Virtualizing Vyatta on the cloud

Vyatta is the underdog in the great world of routing. For long, corporations have been tied down on expensive and proprietary hardware. With Vyatta, it runs on standard x86 hardware and can accomplish what a Cisco router can, and attain better performance without the bloated cost.

OK, enough of the sales pitch (they aren’t paying me for this).


Vyatta, is an operating system, which has been built on top of Debian (Lenny for the most recent). Much of the linux commands can still be used, once out of Vyatta mode. When setting up Vyatta on your machine, you generally need the boot disk. In the hosted environment industry, you generally do not see Vyatta from the options of OS to choose from during instance creation.

If I could simply do a [yum install vyatta] or [aptitude install vyatta], I wouldn’t be sweating this bit at all. This posed somewhat of a problem. To my luck, Robert from Vyatta has posted an image of Vyatta for the Amazon EC2.

(don’t forget to choose the AKI and ARI during instance creation)

AMI: ami-c5e502ac
AKI: aki-a88d6ac1
ARI: ari-a98d6ac0

The overall setup here is quite different than the Windows/Dynamips/Cisco setup I tried in the previous post.

Vyatta Router on a Virtualized Environment


I’ve worked with Vyatta before. Basic configurations were quick to get into. They also provide you with documentation that includes configuration steps. Getting VPN going was also quick.

VPN Configuration

vpn {
     ipsec {
          esp-group ESP-Name {
               compression disable
               lifetime 3600
               mode tunnel
               pfs enable
               proposal 1 {
                    encryption aes256
                    hash sha1
          ike-group IKE-Name {
               aggressive-mode disable
               lifetime 3600
               proposal 1 {
                    encryption aes256
                    hash sha1
          ipsec-interfaces {
               interface eth0
          site-to-site {
               peer {
                    authentication {
                         mode pre-shared-secret
                         pre-shared-secret Your-Secret
                    ike-group IKE1
                    tunnel 1 {
                         allow-nat-networks disable
                         allow-public-networks disable
                         esp-group ESP-Name

Some Errors

I struggled with getting VPN to communicate with the outside world. At times, I would get an error saying that Vyatta was unable to start pluto. I also overlooked opening ports 500 and 4500 on the firewall.


To start, make sure you open port 500. Just in case the other side requires 4500, also open that port. Amazon lets through the ESP protocol, and you won’t have to worry about it. Finally, when all is said and done, start the VPN process. This is the one command that held me back for over a day.

clear vpn ipsec-process


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>