Queries IPsec-VPN connections.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeVpnConnections

The operation that you want to perform. Set the value to DescribeVpnConnections.

RegionId String Yes cn-hangzhou

The ID of the region where the IPsec-VPN connection is established.

You can call the DescribeRegions operation to query the most recent region list.

VpnGatewayId String No vpn-bp1q8bgx4xnkx****

The ID of the VPN gateway.

CustomerGatewayId String No cgw-bp1mvj4g9kogw****

The ID of the customer gateway.

PageNumber Integer No 1

The number of the page to return. Default value: 1.

PageSize Integer No 10

The number of entries to return on each page. Default value: 10. Valid values: 1 to 50.

VpnConnectionId String No vco-bp15oes1py4i6****

The ID of the IPsec-VPN connection.

Response parameters

Parameter Type Example Description
VpnConnections Array of VpnConnection

The list of IPsec-VPN connections.

VpnConnection
IkeConfig Struct

The configurations of Phase 1 negotiations.

IkeAuthAlg String sha1

The IKE authentication algorithm.

IkeEncAlg String aes

The IKE encryption algorithm.

IkeLifetime Long 86400

The IKE lifetime. Unit: seconds.

IkeMode String main

The IKE negotiation mode.

IkePfs String group2

The DH group.

IkeVersion String ikev1

The version of the IKE protocol.

LocalId String 116.XX.XX.64

The identifier of the local side. The default value is the IP address of the VPN gateway. The value can be a fully qualified domain name (FQDN) or an IP address.

Psk String pgw6dy7****

The pre-shared key.

RemoteId String 139.XX.XX.167

The ID of the customer gateway. By default, it is the IP address of the customer gateway. The value can be an FQDN or an IP address.

IpsecConfig Struct

The configuration of Phase 2 negotiations.

IpsecAuthAlg String sha1

The IPsec authentication algorithm.

IpsecEncAlg String aes

The IPsec encryption algorithm.

IpsecLifetime Long 86400

The IPsec lifetime. Unit: seconds.

IpsecPfs String group2

The DH group.

VpnConnectionId String vco-bp10lz7aejumd****

The ID of the IPsec-VPN connection.

CustomerGatewayId String cgw-bp1mvj4g9kogw****

The ID of the customer gateway.

VpnGatewayId String vpn-bp1q8bgx4xnkm****

The ID of the VPN gateway.

Name String nametest

The name of the IPsec-VPN connection.

LocalSubnet String 192.168.0.0/16,172.17.0.0/16

The CIDR block of the VPC.

CIDR blocks are separated with commas (,).

RemoteSubnet String 10.0.0.0/8,172.16.0.0/16

The CIDR block of the data center.

CIDR blocks are separated with commas (,).

CreateTime Long 1492753817000

The timestamp generated when the IPsec-VPN connection was established.

Status String ipsec_sa_established

The status of the IPsec-VPN connection. Valid values:

  • ike_sa_not_established: Phase 1 negotiations failed.
  • ike_sa_established: Phase 1 negotiations were successful.
  • ipsec_sa_not_established: Phase 2 negotiations failed.
  • ipsec_sa_established: Phase 2 negotiations were successful.

EffectImmediately Boolean true

Indicates whether the connection immediately takes effect. Valid values:

  • true: Negotiations are reinitiated when the configuration is changed.
  • false: Negotiations are reinitiated when traffic is detected. When negotiations are reinitiated, transient connections may occur.

EnableDpd Boolean true

Indicates whether dead peer detection (DPD) is enabled. Valid values:

  • true: DPD is enabled.

    The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no feedback is received from the peer within a specified period of time, the connection fails, and the ISAKMP SA, the IPsec SA, and the security tunnel are deleted.

  • false: DPD is disabled. The IPsec initiator does not send DPD packets.

EnableNatTraversal Boolean true

Indicates whether NAT traversal is enabled. Valid values:

  • true: NAT traversal is enabled.

    After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel.

  • false: NAT traversal is disabled.

RemoteCaCertificate String -----BEGIN CERTIFICATE----- MIIB7zCCAZW****

The CA certificate of the peer.

VcoHealthCheck Struct

The health check configurations.

Dip String 192.168.0.1

The destination IP address.

Enable String true

Indicates whether health checks are enabled. Valid values:

  • true: enabled
  • false: disabled

Interval Integer 2

The time interval between two consecutive health checks. Unit: seconds.

Retry Integer 3

The number of times that health check packets are resent.

Sip String 192.168.0.50

The source IP address.

Status String success

The status of the health check. Valid values:

  • failed: abnormal
  • success: normal

VpnBgpConfig Struct

The configurations of the BGP routing protocol.

AuthKey String AuthKey****

The authentication key of the BGP routing protocol.

LocalAsn Long 45104

The autonomous system number (ASN) on the Alibaba Cloud side.

LocalBgpIp String 169.XX.XX.32

The BGP IP address on the Alibaba Cloud side.

PeerAsn Long 65530

The ASN of the peer.

PeerBgpIp String 169.XX.XX.30

The BGP IP address of the peer.

Status String success

The negotiation status of the BGP routing protocol. Valid values:

  • success: normal
  • false: abnormal

TunnelCidr String 169.254.10.0/30

The CIDR block of the IPsec tunnel. The CIDR block belongs to 169.254.0.0/16. The mask of the CIDR block is 30 bits in length.

TotalCount Integer 2

The total number of entries returned.

PageNumber Integer 1

The page number of the returned page.

PageSize Integer 10

The number of entries returned per page.

RequestId String 238752DC-0693-49BE-9C85-711D5691D3E5

The ID of the request.

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeVpnConnections
&RegionId=cn-hangzhou
&<Common request parameters>

Sample success responses

XML format

<DescribeVpnConnectionsResponse>
  <TotalCount>2</TotalCount>
  <RequestId>238752DC-0693-49BE-9C85-711D5691D3E5</RequestId>
  <PageSize>10</PageSize>
  <PageNumber>1</PageNumber>
  <VpnConnections>
        <VpnConnection>
              <LocalSubnet>10.0.0.0/8</LocalSubnet>
              <Status>ipsec_sa_established</Status>
              <CustomerGatewayId>cgw-gw8usu4zsk23pf69f****</CustomerGatewayId>
              <CreateTime>1590495160000</CreateTime>
              <Name>VPN1-CGW22</Name>
              <EffectImmediately>false</EffectImmediately>
              <RemoteSubnet>192.168.0.0/16</RemoteSubnet>
              <VcoHealthCheck>
                    <Status>failed</Status>
                    <Enable>true</Enable>
                    <Dip>192.168.0.1</Dip>
                    <Sip>192.168.0.2</Sip>
                    <Retry>2</Retry>
                    <Interval>2</Interval>
              </VcoHealthCheck>
              <VpnGatewayId>vpn-gw8bvv722zwjht7ia****</VpnGatewayId>
              <IpsecConfig>
                    <IpsecPfs>group2</IpsecPfs>
                    <IpsecEncAlg>aes</IpsecEncAlg>
                    <IpsecAuthAlg>sha1</IpsecAuthAlg>
                    <IpsecLifetime>86400</IpsecLifetime>
              </IpsecConfig>
              <VpnConnectionId>vco-gw8tylx7hvwhl7tu8****</VpnConnectionId>
              <IkeConfig>
                    <IkeAuthAlg>sha1</IkeAuthAlg>
                    <LocalId>8.XX.XX.192</LocalId>
                    <IkeEncAlg>aes</IkeEncAlg>
                    <IkeVersion>ikev1</IkeVersion>
                    <IkeMode>main</IkeMode>
                    <IkeLifetime>86400</IkeLifetime>
                    <Psk>123456</Psk>
                    <RemoteId>8.XX.XX.146</RemoteId>
                    <IkePfs>group2</IkePfs>
              </IkeConfig>
              <VpnBgpConfig>
                    <Status>success</Status>
                    <LocalAsn>45104</LocalAsn>
                    <TunnelCidr>169.254.10.0/30</TunnelCidr>
                    <PeerBgpIp>169.XX.XX.30</PeerBgpIp>
                    <PeerAsn>65531</PeerAsn>
                    <LocalBgpIp>169.XX.XX.32</LocalBgpIp>
              </VpnBgpConfig>
        </VpnConnection>
        <VpnConnection>
              <LocalSubnet>192.168.0.0/16</LocalSubnet>
              <Status>ipsec_sa_established</Status>
              <CustomerGatewayId>cgw-gw819u3zrifo8m5iz****</CustomerGatewayId>
              <CreateTime>1590495260000</CreateTime>
              <Name>VPN2-CGW1</Name>
              <EffectImmediately>false</EffectImmediately>
              <RemoteSubnet>10.0.0.0/8</RemoteSubnet>
              <VcoHealthCheck>
                    <Status>success</Status>
                    <Enable>true</Enable>
                    <Dip>192.168.0.1</Dip>
                    <Sip>192.168.0.56</Sip>
                    <Retry>2</Retry>
                    <Interval>2</Interval>
              </VcoHealthCheck>
              <VpnGatewayId>vpn-gw8uofjyg2db32o89****</VpnGatewayId>
              <IpsecConfig>
                    <IpsecPfs>group2</IpsecPfs>
                    <IpsecEncAlg>aes</IpsecEncAlg>
                    <IpsecAuthAlg>sha1</IpsecAuthAlg>
                    <IpsecLifetime>86400</IpsecLifetime>
              </IpsecConfig>
              <VpnConnectionId>vco-gw837v1ybfh74b6dy****</VpnConnectionId>
              <IkeConfig>
                    <IkeAuthAlg>sha1</IkeAuthAlg>
                    <LocalId>8.XX.XX.146</LocalId>
                    <IkeEncAlg>aes</IkeEncAlg>
                    <IkeVersion>ikev1</IkeVersion>
                    <IkeMode>main</IkeMode>
                    <IkeLifetime>86400</IkeLifetime>
                    <Psk>123456</Psk>
                    <RemoteId>8.XX.XX.192</RemoteId>
                    <IkePfs>group2</IkePfs>
              </IkeConfig>
              <VpnBgpConfig>
                    <Status>success</Status>
                    <LocalAsn>45104</LocalAsn>
                    <TunnelCidr>169.254.10.0/30</TunnelCidr>
                    <PeerBgpIp>169.254.XX.XX</PeerBgpIp>
                    <PeerAsn>65530</PeerAsn>
                    <LocalBgpIp>169.254.XX.XX</LocalBgpIp>
              </VpnBgpConfig>
        </VpnConnection>
  </VpnConnections>
</DescribeVpnConnectionsResponse>

JSON format

{
    "TotalCount": 2,
    "RequestId": "238752DC-0693-49BE-9C85-711D5691D3E5",
    "PageSize": 10,
    "PageNumber": 1,
    "VpnConnections": {
        "VpnConnection": [
            {
                "LocalSubnet": "10.0.0.0/8",
                "Status": "ipsec_sa_established",
                "CustomerGatewayId": "cgw-gw8usu4zsk23pf69f****",
                "CreateTime": 1590495160000,
                "Name": "VPN1-CGW22",
                "EffectImmediately": false,
                "RemoteSubnet": "192.168.0.0/16",
                "VcoHealthCheck": {
                    "Status": "failed",
                    "Enable": "true",
                    "Dip": "192.168.0.1",
                    "Sip": "192.168.0.2",
                    "Retry": 2,
                    "Interval": 2
                },
                "VpnGatewayId": "vpn-gw8bvv722zwjht7ia****",
                "IpsecConfig": {
                    "IpsecPfs": "group2",
                    "IpsecEncAlg": "aes",
                    "IpsecAuthAlg": "sha1",
                    "IpsecLifetime": 86400
                },
                "VpnConnectionId": "vco-gw8tylx7hvwhl7tu8****",
                "IkeConfig": {
                    "IkeAuthAlg": "sha1",
                    "LocalId": "8.XX.XX.192",
                    "IkeEncAlg": "aes",
                    "IkeVersion": "ikev1",
                    "IkeMode": "main",
                    "IkeLifetime": 86400,
                    "Psk": "123456",
                    "RemoteId": "8.XX.XX.146",
                    "IkePfs": "group2"
                },
                "VpnBgpConfig": {
                    "Status": "success",
                    "LocalAsn": 45104,
                    "TunnelCidr": "169.254.10.0/30",
                    "PeerBgpIp": "169.XX.XX.30",
                    "PeerAsn": 65531,
                    "LocalBgpIp": "169.XX.XX.32"
                }
            },
            {
                "LocalSubnet": "192.168.0.0/16",
                "Status": "ipsec_sa_established",
                "CustomerGatewayId": "cgw-gw819u3zrifo8m5iz****",
                "CreateTime": 1590495260000,
                "Name": "VPN2-CGW1",
                "EffectImmediately": false,
                "RemoteSubnet": "10.0.0.0/8",
                "VcoHealthCheck": {
                    "Status": "success",
                    "Enable": "true",
                    "Dip": "192.168.0.1",
                    "Sip": "192.168.0.56",
                    "Retry": 2,
                    "Interval": 2
                },
                "VpnGatewayId": "vpn-gw8uofjyg2db32o89****",
                "IpsecConfig": {
                    "IpsecPfs": "group2",
                    "IpsecEncAlg": "aes",
                    "IpsecAuthAlg": "sha1",
                    "IpsecLifetime": 86400
                },
                "VpnConnectionId": "vco-gw837v1ybfh74b6dy****",
                "IkeConfig": {
                    "IkeAuthAlg": "sha1",
                    "LocalId": "8.XX.XX.146",
                    "IkeEncAlg": "aes",
                    "IkeVersion": "ikev1",
                    "IkeMode": "main",
                    "IkeLifetime": 86400,
                    "Psk": "123456",
                    "RemoteId": "8.XX.XX.192",
                    "IkePfs": "group2"
                },
                "VpnBgpConfig": {
                    "Status": "success",
                    "LocalAsn": 45104,
                    "TunnelCidr": "169.254.10.0/30",
                    "PeerBgpIp": "169.XX.XX.30",
                    "PeerAsn": 65530,
                    "LocalBgpIp": "169.XX.XX.32"
                }
            }
        ]
    }
}
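
The response carries the IKE and IPsec parameters together with the Psk and AuthKey values, so it can drive a configuration audit and must be masked before it is logged. The following Python sketch is an added example, not code from the API reference or from Alibaba Cloud: the policy sets, the minimum key length, and the names audit and redact are assumptions, and the sample input is constructed.

```python
# Assumed local policy (not part of the API reference): values treated as weak.
WEAK = {
    "IkeAuthAlg": {"sha1"}, "IpsecAuthAlg": {"sha1"},
    "IkePfs": {"group2"}, "IpsecPfs": {"group2"},
    "IkeVersion": {"ikev1"},
}
MIN_PSK_LEN = 16                  # assumed minimum pre-shared key length
SECRET_KEYS = {"Psk", "AuthKey"}  # secret fields present in the response

def audit(response):
    """Map VpnConnectionId -> policy findings; compliant connections are omitted."""
    report = {}
    for conn in response.get("VpnConnections", {}).get("VpnConnection", []):
        findings = []
        for field, weak_values in WEAK.items():
            section = "IkeConfig" if field.startswith("Ike") else "IpsecConfig"
            value = str(conn.get(section, {}).get(field, "")).lower()
            if value in weak_values:
                findings.append(f"{section}.{field}={value}")
        psk = conn.get("IkeConfig", {}).get("Psk")
        if psk is not None and len(psk) < MIN_PSK_LEN:  # skip if no key returned
            findings.append(f"IkeConfig.Psk shorter than {MIN_PSK_LEN} characters")
        if findings:
            report[conn.get("VpnConnectionId", "<unknown>")] = findings
    return report

def redact(node):
    """Copy the response with every Psk and AuthKey value masked, for safe logging."""
    if isinstance(node, dict):
        return {k: "<redacted>" if k in SECRET_KEYS else redact(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node

# Constructed sample shaped like the JSON response above (IDs and keys are made up).
SAMPLE = {"VpnConnections": {"VpnConnection": [
    {"VpnConnectionId": "vco-example-1",
     "IkeConfig": {"IkeAuthAlg": "sha1", "IkePfs": "group2",
                   "IkeVersion": "ikev1", "Psk": "123456"},
     "IpsecConfig": {"IpsecAuthAlg": "sha1", "IpsecPfs": "group2"},
     "VpnBgpConfig": {"AuthKey": "constructed-bgp-key", "PeerAsn": 65531}},
    {"VpnConnectionId": "vco-example-2",
     "IkeConfig": {"IkeAuthAlg": "sha256", "IkePfs": "group14",
                   "IkeVersion": "ikev2", "Psk": "constructed-long-psk-0123456789"},
     "IpsecConfig": {"IpsecAuthAlg": "sha256", "IpsecPfs": "group14"}},
]}}

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(redact(SAMPLE))
```

Log only the output of redact; the audit findings name fields and weak values but never include the key material itself.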

Error codes

HttpCode Error code Error message Description
403 Forbbiden.SubUser User not authorized to operate on the specified resource as your account is created by another user.

The error message returned because you are unauthorized to perform this operation on the specified resource. You can apply for the required permissions and try again.

403 Forbidden User not authorized to operate on the specified resource.

The error message returned because you are unauthorized to perform this operation on the specified resource. To acquire the required permissions, submit a ticket.

For a list of error codes, visit the API Error Center.