
ALIYUN::VPC::VpnAttachment


The ALIYUN::VPC::VpnAttachment type creates an IPsec-VPN connection that is attached to a transit router instance.

Syntax

{
  "Type": "ALIYUN::VPC::VpnAttachment",
  "Properties": {
    "LocalSubnet": String,
    "CustomerGatewayId": String,
    "AutoConfigRoute": Boolean,
    "Name": String,
    "EffectImmediately": Boolean,
    "BgpConfig": Map,
    "RemoteSubnet": String,
    "RemoteCaCert": String,
    "IpsecConfig": Map,
    "NetworkType": String,
    "HealthCheckConfig": Map,
    "EnableNatTraversal": Boolean,
    "IkeConfig": Map,
    "EnableDpd": Boolean
  }
}

Properties

Property name | Type | Required | Updatable | Description | Constraints

LocalSubnet (String)
The CIDR blocks on the VPC side that must communicate with the on-premises data center; used in phase 2 negotiation.
Separate multiple CIDR blocks with commas (,), for example 192.168.1.0/24,192.168.2.0/24.
Routing mode of the IPsec-VPN connection:

  • If both LocalSubnet and RemoteSubnet are set to 0.0.0.0/0, the connection uses destination routing mode.

  • If both LocalSubnet and RemoteSubnet are set to specific CIDR blocks, the connection uses interesting-traffic (policy-based) mode.

Example: 10.1.1.0/24,10.1.2.0/24

CustomerGatewayId (String)
The ID of the customer gateway.

AutoConfigRoute (Boolean)
Specifies whether routes are configured automatically. Valid values:

  • true (default): routes are configured automatically.

  • false: routes are not configured automatically.

Name (String)
The name of the IPsec-VPN connection.

EffectImmediately (Boolean)
Specifies whether the configuration of the IPsec-VPN connection takes effect immediately. Valid values:

  • true: the system starts IPsec negotiation as soon as the configuration is complete.

  • false (default): the system starts IPsec negotiation only when traffic enters the tunnel.

BgpConfig (Map)
The BGP configuration. For more information, see the BgpConfig properties below.
Note: before you add a BGP configuration, we recommend that you understand how BGP dynamic routing works and what its limits are. For more information, see "VPN Gateway supports BGP dynamic routing".
We recommend that you use a private ASN to establish the BGP session with Alibaba Cloud. Refer to the relevant documentation for the private ASN range.
Example:

{"EnableBgp":"true","LocalAsn":"45104","TunnelCidr":"169.254.11.0/30","LocalBgpIp":"169.254.11.1"}

RemoteSubnet (String)
The CIDR blocks on the on-premises data center side that must communicate with the VPC; used in phase 2 negotiation.
Separate multiple CIDR blocks with commas (,), for example 192.168.3.0/24,192.168.4.0/24.
Routing mode of the IPsec-VPN connection:

  • If both LocalSubnet and RemoteSubnet are set to 0.0.0.0/0, the connection uses destination routing mode.

  • If both LocalSubnet and RemoteSubnet are set to specific CIDR blocks, the connection uses interesting-traffic (policy-based) mode.

Example: 10.1.3.0/24,10.1.4.0/24

RemoteCaCert (String)
The CA certificate of the peer, used when the IPsec-VPN connection is created on an SM (ShangMi) VPN gateway. Not needed for a standard VPN gateway.
Example:

-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----

IpsecConfig (Map)
The phase 2 negotiation configuration. For more information, see the IpsecConfig properties below.
Example:

{"IpsecEncAlg":"aes","IpsecAuthAlg":"sha1","IpsecPfs":"group2","IpsecLifetime":86400}

NetworkType (String)
The network type of the IPsec-VPN connection. Valid values:

  • public (default): the encrypted tunnel is established over the Internet.

  • private: the encrypted tunnel is established over a private network.

HealthCheckConfig (Map)
The health check configuration. For more information, see the HealthCheckConfig properties below.
Example:

{"enable":"true","dip":"192.168.1.1","sip":"10.1.1.1","interval":"3","retry":"3","Policy": "revoke_route"}

EnableNatTraversal (Boolean)
Specifies whether NAT traversal is enabled. Valid values:

  • true (default): NAT traversal is enabled. IKE negotiation then skips verification of the UDP port numbers and can discover NAT devices along the VPN tunnel.

  • false: NAT traversal is disabled.

IkeConfig (Map)
The phase 1 negotiation configuration. For more information, see the IkeConfig properties below.

EnableDpd (Boolean)
Specifies whether dead peer detection (DPD) is enabled. Valid values:

  • true (default): DPD is enabled. The IPsec initiator sends DPD packets to check whether the peer is alive. If no valid response arrives within the configured time, the peer is considered down: IPsec deletes the ISAKMP SA and the corresponding IPsec SAs, and the tunnel is torn down.

  • false: DPD is disabled; the IPsec initiator does not send DPD packets.

BgpConfig syntax

"BgpConfig": {
  "EnableBgp": Boolean,
  "LocalAsn": Number,
  "TunnelCidr": String,
  "LocalBgpIp": String
}

BgpConfig properties

Property name | Type | Required | Updatable | Description | Constraints

EnableBgp (Boolean)
Specifies whether BGP is enabled. Valid values:

  • true: BGP is enabled.

  • false (default): BGP is disabled.

LocalAsn (Number)
The autonomous system number (ASN) on the Alibaba Cloud side.
Valid values: 1 to 4294967295. Default: 45104.

TunnelCidr (String)
The CIDR block of the IPsec tunnel.
The block must have a 30-bit subnet mask (/30) and fall within 169.254.0.0/16.

LocalBgpIp (String)
The BGP IP address on the Alibaba Cloud side.
The address must fall within the IPsec tunnel CIDR block.

IpsecConfig syntax

"IpsecConfig": {
  "IpsecPfs": String,
  "IpsecEncAlg": String,
  "IpsecAuthAlg": String,
  "IpsecLifetime": Integer
}

IpsecConfig properties

Property name | Type | Required | Updatable | Description | Constraints

IpsecPfs (String)
The Diffie-Hellman group used for perfect forward secrecy in phase 2 negotiation. Valid values:

  • disabled

  • group1

  • group2 (default)

  • group5

  • group14

  • group24

IpsecEncAlg (String)
The encryption algorithm used in phase 2 negotiation. Valid values on a standard VPN gateway:

  • aes (default)

  • aes192

  • aes256

  • des

  • 3des

On an SM-type VPN gateway the value is sm4 (default).

IpsecAuthAlg (String)
The authentication (integrity) algorithm used in phase 2 negotiation. Valid values on a standard VPN gateway:

  • md5 (default)

  • sha1

  • sha256

  • sha384

  • sha512

On an SM-type VPN gateway the value is sm3 (default).

IpsecLifetime (Integer)
The lifetime of the SA negotiated in phase 2.
Unit: seconds. Valid values: 0 to 86400. Default: 86400.

HealthCheckConfig syntax

"HealthCheckConfig": {
  "Policy": String,
  "Enable": Boolean,
  "Dip": String,
  "Retry": Integer,
  "Sip": String,
  "Interval": Integer
}

HealthCheckConfig properties

Property name | Type | Required | Updatable | Description | Constraints

Policy (String)
Specifies whether advertised routes are withdrawn when the health check fails. Valid values:

  • revoke_route (default): withdraw the advertised routes.

  • reserve_route: keep the advertised routes.

Enable (Boolean)
Specifies whether health checks are enabled. Valid values:

  • true: health checks are enabled.

  • false (default): health checks are disabled.

Dip (String)
The destination IP address of the health check.
Enter an IP address in the on-premises data center that the VPC can reach through the IPsec-VPN connection.

Retry (Integer)
The number of health check retransmissions.
Default: 3.

Sip (String)
The source IP address of the health check.
Enter an IP address on the VPC side that the on-premises data center can reach through the IPsec-VPN connection.

Interval (Integer)
The interval between health check retries.
Unit: seconds. Default: 3.
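The constraints stated above for LocalSubnet/RemoteSubnet (routing mode), BgpConfig (ASN range, a /30 tunnel inside 169.254.0.0/16, LocalBgpIp inside that tunnel) and HealthCheckConfig can be checked before a stack is deployed rather than discovered as a failed negotiation. The following Python script is an added example, not Alibaba Cloud or ROS code. It encodes those rules, supplies the RFC 6996 private-ASN ranges that the page only points the reader to, and adds one rule of its own that the page does not state: in interesting-traffic mode the health-check Sip is expected inside LocalSubnet and Dip inside RemoteSubnet, since only those addresses are carried by the tunnel. Run against the page's own example values it reports that LocalAsn 45104 is not a private ASN and that Dip 192.168.1.1 lies outside the RemoteSubnet example.

```python
"""Pre-deployment checks for the addressing properties of an
ALIYUN::VPC::VpnAttachment (LocalSubnet/RemoteSubnet, BgpConfig,
HealthCheckConfig). Added example, not Alibaba Cloud code.
"""
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Private ASN ranges from RFC 6996 (added here; the page only says
# "refer to the relevant documentation" for the range).
PRIVATE_ASN = ((64512, 65534), (4200000000, 4294967294))


def parse_subnets(value):
    """Split the comma-separated CIDR list used by LocalSubnet and RemoteSubnet.
    strict=True rejects entries such as 10.1.1.5/24 that have host bits set."""
    return [ipaddress.ip_network(part.strip(), strict=True)
            for part in value.split(",") if part.strip()]


def route_mode(local_subnet, remote_subnet):
    """Apply the page's rule: 0.0.0.0/0 on both sides is destination routing
    mode, concrete CIDRs on both sides is interesting-traffic mode. A mixed
    configuration is not defined on the page and is rejected here."""
    local, remote = parse_subnets(local_subnet), parse_subnets(remote_subnet)
    if not local or not remote:
        raise ValueError("LocalSubnet and RemoteSubnet each need at least one CIDR")
    local_any, remote_any = local == [ANY_V4], remote == [ANY_V4]
    if local_any and remote_any:
        return "destination"
    if not local_any and not remote_any:
        return "interesting_traffic"
    raise ValueError("0.0.0.0/0 must be used on both sides or on neither")


def check_bgp_config(cfg):
    """Validate BgpConfig. Findings are prefixed ERROR: (violates a constraint
    stated on the page) or WARN: (violates the page's private-ASN advice)."""
    findings = []
    if not cfg or str(cfg.get("EnableBgp", "false")).lower() != "true":
        return findings
    asn = int(cfg["LocalAsn"])
    if not 1 <= asn <= 4294967295:
        findings.append(f"ERROR: LocalAsn {asn} outside 1..4294967295")
    elif not any(lo <= asn <= hi for lo, hi in PRIVATE_ASN):
        findings.append(f"WARN: LocalAsn {asn} is not a private ASN")
    tunnel = ipaddress.ip_network(cfg["TunnelCidr"], strict=True)
    if tunnel.prefixlen != 30 or not tunnel.subnet_of(LINK_LOCAL):
        findings.append(f"ERROR: TunnelCidr {tunnel} must be a /30 inside {LINK_LOCAL}")
    bgp_ip = ipaddress.ip_address(cfg["LocalBgpIp"])
    if bgp_ip not in list(tunnel.hosts()):  # excludes network and broadcast of the /30
        findings.append(f"ERROR: LocalBgpIp {bgp_ip} is not a host address in {tunnel}")
    return findings


def check_health_check(cfg, local_subnet, remote_subnet):
    """Validate HealthCheckConfig. Keys are matched case-insensitively because
    the page shows both "Dip" and "dip". The Sip/Dip-in-subnet rule applied in
    interesting-traffic mode is this example's assumption, not a page rule."""
    findings = []
    c = {k.lower(): v for k, v in (cfg or {}).items()}
    if str(c.get("enable", "false")).lower() != "true":
        return findings
    if c.get("policy", "revoke_route") not in ("revoke_route", "reserve_route"):
        findings.append(f"ERROR: Policy {c['policy']} is not revoke_route|reserve_route")
    for key in ("interval", "retry"):
        if int(c.get(key, 3)) <= 0:
            findings.append(f"ERROR: {key} must be a positive integer")
    if route_mode(local_subnet, remote_subnet) == "interesting_traffic":
        sip, dip = ipaddress.ip_address(c["sip"]), ipaddress.ip_address(c["dip"])
        if not any(sip in n for n in parse_subnets(local_subnet)):
            findings.append(f"WARN: Sip {sip} is not inside LocalSubnet")
        if not any(dip in n for n in parse_subnets(remote_subnet)):
            findings.append(f"WARN: Dip {dip} is not inside RemoteSubnet")
    return findings
```

Feed it the Properties of a template before `ros-cfn` or the console submits the stack; an ERROR finding corresponds to a value the page documents as invalid, a WARN to a value that will deploy but is likely a mistake.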

IkeConfig syntax

"IkeConfig": {
  "IkeAuthAlg": String,
  "LocalId": String,
  "IkeEncAlg": String,
  "IkeVersion": String,
  "IkeMode": String,
  "IkeLifetime": Integer,
  "RemoteId": String,
  "Psk": String,
  "IkePfs": String
}

IkeConfig properties

Property name | Type | Required | Updatable | Description | Constraints

IkeAuthAlg (String)
The authentication (integrity) algorithm used in phase 1 negotiation. Valid values on a standard VPN gateway:

  • md5 (default)

  • sha1

  • sha256

  • sha384

  • sha512

On an SM-type VPN gateway the value is sm3 (default).

LocalId (String)
The identifier of the Alibaba Cloud side of the IPsec-VPN connection.
At most 100 characters. Default: empty.

IkeEncAlg (String)
The encryption algorithm used in phase 1 negotiation. Valid values on a standard VPN gateway:

  • aes (default)

  • aes192

  • aes256

  • des

  • 3des

On an SM-type VPN gateway the value is sm4 (default).

IkeVersion (String)
The version of the IKE protocol. Valid values:

  • ikev1 (default)

  • ikev2

IkeMode (String)
The negotiation mode (applies to IKEv1). Valid values:

  • main (default)

  • aggressive

IkeLifetime (Integer)
The lifetime of the SA negotiated in phase 1.
Unit: seconds. Valid values: 0 to 86400. Default: 86400.

RemoteId (String)
The identifier of the on-premises data center side of the IPsec-VPN connection.
At most 100 characters. Default: the IP address of the customer gateway.

Psk (String)
The pre-shared key used to authenticate the VPN gateway and the on-premises data center to each other.
Limits:

  • The key is 1 to 100 characters long and may contain digits, uppercase and lowercase letters, and the following characters: ~!`@#$%^&*()_-+={}[]|;:',.<>/?

  • If you do not specify a pre-shared key, the system generates a random 16-character string. You can call DescribeVpnConnection (query the details of an existing IPsec-VPN connection) to retrieve the generated key.

Note: the pre-shared key on the IPsec-VPN connection must match the key configured on the on-premises device; otherwise the on-premises data center and the VPN gateway cannot establish the tunnel.

IkePfs (String)
The Diffie-Hellman group used in phase 1 negotiation. Valid values:

  • group1

  • group2 (default)

  • group5

  • group14

  • group24
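On a standard gateway every documented default above is the weakest option in its list: IKEv1, md5 for both IkeAuthAlg and IpsecAuthAlg, group2 for both PFS groups, with des and 3des accepted as encryption algorithms. A template that omits IkeConfig and IpsecConfig therefore gets all of them. The following Python lint is an added example, not Alibaba Cloud or ROS code: it merges a template's IkeConfig and IpsecConfig over the page's documented defaults, rejects values outside the documented lists, and flags settings that this example's own policy treats as weak (ikev2, aes256, sha256 and group14 are the values it steers toward; sm3 and sm4 for SM-type gateways are accepted and not judged). It also applies the Psk rules stated above and generates a 32-character key from the allowed alphabet, longer than the 16-character key the service generates when Psk is omitted.

```python
"""Crypto-policy lint for the IkeConfig, IpsecConfig and Psk settings of an
ALIYUN::VPC::VpnAttachment. Added example, not Alibaba Cloud code. The
allowed values and defaults are the page's; the WEAK_* sets are this
example's policy, not an Alibaba Cloud requirement.
"""
import secrets
import string

# Documented defaults for a standard (non-SM) gateway.
IKE_DEFAULTS = {"IkeVersion": "ikev1", "IkeMode": "main", "IkeEncAlg": "aes",
                "IkeAuthAlg": "md5", "IkePfs": "group2", "IkeLifetime": 86400}
IPSEC_DEFAULTS = {"IpsecEncAlg": "aes", "IpsecAuthAlg": "md5",
                  "IpsecPfs": "group2", "IpsecLifetime": 86400}

# Documented value lists (sm3/sm4 are the SM-gateway values).
ALLOWED = {
    "IkeVersion": {"ikev1", "ikev2"}, "IkeMode": {"main", "aggressive"},
    "IkeEncAlg": {"aes", "aes192", "aes256", "des", "3des", "sm4"},
    "IkeAuthAlg": {"md5", "sha1", "sha256", "sha384", "sha512", "sm3"},
    "IkePfs": {"group1", "group2", "group5", "group14", "group24"},
    "IpsecEncAlg": {"aes", "aes192", "aes256", "des", "3des", "sm4"},
    "IpsecAuthAlg": {"md5", "sha1", "sha256", "sha384", "sha512", "sm3"},
    "IpsecPfs": {"disabled", "group1", "group2", "group5", "group14", "group24"},
}

# This example's policy: what to flag as weak.
WEAK_ENC = {"des", "3des"}
WEAK_AUTH = {"md5", "sha1"}
WEAK_DH = {"disabled", "group1", "group2", "group5"}

# Character set the page allows for Psk.
PSK_ALLOWED = set(string.ascii_letters + string.digits + "~!`@#$%^&*()_-+={}[]|;:',.<>/?")


def lint_crypto(ike_config=None, ipsec_config=None):
    """Merge the template's settings over the documented defaults and return
    findings prefixed ERROR: (not an allowed value) or WEAK: (policy)."""
    cfg = {**IKE_DEFAULTS, **IPSEC_DEFAULTS, **(ike_config or {}), **(ipsec_config or {})}
    findings = []
    for key, allowed in ALLOWED.items():
        if cfg[key] not in allowed:
            findings.append(f"ERROR: {key} {cfg[key]} is not an allowed value")
    for key in ("IkeLifetime", "IpsecLifetime"):
        if not 0 <= int(cfg[key]) <= 86400:
            findings.append(f"ERROR: {key} {cfg[key]} is outside 0..86400")
    if cfg["IkeVersion"] == "ikev1":
        findings.append("WEAK: IkeVersion ikev1; prefer ikev2")
        if cfg["IkeMode"] == "aggressive":
            # IKEv1 aggressive mode sends the identity unencrypted and its
            # PSK-keyed hash can be brute-forced offline by a passive observer.
            findings.append("WEAK: IkeMode aggressive exposes the identity and the PSK hash")
    for key in ("IkeEncAlg", "IpsecEncAlg"):
        if cfg[key] in WEAK_ENC:
            findings.append(f"WEAK: {key} {cfg[key]}; use aes256")
    for key in ("IkeAuthAlg", "IpsecAuthAlg"):
        if cfg[key] in WEAK_AUTH:
            findings.append(f"WEAK: {key} {cfg[key]}; use sha256 or stronger")
    for key in ("IkePfs", "IpsecPfs"):
        if cfg[key] in WEAK_DH:
            findings.append(f"WEAK: {key} {cfg[key]}; use group14 or group24")
    return findings


def check_psk(psk):
    """Apply the page's Psk rules: 1 to 100 characters from the allowed set."""
    return 1 <= len(psk) <= 100 and all(ch in PSK_ALLOWED for ch in psk)


def generate_psk(length=32):
    """Generate a random PSK from letters and digits (a subset of the allowed
    set that survives copy-paste into most on-premises device CLIs)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Calling lint_crypto() with no arguments shows what an omitted IkeConfig/IpsecConfig actually deploys: five WEAK findings (ikev1, md5 twice, group2 twice). The same key must be configured on the on-premises device, so generate the PSK once, store it in a secrets manager, and pass it to the template as a parameter rather than leaving Psk unset and reading the service-generated key back out of DescribeVpnConnection.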

Return values

Fn::GetAtt

  • InternetIp: the gateway IP address of the IPsec-VPN connection.

  • VpnAttachmentId: the ID of the IPsec-VPN connection.

  • PeerVpnAttachmentConfig: the peer-side configuration of the IPsec-VPN connection.

Examples

  • YAML format

    ROSTemplateFormatVersion: '2015-09-01'
    Parameters:
      AutoConfigRoute:
        Description:
          en: "Specifies whether to automatically configure routes. Valid values:\ntrue\
            \ (default) \nfalse"
        Type: Boolean
      BgpConfig:
        AssociationPropertyMetadata:
          Parameters:
            EnableBgp:
              Description:
                en: "Specifies whether to enable the BGP feature for the tunnel. \nValid\
                  \ values: true and false. Default value: false."
              Type: Boolean
            LocalAsn:
              Description:
                en: 'the ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295.
                  Default value: 45104.'
              MaxValue: 4294967295
              MinValue: 1
              Type: Number
            LocalBgpIp:
              Description:
                en: "the BGP IP address on the Alibaba Cloud side. \nThis IP address must\
                  \ fall within the CIDR block of the IPsec tunnel."
              Type: String
            TunnelCidr:
              Description:
                en: the CIDR block of the IPsec tunnel. The CIDR block must fall within
                  169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in
                  length.
              Type: String
        Description:
          en: "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required\
            \ when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP,\
            \ we recommend that you learn about how BGP works and its limits. For more\
            \ information, see VPN Gateway supports BGP dynamic routing.\nWe recommend\
            \ that you use a private ASN to establish a connection with Alibaba Cloud\
            \ over BGP. \nRefer to the relevant documentation for the private ASN range."
        Type: Json
      CustomerGatewayId:
        Description:
          en: The ID of the user gateway.
        Type: String
      EffectImmediately:
        Default: false
        Description:
          en: 'Whether to delete the currently negotiated IPsec tunnel and re-initiate
            the negotiation. Value:
    
            True: Negotiate immediately after the configuration is complete.
    
            False (default): Negotiate when traffic enters.'
        Type: Boolean
      EnableDpd:
        Description:
          en: "Specifies whether to enable the dead peer detection (DPD) feature. Valid\
            \ values: \ntrue (default) The initiator of the IPsec-VPN connection sends\
            \ DPD packets to verify the existence and availability of the peer. If no\
            \ response is received from the peer within a specified period of time, the\
            \ connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel\
            \ is also deleted. \nfalse: disables DPD. The IPsec initiator does not send\
            \ DPD packets."
        Type: Boolean
      EnableNatTraversal:
        Description:
          en: "Specifies whether to enable NAT traversal. Valid values: \ntrue (default)\
            \ After NAT traversal is enabled, the initiator does not check the UDP ports\
            \ during IKE negotiations and can automatically discover NAT gateway devices\
            \ along the VPN tunnel. \nfalse"
        Type: Boolean
      HealthCheckConfig:
        AssociationPropertyMetadata:
          Parameters:
            Dip:
              Type: String
            Enable:
              Type: Boolean
            Interval:
              Type: Number
            Policy:
              Description:
                en: Whether to revoke published routes when the health check fails.
              Type: String
            Retry:
              Type: Number
            Sip:
              Type: String
        Description:
          en: Whether to enable the health check configuration.
        Type: Json
      IkeConfig:
        AssociationPropertyMetadata:
          Parameters:
            IkeAuthAlg:
              AllowedValues:
              - md5
              - sha1
              - sha256
              - sha384
              - sha512
              - sm3
              Description:
                en: "The authentication algorithm negotiated in the first phase. \nIf\
                  \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
                  \ and the default value is md5.\nIf the VPN gateway instance type is\
                  \ national secret type, The value is sm3 (default value)."
              Type: String
            IkeEncAlg:
              AllowedValues:
              - aes
              - aes192
              - aes256
              - des
              - 3des
              - sm4
              Description:
                en: "The encryption algorithm negotiated in the first phase. \nIf\
                  \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
                  \ and the default value is aes.\nIf the VPN gateway instance type is\
                  \ national secret type, The value is sm4 (default value)."
              Type: String
            IkeLifetime:
              Default: 86400
              Description:
                en: The life cycle of the SA negotiated in the first phase. The value
                  ranges from 0 to 86400, in seconds. The default value is 86400.
              MaxValue: 86400
              MinValue: 0
              Type: Number
            IkeMode:
              AllowedValues:
              - main
              - aggressive
              Default: main
              Description:
                en: 'Negotiation mode for IKE V1. Value: main|aggressive, default: main.'
              Type: String
            IkePfs:
              AllowedValues:
              - group1
              - group2
              - group5
              - group14
              - group24
              Default: group2
              Description:
                en: 'Diffie-Hellman key exchange algorithm used in the first phase negotiation.
                  Value: group1|group2|group5|group14|group24, default value: group2.'
              Type: String
            IkeVersion:
              AllowedValues:
              - ikev1
              - ikev2
              Default: ikev1
              Description:
                en: 'The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1.'
              Type: String
            LocalId:
              Description:
                en: ID of the VPN gateway. The length is limited to 100 characters. The
                  default value is the public IP address of the VPN gateway.
              MaxLength: 100
              Type: String
            Psk:
              Description:
                en: Used for identity authentication between the IPsec VPN gateway and
                  the user gateway. It is generated randomly by default, or you can specify
                  the key manually. The length is limited to 100 characters.
              MaxLength: 100
              Type: String
            RemoteId:
              Description:
                en: ID of the user gateway. The length is limited to 100 characters. The
                  default value is the public IP address of the user gateway.
              MaxLength: 100
              Type: String
        Description:
          en: Configuration information for the first phase of negotiation.
        Type: Json
      IpsecConfig:
        AssociationPropertyMetadata:
          Parameters:
            IpsecAuthAlg:
              AllowedValues:
              - md5
              - sha1
              - sha256
              - sha384
              - sha512
              - sm3
              Description:
                en: "The authentication algorithm negotiated in the second phase. \nIf\
                  \ the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512,\
                  \ and the default value is md5.\nIf the VPN gateway instance type is\
                  \ national secret type, The value is sm3 (default value)."
              Type: String
            IpsecEncAlg:
              AllowedValues:
              - aes
              - aes192
              - aes256
              - des
              - 3des
              - sm4
              Description:
                en: "The encryption algorithm negotiated in the second phase. \nIf\
                  \ the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des,\
                  \ and the default value is aes.\nIf the VPN gateway instance type is\
                  \ national secret type, The value is sm4 (default value)."
              Type: String
            IpsecLifetime:
              Default: 86400
              Description:
                en: 'IpsecLifetime: The life cycle of the SA negotiated in the second
                  phase. The value ranges from 0 to 86400, in seconds. The default value
                  is 86400.'
              MaxValue: 86400
              MinValue: 0
              Type: Number
            IpsecPfs:
              AllowedValues:
              - disabled
              - group1
              - group2
              - group5
              - group14
              - group24
              Default: group2
              Description:
                en: 'The Diffie-Hellman key exchange algorithm used in the second phase
                  negotiation (perfect forward secrecy). Value: disabled|group1|group2|group5|group14|group24,
                  default value: group2.'
              Type: String
        Description:
          en: Configuration information for the second phase negotiation.
        Type: Json
      LocalSubnet:
        Description:
          en: 'A network segment on the VPC side that needs to be interconnected with
            the local IDC for the second phase negotiation.
    
            Multiple network segments are separated by commas, for example: 192.168.1.0/24,
            192.168.2.0/24.'
        Type: String
      Name:
        Description:
          en: 'The name of the IPsec connection.
    
            The length is 2-128 characters and must start with a letter or Chinese. It
            can contain numbers, periods (.), underscores (_) and dashes (-), but cannot
            start with http:// or https:// .'
        MaxLength: 128
        MinLength: 2
        Type: String
      NetworkType:
        AllowedValues:
        - public
        - private
        Description:
          en: 'The network type of the IPsec connection. Value: public|private.'
        Type: String
      RemoteCaCert:
        Description:
          en: "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish\
            \ the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway\
            \ is used to establish the IPsec-VPN connection. \nYou can ignore this parameter\
            \ when a standard VPN gateway is used to create the IPsec-VPN connection."
        Type: String
      RemoteSubnet:
        Description:
          en: 'The network segment of the local IDC is used for the second phase negotiation.
    
            Multiple network segments are separated by commas, for example: 192.168.3.0/24,
            192.168.4.0/24.'
        Type: String
    Resources:
      VpnAttachment:
        Properties:
          AutoConfigRoute:
            Ref: AutoConfigRoute
          BgpConfig:
            Ref: BgpConfig
          CustomerGatewayId:
            Ref: CustomerGatewayId
          EffectImmediately:
            Ref: EffectImmediately
          EnableDpd:
            Ref: EnableDpd
          EnableNatTraversal:
            Ref: EnableNatTraversal
          HealthCheckConfig:
            Ref: HealthCheckConfig
          IkeConfig:
            Ref: IkeConfig
          IpsecConfig:
            Ref: IpsecConfig
          LocalSubnet:
            Ref: LocalSubnet
          Name:
            Ref: Name
          NetworkType:
            Ref: NetworkType
          RemoteCaCert:
            Ref: RemoteCaCert
          RemoteSubnet:
            Ref: RemoteSubnet
        Type: ALIYUN::VPC::VpnAttachment
    Outputs:
      InternetIp:
        Description: The gateway IP address of the IPsec connection.
        Value:
          Fn::GetAtt:
          - VpnAttachment
          - InternetIp
      PeerVpnAttachmentConfig:
        Description: Peer vpc Attachment config.
        Value:
          Fn::GetAtt:
          - VpnAttachment
          - PeerVpnAttachmentConfig
      VpnAttachmentId:
        Description: ID of the IPsec attachment.
        Value:
          Fn::GetAtt:
          - VpnAttachment
          - VpnAttachmentId
                            
  • JSON format

    {
      "ROSTemplateFormatVersion": "2015-09-01",
      "Parameters": {
        "LocalSubnet": {
          "Type": "String",
          "Description": {
            "en": "A network segment on the VPC side that needs to be interconnected with the local IDC for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.1.0/24, 192.168.2.0/24."
          }
        },
        "CustomerGatewayId": {
          "Type": "String",
          "Description": {
            "en": "The ID of the user gateway."
          }
        },
        "AutoConfigRoute": {
          "Type": "Boolean",
          "Description": {
            "en": "Specifies whether to automatically configure routes. Valid values:\ntrue (default) \nfalse"
          }
        },
        "Name": {
          "Type": "String",
          "Description": {
            "en": "The name of the IPsec connection.\nThe length is 2-128 characters and must start with a letter or Chinese. It can contain numbers, periods (.), underscores (_) and dashes (-), but cannot start with http:// or https:// ."
          },
          "MinLength": 2,
          "MaxLength": 128
        },
        "EffectImmediately": {
          "Type": "Boolean",
          "Description": {
            "en": "Whether to delete the currently negotiated IPsec tunnel and re-initiate the negotiation. Value:\nTrue: Negotiate immediately after the configuration is complete.\nFalse (default): Negotiate when traffic enters."
          },
          "Default": false
        },
        "BgpConfig": {
          "AssociationPropertyMetadata": {
            "Parameters": {
              "EnableBgp": {
                "Type": "Boolean",
                "Description": {
                  "en": "Specifies whether to enable the BGP feature for the tunnel. \nValid values: true and false. Default value: false."
                }
              },
              "LocalAsn": {
                "Type": "Number",
                "Description": {
                  "en": "the ASN on the Alibaba Cloud side. Valid values: 1 to 4294967295. Default value: 45104."
                },
                "MinValue": 1,
                "MaxValue": 4294967295
              },
              "TunnelCidr": {
                "Type": "String",
                "Description": {
                  "en": "the CIDR block of the IPsec tunnel. The CIDR block must fall within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length."
                }
              },
              "LocalBgpIp": {
                "Type": "String",
                "Description": {
                  "en": "the BGP IP address on the Alibaba Cloud side. \nThis IP address must fall within the CIDR block of the IPsec tunnel."
                }
              }
            }
          },
          "Type": "Json",
          "Description": {
            "en": "The Border Gateway Protocol (BGP) configuration.\nThis parameter is required when the VPN gateway has dynamic BGP enabled.\nBefore you configure BGP, we recommend that you learn about how BGP works and its limits. For more information, see VPN Gateway supports BGP dynamic routing.\nWe recommend that you use a private ASN to establish a connection with Alibaba Cloud over BGP. \nRefer to the relevant documentation for the private ASN range."
          }
        },
        "RemoteSubnet": {
          "Type": "String",
          "Description": {
            "en": "The network segment of the local IDC is used for the second phase negotiation.\nMultiple network segments are separated by commas, for example: 192.168.3.0/24, 192.168.4.0/24."
          }
        },
        "RemoteCaCert": {
          "Type": "String",
          "Description": {
            "en": "The peer CA certificate when a ShangMi (SM) VPN gateway is used to establish the IPsec-VPN connection. \nThis parameter is required when an SM VPN gateway is used to establish the IPsec-VPN connection. \nYou can ignore this parameter when a standard VPN gateway is used to create the IPsec-VPN connection."
          }
        },
        "IpsecConfig": {
          "AssociationPropertyMetadata": {
            "Parameters": {
              "IpsecPfs": {
                "Type": "String",
                "Description": {
                  "en": "The Diffie-Hellman key exchange algorithm used in the second phase negotiation (perfect forward secrecy). Value: disabled|group1|group2|group5|group14|group24, default value: group2."
                },
                "AllowedValues": [
                  "disabled",
                  "group1",
                  "group2",
                  "group5",
                  "group14",
                  "group24"
                ],
                "Default": "group2"
              },
              "IpsecEncAlg": {
                "Type": "String",
                "Description": {
                  "en": "The encryption algorithm negotiated in the second phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway instance type is national secret type, the value is sm4 (default value)."
                },
                "AllowedValues": [
                  "aes",
                  "aes192",
                  "aes256",
                  "des",
                  "3des",
                  "sm4"
                ]
              },
              "IpsecAuthAlg": {
                "Type": "String",
                "Description": {
                  "en": "The authentication algorithm negotiated in the second phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway instance type is national secret type, the value is sm3 (default value)."
                },
                "AllowedValues": [
                  "md5",
                  "sha1",
                  "sha256",
                  "sha384",
                  "sha512",
                  "sm3"
                ]
              },
              "IpsecLifetime": {
                "Type": "Number",
                "Description": {
                  "en": "IpsecLifetime: The life cycle of the SA negotiated in the second phase. The value ranges from 0 to 86400, in seconds. The default value is 86400."
                },
                "MinValue": 0,
                "MaxValue": 86400,
                "Default": 86400
              }
            }
          },
          "Type": "Json",
          "Description": {
            "en": "Configuration information for the second phase negotiation."
          }
        },
        "NetworkType": {
          "Type": "String",
          "Description": {
            "en": "The network type of the IPsec connection. Value: public|private."
          },
          "AllowedValues": [
            "public",
            "private"
          ]
        },
        "HealthCheckConfig": {
          "AssociationPropertyMetadata": {
            "Parameters": {
              "Policy": {
                "Type": "String",
                "Description": {
                  "en": "Whether to revoke published routes when the health check fails."
                }
              },
              "Enable": {
                "Type": "Boolean"
              },
              "Dip": {
                "Type": "String"
              },
              "Retry": {
                "Type": "Number"
              },
              "Sip": {
                "Type": "String"
              },
              "Interval": {
                "Type": "Number"
              }
            }
          },
          "Type": "Json",
          "Description": {
            "en": "Whether to enable the health check configuration."
          }
        },
        "EnableNatTraversal": {
          "Type": "Boolean",
          "Description": {
            "en": "Specifies whether to enable NAT traversal. Valid values: \ntrue (default) After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel. \nfalse"
          }
        },
        "IkeConfig": {
          "AssociationPropertyMetadata": {
            "Parameters": {
              "IkeAuthAlg": {
                "Type": "String",
                "Description": {
                  "en": "The authentication algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is md5|sha1|sha256|sha384|sha512, and the default value is md5.\nIf the VPN gateway instance type is national secret type, The value is sm3 (default value)."
                },
                "AllowedValues": [
                  "md5",
                  "sha1",
                  "sha256",
                  "sha384",
                  "sha512",
                  "sm3"
                ]
              },
              "LocalId": {
                "Type": "String",
                "Description": {
                  "en": "ID of the VPN gateway. The length is limited to 100 characters. The default value is the public IP address of the VPN gateway."
                },
                "MaxLength": 100
              },
              "IkeEncAlg": {
                "Type": "String",
                "Description": {
                  "en": "The encryption algorithm negotiated in the first phase. \nIf the VPN gateway instance type is normal, the value is aes|aes192|aes256|des|3des, and the default value is aes.\nIf the VPN gateway instance type is national secret type, the value is sm4 (default value)."
                },
                "AllowedValues": [
                  "aes",
                  "aes192",
                  "aes256",
                  "des",
                  "3des",
                  "sm4"
                ]
              },
              "IkeVersion": {
                "Type": "String",
                "Description": {
                  "en": "The version of the IKE protocol. Value: ikev1|ikev2, default: ikev1."
                },
                "AllowedValues": [
                  "ikev1",
                  "ikev2"
                ],
                "Default": "ikev1"
              },
              "IkeMode": {
                "Type": "String",
                "Description": {
                  "en": "Negotiation mode for IKE V1. Value: main|aggressive, default: main."
                },
                "AllowedValues": [
                  "main",
                  "aggressive"
                ],
                "Default": "main"
              },
              "IkeLifetime": {
                "Type": "Number",
                "Description": {
                  "en": "The life cycle of the SA negotiated in the first phase. The value ranges from 0 to 86400, in seconds. The default value is 86400."
                },
                "MinValue": 0,
                "MaxValue": 86400,
                "Default": 86400
              },
              "RemoteId": {
                "Type": "String",
                "Description": {
                  "en": "ID of the user gateway. The length is limited to 100 characters. The default value is the public IP address of the user gateway."
                },
                "MaxLength": 100
              },
              "Psk": {
                "Type": "String",
                "Description": {
                  "en": "Used for identity authentication between the IPsec VPN gateway and the user gateway. It is generated randomly by default, or you can specify the key manually. The length is limited to 100 characters."
                },
                "MaxLength": 100
              },
              "IkePfs": {
                "Type": "String",
                "Description": {
                  "en": "Diffie-Hellman key exchange algorithm used in the first phase negotiation. Value: group1|group2|group5|group14|group24, default value: group2."
                },
                "AllowedValues": [
                  "group1",
                  "group2",
                  "group5",
                  "group14",
                  "group24"
                ],
                "Default": "group2"
              }
            }
          },
          "Type": "Json",
          "Description": {
            "en": "Configuration information for the first phase of negotiation."
          }
        },
        "EnableDpd": {
          "Type": "Boolean",
          "Description": {
            "en": "Specifies whether to enable the dead peer detection (DPD) feature. Valid values: \ntrue (default) The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. ISAKMP SAs and IPsec SAs are deleted. The IPsec tunnel is also deleted. \nfalse: disables DPD. The IPsec initiator does not send DPD packets."
          }
        }
      },
      "Resources": {
        "VpnAttachment": {
          "Type": "ALIYUN::VPC::VpnAttachment",
          "Properties": {
            "LocalSubnet": {
              "Ref": "LocalSubnet"
            },
            "CustomerGatewayId": {
              "Ref": "CustomerGatewayId"
            },
            "AutoConfigRoute": {
              "Ref": "AutoConfigRoute"
            },
            "Name": {
              "Ref": "Name"
            },
            "EffectImmediately": {
              "Ref": "EffectImmediately"
            },
            "BgpConfig": {
              "Ref": "BgpConfig"
            },
            "RemoteSubnet": {
              "Ref": "RemoteSubnet"
            },
            "RemoteCaCert": {
              "Ref": "RemoteCaCert"
            },
            "IpsecConfig": {
              "Ref": "IpsecConfig"
            },
            "NetworkType": {
              "Ref": "NetworkType"
            },
            "HealthCheckConfig": {
              "Ref": "HealthCheckConfig"
            },
            "EnableNatTraversal": {
              "Ref": "EnableNatTraversal"
            },
            "IkeConfig": {
              "Ref": "IkeConfig"
            },
            "EnableDpd": {
              "Ref": "EnableDpd"
            }
          }
        }
      },
      "Outputs": {
        "InternetIp": {
          "Description": "The gateway IP address of the IPsec connection.",
          "Value": {
            "Fn::GetAtt": [
              "VpnAttachment",
              "InternetIp"
            ]
          }
        },
        "VpnAttachmentId": {
          "Description": "ID of the IPsec attachment.",
          "Value": {
            "Fn::GetAtt": [
              "VpnAttachment",
              "VpnAttachmentId"
            ]
          }
        },
        "PeerVpnAttachmentConfig": {
          "Description": "Peer vpc Attachment config.",
          "Value": {
            "Fn::GetAtt": [
              "VpnAttachment",
              "PeerVpnAttachmentConfig"
            ]
          }
        }
      }
    }
                            