Queries the detailed information about an IPsec-VPN connection.
Request parameters
Parameter | Type | Required | Example | Description |
Action | String | Yes | DescribeVpnConnection | The operation that you want to perform. Set the value to DescribeVpnConnection. |
RegionId | String | Yes | cn-hangzhou | The ID of the region where the IPsec-VPN connection is created. You can call the DescribeRegions operation to query the most recent region list. |
VpnConnectionId | String | Yes | vco-bp1bbi27hojx80nck**** | The ID of the IPsec-VPN connection. |
Response parameters
Parameter | Type | Example | Description |
Status | String | ike_sa_not_established | The status of the IPsec-VPN connection. Valid values:
|
RemoteCaCertificate | String | -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** | The CA certificate of the peer. |
EnableNatTraversal | Boolean | true | Indicates whether NAT traversal is enabled for the IPsec-VPN connection.
After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel. |
CreateTime | Long | 1492753817000 | The timestamp that indicates when the IPsec-VPN connection was established. Unit: milliseconds. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. |
EffectImmediately | Boolean | true | Indicates whether IPsec negotiations immediately start.
|
VpnGatewayId | String | vpn-bp1q8bgx4xnkm2ogj**** | The ID of the VPN gateway. |
LocalSubnet | String | 10.0.0.0/8 | The CIDR block on the Alibaba Cloud side. CIDR blocks are separated with commas (,). |
RequestId | String | F2310D45-BCF6-4E2E-9082-B4503844BA4C | The request ID. |
VpnConnectionId | String | vco-bp1bbi27hojx80nck**** | The ID of the IPsec-VPN connection. |
RemoteSubnet | String | 192.168.0.0/16 | The CIDR block on the data center side. CIDR blocks are separated with commas (,). |
CustomerGatewayId | String | cgw-bp1mvj4g9kogwwcxk**** | The ID of the customer gateway associated with the IPsec-VPN connection. |
Name | String | ipsec1 | The name of the IPsec-VPN connection. |
EnableDpd | Boolean | true | Indicates whether dead peer detection (DPD) is enabled for the IPsec-VPN connection. Valid values:
After you enable DPD, the initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. Then, the ISAKMP SA, IPsec SA, and IPsec tunnel are deleted. |
IkeConfig | Object | The configurations of Phase 1 negotiations. |
|
RemoteId | String | 139.34.XX.XX | The identifier on the data center side. |
IkeLifetime | Long | 86400 | The lifetime in the IKE phase. Unit: seconds. |
IkeEncAlg | String | aes | The encryption algorithm in the IKE phase. |
LocalId | String | 116.28.XX.XX | The identifier on the Alibaba Cloud side. |
IkeMode | String | main | The IKE negotiation mode. Valid values:
|
IkeVersion | String | ikev1 | The IKE version.
Compared with IKEv1, IKEv2 simplifies the SA negotiation process and is more suitable for scenarios in which multiple CIDR blocks are used. |
IkePfs | String | group2 | The DH group in the IKE phase. |
Psk | String | pgw6dy**** | The pre-shared key. |
IkeAuthAlg | String | sha1 | The authentication algorithm in the IKE phase. |
IpsecConfig | Object | The configurations of Phase 2 negotiations. |
|
IpsecAuthAlg | String | sha1 | The authentication algorithm in the IPsec phase. |
IpsecLifetime | Long | 86400 | The lifetime in the IPsec phase. Unit: seconds. |
IpsecEncAlg | String | aes | The encryption algorithm in the IPsec phase. |
IpsecPfs | String | group2 | The DH group in the IPsec phase. |
VcoHealthCheck | Object | The health check information about the IPsec-VPN connection. |
|
Status | String | failed | The health check status. Valid values:
|
Dip | String | 10.0.0.1 | The destination IP address. |
Interval | Integer | 3 | The interval of health check retries. Unit: seconds. |
Retry | Integer | 3 | The maximum number of health check retries. |
Sip | String | 192.168.1.1 | The source IP address. |
Enable | String | true | Indicates whether the health check feature is enabled for the IPsec-VPN connection. Valid values:
|
Policy | String | revoke_route | Indicates whether advertised routes are withdrawn when the health check fails.
|
VpnBgpConfig | Object | The BGP configuration of the IPsec-VPN connection. |
|
Status | String | success | The negotiation status of the BGP routing protocol.
|
PeerBgpIp | String | 169.254.11.1 | The BGP IP address of the peer. |
TunnelCidr | String | 169.254.11.0/30 | The BGP CIDR block of the IPsec-VPN connection. The CIDR block falls within 169.254.0.0/16. The mask of the CIDR block is 30 bits in length. |
EnableBgp | String | true | The status of the BGP routing protocol. Valid values:
|
LocalBgpIp | String | 169.254.11.2 | The BGP IP address on the Alibaba Cloud side. |
PeerAsn | Long | 65530 | The autonomous system number (ASN) of the peer. |
LocalAsn | Long | 65531 | The ASN on the Alibaba Cloud side. |
AuthKey | String | AuthKey**** | The authentication key of the BGP routing protocol. |
AttachType | String | CEN | The type of resource that is associated with the IPsec-VPN connection. Valid values:
|
NetworkType | String | public | The network type of the IPsec-VPN connection. Valid values:
|
AttachInstanceId | String | cen-lxxpbpalc776qz**** | The ID of the CEN instance to which the transit router belongs. |
Spec | String | 1000M | The bandwidth specification of the IPsec-VPN connection. Unit: Mbit/s. |
State | String | attached | The association status of the IPsec-VPN connection. Valid values:
|
ZoneNo | String | ap-southeast-2b | The ID of the zone where the IPsec-VPN connection is deployed. You can call DescribeZones to query zone IDs. |
InternetIp | String | 47.XX.XX.162 | The gateway IP address of the IPsec-VPN connection. |
TransitRouterId | String | tr-p0we2edef9qr44a85**** | The ID of the transit router with which the IPsec-VPN connection is associated. |
TransitRouterName | String | nametest | The name of the transit router. |
CrossAccountAuthorized | Boolean | false | Indicates whether the IPsec-VPN connection is associated with a transit router that belongs to another Alibaba Cloud account. Valid values:
|
Tags | Array of Tag | The list of tags added to the IPsec-VPN connection. |
|
Tag | |||
Key | String | TagKey | The key of tag N. |
Value | String | TagValue | The value of tag N. |
TunnelOptionsSpecification | Array of TunnelOptions | The tunnel configuration of the IPsec-VPN connection. Parameters in TunnelOptionsSpecification are returned only if you query IPsec-VPN connections in dual-tunnel mode. |
|
TunnelOptions | |||
TunnelId | String | tun-opsqc4d97wni27**** | The tunnel ID. |
CustomerGatewayId | String | cgw-p0wy363lucf1uyae8**** | The ID of the customer gateway associated with the tunnel. |
EnableDpd | String | true | Indicates whether DPD is enabled for the tunnel. Valid values:
|
EnableNatTraversal | String | true | Indicates whether NAT traversal is enabled for the tunnel.
|
InternetIp | String | 47.21.XX.XX | The tunnel IP address. |
RemoteCaCertificate | String | -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE----- | The CA certificate of the tunnel peer. This parameter is returned only if the VPN gateway is of the ShangMi (SM) type. |
Role | String | master | The tunnel role. Valid values:
|
State | String | active | The tunnel status. Valid values:
|
Status | String | ipsec_sa_established | The status of the IPsec-VPN connection. Valid values:
|
TunnelBgpConfig | Object | The BGP configurations. |
|
BgpStatus | String | success | The negotiation status of BGP. Valid values:
|
LocalAsn | String | 65530 | The ASN on the Alibaba Cloud side. |
LocalBgpIp | String | 169.254.10.1 | The BGP IP address on the Alibaba Cloud side. |
PeerAsn | String | 65531 | The peer ASN. |
PeerBgpIp | String | 169.254.10.2 | The peer BGP IP address. |
TunnelCidr | String | 169.254.10.0/30 | The BGP CIDR block of the tunnel. |
TunnelIkeConfig | Object | The configurations of Phase 1 negotiations. |
|
IkeAuthAlg | String | sha1 | The authentication algorithm in the IKE phase. |
IkeEncAlg | String | aes | The encryption algorithm in the IKE phase. |
IkeLifetime | String | 86400 | The lifetime in the IKE phase. Unit: seconds. |
IkeMode | String | main | The IKE negotiation mode. Valid values:
|
IkePfs | String | group2 | The DH group in the IKE phase. |
IkeVersion | String | ikev1 | The IKE version. |
LocalId | String | 47.21.XX.XX | The identifier on the Alibaba Cloud side. |
Psk | String | 123456**** | The pre-shared key. |
RemoteId | String | 47.42.XX.XX | The peer identifier. |
TunnelIpsecConfig | Object | The configurations of Phase 2 negotiations. |
|
IpsecAuthAlg | String | sha1 | The authentication algorithm in the IPsec phase. |
IpsecEncAlg | String | aes | The encryption algorithm in the IPsec phase. |
IpsecLifetime | String | 86400 | The lifetime in the IPsec phase. Unit: seconds. |
IpsecPfs | String | group2 | The DH group in the IPsec phase. |
ZoneNo | String | ap-southeast-5a | The zone where the tunnel is deployed. You can call DescribeZones to query zone IDs. |
EnableTunnelsBgp | Boolean | true | The BGP status of the tunnel. Valid values:
|
Examples
Sample requests
http(s)://[Endpoint]/?Action=DescribeVpnConnection
&RegionId=cn-hangzhou
&VpnConnectionId=vco-bp1bbi27hojx80nck****
&Common request parameters
Sample success responses
XML format
HTTP/1.1 200 OK
Content-Type:application/xml
<DescribeVpnConnectionResponse>
  <Status>ike_sa_not_established</Status>
  <RemoteCaCertificate>-----BEGIN CERTIFICATE----- MIIB7zCCAZW****</RemoteCaCertificate>
  <EnableNatTraversal>true</EnableNatTraversal>
  <CreateTime>1492753817000</CreateTime>
  <EffectImmediately>true</EffectImmediately>
  <VpnGatewayId>vpn-bp1q8bgx4xnkm2ogj****</VpnGatewayId>
  <State>active</State>
  <LocalSubnet>10.0.0.0/8</LocalSubnet>
  <RequestId>F2310D45-BCF6-4E2E-9082-B4503844BA4C</RequestId>
  <VpnConnectionId>vco-bp1bbi27hojx80nck****</VpnConnectionId>
  <RemoteSubnet>192.168.0.0/16</RemoteSubnet>
  <CustomerGatewayId>cgw-bp1mvj4g9kogwwcxk****</CustomerGatewayId>
  <Name>ipsec1</Name>
  <EnableDpd>true</EnableDpd>
  <IkeConfig>
    <RemoteId>139.34.XX.XX</RemoteId>
    <IkeLifetime>86400</IkeLifetime>
    <IkeEncAlg>aes</IkeEncAlg>
    <LocalId>116.28.XX.XX</LocalId>
    <IkeMode>main</IkeMode>
    <IkeVersion>ikev1</IkeVersion>
    <IkePfs>group2</IkePfs>
    <Psk>pgw6dy****</Psk>
    <IkeAuthAlg>sha1</IkeAuthAlg>
  </IkeConfig>
  <IpsecConfig>
    <IpsecAuthAlg>sha1</IpsecAuthAlg>
    <IpsecLifetime>86400</IpsecLifetime>
    <IpsecEncAlg>aes</IpsecEncAlg>
    <IpsecPfs>group2</IpsecPfs>
  </IpsecConfig>
  <VcoHealthCheck>
    <Status>failed</Status>
    <Dip>10.0.0.1</Dip>
    <Interval>3</Interval>
    <Retry>3</Retry>
    <Sip>192.168.1.1</Sip>
    <Enable>true</Enable>
  </VcoHealthCheck>
  <VpnBgpConfig>
    <Status>success</Status>
    <PeerBgpIp>169.254.11.1</PeerBgpIp>
    <TunnelCidr>169.254.11.0/30</TunnelCidr>
    <EnableBgp>true</EnableBgp>
    <LocalBgpIp>169.254.11.2</LocalBgpIp>
    <PeerAsn>65530</PeerAsn>
    <LocalAsn>65531</LocalAsn>
    <AuthKey>AuthKey****</AuthKey>
  </VpnBgpConfig>
</DescribeVpnConnectionResponse>
JSON format
HTTP/1.1 200 OK
Content-Type:application/json
{
  "Status" : "ike_sa_not_established",
  "RemoteCaCertificate" : "-----BEGIN CERTIFICATE----- MIIB7zCCAZW****",
  "EnableNatTraversal" : true,
  "CreateTime" : 1492753817000,
  "EffectImmediately" : true,
  "VpnGatewayId" : "vpn-bp1q8bgx4xnkm2ogj****",
  "State" : "active",
  "LocalSubnet" : "10.0.0.0/8",
  "RequestId" : "F2310D45-BCF6-4E2E-9082-B4503844BA4C",
  "VpnConnectionId" : "vco-bp1bbi27hojx80nck****",
  "RemoteSubnet" : "192.168.0.0/16",
  "CustomerGatewayId" : "cgw-bp1mvj4g9kogwwcxk****",
  "Name" : "ipsec1",
  "EnableDpd" : true,
  "IkeConfig" : {
    "RemoteId" : "139.34.XX.XX",
    "IkeLifetime" : 86400,
    "IkeEncAlg" : "aes",
    "LocalId" : "116.28.XX.XX",
    "IkeMode" : "main",
    "IkeVersion" : "ikev1",
    "IkePfs" : "group2",
    "Psk" : "pgw6dy****",
    "IkeAuthAlg" : "sha1"
  },
  "IpsecConfig" : {
    "IpsecAuthAlg" : "sha1",
    "IpsecLifetime" : 86400,
    "IpsecEncAlg" : "aes",
    "IpsecPfs" : "group2"
  },
  "VcoHealthCheck" : {
    "Status" : "failed",
    "Dip" : "10.0.0.1",
    "Interval" : 3,
    "Retry" : 3,
    "Sip" : "192.168.1.1",
    "Enable" : "true"
  },
  "VpnBgpConfig" : {
    "Status" : "success",
    "PeerBgpIp" : "169.254.11.1",
    "TunnelCidr" : "169.254.11.0/30",
    "EnableBgp" : "true",
    "LocalBgpIp" : "169.254.11.2",
    "PeerAsn" : 65530,
    "LocalAsn" : 65531,
    "AuthKey" : "AuthKey****"
  }
}
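Added example (not part of the original reference and not Alibaba Cloud SDK code): the response carries the IKE pre-shared key (Psk) and the BGP authentication key (AuthKey), so a caller that logs or stores it should mask those fields first. The Python below masks them at any nesting depth and extracts the Phase 1 and Phase 2 parameters for an inventory record; the function names `redact` and `summarize` and the abridged sample are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Secret-bearing fields named in the response parameter table above.
SECRET_KEYS = {"Psk", "AuthKey"}

# Constructed sample: abridged copy of the JSON sample response on this page.
SAMPLE = """
{"Status": "ike_sa_not_established", "CreateTime": 1492753817000,
 "VpnConnectionId": "vco-bp1bbi27hojx80nck****",
 "LocalSubnet": "10.0.0.0/8", "RemoteSubnet": "192.168.0.0/16",
 "IkeConfig": {"IkeVersion": "ikev1", "IkeEncAlg": "aes", "IkeAuthAlg": "sha1",
               "IkePfs": "group2", "IkeLifetime": 86400, "Psk": "pgw6dy****"},
 "IpsecConfig": {"IpsecEncAlg": "aes", "IpsecAuthAlg": "sha1",
                 "IpsecPfs": "group2", "IpsecLifetime": 86400},
 "VpnBgpConfig": {"EnableBgp": "true", "AuthKey": "AuthKey****"}}
"""

def redact(node):
    """Copy the response, masking Psk/AuthKey wherever they are nested
    (top-level IkeConfig, VpnBgpConfig, or per-tunnel objects)."""
    if isinstance(node, dict):
        return {k: "<redacted>" if k in SECRET_KEYS else redact(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node

def summarize(resp):
    """Flatten the fields an inventory or audit record usually needs."""
    ike, ipsec = resp.get("IkeConfig", {}), resp.get("IpsecConfig", {})
    created = datetime.fromtimestamp(resp["CreateTime"] / 1000, tz=timezone.utc)
    return {
        "id": resp["VpnConnectionId"],
        "status": resp["Status"],
        "created_utc": created.isoformat(),  # CreateTime is in milliseconds
        # Subnet fields hold one or more CIDR blocks separated by commas.
        "local_subnets": [c.strip() for c in resp["LocalSubnet"].split(",")],
        "remote_subnets": [c.strip() for c in resp["RemoteSubnet"].split(",")],
        "phase1": {k: ike.get(k) for k in
                   ("IkeVersion", "IkeEncAlg", "IkeAuthAlg", "IkePfs", "IkeLifetime")},
        "phase2": {k: ipsec.get(k) for k in
                   ("IpsecEncAlg", "IpsecAuthAlg", "IpsecPfs", "IpsecLifetime")},
    }

RESPONSE = json.loads(SAMPLE)
if __name__ == "__main__":
    print(json.dumps(redact(RESPONSE), indent=2))
    print(json.dumps(summarize(RESPONSE), indent=2))
```
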
Error codes
HttpCode | Error code | Error message | Description |
403 | Forbbiden.SubUser | User not authorized to operate on the specified resource as your account is created by another user. | You are unauthorized to perform this operation on the specified resource. You can apply for the required permissions and try again. |
403 | Forbidden | User not authorized to operate on the specified resource. | You are unauthorized to perform this operation on the specified resource. You can apply for the required permissions and try again. |
404 | InvalidVpnConnectionInstanceId.NotFound | The specified vpn connection instance id does not exist. | The specified IPsec connection does not exist. Check whether the ID of the IPsec connection is valid. |
For a list of error codes, see Service error codes.