ModifyVpnConnectionAttribute

Last Updated: Aug 11, 2023

Modifies the configuration of an IPsec-VPN connection.

Usage notes

  • To modify a dual-tunnel IPsec-VPN connection, call the ModifyVpnConnectionAttribute operation. In addition to the required parameters, the operation supports the following optional parameters:

    ClientToken, Name, LocalSubnet, RemoteSubnet, EffectImmediately, AutoConfigRoute, TunnelOptionsSpecification, and EnableTunnelsBgp.

  • To modify a single-tunnel IPsec-VPN connection, call the ModifyVpnConnectionAttribute operation. In addition to the required parameters, the operation supports the following optional parameters:

    ClientToken, Name, LocalSubnet, RemoteSubnet, EffectImmediately, IkeConfig, IpsecConfig, HealthCheckConfig, AutoConfigRoute, EnableDpd, EnableNatTraversal, BgpConfig, and RemoteCaCertificate.

  • ModifyVpnConnectionAttribute is an asynchronous operation. After a request is sent, the system returns a request ID and runs the task in the background. You can call the DescribeVpnGateway operation to query the status of a VPN gateway. The status of the VPN gateway indicates whether the IPsec-VPN connection is modified.

    • If the VPN gateway is in the updating state, the IPsec-VPN connection is being modified.
    • If the VPN gateway is in the active state, the IPsec-VPN connection is modified.
  • You cannot call the ModifyVpnConnectionAttribute operation again on the same VPN gateway to modify the configuration of an IPsec-VPN connection before the previous operation is complete.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description

Action String Yes ModifyVpnConnectionAttribute

The operation that you want to perform.

Set the value to ModifyVpnConnectionAttribute.

RegionId String Yes cn-shanghai

The region ID of the IPsec-VPN connection.

You can call the DescribeRegions operation to query the IDs of available regions.

ClientToken String No 02fb3da4-130e-11e9-8e44-0016e04115b

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the token, but you must make sure that the token is unique among different requests. The token can contain only ASCII characters.

Note

If you do not specify this parameter, the system automatically uses the request ID as the client token. The request ID may be different for each request.

VpnConnectionId String Yes vco-bp1bbi27hojx80nck****

The ID of the IPsec-VPN connection.

Name String No nametest

The name of the IPsec-VPN connection.

The name must be 1 to 100 characters in length, and cannot start with http:// or https://.

LocalSubnet String No 10.1.1.0/24,10.1.2.0/24

The CIDR block on the virtual private cloud (VPC) side. The CIDR block is used in Phase 2 negotiations.

Separate CIDR blocks with commas (,). Example: 192.168.1.0/24,192.168.2.0/24.

The following routing modes are supported:

  • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is set to Destination Routing Mode.
  • If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is set to Protected Data Flows.

RemoteSubnet String No 10.2.1.0/24,10.2.2.0/24

The CIDR block on the data center side. This CIDR block is used in Phase 2 negotiations.

Separate CIDR blocks with commas (,). Example: 192.168.3.0/24,192.168.4.0/24.

The following routing modes are supported:

  • If you set LocalSubnet and RemoteSubnet to 0.0.0.0/0, the routing mode of the IPsec-VPN connection is set to Destination Routing Mode.
  • If you set LocalSubnet and RemoteSubnet to specific CIDR blocks, the routing mode of the IPsec-VPN connection is set to Protected Data Flows.

EffectImmediately Boolean No false

Specifies whether to immediately start IPsec negotiations. Valid values:

  • true: immediately starts IPsec negotiations after the configuration takes effect.

  • false: starts IPsec negotiations when inbound traffic is detected.

IkeConfig String No {"Psk":"pgw6dy7d1i8i****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"116.64.XX.XX","RemoteId":"139.18.XX.XX"}

This parameter is supported by single-tunnel IPsec-VPN connections.

The configurations of Phase 1 negotiations:

  • IkeConfig.Psk: the pre-shared key that is used for authentication between the VPN gateway and the data center.

    • It must be 1 to 100 characters in length, and can contain letters, digits, and the following characters: ~!`@#$%^&*()_-+={}[]|;:',.<>/?
    • If you do not specify a pre-shared key, the system generates a random 16-bit string as the pre-shared key. You can call the DescribeVpnConnection operation to query the pre-shared key that is generated by the system.

      Note

      The IPsec-VPN connection and the data center must use the same pre-shared key. Otherwise, the data center fails to connect to the VPN gateway.

  • IkeConfig.IkeVersion: the version of the IKE protocol. Valid values: ikev1 and ikev2.

    Compared with IKEv1, IKEv2 simplifies the SA negotiation process and is more suitable for scenarios in which multiple CIDR blocks are used.

  • IkeConfig.IkeMode: the negotiation mode of IKE. Valid values: main and aggressive.

    • main: This mode offers higher security during negotiations.
    • aggressive: This mode is faster and has a higher success rate.

  • IkeConfig.IkeEncAlg: the encryption algorithm that is used in Phase 1 negotiations.

    Valid values: aes, aes192, aes256, des, and 3des.

  • IkeConfig.IkeAuthAlg: the authentication algorithm that is used in Phase 1 negotiations.

    Valid values: md5, sha1, sha256, sha384, and sha512.

  • IkeConfig.IkePfs: the Diffie-Hellman (DH) key exchange algorithm that is used in Phase 1 negotiations. Valid values: group1, group2, group5, and group14.

  • IkeConfig.IkeLifetime: the security association (SA) lifetime that is determined by Phase 1 negotiations. Unit: seconds. Valid values: 0 to 86400.

  • IkeConfig.LocalId: the identifier of the VPN gateway. The identifier cannot exceed 100 characters in length. The default value is the IP address of the VPN gateway.

  • IkeConfig.RemoteId: the identifier of the customer gateway. The identifier cannot exceed 100 characters in length. The default value is the IP address of the customer gateway.

IpsecConfig String No {"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}

This parameter is supported by single-tunnel IPsec-VPN connections.

The configurations of Phase 2 negotiations:

  • IpsecConfig.IpsecEncAlg: the encryption algorithm that is used in Phase 2 negotiations.

    Valid values: aes, aes192, aes256, des, and 3des.

  • IpsecConfig.IpsecAuthAlg: the authentication algorithm that is used in Phase 2 negotiations.

    Valid values: md5, sha1, sha256, sha384, and sha512.

  • IpsecConfig.IpsecPfs: the DH key exchange algorithm that is used in Phase 2 negotiations. If you specify this parameter, packets of all protocols are forwarded. Valid values: disabled, group1, group2, group5, and group14.

  • IpsecConfig.IpsecLifetime: the SA lifetime that is determined by Phase 2 negotiations. Unit: seconds. Valid values: 0 to 86400.

HealthCheckConfig String No {"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3"}

This parameter is supported by single-tunnel IPsec-VPN connections.

The health check configuration:

  • HealthCheckConfig.enable: specifies whether to enable health checks. Valid values: true and false.

  • HealthCheckConfig.dip: the destination IP address that is used for health checks.

  • HealthCheckConfig.sip: the source IP address that is used for health checks.

  • HealthCheckConfig.interval: the interval between two consecutive health checks. Unit: seconds.

  • HealthCheckConfig.retry: the maximum number of health check retries.

AutoConfigRoute Boolean No true

Specifies whether to automatically advertise routes. Valid values:

  • true: yes

  • false: no

EnableDpd Boolean No true

This parameter is supported by single-tunnel IPsec-VPN connections.

Specifies whether to enable the dead peer detection (DPD) feature. Valid values:

  • true: enables the DPD feature. The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no feedback is received from the peer within a specified period of time, the connection fails. ISAKMP SA and IPsec SA are deleted. The security tunnel is also deleted.

  • false: disables DPD. The IPsec initiator does not send DPD packets.

EnableNatTraversal Boolean No true

This parameter is supported by single-tunnel IPsec-VPN connections.

Indicates whether NAT traversal is enabled. Valid values:

  • true: enables NAT traversal. After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.

  • false: disables NAT traversal.

BgpConfig String No {"EnableBgp":"true","LocalAsn":"65530","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}

This parameter is supported by single-tunnel IPsec-VPN connections.

The Border Gateway Protocol (BGP) configuration:

  • BgpConfig.EnableBgp: specifies whether to enable BGP. Valid values: true and false.

  • BgpConfig.LocalAsn: the autonomous system number (ASN) on the Alibaba Cloud side. Valid values: 1 to 4294967295.

  • BgpConfig.TunnelCidr: the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length.

    Note

    The tunnel CIDR block of each IPsec-VPN connection on a VPN gateway must be unique.

  • BgpConfig.LocalBgpIp: the BGP IP address on the Alibaba Cloud side. This IP address must fall within the CIDR block of the IPsec tunnel.

Note

  • This parameter is required when the VPN gateway has dynamic BGP enabled.
  • Before you configure BGP, we recommend that you learn about how BGP works and its limits. For more information, see BGP dynamic routing supported by VPN gateways.
  • We recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. Refer to the relevant documentation for the private ASN range.

RemoteCaCertificate String No -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----

This parameter is supported by single-tunnel IPsec-VPN connections.

If the VPN gateway uses a ShangMi (SM) certificate, you can modify the CA certificate used by the IPsec peer.

If the VPN gateway does not use an SM certificate, this parameter is not supported.

TunnelOptionsSpecification.N.TunnelId String No tun-opsqc4d97wni27****

TunnelOptionsSpecification parameters are supported by dual-tunnel IPsec-VPN gateways. You can modify both the active and standby tunnels of the IPsec-VPN connection.

The tunnel ID.

TunnelOptionsSpecification.N.EnableDpd Boolean No true

Specifies whether to enable DPD for the tunnel. Valid values:

  • true: enables the DPD feature. The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no feedback is received from the peer within a specified period of time, the connection fails. ISAKMP SA and IPsec SA are deleted. The security tunnel is also deleted.

  • false: disables DPD. The IPsec initiator does not send DPD packets.

TunnelOptionsSpecification.N.EnableNatTraversal Boolean No true

Specifies whether to enable NAT traversal for the tunnel. Valid values:

  • true: enables NAT traversal. After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.

  • false: disables NAT traversal.

TunnelOptionsSpecification.N.RemoteCaCertificate String No -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----

If the VPN gateway uses an SM certificate, you can modify the CA certificate used by the IPsec peer.

If the VPN gateway does not use an SM certificate, this parameter is not supported.

TunnelOptionsSpecification.N.TunnelBgpConfig.LocalAsn Long No 65530

The local ASN (Alibaba Cloud side). Valid values: 1 to 4294967295. Default value: 45104.

Note

  • You can set or modify this parameter if BGP is enabled for the IPsec-VPN connection (EnableTunnelsBgp is set to true).
  • Before you configure BGP, we recommend that you learn about how BGP works and its limits. For more information, see VPN Gateway supports BGP dynamic routing.
  • We recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. Refer to the relevant documentation for the private ASN range.

TunnelOptionsSpecification.N.TunnelBgpConfig.LocalBgpIp String No 169.254.10.1

The local BGP address (Alibaba Cloud side). The BGP address is an IP address that falls into the BGP CIDR block.

TunnelOptionsSpecification.N.TunnelBgpConfig.TunnelCidr String No 169.254.10.0/30

The BGP CIDR block. The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length.

Note

The BGP CIDR block of each tunnel on a VPN gateway must be unique.

TunnelOptionsSpecification.N.TunnelIkeConfig.IkeAuthAlg String No md5

The authentication algorithm that is used in Phase 1 negotiations.

Valid values: md5, sha1, sha256, sha384, and sha512.

TunnelOptionsSpecification.N.TunnelIkeConfig.IkeEncAlg String No aes

The encryption algorithm that is used in Phase 1 negotiations.

Valid values: aes, aes192, aes256, des, and 3des.

TunnelOptionsSpecification.N.TunnelIkeConfig.IkeLifetime Long No 86400

The SA lifetime that is determined by Phase 1 negotiations. Unit: seconds. Valid values: 0 to 86400.

TunnelOptionsSpecification.N.TunnelIkeConfig.IkeMode String No main

The IKE negotiation mode. Valid values:

  • main: This mode offers higher security during negotiations.
  • aggressive: This mode is faster and has a higher success rate.

TunnelOptionsSpecification.N.TunnelIkeConfig.IkePfs String No group2

The DH key exchange algorithm that is used in Phase 1 negotiations. Valid values: group1, group2, group5, and group14.

TunnelOptionsSpecification.N.TunnelIkeConfig.IkeVersion String No ikev1

The version of the IKE protocol. Valid values: ikev1 and ikev2.

Compared with IKEv1, IKEv2 simplifies the SA negotiation process and is more suitable for scenarios in which multiple CIDR blocks are used.

TunnelOptionsSpecification.N.TunnelIkeConfig.LocalId String No 47.21.XX.XX

The local identifier (Alibaba Cloud side) used for Phase 1 negotiation. The identifier cannot exceed 100 characters in length. The default identifier is the tunnel IP address.

You can set LocalId to a fully qualified domain name (FQDN). In this case, we recommend that you set Negotiation Mode to aggressive.

TunnelOptionsSpecification.N.TunnelIkeConfig.Psk String No 123456****

The pre-shared key that is used for authentication between the tunnel and peer.

  • It must be 1 to 100 characters in length, and can contain letters, digits, and the following characters: ~!`@#$%^&*()_-+={}[]|;:',.<>/?
  • If you do not specify a pre-shared key, the system generates a random 16-bit string as the pre-shared key. You can call the DescribeVpnConnection operation to query the pre-shared key that is generated by the system.

Note

Make sure that the tunnels and peers use the same pre-shared key. Otherwise, tunnel communication cannot be established.

TunnelOptionsSpecification.N.TunnelIkeConfig.RemoteId String No 47.42.XX.XX

The peer identifier used for Phase 1 negotiation. The identifier cannot exceed 100 characters in length. The default identifier is the IP address of the customer gateway.

You can set RemoteId to an FQDN. In this case, we recommend that you set Negotiation Mode to aggressive.

TunnelOptionsSpecification.N.TunnelIpsecConfig.IpsecAuthAlg String No md5

The authentication algorithm that is used in Phase 2 negotiations.

Valid values: md5, sha1, sha256, sha384, and sha512.

TunnelOptionsSpecification.N.TunnelIpsecConfig.IpsecEncAlg String No aes

The encryption algorithm that is used in Phase 2 negotiations.

Valid values: aes, aes192, aes256, des, and 3des.

TunnelOptionsSpecification.N.TunnelIpsecConfig.IpsecLifetime Integer No 86400

The SA lifetime that is determined by Phase 2 negotiations. Unit: seconds. Valid values: 0 to 86400.

TunnelOptionsSpecification.N.TunnelIpsecConfig.IpsecPfs String No group2

The DH key exchange algorithm that is used in Phase 2 negotiations.

Valid values: disabled, group1, group2, group5, and group14.

EnableTunnelsBgp Boolean No true

This parameter is supported by dual-tunnel IPsec-VPN connections.

Specifies whether to enable BGP for the tunnel. Valid values: true and false.

Response parameters

Parameter Type Example Description

EnableNatTraversal Boolean true

Indicates whether NAT traversal is enabled for the IPsec-VPN connection. Valid values:

  • false

  • true

This parameter is returned only for single-tunnel IPsec-VPN connections.

CreateTime Long 1492753817000

The timestamp generated when the IPsec-VPN connection was established. Unit: milliseconds.

This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.

EffectImmediately Boolean false

Indicates whether IPsec negotiations immediately start after the configuration takes effect. Valid values:

  • true: IPsec negotiations immediately start after the configuration takes effect.

  • false: IPsec negotiations start when inbound traffic is detected.

VpnGatewayId String vpn-bp1q8bgx4xnkm2ogj****

The ID of the VPN gateway.

LocalSubnet String 10.1.1.0/24,10.1.2.0/24

The CIDR block on the VPC side.

RequestId String 7DB79D0C-5F27-4AB5-995B-79BE55102F90

The request ID.

VpnConnectionId String vco-bp1bbi27hojx80nck****

The ID of the IPsec-VPN connection.

Description String description

The description of the IPsec-VPN connection.

RemoteSubnet String 10.2.1.0/24,10.2.2.0/24

The CIDR block on the data center side.

CustomerGatewayId String cgw-p0w2jemrcj5u61un8****

The ID of the customer gateway that is associated with the IPsec-VPN connection.

This parameter is returned only for single-tunnel IPsec-VPN connections.

Name String nametest

The name of the IPsec-VPN connection.

EnableDpd Boolean true

Indicates whether dead peer detection (DPD) is enabled for the IPsec-VPN connection. Valid values:

  • false

  • true

This parameter is returned only for single-tunnel IPsec-VPN connections.

IkeConfig Object

The configuration of Phase 1 negotiations.

IkeConfig parameters are returned only for single-tunnel IPsec-VPN connections.

RemoteId String 139.18.XX.XX

The identifier on the data center side. The default value is the IP address of the customer gateway. The value can be an FQDN or an IP address.

IkeLifetime Long 86400

The lifetime in the IKE phase. Unit: seconds.

IkeEncAlg String aes

The encryption algorithm in the IKE phase.

LocalId String 116.64.XX.XX

The identifier on the VPC side. The default value is the IP address of the VPN gateway. The value can be an FQDN or an IP address.

IkeMode String main

The IKE negotiation mode.

  • main: This mode offers higher security during negotiations.
  • aggressive: This mode is faster and has a higher success rate.

IkeVersion String ikev1

The version of the IKE protocol.

  • ikev1
  • ikev2

Compared with IKEv1, IKEv2 simplifies the SA negotiation process and is more suitable for scenarios in which multiple CIDR blocks are used.

IkePfs String group2

The DH group in the IKE phase.

Psk String pgw6dy7d1i8i****

The pre-shared key.

IkeAuthAlg String sha1

The authentication algorithm in the IKE phase.

IpsecConfig Object

The configuration of Phase 2 negotiations.

IpsecConfig parameters are returned only for single-tunnel IPsec-VPN connections.

IpsecAuthAlg String sha1

The authentication algorithm in the IPsec phase.

IpsecLifetime Long 86400

The lifetime in the IPsec phase. Unit: seconds.

IpsecEncAlg String aes

The encryption algorithm in the IPsec phase.

IpsecPfs String group2

The DH group in the IPsec phase.

VcoHealthCheck Object

The health check configurations.

VcoHealthCheck parameters are returned only for single-tunnel IPsec-VPN connections.

Dip String 192.168.1.1

The destination IP address.

Interval Integer 3

The interval between two consecutive health checks. Unit: seconds.

Retry Integer 3

The maximum number of health check retries.

Sip String 10.1.1.1

The source IP address for health checks.

Enable String true

Indicates whether the health check feature is enabled for the IPsec-VPN connection.

  • true

  • false

VpnBgpConfig Object

The BGP configuration.

VpnBgpConfig parameters are returned only for single-tunnel IPsec-VPN connections.

Status String success

The negotiation status of BGP. Valid values:

  • success

  • false

PeerBgpIp String 169.254.11.2

The BGP IP address of the data center.

TunnelCidr String 169.254.11.0/30

The BGP CIDR block of the IPsec-VPN connection.

EnableBgp String true

Indicates whether BGP is enabled.

  • true

  • false

LocalBgpIp String 169.254.11.1

The BGP IP address of Alibaba Cloud.

PeerAsn Integer 65531

The ASN on the data center side.

LocalAsn Integer 65530

The ASN of Alibaba Cloud.

TunnelOptionsSpecification Array of TunnelOptions

The tunnel configurations of the IPsec-VPN connection.

TunnelOptionsSpecification parameters are returned only for dual-tunnel IPsec-VPN connections.

TunnelOptions

CustomerGatewayId String cgw-p0wy363lucf1uyae8****

The ID of the customer gateway that is associated with the tunnel.

EnableDpd Boolean true

Indicates whether DPD is enabled for the tunnel. Valid values:

  • false
  • true

EnableNatTraversal Boolean true

Indicates whether NAT traversal is enabled for the tunnel. Valid values:

  • false
  • true

InternetIp String 47.21.XX.XX

The IP address on the Alibaba Cloud side.

RemoteCaCertificate String -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----

The CA certificate used by the IPsec peer.

This parameter is returned only by VPN gateways that use SM certificates.

Role String master

The tunnel role. Valid values:

  • master
  • slave

State String active

The tunnel status. Valid values:

  • active
  • updating
  • deleting

TunnelBgpConfig Object

The BGP configurations.

LocalAsn Long 65530

The local ASN (Alibaba Cloud side).

LocalBgpIp String 169.254.10.1

The local BGP address (Alibaba Cloud side).

PeerAsn Long 65531

The peer ASN.

PeerBgpIp String 169.254.10.2

The peer BGP address.

TunnelCidr String 169.254.10.0/30

The BGP CIDR block of the tunnel.

TunnelId String tun-opsqc4d97wni27****

The tunnel ID.

TunnelIkeConfig Object

The configuration of Phase 1 negotiations.

IkeAuthAlg String sha1

The authentication algorithm in the IKE phase.

IkeEncAlg String aes

The encryption algorithm in the IKE phase.

IkeLifetime Long 86400

The lifetime in the IKE phase. Unit: seconds.

IkeMode String main

The IKE negotiation mode.

  • main: This mode offers higher security during negotiations.
  • aggressive: This mode is faster and has a higher success rate.

IkePfs String group2

The DH group in the IKE phase.

IkeVersion String ikev1

The version of the IKE protocol.

LocalId String 47.21.XX.XX

The local identifier (Alibaba Cloud side).

Psk String 123456****

The pre-shared key.

RemoteId String 47.42.XX.XX

The peer identifier.

TunnelIpsecConfig Object

The configuration of Phase 2 negotiations.

IpsecAuthAlg String sha1

The authentication algorithm in the IPsec phase.

IpsecEncAlg String aes

The encryption algorithm in the IPsec phase.

IpsecLifetime Long 86400

The lifetime in the IPsec phase. Unit: seconds.

IpsecPfs String group2

The DH group in the IPsec phase.

ZoneNo String ap-southeast-5a

The zone of the tunnel.

EnableTunnelsBgp Boolean true

Indicates whether BGP is enabled for the tunnel. Valid values:

  • true
  • false

This parameter is returned only by dual-tunnel IPsec-VPN connections.

Examples

Sample requests

http(s)://[Endpoint]/?Action=ModifyVpnConnectionAttribute
&RegionId=cn-shanghai
&ClientToken=02fb3da4-130e-11e9-8e44-0016e04115b
&VpnConnectionId=vco-bp1bbi27hojx80nck****
&Name=nametest
&LocalSubnet=10.1.1.0/24,10.1.2.0/24
&RemoteSubnet=10.2.1.0/24,10.2.2.0/24
&EffectImmediately=false
&IkeConfig={"Psk":"pgw6dy7d1i8i****","IkeVersion":"ikev1","IkeMode":"main","IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2","IkeLifetime":86400,"LocalId":"116.64.XX.XX","RemoteId":"139.18.XX.XX"}
&IpsecConfig={"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}
&HealthCheckConfig={"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3"}
&AutoConfigRoute=true
&EnableDpd=true
&EnableNatTraversal=true
&BgpConfig={"EnableBgp":"true","LocalAsn":"65530","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}
&<Common request parameters>
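
The IkeConfig, IpsecConfig and BgpConfig constraints documented above can be checked on the client before the request is sent. The following Python validator is an added example, not Alibaba Cloud SDK code: the function names and the LEGACY review list are this example's assumptions, while the valid values, ranges and BGP CIDR rules are the ones stated on this page.

```python
import ipaddress
import json
import string

# Valid values as listed in the parameter descriptions on this page.
ENC = {"aes", "aes192", "aes256", "des", "3des"}
AUTH = {"md5", "sha1", "sha256", "sha384", "sha512"}
DH = {"group1", "group2", "group5", "group14"}
IKE_VALID = {"IkeVersion": {"ikev1", "ikev2"}, "IkeMode": {"main", "aggressive"},
             "IkeEncAlg": ENC, "IkeAuthAlg": AUTH, "IkePfs": DH}
IPSEC_VALID = {"IpsecEncAlg": ENC, "IpsecAuthAlg": AUTH,
               "IpsecPfs": DH | {"disabled"}}
PSK_CHARS = set(string.ascii_letters + string.digits
                + "~!`@#$%^&*()_-+={}[]|;:',.<>/?")
LINK_LOCAL = ipaddress.IPv4Network("169.254.0.0/16")

# Assumption: this example's own review list, not an API rule. The API accepts
# these values, but they are legacy choices a reviewer would want flagged.
LEGACY = {"md5", "sha1", "des", "3des", "group1", "group2", "group5",
          "disabled", "aggressive"}


def check_negotiation(cfg, valid, lifetime_key):
    """Check one Phase 1 or Phase 2 object; returns (severity, message) pairs."""
    findings = []
    for key, allowed in valid.items():
        value = cfg.get(key)  # every field is optional; None is skipped
        if value is not None and value not in allowed:
            findings.append(("error", f"{key}: {value!r} is not a documented value"))
        elif value in LEGACY:
            findings.append(("warn", f"{key}: {value} is a legacy setting"))
    lifetime = cfg.get(lifetime_key)
    if lifetime is not None and not 0 <= int(lifetime) <= 86400:
        findings.append(("error", f"{lifetime_key}: {lifetime} is outside 0 to 86400"))
    return findings


def check_psk(psk):
    """Documented rule: 1 to 100 characters drawn from the allowed set."""
    findings = []
    if not 1 <= len(psk) <= 100:
        findings.append(("error", "Psk: length must be 1 to 100 characters"))
    if set(psk) - PSK_CHARS:
        findings.append(("error", "Psk: character outside the documented set"))
    return findings


def check_bgp(cfg):
    """TunnelCidr must be a /30 inside 169.254.0.0/16 that contains LocalBgpIp."""
    try:
        tunnel = ipaddress.IPv4Network(cfg["TunnelCidr"])
        local_ip = ipaddress.IPv4Address(cfg["LocalBgpIp"])
    except (KeyError, ValueError) as exc:
        return [("error", f"BgpConfig: {exc}")]
    findings = []
    if tunnel.prefixlen != 30 or not tunnel.subnet_of(LINK_LOCAL):
        findings.append(("error", "TunnelCidr: must be a /30 within 169.254.0.0/16"))
    if local_ip not in tunnel:
        findings.append(("error", "LocalBgpIp: must fall within TunnelCidr"))
    asn = cfg.get("LocalAsn")
    if asn is not None and not 1 <= int(asn) <= 4294967295:
        findings.append(("error", "LocalAsn: must be 1 to 4294967295"))
    return findings


def check_request(params):
    """Validate the JSON-string parameters of one request before it is sent."""
    ike = json.loads(params.get("IkeConfig", "{}"))
    ipsec = json.loads(params.get("IpsecConfig", "{}"))
    bgp = json.loads(params.get("BgpConfig", "{}"))
    findings = check_negotiation(ike, IKE_VALID, "IkeLifetime")
    findings += check_negotiation(ipsec, IPSEC_VALID, "IpsecLifetime")
    if "Psk" in ike:
        findings += check_psk(ike["Psk"])
    if bgp.get("EnableBgp") == "true":
        findings += check_bgp(bgp)
    return findings


# Values from the sample request on this page (masked as printed; IDs omitted).
SAMPLE = {
    "IkeConfig": '{"Psk":"pgw6dy7d1i8i****","IkeVersion":"ikev1","IkeMode":"main",'
                 '"IkeEncAlg":"aes","IkeAuthAlg":"sha1","IkePfs":"group2",'
                 '"IkeLifetime":86400}',
    "IpsecConfig": '{"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1",'
                   '"IpsecPfs":"group2","IpsecLifetime":86400}',
    "BgpConfig": '{"EnableBgp":"true","LocalAsn":"65530",'
                 '"TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}',
}
# Constructed input that breaks the documented algorithm, lifetime and BGP rules.
BROKEN = {
    "IkeConfig": '{"IkeEncAlg":"aes128","IkeLifetime":90000}',
    "BgpConfig": '{"EnableBgp":"true","TunnelCidr":"169.254.11.0/29",'
                 '"LocalBgpIp":"169.254.12.1"}',
}

if __name__ == "__main__":
    for label, request in (("sample", SAMPLE), ("broken", BROKEN)):
        print(label, check_request(request))
```

The page's own sample request passes every documented rule but is flagged four times by the review list (sha1 and group2 in both phases), which is the kind of drift worth catching before a change is pushed to a gateway.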

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<ModifyVpnConnectionAttributeResponse>
    <EnableNatTraversal>true</EnableNatTraversal>
    <CreateTime>1492753817000</CreateTime>
    <EffectImmediately>false</EffectImmediately>
    <VpnGatewayId>vpn-bp1q8bgx4xnkm2ogj****</VpnGatewayId>
    <LocalSubnet>10.1.1.0/24,10.1.2.0/24</LocalSubnet>
    <RequestId>7DB79D0C-5F27-4AB5-995B-79BE55102F90</RequestId>
    <VpnConnectionId>vco-bp1bbi27hojx80nck****</VpnConnectionId>
    <Description>description</Description>
    <RemoteSubnet>10.2.1.0/24,10.2.2.0/24</RemoteSubnet>
    <CustomerGatewayId>cgw-p0w2jemrcj5u61un8****</CustomerGatewayId>
    <Name>nametest</Name>
    <EnableDpd>true</EnableDpd>
    <IkeConfig>
        <RemoteId>139.18.XX.XX</RemoteId>
        <IkeLifetime>86400</IkeLifetime>
        <IkeEncAlg>aes</IkeEncAlg>
        <LocalId>116.64.XX.XX</LocalId>
        <IkeMode>main</IkeMode>
        <IkeVersion>ikev1</IkeVersion>
        <IkePfs>group2</IkePfs>
        <Psk>pgw6dy7d1i8i****</Psk>
        <IkeAuthAlg>sha1</IkeAuthAlg>
    </IkeConfig>
    <IpsecConfig>
        <IpsecAuthAlg>sha1</IpsecAuthAlg>
        <IpsecLifetime>86400</IpsecLifetime>
        <IpsecEncAlg>aes</IpsecEncAlg>
        <IpsecPfs>group2</IpsecPfs>
    </IpsecConfig>
    <VcoHealthCheck>
        <Dip>192.168.1.1</Dip>
        <Interval>3</Interval>
        <Retry>3</Retry>
        <Sip>10.1.1.1</Sip>
        <Enable>true</Enable>
    </VcoHealthCheck>
    <VpnBgpConfig>
        <Status>success</Status>
        <PeerBgpIp>169.254.11.2</PeerBgpIp>
        <TunnelCidr>169.254.11.0/30</TunnelCidr>
        <EnableBgp>true</EnableBgp>
        <LocalBgpIp>169.254.11.1</LocalBgpIp>
        <PeerAsn>65531</PeerAsn>
        <LocalAsn>65530</LocalAsn>
    </VpnBgpConfig>
</ModifyVpnConnectionAttributeResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "EnableNatTraversal" : true,
  "CreateTime" : 1492753817000,
  "EffectImmediately" : false,
  "VpnGatewayId" : "vpn-bp1q8bgx4xnkm2ogj****",
  "LocalSubnet" : "10.1.1.0/24,10.1.2.0/24",
  "RequestId" : "7DB79D0C-5F27-4AB5-995B-79BE55102F90",
  "VpnConnectionId" : "vco-bp1bbi27hojx80nck****",
  "Description" : "description",
  "RemoteSubnet" : "10.2.1.0/24,10.2.2.0/24",
  "CustomerGatewayId" : "cgw-p0w2jemrcj5u61un8****",
  "Name" : "nametest",
  "EnableDpd" : true,
  "IkeConfig" : {
    "RemoteId" : "139.18.XX.XX",
    "IkeLifetime" : 86400,
    "IkeEncAlg" : "aes",
    "LocalId" : "116.64.XX.XX",
    "IkeMode" : "main",
    "IkeVersion" : "ikev1",
    "IkePfs" : "group2",
    "Psk" : "pgw6dy7d1i8i****",
    "IkeAuthAlg" : "sha1"
  },
  "IpsecConfig" : {
    "IpsecAuthAlg" : "sha1",
    "IpsecLifetime" : 86400,
    "IpsecEncAlg" : "aes",
    "IpsecPfs" : "group2"
  },
  "VcoHealthCheck" : {
    "Dip" : "192.168.1.1",
    "Interval" : 3,
    "Retry" : 3,
    "Sip" : "10.1.1.1",
    "Enable" : "true"
  },
  "VpnBgpConfig" : {
    "Status" : "success",
    "PeerBgpIp" : "169.254.11.2",
    "TunnelCidr" : "169.254.11.0/30",
    "EnableBgp" : "true",
    "LocalBgpIp" : "169.254.11.1",
    "PeerAsn" : 65531,
    "LocalAsn" : 65530
  }
}

Error codes

HttpCode | Error code | Error message | Description

400 | VpnGateway.Configuring | The specified service is configuring. | The operation is not allowed when the specified service is being configured. Try again later.
400 | VpnGateway.FinancialLocked | The specified service is financial locked. | The service is suspended due to overdue payments. Top up your account first.
400 | InvalidName | The name is not valid | The format of the name is invalid.
400 | VpnRouteEntry.AlreadyExists | The specified route entry is already exist. | The route already exists.
400 | VpnRouteEntry.Conflict | The specified route entry has conflict. | The specified route conflicts with an existing route.
400 | NotSupportVpnConnectionParameter.IpsecPfs | The specified vpn connection ipsec Ipsec Pfs is not support. | The PFS parameter set for the IPsec-VPN connection is not supported.
400 | NotSupportVpnConnectionParameter.IpsecAuthAlg | The specified vpn connection ipsec Auth Alg is not support. | The specified authentication algorithm in the IPsec connection is not supported.
400 | VpnRouteEntry.ConflictSSL | The specified route entry has conflict with SSL client. | The route conflicts with the SSL client.
400 | VpnRouteEntry.BackupRoute | Validate backup route entry failed. | Active/standby routes failed authentication.
400 | VpnRouteEntry.InvalidWeight | Invalid route entry weight value. | The specified weight of the route is invalid.
400 | QuotaExceeded.PBR | The policy-based routes has reached the upper limit. | The number of policy-based routes has reached the upper limit.
400 | OperationUnsupported.SetDPD | Current version of the VPN does not support setting DPD. | The current version of the VPN gateway does not support DPD.
400 | OperationUnsupported.SetNatTraversal | Current version of the VPN does not support setting NAT traversal. | The current version of the VPN gateway does not support NAT traversal.
400 | QuotaExceeded.PolicyBasedRoute | The maximum number of policy-based routes is exceeded. Existing routes: %s. Routes to be created: %s. Maximum routes: %s. | The number of policy-based routes reaches the upper limit. The maximum number of routes that you can create is %s. The number of existing routes is %s. You are creating %s routes.
400 | MissingParameter.TunnelCidr | The parameter TunnelCidr is mandatory when BGP is enabled. | You must specify the tunnel CIDR block when you enable BGP.
400 | OperationUnsupported.EnableBgp | Current version of the VPN does not support enable BGP. | The current version of the VPN gateway does not support BGP.
400 | MissingParam.CustomerGatewayAsn | Asn of customer gateway is mandatory when BGP is enabled. | The ASN of the customer gateway cannot be empty when you enable BGP.
400 | IllegalParam.LocalAsn | The specified LocalAsn is invalid. | The local ASN is invalid.
400 | IllegalParam.BgpConfig | The specified BgpConfig is invalid. | The BGP configuration is invalid.
400 | IllegalParam.EnableBgp | VPN connection must enable BGP when VPN gateway has enabled BGP. | The IPsec-VPN connection must use BGP if BGP is enabled for the VPN gateway.
400 | IllegalParam.TunnelCidr | The specified TunnelCidr is invalid. | TunnelCidr is set to an invalid value.
400 | InvalidLocalBgpIp.Malformed | The specified LocalBgpIp is malformed. | The local BGP IP address is in an abnormal state.
400 | IllegalParam.LocalBgpIp | The specified LocalBgpIp is invalid. | The local BGP IP address is invalid.
400 | IllegalParam.LocalSubnet | The specified "LocalSubnet" (%s) is invalid. | LocalSubnet (%s) is set to an invalid value.
400 | IllegalParam.RemoteSubnet | The specified "RemoteSubnet" (%s) is invalid. | RemoteSubnet is set to an invalid value.
400 | OperationFailed.CenLevelNotSupport | When the VPC to which the VPN gateway belongs is attached to a FULL-mode CEN, the VPN gateway cannot enable BGP. | You cannot enable BGP for the VPN gateway when the FULL mode is enabled for the Cloud Enterprise Network (CEN) instance to which the VPC of the VPN gateway is attached.
400 | InvalidTunnelCidr.Malformed | The specified TunnelCidr is malformed. | The specified tunnel CIDR block is invalid.
400 | CustomerGateway.ConflictRouteEntry | The specified customer gateway has conflict with route entry. | The customer gateway conflicts with the current routes.
400 | VpnTask.CONFLICT | Vpn task has conflict. | The VPN operation is conflicting. Try again later.
403 | Forbbiden.SubUser | User not authorized to operate on the specified resource as your account is created by another user. | You are unauthorized to perform this operation on the specified resource. You can apply for the required permissions and try again.
403 | Forbidden | User not authorized to operate on the specified resource. | You are unauthorized to perform this operation on the specified resource. You can apply for the required permissions and try again.
404 | InvalidVpnConnectionInstanceId.NotFound | The specified vpn connection instance id does not exist. | The specified IPsec connection does not exist. Check whether the ID of the IPsec connection is valid.
500 | OperationFailed.RouteConflictWithIPsecServer | Operation failed because the specified route conflicts with IPsec server. | The route conflicts with the IPsec server.

For a list of error codes, see Service error codes.