All Products
Search
Document Center

Virtual Private Cloud:DescribeVpnConnection

Last Updated:Mar 04, 2024

Queries the detailed information about an IPsec-VPN connection.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
vpc:DescribeVpnConnectionRead
  • VpnConnection
    acs:vpc:{#regionId}:{#accountId}:vpnconnection/{#VpnConnectionId}
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
RegionIdstringYes

The ID of the region where the IPsec-VPN connection is created.

You can call the DescribeRegions operation to query the most recent region list.

cn-hangzhou
VpnConnectionIdstringYes

The ID of the IPsec-VPN connection.

vco-bp1bbi27hojx80nck****

Response parameters

ParameterTypeDescriptionExample
object

The response parameters.

Statusstring

The state of the IPsec-VPN connection. Valid values:

  • ike_sa_not_established: Phase 1 negotiations failed.
  • ike_sa_established: Phase 1 negotiations succeeded.
  • ipsec_sa_not_established: Phase 2 negotiations failed.
  • ipsec_sa_established: Phase 2 negotiations succeeded.
ike_sa_not_established
RemoteCaCertificatestring

The certificate authority (CA) certificate of the peer.

-----BEGIN CERTIFICATE----- MIIB7zCCAZW****
EnableNatTraversalboolean

Indicates whether NAT traversal is enabled for the IPsec-VPN connection. Valid values:

  • true
  • false

After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.

true
CreateTimelong

The timestamp generated when the IPsec-VPN connection was established. Unit: milliseconds.

This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC.

1492753817000
EffectImmediatelyboolean

Indicates whether IPsec negotiations immediately start after the configuration takes effect. Valid values:

  • true: Negotiations are reinitiated after the configuration is changed.
  • false: Negotiations are reinitiated after traffic is detected.
true
VpnGatewayIdstring

The ID of the VPN gateway.

vpn-bp1q8bgx4xnkm2ogj****
LocalSubnetstring

The CIDR block on the Alibaba Cloud side.

Multiple CIDR blocks are separated by commas (,).

10.0.0.0/8
RequestIdstring

The request ID.

F2310D45-BCF6-4E2E-9082-B4503844BA4C
VpnConnectionIdstring

The ID of the IPsec-VPN connection.

vco-bp1bbi27hojx80nck****
RemoteSubnetstring

The CIDR block on the data center side.

Multiple CIDR blocks are separated by commas (,).

192.168.0.0/16
CustomerGatewayIdstring

The ID of the customer gateway associated with the IPsec-VPN connection.

cgw-bp1mvj4g9kogwwcxk****
Namestring

The name of the IPsec-VPN connection.

ipsec1
EnableDpdboolean

Indicates whether the dead peer detection (DPD) feature is enabled for the IPsec-VPN connection. Valid values:

  • false
  • true

After you enable the DPD feature, the initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. Then, the ISAKMP security association (SA), IPsec SA, and IPsec tunnel are deleted.

true
IkeConfigobject

The configuration of Phase 1 negotiations.

RemoteIdstring

The identifier of the IPsec-VPN connection on the data center side.

139.34.XX.XX
IkeLifetimelong

The lifetime in the IKE phase. Unit: seconds.

86400
IkeEncAlgstring

The encryption algorithm in the IKE phase.

aes
LocalIdstring

The identifier of the IPsec-VPN connection on the Alibaba Cloud side.

116.28.XX.XX
IkeModestring

The IKE negotiation mode.

  • main: This mode offers higher security during negotiations.
  • aggressive: This mode is faster and has a higher success rate.
main
IkeVersionstring

The version of the IKE protocol.

  • ikev1
  • ikev2

Compared with IKEv1, IKEv2 simplifies the SA negotiation process and is more suitable for scenarios in which multiple CIDR blocks are used.

ikev1
IkePfsstring

The Diffie-Hellman (DH) group in the IKE phase.

group2
Pskstring

The pre-shared key.

pgw6dy****
IkeAuthAlgstring

The authentication algorithm in the IKE phase.

sha1
IpsecConfigobject

The configuration of Phase 2 negotiations.

IpsecAuthAlgstring

The authentication algorithm in the IPsec phase.

sha1
IpsecLifetimelong

The lifetime in the IPsec phase. Unit: seconds.

86400
IpsecEncAlgstring

The encryption algorithm in the IPsec phase.

aes
IpsecPfsstring

The DH group in the IPsec phase.

group2
VcoHealthCheckobject

The health check information about the IPsec-VPN connection.

Statusstring

The state of the health check. Valid values:

  • failed
  • success: normal
failed
Dipstring

The destination IP address.

10.0.0.1
Intervalinteger

The interval between two consecutive health checks. Unit: seconds.

3
Retryinteger

The maximum number of health check retries.

3
Sipstring

The source IP address.

192.168.1.1
Enablestring

Indicates whether the health check feature is enabled for the IPsec-VPN connection. Valid values:

  • false
  • true
true
Policystring

Indicates whether advertised routes are withdrawn when the health check fails. Valid values:

  • revoke_route: Advertised routes are withdrawn.
  • reserve_route: Advertised routes are not withdrawn.
revoke_route
VpnBgpConfigobject

The Border Gateway Protocol (BGP) configuration of the IPsec-VPN connection.

Statusstring

The negotiation state of the BGP routing protocol. Valid values:

  • success: normal
  • failed
success
PeerBgpIpstring

The BGP IP address of the peer.

169.254.11.1
TunnelCidrstring

The BGP CIDR block of the IPsec-VPN connection. The CIDR block falls within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length.

169.254.11.0/30
EnableBgpstring

Indicates whether BGP is enabled. Valid values:

  • true
  • false
true
LocalBgpIpstring

The BGP IP address on the Alibaba Cloud side.

169.254.11.2
PeerAsnlong

The autonomous system number (ASN) of the peer.

65530
LocalAsnlong

The ASN on the Alibaba Cloud side.

65531
AuthKeystring

The authentication key of the BGP routing protocol.

AuthKey****
AttachTypestring

The type of the resource that is associated with the IPsec-VPN connection. Valid values:

  • CEN: indicates that the IPsec-VPN connection is associated with a transit router of a Cloud Enterprise Network (CEN) instance.
  • NO_ASSOCIATED: indicates that the IPsec-VPN connection is not associated with any resource.
  • VPNGW: indicates that the IPsec-VPN connection is associated with a VPN gateway.
CEN
NetworkTypestring

The network type of the IPsec-VPN connection. Valid values:

  • public: an encrypted connection over the Internet
  • private: an encrypted connection over private networks
public
AttachInstanceIdstring

The ID of the CEN instance to which the transit router belongs.

cen-lxxpbpalc776qz****
Specstring

The bandwidth specification of the IPsec-VPN connection. Unit: Mbit/s.

1000M
Statestring

The association state of the IPsec-VPN connection. Valid values:

  • active: The IPsec-VPN connection is associated with a VPN gateway.
  • init: The IPsec-VPN connection is not associated with any resource and is being initialized.
  • attaching: The IPsec-VPN connection is being associated with a transit router.
  • attached: The IPsec-VPN connection is associated with a transit router.
  • detaching: The IPsec-VPN connection is being disassociated from a transit router.
  • financialLocked: The IPsec-VPN connection is locked due to overdue payments.
  • provisioning: The IPsec-VPN connection is being prepared.
  • updating: The IPsec-VPN connection is being updated.
  • Upgrading: The IPsec-VPN connection is being upgraded.
  • deleted: The IPsec-VPN connection is deleted.
attached
ZoneNostring

The ID of the zone where the IPsec-VPN connection is deployed.

You can call DescribeZones to query zone IDs and mapping between zone IDs and zone names.

ap-southeast-2b
InternetIpstring

The gateway IP address of the IPsec-VPN connection.

47.XX.XX.162
TransitRouterIdstring

The ID of the transit router with which the IPsec-VPN connection is associated.

tr-p0we2edef9qr44a85****
TransitRouterNamestring

The name of the transit router.

nametest
CrossAccountAuthorizedboolean

Indicates whether the IPsec-VPN connection is associated with a transit router that belongs to another Alibaba Cloud account. Valid values:

  • true
  • false
false
Tagsobject []

The list of tags added to the IPsec-VPN connection.

Keystring

The tag key.

TagKey
Valuestring

The tag value.

TagValue
TunnelOptionsSpecificationobject []

The tunnel configuration of the IPsec-VPN connection.

Parameters in TunnelOptionsSpecification are returned only if you query IPsec-VPN connections in dual-tunnel mode.

TunnelIdstring

The tunnel ID.

tun-opsqc4d97wni27****
CustomerGatewayIdstring

The ID of the customer gateway associated with the tunnel.

cgw-p0wy363lucf1uyae8****
EnableDpdstring

Indicates whether the DPD feature is enabled for the tunnel. Valid values:

  • false
  • true
true
EnableNatTraversalstring

Indicates whether NAT traversal is enabled for the tunnel. Valid values:

  • false
  • true
true
InternetIpstring

The tunnel IP address.

47.21.XX.XX
RemoteCaCertificatestring

The CA certificate of the tunnel peer.

This parameter is returned only if the VPN gateway is of the ShangMi (SM) type.

-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----
Rolestring

The tunnel role. Valid values:

  • master: The tunnel is an active tunnel.
  • slave: The tunnel is a standby tunnel.
master
Statestring

The tunnel status. Valid values:

  • active
  • updating
  • deleting
active
Statusstring

The state of the IPsec-VPN connection. Valid values:

  • ike_sa_not_established: Phase 1 negotiations failed.
  • ike_sa_established: Phase 1 negotiations succeeded.
  • ipsec_sa_not_established: Phase 2 negotiations failed.
  • ipsec_sa_established: Phase 2 negotiations succeeded.
ipsec_sa_established
TunnelBgpConfigobject

The BGP configurations.

BgpStatusstring

The negotiation state of BGP. Valid values:

  • success
  • false
success
LocalAsnstring

The ASN on the Alibaba Cloud side.

65530
LocalBgpIpstring

The BGP address on the Alibaba Cloud side.

169.254.10.1
PeerAsnstring

The ASN of the tunnel peer.

65531
PeerBgpIpstring

The BGP IP address of the tunnel peer.

169.254.10.2
TunnelCidrstring

The BGP CIDR block of the tunnel.

169.254.10.0/30
TunnelIkeConfigobject

The configuration of Phase 1 negotiations.

IkeAuthAlgstring

The authentication algorithm in the IKE phase.

sha1
IkeEncAlgstring

The encryption algorithm in the IKE phase.

aes
IkeLifetimestring

The lifetime in the IKE phase. Unit: seconds.

86400
IkeModestring

The IKE negotiation mode.

  • main: This mode offers higher security during negotiations.
  • aggressive: This mode is faster and has a higher success rate.
main
IkePfsstring

The Diffie-Hellman (DH) group in the IKE phase.

group2
IkeVersionstring

The version of the IKE protocol.

ikev1
LocalIdstring

The identifier of the tunnel on the Alibaba Cloud side.

47.21.XX.XX
Pskstring

The pre-shared key.

123456****
RemoteIdstring

The identifier of the tunnel peer.

47.42.XX.XX
TunnelIpsecConfigobject

The configurations of Phase 2 negotiations.

IpsecAuthAlgstring

The authentication algorithm in the IPsec phase.

sha1
IpsecEncAlgstring

The encryption algorithm in the IPsec phase.

aes
IpsecLifetimestring

The lifetime in the IPsec phase. Unit: seconds.

86400
IpsecPfsstring

The DH group in the IPsec phase.

group2
ZoneNostring

The zone where the tunnel is deployed.

You can call DescribeZones to query zone IDs.

ap-southeast-5a
EnableTunnelsBgpboolean

Indicates whether BGP is enabled for the tunnel. Valid values:

  • true
  • false
true
ResourceGroupIdstring

The ID of the resource group to which the IPsec-VPN connection belongs.

You can call the ListResourceGroups operation to query the resource group information.

rg-acfmzs372yg****

Examples

Sample success responses

JSONformat

{
  "Status": "ike_sa_not_established",
  "RemoteCaCertificate": "-----BEGIN CERTIFICATE----- MIIB7zCCAZW****",
  "EnableNatTraversal": true,
  "CreateTime": 1492753817000,
  "EffectImmediately": true,
  "VpnGatewayId": "vpn-bp1q8bgx4xnkm2ogj****",
  "LocalSubnet": "10.0.0.0/8",
  "RequestId": "F2310D45-BCF6-4E2E-9082-B4503844BA4C",
  "VpnConnectionId": "vco-bp1bbi27hojx80nck****",
  "RemoteSubnet": "192.168.0.0/16",
  "CustomerGatewayId": "cgw-bp1mvj4g9kogwwcxk****",
  "Name": "ipsec1",
  "EnableDpd": true,
  "IkeConfig": {
    "RemoteId": "139.34.XX.XX",
    "IkeLifetime": 86400,
    "IkeEncAlg": "aes",
    "LocalId": "116.28.XX.XX",
    "IkeMode": "main",
    "IkeVersion": "ikev1",
    "IkePfs": "group2",
    "Psk": "pgw6dy****",
    "IkeAuthAlg": "sha1"
  },
  "IpsecConfig": {
    "IpsecAuthAlg": "sha1",
    "IpsecLifetime": 86400,
    "IpsecEncAlg": "aes",
    "IpsecPfs": "group2"
  },
  "VcoHealthCheck": {
    "Status": "failed",
    "Dip": "10.0.0.1",
    "Interval": 3,
    "Retry": 3,
    "Sip": "192.168.1.1",
    "Enable": "true",
    "Policy": "revoke_route"
  },
  "VpnBgpConfig": {
    "Status": "success",
    "PeerBgpIp": "169.254.11.1",
    "TunnelCidr": "169.254.11.0/30",
    "EnableBgp": "true",
    "LocalBgpIp": "169.254.11.2",
    "PeerAsn": 65530,
    "LocalAsn": 65531,
    "AuthKey": "AuthKey****"
  },
  "AttachType": "CEN",
  "NetworkType": "public",
  "AttachInstanceId": "cen-lxxpbpalc776qz****",
  "Spec": "1000M",
  "State": "attached",
  "ZoneNo": "ap-southeast-2b",
  "InternetIp": "47.XX.XX.162",
  "TransitRouterId": "tr-p0we2edef9qr44a85****",
  "TransitRouterName": "nametest",
  "CrossAccountAuthorized": false,
  "Tags": {
    "Tag": [
      {
        "Key": "TagKey",
        "Value": "TagValue"
      }
    ]
  },
  "TunnelOptionsSpecification": {
    "TunnelOptions": [
      {
        "TunnelId": "tun-opsqc4d97wni27****",
        "CustomerGatewayId": "cgw-p0wy363lucf1uyae8****",
        "EnableDpd": "true",
        "EnableNatTraversal": "true",
        "InternetIp": "47.21.XX.XX",
        "RemoteCaCertificate": "-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----",
        "Role": "master",
        "State": "active",
        "Status": "ipsec_sa_established",
        "TunnelBgpConfig": {
          "BgpStatus": "success",
          "LocalAsn": "65530",
          "LocalBgpIp": "169.254.10.1",
          "PeerAsn": "65531",
          "PeerBgpIp": "169.254.10.2",
          "TunnelCidr": "169.254.10.0/30"
        },
        "TunnelIkeConfig": {
          "IkeAuthAlg": "sha1",
          "IkeEncAlg": "aes",
          "IkeLifetime": "86400",
          "IkeMode": "main",
          "IkePfs": "group2",
          "IkeVersion": "ikev1",
          "LocalId": "47.21.XX.XX",
          "Psk": "123456****",
          "RemoteId": "47.42.XX.XX"
        },
        "TunnelIpsecConfig": {
          "IpsecAuthAlg": "sha1",
          "IpsecEncAlg": "aes",
          "IpsecLifetime": "86400",
          "IpsecPfs": "group2"
        },
        "ZoneNo": "ap-southeast-5a"
      }
    ]
  },
  "EnableTunnelsBgp": true,
  "ResourceGroupId": "rg-acfmzs372yg****"
}

Error codes

HTTP status codeError codeError messageDescription
403Forbbiden.SubUserUser not authorized to operate on the specified resource as your account is created by another user.You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again.
403ForbiddenUser not authorized to operate on the specified resource.You do not have the permissions to manage the specified resource. Apply for the permissions and try again.
404InvalidVpnConnectionInstanceId.NotFoundThe specified vpn connection instance id does not exist.The specified vpn connection instance id does not exist.

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2023-10-19The API operation is not deprecated.. The Error code has changed. The response structure of the API has changedsee changesets
Change itemChange content
API Deprecation DescriptionThe API operation is not deprecated..
Error CodesThe Error code has changed.
    delete Error Codes: 403
    delete Error Codes: 404
Output ParametersThe response structure of the API has changed.
2023-08-01API Description Update. The Error code has changed. The response structure of the API has changedsee changesets
Change itemChange content
API DescriptionAPI Description Update.
Error CodesThe Error code has changed.
    delete Error Codes: 403
    delete Error Codes: 404
Output ParametersThe response structure of the API has changed.
2023-06-30The Error code has changed. The response structure of the API has changedsee changesets
Change itemChange content
Error CodesThe Error code has changed.
    delete Error Codes: 403
    delete Error Codes: 404
Output ParametersThe response structure of the API has changed.
2023-06-13The Error code has changed. The response structure of the API has changedsee changesets
Change itemChange content
Error CodesThe Error code has changed.
    delete Error Codes: 403
    delete Error Codes: 404
Output ParametersThe response structure of the API has changed.
2023-05-04The Error code has changed. The response structure of the API has changedsee changesets
Change itemChange content
Error CodesThe Error code has changed.
    delete Error Codes: 403
    delete Error Codes: 404
Output ParametersThe response structure of the API has changed.