Creates an IPsec-VPN connection. After you create the IPsec-VPN connection, you can associate the IPsec-VPN connection with a transit router.

Usage notes

By default, an IPsec-VPN connection created by calling the CreateVpnAttachment operation is not associated with a resource. You can associate an IPsec-VPN connection with a transit router by calling the CreateTransitRouterVpnAttachment operation.

Prerequisites

Before you create an IPsec-VPN connection, make sure that you created a customer gateway in the region where you want to create the IPsec-VPN connection. For more information, see CreateCustomerGateway.

If you want to add BGP configurations to an IPsec-VPN connection, make sure that an autonomous system number (ASN) is assigned to the customer gateway.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CreateVpnAttachment

The operation that you want to perform. Set the value to CreateVpnAttachment.

RegionId String Yes ap-southeast-2

The ID of the region where the IPsec-VPN connection is established.

You can call the DescribeRegions operation to query the most recent region list.

Name String No nametest

The name of the IPsec-VPN connection.

The name must be 1 to 100 characters in length and cannot start with http:// or https://.

CustomerGatewayId String Yes cgw-p0w2jemrcj5u61un8****

The ID of the customer gateway.

NetworkType String No public

The network type of the IPsec-VPN connection. Valid values:

  • public (default)
  • private
LocalSubnet String Yes 10.1.1.0/24,10.1.2.0/24

The CIDR block on the VPC side. The CIDR block is used in Phase 2 negotiations.

Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24.

The following routing modes are supported:

  • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is set to Destination Routing Mode.
  • If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is set to Protected Data Flows.
RemoteSubnet String Yes 10.1.3.0/24,10.1.4.0/24

The CIDR block on the data center side. This CIDR block is used in Phase 2 negotiations.

Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24.

The following routing modes are supported:

  • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is set to Destination Routing Mode.
  • If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is set to Protected Data Flows.
EffectImmediately Boolean No false

Specifies whether to immediately start IPsec negotiations. Valid values:

  • true: immediately starts IPsec negotiations after the configuration is complete.
  • false (default): starts IPsec negotiations when inbound traffic is received.
IkeConfig String No {"Psk":"1234****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"47.XX.XX.1","RemoteId":"47.XX.XX.2"}

The configuration of Phase 1 negotiations:

  • IkeConfig.Psk: The pre-shared key that is used for authentication between the VPN gateway and the data center.
    • The key must be 1 to 100 characters in length and can contain digits, letters, and the following characters: 
      ~!`@#$%^&*()_-+={}[]|;:',.<>/?
    • If you do not specify a pre-shared key, the system generates a random 16-bit string as the pre-shared key. You can call the DescribeVpnConnection operation to query the pre-shared key that is generated by the system.
      Note The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway.
  • IkeConfig.IkeVersion: the version of the IKE protocol. Valid values: ikev1 and ikev2. Default value: ikev1.
  • IkeConfig.IkeMode: the negotiation mode. Valid values: main and aggressive. Default value: main.
  • IkeConfig.IkeEncAlg: the encryption algorithm that is used in Phase 1 negotiations. Valid values: aes, aes192, aes256, des, and 3des. Default value: aes.
  • IkeConfig.IkeAuthAlg: the authentication algorithm that is used in Phase 1 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512. Default value: md5.
  • IkeConfig.IkePfs: The Diffie-Hellman key exchange algorithm that is used in Phase 1 negotiations. Valid values: group1, group2, group5, and group14. Default value: group2.
  • IkeConfig.IkeLifetime: the SA lifetime determined by Phase 1 negotiations. Unit: seconds. Valid values: 0 to 86400. Default value: 86400.
  • IkeConfig.LocalId: the identifier on the Alibaba Cloud side. The identifier cannot exceed 100 characters in length. This parameter is empty by default.
  • IkeConfig.RemoteId: the identifier on the data center side. The identifier cannot exceed 100 characters in length. The default value is the IP address of the customer gateway.
IpsecConfig String No {"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}

The configurations of Phase 2 negotiations:

  • IpsecConfig.IpsecEncAlg: the encryption algorithm that is used in Phase 2 negotiations. Valid values: aes, aes192, aes256, des, and 3des. Default value: aes.
  • IpsecConfig. IpsecAuthAlg: the authentication algorithm that is used in Phase 2 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512. Default value: md5.
  • IpsecConfig. IpsecPfs: the Diffie-Hellman key exchange algorithm that is used in Phase 2 negotiations. Valid values: disabled, group1, group2, group5, and group14. Default value: group2.
  • IpsecConfig. IpsecLifetime: the SA lifetime that is determined by Phase 2 negotiations. Unit: seconds. Valid values: 0 to 86400. Default value: 86400.
BgpConfig String No {"EnableBgp":"true","LocalAsn":"45104","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}

The Border Gateway Protocol (BGP) configuration:

  • BgpConfig.EnableBgp: specifies whether to enable BGP. Valid values: true and false. Default value: false.
  • BgpConfig.LocalAsn: the ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295. Default value: 45104.
  • BgpConfig.TunnelCidr: the CIDR block of the IPsec tunnel. The CIDR block must belong to 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length.
  • LocalBgpIp: the BGP IP address on the Alibaba Cloud side. This IP address must fall within the CIDR block of the IPsec tunnel.
Note
  • Before you configure BGP, we recommend that you learn about how BGP works and its limits. For more information, see BGP dynamic routing.
  • We recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. Refer to the relevant documentation for the private ASN range.
HealthCheckConfig String No {"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3","Policy": "revoke_route"}

The health check configuration:

  • HealthCheckConfig.enable: specifies whether to enable health checks. Valid values: true and false. Default value: false.
  • HealthCheckConfig.dip: the destination IP address that is used for health checks. Enter the IP address on the data center side that the VPC can communicate with through the IPsec-VPN connection.
  • HealthCheckConfig.sip: the source IP address that is used for health checks. Enter the IP address on the VPC side that the data center can communicate with through the IPsec-VPN connection.
  • HealthCheckConfig.interval: the interval between two consecutive health checks. Unit: seconds. Default value: 3.
  • HealthCheckConfig.retry: the maximum number of health check retries. Default value: 3.
  • HealthCheckConfig.Policy: specifies whether to withdraw published routes when health checks fail. Valid values:
    • revoke_route (default): withdraws published routes.
    • reserve_route: does not withdraw published routes.
AutoConfigRoute Boolean No true

Specifies whether to automatically configure routes. Valid values:

  • true (default)
  • false
EnableDpd Boolean No true

Specifies whether to enable the dead peer detection (DPD) feature. Valid values:

  • true (default) The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel is also deleted.
  • false
EnableNatTraversal Boolean No true

Specifies whether to enable NAT traversal. Valid values:

  • true (default) After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel.
  • false
RemoteCaCert String No -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----

The peer CA certificate when a ShangMi (SM) VPN gateway is used to create the IPsec-VPN connection.

ClientToken String No 123e4567-e89b-12d3-a456-4266****

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the token, but you must make sure that the token is unique among different requests. The token can contain only ASCII characters.

Note If you do not specify this parameter, the system automatically uses the request ID as the client token. The request ID may be different for each request.
Tags.N.Key String No TagKey

The tag key. The tag key cannot be an empty string.

It can be at most 64 characters in length, and cannot contain http:// or https://. It cannot start with aliyun or acs:.

You can specify at most 20 tag keys in each call.

Tags.N.Value String No TagValue

The tag value.

The tag value can be an empty string and cannot exceed 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.

Each tag key corresponds to one tag value. You can specify at most 20 tag values in each call.

Response parameters

Parameter Type Example Description
RequestId String 88187252-0E26-3C4D-9D1D-32A04454EBBA

The request ID.

VpnConnectionId String vco-p0wb09rama8qwwgfn****

The ID of the IPsec-VPN connection.

Name String nametest

The name of the IPsec-VPN connection.

CreateTime Long 1658201810000

The timestamp generated when the IPsec-VPN connection was established. Unit: milliseconds.

This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.

Code String 200

The status code returned by the current operation. 200 indicates that the operation is successful.

Success Boolean true

Indicates whether the current operation is successful.

  • true
  • false
Message String successful

The information returned by the current operation.

Examples

Sample requests

http(s)://[Endpoint]/?Action=CreateVpnAttachment
&RegionId=ap-southeast-2
&Name=nametest
&CustomerGatewayId=cgw-p0w2jemrcj5u61un8****
&NetworkType=public
&LocalSubnet=10.1.1.0/24,10.1.2.0/24
&RemoteSubnet=10.1.3.0/24,10.1.4.0/24
&EffectImmediately=false
&IkeConfig={"Psk":"1234****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"47.XX.XX.1","RemoteId":"47.XX.XX.2"}
&IpsecConfig={"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}
&BgpConfig={"EnableBgp":"true","LocalAsn":"45104","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}
&HealthCheckConfig={"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3","Policy": "revoke_route"}
&AutoConfigRoute=true
&EnableDpd=true
&EnableNatTraversal=true
&ClientToken=123e4567-e89b-12d3-a456-4266****
&Tags=[{"Key":"TagKey","Value":"TagValue"}]
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<CreateVpnAttachmentResponse>
    <RequestId>88187252-0E26-3C4D-9D1D-32A04454EBBA</RequestId>
    <VpnConnectionId>vco-p0wb09rama8qwwgfn****</VpnConnectionId>
    <Name>nametest</Name>
    <CreateTime>1658201810000</CreateTime>
    <Code>200</Code>
    <Success>true</Success>
    <Message>successful</Message>
</CreateVpnAttachmentResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "88187252-0E26-3C4D-9D1D-32A04454EBBA",
  "VpnConnectionId" : "vco-p0wb09rama8qwwgfn****",
  "Name" : "nametest",
  "CreateTime" : 1658201810000,
  "Code" : "200",
  "Success" : true,
  "Message" : "successful"
}

Error codes

HttpCode Error code Error message Description
400 VpnRouteEntry.AlreadyExists The specified route entry is already exist. The error message returned because the route already exists.
400 VpnRouteEntry.Conflict The specified route entry has conflict. The error message returned because the specified route conflicts with an existing route.
400 NotSupportVpnConnectionParameter.IpsecPfs The specified vpn connection ipsec Ipsec Pfs is not support. The error message returned because the specified Perfect Forward Secrecy (PFS) parameter set for the IPsec connection is not supported.
400 NotSupportVpnConnectionParameter.IpsecAuthAlg The specified vpn connection ipsec Auth Alg is not support. The error message returned because the authentication algorithm specified for the IPsec-VPN connection is not supported.
400 VpnRouteEntry.BackupRoute Validate backup route entry failed. The error message returned because active/standby routes failed authentication.
400 VpnRouteEntry.InvalidWeight Invalid route entry weight value. The error message returned because the weight specified for the route is invalid.
400 InvalidParameter.VpnConnectionName The specified vpn connection name is invalid. The error message returned because the VPN connection name does not meet the requirements.
400 QuotaExceeded.PolicyBasedRoute The maximum number of policy-based routes is exceeded. Existing routes: %s. Routes to be created: %s. Maximum routes: %s. The error message returned because the number of policy-based routes reaches the upper limit. The maximum number of routes that you can create is %s. The number of existing routes is %s. You are creating %s routes.
400 MissingParameter.TunnelCidr The parameter TunnelCidr is mandatory when BGP is enabled. The error message returned because you must set the tunnel CIDR block when you enable BGP.
400 MissingParam.CustomerGatewayAsn Asn of customer gateway is mandatory when BGP is enabled. The error message returned because the ASN of the customer gateway cannot be empty when you enable BGP.
400 IllegalParam.LocalAsn The specified LocalAsn is invalid. The error message returned because the local ASN is invalid.
400 InvalidParameter.BgpConfig The specified BgpConfig is invalid. The error message returned because the BGP configuration is invalid.
400 IllegalParam.TunnelCidr The specified TunnelCidr is invalid. The error message returned because the TunnelCidr parameter is set to an invalid value.
400 InvalidLocalBgpIp.Malformed The specified LocalBgpIp is malformed. The error message returned because the local BGP IP address is in an abnormal state.
400 IllegalParam.LocalSubnet The specified "LocalSubnet" (%s) is invalid. The error message returned because LocalSubnet (%s) is set to an invalid value.
400 IllegalParam.RemoteSubnet The specified "RemoteSubnet" (%s) is invalid. The error message returned because RemoteSubnet (%s) is set to an invalid value.
400 IllegalParam.LocalBgpIp The specified LocalBgpIp is invalid. The error message returned because the local BGP IP address is invalid.
400 OperationFailed.MissCertificate The VPN connecton has not associated any certificates. The error message returned because the VPN gateway is not associated with a certificate.
400 MissingParam.RemoteId The remote ID is mandatory when creating national standard VPN connection. The error message returned because the peer ID is not specified. You must specify the peer ID when you create a VPN connection encrypted by SM.
400 IllegalParam.EnableBgp VPN connection must enable BGP when VPN gateway has enabled BGP. The error message returned because the VPN connection must use BGP if BGP is enabled for the VPN gateway.
400 Forbidden.TagKey.Duplicated The specified tag key already exists. The error message returned because the tag key already exists.
400 SizeLimitExceeded.TagNum The maximum number of tags is exceeded. The error message returned because the number of tags exceeds the upper limit.
400 InvalidParameter.TagValue The specified parameter TagValue is invalid. The error message returned because the specified tag value is invalid.
400 InvalidParameter.TagKey The specified parameter TagKey is invalid. The error message returned because the specified tag key is invalid.
400 Duplicated.TagKey The specified parameter TagKey is duplicated. The error message returned because the specified tag key already exists.
400 InternalError The request processing has failed due to some unknown error, exception or failure. The error message returned because an internal error has occurred.
400 InvalidTunnelCidr.Malformed The specified TunnelCidr is malformed. The error message returned because the specified tunnel CIDR block is abnormal.
403 Forbbiden.SubUser User not authorized to operate on the specified resource as your account is created by another user. The error message returned because you are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again.
403 Forbidden User not authorized to operate on the specified resource. The error message returned because you are unauthorized to perform this operation on the specified resource. Apply for the required permissions and try again.
404 InvalidCustomerGatewayInstanceId.NotFound The specified customer gateway instance id does not exist. The error message returned because the specified customer gateway does not exist. Check whether the ID of the customer gateway is correct.

For a list of error codes, see Service error codes.