Updated on 2024-08-23 GMT+08:00

Updating a VPN Connection

Function

This API is used to update a VPN connection with a specified connection ID.

Calling Method

For details, see Calling APIs.

URI

PUT /v5/{project_id}/vpn-connection/{vpn_connection_id}

Table 1 Parameter description

Parameter

Type

Mandatory

Description

project_id

String

Yes

Specifies a project ID. You can obtain the project ID by referring to Obtaining the Project ID.

vpn_connection_id

String

Yes

Specifies a VPN connection ID.

Request

  • Request parameters
    Table 2 Request parameters

    Parameter

    Type

    Mandatory

    Description

    vpn_connection

    UpdateVpnConnectionRequestBodyContent object

    Yes

    Specifies the VPN connection object.

    Table 3 UpdateVpnConnectionRequestBodyContent

    Parameter

    Type

    Mandatory

    Description

    name

    String

    No

    • Specifies the status of a VPN connection.
    • The value is a string of 1 to 64 characters, which can contain digits, letters, underscores (_), hyphens (-), and periods (.).

    cgw_id

    String

    No

    • Specifies a customer gateway ID.
    • The value is a UUID containing 36 characters.

    peer_subnets

    Array of String

    No

    • Specifies a customer subnet.
    • Constraints:

      This parameter is not required when the association mode of the VPN gateway is set to er and style is set to policy or bgp. This parameter is mandatory in other scenarios.

      Reserved VPC CIDR blocks such as 100.64.0.0/10 and 214.0.0.0/8 cannot be used as customer subnets.

      A maximum of 50 customer subnets can be configured for each VPN connection.

    tunnel_local_address

    String

    No

    • Specifies the tunnel interface address configured on the VPN gateway in route-based mode, for example, 169.254.76.1/30.
    • Constraints:

      The first 16 bits must be 169.254, and the value cannot be 169.254.195.xxx.

      The mask length must be 30, and the address must be in the same CIDR block as the value of tunnel_peer_address.

      The address needs to be a host address in a CIDR block.

    tunnel_peer_address

    String

    No

    • Specifies the tunnel interface address configured on the customer gateway device in route-based mode, for example, 169.254.76.1/30.
    • Constraints:

      The first 16 bits must be 169.254, and the value cannot be 169.254.195.xxx.

      The mask length must be 30, and the address must be in the same CIDR block as the value of tunnel_local_address.

      The address needs to be a host address in a CIDR block.

    psk

    String

    No

    • Specifies a pre-shared key. When the IKE version is v2 and only this parameter is modified, the modification does not take effect.

      This parameter cannot be updated when flavor is set to GM for the VPN gateway.

    • The value is a string of 8 to 128 characters, which must contain at least three types of the following: uppercase letters, lowercase letters, digits, and special characters (~!@#$%^()-_+={ },./:;).

    policy_rules

    Array of PolicyRule objects

    No

    • Specifies policy rules.
    • A maximum of five policy rules can be specified. Set this parameter only when style is set to policy.

    You can obtain the style value of a VPN connection by querying the VPN connection.

    ikepolicy

    UpdateIkePolicy object

    No

    Specifies the IKE policy object.

    ipsecpolicy

    UpdateIpsecPolicy object

    No

    Specifies the IPsec policy object.

    Table 4 PolicyRule

    Parameter

    Type

    Mandatory

    Description

    rule_index

    Integer

    No

    • Specifies a rule ID, which is used to identify the sequence in which the rule is configured. You are advised not to set this parameter.
    • The value ranges from 0 to 50.
    • The value of rule_index in each policy rule must be unique. The value of rule_index in ResponseVpnConnection may be different from the value of this parameter. This is because if multiple destination CIDR blocks are specified, the VPN service generates a rule for each destination CIDR block.

    source

    String

    No

    • Specifies a source CIDR block.
    • The value of source in each policy rule must be unique.

    destination

    Array of String

    No

    • Specifies a destination CIDR block.

      For example, a destination CIDR block can be 192.168.52.0/24.

    • A maximum of 50 destination CIDR blocks can be configured in each policy rule.
    Table 5 UpdateIkePolicy

    Parameter

    Type

    Mandatory

    Description

    ike_version

    String

    No

    • Specifies the IKE version.
    • Value range:
      • When flavor is set to GM for the VPN gateway, the value can only be v1.
      • In other scenarios, the value can be v1 or v2.
    • Default value:
      • When flavor is set to GM for the VPN gateway, the default value is v1.
      • In other scenarios, the default value is v2.

    phase1_negotiation_mode

    String

    No

    • Specifies the negotiation mode.
    • Value range:

      When flavor is set to GM for the VPN gateway, the value can only be main.

      In other scenarios, the value can be main or aggressive.

      main: ensures high security during negotiation.

      aggressive: ensures fast negotiation and a high negotiation success rate.

    • This parameter takes effect only for IKEv1.

    authentication_algorithm

    String

    No

    • Specifies an authentication algorithm. The modification of this field takes effect only after SAs in phase 1 are aged.
    • Value range:
      • When flavor is set to GM for the VPN gateway, the value can only be sm3.
      • In other scenarios, the value can be sha2-512, sha2-384, sha2-256, sha1, or md5.

      Exercise caution when using sha1 and md5 as they have low security.

    encryption_algorithm

    String

    No

    • Specifies an encryption algorithm. The modification of this field takes effect only after SAs in phase 1 are aged.
    • Value range:

      When flavor is set to GM for the VPN gateway, the value can only be sm4.

      In other scenarios, the value can be aes-256-gcm-16, aes-128-gcm-16, aes-256, aes-192, aes-128, or 3des.

      Exercise caution when using 3des as it has low security.

    dh_group

    String

    No

    • Specifies the DH group used for key exchange in phase 1. The modification of this field takes effect only after SAs in phase 1 are aged.

      This parameter cannot be modified when flavor is set to GM for the VPN gateway.

    • The value can be group1, group2, group5, group14, group15, group16, group19, group20, or group21.

      Exercise caution when using group1, group2, group5, or group14 as they have low security.

    lifetime_seconds

    Integer

    No

    • Specifies the SA lifetime. When the lifetime expires, an IKE SA is automatically updated. The modification of this field takes effect only after SAs in phase 1 are aged.
    • The value ranges from 60 to 604800, in seconds.

    local_id_type

    String

    No

    • Specifies the local ID type.

      This parameter cannot be modified when flavor is set to GM for the VPN gateway.

    • Value range:
      • ip
      • fqdn

    local_id

    String

    No

    • Specifies the local ID.

      This parameter cannot be modified when flavor is set to GM for the VPN gateway.

    • The value can contain a maximum of 255 case-sensitive characters, including letters, digits, and special characters (excluding & < > [ ] \). Spaces are not supported. Set this parameter when local_id_type is set to fqdn. The value must be the same as that of peer_id on the peer device.

    peer_id_type

    String

    No

    • Specifies the peer ID type.

      This parameter cannot be modified when flavor is set to GM for the VPN gateway.

    • Value range:
      • ip
      • fqdn

    peer_id

    String

    No

    • Specifies the peer ID.

      This parameter cannot be modified when flavor is set to GM for the VPN gateway.

    • The value can contain a maximum of 255 case-sensitive characters, including letters, digits, and special characters (excluding & < > [ ] \). Spaces are not supported. Set this parameter when peer_id_type is set to fqdn. The value must be the same as that of local_id on the peer device.

    dpd

    UpdateDpd object

    No

    Specifies the DPD object.

    Table 6 UpdateDpd

    Parameter

    Type

    Mandatory

    Description

    timeout

    Integer

    No

    • Specifies the interval for retransmitting DPD packets.
    • The value ranges from 2 to 60, in seconds. The default value is 15.

    interval

    Integer

    No

    • Specifies the DPD idle timeout period.
    • The value ranges from 10 to 3600, in seconds. The default value is 30.

    msg

    String

    No

    • Specifies the format of DPD packets.
    • Value range:

      seq-hash-notify: indicates that the payload of DPD packets is in the sequence of hash-notify.

      seq-notify-hash: indicates that the payload of DPD packets is in the sequence of notify-hash.

      The default value is seq-hash-notify.

    Table 7 UpdateIpsecPolicy

    Parameter

    Type

    Mandatory

    Description

    authentication_algorithm

    String

    No

    • Specifies an authentication algorithm. Exercise caution when using SHA1 and MD5 as they have low security. The modification of this field takes effect only after SAs in phase 2 are aged.
    • Value range:

      When flavor is set to GM for the VPN gateway, the value can only be sm3.

      In other scenarios, the value can be sha2-512, sha2-384, sha2-256, sha1, or md5.

    encryption_algorithm

    String

    No

    • Specifies an encryption algorithm. Exercise caution when using 3DES as it has low security. The modification of this field takes effect only after SAs in phase 2 are aged.
    • Value range:

      When flavor is set to GM for the VPN gateway, the value can only be sm4.

      In other scenarios, the value can be aes-256-gcm-16, aes-128-gcm-16, aes-256, aes-192, aes-128, or 3des.

    pfs

    String

    No

    • Specifies the DH key group used by PFS.

      This parameter does not take effect and cannot be modified when flavor is set to GM for the VPN gateway.

    • The value can be group1, group2, group5, group14, group15, group16, group19, group20, group21, or disable. The default value is group15.

      Exercise caution when using group1, group2, group5, or group14 as they have low security.

    transform_protocol

    String

    No

    • Specifies the transfer protocol.
    • Value range:

      esp: encapsulating security payload protocol

      The default value is esp.

    lifetime_seconds

    Integer

    No

    • Specifies the lifetime of a tunnel established over an IPsec connection. The modification of this field takes effect only after SAs in phase 2 are aged.
    • The value ranges from 30 to 604800, in seconds. The default value is 3600.

    encapsulation_mode

    String

    No

    • Specifies the packet encapsulation mode.
    • Value range:

      tunnel: encapsulates packets in tunnel mode.

      The default value is tunnel.

  • Example requests
    1. Update the customer subnet.
      PUT https://{Endpoint}/v5/{project_id}/vpn-connection/{vpn_connection_id}
      
      {
          "vpn_connection": {
              "peer_subnets": [
                  "192.168.1.0/24"
              ]
          }
      }
    2. Update a policy rule.
      PUT https://{Endpoint}/v5/{project_id}/vpn-connection/{vpn_connection_id}
      
      {
          "vpn_connection": {
              "policy_rules": [{
                  "rule_index": 1,
                  "source": "10.0.0.0/24",
                  "destination": [
                      "192.168.1.0/24"
                  ]
              }]
          }
      }
    3. Update the SA lifetime.
      PUT https://{Endpoint}/v5/{project_id}/vpn-connection/{vpn_connection_id}
      
      {
          "vpn_connection": {
              "ikepolicy": {
                  "lifetime_seconds": 3600
              },
              "ipsecpolicy": {
                  "lifetime_seconds": 3600
              }
          }
      }
    4. Update the connection name.
      PUT https://{Endpoint}/v5/{project_id}/vpn-connection/{vpn_connection_id}
      
      {
          "vpn_connection": {
              "name": "vpn_connection_name"
          }
      }

Response

  • Response parameters

    Returned status code 200: successful operation

    Table 8 Parameters in the response body

    Parameter

    Type

    Description

    vpn_connection

    ResponseVpnConnection object

    Specifies the VPN connection object.

    request_id

    String

    Specifies a request ID.

    Table 9 ResponseVpnConnection

    Parameter

    Type

    Description

    id

    String

    • Specifies a VPN connection ID.
    • The value is a UUID containing 36 characters.

    name

    String

    • Specifies a VPN connection name. If no VPN connection name is specified, the system automatically generates one.
    • The value is a string of 1 to 64 characters, which can contain digits, letters, underscores (_), and hyphens (-).

    vgw_id

    String

    • Specifies a VPN gateway ID.
    • The value is a UUID containing 36 characters.

    vgw_ip

    String

    • Specifies an EIP ID or private IP address of the VPN gateway.
    • The value is a UUID containing 36 characters or an IPv4 address in dotted decimal notation (for example, 192.168.45.7).

    style

    String

    • Specifies the connection mode.
    • Value range:

      POLICY: policy-based mode

      STATIC: static routing mode

      BGP: BGP routing mode

      POLICY-TEMPLATE: policy template mode

    cgw_id

    String

    • Specifies a customer gateway ID.
    • The value is a UUID containing 36 characters.

    peer_subnets

    Array of String

    Specifies a customer subnet. This parameter is not returned when the association mode of the VPN gateway is ER and style is BGP or POLICY.

    tunnel_local_address

    String

    Specifies the tunnel interface address configured on the VPN gateway in route-based mode. This parameter is valid only when style is STATIC or BGP.

    tunnel_peer_address

    String

    Specifies the tunnel interface address configured on the customer gateway device in route-based mode. This parameter is valid only when style is STATIC or BGP.

    enable_nqa

    Boolean

    • Specifies whether NQA is enabled. This parameter is returned only when style is STATIC.
    • The value can be true or false.

    policy_rules

    Array of PolicyRule objects

    Specifies policy rules, which are returned only when style is set to POLICY.

    ikepolicy

    IkePolicy object

    Specifies the IKE policy object.

    ipsecpolicy

    IpsecPolicy object

    Specifies the IPsec policy object.

    created_at

    String

    • Specifies the time when the VPN connection is created.
    • The UTC time format is yyyy-MM-ddTHH:mm:ss.SSSZ.

    updated_at

    String

    • Specifies the last update time.
    • The UTC time format is yyyy-MM-ddTHH:mm:ss.SSSZ.

    enterprise_project_id

    String

    • Specifies an enterprise project ID.
    • The value is a UUID containing 36 characters. The value must be the same as the enterprise project ID of the VPN gateway specified by vgw_id.

    connection_monitor_id

    String

    • Specifies the ID of a VPN connection monitor. This parameter is available only when a connection monitor is created for a VPN connection.
    • The value is a UUID containing 36 characters.

    ha_role

    String

    • For a VPN gateway in active-standby mode, master indicates the active connection, and slave indicates the standby connection. For a VPN gateway in active-active mode, the value of ha_role can only be master.
    • The default value is master.

    tags

    Array of VpnResourceTag objects

    Specifies a tag list.

    Table 10 PolicyRule

    Parameter

    Type

    Description

    rule_index

    Integer

    • Specifies a rule ID.
    • The value ranges from 0 to 50.

    source

    String

    Specifies a source CIDR block.

    destination

    Array of String

    Specifies a destination CIDR block. For example, a destination CIDR block can be 192.168.52.0/24. A maximum of 50 destination CIDR blocks can be returned for each policy rule.

    Table 11 IkePolicy

    Parameter

    Type

    Description

    ike_version

    String

    • Specifies the IKE version.
    • The value can be v1 or v2.

    phase1_negotiation_mode

    String

    • Specifies the negotiation mode. This parameter is available only when the IKE version is v1.
    • Value range:

      main: ensures high security during negotiation.

      aggressive: ensures fast negotiation and a high negotiation success rate.

    authentication_algorithm

    String

    • Specifies an authentication algorithm.
    • The value can be sm3, sha2-512, sha2-384, sha2-256, sha1, or md5.

    encryption_algorithm

    String

    • Specifies an encryption algorithm.
    • The value can be sm4, aes-256-gcm-16, aes-128-gcm-16, aes-256, aes-192, aes-128, or 3des.

    dh_group

    String

    • Specifies the DH group used for key exchange in phase 1. This parameter is not available when flavor is set to GM for the VPN gateway.
    • The value can be group1, group2, group5, group14, group15, group16, group19, group20, or group21.

    authentication_method

    String

    • Specifies the authentication method used during IKE negotiation.
    • Value range:

      pre-share: pre-shared key

      digital-envelope-v2: SM digital envelope

    lifetime_seconds

    Integer

    • Specifies the SA lifetime. When the lifetime expires, an IKE SA is automatically updated.
    • The value ranges from 60 to 604800, in seconds.

    local_id_type

    String

    • Specifies the local ID type. This parameter is not available when flavor is set to GM for the VPN gateway.
    • Value range:
      • ip
      • fqdn

    local_id

    String

    Specifies the local ID. When local_id_type is set to ip, the VPN gateway IP address corresponding to the VPN connection is returned. When local_id_type is set to fqdn, the local ID specified during VPN connection creation or update is returned.

    This parameter is not available when flavor is set to GM for the VPN gateway.

    peer_id_type

    String

    • Specifies the peer ID type. This parameter is not available when flavor is set to GM for the VPN gateway.
    • Value range:
      • ip
      • any
      • fqdn

    peer_id

    String

    Specifies the peer ID. When peer_id_type is set to ip, the IP address of the customer gateway is returned. When peer_id_type is set to fqdn, the peer ID specified during VPN connection creation or update is returned. When peer_id_type is set to any, no data is returned.

    This parameter is not available when flavor is set to GM for the VPN gateway.

    dpd

    Dpd object

    Specifies the DPD object.

    Table 12 Dpd

    Parameter

    Type

    Description

    timeout

    Integer

    • Specifies the interval for retransmitting DPD packets.
    • The value ranges from 2 to 60, in seconds.

    interval

    Integer

    • Specifies the DPD idle timeout period.
    • The value ranges from 10 to 3600, in seconds.

    msg

    String

    • Specifies the format of DPD packets.
    • Value range:

      seq-hash-notify: indicates that the payload of DPD packets is in the sequence of hash-notify.

      seq-notify-hash: indicates that the payload of DPD packets is in the sequence of notify-hash.

    Table 13 IpsecPolicy

    Parameter

    Type

    Description

    authentication_algorithm

    String

    • Specifies an authentication algorithm.
    • The value can be sm3, sha2-512, sha2-384, sha2-256, sha1, or md5.

    encryption_algorithm

    String

    • Specifies an encryption algorithm.
    • The value can be sm4, aes-256-gcm-16, aes-128-gcm-16, aes-256, aes-192, aes-128, or 3des.

    pfs

    String

    Specifies the DH key group used by PFS.

    • The value can be group1, group2, group5, group14, group15, group16, group19, group20, group21, or disable.

    transform_protocol

    String

    • Specifies the transfer protocol.
    • Value range:

      esp: encapsulating security payload protocol

    lifetime_seconds

    Integer

    • Specifies the lifetime of a tunnel established over an IPsec connection.
    • The value ranges from 30 to 604800, in seconds.

    encapsulation_mode

    String

    • Specifies the packet encapsulation mode.
    • Value range:

      tunnel: encapsulates packets in tunnel mode.

    Table 14 VpnResourceTag

    Parameter

    Type

    Description

    key

    String

    • Specifies a tag key.
    • The value is a string of 1 to 128 characters that can contain digits, letters, Spanish characters, Portuguese characters, spaces, and special characters (_ . : = + - @).

    value

    String

    • Specifies a tag value.
    • The value is a string of 0 to 255 characters that can contain digits, letters, Spanish characters, Portuguese characters, spaces, and special characters (_ . : = + - @).
  • Example responses
    1. Response to the request for updating a VPN connection
      {
          "vpn_connection": {
              "id": "98c5af8a-demo-a8df-va86-ae2280a6f4c3",
              "name": "vpn-1655",
              "vgw_id": "b32d91a4-demo-a8df-va86-e907174eb11d",
              "vgw_ip": "0c464dad-demo-a8df-va86-c22bb0eb0bde",
              "style": "POLICY",
              "cgw_id": "5247ae10-demo-a8df-va86-dd36659a7f5d",
              "peer_subnets": ["192.168.1.0/24"],
              "tunnel_local_address": "169.254.56.225/30",
              "tunnel_peer_address": "169.254.56.226/30",
              "policy_rules": [{
                  "rule_index": 1,
                  "source": "10.0.0.0/24",
                  "destination": [
                      "192.168.1.0/24"
                  ]
              }],
              "ikepolicy": {
                  "ike_version": "v2",
                  "authentication_algorithm": "sha2-256",
                  "encryption_algorithm": "aes-128",
                  "dh_group": "group15",
                  "authentication_method": "pre-share",
                  "lifetime_seconds": 86400,
                  "local_id_type": "ip",
                  "local_id": "10.***.***.134",
                  "peer_id_type": "ip",
                  "peer_id": "88.***.***.164",
                  "dpd": {
                      "timeout": 15,
                      "interval": 30,
                      "msg": "seq-hash-notify"
                  }
              },
              "ipsecpolicy": {
                  "authentication_algorithm": "sha2-256",
                  "encryption_algorithm": "aes-128",
                  "pfs": "group15",
                  "transform_protocol": "esp",
                  "lifetime_seconds": 3600,
                  "encapsulation_mode": "tunnel"
              },
              "created_at": "2022-11-26T13:41:34.626Z",
              "updated_at": "2022-11-26T13:41:34.626Z",
              "enterprise_project_id": "0",
              "ha_role": "master"
          },
          "request_id": "f91082d4-6d49-479c-ad1d-4e552a9f5cae"
      }
    2. Response returned when a frozen VPN connection fails to be updated
      {
          "error_code": "VPN.0001",
          "error_msg": "invalid request: ILLEGAL not allowed update vpnConnection",
          "request_id": "8c833634-4560-7897-7740-a7462f5bcbd4"
      }

Status Codes

For details, see Status Codes.