| object | | |
Status | string | The state of the IPsec-VPN connection. Valid values:
- ike_sa_not_established: Phase 1 negotiations failed.
- ike_sa_established: Phase 1 negotiations succeeded.
- ipsec_sa_not_established: Phase 2 negotiations failed.
- ipsec_sa_established: Phase 2 negotiations succeeded.
| ike_sa_not_established |
RemoteCaCertificate | string | The certificate authority (CA) certificate of the peer. | -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** |
EnableNatTraversal | boolean | Indicates whether NAT traversal is enabled for the IPsec-VPN connection. Valid values:
After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel. | true |
CreateTime | long | The timestamp generated when the IPsec-VPN connection was established. Unit: milliseconds.
This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. | 1492753817000 |
EffectImmediately | boolean | Indicates whether IPsec negotiations immediately start after the configuration takes effect. Valid values:
- true: Negotiations are reinitiated after the configuration is changed.
- false: Negotiations are reinitiated after traffic is detected.
| true |
VpnGatewayId | string | The ID of the VPN gateway. | vpn-bp1q8bgx4xnkm2ogj**** |
LocalSubnet | string | The CIDR block on the Alibaba Cloud side.
Multiple CIDR blocks are separated by commas (,). | 10.0.0.0/8 |
RequestId | string | | F2310D45-BCF6-4E2E-9082-B4503844BA4C |
VpnConnectionId | string | The ID of the IPsec-VPN connection. | vco-bp1bbi27hojx80nck**** |
RemoteSubnet | string | The CIDR block on the data center side.
Multiple CIDR blocks are separated by commas (,). | 192.168.0.0/16 |
CustomerGatewayId | string | The ID of the customer gateway associated with the IPsec-VPN connection. | cgw-bp1mvj4g9kogwwcxk**** |
Name | string | The name of the IPsec-VPN connection. | ipsec1 |
EnableDpd | boolean | Indicates whether the dead peer detection (DPD) feature is enabled for the IPsec-VPN connection. Valid values:
After you enable the DPD feature, the initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. Then, the ISAKMP security association (SA), IPsec SA, and IPsec tunnel are deleted. | true |
IkeConfig | object | The configuration of Phase 1 negotiations. | |
RemoteId | string | The identifier of the IPsec-VPN connection on the data center side. | 139.34.XX.XX |
IkeLifetime | long | The lifetime in the IKE phase. Unit: seconds. | 86400 |
IkeEncAlg | string | The encryption algorithm in the IKE phase. | aes |
LocalId | string | The identifier of the IPsec-VPN connection on the Alibaba Cloud side. | 116.28.XX.XX |
IkeMode | string | The IKE negotiation mode.
- main: This mode offers higher security during negotiations.
- aggressive: This mode is faster and has a higher success rate.
| main |
IkeVersion | string | The version of the IKE protocol.
Compared with IKEv1, IKEv2 simplifies the SA negotiation process and is more suitable for scenarios in which multiple CIDR blocks are used. | ikev1 |
IkePfs | string | The Diffie-Hellman (DH) group in the IKE phase. | group2 |
Psk | string | | pgw6dy**** |
IkeAuthAlg | string | The authentication algorithm in the IKE phase. | sha1 |
IpsecConfig | object | The configuration of Phase 2 negotiations. | |
IpsecAuthAlg | string | The authentication algorithm in the IPsec phase. | sha1 |
IpsecLifetime | long | The lifetime in the IPsec phase. Unit: seconds. | 86400 |
IpsecEncAlg | string | The encryption algorithm in the IPsec phase. | aes |
IpsecPfs | string | The DH group in the IPsec phase. | group2 |
VcoHealthCheck | object | The health check information about the IPsec-VPN connection. | |
Status | string | The state of the health check. Valid values:
| failed |
Dip | string | The destination IP address. | 10.0.0.1 |
Interval | integer | The interval between two consecutive health checks. Unit: seconds. | 3 |
Retry | integer | The maximum number of health check retries. | 3 |
Sip | string | | 192.168.1.1 |
Enable | string | Indicates whether the health check feature is enabled for the IPsec-VPN connection. Valid values:
| true |
Policy | string | Indicates whether advertised routes are withdrawn when the health check fails. Valid values:
- revoke_route: Advertised routes are withdrawn.
- reserve_route: Advertised routes are not withdrawn.
| revoke_route |
VpnBgpConfig | object | The Border Gateway Protocol (BGP) configuration of the IPsec-VPN connection. | |
Status | string | The negotiation state of the BGP routing protocol. Valid values:
| success |
PeerBgpIp | string | The BGP IP address of the peer. | 169.254.11.1 |
TunnelCidr | string | The BGP CIDR block of the IPsec-VPN connection. The CIDR block falls within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length. | 169.254.11.0/30 |
EnableBgp | string | Indicates whether BGP is enabled. Valid values:
| true |
LocalBgpIp | string | The BGP IP address on the Alibaba Cloud side. | 169.254.11.2 |
PeerAsn | long | The autonomous system number (ASN) of the peer. | 65530 |
LocalAsn | long | The ASN on the Alibaba Cloud side. | 65531 |
AuthKey | string | The authentication key of the BGP routing protocol. | AuthKey**** |
AttachType | string | The type of the resource that is associated with the IPsec-VPN connection. Valid values:
- CEN: indicates that the IPsec-VPN connection is associated with a transit router of a Cloud Enterprise Network (CEN) instance.
- NO_ASSOCIATED: indicates that the IPsec-VPN connection is not associated with any resource.
- VPNGW: indicates that the IPsec-VPN connection is associated with a VPN gateway.
| CEN |
NetworkType | string | The network type of the IPsec-VPN connection. Valid values:
- public: an encrypted connection over the Internet
- private: an encrypted connection over private networks
| public |
AttachInstanceId | string | The ID of the CEN instance to which the transit router belongs. | cen-lxxpbpalc776qz**** |
Spec | string | The bandwidth specification of the IPsec-VPN connection. Unit: Mbit/s. | 1000M |
State | string | The association state of the IPsec-VPN connection. Valid values:
- active: The IPsec-VPN connection is associated with a VPN gateway.
- init: The IPsec-VPN connection is not associated with any resource and is being initialized.
- attaching: The IPsec-VPN connection is being associated with a transit router.
- attached: The IPsec-VPN connection is associated with a transit router.
- detaching: The IPsec-VPN connection is being disassociated from a transit router.
- financialLocked: The IPsec-VPN connection is locked due to overdue payments.
- provisioning: The IPsec-VPN connection is being prepared.
- updating: The IPsec-VPN connection is being updated.
- Upgrading: The IPsec-VPN connection is being upgraded.
- deleted: The IPsec-VPN connection is deleted.
| attached |
ZoneNo | string | The ID of the zone where the IPsec-VPN connection is deployed.
You can call DescribeZones to query zone IDs and the mapping between zone IDs and zone names. | ap-southeast-2b |
InternetIp | string | The gateway IP address of the IPsec-VPN connection. | 47.XX.XX.162 |
TransitRouterId | string | The ID of the transit router with which the IPsec-VPN connection is associated. | tr-p0we2edef9qr44a85**** |
TransitRouterName | string | The name of the transit router. | nametest |
CrossAccountAuthorized | boolean | Indicates whether the IPsec-VPN connection is associated with a transit router that belongs to another Alibaba Cloud account. Valid values:
| false |
Tags | object [] | The list of tags added to the IPsec-VPN connection. | |
Key | string | | TagKey |
Value | string | | TagValue |
TunnelOptionsSpecification | object [] | The tunnel configuration of the IPsec-VPN connection.
Parameters in TunnelOptionsSpecification are returned only if you query IPsec-VPN connections in dual-tunnel mode. | |
TunnelId | string | | tun-opsqc4d97wni27**** |
CustomerGatewayId | string | The ID of the customer gateway associated with the tunnel. | cgw-p0wy363lucf1uyae8**** |
EnableDpd | string | Indicates whether the DPD feature is enabled for the tunnel. Valid values:
| true |
EnableNatTraversal | string | Indicates whether NAT traversal is enabled for the tunnel. Valid values:
| true |
InternetIp | string | | 47.21.XX.XX |
RemoteCaCertificate | string | The CA certificate of the tunnel peer.
This parameter is returned only if the VPN gateway is of the ShangMi (SM) type. | -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE----- |
Role | string | The tunnel role. Valid values:
- master: The tunnel is an active tunnel.
- slave: The tunnel is a standby tunnel.
| master |
State | string | The tunnel status. Valid values:
| active |
Status | string | The state of the IPsec-VPN connection. Valid values:
- ike_sa_not_established: Phase 1 negotiations failed.
- ike_sa_established: Phase 1 negotiations succeeded.
- ipsec_sa_not_established: Phase 2 negotiations failed.
- ipsec_sa_established: Phase 2 negotiations succeeded.
| ipsec_sa_established |
TunnelBgpConfig | object | | |
BgpStatus | string | The negotiation state of BGP. Valid values:
| success |
LocalAsn | string | The ASN on the Alibaba Cloud side. | 65530 |
LocalBgpIp | string | The BGP address on the Alibaba Cloud side. | 169.254.10.1 |
PeerAsn | string | The ASN of the tunnel peer. | 65531 |
PeerBgpIp | string | The BGP IP address of the tunnel peer. | 169.254.10.2 |
TunnelCidr | string | The BGP CIDR block of the tunnel. | 169.254.10.0/30 |
TunnelIkeConfig | object | The configuration of Phase 1 negotiations. | |
IkeAuthAlg | string | The authentication algorithm in the IKE phase. | sha1 |
IkeEncAlg | string | The encryption algorithm in the IKE phase. | aes |
IkeLifetime | string | The lifetime in the IKE phase. Unit: seconds. | 86400 |
IkeMode | string | The IKE negotiation mode.
- main: This mode offers higher security during negotiations.
- aggressive: This mode is faster and has a higher success rate.
| main |
IkePfs | string | The Diffie-Hellman (DH) group in the IKE phase. | group2 |
IkeVersion | string | The version of the IKE protocol. | ikev1 |
LocalId | string | The identifier of the tunnel on the Alibaba Cloud side. | 47.21.XX.XX |
Psk | string | | 123456**** |
RemoteId | string | The identifier of the tunnel peer. | 47.42.XX.XX |
TunnelIpsecConfig | object | The configurations of Phase 2 negotiations. | |
IpsecAuthAlg | string | The authentication algorithm in the IPsec phase. | sha1 |
IpsecEncAlg | string | The encryption algorithm in the IPsec phase. | aes |
IpsecLifetime | string | The lifetime in the IPsec phase. Unit: seconds. | 86400 |
IpsecPfs | string | The DH group in the IPsec phase. | group2 |
ZoneNo | string | The zone where the tunnel is deployed.
You can call DescribeZones to query zone IDs. | ap-southeast-5a |
EnableTunnelsBgp | boolean | Indicates whether BGP is enabled for the tunnel. Valid values:
| true |
ResourceGroupId | string | The ID of the resource group to which the IPsec-VPN connection belongs.
You can call the ListResourceGroups operation to query the resource group information. | rg-acfmzs372yg**** |
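
The following Python audit is an added example, not part of the original reference and not Alibaba Cloud code. It walks a response shaped like the table above, flags the legacy negotiation parameters and failed Status values the table lists, and masks Psk and AuthKey before the response is logged. The sample response is constructed, its nesting (including a plain list under TunnelOptionsSpecification) is assumed from the table order, and `walk`, `audit` and `redact` are hypothetical helper names.

```python
# Flag values come from this page's example column. RFC 9395 deprecates IKEv1;
# RFC 8247 downgrades HMAC-SHA1 and marks 1024-bit DH group 2 SHOULD NOT; the
# page itself rates aggressive mode below main mode.
WEAK = {
    "IkeVersion": {"ikev1"}, "IkeMode": {"aggressive"},
    "IkeAuthAlg": {"sha1"}, "IpsecAuthAlg": {"sha1"},
    "IkePfs": {"group2"}, "IpsecPfs": {"group2"},
}
DOWN = {"ike_sa_not_established", "ipsec_sa_not_established"}
SECRETS = {"Psk", "AuthKey"}  # both are returned in the response per the table

def walk(node, path=""):
    """Yield (path, value) for every scalar, descending into objects and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node

def audit(resp):
    """Return findings for connection-level and per-tunnel settings alike."""
    findings = []
    for path, value in walk(resp):
        key = path.rsplit(".", 1)[-1]
        if str(value).lower() in WEAK.get(key, ()):
            findings.append(f"{path}={value}: weak negotiation parameter")
        elif key == "Status" and value in DOWN:
            findings.append(f"{path}={value}: negotiation failed")
    return findings

def redact(resp):
    """Return a copy that is safe to log: secret fields are masked."""
    if isinstance(resp, dict):
        return {k: "<redacted>" if k in SECRETS else redact(v) for k, v in resp.items()}
    if isinstance(resp, list):
        return [redact(v) for v in resp]
    return resp

# Constructed sample; assumed nesting, placeholder IDs and secrets.
SAMPLE = {
    "VpnConnectionId": "vco-example", "Status": "ike_sa_not_established",
    "IkeConfig": {"IkeVersion": "ikev1", "IkeMode": "main", "IkeAuthAlg": "sha1",
                  "IkeEncAlg": "aes", "IkePfs": "group2", "Psk": "constructed-psk"},
    "IpsecConfig": {"IpsecAuthAlg": "sha1", "IpsecEncAlg": "aes", "IpsecPfs": "group2"},
    "VpnBgpConfig": {"Status": "success", "AuthKey": "constructed-key"},
    "TunnelOptionsSpecification": [{"TunnelId": "tun-example", "Status": "ipsec_sa_established",
        "TunnelIkeConfig": {"IkeVersion": "ikev1", "IkeMode": "aggressive", "Psk": "constructed-psk-2"}}],
}
```

Log `redact(resp)` rather than the raw response, and treat each line from `audit(resp)` as a prompt to review the matching setting on both the cloud side and the customer gateway.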