Queries IPsec-VPN connections.
Request parameters
Parameter | Type | Required | Example | Description |
Action | String | Yes | DescribeVpnConnections | The operation that you want to perform. Set the value to DescribeVpnConnections. |
RegionId | String | Yes | cn-hangzhou | The ID of the region where the IPsec-VPN connection is created. You can call the DescribeRegions operation to query the most recent region list. |
VpnGatewayId | String | No | vpn-bp1q8bgx4xnkx**** | The ID of the VPN gateway. |
CustomerGatewayId | String | No | cgw-bp1mvj4g9kogw**** | The ID of the customer gateway. |
PageNumber | Integer | No | 1 | The number of the page to return. Default value: 1. |
PageSize | Integer | No | 10 | The number of entries per page. Default value: 10. Valid values: 1 to 50. |
VpnConnectionId | String | No | vco-bp10lz7aejumd**** | The ID of the IPsec-VPN connection. |
Tag.N.Key | String | No | TagKey | The key of tag N to add to the resource. The tag key cannot be an empty string. It can be up to 64 characters in length, and cannot contain You can specify at most 20 tag keys in each call. |
Tag.N.Value | String | No | TagValue | The value of tag N to add to the resource. The tag value can be an empty string. The tag value can be up to 128 characters in length and cannot contain Each tag key corresponds to one tag value. You can specify up to 20 tag values in each call. |
Response parameters
Parameter | Type | Example | Description |
PageSize | Integer | 10 | The number of entries per page. |
RequestId | String | 238752DC-0693-49BE-9C85-711D5691D3E5 | The request ID. |
PageNumber | Integer | 1 | The number of the returned page. |
TotalCount | Integer | 2 | The total number of entries returned. |
VpnConnections | Array of VpnConnection | The information about the IPsec-VPN connection. |
|
VpnConnection | |||
Status | String | ipsec_sa_established | The status of the IPsec-VPN connection. Valid values:
|
EnableNatTraversal | Boolean | true | Indicates whether NAT traversal is enabled for the IPsec-VPN connection. Valid values:
|
RemoteCaCertificate | String | -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE----- | The CA certificate of the peer. |
CreateTime | Long | 1492753817000 | The timestamp that indicates the time when the IPsec-VPN connection was established. Unit: milliseconds. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since the epoch time January 1, 1970, 00:00:00 UTC. |
EffectImmediately | Boolean | true | Indicates whether IPsec negotiations start immediately.
|
VpnGatewayId | String | vpn-bp1q8bgx4xnkm**** | The ID of the VPN gateway. |
LocalSubnet | String | 192.168.0.0/16,172.17.0.0/16 | The CIDR block on the Alibaba Cloud side. CIDR blocks are separated by commas (,). |
VpnConnectionId | String | vco-bp10lz7aejumd**** | The ID of the IPsec-VPN connection. |
RemoteSubnet | String | 10.0.0.0/8,172.16.0.0/16 | The CIDR block on the data center side. CIDR blocks are separated by commas (,). |
CustomerGatewayId | String | cgw-bp1mvj4g9kogw**** | The ID of the customer gateway associated with the IPsec-VPN connection. |
Name | String | nametest | The name of the IPsec-VPN connection. |
EnableDpd | Boolean | true | Indicates whether dead peer detection (DPD) is enabled for the IPsec-VPN connection. Valid values:
|
IkeConfig | Object | The configuration of Phase 1 negotiations. |
|
RemoteId | String | 139.17.XX.XX | The identifier on the Alibaba Cloud side. |
IkeLifetime | Long | 86400 | The lifetime in the IKE phase. Unit: seconds. |
IkeEncAlg | String | aes | The encryption algorithm in the IKE phase. |
LocalId | String | 116.64.XX.XX | The identifier on the data center side. |
IkeMode | String | main | The IKE negotiation mode.
|
IkeVersion | String | ikev1 | The IKE version.
Compared with IKEv1, IKEv2 simplifies the SA negotiation process and is more suitable for scenarios in which multiple CIDR blocks are used. |
IkePfs | String | group2 | The DH group in the IKE phase. |
Psk | String | pgw6dy7**** | The pre-shared key. |
IkeAuthAlg | String | sha1 | The authentication algorithm in the IKE phase. |
IpsecConfig | Object | The configuration of Phase 2 negotiations. |
|
IpsecAuthAlg | String | sha1 | The authentication algorithm in the IPsec phase. |
IpsecLifetime | Long | 86400 | The lifetime in the IPsec phase. Unit: seconds. |
IpsecEncAlg | String | aes | The encryption algorithm in the IPsec phase. |
IpsecPfs | String | group2 | The DH group in the IPsec phase. |
VcoHealthCheck | Object | The health check configuration of the IPsec-VPN connection. |
|
Status | String | success | The status of the health check.
|
Dip | String | 192.168.0.1 | The destination IP address. |
Interval | Integer | 2 | The interval between two consecutive health checks. Unit: seconds. |
Retry | Integer | 3 | The maximum number of health check retries. |
Sip | String | 192.168.0.50 | The source IP address. |
Enable | String | true | Indicates whether health checks are enabled. Valid values:
|
Policy | String | revoke_route | Indicates whether advertised routes are withdrawn when the health check fails. Valid values:
|
VpnBgpConfig | Object | The BGP configuration of the IPsec-VPN connection. |
|
Status | String | success | The negotiation status of the BGP routing protocol. Valid values:
|
PeerBgpIp | String | 169.254.10.1 | The BGP IP address of the peer. |
TunnelCidr | String | 169.254.10.0/30 | The BGP CIDR block of the IPsec-VPN connection. The CIDR block falls within 169.254.0.0/16. The mask of the CIDR block is 30 bits in length. |
LocalBgpIp | String | 169.254.10.2 | The BGP IP address on the Alibaba Cloud side. |
PeerAsn | Long | 65530 | The autonomous system number (ASN) of the peer. |
LocalAsn | Long | 65531 | The ASN on the Alibaba Cloud side. |
AuthKey | String | AuthKey**** | The authentication key of the BGP routing protocol. |
AttachType | String | CEN | The type of resource that is associated with the IPsec-VPN connection. Valid values:
|
NetworkType | String | public | The network type of the IPsec-VPN connection. Valid values:
|
AttachInstanceId | String | cen-lxxpbpalc776qz**** | The ID of the CEN instance to which the transit router belongs. |
Spec | String | 1000M | The bandwidth specification of the IPsec-VPN connection. Unit: Mbit/s. |
State | String | attached | The association status of the IPsec-VPN connection. Valid values:
|
TransitRouterId | String | tr-p0we2edef9qr44a85**** | The ID of the transit router with which the IPsec-VPN connection is associated. |
TransitRouterName | String | nametest | The name of the transit router. |
CrossAccountAuthorized | Boolean | false | Indicates whether the IPsec-VPN connection is associated with a transit router that belongs to another Alibaba Cloud account. Valid values:
|
InternetIp | String | 10.XX.XX.10 | The gateway IP address of the IPsec-VPN connection. Note: This parameter is returned only when the IPsec-VPN connection is associated with a transit router. |
Tag | Array of Tag | The list of tags added to the IPsec-VPN connection. |
|
Tag | |||
Key | String | TagKey | The key of tag N. |
Value | String | TagValue | The value of tag N. |
TunnelOptionsSpecification | Array of TunnelOptions | The tunnel configuration of the IPsec-VPN connection. Parameters in TunnelOptionsSpecification are returned only if you query IPsec-VPN connections in dual-tunnel mode. |
|
TunnelOptions | |||
TunnelId | String | tun-opsqc4d97wni27**** | The tunnel ID. |
CustomerGatewayId | String | cgw-p0wy363lucf1uyae8**** | The ID of the customer gateway associated with the tunnel. |
EnableDpd | String | true | Indicates whether DPD is enabled for the tunnel. Valid values:
|
EnableNatTraversal | String | true | Indicates whether NAT traversal is enabled for the tunnel. Valid values:
|
InternetIp | String | 47.21.XX.XX | The tunnel IP address. |
RemoteCaCertificate | String | -----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE----- | The CA certificate of the tunnel peer. This parameter is returned only if the VPN gateway is of the ShangMi (SM) type. |
Role | String | master | The tunnel role. Valid values:
|
State | String | active | The tunnel status. Valid values:
|
Status | String | ipsec_sa_established | The status of the IPsec-VPN connection. Valid values:
|
TunnelBgpConfig | Object | The BGP configuration. |
|
BgpStatus | String | success | The negotiation status of BGP. Valid values:
|
LocalAsn | String | 65530 | The ASN on the Alibaba Cloud side. |
LocalBgpIp | String | 169.254.10.1 | The BGP IP address on the Alibaba Cloud side. |
PeerAsn | String | 65531 | The peer ASN. |
PeerBgpIp | String | 169.254.10.2 | The peer BGP IP address. |
TunnelCidr | String | 169.254.10.0/30 | The BGP CIDR block of the tunnel. |
TunnelIkeConfig | Object | The configuration of Phase 1 negotiations. |
|
IkeAuthAlg | String | sha1 | The authentication algorithm in the IKE phase. |
IkeEncAlg | String | aes | The encryption algorithm in the IKE phase. |
IkeLifetime | String | 86400 | The lifetime in the IKE phase. Unit: seconds. |
IkeMode | String | main | The IKE negotiation mode.
|
IkePfs | String | group2 | The DH group in the IKE phase. |
IkeVersion | String | ikev1 | The IKE version. |
LocalId | String | 47.21.XX.XX | The identifier on the Alibaba Cloud side. |
Psk | String | 123456**** | The pre-shared key. |
RemoteId | String | 47.42.XX.XX | The peer identifier. |
TunnelIpsecConfig | Object | The configuration of Phase 2 negotiations. |
|
IpsecAuthAlg | String | sha1 | The authentication algorithm in the IPsec phase. |
IpsecEncAlg | String | aes | The encryption algorithm in the IPsec phase. |
IpsecLifetime | String | 86400 | The lifetime in the IPsec phase. Unit: seconds. |
IpsecPfs | String | group2 | The DH group in the IPsec phase. |
ZoneNo | String | ap-southeast-5a | The zone of the tunnel. |
EnableTunnelsBgp | Boolean | true | The BGP status of the tunnel. Valid values:
|
Examples
Sample requests
http(s)://[Endpoint]/?Action=DescribeVpnConnections
&RegionId=cn-hangzhou
&VpnGatewayId=vpn-bp1q8bgx4xnkx****
&CustomerGatewayId=cgw-bp1mvj4g9kogw****
&PageNumber=1
&PageSize=10
&VpnConnectionId=vco-bp10lz7aejumd****
&Tag=[{"Key":"TagKey","Value":"TagValue"}]
&Common request parameters
Sample success responses
XML format
HTTP/1.1 200 OK
Content-Type:application/xml
<DescribeVpnConnectionsResponse>
<PageSize>10</PageSize>
<RequestId>238752DC-0693-49BE-9C85-711D5691D3E5</RequestId>
<PageNumber>1</PageNumber>
<TotalCount>2</TotalCount>
<VpnConnections>
<Status>ipsec_sa_established</Status>
<EnableNatTraversal>true</EnableNatTraversal>
<RemoteCaCertificate>-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE----- </RemoteCaCertificate>
<CreateTime>1492753817000</CreateTime>
<EffectImmediately>true</EffectImmediately>
<VpnGatewayId>vpn-bp1q8bgx4xnkm****</VpnGatewayId>
<State>active</State>
<LocalSubnet>192.168.0.0/16,172.17.0.0/16</LocalSubnet>
<VpnConnectionId>vco-bp10lz7aejumd****</VpnConnectionId>
<RemoteSubnet>10.0.0.0/8,172.16.0.0/16</RemoteSubnet>
<CustomerGatewayId>cgw-bp1mvj4g9kogw****</CustomerGatewayId>
<Name>nametest</Name>
<EnableDpd>true</EnableDpd>
<IkeConfig>
<RemoteId>139.17.XX.XX</RemoteId>
<IkeLifetime>86400</IkeLifetime>
<IkeEncAlg>aes</IkeEncAlg>
<LocalId>116.64.XX.XX</LocalId>
<IkeMode>main</IkeMode>
<IkeVersion>ikev1</IkeVersion>
<IkePfs>group2</IkePfs>
<Psk>pgw6dy7****</Psk>
<IkeAuthAlg>sha1</IkeAuthAlg>
</IkeConfig>
<IpsecConfig>
<IpsecAuthAlg>sha1</IpsecAuthAlg>
<IpsecLifetime>86400</IpsecLifetime>
<IpsecEncAlg>aes</IpsecEncAlg>
<IpsecPfs>group2</IpsecPfs>
</IpsecConfig>
<VcoHealthCheck>
<Status>success</Status>
<Dip>192.168.0.1</Dip>
<Interval>2</Interval>
<Retry>3</Retry>
<Sip>192.168.0.50</Sip>
<Enable>true</Enable>
</VcoHealthCheck>
<VpnBgpConfig>
<Status>success</Status>
<PeerBgpIp>169.254.10.1</PeerBgpIp>
<TunnelCidr>169.254.10.0/30</TunnelCidr>
<LocalBgpIp>169.254.10.2</LocalBgpIp>
<PeerAsn>65530</PeerAsn>
<LocalAsn>65531</LocalAsn>
<AuthKey>AuthKey****</AuthKey>
</VpnBgpConfig>
<Tag>
<Key>TagKey</Key>
<Value>TagValue</Value>
</Tag>
</VpnConnections>
</DescribeVpnConnectionsResponse>
JSON format
HTTP/1.1 200 OK
Content-Type:application/json
{
"PageSize" : 10,
"RequestId" : "238752DC-0693-49BE-9C85-711D5691D3E5",
"PageNumber" : 1,
"TotalCount" : 2,
"VpnConnections" : [ {
"Status" : "ipsec_sa_established",
"EnableNatTraversal" : true,
"RemoteCaCertificate" : "-----BEGIN CERTIFICATE----- MIIB7zCCAZW**** -----END CERTIFICATE----- ",
"CreateTime" : 1492753817000,
"EffectImmediately" : true,
"VpnGatewayId" : "vpn-bp1q8bgx4xnkm****",
"State" : "active",
"LocalSubnet" : "192.168.0.0/16,172.17.0.0/16",
"VpnConnectionId" : "vco-bp10lz7aejumd****",
"RemoteSubnet" : "10.0.0.0/8,172.16.0.0/16",
"CustomerGatewayId" : "cgw-bp1mvj4g9kogw****",
"Name" : "nametest",
"EnableDpd" : true,
"IkeConfig" : {
"RemoteId" : "139.17.XX.XX",
"IkeLifetime" : 86400,
"IkeEncAlg" : "aes",
"LocalId" : "116.64.XX.XX",
"IkeMode" : "main",
"IkeVersion" : "ikev1",
"IkePfs" : "group2",
"Psk" : "pgw6dy7****",
"IkeAuthAlg" : "sha1"
},
"IpsecConfig" : {
"IpsecAuthAlg" : "sha1",
"IpsecLifetime" : 86400,
"IpsecEncAlg" : "aes",
"IpsecPfs" : "group2"
},
"VcoHealthCheck" : {
"Status" : "success",
"Dip" : "192.168.0.1",
"Interval" : 2,
"Retry" : 3,
"Sip" : "192.168.0.50",
"Enable" : "true"
},
"VpnBgpConfig" : {
"Status" : "success",
"PeerBgpIp" : "169.254.10.1",
"TunnelCidr" : "169.254.10.0/30",
"LocalBgpIp" : "169.254.10.2",
"PeerAsn" : "65530",
"LocalAsn" : 65531,
"AuthKey" : "AuthKey****"
},
"Tag" : [ {
"Key" : "TagKey",
"Value" : "TagValue"
} ]
} ]
}
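An added example, not part of the Alibaba Cloud reference: the response returns Psk and AuthKey next to the negotiated algorithms, so a consumer of this API would mask those fields before logging and compare the Phase 1 and Phase 2 settings against a baseline. The baseline in WEAK is an assumed auditor policy (it includes values that do not appear on this page), the function names are hypothetical, and TunnelOptionsSpecification is assumed to be a plain JSON array like VpnConnections in the sample above.

```python
import json

# Assumed auditor baseline (not from the API reference): values flagged for review.
WEAK = {
    "IkeVersion": {"ikev1"},
    "IkeMode": {"aggressive"},
    "IkeAuthAlg": {"md5", "sha1"},
    "IpsecAuthAlg": {"md5", "sha1"},
    "IkeEncAlg": {"des", "3des"},
    "IpsecEncAlg": {"des", "3des"},
    "IkePfs": {"group1", "group2", "group5"},
    "IpsecPfs": {"disabled", "group1", "group2", "group5"},
}
SECRET_FIELDS = {"Psk", "AuthKey"}  # secrets returned in the response body

def redact(node):
    """Return a copy of the response with Psk/AuthKey masked, safe to log."""
    if isinstance(node, dict):
        return {k: "<redacted>" if k in SECRET_FIELDS else redact(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node

def audit(response):
    """Return (connection id, scope, field, value) for each flagged setting."""
    findings = []
    for vco in response.get("VpnConnections", []):
        vid = vco.get("VpnConnectionId", "?")
        scopes = [("connection", vco.get("IkeConfig", {}), vco.get("IpsecConfig", {}))]
        # Dual-tunnel mode: each tunnel carries its own Phase 1/2 settings.
        for tun in vco.get("TunnelOptionsSpecification", []):
            scopes.append((tun.get("TunnelId", "tunnel"),
                           tun.get("TunnelIkeConfig", {}),
                           tun.get("TunnelIpsecConfig", {})))
        for scope, ike, ipsec in scopes:
            for field, value in {**ike, **ipsec}.items():
                if str(value).lower() in WEAK.get(field, ()):
                    findings.append((vid, scope, field, value))
    return findings

# Constructed sample, trimmed from the JSON response shown above.
SAMPLE = json.loads("""{"VpnConnections": [{
  "VpnConnectionId": "vco-bp10lz7aejumd****",
  "IkeConfig": {"IkeVersion": "ikev1", "IkeMode": "main", "IkeEncAlg": "aes",
                "IkeAuthAlg": "sha1", "IkePfs": "group2", "Psk": "pgw6dy7****"},
  "IpsecConfig": {"IpsecAuthAlg": "sha1", "IpsecEncAlg": "aes", "IpsecPfs": "group2"},
  "VpnBgpConfig": {"AuthKey": "AuthKey****", "LocalAsn": 65531}}]}""")
```

Calling audit(SAMPLE) flags the sample's ikev1, sha1 and group2 settings, and redact(SAMPLE) is the form to write to logs or tickets.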
Error codes
HttpCode | Error code | Error message | Description |
400 | Forbidden.TagKey.Duplicated | The specified tag key already exists. | The tag resources are duplicate. |
400 | SizeLimitExceeded.TagNum | The maximum number of tags is exceeded. | The number of tags has reached the upper limit. |
400 | InvalidParameter.TagValue | The specified parameter TagValue is invalid. | The tag value is invalid. |
400 | InvalidParameter.TagKey | The specified parameter TagKey is invalid. | The tag key is invalid. |
400 | Duplicated.TagKey | The specified parameter TagKey is duplicated. | The tag key already exists. |
403 | Forbbiden.SubUser | User not authorized to operate on the specified resource as your account is created by another user. | You are unauthorized to perform this operation on the specified resource. You can apply for the required permissions and try again. |
403 | Forbidden | User not authorized to operate on the specified resource. | You are unauthorized to perform this operation on the specified resource. Acquire the required permissions and try again. |
For a list of error codes, see Service error codes.