Modifies the configuration of an IPsec-VPN connection.

Usage notes

  • ModifyVpnAttachmentAttribute is an asynchronous operation. After you send a request, the system returns a request ID and runs the task in the background. You can call the DescribeVpnConnection operation to query the status of the task.
    • If the IPsec-VPN connection is in the updating state, the connection is still being modified.
    • If the IPsec-VPN connection is in the attached state, the modification is complete.
  • Do not call the ModifyVpnAttachmentAttribute operation repeatedly within a short period of time. While a previous modification is still being applied, the call fails with the VpnConnection.Configuring error; wait and retry.
  • When you call the ModifyVpnAttachmentAttribute operation, take note of the following items:
    • If the IPsec-VPN connection is associated with a transit router, you cannot change the type of gateway to which the IPsec-VPN connection is attached.
    • If the IPsec-VPN connection is not associated with any resource, you cannot change the type of gateway to which the IPsec-VPN connection is attached or the customer gateway that is associated with the connection.

Debugging

OpenAPI Explorer automatically calculates the signature value, so we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer also generates sample code for the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes ModifyVpnAttachmentAttribute

The operation that you want to perform. Set the value to ModifyVpnAttachmentAttribute.

RegionId String Yes ap-southeast-2

The ID of the region where the IPsec-VPN connection is established.

You can call the DescribeRegions operation to query the most recent list of regions.

VpnConnectionId String Yes vco-p0w5112fgnl2ihlmf****

The ID of the IPsec-VPN connection.

Name String No nametest

The name of the IPsec-VPN connection.

The name must be 1 to 100 characters in length and cannot start with http:// or https://.

LocalSubnet String No 10.1.1.0/24,10.1.2.0/24

The CIDR block on the virtual private cloud (VPC) side. The CIDR block is used in Phase 2 negotiations.

Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24.

The following routing modes are supported:

  • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is set to Destination Routing Mode.
  • If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is set to Protected Data Flows.
RemoteSubnet String No 10.1.3.0/24,10.1.4.0/24

The CIDR block on the data center side. This CIDR block is used in Phase 2 negotiations.

Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24.

The following routing modes are supported:

  • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is set to Destination Routing Mode.
  • If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is set to Protected Data Flows.
EffectImmediately Boolean No false

Specifies whether to immediately start IPsec negotiations after the configuration takes effect. Valid values:

  • true: immediately starts IPsec negotiations after the configuration is complete.
  • false: starts IPsec negotiations when inbound traffic is detected.
IkeConfig String No {"Psk":"1234****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"47.XX.XX.1","RemoteId":"47.XX.XX.2"}

The configuration of Phase 1 negotiations:

  • IkeConfig.Psk: The pre-shared key that is used for authentication between the VPN gateway and the data center.
    • It must be 1 to 100 characters in length, and can contain digits, letters, and the following characters:
      ~!`@#$%^&*()_-+={}[]|;:',.<>/?
    • If you do not specify a pre-shared key, the system generates a random 16-character string and uses it as the pre-shared key. You can call the DescribeVpnConnection operation to query the pre-shared key that is generated by the system.
      Note The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway. The pre-shared key is sent in the request and is returned in plaintext in the response of this operation and of DescribeVpnConnection, so treat it as a secret: call the API only over HTTPS, do not log request URLs or responses that contain it, and restrict who is allowed to call these operations.
  • IkeConfig.IkeVersion: the version of the IKE protocol. Valid values: ikev1 and ikev2.
  • IkeConfig.IkeMode: the negotiation mode. Valid values: main and aggressive.
  • IkeConfig.IkeEncAlg: the encryption algorithm that is used in Phase 1 negotiations. Valid values: aes, aes192, aes256, des, and 3des.
  • IkeConfig.IkeAuthAlg: the authentication algorithm that is used in Phase 1 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512.
  • IkeConfig.IkePfs: the Diffie-Hellman group that is used in Phase 1 negotiations. Valid values: group1, group2, group5, and group14.
  • IkeConfig.IkeLifetime: the security association (SA) lifetime that is determined by Phase 1 negotiations. Unit: seconds. Valid values: 0 to 86400.
  • IkeConfig.LocalId: the identifier on the Alibaba Cloud side. The identifier cannot exceed 100 characters in length.
  • IkeConfig.RemoteId: the identifier on the data center side. The identifier cannot exceed 100 characters in length.
Note
  • des, 3des, md5, sha1, and the small Diffie-Hellman groups group1, group2, and group5 (768-, 1024-, and 1536-bit MODP) are accepted for interoperability with older devices but are no longer considered strong. Prefer aes256 with sha256 or stronger, group14 (2048-bit MODP) or stronger, and ikev2 where the data center device supports it.
  • With ikev1, main mode encrypts the identities exchanged in Phase 1, whereas aggressive mode sends the identity and the pre-shared-key-based authentication hash unencrypted. An attacker who captures an aggressive-mode exchange can run an offline dictionary attack against the pre-shared key, so use aggressive mode only with a long, random pre-shared key.
IpsecConfig String No {"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}

The configurations of Phase 2 negotiations:

  • IpsecConfig.IpsecEncAlg: the encryption algorithm that is used in Phase 2 negotiations. Valid values: aes, aes192, aes256, des, and 3des.
  • IpsecConfig.IpsecAuthAlg: the authentication algorithm that is used in Phase 2 negotiations. Valid values: md5, sha1, sha256, sha384, and sha512.
  • IpsecConfig.IpsecPfs: the Diffie-Hellman group that is used for Perfect Forward Secrecy (PFS) in Phase 2 negotiations. Valid values: disabled, group1, group2, group5, and group14. If you set this value to disabled, no new Diffie-Hellman exchange is performed for Phase 2: the Phase 2 keys are derived from the Phase 1 keying material alone and are not forward secret. As in Phase 1, des, 3des, md5, sha1, and the small groups are weak; prefer aes256, sha256 or stronger, and group14 or stronger.
  • IpsecConfig.IpsecLifetime: the SA lifetime that is determined by Phase 2 negotiations. Unit: seconds. Valid values: 0 to 86400.
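The constraints listed for IkeConfig and IpsecConfig are only enforced by the service after the call, and weak algorithm choices are accepted without complaint. The following added example (it is not Alibaba Cloud code and is not part of this reference) checks a pair of configuration dicts against the documented valid values before the request is built, reports the settings a security review would flag, and serialises the dicts into the JSON strings the two parameters take. The hardening policy (the WEAK_VALUES set and the 16-character minimum key length) is an assumption of this example, not an API requirement; the sample configuration is the one from the request example on this page.

```python
import json
import string

# Valid values as listed for IkeConfig and IpsecConfig above.
IKE_ENC_ALGS = {"aes", "aes192", "aes256", "des", "3des"}
AUTH_ALGS = {"md5", "sha1", "sha256", "sha384", "sha512"}
IKE_PFS_GROUPS = {"group1", "group2", "group5", "group14"}
IPSEC_PFS_GROUPS = IKE_PFS_GROUPS | {"disabled"}
PSK_ALPHABET = set(string.ascii_letters + string.digits + "~!`@#$%^&*()_-+={}[]|;:',.<>/?")

# Hardening policy assumed for this example; it is stricter than what the API accepts.
WEAK_VALUES = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}
MIN_PSK_LENGTH = 16  # assumed local policy; matches the length of a system-generated key


def _check_choice(problems, cfg, key, allowed):
    if cfg.get(key) not in allowed:
        problems.append("%s must be one of %s" % (key, ", ".join(sorted(allowed))))


def _check_lifetime(problems, cfg, key):
    value = cfg.get(key)
    if not (isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= 86400):
        problems.append("%s must be an integer from 0 to 86400 seconds" % key)


def validate_ike_config(ike):
    """Return the documented-constraint violations in an IkeConfig dict (empty list = OK)."""
    problems = []
    psk = ike.get("Psk")
    if psk is not None:
        if not 1 <= len(psk) <= 100:
            problems.append("Psk must be 1 to 100 characters")
        illegal = sorted(set(psk) - PSK_ALPHABET)
        if illegal:
            problems.append("Psk contains characters outside the allowed set: %s" % "".join(illegal))
    _check_choice(problems, ike, "IkeVersion", {"ikev1", "ikev2"})
    _check_choice(problems, ike, "IkeMode", {"main", "aggressive"})
    _check_choice(problems, ike, "IkeEncAlg", IKE_ENC_ALGS)
    _check_choice(problems, ike, "IkeAuthAlg", AUTH_ALGS)
    _check_choice(problems, ike, "IkePfs", IKE_PFS_GROUPS)
    _check_lifetime(problems, ike, "IkeLifetime")
    for key in ("LocalId", "RemoteId"):
        if len(str(ike.get(key, ""))) > 100:
            problems.append("%s cannot exceed 100 characters" % key)
    return problems


def validate_ipsec_config(ipsec):
    """Return the documented-constraint violations in an IpsecConfig dict (empty list = OK)."""
    problems = []
    _check_choice(problems, ipsec, "IpsecEncAlg", IKE_ENC_ALGS)
    _check_choice(problems, ipsec, "IpsecAuthAlg", AUTH_ALGS)
    _check_choice(problems, ipsec, "IpsecPfs", IPSEC_PFS_GROUPS)
    _check_lifetime(problems, ipsec, "IpsecLifetime")
    return problems


def hardening_findings(ike, ipsec):
    """Warnings for settings the API accepts but a security review would push back on."""
    findings = []
    for cfg, keys in ((ike, ("IkeEncAlg", "IkeAuthAlg", "IkePfs")),
                      (ipsec, ("IpsecEncAlg", "IpsecAuthAlg", "IpsecPfs"))):
        for key in keys:
            if cfg.get(key) in WEAK_VALUES:
                findings.append("%s=%s is a weak algorithm or DH group" % (key, cfg[key]))
    if ipsec.get("IpsecPfs") == "disabled":
        findings.append("IpsecPfs=disabled: Phase 2 keys are not forward secret")
    if ike.get("IkeVersion") == "ikev1" and ike.get("IkeMode") == "aggressive":
        findings.append("IKEv1 aggressive mode exposes the PSK hash to offline guessing")
    psk = ike.get("Psk")
    if psk is not None and len(psk) < MIN_PSK_LENGTH:
        findings.append("Psk shorter than %d characters" % MIN_PSK_LENGTH)
    return findings


def to_request_params(ike, ipsec):
    """Serialise both dicts into the JSON strings the IkeConfig/IpsecConfig parameters take."""
    problems = validate_ike_config(ike) + validate_ipsec_config(ipsec)
    if problems:
        raise ValueError("; ".join(problems))
    return {"IkeConfig": json.dumps(ike, separators=(",", ":")),
            "IpsecConfig": json.dumps(ipsec, separators=(",", ":"))}


if __name__ == "__main__":
    # Constructed input: the configuration from the request example on this page.
    ike = {"Psk": "1234****", "IkeVersion": "ikev1", "IkeMode": "main", "IkeEncAlg": "aes",
           "IkeAuthAlg": "sha1", "IkePfs": "group2", "IkeLifetime": 86400,
           "LocalId": "47.XX.XX.1", "RemoteId": "47.XX.XX.2"}
    ipsec = {"IpsecEncAlg": "aes", "IpsecAuthAlg": "sha1", "IpsecPfs": "group2", "IpsecLifetime": 86400}
    print("constraint problems:", validate_ike_config(ike) + validate_ipsec_config(ipsec))
    for line in hardening_findings(ike, ipsec):
        print("WARN", line)
    print(to_request_params(ike, ipsec)["IkeConfig"])
```

Run against the page's own sample, the validator passes (every value is in the documented set) while the hardening check flags sha1 and group2 in both phases and the short key; switching to ikev2, aes256, sha256, group14 and a 20-character key clears all findings.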
BgpConfig String No {"EnableBgp":"true","LocalAsn":"45104","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}

The Border Gateway Protocol (BGP) configurations:

  • BgpConfig.EnableBgp: specifies whether to enable BGP. Valid values:
    • true
    • false
  • BgpConfig.LocalAsn: the autonomous system number (ASN) on the Alibaba Cloud side. Valid values: 1 to 4294967295.
  • BgpConfig.TunnelCidr: the CIDR block of the IPsec tunnel. The CIDR block must belong to 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length.
  • BgpConfig.LocalBgpIp: the BGP IP address on the Alibaba Cloud side. This IP address must fall within the CIDR block of the IPsec tunnel.
Note
  • Before you configure BGP, we recommend that you learn about how BGP works and its limits. For more information, see BGP dynamic routing.
  • We recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. Private ASNs are 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs (RFC 6996).
HealthCheckConfig String No {"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3","Policy": "revoke_route"}

The health check configurations:

  • HealthCheckConfig.enable: specifies whether to enable health checks. Valid values:
    • true
    • false
  • HealthCheckConfig.dip: the destination IP address that is used for health checks. Enter the IP address on the data center side that the VPC can communicate with through the IPsec-VPN connection.
  • HealthCheckConfig.sip: the source IP address that is used for health checks. Enter the IP address on the VPC side that the data center can communicate with through the IPsec-VPN connection.
  • HealthCheckConfig.interval: the interval between two consecutive health checks. Unit: seconds.
  • HealthCheckConfig.retry: the maximum number of health check retries.
  • HealthCheckConfig.Policy: specifies whether to withdraw published routes when health checks fail. Valid values:
    • revoke_route: withdraw published routes when health checks fail.
    • reserve_route: does not withdraw published routes when health checks fail.
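The BgpConfig and HealthCheckConfig parameters carry addressing constraints that are easy to get wrong (a tunnel CIDR with host bits set, a BGP address on the network or broadcast address of the /30, a probe target that the Phase 2 selectors do not cover). The following added example, written for this page and not taken from Alibaba Cloud, checks both parameters with the standard library's ipaddress module. The private-ASN ranges come from RFC 6996; the requirement that interval and retry be positive integers, and the check that sip lies in LocalSubnet and dip in RemoteSubnet (otherwise the probe packets are not matched by the negotiated data flows), are assumptions of this example rather than statements on this page. The sample values are the ones from the request example above.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Private ASN ranges from RFC 6996; the reference above only recommends "a private ASN".
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def _as_bool(value):
    # The reference shows these flags as the strings "true"/"false".
    text = str(value).lower()
    if text not in ("true", "false"):
        raise ValueError("expected true or false, got %r" % (value,))
    return text == "true"


def validate_bgp_config(bgp):
    """Documented constraints on BgpConfig plus the private-ASN recommendation."""
    problems = []
    try:
        if not _as_bool(bgp.get("EnableBgp", "false")):
            return problems
    except ValueError as exc:
        return ["EnableBgp: %s" % exc]
    try:
        asn = int(bgp["LocalAsn"])
        if not 1 <= asn <= 4294967295:
            problems.append("LocalAsn must be 1 to 4294967295")
        elif not any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES):
            problems.append("LocalAsn %d is not a private ASN (RFC 6996)" % asn)
    except (KeyError, ValueError):
        problems.append("LocalAsn is missing or not an integer")
    tunnel = None
    try:
        # strict=True rejects "169.254.11.1/30": the CIDR must be the network address.
        tunnel = ipaddress.ip_network(bgp["TunnelCidr"], strict=True)
        if tunnel.version != 4 or tunnel.prefixlen != 30 or not tunnel.subnet_of(LINK_LOCAL):
            problems.append("TunnelCidr must be a /30 inside 169.254.0.0/16")
    except (KeyError, ValueError):
        problems.append("TunnelCidr is missing or not a valid network address (host bits must be zero)")
    try:
        local_ip = ipaddress.ip_address(bgp["LocalBgpIp"])
        # hosts() of a /30 yields the two usable addresses, excluding network and broadcast.
        if tunnel is not None and local_ip not in list(tunnel.hosts()):
            problems.append("LocalBgpIp must be a usable host address inside TunnelCidr")
    except (KeyError, ValueError):
        problems.append("LocalBgpIp is missing or not an IP address")
    return problems


def _parse_subnets(csv):
    # LocalSubnet/RemoteSubnet are comma-separated CIDR blocks; "0.0.0.0/0" covers everything.
    return [ipaddress.ip_network(s.strip(), strict=False) for s in csv.split(",") if s.strip()]


def validate_health_check(hc, local_subnet, remote_subnet):
    """Documented constraints on HealthCheckConfig plus a consistency check against the
    LocalSubnet/RemoteSubnet values (assumed in this example: probes outside the protected
    data flows are not carried by the tunnel)."""
    problems = []
    try:
        if not _as_bool(hc.get("enable", "false")):
            return problems
    except ValueError as exc:
        return ["enable: %s" % exc]
    for key, subnets, side in (("sip", local_subnet, "LocalSubnet"), ("dip", remote_subnet, "RemoteSubnet")):
        try:
            addr = ipaddress.ip_address(hc[key])
        except (KeyError, ValueError):
            problems.append("%s is missing or not an IP address" % key)
            continue
        if not any(addr in net for net in _parse_subnets(subnets)):
            problems.append("%s %s is not covered by %s (%s)" % (key, addr, side, subnets))
    for key in ("interval", "retry"):  # positive integers: assumed, the page gives no range
        try:
            if int(hc[key]) <= 0:
                problems.append("%s must be a positive integer" % key)
        except (KeyError, ValueError):
            problems.append("%s is missing or not an integer" % key)
    if hc.get("Policy") not in ("revoke_route", "reserve_route"):
        problems.append("Policy must be revoke_route or reserve_route")
    return problems


if __name__ == "__main__":
    # Constructed input: the BgpConfig and HealthCheckConfig values from the request example.
    bgp = {"EnableBgp": "true", "LocalAsn": "45104", "TunnelCidr": "169.254.11.0/30", "LocalBgpIp": "169.254.11.1"}
    hc = {"enable": "true", "dip": "192.168.1.1", "sip": "10.1.1.1", "interval": "3", "retry": "3", "Policy": "revoke_route"}
    print(validate_bgp_config(bgp))
    print(validate_health_check(hc, "10.1.1.0/24,10.1.2.0/24", "10.1.3.0/24,10.1.4.0/24"))
```

Applied to the page's own sample values, the checks report that LocalAsn 45104 is not a private ASN and that the health-check target 192.168.1.1 is not inside the sample RemoteSubnet (10.1.3.0/24,10.1.4.0/24); with LocalSubnet and RemoteSubnet set to 0.0.0.0/0 (Destination Routing Mode) the address check is satisfied by any target.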
AutoConfigRoute Boolean No true

Specifies whether to automatically configure routes. Valid values:

  • true
  • false
EnableDpd Boolean No true

Specifies whether to enable the dead peer detection (DPD) feature. Valid values:

  • true: the initiator of the IPsec-VPN connection sends DPD packets to verify that the peer exists and is reachable. If no response is received from the peer within the specified period of time, the connection is considered failed: the ISAKMP SA and the IPsec SAs are deleted, and the security tunnel is torn down.
  • false
EnableNatTraversal Boolean No true

Specifies whether to enable NAT traversal. Valid values:

  • true: enables NAT traversal. When NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT devices on the path of the IPsec tunnel.
  • false: disables NAT traversal.
RemoteCaCert String No c20ycDI1NnYxIENBIChURVNUIFN****

The peer CA certificate when a ShangMi (SM) VPN gateway is used to create the IPsec-VPN connection.

ClientToken String No 123e4567-e89b-12d3-a456-4266****

The client token that is used to ensure the idempotence of the request.

Generate the token on the client and make sure that it is unique across requests. The token can contain only ASCII characters.

Note If you do not specify this parameter, the system automatically uses the request ID as the client token. The request ID may be different for each request.
NetworkType String No public

The network type of the IPsec-VPN connection. Valid values:

  • public: an encrypted connection over the Internet.
  • private: an encrypted connection over private networks.
CustomerGatewayId String No cgw-p0w2jemrcj5u61un8****

The customer gateway associated with the IPsec-VPN connection.

Response parameters

Parameter Type Example Description
VpnConnectionId String vco-p0w5112fgnl2ihlmf****

The ID of the IPsec-VPN connection.

CustomerGatewayId String cgw-p0w2jemrcj5u61un8****

The ID of the customer gateway associated with the IPsec-VPN connection.

VpnGatewayId String vpn-p0wa1c1018pmeb6cu****

The ID of the VPN gateway associated with the IPsec-VPN connection.

Name String nametest

The name of the IPsec-VPN connection.

Description String desctest

The description of the IPsec-VPN connection.

LocalSubnet String 10.1.1.0/24,10.1.2.0/24

The CIDR block on the VPC side.

RemoteSubnet String 10.1.3.0/24,10.1.4.0/24

The CIDR block on the data center side.

IkeConfig Object

The configurations of Phase 1 negotiations.

Psk String 1234***

The pre-shared key that was used for identity authentication between the VPN gateway and the data center.

Note The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway.
IkeVersion String ikev1

The version of the IKE protocol.

IkeMode String main

The negotiation mode.

IkeEncAlg String aes

The encryption algorithm that was used in Phase 1 negotiations.

IkeAuthAlg String sha1

The authentication algorithm that was used in Phase 1 negotiations.

IkePfs String group2

The Diffie-Hellman key exchange algorithm that was used in Phase 1 negotiations.

IkeLifetime Long 86400

The SA lifetime that was determined by Phase 1 negotiations. Unit: seconds.

LocalId String 47.XX.XX.1

The identifier on the Alibaba Cloud side.

RemoteId String 47.XX.XX.2

The identifier on the data center side.

IpsecConfig Object

The configurations of Phase 2 negotiations.

IpsecEncAlg String aes

The encryption algorithm that was used in Phase 2 negotiations.

IpsecAuthAlg String md5

The authentication algorithm that was used in Phase 2 negotiations.

IpsecPfs String group2

The Diffie-Hellman key exchange algorithm that was used in Phase 2 negotiations.

IpsecLifetime Long 86400

The SA lifetime that was determined by Phase 2 negotiations. Unit: seconds.

CreateTime Long 1658201810000

The timestamp generated when the IPsec-VPN connection was established. Unit: milliseconds.

This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.

EffectImmediately Boolean false

Indicates whether IPsec negotiations immediately start. Valid values:

  • true
  • false
Status String ike_sa_not_established

The status of the IPsec-VPN connection. Valid values:

  • ike_sa_not_established: Phase 1 negotiations failed.
  • ike_sa_established: Phase 1 negotiations succeeded.
  • ipsec_sa_not_established: Phase 2 negotiations failed.
  • ipsec_sa_established: Phase 2 negotiations succeeded.
VcoHealthCheck Object

The health check configurations of the IPsec-VPN connection.

Enable String true

Indicates whether the health check feature is enabled for the IPsec-VPN connection.

  • true
  • false
Sip String 10.1.1.1

The source IP address that was used for health checks.

Dip String 192.168.1.1

The destination IP address that was used for health checks.

Interval Integer 3

The interval between two consecutive health checks. Unit: seconds.

Retry Integer 3

The maximum number of health check retries.

Policy String revoke_route

Indicates whether published routes are withdrawn when the health check fails.

  • revoke_route: Published routes were withdrawn when the health check failed.
  • reserve_route: Published routes were not withdrawn when the health check failed.
EnableDpd Boolean true

Indicates whether the DPD feature is enabled for the IPsec-VPN connection.

  • true
  • false
EnableNatTraversal Boolean true

Indicates whether NAT traversal is enabled for the IPsec-VPN connection.

  • true
  • false
VpnBgpConfig Object

The BGP configurations of the IPsec-VPN connection.

EnableBgp String true

Indicates whether BGP is enabled for the IPsec-VPN connection.

  • true
  • false
TunnelCidr String 169.254.11.0/30

The CIDR block of the IPsec tunnel.

LocalBgpIp String 169.254.11.1

The BGP IP address on the Alibaba Cloud side.

PeerBgpIp String 169.254.11.2

The BGP IP address on the data center side.

LocalAsn Long 45104

The ASN on the Alibaba Cloud side.

PeerAsn Long 65535

The ASN on the data center side.

Status String false

The negotiation status of BGP.

  • success
  • false
AttachType String CEN

The type of resource that is associated with the IPsec-VPN connection.

  • CEN: indicates that the IPsec-VPN connection is associated with a transit router.
  • VPNGW: indicates that the IPsec-VPN connection is associated with a VPN gateway.
  • NO_ASSOCIATED: indicates that the IPsec-VPN connection is not associated with a resource.
NetworkType String public

The network type of the IPsec-VPN connection.

  • public
  • private
AttachInstanceId String cen-c2r3m3zxkumoqz****

The ID of the Cloud Enterprise Network (CEN) instance to which the transit router associated with the IPsec-VPN connection belongs.

Spec String 1000M

The bandwidth specification of the IPsec-VPN connection.

M in the response indicates Mbit/s.

RequestId String 35822A84-867F-3936-A2E6-A4C4E3ED11C0

The request ID.

Examples

Sample requests

http(s)://[Endpoint]/?Action=ModifyVpnAttachmentAttribute
&RegionId=ap-southeast-2
&VpnConnectionId=vco-p0w5112fgnl2ihlmf****
&Name=nametest
&LocalSubnet=10.1.1.0/24,10.1.2.0/24
&RemoteSubnet=10.1.3.0/24,10.1.4.0/24
&EffectImmediately=false
&IkeConfig={"Psk":"1234****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"47.XX.XX.1","RemoteId":"47.XX.XX.2"}
&IpsecConfig={"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}
&BgpConfig={"EnableBgp":"true","LocalAsn":"45104","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}
&HealthCheckConfig={"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3","Policy": "revoke_route"}
&AutoConfigRoute=true
&EnableDpd=true
&EnableNatTraversal=true
&ClientToken=123e4567-e89b-12d3-a456-4266****
&NetworkType=public
&CustomerGatewayId=cgw-p0w2jemrcj5u61un8****
&Common request parameters
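The sample request omits the common request parameters and the signature that OpenAPI Explorer computes for you. The following added example, written for this page rather than taken from Alibaba Cloud's SDKs, builds the full GET URL for this operation using the RPC-style signature (sorted, percent-encoded parameters; StringToSign = GET&%2F&<encoded query>; Signature = Base64(HMAC-SHA1(AccessKeySecret + "&", StringToSign))) and adds a ClientToken so that a retried request is idempotent. The endpoint and API version constants are assumptions to confirm against the endpoint list for your region; the credentials are placeholders. Because the IkeConfig JSON, and with it the pre-shared key, travels in the query string, the example also shows a log-safe copy of the parameters with the Psk masked: never write the signed URL itself to a log.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse
import uuid
from datetime import datetime, timezone

# Assumptions for this example: confirm the endpoint and version for your region.
ENDPOINT = "https://vpc.aliyuncs.com"
API_VERSION = "2016-04-28"
SECRET_JSON_FIELDS = {"Psk"}  # JSON sub-fields that must never reach logs


def percent_encode(value):
    """RFC 3986 encoding as required by the RPC signature: only A-Z a-z 0-9 - _ . ~ unescaped."""
    return urllib.parse.quote(str(value), safe="-_.~")


def canonicalize(params):
    """Sorted key=value pairs, each side percent-encoded, joined with '&'."""
    return "&".join("%s=%s" % (percent_encode(k), percent_encode(v)) for k, v in sorted(params.items()))


def string_to_sign(method, params):
    """HTTPMethod & percentEncode('/') & percentEncode(canonicalized query string)."""
    return "%s&%s&%s" % (method, percent_encode("/"), percent_encode(canonicalize(params)))


def sign(method, params, access_key_secret):
    """Base64(HMAC-SHA1(AccessKeySecret + '&', StringToSign)); params must not contain Signature."""
    key = (access_key_secret + "&").encode("utf-8")
    digest = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_signed_url(action_params, access_key_id, access_key_secret,
                     timestamp=None, nonce=None, client_token=None):
    """Add the common request parameters, sign, and return the GET URL."""
    params = dict(action_params)
    params.setdefault("ClientToken", client_token or str(uuid.uuid4()))  # idempotence key
    params.update({
        "Format": "JSON",
        "Version": API_VERSION,
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    params["Signature"] = sign("GET", params, access_key_secret)  # computed before Signature is added
    return ENDPOINT + "/?" + canonicalize(params)


def redact_for_log(action_params):
    """Copy of the action parameters with secret JSON sub-fields masked, safe to log."""
    safe = {}
    for key, value in action_params.items():
        try:
            obj = json.loads(value)
        except (TypeError, ValueError):
            safe[key] = value
            continue
        if isinstance(obj, dict):
            for secret in SECRET_JSON_FIELDS & set(obj):
                obj[secret] = "***"
            safe[key] = json.dumps(obj, separators=(",", ":"))
        else:
            safe[key] = value
    return safe


if __name__ == "__main__":
    # Constructed input: the sample request from this page (subset of its parameters).
    request = {
        "Action": "ModifyVpnAttachmentAttribute",
        "RegionId": "ap-southeast-2",
        "VpnConnectionId": "vco-p0w5112fgnl2ihlmf****",
        "Name": "nametest",
        "LocalSubnet": "10.1.1.0/24,10.1.2.0/24",
        "RemoteSubnet": "10.1.3.0/24,10.1.4.0/24",
        "EffectImmediately": "false",
        "IkeConfig": json.dumps({"Psk": "1234****", "IkeVersion": "ikev1", "IkeMode": "main",
                                 "IkeEncAlg": "aes", "IkeAuthAlg": "sha1", "IkePfs": "group2",
                                 "IkeLifetime": 86400, "LocalId": "47.XX.XX.1",
                                 "RemoteId": "47.XX.XX.2"}, separators=(",", ":")),
    }
    url = build_signed_url(request, "LTAI****", "secret****")  # placeholder credentials
    print("log-safe parameters:", redact_for_log(request))
    print("string to sign:", string_to_sign("GET", request))
    print("request URL length:", len(url))  # the URL itself carries the Psk; do not print or log it
```

The signature is computed over the parameters before Signature is added and the URL is assembled from the same canonical form, so a mismatch between the two is the usual cause of a signature error; reusing a fixed ClientToken on retry lets the service recognise the repeated request rather than applying the modification twice.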

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<ModifyVpnAttachmentAttributeResponse>
    <VpnConnectionId>vco-p0w5112fgnl2ihlmf****</VpnConnectionId>
    <CustomerGatewayId>cgw-p0w2jemrcj5u61un8****</CustomerGatewayId>
    <Name>nametest</Name>
    <Description>desctest</Description>
    <LocalSubnet>10.1.1.0/24,10.1.2.0/24</LocalSubnet>
    <RemoteSubnet>10.1.3.0/24,10.1.4.0/24</RemoteSubnet>
    <IkeConfig>
        <Psk>1234***</Psk>
        <IkeVersion>ikev1</IkeVersion>
        <IkeMode>main</IkeMode>
        <IkeEncAlg>aes</IkeEncAlg>
        <IkeAuthAlg>sha1</IkeAuthAlg>
        <IkePfs>group2</IkePfs>
        <IkeLifetime>86400</IkeLifetime>
        <LocalId>47.XX.XX.1</LocalId>
        <RemoteId>47.XX.XX.2</RemoteId>
    </IkeConfig>
    <IpsecConfig>
        <IpsecEncAlg>aes</IpsecEncAlg>
        <IpsecAuthAlg>md5</IpsecAuthAlg>
        <IpsecPfs>group2</IpsecPfs>
        <IpsecLifetime>86400</IpsecLifetime>
    </IpsecConfig>
    <CreateTime>1658201810000</CreateTime>
    <EffectImmediately>false</EffectImmediately>
    <Status>ike_sa_not_established</Status>
    <VcoHealthCheck>
        <Enable>true</Enable>
        <Sip>10.1.1.1</Sip>
        <Dip>192.168.1.1</Dip>
        <Interval>3</Interval>
        <Retry>3</Retry>
        <Policy>revoke_route</Policy>
    </VcoHealthCheck>
    <EnableDpd>true</EnableDpd>
    <EnableNatTraversal>true</EnableNatTraversal>
    <VpnBgpConfig>
        <EnableBgp>true</EnableBgp>
        <TunnelCidr>169.254.11.0/30</TunnelCidr>
        <LocalBgpIp>169.254.11.1</LocalBgpIp>
        <PeerBgpIp>169.254.11.2</PeerBgpIp>
        <LocalAsn>45104</LocalAsn>
        <PeerAsn>65535</PeerAsn>
        <Status>false</Status>
    </VpnBgpConfig>
    <AttachType>CEN</AttachType>
    <NetworkType>public</NetworkType>
    <AttachInstanceId>cen-c2r3m3zxkumoqz****</AttachInstanceId>
    <Spec>1000M</Spec>
    <RequestId>35822A84-867F-3936-A2E6-A4C4E3ED11C0</RequestId>
</ModifyVpnAttachmentAttributeResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "VpnConnectionId" : "vco-p0w5112fgnl2ihlmf****",
  "CustomerGatewayId" : "cgw-p0w2jemrcj5u61un8****",
  "Name" : "nametest",
  "Description" : "desctest",
  "LocalSubnet" : "10.1.1.0/24,10.1.2.0/24",
  "RemoteSubnet" : "10.1.3.0/24,10.1.4.0/24",
  "IkeConfig" : {
    "Psk" : "1234***",
    "IkeVersion" : "ikev1",
    "IkeMode" : "main",
    "IkeEncAlg" : "aes",
    "IkeAuthAlg" : "sha1",
    "IkePfs" : "group2",
    "IkeLifetime" : 86400,
    "LocalId" : "47.XX.XX.1",
    "RemoteId" : "47.XX.XX.2"
  },
  "IpsecConfig" : {
    "IpsecEncAlg" : "aes",
    "IpsecAuthAlg" : "md5",
    "IpsecPfs" : "group2",
    "IpsecLifetime" : 86400
  },
  "CreateTime" : 1658201810000,
  "EffectImmediately" : false,
  "Status" : "ike_sa_not_established",
  "VcoHealthCheck" : {
    "Enable" : "true",
    "Sip" : "10.1.1.1",
    "Dip" : "192.168.1.1",
    "Interval" : 3,
    "Retry" : 3,
    "Policy" : "revoke_route"
  },
  "EnableDpd" : true,
  "EnableNatTraversal" : true,
  "VpnBgpConfig" : {
    "EnableBgp" : "true",
    "TunnelCidr" : "169.254.11.0/30",
    "LocalBgpIp" : "169.254.11.1",
    "PeerBgpIp" : "169.254.11.2",
    "LocalAsn" : 45104,
    "PeerAsn" : 65535,
    "Status" : "false"
  },
  "AttachType" : "CEN",
  "NetworkType" : "public",
  "AttachInstanceId" : "cen-c2r3m3zxkumoqz****",
  "Spec" : "1000M",
  "RequestId" : "35822A84-867F-3936-A2E6-A4C4E3ED11C0"
}

Error codes

HttpCode Error code Error message Description
400 VpnConnection.Configuring The specified service is configuring. The operation is not allowed when the specified service is being configured. Try again later.
400 VpnConnection.FinancialLocked The specified service is financial locked. The service is locked due to overdue payments.
400 InvalidName The name is not valid The format of the name is invalid.
400 VpnRouteEntry.AlreadyExists The specified route entry is already exist. The route already exists.
400 VpnRouteEntry.Conflict The specified route entry has conflict. The specified route conflicts with an existing route.
400 NotSupportVpnConnectionParameter.IpsecPfs The specified vpn connection ipsec Ipsec Pfs is not support. The specified Perfect Forward Secrecy (PFS) parameter set for the IPsec-VPN connection is not supported.
400 NotSupportVpnConnectionParameter.IpsecAuthAlg The specified vpn connection ipsec Auth Alg is not support. The authentication algorithm specified for the IPsec-VPN connection is not supported.
400 VpnRouteEntry.BackupRoute Validate backup route entry failed. Validation of the active/standby route entry failed.
400 VpnRouteEntry.InvalidWeight Invalid route entry weight value. The weight specified for the route is invalid.
400 MissingParameter.TunnelCidr The parameter TunnelCidr is mandatory when BGP is enabled. You must set the tunnel CIDR block when you enable BGP.
400 OperationUnsupported.EnableBgp Current region does not support enable BGP. The current region does not support BGP.
400 MissingParam.CustomerGatewayAsn Asn of customer gateway is mandatory when BGP is enabled. The ASN of the customer gateway cannot be empty when you enable BGP.
400 IllegalParam.LocalAsn The specified LocalAsn is invalid. The local ASN is invalid.
400 IllegalParam.BgpConfig The specified BgpConfig is invalid. The BGP configuration is invalid.
400 IllegalParam.TunnelCidr The specified TunnelCidr is invalid. TunnelCidr is set to an invalid value.
400 InvalidLocalBgpIp.Malformed The specified LocalBgpIp is malformed. The local BGP IP address is malformed.
400 IllegalParam.LocalBgpIp The specified LocalBgpIp is invalid. The local BGP IP address is invalid.
400 IllegalParam.LocalSubnet The specified "LocalSubnet" (%s) is invalid. LocalSubnet (%s) is set to an invalid value.
400 IllegalParam.RemoteSubnet The specified "RemoteSubnet" (%s) is invalid. RemoteSubnet (%s) is set to an invalid value.
400 CustomerGateway.ConflictRouteEntry The specified customer gateway has conflict with route entry. The customer gateway conflicts with the current routes.
400 IllegalParam.NetworkType The specified NetworkType (%s) is invalid. The network type is invalid.
400 InvalidTunnelCidr.Malformed The specified TunnelCidr is malformed. The specified tunnel CIDR block is invalid.
403 Forbbiden.SubUser User not authorized to operate on the specified resource as your account is created by another user. You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again.
403 Forbidden User not authorized to operate on the specified resource. You are unauthorized to perform this operation on the specified resource. Apply for the required permissions and try again.
404 InvalidVpnConnectionInstanceId.NotFound The specified vpn connection instance id does not exist. The specified IPsec-VPN connection does not exist. Check whether the ID of the IPsec-VPN connection is valid.

For a list of error codes, see Service error codes.