DescribeVpnConnections

Last updated: Aug 25, 2023

Queries IPsec-VPN connections.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description

Action String Yes DescribeVpnConnections

The operation that you want to perform. Set the value to DescribeVpnConnections.

RegionId String Yes cn-hangzhou

The ID of the region where the IPsec-VPN connection is created.

You can call the DescribeRegions operation to query the most recent region list.

VpnGatewayId String No vpn-bp1q8bgx4xnkx****

The ID of the VPN gateway.

CustomerGatewayId String No cgw-bp1mvj4g9kogw****

The ID of the customer gateway.

PageNumber Integer No 1

The number of the page to return. Default value: 1.

PageSize Integer No 10

The number of entries per page. Default value: 10. Valid values: 1 to 50.

VpnConnectionId String No vco-bp10lz7aejumd****

The ID of the IPsec-VPN connection.

Tag.N.Key String No TagKey

The key of tag N to add to the resource. The tag key cannot be an empty string.

It can be up to 64 characters in length, and cannot contain http:// or https://. It cannot start with aliyun or acs:.

You can specify at most 20 tag keys in each call.

Tag.N.Value String No TagValue

The value of tag N to add to the resource.

The tag value can be an empty string. The tag value can be up to 128 characters in length and cannot contain http:// or https://. The tag value cannot start with acs: or aliyun.

Each tag key corresponds to one tag value. You can specify up to 20 tag values in each call.

Response parameters

Parameter Type Example Description

PageSize Integer 10

The number of entries per page.

RequestId String 238752DC-0693-49BE-9C85-711D5691D3E5

The request ID.

PageNumber Integer 1

The number of the returned page.

TotalCount Integer 2

The total number of entries returned.

VpnConnections Array of VpnConnection

The information about the IPsec-VPN connection.

VpnConnection
Status String ipsec_sa_established

The status of the IPsec-VPN connection. Valid values:

  • ike_sa_not_established: Phase 1 negotiations failed.

  • ike_sa_established: Phase 1 negotiations succeeded.

  • ipsec_sa_not_established: Phase 2 negotiations failed.

  • ipsec_sa_established: Phase 2 negotiations succeeded.

EnableNatTraversal Boolean true

Indicates whether NAT traversal is enabled for the IPsec-VPN connection. Valid values:

  • true

    After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.

  • false

RemoteCaCertificate String -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----

The CA certificate of the peer.

CreateTime Long 1492753817000

The timestamp that indicates the time when the IPsec-VPN connection was established. Unit: milliseconds.

This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.

EffectImmediately Boolean true

Indicates whether IPsec negotiations start immediately. Valid values:

  • true: Negotiations are reinitiated after the configuration is changed.
  • false: Negotiations are reinitiated when traffic is detected.

VpnGatewayId String vpn-bp1q8bgx4xnkm****

The ID of the VPN gateway.

LocalSubnet String 192.168.0.0/16,172.17.0.0/16

The CIDR block on the Alibaba Cloud side.

CIDR blocks are separated by commas (,).

VpnConnectionId String vco-bp10lz7aejumd****

The ID of the IPsec-VPN connection.

RemoteSubnet String 10.0.0.0/8,172.16.0.0/16

The CIDR block on the data center side.

CIDR blocks are separated by commas (,).

CustomerGatewayId String cgw-bp1mvj4g9kogw****

The ID of the customer gateway associated with the IPsec-VPN connection.

Name String nametest

The name of the IPsec-VPN connection.

EnableDpd Boolean true

Indicates whether dead peer detection (DPD) is enabled for the IPsec-VPN connection. Valid values:

  • true

    The initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no feedback is received from the peer within a specified period of time, the connection fails. ISAKMP SA and IPsec SA are deleted. The security tunnel is also deleted.

  • false

IkeConfig Object

The configuration of Phase 1 negotiations.

RemoteId String 139.17.XX.XX

The identifier on the Alibaba Cloud side.

IkeLifetime Long 86400

The lifetime in the IKE phase. Unit: seconds.

IkeEncAlg String aes

The encryption algorithm in the IKE phase.

LocalId String 116.64.XX.XX

The identifier on the data center side.

IkeMode String main

The IKE negotiation mode.

  • main: This mode offers higher security during negotiations.
  • aggressive: This mode is faster and has a higher success rate.

IkeVersion String ikev1

The IKE version.

  • ikev1
  • ikev2

Compared with IKEv1, IKEv2 simplifies the SA negotiation process and is more suitable for scenarios in which multiple CIDR blocks are used.

IkePfs String group2

The DH group in the IKE phase.

Psk String pgw6dy7****

The pre-shared key.

IkeAuthAlg String sha1

The authentication algorithm in the IKE phase.

IpsecConfig Object

The configuration of Phase 2 negotiations.

IpsecAuthAlg String sha1

The authentication algorithm in the IPsec phase.

IpsecLifetime Long 86400

The lifetime in the IPsec phase. Unit: seconds.

IpsecEncAlg String aes

The encryption algorithm in the IPsec phase.

IpsecPfs String group2

The DH group in the IPsec phase.

VcoHealthCheck Object

The health check configuration of the IPsec-VPN connection.

Status String success

The status of the health check.

  • success
  • failed

Dip String 192.168.0.1

The destination IP address.

Interval Integer 2

The interval between two consecutive health checks. Unit: seconds.

Retry Integer 3

The maximum number of health check retries.

Sip String 192.168.0.50

The source IP address.

Enable String true

Indicates whether health checks are enabled. Valid values:

  • true

  • false

Policy String revoke_route

Indicates whether advertised routes are withdrawn when the health check fails. Valid values:

  • revoke_route
  • reserve_route

VpnBgpConfig Object

The BGP configuration of the IPsec-VPN connection.

Status String success

The negotiation status of the BGP routing protocol. Valid values:

  • success

  • false

PeerBgpIp String 169.254.10.1

The BGP IP address of the peer.

TunnelCidr String 169.254.10.0/30

The BGP CIDR block of the IPsec-VPN connection. The CIDR block falls within 169.254.0.0/16. The mask of the CIDR block is 30 bits in length.

LocalBgpIp String 169.254.10.2

The BGP IP address on the Alibaba Cloud side.

PeerAsn Long 65530

The autonomous system number (ASN) of the peer.

LocalAsn Long 65531

The ASN on the Alibaba Cloud side.

AuthKey String AuthKey****

The authentication key of the BGP routing protocol.

AttachType String CEN

The type of resource that is associated with the IPsec-VPN connection. Valid values:

  • CEN: indicates that the IPsec-VPN connection is associated with a transit router of a Cloud Enterprise Network (CEN) instance.
  • NO_ASSOCIATED: indicates that the IPsec-VPN connection is not associated with a resource.
  • VPNGW: indicates that the IPsec-VPN connection is associated with a VPN gateway.

NetworkType String public

The network type of the IPsec-VPN connection. Valid values:

  • public
  • private

AttachInstanceId String cen-lxxpbpalc776qz****

The ID of the CEN instance to which the transit router belongs.

Spec String 1000M

The bandwidth specification of the IPsec-VPN connection. Unit: Mbit/s.

State String attached

The association status of the IPsec-VPN connection. Valid values:

  • active
  • init
  • attaching
  • attached
  • detaching
  • financialLocked
  • provisioning
  • updating
  • upgrading
  • deleted

TransitRouterId String tr-p0we2edef9qr44a85****

The ID of the transit router with which the IPsec-VPN connection is associated.

TransitRouterName String nametest

The name of the transit router.

CrossAccountAuthorized Boolean false

Indicates whether the IPsec-VPN connection is associated with a transit router that belongs to another Alibaba Cloud account. Valid values:

  • true
  • false

InternetIp String 10.XX.XX.10

The gateway IP address of the IPsec-VPN connection.

Note: This parameter is returned only when the IPsec-VPN connection is associated with a transit router.

Tag Array of Tag

The list of tags added to the IPsec-VPN connection.

Tag
Key String TagKey

The key of tag N.

Value String TagValue

The value of tag N.

TunnelOptionsSpecification Array of TunnelOptions

The tunnel configuration of the IPsec-VPN connection.

Parameters in TunnelOptionsSpecification are returned only if you query IPsec-VPN connections in dual-tunnel mode.

TunnelOptions
TunnelId String tun-opsqc4d97wni27****

The tunnel ID.

CustomerGatewayId String cgw-p0wy363lucf1uyae8****

The ID of the customer gateway associated with the tunnel.

EnableDpd String true

Indicates whether DPD is enabled for the tunnel. Valid values:

  • false
  • true

EnableNatTraversal String true

Indicates whether NAT traversal is enabled for the tunnel. Valid values:

  • false
  • true

InternetIp String 47.21.XX.XX

The tunnel IP address.

RemoteCaCertificate String -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----

The CA certificate of the tunnel peer.

This parameter is returned only if the VPN gateway is of the ShangMi (SM) type.

Role String master

The tunnel role. Valid values:

  • master
  • slave

State String active

The tunnel status. Valid values:

  • active
  • updating
  • deleting

Status String ipsec_sa_established

The status of the IPsec-VPN connection. Valid values:

  • ike_sa_not_established: Phase 1 negotiations failed.

  • ike_sa_established: Phase 1 negotiations succeeded.

  • ipsec_sa_not_established: Phase 2 negotiations failed.

  • ipsec_sa_established: Phase 2 negotiations succeeded.

TunnelBgpConfig Object

The BGP configuration.

BgpStatus String success

The negotiation status of BGP. Valid values:

  • success
  • false

LocalAsn String 65530

The ASN on the Alibaba Cloud side.

LocalBgpIp String 169.254.10.1

The BGP IP address on the Alibaba Cloud side.

PeerAsn String 65531

The peer ASN.

PeerBgpIp String 169.254.10.2

The peer BGP IP address.

TunnelCidr String 169.254.10.0/30

The BGP CIDR block of the tunnel.

TunnelIkeConfig Object

The configuration of Phase 1 negotiations.

IkeAuthAlg String sha1

The authentication algorithm in the IKE phase.

IkeEncAlg String aes

The encryption algorithm in the IKE phase.

IkeLifetime String 86400

The lifetime in the IKE phase. Unit: seconds.

IkeMode String main

The IKE negotiation mode.

  • main: This mode offers higher security during negotiations.
  • aggressive: This mode is faster and has a higher success rate.

IkePfs String group2

The DH group in the IKE phase.

IkeVersion String ikev1

The IKE version.

LocalId String 47.21.XX.XX

The identifier on the Alibaba Cloud side.

Psk String 123456****

The pre-shared key.

RemoteId String 47.42.XX.XX

The peer identifier.

TunnelIpsecConfig Object

The configuration of Phase 2 negotiations.

IpsecAuthAlg String sha1

The authentication algorithm in the IPsec phase.

IpsecEncAlg String aes

The encryption algorithm in the IPsec phase.

IpsecLifetime String 86400

The lifetime in the IPsec phase. Unit: seconds.

IpsecPfs String group2

The DH group in the IPsec phase.

ZoneNo String ap-southeast-5a

The zone of the tunnel.

EnableTunnelsBgp Boolean true

The BGP status of the tunnel. Valid values:

  • true
  • false

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeVpnConnections
&RegionId=cn-hangzhou
&VpnGatewayId=vpn-bp1q8bgx4xnkx****
&CustomerGatewayId=cgw-bp1mvj4g9kogw****
&PageNumber=1
&PageSize=10
&VpnConnectionId=vco-bp10lz7aejumd****
&Tag=[{"Key":"TagKey","Value":"TagValue"}]
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<DescribeVpnConnectionsResponse>
    <PageSize>10</PageSize>
    <RequestId>238752DC-0693-49BE-9C85-711D5691D3E5</RequestId>
    <PageNumber>1</PageNumber>
    <TotalCount>2</TotalCount>
    <VpnConnections>
        <Status>ipsec_sa_established</Status>
        <EnableNatTraversal>true</EnableNatTraversal>
        <RemoteCaCertificate>-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE----- </RemoteCaCertificate>
        <CreateTime>1492753817000</CreateTime>
        <EffectImmediately>true</EffectImmediately>
        <VpnGatewayId>vpn-bp1q8bgx4xnkm****</VpnGatewayId>
        <State>active</State>
        <LocalSubnet>192.168.0.0/16,172.17.0.0/16</LocalSubnet>
        <VpnConnectionId>vco-bp10lz7aejumd****</VpnConnectionId>
        <RemoteSubnet>10.0.0.0/8,172.16.0.0/16</RemoteSubnet>
        <CustomerGatewayId>cgw-bp1mvj4g9kogw****</CustomerGatewayId>
        <Name>nametest</Name>
        <EnableDpd>true</EnableDpd>
        <IkeConfig>
            <RemoteId>139.17.XX.XX</RemoteId>
            <IkeLifetime>86400</IkeLifetime>
            <IkeEncAlg>aes</IkeEncAlg>
            <LocalId>116.64.XX.XX</LocalId>
            <IkeMode>main</IkeMode>
            <IkeVersion>ikev1</IkeVersion>
            <IkePfs>group2</IkePfs>
            <Psk>pgw6dy7****</Psk>
            <IkeAuthAlg>sha1</IkeAuthAlg>
        </IkeConfig>
        <IpsecConfig>
            <IpsecAuthAlg>sha1</IpsecAuthAlg>
            <IpsecLifetime>86400</IpsecLifetime>
            <IpsecEncAlg>aes</IpsecEncAlg>
            <IpsecPfs>group2</IpsecPfs>
        </IpsecConfig>
        <VcoHealthCheck>
            <Status>success</Status>
            <Dip>192.168.0.1</Dip>
            <Interval>2</Interval>
            <Retry>3</Retry>
            <Sip>192.168.0.50</Sip>
            <Enable>true</Enable>
        </VcoHealthCheck>
        <VpnBgpConfig>
            <Status>success</Status>
            <PeerBgpIp>169.254.10.1</PeerBgpIp>
            <TunnelCidr>169.254.10.0/30</TunnelCidr>
            <LocalBgpIp>169.254.10.2</LocalBgpIp>
            <PeerAsn>65530</PeerAsn>
            <LocalAsn>65531</LocalAsn>
            <AuthKey>AuthKey****</AuthKey>
        </VpnBgpConfig>
        <Tag>
            <Key>TagKey</Key>
            <Value>TagValue</Value>
        </Tag>
    </VpnConnections>
</DescribeVpnConnectionsResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "PageSize" : 10,
  "RequestId" : "238752DC-0693-49BE-9C85-711D5691D3E5",
  "PageNumber" : 1,
  "TotalCount" : 2,
  "VpnConnections" : [ {
    "Status" : "ipsec_sa_established",
    "EnableNatTraversal" : true,
    "RemoteCaCertificate" : "-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE----- ",
    "CreateTime" : 1492753817000,
    "EffectImmediately" : true,
    "VpnGatewayId" : "vpn-bp1q8bgx4xnkm****",
    "State" : "active",
    "LocalSubnet" : "192.168.0.0/16,172.17.0.0/16",
    "VpnConnectionId" : "vco-bp10lz7aejumd****",
    "RemoteSubnet" : "10.0.0.0/8,172.16.0.0/16",
    "CustomerGatewayId" : "cgw-bp1mvj4g9kogw****",
    "Name" : "nametest",
    "EnableDpd" : true,
    "IkeConfig" : {
      "RemoteId" : "139.17.XX.XX",
      "IkeLifetime" : 86400,
      "IkeEncAlg" : "aes",
      "LocalId" : "116.64.XX.XX",
      "IkeMode" : "main",
      "IkeVersion" : "ikev1",
      "IkePfs" : "group2",
      "Psk" : "pgw6dy7****",
      "IkeAuthAlg" : "sha1"
    },
    "IpsecConfig" : {
      "IpsecAuthAlg" : "sha1",
      "IpsecLifetime" : 86400,
      "IpsecEncAlg" : "aes",
      "IpsecPfs" : "group2"
    },
    "VcoHealthCheck" : {
      "Status" : "success",
      "Dip" : "192.168.0.1",
      "Interval" : 2,
      "Retry" : 3,
      "Sip" : "192.168.0.50",
      "Enable" : "true"
    },
    "VpnBgpConfig" : {
      "Status" : "success",
      "PeerBgpIp" : "169.254.10.1",
      "TunnelCidr" : "169.254.10.0/30",
      "LocalBgpIp" : "169.254.10.2",
      "PeerAsn" : "65530",
      "LocalAsn" : 65531,
      "AuthKey" : "AuthKey****"
    },
    "Tag" : [ {
      "Key" : "TagKey",
      "Value" : "TagValue"
    } ]
  } ]
}
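
An added example (not from Alibaba Cloud's documentation or SDKs): a Python audit over a parsed DescribeVpnConnections JSON response that flags legacy Phase 1 and Phase 2 settings and masks the Psk and AuthKey fields before the response is written to a log. The LEGACY policy, the function names, and the tolerance for a wrapper object around arrays are assumptions of this example.

```python
import json

# Example policy (an assumption, not an Alibaba Cloud rule): values documented
# on this page that many hardening baselines treat as legacy.
LEGACY = {"IkeVersion": {"ikev1"}, "IkeMode": {"aggressive"},
          "IkeAuthAlg": {"sha1"}, "IpsecAuthAlg": {"sha1"},
          "IkePfs": {"group2"}, "IpsecPfs": {"group2"}}
SECRET_FIELDS = {"Psk", "AuthKey"}  # secrets carried in the response body

# Constructed sample, trimmed from the fields documented on this page.
SAMPLE = json.loads("""{"VpnConnections": [{
  "VpnConnectionId": "vco-bp10lz7aejumd****",
  "IkeConfig": {"IkeVersion": "ikev1", "IkeMode": "main", "IkeEncAlg": "aes",
                "IkePfs": "group2", "IkeAuthAlg": "sha1", "Psk": "pgw6dy7****"},
  "IpsecConfig": {"IpsecAuthAlg": "sha1", "IpsecEncAlg": "aes",
                  "IpsecPfs": "group2"},
  "VpnBgpConfig": {"AuthKey": "AuthKey****"}}]}""")

def _items(node, element):
    """Accept a flat array (as in the sample) or an {element: [...]} wrapper."""
    if isinstance(node, dict):
        node = node.get(element)
    return node or []

def _check(conn_id, scope, cfg, findings):
    for field, bad in LEGACY.items():
        value = str(cfg.get(field, "")).lower()
        if value in bad:
            findings.append((conn_id, scope, field, value))

def audit(response):
    """Return (connection id, scope, field, value) for each legacy setting."""
    findings = []
    for conn in _items(response.get("VpnConnections"), "VpnConnection"):
        cid = conn.get("VpnConnectionId", "?")
        for key in ("IkeConfig", "IpsecConfig"):
            _check(cid, key, conn.get(key) or {}, findings)
        # Dual-tunnel mode: each tunnel carries its own Phase 1/2 settings.
        for tun in _items(conn.get("TunnelOptionsSpecification"), "TunnelOptions"):
            for key in ("TunnelIkeConfig", "TunnelIpsecConfig"):
                scope = f"{tun.get('TunnelId', '?')}/{key}"
                _check(cid, scope, tun.get(key) or {}, findings)
    return findings

def redact(node):
    """Copy of a response with Psk and AuthKey masked, for logging."""
    if isinstance(node, dict):
        return {k: "***" if k in SECRET_FIELDS else redact(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node
```

Run `audit()` on each page of results until TotalCount entries have been seen, and pass responses through `redact()` before they reach logs or tickets.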

Error codes

HttpCode Error code Error message Description

400 Forbidden.TagKey.Duplicated The specified tag key already exists. The tag resources are duplicate.
400 SizeLimitExceeded.TagNum The maximum number of tags is exceeded. The number of tags has reached the upper limit.
400 InvalidParameter.TagValue The specified parameter TagValue is invalid. The tag value is invalid.
400 InvalidParameter.TagKey The specified parameter TagKey is invalid. The tag key is invalid.
400 Duplicated.TagKey The specified parameter TagKey is duplicated. The tag key already exists.
403 Forbbiden.SubUser User not authorized to operate on the specified resource as your account is created by another user. You are unauthorized to perform this operation on the specified resource. You can apply for the required permissions and try again.
403 Forbidden User not authorized to operate on the specified resource. You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again.

For a list of error codes, see Service error codes.