Modifies the configuration of an IPsec-VPN connection.
Usage notes
- ModifyVpnAttachmentAttribute is an asynchronous operation. After a request is sent, the system returns a request ID and runs the task in the background. You can call the DescribeVpnConnection operation to query the status of the task.
- If the IPsec-VPN connection is in the updating state, it indicates that the IPsec-VPN connection is being modified.
- If the IPsec-VPN connection is in the attached state, it indicates that the IPsec-VPN connection is modified.
- You cannot repeatedly call the ModifyVpnAttachmentAttribute operation within a specific period of time.
- When you call the ModifyVpnAttachmentAttribute operation, take note of the following items:
- If the IPsec-VPN connection is associated with a transit router, you cannot change the type of the gateway connected to the IPsec-VPN connection.
- If the IPsec-VPN connection is not associated with a resource, you cannot change the type of the gateway connected to the IPsec-VPN connection or the customer gateway connected to the IPsec-VPN connection.
Debugging
Request parameters
Parameter | Type | Required | Example | Description |
---|---|---|---|---|
Action | String | Yes | ModifyVpnAttachmentAttribute | The operation that you want to perform. Set the value to ModifyVpnAttachmentAttribute. |
RegionId | String | Yes | ap-southeast-2 | The ID of the region where the IPsec-VPN connection is established. You can call the DescribeRegions operation to query the most recent list of regions. |
VpnConnectionId | String | Yes | vco-p0w5112fgnl2ihlmf**** | The ID of the IPsec-VPN connection. |
Name | String | No | nametest | The name of the IPsec-VPN connection. The name must be 1 to 100 characters in length and cannot start with |
LocalSubnet | String | No | 10.1.1.0/24,10.1.2.0/24 | The CIDR block on the virtual private cloud (VPC) side. The CIDR block is used in Phase 2 negotiations. Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24. The following routing modes are supported:
|
RemoteSubnet | String | No | 10.1.3.0/24,10.1.4.0/24 | The CIDR block on the data center side. This CIDR block is used in Phase 2 negotiations. Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24. The following routing modes are supported:
|
EffectImmediately | Boolean | No | false | Specifies whether to immediately start IPsec negotiations after the configuration takes effect. Valid values:
|
IkeConfig | String | No | {"Psk":"1234****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"47.XX.XX.1","RemoteId":"47.XX.XX.2"} | The configuration of Phase 1 negotiations:
|
IpsecConfig | String | No | {"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400} | The configurations of Phase 2 negotiations:
|
BgpConfig | String | No | {"EnableBgp":"true","LocalAsn":"45104","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"} | The Border Gateway Protocol (BGP) configurations:
Note
|
HealthCheckConfig | String | No | {"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3","Policy": "revoke_route"} | The health check configurations:
|
AutoConfigRoute | Boolean | No | true | Specifies whether to automatically configure routes. Valid values:
|
EnableDpd | Boolean | No | true | Specifies whether to enable the dead peer detection (DPD) feature. Valid values:
|
EnableNatTraversal | Boolean | No | true | Specifies whether to enable NAT traversal. Valid values:
|
RemoteCaCert | String | No | c20ycDI1NnYxIENBIChURVNUIFN**** | The peer CA certificate when a ShangMi (SM) VPN gateway is used to create the IPsec-VPN connection. |
ClientToken | String | No | 123e4567-e89b-12d3-a456-4266**** | The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests. The token can contain only ASCII characters. Note If you do not specify this parameter, the system automatically uses the request ID as the client token. The request ID may be different for each request. |
NetworkType | String | No | public | The network type of the IPsec-VPN connection. Valid values:
|
CustomerGatewayId | String | No | cgw-p0w2jemrcj5u61un8**** | The customer gateway associated with the IPsec-VPN connection. |
Response parameters
Parameter | Type | Example | Description |
---|---|---|---|
VpnConnectionId | String | vco-p0w5112fgnl2ihlmf**** | The ID of the IPsec-VPN connection. |
CustomerGatewayId | String | cgw-p0w2jemrcj5u61un8**** | The ID of the customer gateway associated with the IPsec-VPN connection. |
VpnGatewayId | String | vpn-p0wa1c1018pmeb6cu**** | The ID of the VPN gateway associated with the IPsec-VPN connection. |
Name | String | nametest | The name of the IPsec-VPN connection. |
Description | String | desctest | The description of the IPsec-VPN connection. |
LocalSubnet | String | 10.1.1.0/24,10.1.2.0/24 | The CIDR block on the VPC side. |
RemoteSubnet | String | 10.1.3.0/24,10.1.4.0/24 | The CIDR block on the data center side. |
IkeConfig | Object | The configurations of Phase 1 negotiations. |
|
Psk | String | 1234*** | The pre-shared key that was used for identity authentication between the VPN gateway and the data center. Note The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway. |
IkeVersion | String | ikev1 | The version of the IKE protocol. |
IkeMode | String | main | The negotiation mode. |
IkeEncAlg | String | aes | The encryption algorithm that was used in Phase 1 negotiations. |
IkeAuthAlg | String | sha1 | The authentication algorithm that was used in Phase 1 negotiations. |
IkePfs | String | group2 | The Diffie-Hellman key exchange algorithm that was used in Phase 1 negotiations. |
IkeLifetime | Long | 86400 | The SA lifetime that was determined by Phase 1 negotiations. Unit: seconds. |
LocalId | String | 47.XX.XX.1 | The identifier on the Alibaba Cloud side. |
RemoteId | String | 47.XX.XX.2 | The identifier on the data center side. |
IpsecConfig | Object | The configurations of Phase 2 negotiations. |
|
IpsecEncAlg | String | aes | The encryption algorithm that was used in Phase 2 negotiations. |
IpsecAuthAlg | String | md5 | The authentication algorithm that was used in Phase 2 negotiations. |
IpsecPfs | String | group2 | The Diffie-Hellman key exchange algorithm that was used in Phase 2 negotiations. |
IpsecLifetime | Long | 86400 | The SA lifetime that was determined by Phase 2 negotiations. Unit: seconds. |
CreateTime | Long | 1658201810000 | The timestamp generated when the IPsec-VPN connection was established. Unit: milliseconds. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. |
EffectImmediately | Boolean | false | Indicates whether IPsec negotiations immediately start. Valid values:
|
Status | String | ike_sa_not_established | The status of the IPsec-VPN connection. Valid values:
|
VcoHealthCheck | Object | The health check configurations of the IPsec-VPN connection. |
|
Enable | String | true | Indicates whether the health check feature is enabled for the IPsec-VPN connection.
|
Sip | String | 10.1.1.1 | The source IP address that was used for health checks. |
Dip | String | 192.168.1.1 | The destination IP address that was used for health checks. |
Interval | Integer | 3 | The interval between two consecutive health check retries. Unit: seconds. |
Retry | Integer | 3 | The maximum number of health check retries. |
Policy | String | revoke_route | Indicates whether published routes are withdrawn when the health check fails.
|
EnableDpd | Boolean | true | Indicates whether the DPD feature is enabled for the IPsec-VPN connection.
|
EnableNatTraversal | Boolean | true | Indicates whether NAT traversal is enabled for the IPsec-VPN connection.
|
VpnBgpConfig | Object | The BGP configurations of the IPsec-VPN connection. |
|
EnableBgp | String | true | Indicates whether BGP is enabled for the IPsec-VPN connection.
|
TunnelCidr | String | 169.254.11.0/30 | The CIDR block of the IPsec tunnel. |
LocalBgpIp | String | 169.254.11.1 | The BGP IP address on the Alibaba Cloud side. |
PeerBgpIp | String | 169.254.11.2 | The BGP IP address on the data center side. |
LocalAsn | Long | 45104 | The ASN on the Alibaba Cloud side. |
PeerAsn | Long | 65535 | The ASN on the data center side. |
Status | String | false | The negotiation status of BGP.
|
AttachType | String | CEN | The type of resource that is associated with the IPsec-VPN connection.
|
NetworkType | String | public | The network type of the IPsec-VPN connection.
|
AttachInstanceId | String | cen-c2r3m3zxkumoqz**** | The ID of the Cloud Enterprise Network (CEN) instance to which the transit router associated with the IPsec-VPN connection belongs. |
Spec | String | 1000M | The bandwidth specification of the IPsec-VPN connection. M in the response indicates Mbit/s. |
RequestId | String | 35822A84-867F-3936-A2E6-A4C4E3ED11C0 | The request ID. |
Examples
Sample requests
http(s)://[Endpoint]/?Action=ModifyVpnAttachmentAttribute
&RegionId=ap-southeast-2
&VpnConnectionId=vco-p0w5112fgnl2ihlmf****
&Name=nametest
&LocalSubnet=10.1.1.0/24,10.1.2.0/24
&RemoteSubnet=10.1.3.0/24,10.1.4.0/24
&EffectImmediately=false
&IkeConfig={"Psk":"1234****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"47.XX.XX.1","RemoteId":"47.XX.XX.2"}
&IpsecConfig={"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}
&BgpConfig={"EnableBgp":"true","LocalAsn":"45104","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}
&HealthCheckConfig={"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3","Policy": "revoke_route"}
&AutoConfigRoute=true
&EnableDpd=true
&EnableNatTraversal=true
&ClientToken=123e4567-e89b-12d3-a456-4266****
&NetworkType=public
&CustomerGatewayId=cgw-p0w2jemrcj5u61un8****
&Common request parameters
Sample success responses
XML
format
HTTP/1.1 200 OK
Content-Type:application/xml
<ModifyVpnAttachmentAttributeResponse>
<VpnConnectionId>vco-p0w5112fgnl2ihlmf****</VpnConnectionId>
<CustomerGatewayId>cgw-p0w2jemrcj5u61un8****</CustomerGatewayId>
<Name>nametest</Name>
<Description>desctest</Description>
<LocalSubnet>10.1.1.0/24,10.1.2.0/24</LocalSubnet>
<RemoteSubnet>10.1.3.0/24,10.1.4.0/24</RemoteSubnet>
<IkeConfig>
<Psk>1234***</Psk>
<IkeVersion>ikev1</IkeVersion>
<IkeMode>main</IkeMode>
<IkeEncAlg>aes</IkeEncAlg>
<IkeAuthAlg>sha1</IkeAuthAlg>
<IkePfs>group2</IkePfs>
<IkeLifetime>86400</IkeLifetime>
<LocalId>47.XX.XX.1</LocalId>
<RemoteId>47.XX.XX.2</RemoteId>
</IkeConfig>
<IpsecConfig>
<IpsecEncAlg>aes</IpsecEncAlg>
<IpsecAuthAlg>md5</IpsecAuthAlg>
<IpsecPfs>group2</IpsecPfs>
<IpsecLifetime>86400</IpsecLifetime>
</IpsecConfig>
<CreateTime>1658201810000</CreateTime>
<EffectImmediately>false</EffectImmediately>
<Status>ike_sa_not_established</Status>
<VcoHealthCheck>
<Enable>true</Enable>
<Sip>10.1.1.1</Sip>
<Dip>192.168.1.1</Dip>
<Interval>3</Interval>
<Retry>3</Retry>
<Policy>revoke_route</Policy>
</VcoHealthCheck>
<EnableDpd>true</EnableDpd>
<EnableNatTraversal>true</EnableNatTraversal>
<VpnBgpConfig>
<EnableBgp>true</EnableBgp>
<TunnelCidr>169.254.11.0/30</TunnelCidr>
<LocalBgpIp>169.254.11.1</LocalBgpIp>
<PeerBgpIp>169.254.11.2</PeerBgpIp>
<LocalAsn>45104</LocalAsn>
<PeerAsn>65535</PeerAsn>
<Status>false</Status>
</VpnBgpConfig>
<AttachType>CEN</AttachType>
<NetworkType>public</NetworkType>
<AttachInstanceId>cen-c2r3m3zxkumoqz****</AttachInstanceId>
<Spec>1000M</Spec>
<RequestId>35822A84-867F-3936-A2E6-A4C4E3ED11C0</RequestId>
</ModifyVpnAttachmentAttributeResponse>
JSON
format
HTTP/1.1 200 OK
Content-Type:application/json
{
"VpnConnectionId" : "vco-p0w5112fgnl2ihlmf****",
"CustomerGatewayId" : "cgw-p0w2jemrcj5u61un8****",
"Name" : "nametest",
"Description" : "desctest",
"LocalSubnet" : "10.1.1.0/24,10.1.2.0/24",
"RemoteSubnet" : "10.1.3.0/24,10.1.4.0/24",
"IkeConfig" : {
"Psk" : "1234***",
"IkeVersion" : "ikev1",
"IkeMode" : "main",
"IkeEncAlg" : "aes",
"IkeAuthAlg" : "sha1",
"IkePfs" : "group2",
"IkeLifetime" : 86400,
"LocalId" : "47.XX.XX.1",
"RemoteId" : "47.XX.XX.2"
},
"IpsecConfig" : {
"IpsecEncAlg" : "aes",
"IpsecAuthAlg" : "md5",
"IpsecPfs" : "group2",
"IpsecLifetime" : 86400
},
"CreateTime" : 1658201810000,
"EffectImmediately" : false,
"Status" : "ike_sa_not_established",
"VcoHealthCheck" : {
"Enable" : "true",
"Sip" : "10.1.1.1",
"Dip" : "192.168.1.1",
"Interval" : 3,
"Retry" : 3,
"Policy" : "revoke_route"
},
"EnableDpd" : true,
"EnableNatTraversal" : true,
"VpnBgpConfig" : {
"EnableBgp" : "true",
"TunnelCidr" : "169.254.11.0/30",
"LocalBgpIp" : "169.254.11.1",
"PeerBgpIp" : "169.254.11.2",
"LocalAsn" : 45104,
"PeerAsn" : 65535,
"Status" : "false"
},
"AttachType" : "CEN",
"NetworkType" : "public",
"AttachInstanceId" : "cen-c2r3m3zxkumoqz****",
"Spec" : "1000M",
"RequestId" : "35822A84-867F-3936-A2E6-A4C4E3ED11C0"
}
Error codes
HttpCode | Error code | Error message | Description |
---|---|---|---|
400 | VpnConnection.Configuring | The specified service is configuring. | The operation is not allowed when the specified service is being configured. Try again later. |
400 | VpnConnection.FinancialLocked | The specified service is financial locked. | The service is locked due to overdue payments. |
400 | InvalidName | The name is not valid | The format of the name is invalid. |
400 | VpnRouteEntry.AlreadyExists | The specified route entry is already exist. | The route already exists. |
400 | VpnRouteEntry.Conflict | The specified route entry has conflict. | The specified route conflicts with an existing route. |
400 | NotSupportVpnConnectionParameter.IpsecPfs | The specified vpn connection ipsec Ipsec Pfs is not support. | The specified Perfect Forward Secrecy (PFS) parameter set for the IPsec-VPN connection is not supported. |
400 | NotSupportVpnConnectionParameter.IpsecAuthAlg | The specified vpn connection ipsec Auth Alg is not support. | The authentication algorithm specified for the IPsec-VPN connection is not supported. |
400 | VpnRouteEntry.BackupRoute | Validate backup route entry failed. | Active/standby routes failed authentication. |
400 | VpnRouteEntry.InvalidWeight | Invalid route entry weight value. | The weight specified for the route is invalid. |
400 | MissingParameter.TunnelCidr | The parameter TunnelCidr is mandatory when BGP is enabled. | You must set the tunnel CIDR block when you enable BGP. |
400 | OperationUnsupported.EnableBgp | Current region does not support enable BGP. | The current region does not support BGP. |
400 | MissingParam.CustomerGatewayAsn | Asn of customer gateway is mandatory when BGP is enabled. | The ASN of the customer gateway cannot be empty when you enable BGP. |
400 | IllegalParam.LocalAsn | The specified LocalAsn is invalid. | The local ASN is invalid. |
400 | IllegalParam.BgpConfig | The specified BgpConfig is invalid. | The BGP configuration is invalid. |
400 | IllegalParam.TunnelCidr | The specified TunnelCidr is invalid. | TunnelCidr is set to an invalid value. |
400 | InvalidLocalBgpIp.Malformed | The specified LocalBgpIp is malformed. | The local BGP IP address is in an abnormal state. |
400 | IllegalParam.LocalBgpIp | The specified LocalBgpIp is invalid. | The local BGP IP address is invalid. |
400 | IllegalParam.LocalSubnet | The specified "LocalSubnet" (%s) is invalid. | LocalSubnet (%s) is set to an invalid value. |
400 | IllegalParam.RemoteSubnet | The specified "RemoteSubnet" (%s) is invalid. | RemoteSubnet (%s) is set to an invalid value. |
400 | CustomerGateway.ConflictRouteEntry | The specified customer gateway has conflict with route entry. | The customer gateway conflicts with the current routes. |
400 | IllegalParam.NetworkType | The specified NetworkType (%s) is invalid. | The network type is invalid. |
400 | InvalidTunnelCidr.Malformed | The specified TunnelCidr is malformed. | The specified tunnel CIDR block is invalid. |
403 | Forbbiden.SubUser | User not authorized to operate on the specified resource as your account is created by another user. | You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again. |
403 | Forbidden | User not authorized to operate on the specified resource. | You are unauthorized to perform this operation on the specified resource. Apply for the required permissions and try again. |
404 | InvalidVpnConnectionInstanceId.NotFound | The specified vpn connection instance id does not exist. | The specified IPsec-VPN connection does not exist. Check whether the ID of the IPsec-VPN connection is valid. |
For a list of error codes, see Service error codes.