Version: 0.5.2

VPN Tunnel

VPN Tunnels in Aruba Cloud provide secure, encrypted site-to-site connections between your VPC and remote networks (such as on-premises data centers or other clouds).

Commands

List VPN Tunnels

acloud network vpntunnel list [flags]

Flags:

  • --project-id string - Project ID (uses context if not specified)
  • --limit int - Maximum number of results to return
  • --offset int - Number of results to skip

Example:

acloud network vpntunnel list
acloud network vpntunnel list --project-id 68398923fb2cb026400d4d31

Output:

NAME      ID                REGION        TYPE          STATUS
vpn-prod  1234567890abcdef  ITBG-Bergamo  Site-To-Site  Active

Get VPN Tunnel Details

acloud network vpntunnel get <vpn-tunnel-id> [flags]

Flags:

  • --project-id string - Project ID (uses context if not specified)

Example:

acloud network vpntunnel get 1234567890abcdef

Create VPN Tunnel

acloud network vpntunnel create [flags]

Required Flags:

  • --name string - Name for the VPN tunnel
  • --region string - Region code (e.g., ITBG-Bergamo)
  • --peer-ip string - Peer client public IPv4 address
  • --vpc-uri string - VPC URI (/projects/{project-id}/providers/Aruba.Network/vpcs/{vpc-id})
  • --elastic-ip-uri string - Elastic IP URI (/projects/{project-id}/providers/Aruba.Network/elasticIps/{eip-id})
  • --subnet-cidr string or --subnet-name string - VPN subnet CIDR or name (one is required)

Optional Flags:

  • --tags strings - Tags (comma-separated)
  • --vpn-type string - VPN type (default: Site-To-Site)
  • --protocol string - VPN protocol (default: ikev2)
  • --billing-period string - Billing period: Hour, Month, Year (default: Hour)

IKE Group Flags:

  • --ike-lifetime int32 - IKE lifetime in seconds (0–86400)
  • --ike-encryption string - IKE encryption algorithm (see Encryption algorithms)
  • --ike-hash string - IKE hash algorithm (see Hash algorithms)
  • --ike-dh-group string - IKE DH group number: 1, 2, 5, or 14–32
  • --ike-dpd-action string - IKE DPD action: trap, clear, restart
  • --ike-dpd-interval int32 - IKE DPD interval in seconds (2–86400)
  • --ike-dpd-timeout int32 - IKE DPD timeout in seconds (2–86400)

Authentication (PSK) Flags:

  • --psk string - Pre-shared key secret (max 50 chars)
  • --psk-cloud-site string - PSK ID for the Aruba (cloud) side (3–100 chars, alphanumeric, - and .)
  • --psk-onprem-site string - PSK ID for the customer (on-prem) side (3–100 chars, alphanumeric, - and .)

ESP Group Flags:

  • --esp-lifetime int32 - ESP lifetime in seconds (30–86400)
  • --esp-encryption string - ESP encryption algorithm (default: aes256; see Encryption algorithms)
  • --esp-hash string - ESP hash algorithm (see Hash algorithms)
  • --esp-pfs string - ESP PFS group (see PFS groups)

Example:

acloud network vpntunnel create \
--name my-tunnel \
--region ITBG-Bergamo \
--peer-ip 203.0.113.1 \
--vpc-uri /projects/<proj-id>/providers/Aruba.Network/vpcs/<vpc-id> \
--subnet-cidr 10.241.0.0/24 \
--subnet-name my-vpn-subnet \
--elastic-ip-uri /projects/<proj-id>/providers/Aruba.Network/elasticIps/<eip-id> \
--ike-lifetime 3600 \
--ike-encryption aes256 \
--ike-hash sha256 \
--ike-dh-group 14 \
--ike-dpd-action restart \
--ike-dpd-interval 10 \
--ike-dpd-timeout 30 \
--psk my-pre-shared-key \
--psk-cloud-site psk-aruba-side \
--psk-onprem-site psk-customer-side \
--esp-lifetime 1800 \
--esp-encryption aes256 \
--esp-hash sha256 \
--esp-pfs enable \
--billing-period Hour

Update VPN Tunnel

Only --name and --tags are updatable. All other fields (IKE, ESP, subnet) are immutable after creation.

acloud network vpntunnel update <vpn-tunnel-id> [flags]

Flags:

  • --name string - New name for the VPN tunnel
  • --tags strings - New tags (comma-separated)
  • --project-id string - Project ID (uses context if not specified)

Example:

acloud network vpntunnel update 1234567890abcdef --name new-name --tags env=prod

Delete VPN Tunnel

acloud network vpntunnel delete <vpn-tunnel-id> [flags]

Flags:

  • -y, --yes - Skip confirmation prompt
  • --dry-run - Validate existence without deleting
  • --project-id string - Project ID (uses context if not specified)

Example:

acloud network vpntunnel delete 1234567890abcdef --yes

Valid Enum Values

The CLI validates enum fields client-side before sending the request, so typos return a clear error immediately.

Encryption Algorithms

Valid for both --ike-encryption and --esp-encryption:

Value              Description
aes128             128-bit AES-CBC
aes192             192-bit AES-CBC
aes256             256-bit AES-CBC
aes128ctr          128-bit AES-COUNTER
aes192ctr          192-bit AES-COUNTER
aes256ctr          256-bit AES-COUNTER
aes128ccm64        128-bit AES-CCM with 64-bit ICV
aes192ccm64        192-bit AES-CCM with 64-bit ICV
aes256ccm64        256-bit AES-CCM with 64-bit ICV
aes128ccm96        128-bit AES-CCM with 96-bit ICV
aes192ccm96        192-bit AES-CCM with 96-bit ICV
aes256ccm96        256-bit AES-CCM with 96-bit ICV
aes128ccm128       128-bit AES-CCM with 128-bit ICV
aes192ccm128       192-bit AES-CCM with 128-bit ICV
aes256ccm128       256-bit AES-CCM with 128-bit ICV
aes128gcm64        128-bit AES-GCM with 64-bit ICV
aes192gcm64        192-bit AES-GCM with 64-bit ICV
aes256gcm64        256-bit AES-GCM with 64-bit ICV
aes128gcm96        128-bit AES-GCM with 96-bit ICV
aes192gcm96        192-bit AES-GCM with 96-bit ICV
aes256gcm96        256-bit AES-GCM with 96-bit ICV
aes128gcm128       128-bit AES-GCM with 128-bit ICV
aes192gcm128       192-bit AES-GCM with 128-bit ICV
aes256gcm128       256-bit AES-GCM with 128-bit ICV
aes128gmac         Null encryption with 128-bit AES-GMAC
aes192gmac         Null encryption with 192-bit AES-GMAC
aes256gmac         Null encryption with 256-bit AES-GMAC
3des               168-bit 3DES-EDE-CBC
blowfish128        128-bit Blowfish-CBC
blowfish192        192-bit Blowfish-CBC
blowfish256        256-bit Blowfish-CBC
camellia128        128-bit Camellia-CBC
camellia192        192-bit Camellia-CBC
camellia256        256-bit Camellia-CBC
camellia128ctr     128-bit Camellia-COUNTER
camellia192ctr     192-bit Camellia-COUNTER
camellia256ctr     256-bit Camellia-COUNTER
camellia128ccm64   128-bit Camellia-CCM with 64-bit ICV
camellia192ccm64   192-bit Camellia-CCM with 64-bit ICV
camellia256ccm64   256-bit Camellia-CCM with 64-bit ICV
camellia128ccm96   128-bit Camellia-CCM with 96-bit ICV
camellia192ccm96   192-bit Camellia-CCM with 96-bit ICV
camellia256ccm96   256-bit Camellia-CCM with 96-bit ICV
camellia128ccm128  128-bit Camellia-CCM with 128-bit ICV
camellia192ccm128  192-bit Camellia-CCM with 128-bit ICV
camellia256ccm128  256-bit Camellia-CCM with 128-bit ICV
serpent128         128-bit Serpent-CBC
serpent192         192-bit Serpent-CBC
serpent256         256-bit Serpent-CBC
twofish128         128-bit Twofish-CBC
twofish192         192-bit Twofish-CBC
twofish256         256-bit Twofish-CBC
cast128            128-bit CAST-CBC
chacha20poly1305   256-bit ChaCha20/Poly1305 with 128-bit ICV

Hash Algorithms

Valid for both --ike-hash and --esp-hash:

Value       Description
md5         MD5 HMAC
md5_128     MD5-128 HMAC
sha1        SHA1 HMAC
sha1_160    SHA1-160 HMAC
sha256      SHA2-256-128 HMAC
sha256_96   SHA2-256-96 HMAC
sha384      SHA2-384-192 HMAC
sha512      SHA2-512-256 HMAC
aesxcbc     AES XCBC
aescmac     AES CMAC
aes128gmac  128-bit AES-GMAC
aes192gmac  192-bit AES-GMAC
aes256gmac  256-bit AES-GMAC

DH Groups

Valid for --ike-dh-group:

Value  Description
1      Diffie-Hellman group 1 (modp768)
2      Diffie-Hellman group 2 (modp1024)
5      Diffie-Hellman group 5 (modp1536)
14     Diffie-Hellman group 14 (modp2048)
15     Diffie-Hellman group 15 (modp3072)
16     Diffie-Hellman group 16 (modp4096)
17     Diffie-Hellman group 17 (modp6144)
18     Diffie-Hellman group 18 (modp8192)
19     Diffie-Hellman group 19 (ecp256)
20     Diffie-Hellman group 20 (ecp384)
21     Diffie-Hellman group 21 (ecp521)
22     Diffie-Hellman group 22 (modp1024s160)
23     Diffie-Hellman group 23 (modp2048s224)
24     Diffie-Hellman group 24 (modp2048s256)
25     Diffie-Hellman group 25 (ecp192)
26     Diffie-Hellman group 26 (ecp224)
27     Diffie-Hellman group 27 (ecp224bp)
28     Diffie-Hellman group 28 (ecp256bp)
29     Diffie-Hellman group 29 (ecp384bp)
30     Diffie-Hellman group 30 (ecp512bp)
31     Diffie-Hellman group 31 (curve25519)
32     Diffie-Hellman group 32 (curve448)

DPD Actions

Valid for --ike-dpd-action:

Value    Description
trap     Hold the SA and re-initiate on traffic
clear    Close the SA immediately
restart  Re-negotiate the SA immediately

PFS Groups

Valid for --esp-pfs:

Value       Description
enable      Inherit DH group from the IKE group
dh-group1   Use Diffie-Hellman group 1 (modp768)
dh-group2   Use Diffie-Hellman group 2 (modp1024)
dh-group5   Use Diffie-Hellman group 5 (modp1536)
dh-group14  Use Diffie-Hellman group 14 (modp2048)
dh-group15  Use Diffie-Hellman group 15 (modp3072)
dh-group16  Use Diffie-Hellman group 16 (modp4096)
dh-group17  Use Diffie-Hellman group 17 (modp6144)
dh-group18  Use Diffie-Hellman group 18 (modp8192)
dh-group19  Use Diffie-Hellman group 19 (ecp256)
dh-group20  Use Diffie-Hellman group 20 (ecp384)
dh-group21  Use Diffie-Hellman group 21 (ecp521)
dh-group22  Use Diffie-Hellman group 22 (modp1024s160)
dh-group23  Use Diffie-Hellman group 23 (modp2048s224)
dh-group24  Use Diffie-Hellman group 24 (modp2048s256)
dh-group25  Use Diffie-Hellman group 25 (ecp192)
dh-group26  Use Diffie-Hellman group 26 (ecp224)
dh-group27  Use Diffie-Hellman group 27 (ecp224bp)
dh-group28  Use Diffie-Hellman group 28 (ecp256bp)
dh-group29  Use Diffie-Hellman group 29 (ecp384bp)
dh-group30  Use Diffie-Hellman group 30 (ecp512bp)
dh-group31  Use Diffie-Hellman group 31 (curve25519)
dh-group32  Use Diffie-Hellman group 32 (curve448)
disable     Disable PFS
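
The client-side enum validation only confirms that a value is one of those listed above, and the lists include MD5, 3DES, null-encryption GMAC and modp groups below 2048 bits; because IKE and ESP settings are immutable after creation, it is worth gating them before running create. The shell function below is an added example, not part of the acloud CLI or its documentation: the name check_vpn_proposal and the baseline it enforces are assumptions standing in for a site hardening policy.

```shell
#!/bin/sh
# Added example: local policy gate for the crypto flags of
# `acloud network vpntunnel create`. The baseline is an assumption
# (a site hardening policy), not something the CLI or Aruba Cloud enforces.

# check_vpn_proposal IKE_ENC IKE_HASH IKE_DH ESP_ENC ESP_HASH ESP_PFS
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_vpn_proposal() {
    rc=0
    for enc in "$1" "$4"; do
        case "$enc" in
            3des|blowfish*|cast128)
                echo "encryption $enc: 64-bit block cipher"; rc=1 ;;
            *gmac)
                echo "encryption $enc: null encryption, integrity only"; rc=1 ;;
            *ccm64|*gcm64)
                echo "encryption $enc: 64-bit ICV"; rc=1 ;;
        esac
    done
    for hash in "$2" "$5"; do
        case "$hash" in
            md5*|sha1*) echo "hash $hash: MD5/SHA-1 based HMAC"; rc=1 ;;
        esac
    done
    case "$3" in
        1|2|5|22) echo "ike-dh-group $3: modp below 2048 bits"; rc=1 ;;
    esac
    case "$6" in
        disable) echo "esp-pfs disable: child SA keys get no fresh DH exchange"; rc=1 ;;
        dh-group1|dh-group2|dh-group5|dh-group22)
            echo "esp-pfs $6: modp below 2048 bits"; rc=1 ;;
    esac
    return "$rc"
}

# Values from the page's create example pass the baseline.
check_vpn_proposal aes256 sha256 14 aes256 sha256 enable \
    && echo "OK: proposal meets baseline"

# Constructed weak proposal: every value appears in the enum tables above,
# so spelling validation alone would not stop it.
check_vpn_proposal 3des md5 2 aes128gmac sha1 disable \
    || echo "REJECTED: fix the findings above before creating the tunnel"
```

Run the check with the same six values you intend to pass to the create command, and only invoke create when it returns 0.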

Shell Auto-completion

The get, update, and delete commands support auto-completion for VPN tunnel IDs.