DescribeVpnConnection

Last updated: Aug 15, 2023

Queries the detailed information about an IPsec-VPN connection.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

| Parameter | Type | Required | Example | Description |
| --- | --- | --- | --- | --- |
| Action | String | Yes | DescribeVpnConnection | The operation that you want to perform. Set the value to DescribeVpnConnection. |
| RegionId | String | Yes | cn-hangzhou | The ID of the region where the IPsec-VPN connection is created. You can call the DescribeRegions operation to query the most recent region list. |
| VpnConnectionId | String | Yes | vco-bp1bbi27hojx80nck**** | The ID of the IPsec-VPN connection. |

Response parameters

Parameter Type Example Description

Status String ike_sa_not_established

The status of the IPsec-VPN connection. Valid values:

  • ike_sa_not_established: Phase 1 negotiations failed.

  • ike_sa_established: Phase 1 negotiations were successful.

  • ipsec_sa_not_established: Phase 2 negotiations failed.

  • ipsec_sa_established: Phase 2 negotiations were successful.

RemoteCaCertificate String -----BEGIN CERTIFICATE----- MIIB7zCCAZW****

The CA certificate of the peer.

EnableNatTraversal Boolean true

Indicates whether NAT traversal is enabled for the IPsec-VPN connection.

  • true

  • false

After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel.

CreateTime Long 1492753817000

The timestamp that indicates when the IPsec-VPN connection was established. Unit: milliseconds.

This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.

EffectImmediately Boolean true

Indicates whether IPsec negotiations immediately start.

  • true: Negotiations are reinitiated after the configuration is changed.

  • false: Negotiations are reinitiated when traffic is detected.

VpnGatewayId String vpn-bp1q8bgx4xnkm2ogj****

The ID of the VPN gateway.

LocalSubnet String 10.0.0.0/8

The CIDR block on the Alibaba Cloud side.

CIDR blocks are separated with commas (,).

RequestId String F2310D45-BCF6-4E2E-9082-B4503844BA4C

The request ID.

VpnConnectionId String vco-bp1bbi27hojx80nck****

The ID of the IPsec-VPN connection.

RemoteSubnet String 192.168.0.0/16

The CIDR block on the data center side.

CIDR blocks are separated with commas (,).

CustomerGatewayId String cgw-bp1mvj4g9kogwwcxk****

The ID of the customer gateway associated with the IPsec-VPN connection.

Name String ipsec1

The name of the IPsec-VPN connection.

EnableDpd Boolean true

Indicates whether dead peer detection (DPD) is enabled for the IPsec-VPN connection. Valid values:

  • false

  • true

After you enable DPD, the initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. Then, the ISAKMP SA, IPsec SA, and IPsec tunnel are deleted.

IkeConfig Object

The configurations of Phase 1 negotiations.

RemoteId String 139.34.XX.XX

The identifier on the data center side.

IkeLifetime Long 86400

The lifetime in the IKE phase. Unit: seconds.

IkeEncAlg String aes

The encryption algorithm in the IKE phase.

LocalId String 116.28.XX.XX

The identifier on the Alibaba Cloud side.

IkeMode String main

The IKE negotiation mode. Valid values:

  • main: This mode offers higher security during negotiations.
  • aggressive: This mode is faster and has a higher success rate.

IkeVersion String ikev1

The IKE version.

  • ikev1
  • ikev2

Compared with IKEv1, IKEv2 simplifies the SA negotiation process and is more suitable for scenarios in which multiple CIDR blocks are used.

IkePfs String group2

The DH group in the IKE phase.

Psk String pgw6dy****

The pre-shared key.

IkeAuthAlg String sha1

The authentication algorithm in the IKE phase.

IpsecConfig Object

The configurations of Phase 2 negotiations.

IpsecAuthAlg String sha1

The authentication algorithm in the IPsec phase.

IpsecLifetime Long 86400

The lifetime in the IPsec phase. Unit: seconds.

IpsecEncAlg String aes

The encryption algorithm in the IPsec phase.

IpsecPfs String group2

The DH group in the IPsec phase.

VcoHealthCheck Object

The health check information about the IPsec-VPN connection.

Status String failed

The health check status. Valid values:

  • failed

  • success

Dip String 10.0.0.1

The destination IP address.

Interval Integer 3

The interval of health check retries. Unit: seconds.

Retry Integer 3

The maximum number of health check retries.

Sip String 192.168.1.1

The source IP address.

Enable String true

Indicates whether the health check feature is enabled for the IPsec-VPN connection. Valid values:

  • false

  • true

Policy String revoke_route

Indicates whether advertised routes are withdrawn when the health check fails.

  • revoke_route
  • reserve_route

VpnBgpConfig Object

The BGP configuration of the IPsec-VPN connection.

Status String success

The negotiation status of the BGP routing protocol.

  • success

  • failed

PeerBgpIp String 169.254.11.1

The BGP IP address of the peer.

TunnelCidr String 169.254.11.0/30

The BGP CIDR block of the IPsec-VPN connection. The CIDR block falls within 169.254.0.0/16. The mask of the CIDR block is 30 bits in length.

EnableBgp String true

The status of the BGP routing protocol. Valid values:

  • true

  • false

LocalBgpIp String 169.254.11.2

The BGP IP address on the Alibaba Cloud side.

PeerAsn Long 65530

The autonomous system number (ASN) of the peer.

LocalAsn Long 65531

The ASN on the Alibaba Cloud side.

AuthKey String AuthKey****

The authentication key of the BGP routing protocol.

AttachType String CEN

The type of resource that is associated with the IPsec-VPN connection. Valid values:

  • CEN: indicates that the IPsec-VPN connection is associated with a transit router of a Cloud Enterprise Network (CEN) instance.
  • NO_ASSOCIATED: indicates that the IPsec-VPN connection is not associated with a resource.
  • VPNGW: indicates that the IPsec-VPN connection is associated with a VPN gateway.

NetworkType String public

The network type of the IPsec-VPN connection. Valid values:

  • public
  • private

AttachInstanceId String cen-lxxpbpalc776qz****

The ID of the CEN instance to which the transit router belongs.

Spec String 1000M

The bandwidth specification of the IPsec-VPN connection. Unit: Mbit/s.

State String attached

The association status of the IPsec-VPN connection. Valid values:

  • active: The IPsec-VPN connection is associated with a VPN gateway.
  • init: The IPsec-VPN connection is not associated with a resource and is being initialized.
  • attaching: The IPsec-VPN connection is being associated with a transit router.
  • attached: The IPsec-VPN connection is associated with a transit router.
  • detaching: The IPsec-VPN connection is being disassociated from a transit router.
  • financialLocked: The IPsec-VPN connection is locked due to overdue payments.
  • provisioning: The IPsec-VPN connection is being prepared.
  • updating: The IPsec-VPN connection is being updated.
  • upgrading: The IPsec-VPN connection is being upgraded.
  • deleted: The IPsec-VPN connection is deleted.

ZoneNo String ap-southeast-2b

The ID of the zone where the IPsec-VPN connection is deployed.

You can call DescribeZones to query zone IDs.

InternetIp String 47.XX.XX.162

The gateway IP address of the IPsec-VPN connection.

TransitRouterId String tr-p0we2edef9qr44a85****

The ID of the transit router with which the IPsec-VPN connection is associated.

TransitRouterName String nametest

The name of the transit router.

CrossAccountAuthorized Boolean false

Indicates whether the IPsec-VPN connection is associated with a transit router that belongs to another Alibaba Cloud account. Valid values:

  • true
  • false

Tags Array of Tag

The list of tags added to the IPsec-VPN connection.

Tag

Key String TagKey

The key of tag N.

Value String TagValue

The value of tag N.

TunnelOptionsSpecification Array of TunnelOptions

The tunnel configuration of the IPsec-VPN connection.

Parameters in TunnelOptionsSpecification are returned only if you query IPsec-VPN connections in dual-tunnel mode.

TunnelOptions

TunnelId String tun-opsqc4d97wni27****

The tunnel ID.

CustomerGatewayId String cgw-p0wy363lucf1uyae8****

The ID of the customer gateway associated with the tunnel.

EnableDpd String true

Indicates whether DPD is enabled for the tunnel. Valid values:

  • false
  • true

EnableNatTraversal String true

Indicates whether NAT traversal is enabled for the tunnel.

  • false
  • true

InternetIp String 47.21.XX.XX

The tunnel IP address.

RemoteCaCertificate String -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----

The CA certificate of the tunnel peer.

This parameter is returned only if the VPN gateway is of the ShangMi (SM) type.

Role String master

The tunnel role. Valid values:

  • master
  • slave

State String active

The tunnel status. Valid values:

  • active
  • updating
  • deleting

Status String ipsec_sa_established

The status of the IPsec-VPN connection. Valid values:

  • ike_sa_not_established: Phase 1 negotiations failed.

  • ike_sa_established: Phase 1 negotiations were successful.

  • ipsec_sa_not_established: Phase 2 negotiations failed.

  • ipsec_sa_established: Phase 2 negotiations were successful.

TunnelBgpConfig Object

The BGP configurations.

BgpStatus String success

The negotiation status of BGP. Valid values:

  • success
  • false

LocalAsn String 65530

The ASN on the Alibaba Cloud side.

LocalBgpIp String 169.254.10.1

The BGP IP address on the Alibaba Cloud side.

PeerAsn String 65531

The peer ASN.

PeerBgpIp String 169.254.10.2

The peer BGP IP address.

TunnelCidr String 169.254.10.0/30

The BGP CIDR block of the tunnel.

TunnelIkeConfig Object

The configurations of Phase 1 negotiations.

IkeAuthAlg String sha1

The authentication algorithm in the IKE phase.

IkeEncAlg String aes

The encryption algorithm in the IKE phase.

IkeLifetime String 86400

The lifetime in the IKE phase. Unit: seconds.

IkeMode String main

The IKE negotiation mode. Valid values:

  • main: This mode offers higher security during negotiations.
  • aggressive: This mode is faster and has a higher success rate.

IkePfs String group2

The DH group in the IKE phase.

IkeVersion String ikev1

The IKE version.

LocalId String 47.21.XX.XX

The identifier on the Alibaba Cloud side.

Psk String 123456****

The pre-shared key.

RemoteId String 47.42.XX.XX

The peer identifier.

TunnelIpsecConfig Object

The configurations of Phase 2 negotiations.

IpsecAuthAlg String sha1

The authentication algorithm in the IPsec phase.

IpsecEncAlg String aes

The encryption algorithm in the IPsec phase.

IpsecLifetime String 86400

The lifetime in the IPsec phase. Unit: seconds.

IpsecPfs String group2

The DH group in the IPsec phase.

ZoneNo String ap-southeast-5a

The zone where the tunnel is deployed.

You can call DescribeZones to query zone IDs.

EnableTunnelsBgp Boolean true

The BGP status of the tunnel. Valid values:

  • true
  • false

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeVpnConnection
&RegionId=cn-hangzhou
&VpnConnectionId=vco-bp1bbi27hojx80nck****
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<DescribeVpnConnectionResponse>
    <Status>ike_sa_not_established</Status>
    <RemoteCaCertificate>-----BEGIN CERTIFICATE----- MIIB7zCCAZW****</RemoteCaCertificate>
    <EnableNatTraversal>true</EnableNatTraversal>
    <CreateTime>1492753817000</CreateTime>
    <EffectImmediately>true</EffectImmediately>
    <VpnGatewayId>vpn-bp1q8bgx4xnkm2ogj****</VpnGatewayId>
    <State>active</State>
    <LocalSubnet>10.0.0.0/8</LocalSubnet>
    <RequestId>F2310D45-BCF6-4E2E-9082-B4503844BA4C</RequestId>
    <VpnConnectionId>vco-bp1bbi27hojx80nck****</VpnConnectionId>
    <RemoteSubnet>192.168.0.0/16</RemoteSubnet>
    <CustomerGatewayId>cgw-bp1mvj4g9kogwwcxk****</CustomerGatewayId>
    <Name>ipsec1</Name>
    <EnableDpd>true</EnableDpd>
    <IkeConfig>
        <RemoteId>139.34.XX.XX</RemoteId>
        <IkeLifetime>86400</IkeLifetime>
        <IkeEncAlg>aes</IkeEncAlg>
        <LocalId>116.28.XX.XX</LocalId>
        <IkeMode>main</IkeMode>
        <IkeVersion>ikev1</IkeVersion>
        <IkePfs>group2</IkePfs>
        <Psk>pgw6dy****</Psk>
        <IkeAuthAlg>sha1</IkeAuthAlg>
    </IkeConfig>
    <IpsecConfig>
        <IpsecAuthAlg>sha1</IpsecAuthAlg>
        <IpsecLifetime>86400</IpsecLifetime>
        <IpsecEncAlg>aes</IpsecEncAlg>
        <IpsecPfs>group2</IpsecPfs>
    </IpsecConfig>
    <VcoHealthCheck>
        <Status>failed</Status>
        <Dip>10.0.0.1</Dip>
        <Interval>3</Interval>
        <Retry>3</Retry>
        <Sip>192.168.1.1</Sip>
        <Enable>true</Enable>
    </VcoHealthCheck>
    <VpnBgpConfig>
        <Status>success</Status>
        <PeerBgpIp>169.254.11.1</PeerBgpIp>
        <TunnelCidr>169.254.11.0/30</TunnelCidr>
        <EnableBgp>true</EnableBgp>
        <LocalBgpIp>169.254.11.2</LocalBgpIp>
        <PeerAsn>65530</PeerAsn>
        <LocalAsn>65531</LocalAsn>
        <AuthKey>AuthKey****</AuthKey>
    </VpnBgpConfig>
</DescribeVpnConnectionResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "Status" : "ike_sa_not_established",
  "RemoteCaCertificate" : "-----BEGIN CERTIFICATE----- MIIB7zCCAZW****",
  "EnableNatTraversal" : true,
  "CreateTime" : 1492753817000,
  "EffectImmediately" : true,
  "VpnGatewayId" : "vpn-bp1q8bgx4xnkm2ogj****",
  "State" : "active",
  "LocalSubnet" : "10.0.0.0/8",
  "RequestId" : "F2310D45-BCF6-4E2E-9082-B4503844BA4C",
  "VpnConnectionId" : "vco-bp1bbi27hojx80nck****",
  "RemoteSubnet" : "192.168.0.0/16",
  "CustomerGatewayId" : "cgw-bp1mvj4g9kogwwcxk****",
  "Name" : "ipsec1",
  "EnableDpd" : true,
  "IkeConfig" : {
    "RemoteId" : "139.34.XX.XX",
    "IkeLifetime" : 86400,
    "IkeEncAlg" : "aes",
    "LocalId" : "116.28.XX.XX",
    "IkeMode" : "main",
    "IkeVersion" : "ikev1",
    "IkePfs" : "group2",
    "Psk" : "pgw6dy****",
    "IkeAuthAlg" : "sha1"
  },
  "IpsecConfig" : {
    "IpsecAuthAlg" : "sha1",
    "IpsecLifetime" : 86400,
    "IpsecEncAlg" : "aes",
    "IpsecPfs" : "group2"
  },
  "VcoHealthCheck" : {
    "Status" : "failed",
    "Dip" : "10.0.0.1",
    "Interval" : 3,
    "Retry" : 3,
    "Sip" : "192.168.1.1",
    "Enable" : "true"
  },
  "VpnBgpConfig" : {
    "Status" : "success",
    "PeerBgpIp" : "169.254.11.1",
    "TunnelCidr" : "169.254.11.0/30",
    "EnableBgp" : "true",
    "LocalBgpIp" : "169.254.11.2",
    "PeerAsn" : 65530,
    "LocalAsn" : 65531,
    "AuthKey" : "AuthKey****"
  }
}
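
The response includes the Psk and AuthKey fields next to the negotiated IKE and IPsec parameters, so it should be redacted before it is logged and can be audited for weak settings. The following is an added example, not part of the Alibaba Cloud documentation or SDK: it works on an already-parsed JSON response, and the WEAK deny-list and the function names redact and audit are assumptions of this example.

```python
import json

# Constructed sample, trimmed from the JSON sample response on this page.
SAMPLE = json.loads("""{
  "VpnConnectionId": "vco-bp1bbi27hojx80nck****",
  "IkeConfig": {"IkeMode": "main", "IkeVersion": "ikev1", "IkePfs": "group2",
                "IkeEncAlg": "aes", "IkeAuthAlg": "sha1", "Psk": "pgw6dy****"},
  "IpsecConfig": {"IpsecAuthAlg": "sha1", "IpsecEncAlg": "aes", "IpsecPfs": "group2"},
  "VpnBgpConfig": {"EnableBgp": "true", "AuthKey": "AuthKey****"}
}""")

SECRET_FIELDS = {"Psk", "AuthKey"}  # secret-bearing fields in the response
# Assumed local policy (not from the page): values to flag per field.
WEAK = {
    "IkeVersion": {"ikev1"}, "IkeMode": {"aggressive"},
    "IkeAuthAlg": {"sha1", "md5"}, "IpsecAuthAlg": {"sha1", "md5"},
    "IkeEncAlg": {"des", "3des"}, "IpsecEncAlg": {"des", "3des"},
    "IkePfs": {"group1", "group2"}, "IpsecPfs": {"group1", "group2"},
}

def redact(node):
    """Return a copy of the response with secret fields masked, safe to log."""
    if isinstance(node, dict):
        return {k: "<redacted>" if k in SECRET_FIELDS and v else redact(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node

def audit(node, path=""):
    """Walk the response recursively; return sorted 'path=value' findings.

    Recursion also covers the per-tunnel TunnelIkeConfig / TunnelIpsecConfig
    objects returned in dual-tunnel mode, whatever their nesting.
    """
    findings = []
    if isinstance(node, dict):
        for k, v in node.items():
            here = f"{path}.{k}" if path else k
            if isinstance(v, str) and v.lower() in WEAK.get(k, ()):
                findings.append(f"{here}={v}")
            findings += audit(v, here)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            findings += audit(v, f"{path}[{i}]")
    return sorted(findings)

if __name__ == "__main__":
    print(json.dumps(redact(SAMPLE), indent=2))
    for finding in audit(SAMPLE):
        print("WEAK:", finding)
```
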

Error codes

| HttpCode | Error code | Error message | Description |
| --- | --- | --- | --- |
| 403 | Forbbiden.SubUser | User not authorized to operate on the specified resource as your account is created by another user. | You are unauthorized to perform this operation on the specified resource. You can apply for the required permissions and try again. |
| 403 | Forbidden | User not authorized to operate on the specified resource. | You are unauthorized to perform this operation on the specified resource. You can apply for the required permissions and try again. |
| 404 | InvalidVpnConnectionInstanceId.NotFound | The specified vpn connection instance id does not exist. | The specified IPsec connection does not exist. Check whether the ID of the IPsec connection is valid. |

For a list of error codes, see Service error codes.