Function

This API is used to update a VPN connection with a specified connection ID.

Calling Method

For details, see Calling APIs.

URI

PUT /v5/{project_id}/vpn-connection/{vpn_connection_id}

**Table 1** Parameter description
Parameter	Type	Mandatory	Description
project_id	String	Yes	Specifies a project ID. You can obtain the project ID by referring to Obtaining the Project ID.
vpn_connection_id	String	Yes	Specifies a VPN connection ID.

Request

Request parameters

**Table 2** Request parameters
Parameter	Type	Mandatory	Description
vpn_connection	UpdateVpnConnectionRequestBodyContent object	Yes	Specifies the VPN connection object.

**Table 3** UpdateVpnConnectionRequestBodyContent
Parameter	Type	Mandatory	Description
name	String	No	Specifies the name of a VPN connection. The value is a string of 1 to 64 characters, which can contain digits, letters, underscores (_), hyphens (-), and periods (.).
cgw_id	String	No	Specifies a customer gateway ID. The value is a UUID containing 36 characters.
peer_subnets	Array of String	No	Specifies an IPv4 customer subnet. Constraints: This parameter is not required when attachment_type of the VPN gateway is set to er and style is set to policy or bgp. Reserved VPC CIDR blocks such as 100.64.0.0/10, 100.64.0.0/12, and 214.0.0.0/8 cannot be used as customer subnets. The reserved CIDR blocks vary according to regions and are subject to those displayed on the console. If you need to use 100.64.0.0/10 or 100.64.0.0/12, submit a service ticket. A maximum of 50 customer subnets can be configured for each VPN connection.
tunnel_local_address	String	No	Specifies the tunnel interface address configured on the VPN gateway in route-based mode, for example, 169.254.76.1/30. Constraints: The first 16 bits must be 169.254, and the value cannot be 169.254.195.xxx. The mask length must be 30, and the address must be in the same CIDR block as the value of tunnel_peer_address. The address needs to be a host address in a CIDR block.
tunnel_peer_address	String	No	Specifies the tunnel interface address configured on the customer gateway device in route-based mode, for example, 169.254.76.1/30. Constraints: The first 16 bits must be 169.254, and the value cannot be 169.254.195.xxx. The mask length must be 30, and the address must be in the same CIDR block as the value of tunnel_local_address. The address needs to be a host address in a CIDR block.
enable_hub	Boolean	No	Specifies whether to enable branch interconnection. The value can be true or false. The default value is false. Set this parameter only when style is set to BGP.
psk	String	No	Specifies a pre-shared key. When the IKE version is v2 and only this parameter is modified, the modification does not take effect. The value is a string of 8 to 128 characters, which must contain at least three types of the following: uppercase letters, lowercase letters, digits, and special characters (~!@#$%^*()-_+={ },./:;).
policy_rules	Array of PolicyRule object	No	Specifies IPv4 policy rules. A maximum of five policy rules can be specified. This parameter is mandatory only when style is set to policy and ip_version of the VPN gateway is set to ipv4.
ikepolicy	UpdateIkePolicy object	No	Specifies the IKE policy object.
ipsecpolicy	UpdateIpsecPolicy object	No	Specifies the IPsec policy object.

**Table 4** PolicyRule
Parameter	Type	Mandatory	Description
source	String	No	The value of source in each policy rule must be unique.
destination	Array of String	No	Specifies a destination CIDR block. The IP protocol version (IPv4) of the CIDR block must be the same as that of the VPN gateway. An example IPv4 CIDR block is 192.168.52.0/24. A maximum of 50 destination CIDR blocks can be configured in each policy rule.

**Table 5** UpdateIkePolicy
Parameter	Type	Mandatory	Description
ike_version	String	No	Specifies the IKE version. Value range: v1 and v2 Default value: v2
phase1_negotiation_mode	String	No	Specifies the negotiation mode. Value range: main: ensures high security during negotiation. aggressive: ensures fast negotiation and a high negotiation success rate. This parameter takes effect only for IKEv1.
authentication_algorithm	String	No	Specifies an authentication algorithm. The modification of this field takes effect only after SAs in phase 1 are aged. Value range: sha2-512, sha2-384, sha2-256, sha1, md5 Exercise caution when using sha1 and md5 as they have low security.
encryption_algorithm	String	No	Specifies an encryption algorithm. The modification of this field takes effect only after SAs in phase 1 are aged. Value range: aes-256-gcm-16, aes-128-gcm-16, aes-256, aes-192, aes-128, 3des Exercise caution when using 3des, aes-128, aes-192, and aes-256 as they have low security.
dh_group	String	No	Specifies the DH group used for key exchange in phase 1. The modification of this field takes effect only after SAs in phase 1 are aged. The value can be group1, group2, group5, group14, group15, group16, group19, group20, or group21. Exercise caution when using group1, group2, group5, or group14 as they have low security.
lifetime_seconds	Integer	No	Specifies the SA lifetime. When the lifetime expires, an IKE SA is automatically updated. The modification of this field takes effect only after SAs in phase 1 are aged. The value ranges from 60 to 604800, in seconds.
local_id_type	String	No	Specifies the local ID type. Value range: ip fqdn (currently not supported)
local_id	String	No	Specifies the local ID. Constraints: When local_id_type is set to ip, this parameter is optional. If it is set, the value must be an IPv4 address.
peer_id_type	String	No	Specifies the peer ID type. Value range: ip fqdn (currently not supported)
peer_id	String	No	Specifies the peer ID. Constraints: When local_id_type is set to ip, this parameter is optional. If it is set, the value must be an IPv4 address.
dpd	UpdateDpd object	No	Specifies the DPD object.

**Table 6** UpdateDpd
Parameter	Type	Mandatory	Description
timeout	Integer	No	Specifies the interval for retransmitting DPD packets. The value ranges from 2 to 60, in seconds. The default value is 15.
interval	Integer	No	Specifies the DPD idle timeout period. The value ranges from 10 to 3600, in seconds. The default value is 30.
msg	String	No	Specifies the format of DPD packets. Value range: seq-hash-notify: indicates that the payload of DPD packets is in the sequence of hash-notify. seq-notify-hash: indicates that the payload of DPD packets is in the sequence of notify-hash. The default value is seq-hash-notify.

**Table 7** UpdateIpsecPolicy
Parameter	Type	Mandatory	Description
authentication_algorithm	String	No	Specifies an authentication algorithm. Exercise caution when using SHA1 and MD5 as they have low security. The modification of this field takes effect only after SAs in phase 2 are aged. Value range: sha2-512, sha2-384, sha2-256, sha1, md5
encryption_algorithm	String	No	Specifies an encryption algorithm. Exercise caution when using 3des, aes-128, aes-192, and aes-256 as they have low security. The modification of this field takes effect only after SAs in phase 2 are aged. Value range: aes-256-gcm-16, aes-128-gcm-16, aes-256, aes-192, aes-128, 3des
pfs	String	No	Specifies the DH key group used by PFS. The value can be group1, group2, group5, group14, group15, group16, group19, group20, group21, or disable. The default value is group15. Exercise caution when using group1, group2, group5, or group14 as they have low security.
transform_protocol	String	No	Specifies the transfer protocol. Value range: esp: encapsulating security payload protocol The default value is esp.
lifetime_seconds	Integer	No	Specifies the lifetime of a tunnel established over an IPsec connection. The modification of this field takes effect only after SAs in phase 2 are aged. The value ranges from 30 to 604800, in seconds. The default value is 3600.
encapsulation_mode	String	No	Specifies the packet encapsulation mode. Value range: tunnel: encapsulates packets in tunnel mode. The default value is tunnel.

Example requests

Update the customer subnet.

PUT https://{Endpoint}/v5/{project_id}/vpn-connection/{vpn_connection_id}

{
    "vpn_connection": {
        "peer_subnets": [
            "192.168.1.0/24"
        ]
    }
}

Update a policy rule.

PUT https://{Endpoint}/v5/{project_id}/vpn-connection/{vpn_connection_id}

{
    "vpn_connection": {
        "policy_rules": [{           
            "source": "10.0.0.0/24",
            "destination": [
                "192.168.1.0/24"
            ]
        }]
    }
}

Update the SA lifetime.

PUT https://{Endpoint}/v5/{project_id}/vpn-connection/{vpn_connection_id}

{
    "vpn_connection": {
        "ikepolicy": {
            "lifetime_seconds": 3600
        },
        "ipsecpolicy": {
            "lifetime_seconds": 3600
        }
    }
}

Update the connection name.

PUT https://{Endpoint}/v5/{project_id}/vpn-connection/{vpn_connection_id}

{
    "vpn_connection": {
        "name": "vpn_connection_name"
    }
}

Response

Response parameters

Returned status code 200: successful operation

**Table 8** Parameters in the response body
Parameter	Type	Description
vpn_connection	ResponseVpnConnection object	Specifies the VPN connection object.
request_id	String	Specifies a request ID.

**Table 9** ResponseVpnConnection
Parameter	Type	Description
id	String	Specifies a VPN connection ID. The value is a UUID containing 36 characters.
name	String	Specifies the name of a VPN connection. The value is a string of 1 to 64 characters, which can contain digits, letters, underscores (_), and hyphens (-).
vgw_id	String	Specifies a VPN gateway ID. The value is a UUID containing 36 characters.
vgw_ip	String	Specifies an EIP ID or private IP address of the VPN gateway. The value is a UUID containing 36 characters or an IPv4 address in dotted decimal notation (for example, 192.168.45.7).
style	String	Specifies the connection mode. Value range: POLICY: policy-based mode STATIC: static routing mode BGP: BGP routing mode
cgw_id	String	Specifies a customer gateway ID. The value is a UUID containing 36 characters.
peer_subnets	Array of String	Specifies an IPv4 customer subnet. This parameter is not returned when attachment_type of the VPN gateway is set to ER and style is set to BGP or POLICY.
tunnel_local_address	String	Specifies the tunnel interface address configured on the VPN gateway in route-based mode. This parameter is valid only when style is STATIC or BGP.
tunnel_peer_address	String	Specifies the tunnel interface address configured on the customer gateway device in route-based mode. This parameter is valid only when style is STATIC or BGP.
enable_nqa	Boolean	Specifies whether NQA is enabled. This parameter is returned only when style is STATIC. The value can be true or false.
enable_hub	Boolean	Specifies whether branch interconnection is enabled. This parameter is returned only when style is BGP. The value can be true or false.
policy_rules	Array of PolicyRule objects	Specifies IPv4 policy rules, which are returned only when style is set to POLICY and ip_version of the VPN gateway is set to ipv4.
ikepolicy	IkePolicy object	Specifies the IKE policy object.
ipsecpolicy	IpsecPolicy object	Specifies the IPsec policy object.
created_at	String	Specifies the time when the VPN connection is created. The UTC time format is yyyy-MM-ddTHH:mm:ss.SSSZ.
updated_at	String	Specifies the last update time. The UTC time format is yyyy-MM-ddTHH:mm:ss.SSSZ.
enterprise_project_id	String	Specifies an enterprise project ID. The value is a UUID containing 36 characters. The value must be the same as the enterprise project ID of the VPN gateway specified by vgw_id.
connection_monitor_id	String	Specifies the ID of a VPN connection monitor. This parameter is available only when a connection monitor is created for a VPN connection. The value is a UUID containing 36 characters.
ha_role	String	For a VPN gateway in active/standby mode, master indicates the active connection, and slave indicates the standby connection. For a VPN gateway in active-active mode, the value of ha_role can only be master. The default value is master.
tags	Array of VpnResourceTag objects	Specifies a tag list.
eip_id	String	Specifies an EIP ID or private IP address of the VPN gateway. The value is a UUID containing 36 characters or an IPv4 address in dotted decimal notation (for example, 192.168.45.7). This parameter has been deprecated, but is retained for compatibility purposes. Using this parameter is not recommended.
type	String	Specifies the connection mode. Value range: POLICY: policy-based mode ROUTE: routing mode This parameter has been deprecated, but is retained for compatibility purposes. Using this parameter is not recommended.
route_mode	String	Specifies the routing mode. Value range: static: static routing mode bgp: BGP routing mode This parameter has been deprecated, but is retained for compatibility purposes. Using this parameter is not recommended.

**Table 10** PolicyRule
Parameter	Type	Description
source	String	Specifies a source CIDR block.
destination	Array of String	Specifies a destination CIDR block. An example IPv4 CIDR block is 192.168.52.0/24. A maximum of 50 destination CIDR blocks can be returned for each policy rule.

**Table 11** IkePolicy
Parameter	Type	Description
ike_version	String	Specifies the IKE version. The value can be v1 or v2.
phase1_negotiation_mode	String	Specifies the negotiation mode. This parameter is available only when the IKE version is v1. Value range: main: ensures high security during negotiation. aggressive: ensures fast negotiation and a high negotiation success rate.
authentication_algorithm	String	Specifies an authentication algorithm. The value can be sha2-512, sha2-384, sha2-256, sha1, or md5.
encryption_algorithm	String	Specifies an encryption algorithm. The value can be aes-256-gcm-16, aes-128-gcm-16, aes-256, aes-192, aes-128, or 3des.
dh_group	String	Specifies the DH group used for key exchange in phase 1. The value can be group1, group2, group5, group14, group15, group16, group19, group20, or group21.
authentication_method	String	Specifies the authentication method used during IKE negotiation. Value range: pre-share: pre-shared key
lifetime_seconds	Integer	Specifies the SA lifetime. When the lifetime expires, an IKE SA is automatically updated. The value ranges from 60 to 604800, in seconds.
local_id_type	String	Specifies the local ID type. Value range: ip fqdn (currently not supported)
local_id	String	Specifies the local ID. When local_id_type is set to ip, the local ID specified when the VPN connection is created or updated is returned. If no local ID is specified, the VPN gateway IP address corresponding to the VPN connection is returned.
peer_id_type	String	Specifies the peer ID type. Value range: ip any fqdn (currently not supported)
peer_id	String	Specifies the peer ID. When peer_id_type is set to ip, the peer ID specified when the VPN connection is created or updated is returned. If no peer ID is specified, the IP address of the customer gateway is returned.
dpd	Dpd object	Specifies the DPD object.

**Table 12** Dpd
Parameter	Type	Description
timeout	Integer	Specifies the interval for retransmitting DPD packets. The value ranges from 2 to 60, in seconds.
interval	Integer	Specifies the DPD idle timeout period. The value ranges from 10 to 3600, in seconds.
msg	String	Specifies the format of DPD packets. Value range: seq-hash-notify: indicates that the payload of DPD packets is in the sequence of hash-notify. seq-notify-hash: indicates that the payload of DPD packets is in the sequence of notify-hash.

**Table 13** IpsecPolicy
Parameter	Type	Description
authentication_algorithm	String	Specifies an authentication algorithm. The value can be sha2-512, sha2-384, sha2-256, sha1, or md5.
encryption_algorithm	String	Specifies an encryption algorithm. The value can be aes-256-gcm-16, aes-128-gcm-16, aes-256, aes-192, aes-128, or 3des.
pfs	String	Specifies the DH key group used by PFS. The value can be group1, group2, group5, group14, group15, group16, group19, group20, group21, or disable.
transform_protocol	String	Specifies the transfer protocol. Value range: esp: encapsulating security payload protocol
lifetime_seconds	Integer	Specifies the lifetime of a tunnel established over an IPsec connection. The value ranges from 30 to 604800, in seconds.
encapsulation_mode	String	Specifies the packet encapsulation mode. Value range: tunnel: encapsulates packets in tunnel mode.

**Table 14** VpnResourceTag
Parameter	Type	Description
key	String	Specifies a tag key. The value is a string of 1 to 128 characters that can contain digits, letters, Spanish characters, Portuguese characters, spaces, and special characters (_ . : = + - @).
value	String	Specifies a tag value. The value is a string of 0 to 255 characters that can contain digits, letters, Spanish characters, Portuguese characters, spaces, and special characters (_ . : = + - @).

Example responses

Response to the request for updating a VPN connection

{
    "vpn_connection": {
        "id": "98c5af8a-demo-a8df-va86-ae2280a6f4c3",
        "name": "vpn-1655",
        "vgw_id": "b32d91a4-demo-a8df-va86-e907174eb11d",
        "vgw_ip": "0c464dad-demo-a8df-va86-c22bb0eb0bde",
        "style": "POLICY",
        "cgw_id": "5247ae10-demo-a8df-va86-dd36659a7f5d",
        "peer_subnets": ["192.168.1.0/24"],
        "tunnel_local_address": "169.254.56.225/30",
        "tunnel_peer_address": "169.254.56.226/30",
        "policy_rules": [{
            "source": "10.0.0.0/24",
            "destination": [
                "192.168.1.0/24"
            ]
        }],
        "ikepolicy": {
            "ike_version": "v2",
            "authentication_algorithm": "sha2-256",
            "encryption_algorithm": "aes-128",
            "dh_group": "group15",
            "authentication_method": "pre-share",
            "lifetime_seconds": 86400,
            "local_id_type": "ip",
            "local_id": "10.***.***.134",
            "peer_id_type": "ip",
            "peer_id": "88.***.***.164",
            "dpd": {
                "timeout": 15,
                "interval": 30,
                "msg": "seq-hash-notify"
            }
        },
        "ipsecpolicy": {
            "authentication_algorithm": "sha2-256",
            "encryption_algorithm": "aes-128",
            "pfs": "group15",
            "transform_protocol": "esp",
            "lifetime_seconds": 3600,
            "encapsulation_mode": "tunnel"
        },
        "created_at": "2025-06-26T13:41:34.626Z",
        "updated_at": "2025-06-26T13:41:34.626Z",
        "enterprise_project_id": "0",
        "ha_role": "master"
    },
    "request_id": "f91082d4-6d49-479c-ad1d-4e552a9f5cae"
}

Response returned when a frozen VPN connection fails to be updated

{
    "error_code": "VPN.0001",
    "error_msg": "invalid request: ILLEGAL not allowed update vpnConnection",
    "request_id": "8c833634-4560-7897-7740-a7462f5bcbd4"
}

Status Codes

For details, see Status Codes.

Updating a VPN Connection

Function

Calling Method

URI

Request

Response

Status Codes