ALIYUN::VPC::VpnAttachment is used to create an IPsec-VPN connection. After you create the IPsec-VPN connection, you can associate the IPsec-VPN connection with a transit router.
Syntax
{
"Type": "ALIYUN::VPC::VpnAttachment",
"Properties": {
"LocalSubnet": String,
"CustomerGatewayId": String,
"AutoConfigRoute": Boolean,
"Name": String,
"EffectImmediately": Boolean,
"BgpConfig": Map,
"RemoteSubnet": String,
"RemoteCaCert": String,
"IpsecConfig": Map,
"NetworkType": String,
"HealthCheckConfig": Map,
"EnableNatTraversal": Boolean,
"IkeConfig": Map,
"EnableDpd": Boolean,
"EnableTunnelsBgp": Boolean,
"TunnelOptionsSpecification": List,
"ResourceGroupId": String,
"TunnelBandwidth": String
}
}
Properties
| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| LocalSubnet | String | Yes | Yes | The CIDR blocks on the virtual private cloud (VPC) side. The CIDR blocks are used in Phase 2 negotiations. | Separate multiple CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24. The following routing modes are supported for the IPsec-VPN connection: Example: 10.1.1.0/24,10.1.2.0/24. |
| CustomerGatewayId | String | No | No | The ID of the customer gateway. | None. |
| AutoConfigRoute | Boolean | No | Yes | Specifies whether to automatically configure routes. | Valid values: |
| Name | String | No | Yes | The name of the IPsec-VPN connection. | None. |
| EffectImmediately | Boolean | No | Yes | Specifies whether the configurations of the IPsec-VPN connection immediately take effect. | Valid values: |
| BgpConfig | Map | No | Yes | The Border Gateway Protocol (BGP) configurations. | For more information, see BgpConfig properties. Note: Before you add BGP configurations, we recommend that you familiarize yourself with the work mechanism and the limits of BGP dynamic routing. For more information, see Configure routes. We recommend that you use a private autonomous system number (ASN) to establish BGP connections to Alibaba Cloud. For more information about the range of private ASNs, see the relevant documentation. Example: |
| RemoteSubnet | String | Yes | Yes | The CIDR blocks on the data center side. The CIDR blocks are used in Phase 2 negotiations. | Separate multiple CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24. The following routing modes are supported for the IPsec-VPN connection: Example: 10.1.3.0/24,10.1.4.0/24. |
| RemoteCaCert | String | No | No | The peer CA certificate when a ShangMi (SM) VPN gateway is used to create the IPsec-VPN connection. | Example: |
| IpsecConfig | Map | No | Yes | The configurations of Phase 2 negotiations. | For more information, see IpsecConfig properties. Example: |
| EnableTunnelsBgp | Boolean | No | No | Specifies whether to enable BGP for the tunnels. This property applies when you create an IPsec-VPN connection in dual-tunnel mode. | None. |
| TunnelOptionsSpecification | List | No | No | A list of tunnel configurations. | For more information, see TunnelOptionsSpecification properties. |
| ResourceGroupId | String | No | No | The ID of the resource group. | None. |
| TunnelBandwidth | String | No | No | The bandwidth specification for a single tunnel. | Valid values: |
| NetworkType | String | No | No | The network type of the IPsec-VPN connection. | Valid values: |
| HealthCheckConfig | Map | No | Yes | The health check configurations. | For more information, see HealthCheckConfig properties. Example: |
| EnableNatTraversal | Boolean | No | Yes | Specifies whether to enable the NAT traversal feature. | Valid values: |
| IkeConfig | Map | No | Yes | The configurations of Phase 1 negotiations. | For more information, see IkeConfig properties. |
| EnableDpd | Boolean | No | Yes | Specifies whether to enable the dead peer detection (DPD) feature. | Valid values: |
BgpConfig syntax
"BgpConfig": {
"EnableBgp": Boolean,
"LocalAsn": Number,
"TunnelCidr": String,
"LocalBgpIp": String
}
BgpConfig properties
| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| EnableBgp | Boolean | No | No | Specifies whether to enable the BGP feature. | Valid values: |
| LocalAsn | Number | No | Yes | The ASN on the Alibaba Cloud side. | Valid values: 1 to 4294967295. Default value: 45104. |
| TunnelCidr | String | No | Yes | The CIDR block of the IPsec-VPN tunnel. | The CIDR block must belong to 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length. |
| LocalBgpIp | String | No | Yes | The BGP IP address on the Alibaba Cloud side. | The IP address must fall within the CIDR block range of the IPsec-VPN tunnel. |
IpsecConfig syntax
"IpsecConfig": {
"IpsecPfs": String,
"IpsecEncAlg": String,
"IpsecAuthAlg": String,
"IpsecLifetime": Integer
}
IpsecConfig properties
| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| IpsecPfs | String | No | Yes | The Diffie-Hellman (DH) key exchange algorithm that is used in Phase 2 negotiations. | Valid values: |
| IpsecEncAlg | String | No | Yes | The encryption algorithm that is used in Phase 2 negotiations. | Valid values: |
| IpsecAuthAlg | String | No | Yes | The authentication algorithm that is used in Phase 2 negotiations. | Valid values: |
| IpsecLifetime | Integer | No | Yes | The SA lifetime that is determined by Phase 2 negotiations. | Unit: seconds. Valid values: 0 to 86400. Default value: 86400. |
TunnelOptionsSpecification syntax
"TunnelOptionsSpecification": [
{
"TunnelIndex": Integer,
"TunnelBgpConfig": Map,
"TunnelIkeConfig": Map,
"EnableNatTraversal": Boolean,
"TunnelIpsecConfig": Map,
"CustomerGatewayId": String,
"EnableDpd": Boolean
}
]
TunnelOptionsSpecification parameters
| Parameter | Type | Required | Update allowed | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| TunnelIndex | Integer | No | No | The index of the tunnel. | Valid values: |
| TunnelBgpConfig | Map | No | No | The BGP configuration for the tunnel. | For more information, see TunnelBgpConfig properties. Note: This parameter is required when you enable BGP for the IPsec connection (that is, when you set the EnableTunnelsBgp parameter to true). |
| TunnelIkeConfig | Map | No | No | The Phase 1 negotiation configuration. | For more information, see TunnelIkeConfig properties. |
| EnableNatTraversal | Boolean | No | No | Specifies whether to enable NAT traversal for the tunnel. This parameter applies when you create an IPsec connection in single-tunnel mode. | Valid values: |
| TunnelIpsecConfig | Map | No | No | The Phase 2 negotiation configuration. | For more information, see TunnelIpsecConfig properties. |
| CustomerGatewayId | String | No | No | The ID of the customer gateway. | Note: This parameter is required only when you create an IPsec connection in single-tunnel mode. |
| EnableDpd | Boolean | No | No | Specifies whether to enable dead peer detection (DPD) for the tunnel. This parameter applies when you create an IPsec connection in single-tunnel mode. | Valid values: |
TunnelIkeConfig syntax
"TunnelIkeConfig": {
"IkeVersion": String,
"RemoteId": String,
"IkeEncAlg": String,
"IkeLifetime": Integer,
"IkeMode": String,
"Psk": String,
"IkeAuthAlg": String,
"IkePfs": String,
"LocalId": String
}
TunnelIkeConfig properties
| Parameter | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| IkeVersion | String | No | No | The version of the IKE protocol. | Valid values: ikev1 and ikev2. Default value: ikev2. Compared with IKEv1, IKEv2 simplifies SA negotiation and provides better support for scenarios with multiple CIDR blocks. |
| RemoteId | String | No | No | The identifier of the remote peer. | Used in Phase 1 negotiation. The value can be up to 100 characters in length and cannot contain spaces. The default value is the IP address of the customer gateway associated with the tunnel. RemoteId supports the FQDN format. If you use the FQDN format, set the negotiation mode to aggressive. |
| IkeEncAlg | String | No | No | The encryption algorithm for Phase 1 negotiation. | Valid values: aes, aes192, aes256, des, and 3des. Default value: aes. |
| IkeLifetime | Integer | No | No | The Phase 1 security association (SA) lifetime. | Unit: seconds. Valid values: 0 to 86400. Default value: 86400. |
| IkeMode | String | No | No | The IKE negotiation mode. | Valid values: |
| Psk | String | No | No | The pre-shared key. | Used for authentication between the tunnel and its remote peer. Note: The tunnel and its remote peer must use the same pre-shared key. Otherwise, a connection cannot be established. |
| IkeAuthAlg | String | No | No | The authentication algorithm for Phase 1 negotiation. | Valid values: md5, sha1, sha256, sha384, and sha512. Default value: sha1. |
| IkePfs | String | No | No | The Diffie-Hellman key exchange algorithm for Phase 1 negotiation. | Default value: group2. |
| LocalId | String | No | No | The identifier of the local end of the tunnel (the Alibaba Cloud side). | Used in Phase 1 negotiation. The value can be up to 100 characters in length and cannot contain spaces. The default value is the IP address of the tunnel. LocalId supports the FQDN format. If you use the FQDN format, set the negotiation mode to aggressive. |
TunnelBgpConfig syntax
"TunnelBgpConfig": {
"LocalAsn": Integer,
"LocalBgpIp": String,
"TunnelCidr": String
}
TunnelBgpConfig properties
| Parameter | Type | Required | Update allowed | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| LocalAsn | Integer | No | No | The autonomous system number (ASN) for the Alibaba Cloud side of the tunnel. | Valid values: 1 to 4294967295. Default: 45104. Note: Use a private autonomous system number to establish the BGP connection. For the private ASN range, refer to the relevant documentation. |
| LocalBgpIp | String | No | No | The BGP address for the Alibaba Cloud side of the tunnel. | The address must be an IP address within the BGP CIDR block. |
| TunnelCidr | String | No | No | The tunnel CIDR block. | The CIDR block must have a prefix length of 30 and be within the 169.254.0.0/16 range, and cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30. Note: The two tunnels of an IPsec connection must use different tunnel CIDR blocks. |
TunnelIpsecConfig syntax
"TunnelIpsecConfig": {
"IpsecAuthAlg": String,
"IpsecLifetime": Integer,
"IpsecEncAlg": String,
"IpsecPfs": String
}
TunnelIpsecConfig properties
| Parameter | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| IpsecAuthAlg | String | No | No | The authentication algorithm for Phase 2 negotiation. | Valid values: md5, sha1, sha256, sha384, or sha512. Default: sha1. |
| IpsecLifetime | Integer | No | No | The lifetime of the security association (SA) for Phase 2 negotiation. | Unit: seconds. Range: 0 to 86400. Default: 86400. |
| IpsecEncAlg | String | No | No | The encryption algorithm for Phase 2 negotiation. | Valid values: aes, aes192, aes256, des, or 3des. Default: aes. |
| IpsecPfs | String | No | No | The Diffie-Hellman key exchange algorithm for Phase 2 negotiation. | Default: group2. Valid values: disabled, group1, group2, group5, or group14. |
HealthCheckConfig syntax
"HealthCheckConfig": {
"Policy": String,
"Enable": Boolean,
"Dip": String,
"Retry": Integer,
"Sip": String,
"Interval": Integer
}
HealthCheckConfig properties
| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| Policy | String | No | Yes | Specifies whether to withdraw published routes when the health check fails. | Valid values: |
| Enable | Boolean | No | Yes | Specifies whether to enable the health check feature. | Valid values: |
| Dip | String | No | Yes | The destination IP address that is used for health checks. | Specify the IP address on the data center side with which the VPC can communicate based on the IPsec-VPN connection. |
| Retry | Integer | No | Yes | The maximum number of health check retries. | Default value: 3. |
| Sip | String | No | Yes | The source IP address that is used for health checks. | Specify the IP address on the VPC side with which the data center can communicate based on the IPsec-VPN connection. |
| Interval | Integer | No | Yes | The interval between two consecutive health check retries. | Unit: seconds. Default value: 3. |
IkeConfig syntax
"IkeConfig": {
"IkeAuthAlg": String,
"LocalId": String,
"IkeEncAlg": String,
"IkeVersion": String,
"IkeMode": String,
"IkeLifetime": Integer,
"RemoteId": String,
"Psk": String,
"IkePfs": String
}
IkeConfig properties
| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| IkeAuthAlg | String | No | Yes | The authentication algorithm that is used in Phase 1 negotiations. | Valid values: |
| LocalId | String | No | Yes | The identifier of the IPsec-VPN connection on the Alibaba Cloud side. | The identifier can be up to 100 characters in length. This property is empty by default. |
| IkeEncAlg | String | No | Yes | The encryption algorithm that is used in Phase 1 negotiations. | Valid values: |
| IkeVersion | String | No | Yes | The version of the IKE protocol. | Valid values: |
| IkeMode | String | No | Yes | The negotiation mode. | Valid values: |
| IkeLifetime | Integer | No | Yes | The SA lifetime that is determined by Phase 1 negotiations. | Unit: seconds. Valid values: 0 to 86400. Default value: 86400. |
| RemoteId | String | No | Yes | The identifier of the IPsec-VPN connection on the data center side. | The identifier can be up to 100 characters in length. The default value is the IP address of the customer gateway. |
| Psk | String | No | Yes | The pre-shared key that is used for identity authentication between the VPN gateway and the data center. | The following limits apply: Note: The pre-shared key of the IPsec-VPN connection must be the same as the authentication key of the data center. Otherwise, you cannot establish a connection between the data center and the VPN gateway. |
| IkePfs | String | No | Yes | The DH key exchange algorithm that is used in Phase 1 negotiations. | Valid values: |
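A pre-deployment check that encodes the constraints stated in the TunnelBgpConfig, TunnelIkeConfig and IkeConfig tables above, as an added example that is not part of this reference or of Alibaba Cloud's own tooling. It assumes the resource is handed over as a plain dict in the shape shown under Syntax, and the sample resource, its identifiers and ASN are constructed for the example; the legacy algorithm findings (des, 3des, md5, sha1) are this example's own policy, since the page still allows those values.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Blocks the TunnelBgpConfig table says cannot be used as TunnelCidr.
RESERVED_TUNNEL_CIDRS = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.6.0/30", "169.254.169.252/30")}
WEAK_ENC = {"des", "3des"}    # still accepted by the resource; flagged, not rejected
WEAK_AUTH = {"md5", "sha1"}
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _is_fqdn_id(value):
    """A non-empty LocalId/RemoteId that is not an IPv4 literal is taken as FQDN form."""
    return bool(value) and not _IPV4.match(value)


def check_tunnel_bgp(cfg, where):
    """Apply the TunnelBgpConfig/BgpConfig constraints; return a list of findings."""
    findings = []
    asn = cfg.get("LocalAsn")
    if asn is not None and not 1 <= int(asn) <= 4294967295:
        findings.append(f"{where}: LocalAsn {asn} outside 1..4294967295")
    cidr_s = cfg.get("TunnelCidr")
    if not cidr_s:
        return findings
    try:
        cidr = ipaddress.ip_network(cidr_s, strict=True)  # host bits set is also an error
    except ValueError:
        return findings + [f"{where}: TunnelCidr {cidr_s!r} is not a valid network"]
    if cidr.prefixlen != 30 or not cidr.subnet_of(LINK_LOCAL):
        findings.append(f"{where}: TunnelCidr {cidr} must be a /30 inside {LINK_LOCAL}")
    if cidr in RESERVED_TUNNEL_CIDRS:
        findings.append(f"{where}: TunnelCidr {cidr} is a reserved block")
    bgp_ip = cfg.get("LocalBgpIp")
    if bgp_ip and ipaddress.ip_address(bgp_ip) not in cidr:
        findings.append(f"{where}: LocalBgpIp {bgp_ip} is not inside TunnelCidr {cidr}")
    return findings


def check_ike(cfg, where):
    """Apply the TunnelIkeConfig/IkeConfig constraints; return a list of findings."""
    findings = []
    mode = cfg.get("IkeMode", "main")
    for key in ("LocalId", "RemoteId"):  # FQDN identifiers require aggressive mode
        if _is_fqdn_id(cfg.get(key, "")) and mode != "aggressive":
            findings.append(f"{where}: {key} is an FQDN but IkeMode is {mode!r}, not 'aggressive'")
    lifetime = cfg.get("IkeLifetime")
    if lifetime is not None and not 0 <= int(lifetime) <= 86400:
        findings.append(f"{where}: IkeLifetime {lifetime} outside 0..86400")
    if cfg.get("IkeEncAlg") in WEAK_ENC:
        findings.append(f"{where}: IkeEncAlg {cfg['IkeEncAlg']} is a legacy cipher")
    if cfg.get("IkeAuthAlg") in WEAK_AUTH:
        findings.append(f"{where}: IkeAuthAlg {cfg['IkeAuthAlg']} is a legacy hash")
    return findings


def lint_vpn_attachment(resource):
    """Lint one resource dict as it appears under Resources in a ROS template."""
    if resource.get("Type") != "ALIYUN::VPC::VpnAttachment":
        return [f"unexpected resource type {resource.get('Type')!r}"]
    props = resource.get("Properties", {})
    findings = []
    if "BgpConfig" in props:
        findings += check_tunnel_bgp(props["BgpConfig"], "BgpConfig")
    if "IkeConfig" in props:
        findings += check_ike(props["IkeConfig"], "IkeConfig")
    tunnels = props.get("TunnelOptionsSpecification", [])
    seen = {}  # TunnelCidr -> TunnelIndex; the two tunnels must not share a block
    for tunnel in tunnels:
        idx = tunnel.get("TunnelIndex", "?")
        bgp = tunnel.get("TunnelBgpConfig", {})
        findings += check_tunnel_bgp(bgp, f"Tunnel{idx}.TunnelBgpConfig")
        cidr = bgp.get("TunnelCidr")
        if cidr in seen:
            findings.append(f"Tunnel{idx}: TunnelCidr {cidr} reused by Tunnel{seen[cidr]}")
        elif cidr:
            seen[cidr] = idx
        findings += check_ike(tunnel.get("TunnelIkeConfig", {}), f"Tunnel{idx}.TunnelIkeConfig")
    if props.get("EnableTunnelsBgp") and not all("TunnelBgpConfig" in t for t in tunnels):
        findings.append("EnableTunnelsBgp is true but a tunnel has no TunnelBgpConfig")
    return findings


# Constructed sample: a dual-tunnel resource with deliberate mistakes (not from the page).
SAMPLE_RESOURCE = {"Type": "ALIYUN::VPC::VpnAttachment", "Properties": {
    "EnableTunnelsBgp": True,
    "TunnelOptionsSpecification": [
        {"TunnelIndex": 1,
         "TunnelBgpConfig": {"LocalAsn": 65000, "TunnelCidr": "169.254.10.0/30",
                             "LocalBgpIp": "169.254.10.1"},
         "TunnelIkeConfig": {"IkeMode": "main", "LocalId": "vpn.example.com",
                             "IkeEncAlg": "aes256", "IkeAuthAlg": "sha256"}},
        {"TunnelIndex": 2,
         "TunnelBgpConfig": {"LocalAsn": 65000, "TunnelCidr": "169.254.10.0/30",
                             "LocalBgpIp": "169.254.11.1"},
         "TunnelIkeConfig": {"IkeMode": "aggressive", "IkeEncAlg": "3des",
                             "IkeAuthAlg": "md5", "IkeLifetime": 90000}}]}}
```

Calling lint_vpn_attachment(SAMPLE_RESOURCE) returns six findings: the FQDN LocalId on tunnel 1 under main mode, the out-of-block LocalBgpIp and reused TunnelCidr on tunnel 2, and tunnel 2's lifetime and legacy algorithm choices.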
Return values
Fn::GetAtt
InternetIp: the gateway address of the IPsec-VPN connection.
VpnAttachmentId: the ID of the IPsec-VPN connection.
PeerVpnAttachmentConfig: the configurations of the IPsec-VPN connection.
Examples
YAML
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  AutoConfigRoute:
    Description:
      en: "Specifies whether to automatically configure routes. Valid values:\ntrue\
        \ (default) \nfalse"
    Type: Boolean
  BgpConfig:
    AssociationPropertyMetadata:
      Parameters:
        EnableBgp:
          Description:
            en: "Specifies whether to enable the BGP feature for the tunnel. \nValid\
              \ values: true and false. Default value: false."
          Type: Boolean
        LocalAsn:
          Description:
            en: 'the ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295.
              Default value: 45104.'
          MaxValue: 4294967295
          MinValue: 1
          Type: Number
        LocalBgpIp:
          Description:
            en: "the BGP IP address on the Alibaba Cloud side. \nThis IP address must\
              \ fall within the CIDR block of the IPsec tunnel."
          Type: String
        TunnelCidr:
          Description:
            en: the CIDR block of the IPsec tunnel. The CIDR block must fall within
              169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in
              length.
          Type: String
    Description:
      en: "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required\
        \ when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP,\
        \ we recommend that you learn about how BGP works and its limits. For more\
        \ information, see VPN Gateway supports BGP dynamic routing.\nWe recommend\
        \ that you use a private ASN to establish a connection with Alibaba Cloud\
        \ over BGP. \nRefer to the relevant documentation for the private ASN range."
    Type: Json
  CustomerGatewayId:
    Description:
      en: The ID of the user gateway.
    Type: String
  EffectImmediately:
    Default: false
    Description:
      en: 'Whether to delete the currently negotiated IPsec tunnel and re-initiate
        the negotiation. Value:

        True: Negotiate immediately after the configuration is complete.

        False (default): Negotiate when traffic enters.'
    Type: Boolean
  EnableDpd:
    Description:
      en: "Specifies whether to enable the dead peer detection (DPD) feature. Valid\
        \ values: \ntrue (default) The initiator of the IPsec-VPN connection sends\
        \ DPD packets to verify the existence and availability of the peer. If no\
        \ response is received from the peer within a specified period of time, the\
        \ connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel\
        \ is also deleted. \nfalse: disables DPD. The IPsec initiator does not send\
        \ DPD packets."
    Type: Boolean
  EnableNatTraversal:
    Description:
      en: "Specifies whether to enable NAT traversal. Valid values: \ntrue (default)\
        \ After NAT traversal is enabled, the initiator does not check the UDP ports\
        \ during IKE negotiations and can automatically discover NAT gateway devices\
        \ along the VPN tunnel. \nfalse"
    Type: Boolean
  HealthCheckConfig:
    AssociationPropertyMetadata:
      Parameters:
        Dip:
          Type: String
        Enable:
          Type: Boolean
        Interval:
          Type: Number
        Policy:
          Description:
            en: Whether to revoke published routes when the health check fails.
          Type: String
        Retry:
          Type: Number
        Sip:
          Type: String
    Description:
      en: Whether to enable the health check configuration.
    Type: Json
  IkeConfig:
    AssociationPropertyMetadata:
      Parameters:
        IkeAuthAlg:
          AllowedValues:
          - md5
          - sha1
          - sha256
          - sha384
          - sha512
          - sm3
          Description:
            en: "The authentication algorithm negotiated in the first phase. \nIf\
              \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
              \ and the default value is md5.\nIf the VPN gateway is an SM (ShangMi)\
              \ gateway, the value is sm3 (default value)."
          Type: String
        IkeEncAlg:
          AllowedValues:
          - aes
          - aes192
          - aes256
          - des
          - 3des
          - sm4
          Description:
            en: "The encryption algorithm negotiated in the first phase. \nIf\
              \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
              \ and the default value is aes.\nIf the VPN gateway is an SM (ShangMi)\
              \ gateway, the value is sm4 (default value)."
          Type: String
        IkeLifetime:
          Default: 86400
          Description:
            en: The life cycle of the SA negotiated in the first phase. The value
              ranges from 0 to 86400, in seconds. The default value is 86400.
          MaxValue: 86400
          MinValue: 0
          Type: Number
        IkeMode:
          AllowedValues:
          - main
          - aggressive
          Default: main
          Description:
            en: 'Negotiation mode for IKE V1. Value: main|aggressive, default: main.'
          Type: String
        IkePfs:
          AllowedValues:
          - group1
          - group2
          - group5
          - group14
          - group24
          Default: group2
          Description:
            en: 'Diffie-Hellman key exchange algorithm used in the first phase negotiation.
              Value: group1|group2|group5|group14|group24, default value: group2.'
          Type: String
        IkeVersion:
          AllowedValues:
          - ikev1
          - ikev2
          Default: ikev1
          Description:
            en: 'The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1.'
          Type: String
        LocalId:
          Description:
            en: ID of the VPN gateway. The length is limited to 100 characters. The
              default value is the public IP address of the VPN gateway.
          MaxLength: 100
          Type: String
        Psk:
          Description:
            en: Used for identity authentication between the IPsec VPN gateway and
              the user gateway. It is generated randomly by default, or you can specify
              the key manually. The length is limited to 100 characters.
          MaxLength: 100
          Type: String
        RemoteId:
          Description:
            en: ID of the user gateway. The length is limited to 100 characters. The
              default value is the public IP address of the user gateway.
          MaxLength: 100
          Type: String
    Description:
      en: Configuration information for the first phase of negotiation.
    Type: Json
  IpsecConfig:
    AssociationPropertyMetadata:
      Parameters:
        IpsecAuthAlg:
          AllowedValues:
          - md5
          - sha1
          - sha256
          - sha384
          - sha512
          - sm3
          Description:
            en: "The authentication algorithm negotiated in the second phase. \nIf\
              \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
              \ and the default value is md5.\nIf the VPN gateway is an SM (ShangMi)\
              \ gateway, the value is sm3 (default value)."
          Type: String
        IpsecEncAlg:
          AllowedValues:
          - aes
          - aes192
          - aes256
          - des
          - 3des
          - sm4
          Description:
            en: "The encryption algorithm negotiated in the second phase. \nIf\
              \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
              \ and the default value is aes.\nIf the VPN gateway is an SM (ShangMi)\
              \ gateway, the value is sm4 (default value)."
          Type: String
        IpsecLifetime:
          Default: 86400
          Description:
            en: 'IpsecLifetime: The life cycle of the SA negotiated in the second
              phase. The value ranges from 0 to 86400, in seconds. The default value
              is 86400.'
          MaxValue: 86400
          MinValue: 0
          Type: Number
        IpsecPfs:
          AllowedValues:
          - disabled
          - group1
          - group2
          - group5
          - group14
          - group24
          Default: group2
          Description:
            en: 'The Diffie-Hellman key exchange algorithm used in the second phase
              negotiation. Value: disabled|group1|group2|group5|group14|group24,
              default value: group2.'
          Type: String
    Description:
      en: Configuration information for the second phase negotiation.
    Type: Json
  LocalSubnet:
    Description:
      en: 'A network segment on the VPC side that needs to be interconnected with
        the local IDC for the second phase negotiation.

        Multiple network segments are separated by commas, for example: 192.168.1.0/24,
        192.168.2.0/24.'
    Type: String
  Name:
    Description:
      en: 'The name of the IPsec connection.

        The length is 2-128 characters and must start with a letter or Chinese. It
        can contain numbers, periods (.), underscores (_) and dashes (-), but cannot
        start with http:// or https:// .'
    MaxLength: 128
    MinLength: 2
    Type: String
  NetworkType:
    AllowedValues:
    - public
    - private
    Description:
      en: 'The network type of the IPsec connection. Value: public|private.'
    Type: String
  RemoteCaCert:
    Description:
      en: "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish\
        \ the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway\
        \ is used to establish the IPsec-VPN connection. \nYou can ignore this parameter\
        \ when a standard VPN gateway is used to create the IPsec-VPN connection."
    Type: String
  RemoteSubnet:
    Description:
      en: 'The network segment of the local IDC is used for the second phase negotiation.

        Multiple network segments are separated by commas, for example: 192.168.3.0/24,
        192.168.4.0/24.'
    Type: String
Resources:
  VpnAttachment:
    Properties:
      AutoConfigRoute:
        Ref: AutoConfigRoute
      BgpConfig:
        Ref: BgpConfig
      CustomerGatewayId:
        Ref: CustomerGatewayId
      EffectImmediately:
        Ref: EffectImmediately
      EnableDpd:
        Ref: EnableDpd
      EnableNatTraversal:
        Ref: EnableNatTraversal
      HealthCheckConfig:
        Ref: HealthCheckConfig
      IkeConfig:
        Ref: IkeConfig
      IpsecConfig:
        Ref: IpsecConfig
      LocalSubnet:
        Ref: LocalSubnet
      Name:
        Ref: Name
      NetworkType:
        Ref: NetworkType
      RemoteCaCert:
        Ref: RemoteCaCert
      RemoteSubnet:
        Ref: RemoteSubnet
    Type: ALIYUN::VPC::VpnAttachment
Outputs:
  InternetIp:
    Description: The gateway IP address of the IPsec connection.
    Value:
      Fn::GetAtt:
      - VpnAttachment
      - InternetIp
  PeerVpnAttachmentConfig:
    Description: Peer VPN attachment configuration.
    Value:
      Fn::GetAtt:
      - VpnAttachment
      - PeerVpnAttachmentConfig
  VpnAttachmentId:
    Description: ID of the IPsec attachment.
    Value:
      Fn::GetAtt:
      - VpnAttachment
      - VpnAttachmentId
JSON
{
"ROSTemplateFormatVersion": "2015-09-01",
"Parameters": {
"LocalSubnet": {
"Type": "String",
"Description": {
"en": "A network segment on the VPC side that needs to be interconnected with the local IDC for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.1.0/24, 192.168.2.0/24."
}
},
"CustomerGatewayId": {
"Type": "String",
"Description": {
"en": "The ID of the user gateway."
}
},
"AutoConfigRoute": {
"Type": "Boolean",
"Description": {
"en": "Specifies whether to automatically configure routes. Valid values:\ntrue (default) \nfalse"
}
},
"Name": {
"Type": "String",
"Description": {
"en": "The name of the IPsec connection.\nThe length is 2-128 characters and must start with a letter or Chinese. It can contain numbers, periods (.), underscores (_) and dashes (-), but cannot start with http:// or https:// ."
},
"MinLength": 2,
"MaxLength": 128
},
"EffectImmediately": {
"Type": "Boolean",
"Description": {
"en": "Whether to delete the currently negotiated IPsec tunnel and re-initiate the negotiation. Value:\nTrue: Negotiate immediately after the configuration is complete.\nFalse (default): Negotiate when traffic enters."
},
"Default": false
},
"BgpConfig": {
"AssociationPropertyMetadata": {
"Parameters": {
"EnableBgp": {
"Type": "Boolean",
"Description": {
"en": "Specifies whether to enable the BGP feature for the tunnel. \nValid values: true and false. Default value: false."
}
},
"LocalAsn": {
"Type": "Number",
"Description": {
"en": "the ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295. Default value: 45104."
},
"MinValue": 1,
"MaxValue": 4294967295
},
"TunnelCidr": {
"Type": "String",
"Description": {
"en": "the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length."
}
},
"LocalBgpIp": {
"Type": "String",
"Description": {
"en": "the BGP IP address on the Alibaba Cloud side. \nThis IP address must fall within the CIDR block of the IPsec tunnel."
}
}
}
},
"Type": "Json",
"Description": {
"en": "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP, we recommend that you learn about how BGP works and its limits. For more information, see VPN Gateway supports BGP dynamic routing.\nWe recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. \nRefer to the relevant documentation for the private ASN range."
}
},
"RemoteSubnet": {
"Type": "String",
"Description": {
"en": "The network segment of the local IDC is used for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.3.0/24, 192.168.4.0/24."
}
},
"RemoteCaCert": {
"Type": "String",
"Description": {
"en": "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway is used to establish the IPsec-VPN connection. \nYou can ignore this parameter when a standard VPN gateway is used to create the IPsec-VPN connection."
}
},
"IpsecConfig": {
"AssociationPropertyMetadata": {
"Parameters": {
"IpsecPfs": {
"Type": "String",
"Description": {
"en": "The Diffie-Hellman key exchange algorithm used in the second phase negotiation. Value: disabled|group1|group2|group5|group14|group24, default value: group2."
},
"AllowedValues": [
"disabled",
"group1",
"group2",
"group5",
"group14",
"group24"
],
"Default": "group2"
},
"IpsecEncAlg": {
"Type": "String",
"Description": {
"en": "The encryption algorithm negotiated in the second phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway is an SM (ShangMi) gateway, the value is sm4 (default value)."
},
"AllowedValues": [
"aes",
"aes192",
"aes256",
"des",
"3des",
"sm4"
]
},
"IpsecAuthAlg": {
"Type": "String",
"Description": {
"en": "The authentication algorithm negotiated in the second phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway is an SM (ShangMi) gateway, the value is sm3 (default value)."
},
"AllowedValues": [
"md5",
"sha1",
"sha256",
"sha384",
"sha512",
"sm3"
]
},
"IpsecLifetime": {
"Type": "Number",
"Description": {
"en": "IpsecLifetime: The life cycle of the SA negotiated in the second phase. The value ranges from 0 to 86400, in seconds. The default value is 86400."
},
"MinValue": 0,
"MaxValue": 86400,
"Default": 86400
}
}
},
"Type": "Json",
"Description": {
"en": "Configuration information for the second phase negotiation."
}
},
"NetworkType": {
"Type": "String",
"Description": {
"en": "The network type of the IPsec connection. Value: public|private."
},
"AllowedValues": [
"public",
"private"
]
},
"HealthCheckConfig": {
"AssociationPropertyMetadata": {
"Parameters": {
"Policy": {
"Type": "String",
"Description": {
"en": "Whether to revoke published routes when the health check fails."
}
},
"Enable": {
"Type": "Boolean"
},
"Dip": {
"Type": "String"
},
"Retry": {
"Type": "Number"
},
"Sip": {
"Type": "String"
},
"Interval": {
"Type": "Number"
}
}
},
"Type": "Json",
"Description": {
"en": "Whether to enable the health check configuration."
}
},
"EnableNatTraversal": {
"Type": "Boolean",
"Description": {
"en": "Specifies whether to enable NAT traversal. Valid values: \ntrue (default) After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel. \nfalse"
}
},
"IkeConfig": {
"AssociationPropertyMetadata": {
"Parameters": {
"IkeAuthAlg": {
"Type": "String",
"Description": {
"en": "The authentication algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway is an SM (ShangMi) gateway, the value is sm3 (default value)."
},
"AllowedValues": [
"md5",
"sha1",
"sha256",
"sha384",
"sha512",
"sm3"
]
},
"LocalId": {
"Type": "String",
"Description": {
"en": "ID of the VPN gateway. The length is limited to 100 characters. The default value is the public IP address of the VPN gateway."
},
"MaxLength": 100
},
"IkeEncAlg": {
"Type": "String",
"Description": {
"en": "The encryption algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway is an SM (ShangMi) gateway, the value is sm4 (default value)."
},
"AllowedValues": [
"aes",
"aes192",
"aes256",
"des",
"3des",
"sm4"
]
},
"IkeVersion": {
"Type": "String",
"Description": {
"en": "The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1."
},
"AllowedValues": [
"ikev1",
"ikev2"
],
"Default": "ikev1"
},
"IkeMode": {
"Type": "String",
"Description": {
"en": "Negotiation mode for IKE V1. Value: main|aggressive, default: main."
},
"AllowedValues": [
"main",
"aggressive"
],
"Default": "main"
},
"IkeLifetime": {
"Type": "Number",
"Description": {
"en": "The life cycle of the SA negotiated in the first phase. The value ranges from 0 to 86400, in seconds. The default value is 86400."
},
"MinValue": 0,
"MaxValue": 86400,
"Default": 86400
},
"RemoteId": {
"Type": "String",
"Description": {
"en": "ID of the user gateway. The length is limited to 100 characters. The default value is the public IP address of the user gateway."
},
"MaxLength": 100
},
"Psk": {
"Type": "String",
"Description": {
"en": "Used for identity authentication between the IPsec VPN gateway and the user gateway. It is generated randomly by default, or you can specify the key manually. The length is limited to 100 characters."
},
"MaxLength": 100
},
"IkePfs": {
"Type": "String",
"Description": {
"en": "Diffie-Hellman key exchange algorithm used in the first phase negotiation. Value: group1|group2|group5|group14|group24, default value: group2."
},
"AllowedValues": [
"group1",
"group2",
"group5",
"group14",
"group24"
],
"Default": "group2"
}
}
},
"Type": "Json",
"Description": {
"en": "Configuration information for the first phase of negotiation."
}
},
"EnableDpd": {
"Type": "Boolean",
"Description": {
"en": "Specifies whether to enable the dead peer detection (DPD) feature. Valid values: \ntrue (default) The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel is also deleted. \nfalse: disables DPD. The IPsec initiator does not send DPD packets."
}
}
},
"Resources": {
"VpnAttachment": {
"Type": "ALIYUN::VPC::VpnAttachment",
"Properties": {
"LocalSubnet": {
"Ref": "LocalSubnet"
},
"CustomerGatewayId": {
"Ref": "CustomerGatewayId"
},
"AutoConfigRoute": {
"Ref": "AutoConfigRoute"
},
"Name": {
"Ref": "Name"
},
"EffectImmediately": {
"Ref": "EffectImmediately"
},
"BgpConfig": {
"Ref": "BgpConfig"
},
"RemoteSubnet": {
"Ref": "RemoteSubnet"
},
"RemoteCaCert": {
"Ref": "RemoteCaCert"
},
"IpsecConfig": {
"Ref": "IpsecConfig"
},
"NetworkType": {
"Ref": "NetworkType"
},
"HealthCheckConfig": {
"Ref": "HealthCheckConfig"
},
"EnableNatTraversal": {
"Ref": "EnableNatTraversal"
},
"IkeConfig": {
"Ref": "IkeConfig"
},
"EnableDpd": {
"Ref": "EnableDpd"
}
}
}
},
"Outputs": {
"InternetIp": {
"Description": "The gateway IP address of the IPsec connection.",
"Value": {
"Fn::GetAtt": [
"VpnAttachment",
"InternetIp"
]
}
},
"VpnAttachmentId": {
"Description": "ID of the IPsec attachment.",
"Value": {
"Fn::GetAtt": [
"VpnAttachment",
"VpnAttachmentId"
]
}
},
"PeerVpnAttachmentConfig": {
"Description": "Peer VPN attachment configuration.",
"Value": {
"Fn::GetAtt": [
"VpnAttachment",
"PeerVpnAttachmentConfig"
]
}
}
}
}