Updating a VPN Connection
Function
This API is used to update a VPN connection with a specified connection ID.
Calling Method
For details, see Calling APIs.
URI
PUT /v5/{project_id}/vpn-connection/{vpn_connection_id}
Parameter |
Type |
Mandatory |
Description |
---|---|---|---|
project_id |
String |
Yes |
Specifies a project ID. You can obtain the project ID by referring to Obtaining the Project ID. |
vpn_connection_id |
String |
Yes |
Specifies a VPN connection ID. |
Request
- Request parameters
Table 2 Request parameters Parameter
Type
Mandatory
Description
vpn_connection
Yes
Specifies the VPN connection object.
Table 3 UpdateVpnConnectionRequestBodyContent Parameter
Type
Mandatory
Description
name
String
No
- Specifies the name of a VPN connection.
- The value is a string of 1 to 64 characters, which can contain digits, letters, underscores (_), hyphens (-), and periods (.).
cgw_id
String
No
- Specifies a customer gateway ID.
- The value is a UUID containing 36 characters.
peer_subnets
Array of String
No
- Specifies an IPv4 customer subnet.
- Constraints:
- This parameter is not required when the IP protocol version is IPv6 or when attachment_type of the VPN gateway is set to er and style is set to policy or bgp.
- Reserved VPC CIDR blocks such as 100.64.0.0/10 and 214.0.0.0/8 cannot be used as customer subnets.
- A maximum of 50 customer subnets can be configured for each VPN connection.
peer_subnets_v6
Array of String
No
- Specifies an IPv6 customer subnet.
- Constraints:
- This parameter is not required when the IP protocol version is IPv4 or when attachment_type of the VPN gateway is set to er and style is set to policy or bgp.
- A maximum of 50 customer subnets can be configured for each VPN connection.
tunnel_local_address
String
No
- Specifies the tunnel interface address configured on the VPN gateway in route-based mode, for example, 169.254.76.1/30.
- Constraints:
The first 16 bits must be 169.254, and the value cannot be 169.254.195.xxx.
The mask length must be 30, and the address must be in the same CIDR block as the value of tunnel_peer_address.
The address needs to be a host address in a CIDR block.
tunnel_peer_address
String
No
- Specifies the tunnel interface address configured on the customer gateway device in route-based mode, for example, 169.254.76.1/30.
- Constraints:
The first 16 bits must be 169.254, and the value cannot be 169.254.195.xxx.
The mask length must be 30, and the address must be in the same CIDR block as the value of tunnel_local_address.
The address needs to be a host address in a CIDR block.
psk
String
No
- Specifies a pre-shared key. When the IKE version is v2 and only this parameter is modified, the modification does not take effect.
This parameter cannot be updated when flavor is set to GM for the VPN gateway.
- The value is a string of 8 to 128 characters, which must contain at least three types of the following: uppercase letters, lowercase letters, digits, and special characters (~!@#$%^()-_+={ },./:;).
policy_rules
Array of PolicyRule object
No
Specifies IPv4 policy rules.
A maximum of five policy rules can be specified. This parameter is mandatory only when style is set to policy and ip_version of the VPN gateway is set to ipv4.
policy_rules_v6
Array of PolicyRule object
No
Specifies IPv6 policy rules.
A maximum of five policy rules can be specified. This parameter is mandatory only when style is set to policy and ip_version of the VPN gateway is set to ipv6.
ikepolicy
UpdateIkePolicy object
No
Specifies the IKE policy object.
ipsecpolicy
UpdateIpsecPolicy object
No
Specifies the IPsec policy object.
Table 4 PolicyRule Parameter
Type
Mandatory
Description
rule_index
Integer
No
- Specifies a rule ID, which is used to identify the sequence in which the rule is configured. You are advised not to set this parameter.
- The value ranges from 0 to 50.
- The value of rule_index in each policy rule must be unique. The value of rule_index in ResponseVpnConnection may be different from the value of this parameter. This is because if multiple destination CIDR blocks are specified, the VPN service generates a rule for each destination CIDR block.
source
String
No
- Specifies a source CIDR block. The IP protocol version (IPv4) of the CIDR block must be the same as that of the VPN gateway.
- The value of source in each policy rule must be unique.
destination
Array of String
No
Table 5 UpdateIkePolicy Parameter
Type
Mandatory
Description
ike_version
String
No
- Specifies the IKE version.
- Value range:
- When flavor is set to GM for the VPN gateway, the value can only be v1.
- In other scenarios, the value can be v1 or v2.
- Default value:
- When flavor is set to GM for the VPN gateway, the default value is v1.
- In other scenarios, the default value is v2.
phase1_negotiation_mode
String
No
- Specifies the negotiation mode.
- Value range:
When flavor is set to GM for the VPN gateway, the value can only be main.
In other scenarios, the value can be main or aggressive.
main: ensures high security during negotiation.
aggressive: ensures fast negotiation and a high negotiation success rate.
- This parameter takes effect only for IKEv1.
authentication_algorithm
String
No
- Specifies an authentication algorithm. The modification of this field takes effect only after SAs in phase 1 are aged.
- Value range:
- When flavor is set to GM for the VPN gateway, the value can only be sm3.
- In other scenarios, the value can be sha2-512, sha2-384, sha2-256, sha1, or md5.
Exercise caution when using sha1 and md5 as they have low security.
encryption_algorithm
String
No
- Specifies an encryption algorithm. The modification of this field takes effect only after SAs in phase 1 are aged.
- Value range:
When flavor is set to GM for the VPN gateway, the value can only be sm4.
In other scenarios, the value can be aes-256-gcm-16, aes-128-gcm-16, aes-256, aes-192, aes-128, or 3des.
Exercise caution when using 3des as it has low security.
dh_group
String
No
- Specifies the DH group used for key exchange in phase 1. The modification of this field takes effect only after SAs in phase 1 are aged.
This parameter cannot be modified when flavor is set to GM for the VPN gateway.
- The value can be group1, group2, group5, group14, group15, group16, group19, group20, or group21.
Exercise caution when using group1, group2, group5, or group14 as they have low security.
lifetime_seconds
Integer
No
- Specifies the SA lifetime. When the lifetime expires, an IKE SA is automatically updated. The modification of this field takes effect only after SAs in phase 1 are aged.
- The value ranges from 60 to 604800, in seconds.
local_id_type
String
No
local_id
String
No
- Specifies the local ID.
This parameter cannot be modified when flavor is set to GM for the VPN gateway.
- The value can contain a maximum of 255 case-sensitive characters, including letters, digits, and special characters (excluding & < > [ ] \). Spaces are not supported. Set this parameter when local_id_type is set to fqdn. The value must be the same as that of peer_id on the peer device.
peer_id_type
String
No
peer_id
String
No
- Specifies the peer ID.
This parameter cannot be modified when flavor is set to GM for the VPN gateway.
- The value can contain a maximum of 255 case-sensitive characters, including letters, digits, and special characters (excluding & < > [ ] \). Spaces are not supported. Set this parameter when peer_id_type is set to fqdn. The value must be the same as that of local_id on the peer device.
dpd
UpdateDpd object
No
Specifies the DPD object.
Table 6 UpdateDpd Parameter
Type
Mandatory
Description
timeout
Integer
No
- Specifies the interval for retransmitting DPD packets.
- The value ranges from 2 to 60, in seconds. The default value is 15.
interval
Integer
No
- Specifies the DPD idle timeout period.
- The value ranges from 10 to 3600, in seconds. The default value is 30.
msg
String
No
- Example requests
- Update the customer subnet.
PUT https://{Endpoint}/v5/{project_id}/vpn-connection/{vpn_connection_id} { "vpn_connection": { "peer_subnets": [ "192.168.1.0/24" ] } }
- Update a policy rule.
PUT https://{Endpoint}/v5/{project_id}/vpn-connection/{vpn_connection_id} { "vpn_connection": { "policy_rules": [{ "rule_index": 1, "source": "10.0.0.0/24", "destination": [ "192.168.1.0/24" ] }] } }
- Update the SA lifetime.
PUT https://{Endpoint}/v5/{project_id}/vpn-connection/{vpn_connection_id} { "vpn_connection": { "ikepolicy": { "lifetime_seconds": 3600 }, "ipsecpolicy": { "lifetime_seconds": 3600 } } }
- Update the connection name.
PUT https://{Endpoint}/v5/{project_id}/vpn-connection/{vpn_connection_id} { "vpn_connection": { "name": "vpn_connection_name" } }
- Update the customer subnet.
Response
- Response parameters
Returned status code 200: successful operation
Table 8 Parameters in the response body Parameter
Type
Description
vpn_connection
ResponseVpnConnection object
Specifies the VPN connection object.
request_id
String
Specifies a request ID.
Table 9 ResponseVpnConnection Parameter
Type
Description
id
String
- Specifies a VPN connection ID.
- The value is a UUID containing 36 characters.
name
String
- Specifies the name of a VPN connection.
- The value is a string of 1 to 64 characters, which can contain digits, letters, underscores (_), and hyphens (-).
vgw_id
String
- Specifies a VPN gateway ID.
- The value is a UUID containing 36 characters.
vgw_ip
String
- Specifies an EIP ID or private IP address of the VPN gateway.
- The value is a UUID containing 36 characters or an IPv4 address in dotted decimal notation (for example, 192.168.45.7).
style
String
cgw_id
String
- Specifies a customer gateway ID.
- The value is a UUID containing 36 characters.
peer_subnets
Array of String
Specifies an IPv4 customer subnet. This parameter is not returned when attachment_type of the VPN gateway is set to ER and style is set to BGP or POLICY or when the IP protocol version of the VPN gateway is IPv6.
peer_subnets_v6
Array of String
Specifies an IPv6 customer subnet. This parameter is not returned when attachment_type of the VPN gateway is set to ER and style is set to BGP or POLICY or when the IP protocol version of the VPN gateway is IPv4.
tunnel_local_address
String
Specifies the tunnel interface address configured on the VPN gateway in route-based mode. This parameter is valid only when style is STATIC or BGP.
tunnel_peer_address
String
Specifies the tunnel interface address configured on the customer gateway device in route-based mode. This parameter is valid only when style is STATIC or BGP.
enable_nqa
Boolean
- Specifies whether NQA is enabled. This parameter is returned only when style is STATIC.
- The value can be true or false.
policy_rules
Array of PolicyRule objects
Specifies IPv4 policy rules, which are returned only when style is set to POLICY and ip_version of the VPN gateway is set to ipv4.
policy_rules_v6
Array of PolicyRule object
Specifies IPv6 policy rules, which are returned only when style is set to POLICY and ip_version of the VPN gateway is set to ipv6.
ikepolicy
IkePolicy object
Specifies the IKE policy object.
ipsecpolicy
IpsecPolicy object
Specifies the IPsec policy object.
created_at
String
- Specifies the time when the VPN connection is created.
- The UTC time format is yyyy-MM-ddTHH:mm:ssZ.
updated_at
String
- Specifies the last update time.
- The UTC time format is yyyy-MM-ddTHH:mm:ssZ.
enterprise_project_id
String
- Specifies an enterprise project ID.
- The value is a UUID containing 36 characters. The value must be the same as the enterprise project ID of the VPN gateway specified by vgw_id.
connection_monitor_id
String
- Specifies the ID of a VPN connection monitor. This parameter is available only when a connection monitor is created for a VPN connection.
- The value is a UUID containing 36 characters.
ha_role
String
- For a VPN gateway in active-standby mode, master indicates the active connection, and slave indicates the standby connection. For a VPN gateway in active-active mode, the value of ha_role can only be master.
- The default value is master.
tags
Array of VpnResourceTag objects
Specifies a tag list.
Table 10 PolicyRule Parameter
Type
Description
rule_index
Integer
- Specifies a rule ID.
- The value ranges from 0 to 50.
source
String
Specifies a source CIDR block.
destination
Array of String
Specifies a destination CIDR block. An example IPv4 CIDR block is 192.168.52.0/24. An example IPv6 CIDR block is 16af:cacc:1097::/48. A maximum of 50 destination CIDR blocks can be returned for each policy rule.
Table 11 IkePolicy Parameter
Type
Description
ike_version
String
- Specifies the IKE version.
- The value can be v1 or v2.
phase1_negotiation_mode
String
authentication_algorithm
String
- Specifies an authentication algorithm.
- The value can be sm3, sha2-512, sha2-384, sha2-256, sha1, or md5.
encryption_algorithm
String
- Specifies an encryption algorithm.
- The value can be sm4, aes-256-gcm-16, aes-128-gcm-16, aes-256, aes-192, aes-128, or 3des.
dh_group
String
- Specifies the DH group used for key exchange in phase 1. This parameter is not available when flavor is set to GM for the VPN gateway.
- The value can be group1, group2, group5, group14, group15, group16, group19, group20, or group21.
authentication_method
String
lifetime_seconds
Integer
- Specifies the SA lifetime. When the lifetime expires, an IKE SA is automatically updated.
- The value ranges from 60 to 604800, in seconds.
local_id_type
String
- Specifies the local ID type. This parameter is not available when flavor is set to GM for the VPN gateway.
- Value range:
- ip
- fqdn
local_id
String
Specifies the local ID. When local_id_type is set to ip, the VPN gateway IP address corresponding to the VPN connection is returned. When local_id_type is set to fqdn, the local ID specified during VPN connection creation or update is returned.
This parameter is not available when flavor is set to GM for the VPN gateway.
peer_id_type
String
- Specifies the peer ID type. This parameter is not available when flavor is set to GM for the VPN gateway.
- Value range:
- ip
- any
- fqdn
peer_id
String
Specifies the peer ID. When peer_id_type is set to ip, the IP address of the customer gateway is returned. When peer_id_type is set to fqdn, the peer ID specified during VPN connection creation or update is returned. When peer_id_type is set to any, no data is returned.
This parameter is not available when flavor is set to GM for the VPN gateway.
dpd
Dpd object
Specifies the DPD object.
Table 12 Dpd Parameter
Type
Description
timeout
Integer
- Specifies the interval for retransmitting DPD packets.
- The value ranges from 2 to 60, in seconds.
interval
Integer
- Specifies the DPD idle timeout period.
- The value ranges from 10 to 3600, in seconds.
msg
String
Table 13 IpsecPolicy Parameter
Type
Description
authentication_algorithm
String
- Specifies an authentication algorithm.
- The value can be sm3, sha2-512, sha2-384, sha2-256, sha1, or md5.
encryption_algorithm
String
- Specifies an encryption algorithm.
- The value can be sm4, aes-256-gcm-16, aes-128-gcm-16, aes-256, aes-192, aes-128, or 3des.
pfs
String
Specifies the DH key group used by PFS.
- The value can be group1, group2, group5, group14, group15, group16, group19, group20, group21, or disable.
transform_protocol
String
lifetime_seconds
Integer
- Specifies the lifetime of a tunnel established over an IPsec connection.
- The value ranges from 30 to 604800, in seconds.
encapsulation_mode
String
Table 14 VpnResourceTag Parameter
Type
Description
key
String
- Specifies a tag key.
- The value is a string of 1 to 128 characters that can contain digits, letters, Spanish characters, Portuguese characters, spaces, and special characters (_ . : = + - @).
value
String
- Specifies a tag value.
- The value is a string of 0 to 255 characters that can contain digits, letters, Spanish characters, Portuguese characters, spaces, and special characters (_ . : = + - @).
- Example responses
- Response to the request for updating a VPN connection
{ "vpn_connection": { "id": "98c5af8a-demo-a8df-va86-ae2280a6f4c3", "name": "vpn-1655", "vgw_id": "b32d91a4-demo-a8df-va86-e907174eb11d", "vgw_ip": "0c464dad-demo-a8df-va86-c22bb0eb0bde", "style": "POLICY", "cgw_id": "5247ae10-demo-a8df-va86-dd36659a7f5d", "peer_subnets": ["192.168.1.0/24"], "tunnel_local_address": "169.254.56.225/30", "tunnel_peer_address": "169.254.56.226/30", "policy_rules": [{ "rule_index": 1, "source": "10.0.0.0/24", "destination": [ "192.168.1.0/24" ] }], "ikepolicy": { "ike_version": "v2", "authentication_algorithm": "sha2-256", "encryption_algorithm": "aes-128", "dh_group": "group15", "authentication_method": "pre-share", "lifetime_seconds": 86400, "local_id_type": "ip", "local_id": "10.***.***.134", "peer_id_type": "ip", "peer_id": "88.***.***.164", "dpd": { "timeout": 15, "interval": 30, "msg": "seq-hash-notify" } }, "ipsecpolicy": { "authentication_algorithm": "sha2-256", "encryption_algorithm": "aes-128", "pfs": "group15", "transform_protocol": "esp", "lifetime_seconds": 3600, "encapsulation_mode": "tunnel" }, "created_at": "2022-11-26T13:41:34.626Z", "updated_at": "2022-11-26T13:41:34.626Z", "enterprise_project_id": "0", "ha_role": "master" }, "request_id": "f91082d4-6d49-479c-ad1d-4e552a9f5cae" }
- Response returned when a frozen VPN connection fails to be updated
{ "error_code": "VPN.0001", "error_msg": "invalid request: ILLEGAL not allowed update vpnConnection", "request_id": "8c833634-4560-7897-7740-a7462f5bcbd4" }
- Response to the request for updating a VPN connection
Status Codes
For details, see Status Codes.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot