid. | The error message returned because the local BGP IP address is invalid. |
400 | OperationFailed.MissCertificate | The VPN connecton has not associated any certificates. | The error message returned because the VPN gateway is not associated with a certificate. |
400 | MissingParam.RemoteId | The remote ID is mandatory when creating national standard VPN connection. | The error message returned because the peer ID is not specified. You must specify the peer ID when you create a VPN connection encrypted by SM. |
400 | IllegalParam.EnableBgp | VPN connection must enable BGP when VPN gateway has enabled BGP. | The error message returned because the VPN connection must use BGP if BGP is enabled for the VPN gateway. |
400 | Forbidden.TagKey.Duplicated | The specified tag key already exists. | The error message returned because the tag key already exists. |
400 | SizeLimitExceeded.TagNum | The maximum number of tags is exceeded. | The error message returned because the number of tags exceeds the upper limit. |
400 | InvalidParameter.TagValue | The specified parameter TagValue is invalid. | The error message returned because the specified tag value is invalid. |
400 | InvalidParameter.TagKey | The specified parameter TagKey is invalid. | The error message returned because the specified tag key is invalid. |
400 | Duplicated.TagKey | The specified parameter TagKey is duplicated. | The error message returned because the specified tag key already exists. |
400 | InternalError | The request processing has failed due to some unknown error, exception or failure. | The error message returned because an internal error has occurred. |
400 | InvalidTunnelCidr.Malformed | The specified TunnelCidr is malformed. | The error message returned because the specified tunnel CIDR block is abnormal. |
403 | Forbbiden.SubUser | User not authorized to operate on the specified resource as your account is created by another user. | The error message returned because you are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again. |
403 | Forbidden | User not authorized to operate on the specified resource. | The error message returned because you are unauthorized to perform this operation on the specified resource. Apply for the required permissions and try again. |
404 | InvalidCustomerGatewayInstanceId.NotFound | The specified customer gateway instance id does not exist. | The error message returned because the specified customer gateway does not exist. Check whether the ID of the customer gateway is correct. |
For a list of error codes, see Service error codes.