Queries IPsec-VPN connections.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeVpnConnections

The operation that you want to perform. Set the value to DescribeVpnConnections.

RegionId String Yes cn-hangzhou

The ID of the region where the IPsec-VPN connection is established.

You can call the DescribeRegions operation to query the most recent region list.

VpnGatewayId String No vpn-bp1q8bgx4xnkx****

The ID of the VPN gateway.

CustomerGatewayId String No cgw-bp1mvj4g9kogw****

The ID of the customer gateway.

PageNumber Integer No 1

The number of the page to return. Default value: 1.

PageSize Integer No 10

The number of entries to return on each page. Default value: 10. Valid values: 1 to 50.

VpnConnectionId String No vco-bp15oes1py4i6****

The ID of the IPsec-VPN connection.

Response parameters

Parameter Type Example Description
PageSize Integer 10

The number of entries returned per page.

RequestId String 238752DC-0693-49BE-9C85-711D5691D3E5

The ID of the request.

PageNumber Integer 1

The page number of the returned page.

TotalCount Integer 2

The total number of entries returned.

VpnConnections Array of VpnConnection

The list of IPsec-VPN connections.

VpnConnection
Status String ipsec_sa_established

The status of the IPsec-VPN connection. Valid values:

  • ike_sa_not_established: Phase 1 negotiations failed.
  • ike_sa_established: Phase 1 negotiations were successful.
  • ipsec_sa_not_established: Phase 2 negotiations failed.
  • ipsec_sa_established: Phase 2 negotiations were successful.

EnableNatTraversal Boolean true

Indicates whether NAT traversal is enabled. Valid values:

  • true: NAT traversal is enabled.

    After NAT traversal is enabled, the initiator does not check the UDP ports during IKE negotiations and can automatically discover NAT gateway devices along the VPN tunnel.

  • false: NAT traversal is disabled.

RemoteCaCertificate String -----BEGIN CERTIFICATE----- MIIB7zCCAZW****

The CA certificate of the peer.

CreateTime Long 1492753817000

The timestamp generated when the IPsec-VPN connection was established.

EffectImmediately Boolean true

Indicates whether the connection immediately takes effect. Valid values:

  • true: Negotiations are reinitiated when the configuration is changed.
  • false: Negotiations are reinitiated when traffic is detected. When negotiations are reinitiated, transient connections may occur.

VpnGatewayId String vpn-bp1q8bgx4xnkm****

The ID of the VPN gateway.

LocalSubnet String 192.168.0.0/16,172.17.0.0/16

The CIDR block on the VPC side.

CIDR blocks are separated with commas (,).

VpnConnectionId String vco-bp10lz7aejumd****

The ID of the IPsec-VPN connection.

RemoteSubnet String 10.0.0.0/8,172.16.0.0/16

The CIDR block of the data center.

CIDR blocks are separated with commas (,).

CustomerGatewayId String cgw-bp1mvj4g9kogw****

The ID of the customer gateway.

Name String nametest

The name of the IPsec-VPN connection.

EnableDpd Boolean true

Indicates whether dead peer detection (DPD) is enabled. Valid values:

  • true: DPD is enabled.

    The initiator of the IPsec-VPN connection sends DPD packets to verify the existence and availability of the peer. If no feedback is received from the peer within a specified period of time, the connection fails, and the ISAKMP SA, the IPsec SA, and the security tunnel are deleted.

  • false: DPD is disabled. The IPsec initiator does not send DPD packets.

IkeConfig Object

The configurations of Phase 1 negotiations.

RemoteId String 139.17.XX.XX

The identifier of the peer. The default value is the IP address of the VPN gateway. The value can be a fully qualified domain name (FQDN) or an IP address.

IkeLifetime Long 86400

The IKE lifetime. Unit: seconds.

IkeEncAlg String aes

The IKE encryption algorithm.

LocalId String 116.64.XX.XX

The identifier of the local side. The default value is the IP address of the VPN gateway. The value can be an FQDN or an IP address.

IkeMode String main

The IKE negotiation mode.

IkeVersion String ikev1

The version of the IKE protocol.

IkePfs String group2

The DH group.

Psk String pgw6dy7****

The pre-shared key.

IkeAuthAlg String sha1

The IKE authentication algorithm.

IpsecConfig Object

The configuration of Phase 2 negotiations.

IpsecAuthAlg String sha1

The IPsec authentication algorithm.

IpsecLifetime Long 86400

The IPsec lifetime. Unit: seconds.

IpsecEncAlg String aes

The IPsec encryption algorithm.

IpsecPfs String group2

The DH group.

VcoHealthCheck Object

The health check configurations.

Status String success

The status of the health check. Valid values:

  • failed: abnormal
  • success: normal

Dip String 192.168.0.1

The destination IP address.

Interval Integer 2

The interval between two consecutive health checks. Unit: seconds.

Retry Integer 3

The maximum number of health check retries.

Sip String 192.168.0.50

The source IP address.

Enable String true

Indicates whether health checks are enabled. Valid values:

  • true: enabled
  • false: disabled

VpnBgpConfig Object

The configurations of the BGP routing protocol.

Status String success

The negotiation status of the BGP routing protocol. Valid values:

  • success: normal
  • false: abnormal

PeerBgpIp String 169.30.XX.XX

The BGP IP address of the peer.

TunnelCidr String 169.254.10.0/30

The CIDR block of the IPsec tunnel. The CIDR block belongs to 169.254.0.0/16. The mask of the CIDR block is 30 bits in length.

LocalBgpIp String 169.32.XX.XX

The BGP IP address on the Alibaba Cloud side.

PeerAsn Long 6***1

The autonomous system number (ASN) of the peer.

LocalAsn Long 45104

The ASN on the Alibaba Cloud side.

AuthKey String AuthKey****

The authentication key of the BGP routing protocol.

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeVpnConnections
&RegionId=cn-hangzhou
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<DescribeVpnConnectionsResponse>
    <PageSize>10</PageSize>
    <RequestId>238752DC-0693-49BE-9C85-711D5691D3E5</RequestId>
    <PageNumber>1</PageNumber>
    <TotalCount>2</TotalCount>
    <VpnConnections>
        <Status>ipsec_sa_established</Status>
        <EnableNatTraversal>true</EnableNatTraversal>
        <RemoteCaCertificate>-----BEGIN CERTIFICATE----- MIIB7zCCAZW****</RemoteCaCertificate>
        <CreateTime>1492753817000</CreateTime>
        <EffectImmediately>true</EffectImmediately>
        <VpnGatewayId>vpn-bp1q8bgx4xnkm****</VpnGatewayId>
        <LocalSubnet>192.168.0.0/16,172.17.0.0/16</LocalSubnet>
        <VpnConnectionId>vco-bp10lz7aejumd****</VpnConnectionId>
        <RemoteSubnet>10.0.0.0/8,172.16.0.0/16</RemoteSubnet>
        <CustomerGatewayId>cgw-bp1mvj4g9kogw****</CustomerGatewayId>
        <Name>nametest</Name>
        <EnableDpd>true</EnableDpd>
        <IkeConfig>
            <RemoteId>139.17.XX.XX</RemoteId>
            <IkeLifetime>86400</IkeLifetime>
            <IkeEncAlg>aes</IkeEncAlg>
            <LocalId>116.64.XX.XX</LocalId>
            <IkeMode>main</IkeMode>
            <IkeVersion>ikev1</IkeVersion>
            <IkePfs>group2</IkePfs>
            <Psk>pgw6dy7****</Psk>
            <IkeAuthAlg>sha1</IkeAuthAlg>
        </IkeConfig>
        <IpsecConfig>
            <IpsecAuthAlg>sha1</IpsecAuthAlg>
            <IpsecLifetime>86400</IpsecLifetime>
            <IpsecEncAlg>aes</IpsecEncAlg>
            <IpsecPfs>group2</IpsecPfs>
        </IpsecConfig>
        <VcoHealthCheck>
            <Status>success</Status>
            <Dip>192.168.0.1</Dip>
            <Interval>2</Interval>
            <Retry>3</Retry>
            <Sip>192.168.0.50</Sip>
            <Enable>true</Enable>
        </VcoHealthCheck>
        <VpnBgpConfig>
            <Status>success</Status>
            <PeerBgpIp>169.30.XX.XX</PeerBgpIp>
            <TunnelCidr>169.254.10.0/30</TunnelCidr>
            <LocalBgpIp>169.32.XX.XX</LocalBgpIp>
            <PeerAsn>6***1</PeerAsn>
            <LocalAsn>45104</LocalAsn>
            <AuthKey>AuthKey****</AuthKey>
        </VpnBgpConfig>
    </VpnConnections>
</DescribeVpnConnectionsResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "PageSize" : 10,
  "RequestId" : "238752DC-0693-49BE-9C85-711D5691D3E5",
  "PageNumber" : 1,
  "TotalCount" : 2,
  "VpnConnections" : [ {
    "Status" : "ipsec_sa_established",
    "EnableNatTraversal" : true,
    "RemoteCaCertificate" : "-----BEGIN CERTIFICATE----- MIIB7zCCAZW****",
    "CreateTime" : 1492753817000,
    "EffectImmediately" : true,
    "VpnGatewayId" : "vpn-bp1q8bgx4xnkm****",
    "LocalSubnet" : "192.168.0.0/16,172.17.0.0/16",
    "VpnConnectionId" : "vco-bp10lz7aejumd****",
    "RemoteSubnet" : "10.0.0.0/8,172.16.0.0/16",
    "CustomerGatewayId" : "cgw-bp1mvj4g9kogw****",
    "Name" : "nametest",
    "EnableDpd" : true,
    "IkeConfig" : {
      "RemoteId" : "139.17.XX.XX",
      "IkeLifetime" : 86400,
      "IkeEncAlg" : "aes",
      "LocalId" : "116.64.XX.XX",
      "IkeMode" : "main",
      "IkeVersion" : "ikev1",
      "IkePfs" : "group2",
      "Psk" : "pgw6dy7****",
      "IkeAuthAlg" : "sha1"
    },
    "IpsecConfig" : {
      "IpsecAuthAlg" : "sha1",
      "IpsecLifetime" : 86400,
      "IpsecEncAlg" : "aes",
      "IpsecPfs" : "group2"
    },
    "VcoHealthCheck" : {
      "Status" : "success",
      "Dip" : "192.168.0.1",
      "Interval" : 2,
      "Retry" : 3,
      "Sip" : "192.168.0.50",
      "Enable" : "true"
    },
    "VpnBgpConfig" : {
      "Status" : "success",
      "PeerBgpIp" : "169.30.XX.XX",
      "TunnelCidr" : "169.254.10.0/30",
      "LocalBgpIp" : "169.32.XX.XX",
      "PeerAsn" : "6***1",
      "LocalAsn" : 45104,
      "AuthKey" : "AuthKey****"
    }
  } ]
}
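
The response above returns Psk and AuthKey next to the negotiated algorithms, so a script that consumes it should redact those fields before logging and can flag legacy settings in the same pass. The following Python is an added example, not Alibaba Cloud sample code; the LEGACY policy table, the helper names (redact, audit, has_more_pages) and the SAMPLE data are assumptions of this example.

```python
SECRET_FIELDS = {"Psk", "AuthKey"}  # both are returned in the response body
# Assumed policy (not from the API reference): sample values treated as legacy.
LEGACY = {
    ("IkeConfig", "IkeVersion"): {"ikev1"},
    ("IkeConfig", "IkeAuthAlg"): {"sha1"},
    ("IkeConfig", "IkePfs"): {"group2"},
    ("IpsecConfig", "IpsecAuthAlg"): {"sha1"},
    ("IpsecConfig", "IpsecPfs"): {"group2"},
}

def redact(obj):
    """Return a copy with Psk/AuthKey values replaced, safe to log or store."""
    if isinstance(obj, dict):
        return {k: "<redacted>" if k in SECRET_FIELDS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

def audit(response):
    """Return (VpnConnectionId, finding) pairs for one response page."""
    findings = []
    for conn in response.get("VpnConnections", []):
        cid = conn.get("VpnConnectionId", "<unknown>")
        if conn.get("Status") != "ipsec_sa_established":
            findings.append((cid, f"Status={conn.get('Status')}"))
        for (section, field), legacy in LEGACY.items():
            value = conn.get(section, {}).get(field)
            if value in legacy:
                findings.append((cid, f"{section}.{field}={value}"))
    return findings

def has_more_pages(response):
    """True when TotalCount exceeds the entries covered up to this page."""
    return response["PageNumber"] * response["PageSize"] < response["TotalCount"]

# Constructed sample, modelled on the page's JSON response (all values fake).
SAMPLE = {
    "PageSize": 1, "PageNumber": 1, "TotalCount": 2,
    "VpnConnections": [{
        "VpnConnectionId": "vco-example0001", "Status": "ike_sa_established",
        "IkeConfig": {"IkeVersion": "ikev1", "IkeAuthAlg": "sha1",
                      "IkePfs": "group2", "Psk": "constructed-psk"},
        "IpsecConfig": {"IpsecAuthAlg": "sha256", "IpsecPfs": "group14"},
        "VpnBgpConfig": {"AuthKey": "constructed-key"},
    }],
}
```

Run audit() on every page while has_more_pages() is true, and pass only redact(response) to loggers or ticketing systems.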

Error codes

HttpCode | Error code | Error message | Description
403 | Forbbiden.SubUser | User not authorized to operate on the specified resource as your account is created by another user. | The error message returned because you are unauthorized to perform this operation on the specified resource. Apply for the required permissions and try again.
403 | Forbidden | User not authorized to operate on the specified resource. | The error message returned because you are unauthorized to perform this operation on the specified resource. Apply for the required permissions and try again.

For a list of error codes, visit the API Error Center.