The ALIYUN::VPC::VpnAttachment type is used to create an IPsec connection that can be associated with a transit router instance.

Syntax
{
"Type": "ALIYUN::VPC::VpnAttachment",
"Properties": {
"LocalSubnet": String,
"CustomerGatewayId": String,
"AutoConfigRoute": Boolean,
"Name": String,
"EffectImmediately": Boolean,
"BgpConfig": Map,
"RemoteSubnet": String,
"RemoteCaCert": String,
"IpsecConfig": Map,
"NetworkType": String,
"HealthCheckConfig": Map,
"EnableNatTraversal": Boolean,
"IkeConfig": Map,
"EnableDpd": Boolean,
"EnableTunnelsBgp": Boolean,
"TunnelOptionsSpecification": List,
"ResourceGroupId": String,
"TunnelBandwidth": String
}
}

Properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| LocalSubnet | String | Yes | Yes | The CIDR block on the VPC side that needs to communicate with the on-premises data center. Used in phase 2 negotiation. | Separate multiple CIDR blocks with commas (,), for example: 192.168.1.0/24,192.168.2.0/24. Notes on the routing mode of the IPsec connection: Example: 10.1.1.0/24,10.1.2.0/24. |
| CustomerGatewayId | String | No | No | The ID of the customer gateway. | None |
| AutoConfigRoute | Boolean | No | Yes | Specifies whether to automatically configure routes. | Valid values: |
| Name | String | No | Yes | The name of the IPsec connection. | None |
| EffectImmediately | Boolean | No | Yes | Specifies whether the configuration of the IPsec connection takes effect immediately. | Valid values: |
| BgpConfig | Map | No | Yes | The BGP configuration. | For more information, see BgpConfig properties. Note: Before you add a BGP configuration, we recommend that you learn how BGP dynamic routing works and what its limits are. For more information, see Configure routes for an IPsec connection. We recommend that you use a private ASN to establish the BGP connection with Alibaba Cloud; refer to the documentation for the private ASN range. Example: |
| RemoteSubnet | String | Yes | Yes | The CIDR block on the on-premises data center side that needs to communicate with the VPC. Used in phase 2 negotiation. | Separate multiple CIDR blocks with commas (,), for example: 192.168.3.0/24,192.168.4.0/24. Notes on the routing mode of the IPsec connection: Example: 10.1.3.0/24,10.1.4.0/24 |
| RemoteCaCert | String | No | No | The CA certificate of the peer when an SM (ShangMi) VPN gateway is used to create the IPsec connection. | Example: |
| IpsecConfig | Map | No | Yes | The configuration of phase 2 negotiation. | For more information, see IpsecConfig properties. Example: |
| EnableTunnelsBgp | Boolean | No | No | Supported only when you create an IPsec-VPN connection in dual-tunnel mode. Specifies whether to enable BGP for the tunnels. | None |
| TunnelOptionsSpecification | List | No | No | The list of tunnel configurations. | For more information, see TunnelOptionsSpecification properties. |
| ResourceGroupId | String | No | No | The ID of the resource group. | None |
| TunnelBandwidth | String | No | No | The bandwidth specification of a single VPN tunnel. | Valid values: |
| NetworkType | String | No | No | The network type of the IPsec connection. | Valid values: |
| HealthCheckConfig | Map | No | Yes | The health check configuration. | For more information, see HealthCheckConfig properties. Example: |
| EnableNatTraversal | Boolean | No | Yes | Specifies whether to enable NAT traversal. | Valid values: |
| IkeConfig | Map | No | Yes | The configuration of phase 1 negotiation. | For more information, see IkeConfig properties. |
| EnableDpd | Boolean | No | Yes | Specifies whether to enable dead peer detection (DPD). | Valid values: |
BgpConfig syntax
"BgpConfig": {
"EnableBgp": Boolean,
"LocalAsn": Number,
"TunnelCidr": String,
"LocalBgpIp": String
}

BgpConfig properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| EnableBgp | Boolean | No | No | Specifies whether to enable BGP. | Valid values: |
| LocalAsn | Number | No | Yes | The ASN on the Alibaba Cloud side. | Valid values: 1 to 4294967295. Default value: 45104. |
| TunnelCidr | String | No | Yes | The CIDR block of the IPsec tunnel. | The CIDR block must fall within 169.254.0.0/16 and have a 30-bit subnet mask. |
| LocalBgpIp | String | No | Yes | The BGP IP address on the Alibaba Cloud side. | The IP address must fall within the CIDR block of the IPsec tunnel. |
IpsecConfig syntax
"IpsecConfig": {
"IpsecPfs": String,
"IpsecEncAlg": String,
"IpsecAuthAlg": String,
"IpsecLifetime": Integer
}

IpsecConfig properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| IpsecPfs | String | No | Yes | The Diffie-Hellman key exchange algorithm used in phase 2 negotiation. | Valid values: |
| IpsecEncAlg | String | No | Yes | The encryption algorithm used in phase 2 negotiation. | Valid values: |
| IpsecAuthAlg | String | No | Yes | The authentication algorithm used in phase 2 negotiation. | Valid values: |
| IpsecLifetime | Integer | No | Yes | The lifetime of the SA negotiated in phase 2. | Unit: seconds. Valid values: 0 to 86400. Default value: 86400. |
TunnelOptionsSpecification syntax
"TunnelOptionsSpecification": {
"TunnelIndex": Integer,
"TunnelBgpConfig": Map,
"TunnelIkeConfig": Map,
"EnableNatTraversal": Boolean,
"TunnelIpsecConfig": Map,
"CustomerGatewayId": String,
"EnableDpd": Boolean
}

TunnelOptionsSpecification properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| TunnelIndex | Integer | No | No | The order in which the tunnel is created. | Valid values: |
| TunnelBgpConfig | Map | No | No | The BGP configuration of the tunnel. | For more information, see TunnelBgpConfig properties. Note: This parameter is required when BGP is enabled for the IPsec connection (that is, when EnableTunnelsBgp is set to true). |
| TunnelIkeConfig | Map | No | No | The configuration of phase 1 negotiation. | For more information, see TunnelIkeConfig properties. |
| EnableNatTraversal | Boolean | No | No | Supported only when you create an IPsec-VPN connection in single-tunnel mode. | Valid values: |
| TunnelIpsecConfig | Map | No | No | The configuration of phase 2 negotiation. | For more information, see TunnelIpsecConfig properties. |
| CustomerGatewayId | String | No | No | The ID of the customer gateway. | Note: This parameter applies only when you create an IPsec-VPN connection in single-tunnel mode, and in that case it is required. |
| EnableDpd | Boolean | No | No | Supported only when you create an IPsec-VPN connection in single-tunnel mode. Specifies whether to enable dead peer detection (DPD). | Valid values: |
TunnelIkeConfig syntax
"TunnelIkeConfig": {
"IkeVersion": String,
"RemoteId": String,
"IkeEncAlg": String,
"IkeLifetime": Integer,
"IkeMode": String,
"Psk": String,
"IkeAuthAlg": String,
"IkePfs": String,
"LocalId": String
}

TunnelIkeConfig properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| IkeVersion | String | No | No | The version of the IKE protocol. | Valid values: ikev1 or ikev2. Default value: ikev2. Compared with IKEv1, IKEv2 simplifies SA negotiation and provides better support for scenarios with multiple CIDR blocks. |
| RemoteId | String | No | No | The identifier of the tunnel peer. | Used in phase 1 negotiation. Up to 100 characters; cannot contain spaces. Default value: the IP address of the customer gateway associated with the tunnel. RemoteId supports the FQDN format; if you use an FQDN, we recommend that you set the negotiation mode to aggressive. |
| IkeEncAlg | String | No | No | The encryption algorithm used in phase 1 negotiation. | Valid values: aes, aes192, aes256, des, or 3des. Default value: aes. |
| IkeLifetime | Integer | No | No | The lifetime of the SA negotiated in phase 1. | Unit: seconds. Valid values: 0 to 86400. Default value: 86400. |
| IkeMode | String | No | No | The negotiation mode of the IKE version. | Valid values: |
| Psk | String | No | No | The pre-shared key. | Used for identity authentication between the tunnel and the tunnel peer. Note: The pre-shared key configured for the tunnel must match the one configured on the tunnel peer; otherwise, the tunnel cannot be established. |
| IkeAuthAlg | String | No | No | The authentication algorithm used in phase 1 negotiation. | Valid values: md5, sha1, sha256, sha384, sha512. Default value: sha1. |
| IkePfs | String | No | No | The Diffie-Hellman key exchange algorithm used in phase 1 negotiation. | Default value: group2. |
| LocalId | String | No | No | The identifier of the local end (Alibaba Cloud side) of the tunnel. | Used in phase 1 negotiation. Up to 100 characters; cannot contain spaces. Default value: the IP address of the tunnel. LocalId supports the FQDN format; if you use an FQDN, we recommend that you set the negotiation mode to aggressive. |
TunnelBgpConfig syntax
"TunnelBgpConfig": {
"LocalAsn": Integer,
"LocalBgpIp": String,
"TunnelCidr": String
}

TunnelBgpConfig properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| LocalAsn | Integer | No | No | The ASN of the local end (Alibaba Cloud side) of the tunnel. | Valid values: 1 to 4294967295. Default value: 45104. Note: We recommend that you use a private ASN to establish the BGP connection with Alibaba Cloud; refer to the documentation for the private ASN range. |
| LocalBgpIp | String | No | No | The BGP IP address of the local end (Alibaba Cloud side) of the tunnel. | The IP address must fall within the BGP CIDR block of the tunnel. |
| TunnelCidr | String | No | No | The BGP CIDR block of the tunnel. | The CIDR block must fall within 169.254.0.0/16 and have a 30-bit subnet mask, and it cannot be 169.254.0.0/30, 169.254.1.0/30, 169.254.2.0/30, 169.254.3.0/30, 169.254.4.0/30, 169.254.5.0/30, 169.254.6.0/30, or 169.254.169.252/30. Note: The two tunnels of one IPsec connection cannot use the same tunnel CIDR block. |
TunnelIpsecConfig syntax
"TunnelIpsecConfig": {
"IpsecAuthAlg": String,
"IpsecLifetime": Integer,
"IpsecEncAlg": String,
"IpsecPfs": String
}

TunnelIpsecConfig properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| IpsecAuthAlg | String | No | No | The authentication algorithm used in phase 2 negotiation. | Valid values: md5, sha1, sha256, sha384, sha512. Default value: sha1. |
| IpsecLifetime | Integer | No | No | The lifetime of the SA negotiated in phase 2. | Unit: seconds. Valid values: 0 to 86400. Default value: 86400. |
| IpsecEncAlg | String | No | No | The encryption algorithm used in phase 2 negotiation. | Valid values: aes, aes192, aes256, des, or 3des. Default value: aes. |
| IpsecPfs | String | No | No | The Diffie-Hellman key exchange algorithm used in phase 2 negotiation. | Valid values: disabled, group1, group2, group5, group14. Default value: group2. |
HealthCheckConfig syntax
"HealthCheckConfig": {
"Policy": String,
"Enable": Boolean,
"Dip": String,
"Retry": Integer,
"Sip": String,
"Interval": Integer
}

HealthCheckConfig properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| Policy | String | No | Yes | Specifies whether to withdraw advertised routes when the health check fails. | Valid values: |
| Enable | Boolean | No | Yes | Specifies whether to enable health checks. | Valid values: |
| Dip | String | No | Yes | The destination IP address of the health check. | Enter an IP address in the on-premises data center that the VPC can reach through the IPsec connection. |
| Retry | Integer | No | Yes | The number of retries for health check probes. | Default value: 3. |
| Sip | String | No | Yes | The source IP address of the health check. | Enter an IP address on the VPC side that the on-premises data center can reach through the IPsec connection. |
| Interval | Integer | No | Yes | The interval between health check retries. | Unit: seconds. Default value: 3. |
IkeConfig syntax
"IkeConfig": {
"IkeAuthAlg": String,
"LocalId": String,
"IkeEncAlg": String,
"IkeVersion": String,
"IkeMode": String,
"IkeLifetime": Integer,
"RemoteId": String,
"Psk": String,
"IkePfs": String
}

IkeConfig properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| IkeAuthAlg | String | No | Yes | The authentication algorithm used in phase 1 negotiation. | Valid values: |
| LocalId | String | No | Yes | The identifier of the Alibaba Cloud side of the IPsec connection. | Up to 100 characters. Default value: empty. |
| IkeEncAlg | String | No | Yes | The encryption algorithm used in phase 1 negotiation. | Valid values: |
| IkeVersion | String | No | Yes | The version of the IKE protocol. | Valid values: |
| IkeMode | String | No | Yes | The negotiation mode. | Valid values: |
| IkeLifetime | Integer | No | Yes | The lifetime of the SA negotiated in phase 1. | Unit: seconds. Valid values: 0 to 86400. Default value: 86400. |
| RemoteId | String | No | Yes | The identifier of the on-premises data center side of the IPsec connection. | Up to 100 characters. Default value: the IP address of the customer gateway. |
| Psk | String | No | Yes | The pre-shared key, used for identity authentication between the VPN gateway and the on-premises data center. | Limits: Note: The pre-shared key on the IPsec connection side must match the authentication key on the on-premises data center side; otherwise, no connection can be established between the data center and the VPN gateway. |
| IkePfs | String | No | Yes | The Diffie-Hellman key exchange algorithm used in phase 1 negotiation. | Valid values: |
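The constraints in the tables above can be checked before a stack is created. The following Python validator is an added example, not part of the ROS documentation or of ROS itself; it assumes the resource's Properties have already been resolved to literal values (no Ref or Fn:: intrinsics), and the set of algorithms it flags as legacy is this example's own review policy, since the page lists those values as allowed.

```python
import ipaddress

# Constraints from the BgpConfig / TunnelBgpConfig tables; LEGACY_ALGS is this
# example's own review policy (the page lists these as allowed values).
TUNNEL_RANGE = ipaddress.ip_network("169.254.0.0/16")
RESERVED_TUNNEL_CIDRS = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.6.0/30", "169.254.169.252/30")}
LEGACY_ALGS = {"des", "3des", "md5", "sha1", "group1", "group2"}
ALG_KEYS = ("IkeEncAlg", "IkeAuthAlg", "IkePfs", "IpsecEncAlg", "IpsecAuthAlg", "IpsecPfs")


def check_tunnel_bgp(prefix, cfg, findings, reserved=True):
    # TunnelCidr: a /30 inside 169.254.0.0/16, not a reserved block (tunnels only);
    # LocalBgpIp: an address inside TunnelCidr.
    cidr_s = cfg.get("TunnelCidr", "")
    try:
        cidr = ipaddress.ip_network(cidr_s, strict=True)
    except ValueError:
        findings.append(f"{prefix}.TunnelCidr: '{cidr_s}' is not a valid CIDR block")
        return
    if cidr.version != 4 or cidr.prefixlen != 30 or not cidr.subnet_of(TUNNEL_RANGE):
        findings.append(f"{prefix}.TunnelCidr: {cidr} must be a /30 inside {TUNNEL_RANGE}")
    if reserved and cidr in RESERVED_TUNNEL_CIDRS:
        findings.append(f"{prefix}.TunnelCidr: {cidr} is a reserved block")
    ip_s = cfg.get("LocalBgpIp")
    if ip_s and ipaddress.ip_address(ip_s) not in cidr:
        findings.append(f"{prefix}.LocalBgpIp: {ip_s} is not inside TunnelCidr {cidr}")


def check_crypto(prefix, cfg, findings):
    # Ike*/Ipsec* tables: SA lifetimes 0-86400 s; legacy algorithms per the policy above.
    for key in ("IkeLifetime", "IpsecLifetime"):
        if key in cfg and not 0 <= int(cfg[key]) <= 86400:
            findings.append(f"{prefix}.{key}: {cfg[key]} is outside 0..86400 seconds")
    for key in ALG_KEYS:
        if cfg.get(key) in LEGACY_ALGS:
            findings.append(f"{prefix}.{key}: '{cfg[key]}' is legacy; prefer aes256/sha256/group14")


def validate_vpn_attachment(props):
    # Returns the findings for a VpnAttachment Properties map; an empty list passes.
    findings = []
    if props.get("BgpConfig", {}).get("EnableBgp"):
        check_tunnel_bgp("BgpConfig", props["BgpConfig"], findings, reserved=False)
    for key in ("IkeConfig", "IpsecConfig"):
        check_crypto(key, props.get(key, {}), findings)
    seen = {}  # TunnelCidr -> TunnelIndex: the two tunnels of one connection may not share a CIDR
    for tunnel in props.get("TunnelOptionsSpecification", []):
        prefix = f"TunnelOptionsSpecification[{tunnel.get('TunnelIndex', '?')}]"
        tb = tunnel.get("TunnelBgpConfig")
        if props.get("EnableTunnelsBgp") and tb is None:
            findings.append(f"{prefix}: TunnelBgpConfig is required when EnableTunnelsBgp is true")
        if tb:
            check_tunnel_bgp(f"{prefix}.TunnelBgpConfig", tb, findings)
            cidr = tb.get("TunnelCidr")
            if cidr in seen:
                findings.append(f"{prefix}: TunnelCidr {cidr} is also used by tunnel {seen[cidr]}")
            elif cidr:
                seen[cidr] = tunnel.get("TunnelIndex", "?")
        for key in ("TunnelIkeConfig", "TunnelIpsecConfig"):
            check_crypto(f"{prefix}.{key}", tunnel.get(key, {}), findings)
    return findings


# Constructed sample (not from the page): a dual-tunnel attachment with deliberate mistakes.
SAMPLE_PROPERTIES = {
    "EnableTunnelsBgp": True,
    "TunnelOptionsSpecification": [
        {"TunnelIndex": 1,
         "TunnelBgpConfig": {"LocalAsn": 65000, "TunnelCidr": "169.254.10.0/30", "LocalBgpIp": "169.254.10.1"},
         "TunnelIkeConfig": {"IkeEncAlg": "aes256", "IkeAuthAlg": "sha256", "IkePfs": "group14"},
         "TunnelIpsecConfig": {"IpsecEncAlg": "aes256", "IpsecAuthAlg": "sha256", "IpsecPfs": "group14"}},
        {"TunnelIndex": 2,  # reuses tunnel 1's CIDR, BGP IP outside it, legacy algorithms, bad lifetime
         "TunnelBgpConfig": {"LocalAsn": 65000, "TunnelCidr": "169.254.10.0/30", "LocalBgpIp": "169.254.11.1"},
         "TunnelIkeConfig": {"IkeEncAlg": "3des", "IkeAuthAlg": "sha1", "IkeLifetime": 90000},
         "TunnelIpsecConfig": {"IpsecEncAlg": "aes", "IpsecAuthAlg": "sha256", "IpsecPfs": "group2"}},
    ],
}

if __name__ == "__main__":
    print(*validate_vpn_attachment(SAMPLE_PROPERTIES), sep="\n")
```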
Return values
Fn::GetAtt
InternetIp: the gateway IP address of the IPsec connection.
VpnAttachmentId: the ID of the IPsec connection.
PeerVpnAttachmentConfig: the configuration of the IPsec connection.

Example

YAML format:
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  AutoConfigRoute:
    Description:
      en: "Specifies whether to automatically configure routes. Valid values:\ntrue\
        \ (default) \nfalse"
    Type: Boolean
  BgpConfig:
    AssociationPropertyMetadata:
      Parameters:
        EnableBgp:
          Description:
            en: "Specifies whether to enable the BGP feature for the tunnel. \nValid\
              \ values: true and false. Default value: false."
          Type: Boolean
        LocalAsn:
          Description:
            en: 'the ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295.
              Default value: 45104.'
          MaxValue: 4294967295
          MinValue: 1
          Type: Number
        LocalBgpIp:
          Description:
            en: "the BGP IP address on the Alibaba Cloud side. \nThis IP address must\
              \ fall within the CIDR block of the IPsec tunnel."
          Type: String
        TunnelCidr:
          Description:
            en: the CIDR block of the IPsec tunnel. The CIDR block must fall within
              169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in
              length.
          Type: String
    Description:
      en: "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required\
        \ when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP,\
        \ we recommend that you learn about how BGP works and its limits. For more\
        \ information, see VPN Gateway supports BGP dynamic routing.\nWe recommend\
        \ that you use a private ASN to establish a connection with Alibaba Cloud\
        \ over BGP. \nRefer to the relevant documentation for the private ASN range."
    Type: Json
  CustomerGatewayId:
    Description:
      en: The ID of the user gateway.
    Type: String
  EffectImmediately:
    Default: false
    Description:
      en: 'Whether to delete the currently negotiated IPsec tunnel and re-initiate
        the negotiation. Value:

        True: Negotiate immediately after the configuration is complete.

        False (default): Negotiate when traffic enters.'
    Type: Boolean
  EnableDpd:
    Description:
      en: "Specifies whether to enable the dead peer detection (DPD) feature. Valid\
        \ values: \ntrue (default) The initiator of the IPsec-VPN connection sends\
        \ DPD packets to verify the existence and availability of the peer. If no\
        \ response is received from the peer within a specified period of time, the\
        \ connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel\
        \ is also deleted. \nfalse: disables DPD. The IPsec initiator does not send\
        \ DPD packets."
    Type: Boolean
  EnableNatTraversal:
    Description:
      en: "Specifies whether to enable NAT traversal. Valid values: \ntrue (default)\
        \ After NAT traversal is enabled, the initiator does not check the UDP ports\
        \ during IKE negotiations and can automatically discover NAT gateway devices\
        \ along the VPN tunnel. \nfalse"
    Type: Boolean
  HealthCheckConfig:
    AssociationPropertyMetadata:
      Parameters:
        Dip:
          Type: String
        Enable:
          Type: Boolean
        Interval:
          Type: Number
        Policy:
          Description:
            en: Whether to revoke published routes when the health check fails.
          Type: String
        Retry:
          Type: Number
        Sip:
          Type: String
    Description:
      en: Whether to enable the health check configuration.
    Type: Json
  IkeConfig:
    AssociationPropertyMetadata:
      Parameters:
        IkeAuthAlg:
          AllowedValues:
          - md5
          - sha1
          - sha256
          - sha384
          - sha512
          - sm3
          Description:
            en: "The authentication algorithm negotiated in the first phase. \nIf\
              \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
              \ and the default value is md5.\nIf the VPN gateway instance type is\
              \ national secret type, The value is sm3 (default value)."
          Type: String
        IkeEncAlg:
          AllowedValues:
          - aes
          - aes192
          - aes256
          - des
          - 3des
          - sm4
          Description:
            en: "The encryption algorithm negotiated in the first phase. \nIf\
              \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
              \ and the default value is aes.\nIf the VPN gateway instance type is\
              \ national secret type, The value is sm4 (default value)."
          Type: String
        IkeLifetime:
          Default: 86400
          Description:
            en: The life cycle of the SA negotiated in the first phase. The value
              ranges from 0 to 86400, in seconds. The default value is 86400.
          MaxValue: 86400
          MinValue: 0
          Type: Number
        IkeMode:
          AllowedValues:
          - main
          - aggressive
          Default: main
          Description:
            en: 'Negotiation mode for IKE V1. Value: main|aggressive, default: main.'
          Type: String
        IkePfs:
          AllowedValues:
          - group1
          - group2
          - group5
          - group14
          - group24
          Default: group2
          Description:
            en: 'Diffie-Hellman key exchange algorithm used in the first phase negotiation.
              Value: group1|group2|group5|group14|group24, default value: group2.'
          Type: String
        IkeVersion:
          AllowedValues:
          - ikev1
          - ikev2
          Default: ikev1
          Description:
            en: 'The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1.'
          Type: String
        LocalId:
          Description:
            en: ID of the VPN gateway. The length is limited to 100 characters. The
              default value is the public IP address of the VPN gateway.
          MaxLength: 100
          Type: String
        Psk:
          Description:
            en: Used for identity authentication between the IPsec VPN gateway and
              the user gateway. It is generated randomly by default, or you can specify
              the key manually. The length is limited to 100 characters.
          MaxLength: 100
          Type: String
        RemoteId:
          Description:
            en: ID of the user gateway. The length is limited to 100 characters. The
              default value is the public IP address of the user gateway.
          MaxLength: 100
          Type: String
    Description:
      en: Configuration information for the first phase of negotiation.
    Type: Json
  IpsecConfig:
    AssociationPropertyMetadata:
      Parameters:
        IpsecAuthAlg:
          AllowedValues:
          - md5
          - sha1
          - sha256
          - sha384
          - sha512
          - sm3
          Description:
            en: "The authentication algorithm negotiated in the second phase. \nIf\
              \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
              \ and the default value is md5.\nIf the VPN gateway instance type is\
              \ national secret type, The value is sm3 (default value)."
          Type: String
        IpsecEncAlg:
          AllowedValues:
          - aes
          - aes192
          - aes256
          - des
          - 3des
          - sm4
          Description:
            en: "The encryption algorithm negotiated in the second phase. \nIf\
              \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
              \ and the default value is aes.\nIf the VPN gateway instance type is\
              \ national secret type, The value is sm4 (default value)."
          Type: String
        IpsecLifetime:
          Default: 86400
          Description:
            en: 'IpsecLifetime: The life cycle of the SA negotiated in the second
              phase. The value ranges from 0 to 86400, in seconds. The default value
              is 86400.'
          MaxValue: 86400
          MinValue: 0
          Type: Number
        IpsecPfs:
          AllowedValues:
          - disabled
          - group1
          - group2
          - group5
          - group14
          - group24
          Default: group2
          Description:
            en: 'The Diffie-Hellman key exchange algorithm used in the second phase
              negotiation. Value: disabled|group1|group2|group5|group14|group24, default
              value: group2.'
          Type: String
    Description:
      en: Configuration information for the second phase negotiation.
    Type: Json
  LocalSubnet:
    Description:
      en: 'A network segment on the VPC side that needs to be interconnected with
        the local IDC for the second phase negotiation.

        Multiple network segments are separated by commas, for example: 192.168.1.0/24,
        192.168.2.0/24.'
    Type: String
  Name:
    Description:
      en: 'The name of the IPsec connection.

        The length is 2-128 characters and must start with a letter or Chinese. It
        can contain numbers, periods (.), underscores (_) and dashes (-), but cannot
        start with http:// or https:// .'
    MaxLength: 128
    MinLength: 2
    Type: String
  NetworkType:
    AllowedValues:
    - public
    - private
    Description:
      en: 'The network type of the IPsec connection. Value: public|private.'
    Type: String
  RemoteCaCert:
    Description:
      en: "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish\
        \ the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway\
        \ is used to establish the IPsec-VPN connection. \nYou can ignore this parameter\
        \ when a standard VPN gateway is used to create the IPsec-VPN connection."
    Type: String
  RemoteSubnet:
    Description:
      en: 'The network segment of the local IDC is used for the second phase negotiation.

        Multiple network segments are separated by commas, for example: 192.168.3.0/24,
        192.168.4.0/24.'
    Type: String
Resources:
  VpnAttachment:
    Properties:
      AutoConfigRoute:
        Ref: AutoConfigRoute
      BgpConfig:
        Ref: BgpConfig
      CustomerGatewayId:
        Ref: CustomerGatewayId
      EffectImmediately:
        Ref: EffectImmediately
      EnableDpd:
        Ref: EnableDpd
      EnableNatTraversal:
        Ref: EnableNatTraversal
      HealthCheckConfig:
        Ref: HealthCheckConfig
      IkeConfig:
        Ref: IkeConfig
      IpsecConfig:
        Ref: IpsecConfig
      LocalSubnet:
        Ref: LocalSubnet
      Name:
        Ref: Name
      NetworkType:
        Ref: NetworkType
      RemoteCaCert:
        Ref: RemoteCaCert
      RemoteSubnet:
        Ref: RemoteSubnet
    Type: ALIYUN::VPC::VpnAttachment
Outputs:
  InternetIp:
    Description: The gateway IP address of the IPsec connection.
    Value:
      Fn::GetAtt:
      - VpnAttachment
      - InternetIp
  PeerVpnAttachmentConfig:
    Description: The peer VPN attachment configuration.
    Value:
      Fn::GetAtt:
      - VpnAttachment
      - PeerVpnAttachmentConfig
  VpnAttachmentId:
    Description: ID of the IPsec attachment.
    Value:
      Fn::GetAtt:
      - VpnAttachment
      - VpnAttachmentId

JSON format:
{
"ROSTemplateFormatVersion": "2015-09-01",
"Parameters": {
"LocalSubnet": {
"Type": "String",
"Description": {
"en": "A network segment on the VPC side that needs to be interconnected with the local IDC for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.1.0/24, 192.168.2.0/24."
}
},
"CustomerGatewayId": {
"Type": "String",
"Description": {
"en": "The ID of the user gateway."
}
},
"AutoConfigRoute": {
"Type": "Boolean",
"Description": {
"en": "Specifies whether to automatically configure routes. Valid values:\ntrue (default) \nfalse"
}
},
"Name": {
"Type": "String",
"Description": {
"en": "The name of the IPsec connection.\nThe length is 2-128 characters and must start with a letter or Chinese. It can contain numbers, periods (.), underscores (_) and dashes (-), but cannot start with http:// or https:// ."
},
"MinLength": 2,
"MaxLength": 128
},
"EffectImmediately": {
"Type": "Boolean",
"Description": {
"en": "Whether to delete the currently negotiated IPsec tunnel and re-initiate the negotiation. Value:\nTrue: Negotiate immediately after the configuration is complete.\nFalse (default): Negotiate when traffic enters."
},
"Default": false
},
"BgpConfig": {
"AssociationPropertyMetadata": {
"Parameters": {
"EnableBgp": {
"Type": "Boolean",
"Description": {
"en": "Specifies whether to enable the BGP feature for the tunnel. \nValid values: true and false. Default value: false."
}
},
"LocalAsn": {
"Type": "Number",
"Description": {
"en": "the ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295. Default value: 45104."
},
"MinValue": 1,
"MaxValue": 4294967295
},
"TunnelCidr": {
"Type": "String",
"Description": {
"en": "the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length."
}
},
"LocalBgpIp": {
"Type": "String",
"Description": {
"en": "the BGP IP address on the Alibaba Cloud side. \nThis IP address must fall within the CIDR block of the IPsec tunnel."
}
}
}
},
"Type": "Json",
"Description": {
"en": "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP, we recommend that you learn about how BGP works and its limits. For more information, see VPN Gateway supports BGP dynamic routing.\nWe recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. \nRefer to the relevant documentation for the private ASN range."
}
},
"RemoteSubnet": {
"Type": "String",
"Description": {
"en": "The network segment of the local IDC is used for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.3.0/24, 192.168.4.0/24."
}
},
"RemoteCaCert": {
"Type": "String",
"Description": {
"en": "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway is used to establish the IPsec-VPN connection. \nYou can ignore this parameter when a standard VPN gateway is used to create the IPsec-VPN connection."
}
},
"IpsecConfig": {
"AssociationPropertyMetadata": {
"Parameters": {
"IpsecPfs": {
"Type": "String",
"Description": {
"en": "The Diffie-Hellman key exchange algorithm used in the second phase negotiation. Value: disabled|group1|group2|group5|group14|group24, default value: group2."
},
"AllowedValues": [
"disabled",
"group1",
"group2",
"group5",
"group14",
"group24"
],
"Default": "group2"
},
"IpsecEncAlg": {
"Type": "String",
"Description": {
"en": "The encryption algorithm negotiated in the second phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway instance type is national secret type, The value is sm4 (default value)."
},
"AllowedValues": [
"aes",
"aes192",
"aes256",
"des",
"3des",
"sm4"
]
},
"IpsecAuthAlg": {
"Type": "String",
"Description": {
"en": "The authentication algorithm negotiated in the second phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway instance type is national secret type, The value is sm3 (default value)."
},
"AllowedValues": [
"md5",
"sha1",
"sha256",
"sha384",
"sha512",
"sm3"
]
},
"IpsecLifetime": {
"Type": "Number",
"Description": {
"en": "IpsecLifetime: The life cycle of the SA negotiated in the second phase. The value ranges from 0 to 86400, in seconds. The default value is 86400."
},
"MinValue": 0,
"MaxValue": 86400,
"Default": 86400
}
}
},
"Type": "Json",
"Description": {
"en": "Configuration information for the second phase negotiation."
}
},
"NetworkType": {
"Type": "String",
"Description": {
"en": "The network type of the IPsec connection. Value: public|private."
},
"AllowedValues": [
"public",
"private"
]
},
"HealthCheckConfig": {
"AssociationPropertyMetadata": {
"Parameters": {
"Policy": {
"Type": "String",
"Description": {
"en": "Whether to revoke published routes when the health check fails."
}
},
"Enable": {
"Type": "Boolean"
},
"Dip": {
"Type": "String"
},
"Retry": {
"Type": "Number"
},
"Sip": {
"Type": "String"
},
"Interval": {
"Type": "Number"
}
}
},
"Type": "Json",
"Description": {
"en": "Whether to enable the health check configuration."
}
},
"EnableNatTraversal": {
"Type": "Boolean",
"Description": {
"en": "Specifies whether to enable NAT traversal. Valid values: \ntrue (default) After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel. \nfalse"
}
},
"IkeConfig": {
"AssociationPropertyMetadata": {
"Parameters": {
"IkeAuthAlg": {
"Type": "String",
"Description": {
"en": "The authentication algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway instance type is national secret type, The value is sm3 (default value)."
},
"AllowedValues": [
"md5",
"sha1",
"sha256",
"sha384",
"sha512",
"sm3"
]
},
"LocalId": {
"Type": "String",
"Description": {
"en": "ID of the VPN gateway. The length is limited to 100 characters. The default value is the public IP address of the VPN gateway."
},
"MaxLength": 100
},
"IkeEncAlg": {
"Type": "String",
"Description": {
"en": "The encryption algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway instance type is national secret type, The value is sm4 (default value)."
},
"AllowedValues": [
"aes",
"aes192",
"aes256",
"des",
"3des",
"sm4"
]
},
"IkeVersion": {
"Type": "String",
"Description": {
"en": "The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1."
},
"AllowedValues": [
"ikev1",
"ikev2"
],
"Default": "ikev1"
},
"IkeMode": {
"Type": "String",
"Description": {
"en": "Negotiation mode for IKE V1. Value: main|aggressive, default: main."
},
"AllowedValues": [
"main",
"aggressive"
],
"Default": "main"
},
"IkeLifetime": {
"Type": "Number",
"Description": {
"en": "The life cycle of the SA negotiated in the first phase. The value ranges from 0 to 86400, in seconds. The default value is 86400."
},
"MinValue": 0,
"MaxValue": 86400,
"Default": 86400
},
"RemoteId": {
"Type": "String",
"Description": {
"en": "ID of the user gateway. The length is limited to 100 characters. The default value is the public IP address of the user gateway."
},
"MaxLength": 100
},
"Psk": {
"Type": "String",
"Description": {
"en": "Used for identity authentication between the IPsec VPN gateway and the user gateway. It is generated randomly by default, or you can specify the key manually. The length is limited to 100 characters."
},
"MaxLength": 100
},
"IkePfs": {
"Type": "String",
"Description": {
"en": "Diffie-Hellman key exchange algorithm used in the first phase negotiation. Value: group1|group2|group5|group14|group24, default value: group2."
},
"AllowedValues": [
"group1",
"group2",
"group5",
"group14",
"group24"
],
"Default": "group2"
}
}
},
"Type": "Json",
"Description": {
"en": "Configuration information for the first phase of negotiation."
}
},
"EnableDpd": {
"Type": "Boolean",
"Description": {
"en": "Specifies whether to enable the dead peer detection (DPD) feature. Valid values: \ntrue (default) The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel is also deleted. \nfalse: disables DPD. The IPsec initiator does not send DPD packets."
}
}
},
"Resources": {
"VpnAttachment": {
"Type": "ALIYUN::VPC::VpnAttachment",
"Properties": {
"LocalSubnet": {
"Ref": "LocalSubnet"
},
"CustomerGatewayId": {
"Ref": "CustomerGatewayId"
},
"AutoConfigRoute": {
"Ref": "AutoConfigRoute"
},
"Name": {
"Ref": "Name"
},
"EffectImmediately": {
"Ref": "EffectImmediately"
},
"BgpConfig": {
"Ref": "BgpConfig"
},
"RemoteSubnet": {
"Ref": "RemoteSubnet"
},
"RemoteCaCert": {
"Ref": "RemoteCaCert"
},
"IpsecConfig": {
"Ref": "IpsecConfig"
},
"NetworkType": {
"Ref": "NetworkType"
},
"HealthCheckConfig": {
"Ref": "HealthCheckConfig"
},
"EnableNatTraversal": {
"Ref": "EnableNatTraversal"
},
"IkeConfig": {
"Ref": "IkeConfig"
},
"EnableDpd": {
"Ref": "EnableDpd"
}
}
}
},
"Outputs": {
"InternetIp": {
"Description": "The gateway IP address of the IPsec connection.",
"Value": {
"Fn::GetAtt": [
"VpnAttachment",
"InternetIp"
]
}
},
"VpnAttachmentId": {
"Description": "ID of the IPsec attachment.",
"Value": {
"Fn::GetAtt": [
"VpnAttachment",
"VpnAttachmentId"
]
}
},
"PeerVpnAttachmentConfig": {
"Description": "The peer VPN attachment configuration.",
"Value": {
"Fn::GetAtt": [
"VpnAttachment",
"PeerVpnAttachmentConfig"
]
}
}
}
}