Queries the details of an IPsec-VPN connection.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeVpnConnection

The operation that you want to perform. Set the value to DescribeVpnConnection.

RegionId String Yes cn-hangzhou

The ID of the region where the IPsec-VPN connection is established.

You can call the DescribeRegions operation to query the most recent region list.

VpnConnectionId String Yes vco-bp1bbi27hojx80nck****

The ID of the IPsec-VPN connection.

Response parameters

Parameter Type Example Description
Status String ike_sa_not_established

The status of the IPsec-VPN connection. Valid values:

  • ike_sa_not_established: Phase 1 negotiations failed.
  • ike_sa_established: Phase 1 negotiations were successful.
  • ipsec_sa_not_established: Phase 2 negotiations failed.
  • ipsec_sa_established: Phase 2 negotiations were successful.

RemoteCaCertificate String -----BEGIN CERTIFICATE----- MIIB7zCCAZW****

The CA certificate of the peer.

EnableNatTraversal Boolean true

Indicates whether NAT traversal is enabled. Valid values:

  • true: NAT traversal is enabled.
  • false: NAT traversal is disabled.

After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel.

CreateTime Long 1492753817000

The timestamp generated when the IPsec-VPN connection was established.

EffectImmediately Boolean true

Indicates whether the IPsec-VPN connection immediately takes effect. Valid values:

  • true: Negotiations are reinitiated when the configuration is changed.
  • false: Negotiations are reinitiated when traffic is detected. When negotiations are reinitiated, transient connections may occur.

VpnGatewayId String vpn-bp1q8bgx4xnkm2ogj****

The ID of the VPN gateway.

LocalSubnet String 10.0.0.0/8

The CIDR block on the VPC side.

CIDR blocks are separated with commas (,).

RequestId String F2310D45-BCF6-4E2E-9082-B4503844BA4C

The ID of the request.

VpnConnectionId String vco-bp1bbi27hojx80nck****

The ID of the IPsec-VPN connection.

RemoteSubnet String 192.168.0.0/16

The CIDR block of the data center.

CIDR blocks are separated with commas (,).

CustomerGatewayId String cgw-bp1mvj4g9kogwwcxk****

The ID of the customer gateway.

Name String ipsec1

The name of the IPsec-VPN connection.

EnableDpd Boolean true

Indicates whether dead peer detection (DPD) is enabled. Valid values:

  • false: disabled
  • true: enabled

After you enable DPD, the initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no response is received from the peer within a specified period of time, the connection fails. Then, the ISAKMP SA, IPsec SA, and IPsec tunnel are deleted.

IkeConfig Object

The configurations of Phase 1 negotiations.

RemoteId String 139.34.XX.XX

The identifier of the peer. The default value is the IP address of the VPN gateway. The value can be a fully qualified domain name (FQDN) or an IP address.

IkeLifetime Long 86400

The IKE lifetime. Unit: seconds.

IkeEncAlg String aes

The IKE encryption algorithm.

LocalId String 116.28.XX.XX

The identifier of the local side. The default value is the IP address of the VPN gateway. The value can be an FQDN or an IP address.

IkeMode String main

The IKE negotiation mode.

IkeVersion String ikev1

The version of the IKE protocol.

IkePfs String group2

The DH group.

Psk String pgw6dy****

The pre-shared key.

IkeAuthAlg String sha1

The IKE authentication algorithm.

IpsecConfig Object

The configuration of Phase 2 negotiations.

IpsecAuthAlg String sha1

The IPsec authentication algorithm.

IpsecLifetime Long 86400

The IPsec lifetime. Unit: seconds.

IpsecEncAlg String aes

The IPsec encryption algorithm.

IpsecPfs String group2

The DH group.

VcoHealthCheck Object

The information about health checks.

Status String failed

The status of the health check. Valid values:

  • failed: abnormal
  • success: normal

Dip String 10.0.0.1

The destination IP address.

Interval Integer 3

The interval of health check retries. Unit: seconds.

Retry Integer 3

The maximum number of health check retries.

Sip String 192.168.1.1

The source IP address.

Enable String true

Indicates whether health checks are enabled. Valid values:

  • false: disabled
  • true: enabled

VpnBgpConfig Object

The configurations of the BGP routing protocol.

Status String success

The negotiation status of the BGP routing protocol. Valid values:

  • success: normal
  • failed: abnormal

PeerBgpIp String 169.18.XX.XX

The BGP IP address of the peer.

TunnelCidr String 169.254.11.0/30

The CIDR block of the IPsec tunnel. The CIDR block belongs to 169.254.0.0/16. The mask of the CIDR block is 30 bits in length.

EnableBgp String true

Indicates whether the BGP routing protocol is enabled. Valid values:

  • true: enabled
  • false: disabled

LocalBgpIp String 169.32.XX.XX

The BGP IP address on the Alibaba Cloud side.

PeerAsn Long 65530

The autonomous system number (ASN) of the peer.

LocalAsn Long 45014

The ASN on the Alibaba Cloud side.

AuthKey String AuthKey****

The authentication key of the BGP routing protocol.

Examples

Sample requests

https://vpc.aliyuncs.com/?Action=DescribeVpnConnection
&RegionId=cn-hangzhou
&VpnConnectionId=vco-bp1bbi27hojx80nck****
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<DescribeVpnConnectionResponse>
    <Status>ike_sa_not_established</Status>
    <RemoteCaCertificate>-----BEGIN CERTIFICATE----- MIIB7zCCAZW****</RemoteCaCertificate>
    <EnableNatTraversal>true</EnableNatTraversal>
    <CreateTime>1492753817000</CreateTime>
    <EffectImmediately>true</EffectImmediately>
    <VpnGatewayId>vpn-bp1q8bgx4xnkm2ogj****</VpnGatewayId>
    <LocalSubnet>10.0.0.0/8</LocalSubnet>
    <RequestId>F2310D45-BCF6-4E2E-9082-B4503844BA4C</RequestId>
    <VpnConnectionId>vco-bp1bbi27hojx80nck****</VpnConnectionId>
    <RemoteSubnet>192.168.0.0/16</RemoteSubnet>
    <CustomerGatewayId>cgw-bp1mvj4g9kogwwcxk****</CustomerGatewayId>
    <Name>ipsec1</Name>
    <EnableDpd>true</EnableDpd>
    <IkeConfig>
        <RemoteId>139.34.XX.XX</RemoteId>
        <IkeLifetime>86400</IkeLifetime>
        <IkeEncAlg>aes</IkeEncAlg>
        <LocalId>116.28.XX.XX</LocalId>
        <IkeMode>main</IkeMode>
        <IkeVersion>ikev1</IkeVersion>
        <IkePfs>group2</IkePfs>
        <Psk>pgw6dy****</Psk>
        <IkeAuthAlg>sha1</IkeAuthAlg>
    </IkeConfig>
    <IpsecConfig>
        <IpsecAuthAlg>sha1</IpsecAuthAlg>
        <IpsecLifetime>86400</IpsecLifetime>
        <IpsecEncAlg>aes</IpsecEncAlg>
        <IpsecPfs>group2</IpsecPfs>
    </IpsecConfig>
    <VcoHealthCheck>
        <Status>failed</Status>
        <Dip>10.0.0.1</Dip>
        <Interval>3</Interval>
        <Retry>3</Retry>
        <Sip>192.168.1.1</Sip>
        <Enable>true</Enable>
    </VcoHealthCheck>
    <VpnBgpConfig>
        <Status>success</Status>
        <PeerBgpIp>169.18.XX.XX</PeerBgpIp>
        <TunnelCidr>169.254.11.0/30</TunnelCidr>
        <EnableBgp>true</EnableBgp>
        <LocalBgpIp>169.32.XX.XX</LocalBgpIp>
        <PeerAsn>65530</PeerAsn>
        <LocalAsn>45014</LocalAsn>
        <AuthKey>AuthKey****</AuthKey>
    </VpnBgpConfig>
</DescribeVpnConnectionResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "Status" : "ike_sa_not_established",
  "RemoteCaCertificate" : "-----BEGIN CERTIFICATE----- MIIB7zCCAZW****",
  "EnableNatTraversal" : true,
  "CreateTime" : 1492753817000,
  "EffectImmediately" : true,
  "VpnGatewayId" : "vpn-bp1q8bgx4xnkm2ogj****",
  "LocalSubnet" : "10.0.0.0/8",
  "RequestId" : "F2310D45-BCF6-4E2E-9082-B4503844BA4C",
  "VpnConnectionId" : "vco-bp1bbi27hojx80nck****",
  "RemoteSubnet" : "192.168.0.0/16",
  "CustomerGatewayId" : "cgw-bp1mvj4g9kogwwcxk****",
  "Name" : "ipsec1",
  "EnableDpd" : true,
  "IkeConfig" : {
    "RemoteId" : "139.34.XX.XX",
    "IkeLifetime" : 86400,
    "IkeEncAlg" : "aes",
    "LocalId" : "116.28.XX.XX",
    "IkeMode" : "main",
    "IkeVersion" : "ikev1",
    "IkePfs" : "group2",
    "Psk" : "pgw6dy****",
    "IkeAuthAlg" : "sha1"
  },
  "IpsecConfig" : {
    "IpsecAuthAlg" : "sha1",
    "IpsecLifetime" : 86400,
    "IpsecEncAlg" : "aes",
    "IpsecPfs" : "group2"
  },
  "VcoHealthCheck" : {
    "Status" : "failed",
    "Dip" : "10.0.0.1",
    "Interval" : 3,
    "Retry" : 3,
    "Sip" : "192.168.1.1",
    "Enable" : "true"
  },
  "VpnBgpConfig" : {
    "Status" : "success",
    "PeerBgpIp" : "169.18.XX.XX",
    "TunnelCidr" : "169.254.11.0/30",
    "EnableBgp" : "true",
    "LocalBgpIp" : "169.32.XX.XX",
    "PeerAsn" : 65530,
    "LocalAsn" : 45014,
    "AuthKey" : "AuthKey****"
  }
}
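
The response above carries both secrets (Psk, AuthKey) and the negotiated Phase 1 and Phase 2 parameters, so a client that stores or logs it should mask the former and can review the latter. The following Python is an added example, not part of the original reference or of any Alibaba Cloud SDK; the function names `redact` and `audit` are hypothetical, and the `WEAK` table is an example policy whose entries (including values such as des, 3des, md5, group1, group5 and aggressive that do not appear on this page) are assumptions to adapt to your own baseline.

```python
import json

# Constructed input: a trimmed copy of the JSON sample response on this page.
SAMPLE = json.loads("""{
  "Status": "ike_sa_not_established", "EnableDpd": true,
  "IkeConfig": {"IkeEncAlg": "aes", "IkeMode": "main", "IkeVersion": "ikev1",
                "IkePfs": "group2", "Psk": "pgw6dy****", "IkeAuthAlg": "sha1"},
  "IpsecConfig": {"IpsecAuthAlg": "sha1", "IpsecEncAlg": "aes", "IpsecPfs": "group2"},
  "VcoHealthCheck": {"Status": "failed", "Enable": "true"},
  "VpnBgpConfig": {"Status": "success", "EnableBgp": "true", "AuthKey": "AuthKey****"}
}""")

SECRET_FIELDS = {"Psk", "AuthKey"}  # response fields that hold key material

# Example policy (assumption, not defined by the API reference):
# parameter values this audit treats as too weak.
WEAK = {
    "IkeVersion": {"ikev1"},
    "IkeMode": {"aggressive"},
    "IkeEncAlg": {"des", "3des"},
    "IpsecEncAlg": {"des", "3des"},
    "IkeAuthAlg": {"md5", "sha1"},
    "IpsecAuthAlg": {"md5", "sha1"},
    "IkePfs": {"group1", "group2", "group5"},
    "IpsecPfs": {"group1", "group2", "group5"},
}

def redact(obj):
    """Return a deep copy with Psk/AuthKey masked, safe to log or store."""
    if isinstance(obj, dict):
        return {k: "<redacted>" if k in SECRET_FIELDS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

def audit(resp):
    """List findings for weak crypto settings and unhealthy tunnel state."""
    findings = []
    for section in ("IkeConfig", "IpsecConfig"):
        for key, value in resp.get(section, {}).items():
            if str(value).lower() in WEAK.get(key, ()):
                findings.append(f"{section}.{key}={value}")
    if not resp.get("EnableDpd", False):
        findings.append("EnableDpd=false")
    if resp.get("Status") != "ipsec_sa_established":
        findings.append(f"Status={resp.get('Status')}")
    # VcoHealthCheck.Enable is returned as a string ("true"), not a JSON boolean.
    hc = resp.get("VcoHealthCheck", {})
    if str(hc.get("Enable")).lower() == "true" and hc.get("Status") == "failed":
        findings.append("VcoHealthCheck.Status=failed")
    return findings
```

Call `redact()` before the response reaches any log sink, and run `audit()` on the unredacted object, since it never reads the secret fields.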

Error codes

HttpCode Error code Error message Description
403 Forbbiden.SubUser

User not authorized to operate on the specified resource as your account is created by another user.

The error message returned because you are unauthorized to perform this operation on the specified resource. Apply for the required permissions and try again.

403 Forbidden

User not authorized to operate on the specified resource.

The error message returned because you are unauthorized to perform this operation on the specified resource. Apply for the required permissions and try again.

404 InvalidVpnConnectionInstanceId.NotFound

The specified vpn connection instance id does not exist.

The error message returned because the specified IPsec-VPN connection does not exist. Check whether the ID of the IPsec-VPN connection is valid.

For a list of error codes, visit the API Error Center.