
Virtual Private Cloud:DescribeVpnConnections

Last Updated: Aug 29, 2024

Queries IPsec-VPN connections.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

The following table shows the authorization information that corresponds to this API operation. It can be used in the Action element of a RAM policy to grant a RAM user or RAM role the permissions to call this operation. The columns are:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of the operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or RAM role must have permissions to perform in order to complete this operation.

Operation: vpc:DescribeVpnConnections
Access level: list
Resource type:
  • VpnConnection: acs:vpc:{#regionId}:{#accountId}:vpnconnection/*
  • VpnConnection: acs:vpc:{#regionId}:{#accountId}:vpnconnection/{#VpnConnectionId}
Condition key: none
Associated operation: none

Request parameters

Each parameter is listed as Name (type, required or optional), followed by its description and an example value.

RegionId (string, required)
  The ID of the region where the IPsec-VPN connection is created. You can call the DescribeRegions operation to query the most recent region list.
  Example: cn-hangzhou

VpnGatewayId (string, optional)
  The ID of the VPN gateway.
  Example: vpn-bp1q8bgx4xnkx****

CustomerGatewayId (string, optional)
  The ID of the customer gateway.
  Example: cgw-bp1mvj4g9kogw****

PageNumber (integer, optional)
  The number of the page to return. Default value: 1.
  Example: 1

PageSize (integer, optional)
  The number of entries to return on each page. Default value: 10. Valid values: 1 to 50.
  Example: 10

VpnConnectionId (string, optional)
  The ID of the IPsec-VPN connection.
  Example: vco-bp10lz7aejumd****

Tag (array<object>, optional)
  The tag list. Each element is an object with the following fields:

  Key (string, optional)
    The tag key. The tag key cannot be an empty string. It can be at most 64 characters in length, cannot contain http:// or https://, and cannot start with aliyun or acs:. You can specify at most 20 tag keys in each call.
    Example: TagKey

  Value (string, optional)
    The tag value. The tag value can be an empty string and cannot exceed 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://. Each tag key corresponds to one tag value. You can specify at most 20 tag values in each call.
    Example: TagValue

ResourceGroupId (string, optional)
  The ID of the resource group to which the IPsec-VPN connection belongs. You can call the ListResourceGroups operation to query the resource group ID.
  Example: rg-acfmzs372yg****

Response parameters

Each parameter is listed as Name (type), followed by its description and an example value. The response is an object with the following parameters.

PageSize (integer)
  The number of entries returned per page.
  Example: 10

RequestId (string)
  The request ID.
  Example: 238752DC-0693-49BE-9C85-711D5691D3E5

PageNumber (integer)
  The page number.
  Example: 1

TotalCount (integer)
  The total number of entries returned.
  Example: 2

VpnConnections (array<object>)
  The information about the IPsec-VPN connections. Each element describes one connection and has the following fields.
Status (string)
  The status of the IPsec-VPN connection. Valid values:
  • ike_sa_not_established: Phase 1 negotiations failed.
  • ike_sa_established: Phase 1 negotiations succeeded.
  • ipsec_sa_not_established: Phase 2 negotiations failed.
  • ipsec_sa_established: Phase 2 negotiations succeeded.
  Example: ipsec_sa_established

EnableNatTraversal (boolean)
  Indicates whether NAT traversal is enabled for the IPsec-VPN connection. Valid values:
  • true: After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the IPsec tunnel.
  • false
  Example: true

RemoteCaCertificate (string)
  The certificate authority (CA) certificate of the peer.
  Example: -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----

CreateTime (long)
  The timestamp generated when the IPsec-VPN connection was established. Unit: milliseconds. This value is a UNIX timestamp that represents the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC.
  Example: 1492753817000

EffectImmediately (boolean)
  Indicates whether IPsec negotiations start immediately. Valid values:
  • true: Negotiations are reinitiated after the configuration is changed.
  • false: Negotiations are reinitiated after traffic is detected.
  Example: true

VpnGatewayId (string)
  The ID of the VPN gateway.
  Example: vpn-bp1q8bgx4xnkm****

LocalSubnet (string)
  The CIDR block on the Alibaba Cloud side. Multiple CIDR blocks are separated by commas (,).
  Example: 192.168.0.0/16,172.17.0.0/16

VpnConnectionId (string)
  The ID of the IPsec-VPN connection.
  Example: vco-bp10lz7aejumd****

RemoteSubnet (string)
  The CIDR block of the data center. Multiple CIDR blocks are separated by commas (,).
  Example: 10.0.0.0/8,172.16.0.0/16

CustomerGatewayId (string)
  The ID of the customer gateway associated with the IPsec-VPN connection.
  Example: cgw-bp1mvj4g9kogw****

Name (string)
  The name of the IPsec-VPN connection.
  Example: nametest

EnableDpd (boolean)
  Indicates whether dead peer detection (DPD) is enabled for the IPsec-VPN connection. Valid values:
  • true: The initiator of the IPsec-VPN connection sends DPD packets to check the existence and availability of the peer. If no feedback is received from the peer within a specific period of time, the connection fails. Then, the ISAKMP security association (SA), IPsec SA, and IPsec tunnel are deleted.
  • false
  Example: true
IkeConfig (object)
  The configurations of Phase 1 negotiations.

IkeConfig.RemoteId (string)
  The identifier of the IPsec-VPN connection on the Alibaba Cloud side.
  Example: 139.17.XX.XX

IkeConfig.IkeLifetime (long)
  The lifetime in the IKE phase. Unit: seconds.
  Example: 86400

IkeConfig.IkeEncAlg (string)
  The encryption algorithm in the IKE phase.
  Example: aes

IkeConfig.LocalId (string)
  The identifier of the IPsec-VPN connection on the data center side.
  Example: 116.64.XX.XX

IkeConfig.IkeMode (string)
  The IKE negotiation mode. Valid values:
  • main: This mode offers higher security during negotiations.
  • aggressive: This mode is faster and has a higher success rate.
  Example: main

IkeConfig.IkeVersion (string)
  The version of the IKE protocol. Valid values:
  • ikev1
  • ikev2
  Compared with IKEv1, IKEv2 simplifies the SA negotiation process and is better suited to scenarios in which multiple CIDR blocks are used.
  Example: ikev1

IkeConfig.IkePfs (string)
  The DH group in the IKE phase.
  Example: group2

IkeConfig.Psk (string)
  The pre-shared key.
  Example: pgw6dy7****

IkeConfig.IkeAuthAlg (string)
  The authentication algorithm in the IKE phase.
  Example: sha1
IpsecConfig (object)
  The configurations of Phase 2 negotiations.

IpsecConfig.IpsecAuthAlg (string)
  The authentication algorithm in the IPsec phase.
  Example: sha1

IpsecConfig.IpsecLifetime (long)
  The lifetime in the IPsec phase. Unit: seconds.
  Example: 86400

IpsecConfig.IpsecEncAlg (string)
  The encryption algorithm in the IPsec phase.
  Example: aes

IpsecConfig.IpsecPfs (string)
  The DH group in the IPsec phase.
  Example: group2
VcoHealthCheck (object)
  The health check configuration of the IPsec-VPN connection.

VcoHealthCheck.Status (string)
  The state of the health check. Valid values:
  • success
  • failed
  Example: success

VcoHealthCheck.Dip (string)
  The destination IP address.
  Example: 192.168.0.1

VcoHealthCheck.Interval (integer)
  The interval between two consecutive health checks. Unit: seconds.
  Example: 2

VcoHealthCheck.Retry (integer)
  The maximum number of health check retries.
  Example: 3

VcoHealthCheck.Sip (string)
  The source IP address.
  Example: 192.168.0.50

VcoHealthCheck.Enable (string)
  Indicates whether the health check feature is enabled. Valid values:
  • true
  • false
  Example: true

VcoHealthCheck.Policy (string)
  Indicates whether advertised routes are withdrawn when the health check fails. Valid values:
  • revoke_route: Advertised routes are withdrawn.
  • reserve_route: Advertised routes are not withdrawn.
  Example: revoke_route
VpnBgpConfig (object)
  The BGP configuration of the IPsec-VPN connection.

VpnBgpConfig.Status (string)
  The negotiation state of the BGP routing protocol. Valid values:
  • success
  • false
  Example: success

VpnBgpConfig.PeerBgpIp (string)
  The BGP IP address of the peer.
  Example: 169.254.10.1

VpnBgpConfig.TunnelCidr (string)
  The BGP CIDR block of the IPsec-VPN connection. The CIDR block falls within 169.254.0.0/16. The subnet mask of the CIDR block must be 30 bits in length.
  Example: 169.254.10.0/30

VpnBgpConfig.LocalBgpIp (string)
  The BGP IP address on the Alibaba Cloud side.
  Example: 169.254.10.2

VpnBgpConfig.PeerAsn (long)
  The ASN of the peer.
  Example: 65530

VpnBgpConfig.LocalAsn (long)
  The ASN on the Alibaba Cloud side.
  Example: 65531

VpnBgpConfig.AuthKey (string)
  The authentication key of the BGP routing protocol.
  Example: AuthKey****
AttachType (string)
  The type of resource that is associated with the IPsec-VPN connection. Valid values:
  • CEN: The IPsec-VPN connection is associated with a transit router of a Cloud Enterprise Network (CEN) instance.
  • NO_ASSOCIATED: The IPsec-VPN connection is not associated with any resource.
  • VPNGW: The IPsec-VPN connection is associated with a VPN gateway.
  Example: CEN

NetworkType (string)
  The network type of the IPsec-VPN connection. Valid values:
  • public
  • private
  Example: public

AttachInstanceId (string)
  The ID of the CEN instance to which the transit router belongs.
  Example: cen-lxxpbpalc776qz****

Spec (string)
  The bandwidth specification of the IPsec-VPN connection. Unit: Mbit/s.
  Example: 1000M

State (string)
  The association state of the IPsec-VPN connection. Valid values:
  • active: The IPsec-VPN connection is associated with a VPN gateway.
  • init: The IPsec-VPN connection is not associated with any resource and is being initialized.
  • attaching: The IPsec-VPN connection is being associated with a transit router.
  • attached: The IPsec-VPN connection is associated with a transit router.
  • detaching: The IPsec-VPN connection is being disassociated from a transit router.
  • financialLocked: The IPsec-VPN connection is locked due to overdue payments.
  • provisioning: The IPsec-VPN connection is being prepared.
  • updating: The IPsec-VPN connection is being updated.
  • Upgrading: The IPsec-VPN connection is being upgraded.
  • deleted: The IPsec-VPN connection is deleted.
  Example: attached

TransitRouterId (string)
  The ID of the transit router with which the IPsec-VPN connection is associated.
  Example: tr-p0we2edef9qr44a85****

TransitRouterName (string)
  The name of the transit router.
  Example: nametest

CrossAccountAuthorized (boolean)
  Indicates whether the IPsec-VPN connection is associated with a transit router that belongs to another Alibaba Cloud account. Valid values:
  • true
  • false
  Example: false

InternetIp (string)
  The gateway IP address of the IPsec-VPN connection.
  Note: This parameter is returned only if the IPsec-VPN connection is associated with a transit router.
  Example: 10.XX.XX.10

Tag (array<object>)
  The tags added to the IPsec-VPN connection. Each element has the following fields.

Tag[].Key (string)
  The tag key of the IPsec-VPN connection.
  Example: TagKey

Tag[].Value (string)
  The tag value of the IPsec-VPN connection.
  Example: TagValue
TunnelOptionsSpecification (array<object>)
  The tunnel configurations of the IPsec-VPN connection. Parameters in TunnelOptionsSpecification are returned only if you query IPsec-VPN connections in dual-tunnel mode. Each element describes one tunnel and has the following fields.

TunnelId (string)
  The tunnel ID.
  Example: tun-opsqc4d97wni27****

CustomerGatewayId (string)
  The ID of the customer gateway associated with the tunnel.
  Example: cgw-p0wy363lucf1uyae8****

EnableDpd (string)
  Indicates whether the DPD feature is enabled for the tunnel. Valid values:
  • false
  • true
  Example: true

EnableNatTraversal (string)
  Indicates whether NAT traversal is enabled for the tunnel. Valid values:
  • false
  • true
  Example: true

InternetIp (string)
  The tunnel IP address.
  Example: 47.21.XX.XX

RemoteCaCertificate (string)
  The CA certificate of the tunnel peer. This parameter is returned only if the VPN gateway is of the SM type.
  Example: -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----

Role (string)
  The tunnel role. Valid values:
  • master: The tunnel is an active tunnel.
  • slave: The tunnel is a standby tunnel.
  Example: master

State (string)
  The tunnel status. Valid values:
  • active
  • updating
  • deleting
  Example: active

Status (string)
  The state of the IPsec-VPN connection. Valid values:
  • ike_sa_not_established: Phase 1 negotiations failed.
  • ike_sa_established: Phase 1 negotiations succeeded.
  • ipsec_sa_not_established: Phase 2 negotiations failed.
  • ipsec_sa_established: Phase 2 negotiations succeeded.
  Example: ipsec_sa_established

TunnelBgpConfig (object)
  The BGP configurations.

TunnelBgpConfig.BgpStatus (string)
  The negotiation state of BGP. Valid values:
  • success
  • false
  Example: success

TunnelBgpConfig.LocalAsn (string)
  The ASN on the Alibaba Cloud side.
  Example: 65530

TunnelBgpConfig.LocalBgpIp (string)
  The BGP address on the Alibaba Cloud side.
  Example: 169.254.10.1

TunnelBgpConfig.PeerAsn (string)
  The ASN of the tunnel peer.
  Example: 65531

TunnelBgpConfig.PeerBgpIp (string)
  The BGP IP address of the tunnel peer.
  Example: 169.254.10.2

TunnelBgpConfig.TunnelCidr (string)
  The BGP CIDR block of the tunnel.
  Example: 169.254.10.0/30

TunnelIkeConfig (object)
  The configuration of Phase 1 negotiations.

TunnelIkeConfig.IkeAuthAlg (string)
  The authentication algorithm in the IKE phase.
  Example: sha1

TunnelIkeConfig.IkeEncAlg (string)
  The encryption algorithm in the IKE phase.
  Example: aes

TunnelIkeConfig.IkeLifetime (string)
  The lifetime in the IKE phase. Unit: seconds.
  Example: 86400

TunnelIkeConfig.IkeMode (string)
  The IKE negotiation mode. Valid values:
  • main: This mode offers higher security during negotiations.
  • aggressive: This mode is faster and has a higher success rate.
  Example: main

TunnelIkeConfig.IkePfs (string)
  The DH group in the IKE phase.
  Example: group2

TunnelIkeConfig.IkeVersion (string)
  The version of the IKE protocol.
  Example: ikev1

TunnelIkeConfig.LocalId (string)
  The identifier of the tunnel on the Alibaba Cloud side.
  Example: 47.21.XX.XX

TunnelIkeConfig.Psk (string)
  The pre-shared key.
  Example: 123456****

TunnelIkeConfig.RemoteId (string)
  The identifier of the tunnel peer.
  Example: 47.42.XX.XX

TunnelIpsecConfig (object)
  The configurations of Phase 2 negotiations.

TunnelIpsecConfig.IpsecAuthAlg (string)
  The authentication algorithm in the IPsec phase.
  Example: sha1

TunnelIpsecConfig.IpsecEncAlg (string)
  The encryption algorithm in the IPsec phase.
  Example: aes

TunnelIpsecConfig.IpsecLifetime (string)
  The lifetime in the IPsec phase. Unit: seconds.
  Example: 86400

TunnelIpsecConfig.IpsecPfs (string)
  The DH group in the IPsec phase.
  Example: group2

ZoneNo (string)
  The zone of the tunnel.
  Example: ap-southeast-5a

The remaining parameters belong to the IPsec-VPN connection itself, not to a tunnel.

EnableTunnelsBgp (boolean)
  Indicates whether BGP is enabled for the tunnel. Valid values:
  • true
  • false
  Example: true
ResourceGroupId (string)
  The ID of the resource group to which the IPsec-VPN connection belongs. You can call the ListResourceGroups operation to query the resource group information.
  Example: rg-acfmzs372yg****

Examples

Sample success responses

JSON format

{
  "PageSize": 10,
  "RequestId": "238752DC-0693-49BE-9C85-711D5691D3E5",
  "PageNumber": 1,
  "TotalCount": 2,
  "VpnConnections": {
    "VpnConnection": [
      {
        "Status": "ipsec_sa_established",
        "EnableNatTraversal": true,
        "RemoteCaCertificate": "-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----",
        "CreateTime": 1492753817000,
        "EffectImmediately": true,
        "VpnGatewayId": "vpn-bp1q8bgx4xnkm****",
        "LocalSubnet": "192.168.0.0/16,172.17.0.0/16",
        "VpnConnectionId": "vco-bp10lz7aejumd****",
        "RemoteSubnet": "10.0.0.0/8,172.16.0.0/16",
        "CustomerGatewayId": "cgw-bp1mvj4g9kogw****",
        "Name": "nametest",
        "EnableDpd": true,
        "IkeConfig": {
          "RemoteId": "139.17.XX.XX",
          "IkeLifetime": 86400,
          "IkeEncAlg": "aes",
          "LocalId": "116.64.XX.XX",
          "IkeMode": "main",
          "IkeVersion": "ikev1",
          "IkePfs": "group2",
          "Psk": "pgw6dy7****",
          "IkeAuthAlg": "sha1"
        },
        "IpsecConfig": {
          "IpsecAuthAlg": "sha1",
          "IpsecLifetime": 86400,
          "IpsecEncAlg": "aes",
          "IpsecPfs": "group2"
        },
        "VcoHealthCheck": {
          "Status": "success",
          "Dip": "192.168.0.1",
          "Interval": 2,
          "Retry": 3,
          "Sip": "192.168.0.50",
          "Enable": "true",
          "Policy": "revoke_route"
        },
        "VpnBgpConfig": {
          "Status": "success",
          "PeerBgpIp": "169.254.10.1",
          "TunnelCidr": "169.254.10.0/30",
          "LocalBgpIp": "169.254.10.2",
          "PeerAsn": 65530,
          "LocalAsn": 65531,
          "AuthKey": "AuthKey****"
        },
        "AttachType": "CEN",
        "NetworkType": "public",
        "AttachInstanceId": "cen-lxxpbpalc776qz****",
        "Spec": "1000M",
        "State": "attached",
        "TransitRouterId": "tr-p0we2edef9qr44a85****",
        "TransitRouterName": "nametest",
        "CrossAccountAuthorized": false,
        "InternetIp": "10.XX.XX.10",
        "Tag": {
          "Tag": [
            {
              "Key": "TagKey",
              "Value": "TagValue"
            }
          ]
        },
        "TunnelOptionsSpecification": {
          "TunnelOptions": [
            {
              "TunnelId": "tun-opsqc4d97wni27****",
              "CustomerGatewayId": "cgw-p0wy363lucf1uyae8****",
              "EnableDpd": "true",
              "EnableNatTraversal": "true",
              "InternetIp": "47.21.XX.XX",
              "RemoteCaCertificate": "-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE-----",
              "Role": "master",
              "State": "active",
              "Status": "ipsec_sa_established",
              "TunnelBgpConfig": {
                "BgpStatus": "success",
                "LocalAsn": "65530",
                "LocalBgpIp": "169.254.10.1",
                "PeerAsn": "65531",
                "PeerBgpIp": "169.254.10.2",
                "TunnelCidr": "169.254.10.0/30"
              },
              "TunnelIkeConfig": {
                "IkeAuthAlg": "sha1",
                "IkeEncAlg": "aes",
                "IkeLifetime": "86400",
                "IkeMode": "main",
                "IkePfs": "group2",
                "IkeVersion": "ikev1",
                "LocalId": "47.21.XX.XX",
                "Psk": "123456****",
                "RemoteId": "47.42.XX.XX"
              },
              "TunnelIpsecConfig": {
                "IpsecAuthAlg": "sha1",
                "IpsecEncAlg": "aes",
                "IpsecLifetime": "86400",
                "IpsecPfs": "group2"
              },
              "ZoneNo": "ap-southeast-5a"
            }
          ]
        },
        "EnableTunnelsBgp": true,
        "ResourceGroupId": "rg-acfmzs372yg****"
      }
    ]
  }
}
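As an added example that is not part of this API reference, the following Python audits one page of DescribeVpnConnections output for weak Phase 1 and Phase 2 settings (IKEv1, aggressive mode, SHA-1 and DH group 2 all appear in the sample response above), disabled DPD or health checks, and tunnels that are not established, and it handles the type difference between connection-level booleans and the string flags inside TunnelOptionsSpecification. The sample input is constructed from the response above; the weak-algorithm sets and the hardening thresholds are this example's own assumptions, not values documented by the API.

```python
import json

# Constructed sample input: the success response from this page, trimmed to the
# fields the audit reads. Key names are the documented response fields.
SAMPLE_RESPONSE = json.loads("""{
  "TotalCount": 1, "PageNumber": 1, "PageSize": 10,
  "VpnConnections": {"VpnConnection": [{
    "VpnConnectionId": "vco-bp10lz7aejumd****", "Status": "ipsec_sa_established",
    "EnableDpd": true, "VcoHealthCheck": {"Enable": "true"},
    "IkeConfig": {"IkeVersion": "ikev1", "IkeMode": "main", "IkeAuthAlg": "sha1", "IkePfs": "group2"},
    "IpsecConfig": {"IpsecAuthAlg": "sha1", "IpsecPfs": "group2"},
    "TunnelOptionsSpecification": {"TunnelOptions": [{
      "TunnelId": "tun-opsqc4d97wni27****", "Status": "ipsec_sa_established", "EnableDpd": "true",
      "TunnelIkeConfig": {"IkeVersion": "ikev1", "IkeMode": "main", "IkeAuthAlg": "sha1", "IkePfs": "group2"},
      "TunnelIpsecConfig": {"IpsecAuthAlg": "sha1", "IpsecPfs": "group2"}}]}}]}
}""")

WEAK_AUTH = {"md5", "sha1"}     # algorithm names as the API returns them (lowercase); assumed set
WEAK_DH = {"group1", "group2"}  # 768-bit and 1024-bit MODP groups; assumed set

def is_true(value):
    """Flags are JSON booleans at connection level but the string "true" inside
    TunnelOptionsSpecification (see the sample response); accept both forms."""
    return str(value).lower() == "true"

def audit_phase(ike, ipsec, label, findings):
    """Check one Phase 1 (IKE) and Phase 2 (IPsec) config pair."""
    if ike.get("IkeVersion") == "ikev1":
        findings.append(f"{label}: IKEv1 in use; IKEv2 is recommended")
    if ike.get("IkeMode") == "aggressive":
        findings.append(f"{label}: IKE aggressive mode; main mode is more secure")
    for key, cfg, weak in (("IkeAuthAlg", ike, WEAK_AUTH), ("IpsecAuthAlg", ipsec, WEAK_AUTH),
                           ("IkePfs", ike, WEAK_DH), ("IpsecPfs", ipsec, WEAK_DH)):
        if cfg.get(key) in weak:
            findings.append(f"{label}: weak {key}={cfg[key]}")

def audit_connections(response):
    """Return posture findings for every connection in one response page."""
    findings = []
    for conn in response["VpnConnections"]["VpnConnection"]:
        cid = conn["VpnConnectionId"]
        if conn.get("Status") != "ipsec_sa_established":
            findings.append(f"{cid}: tunnel not up (Status={conn.get('Status')})")
        if not is_true(conn.get("EnableDpd")):
            findings.append(f"{cid}: dead peer detection disabled")
        if not is_true(conn.get("VcoHealthCheck", {}).get("Enable")):
            findings.append(f"{cid}: health check disabled")
        audit_phase(conn.get("IkeConfig", {}), conn.get("IpsecConfig", {}), cid, findings)
        # Dual-tunnel connections carry per-tunnel settings; audit each tunnel too.
        for tun in conn.get("TunnelOptionsSpecification", {}).get("TunnelOptions", []):
            tid = f"{cid}/{tun['TunnelId']}"
            if tun.get("Status") != "ipsec_sa_established":
                findings.append(f"{tid}: tunnel not up (Status={tun.get('Status')})")
            audit_phase(tun.get("TunnelIkeConfig", {}), tun.get("TunnelIpsecConfig", {}),
                        tid, findings)
    return findings

def has_more_pages(response):
    """True when TotalCount exceeds the entries covered so far (PageSize max is 50)."""
    return response["PageNumber"] * response["PageSize"] < response["TotalCount"]
```

Run `audit_connections` on each page until `has_more_pages` returns False; the sample above yields ten findings, five for the connection and five for its single tunnel.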

Error codes

Each entry lists the HTTP status code and error code, followed by the error message and its description.

400 Forbidden.TagKey.Duplicated
  Error message: The specified tag key already exists.
  Description: The tag resources are duplicate.

400 SizeLimitExceeded.TagNum
  Error message: The maximum number of tags is exceeded.
  Description: The number of tags has reached the upper limit.

400 InvalidParameter.TagValue
  Error message: The specified parameter TagValue is invalid.
  Description: The error message returned because the specified tag value is invalid.

400 InvalidParameter.TagKey
  Error message: The specified parameter TagKey is invalid.
  Description: The error message returned because the specified tag key is invalid.

400 Duplicated.TagKey
  Error message: The specified parameter TagKey is duplicated.
  Description: The error message returned because the specified tag key already exists.

403 Forbbiden.SubUser
  Error message: User not authorized to operate on the specified resource as your account is created by another user.
  Description: You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again.

403 Forbidden
  Error message: User not authorized to operate on the specified resource.
  Description: You do not have the permissions to manage the specified resource. Apply for the permissions and try again.

For a list of error codes, visit the Service error codes.

Change history

Each entry lists the change time followed by a summary of the changes.

2023-10-19: The error codes have changed. The request parameters of the API have changed. The response structure of the API has changed.
2023-08-01: API description updated. The error codes have changed. The response structure of the API has changed.
2023-06-30: The error codes have changed. The response structure of the API has changed.
2023-06-13: The error codes have changed. The response structure of the API has changed.
2023-05-04: The error codes have changed.