Queries the details of an IPsec-VPN connection.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeVpnConnection

The operation that you want to perform. Set the value to DescribeVpnConnection.

RegionId String Yes cn-hangzhou

The ID of the region where the IPsec-VPN connection is established.

You can call the DescribeRegions operation to query the most recent region list.

VpnConnectionId String Yes vco-bp1bbi27hojx80nck****

The ID of the IPsec-VPN connection.

Response parameters

Parameter Type Example Description
VpnConnectionId String vco-bp1bbi27hojx80nck****

The ID of the IPsec-VPN connection.

CustomerGatewayId String cgw-bp1mvj4g9kogwwcxk****

The ID of the customer gateway.

VpnGatewayId String vpn-bp1q8bgx4xnkm2ogj****

The ID of the VPN gateway.

Name String ipsec1

The name of the IPsec-VPN connection.

LocalSubnet String 10.0.0.0/8

The CIDR block of the VPC.

CIDR blocks are separated with commas (,).

RemoteSubnet String 192.168.0.0/16

The CIDR block of the data center.

CIDR blocks are separated with commas (,).

CreateTime Long 1492753817000

The timestamp generated when the IPsec-VPN connection was established.

Status String ike_sa_not_established

The status of the IPsec-VPN connection. Valid values:

  • ike_sa_not_established: Phase 1 negotiations failed.
  • ike_sa_established: Phase 1 negotiations were successful.
  • ipsec_sa_not_established: Phase 2 negotiations failed.
  • ipsec_sa_established: Phase 2 negotiations were successful.
EffectImmediately Boolean true

Indicates whether the IPsec-VPN connection immediately takes effect. Valid values:

  • true: Negotiations are reinitiated when the configuration is changed.
  • false: Negotiations are reinitiated when traffic is detected. When negotiations are reinitiated, transient connections may occur.
EnableDpd Boolean true

Indicates whether dead peer detection (DPD) is enabled. Valid values:

  • false: disabled
  • true: enabled

After you enable DPD, the initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. Then, the ISAKMP SA, IPsec SA, and IPsec tunnel are deleted.

EnableNatTraversal Boolean true

Indicates whether NAT traversal is enabled. Valid values:

  • true: NAT traversal is enabled.
  • false: NAT traversal is disabled.

After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel.

IkeConfig Struct

The configurations of Phase 1 negotiations.

IkeAuthAlg String sha1

The IKE authentication algorithm.

IkeEncAlg String aes

The IKE encryption algorithm.

IkeLifetime Long 86400

The IKE lifetime. Unit: seconds.

IkeMode String main

The IKE negotiation mode.

IkePfs String group2

The DH group.

IkeVersion String ikev1

The version of the IKE protocol.

LocalId String 116.XX.XX.6

The identifier of the local side. The default value is the IP address of the VPN gateway. The value can be a fully qualified domain name (FQDN) or an IP address.

Psk String pgw6dy****

The pre-shared key.

RemoteId String 139.XX.XX.6

The ID of the customer gateway. By default, it is the IP address of the customer gateway. The value can be an FQDN or an IP address.

IpsecConfig Struct

The configuration of Phase 2 negotiations.

IpsecAuthAlg String sha1

The IPsec authentication algorithm.

IpsecEncAlg String aes

The IPsec encryption algorithm.

IpsecLifetime Long 86400

The IPsec lifetime. Unit: seconds.

IpsecPfs String group2

The DH group.

RemoteCaCertificate String -----BEGIN CERTIFICATE----- MIIB7zCCAZW****

The CA certificate of the peer.

RequestId String F2310D45-BCF6-4E2E-9082-B4503844BA4C

The ID of the request.

VcoHealthCheck Struct

The information about health checks.

Dip String 10.0.0.1

The destination IP address.

Enable String true

Indicates whether health checks are enabled. Valid values:

  • false: disabled
  • true: enabled
Interval Integer 3

The interval of health check retries. Unit: seconds.

Retry Integer 3

The number of times that health check packets are resent.

Sip String 192.168.1.1

The source IP address.

Status String failed

The status of the health check. Valid values:

  • failed: abnormal
  • success: normal
VpnBgpConfig Struct

The configurations of the BGP routing protocol.

AuthKey String AuthKey****

The authentication key of the BGP routing protocol.

EnableBgp String true

The negotiation status of the BGP routing protocol. Valid values:

  • true: enabled
  • false: disabled
LocalAsn Long 45014

The autonomous system number (ASN) on the Alibaba Cloud side.

LocalBgpIp String 169.XX.XX.32

The BGP IP address on the Alibaba Cloud side.

PeerAsn Long 65530

The ASN of the peer.

PeerBgpIp String 169.XX.XX.30

The BGP IP address of the peer.

Status String true

The negotiation status of the BGP routing protocol.

  • success: normal
  • false: abnormal
TunnelCidr String 169.254.11.0/30

The CIDR block of the IPsec tunnel. The CIDR block belongs to 169.254.0.0/16. The mask of the CIDR block is 30 bits in length.

Examples

Sample requests

https://vpc.aliyuncs.com/?Action=DescribeVpnConnection
&RegionId=cn-hangzhou
&VpnConnectionId=vco-bp1bbi27hojx80nck****
&<Common request parameters>

Sample success responses

XML format 

<DescribeVpnConnectionResponse>
  <LocalSubnet>10.0.0.0/8</LocalSubnet>
  <Status>ipsec_sa_established</Status>
  <RequestId>6FBAE985-A938-49CB-9129-621AA3A88728</RequestId>
  <CustomerGatewayId>cgw-gw8usu4zsk23pf69f****</CustomerGatewayId>
  <CreateTime>1590495160000</CreateTime>
  <Name>VPN1-CGW22</Name>
  <EffectImmediately>false</EffectImmediately>
  <RemoteSubnet>192.168.0.0/16</RemoteSubnet>
  <VcoHealthCheck>
        <Status>success</Status>
        <Enable>false</Enable>
        <Dip></Dip>
        <Sip></Sip>
        <Retry>0</Retry>
        <Interval>0</Interval>
  </VcoHealthCheck>
  <VpnGatewayId>vpn-gw8bvv722zwjht7ia****</VpnGatewayId>
  <IpsecConfig>
        <IpsecPfs>group2</IpsecPfs>
        <IpsecEncAlg>aes</IpsecEncAlg>
        <IpsecAuthAlg>sha1</IpsecAuthAlg>
        <IpsecLifetime>86400</IpsecLifetime>
  </IpsecConfig>
  <VpnConnectionId>vco-gw8tylx7hvwhl7tu8****</VpnConnectionId>
  <EnableNatTraversal>true</EnableNatTraversal>
  <EnableDpd>true</EnableDpd>
  <IkeConfig>
        <IkeAuthAlg>sha1</IkeAuthAlg>
        <LocalId>8.XX.XX.192</LocalId>
        <IkeEncAlg>aes</IkeEncAlg>
        <IkeVersion>ikev1</IkeVersion>
        <IkeMode>main</IkeMode>
        <IkeLifetime>86400</IkeLifetime>
        <Psk>123456</Psk>
        <RemoteId>8.XX.XX.146</RemoteId>
        <IkePfs>group2</IkePfs>
  </IkeConfig>
  <VpnBgpConfig>
        <Status>success</Status>
        <EnableBgp>true</EnableBgp>
        <LocalAsn>45104</LocalAsn>
        <TunnelCidr>169.254.10.0/30</TunnelCidr>
        <PeerBgpIp>169.XX.XX.30</PeerBgpIp>
        <PeerAsn>65530</PeerAsn>
        <LocalBgpIp>169.XX.XX.32</LocalBgpIp>
  </VpnBgpConfig>
</DescribeVpnConnectionResponse>

JSON format 

{
    "LocalSubnet": "10.0.0.0/8",
    "Status": "ipsec_sa_established",
    "RequestId": "6FBAE985-A938-49CB-9129-621AA3A88728",
    "CustomerGatewayId": "cgw-gw8usu4zsk23pf69f****",
    "CreateTime": 1590495160000,
    "Name": "VPN1-CGW22",
    "EffectImmediately": false,
    "RemoteSubnet": "192.168.0.0/16",
    "VcoHealthCheck": {
        "Status": "success",
        "Enable": "false",
        "Dip": "",
        "Sip": "",
        "Retry": 0,
        "Interval": 0
    },
    "VpnGatewayId": "vpn-gw8bvv722zwjht7ia****",
    "IpsecConfig": {
        "IpsecPfs": "group2",
        "IpsecEncAlg": "aes",
        "IpsecAuthAlg": "sha1",
        "IpsecLifetime": 86400
    },
    "VpnConnectionId": "vco-gw8tylx7hvwhl7tu8****",
    "EnableNatTraversal": true,
    "EnableDpd": true,
    "IkeConfig": {
        "IkeAuthAlg": "sha1",
        "LocalId": "8.XX.XX.192",
        "IkeEncAlg": "aes",
        "IkeVersion": "ikev1",
        "IkeMode": "main",
        "IkeLifetime": 86400,
        "Psk": "123456",
        "RemoteId": "8.XX.XX.146",
        "IkePfs": "group2"
    },
    "VpnBgpConfig": {
        "Status": "success",
        "EnableBgp": "true",
        "LocalAsn": 45104,
        "TunnelCidr": "169.254.10.0/30",
        "PeerBgpIp": "169.XX.XX.30",
        "PeerAsn": 65530,
        "LocalBgpIp": "169.XX.XX.32"
    }
}

Error codes

HttpCode Error code Error message Description
403 Forbbiden.SubUser User not authorized to operate on the specified resource as your account is created by another user. The error message returned because you are unauthorized to perform this operation on the specified resource. You can apply for the required permissions and try again.
403 Forbidden User not authorized to operate on the specified resource. The error message returned because you are unauthorized to perform this operation on the specified resource. To acquire the required permissions, submit a ticket.
404 InvalidVpnConnectionInstanceId.NotFound The specified vpn connection instance id does not exist. The error message returned because the specified IPsec-VPN connection does not exist. Check whether the ID of the IPsec-VPN connection is valid.

For a list of error codes, visit the API Error Center.