VYATTA, INC.
| Vyatta System
AMI
INSTALLING THE SYSTEM/USER GUIDE
Vyatta
Suite 200
1301 Shoreway Road
Belmont, CA 94002
vyatta.com
650 413 7200
1 888 VYATTA 1 (US and Canada)
COPYRIGHT
Copyright © 2005–2012 Vyatta, Inc. All rights reserved. Vyatta reserves the right to make changes to software, hardware, and documentation without notice. For the most recent version of documentation, visit the Vyatta web site at vyatta.com.
PROPRIETARY NOTICES
Vyatta is a registered trademark of Vyatta, Inc.
Hyper‐V is a registered trademark of Microsoft Corporation.
VMware, VMware ESX, and VMware server are trademarks of VMware, Inc.
XenServer, and XenCenter are trademarks of Citrix Systems, Inc.
All other trademarks are the property of their respective owners.
RELEASE DATE: October 2012
DOCUMENT REVISION. 6.5R1 v01
RELEASED WITH: 6.5R1 PART NO. A0‐0243‐10‐0005
iii
Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Intended Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi
Organization of This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi
Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Vyatta Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Chapter 1 Installing the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Learning About AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Installation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Creating a VPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Modifying the Default Security Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Obtaining and Launching the Vyatta AMI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Obtaining the Vyatta AMI from the EC2 Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Obtaining the Vyatta AMI from the AWS Marketplace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Assigning an AWS Elastic IP Address to the Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Accessing the Instance Remotely. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Terminating an Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Chapter 2 Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Creating a NAT Device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Configure the Vyatta AMI Instance for NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Modify the Default Security Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Allow the Instance to Be Used for NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Create a Private Subnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Associate a Route Table with the Private Subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Launch an Instance into the Private Subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Access the Private Instance Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Verify the Instance is Working as Expected. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Interface . . . . . . . . . . . . . . . . . . . . . . . 55
Configure the VPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Modify the Security Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Create a Customer Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Create a Virtual Private Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Attach the Virtual Private Gateway to the VPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Create a VPN Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
iv
Download the VPN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Configure the Vyatta VPN Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Verify VPN Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Configure Routing on the VPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Verify End‐to‐End Connectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Additional Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Creating a Site‐to‐site IPsec VPN Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Creating a Site‐to‐site OpenVPN Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Creating a Remote Access VPN Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Chapter 3 Upgrading the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Release‐Specific Upgrade Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Before Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Upgrading a Vyatta AMI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Upgrading the System Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Sample Session for “upgrade system image”. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Upgrading the Full Vyatta AMI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Chapter 4 Installation and Upgrade Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
add system image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
clone system image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
delete system image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
install image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
install system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
rename system image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
set system image default‐boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
show system image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
upgrade system image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
v
Preface
On the Vyatta Subscription Edition, the Vyatta system is available as an Amazon
Machine Image (AMI) for use with Amazon Web Services (AWS).
This feature is available only in the Vyatta Subscription Edition.
This document explains how to obtain the Vyatta AMI and launch it into a Virtual
Private Cloud (VPC) within the AWS cloud, and then how to configure AWS such
that you can access the Vyatta system remotely. It also provides examples of how to
configure the Vyatta system for various uses, and how to upgrade a Vyatta AMI
system.
This preface provides information about using this guide. The following topics are
presented:
Vyatta System
•
Intended Audience
•
Organization of This Guide
•
Document Conventions
•
Vyatta Publications
6.5R1 v01
Installing the System/User Guide: AMI
Intended Audience vi
Intended Audience
This guide is intended for experienced system and network administrators.
Depending on the functionality to be used, readers should have specific knowledge
in the following areas:
•
Networking and data communications
•
TCP/IP protocols
•
General router configuration
•
Routing protocols
•
Network administration
•
Network security
•
IP services
Organization of This Guide
This guide has the following chapters:
Chapter
Description
Page
Chapter 1: Installing the System
This chapter describes the Vyatta AMI and how to install it within the Amazon Web Services cloud.
1
Chapter 2: Configuration Examples
This chapter presents examples for configuring a Vyatta AMI instance for a variety of scenarios.
37
Chapter 3: Upgrading the System
This chapter explains how to upgrade Vyatta system software on a Vyatta AMI in Amazon Web Services.
83
Chapter 4: Installation and Upgrade Commands
This chapter describes installation and upgrade commands.
88
Glossary
Vyatta System
101
6.5R1 v01
Installing the System/User Guide: AMI
Document Conventions vii
Document Conventions
This guide uses the following advisory paragraphs, as follows.
WARNING Warnings alert you to situations that may pose a threat to personal safety. CAUTION Cautions alert you to situations that might cause harm to your system or damage to equipment, or that may affect service.
NOTE Notes provide information you might need to avoid problems or configuration errors.
This document uses the following typographic conventions.
Monospace
Examples, command-line output, and representations of
configuration nodes.
bold Monospace
Your input: something you type at a command line.
bold
Commands, keywords, and file names, when mentioned
inline.
Objects in the user interface, such as tabs, buttons, screens,
and panes.
Vyatta System
italics
An argument or variable where you supply a value.
<key>
A key on your keyboard, such as <Enter>. Combinations of
keys are joined by plus signs (“+”), as in <Ctrl>+c.
[ key1 | key2]
Enumerated options for completing a syntax. An example is
[enable | disable].
num1–numN
A inclusive range of numbers. An example is 1–65535, which
means 1 through 65535, inclusive.
arg1..argN
A range of enumerated values. An example is eth0..eth3,
which means eth0, eth1, eth2, or eth3.
arg[ arg...]
arg[,arg...]
A value that can optionally represent a list of elements (a
space-separated list and a comma-separated list, respectively).
6.5R1 v01
Installing the System/User Guide: AMI
Vyatta Publications viii
Vyatta Publications
Full product documentation is provided in the Vyatta technical library. To see what
documentation is available for your release, see the Guide to Vyatta Documentation.
This guide is posted with every release of Vyatta software and provides a great
starting point for finding the information you need.
Additional information is available on www.vyatta.com and www.vyatta.org.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
1
Chapter 1: Installing the System
This chapter describes the Vyatta AMI and how to install it within the Amazon Web
Services cloud.
This chapter presents the following topics:
Vyatta System
•
Introduction
•
Before You Begin
•
Installation Options
•
Creating a VPC
•
Modifying the Default Security Group
•
Obtaining and Launching the Vyatta AMI
•
Assigning an AWS Elastic IP Address to the Instance
•
Accessing the Instance Remotely
•
Terminating an Instance
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Introduction 2
Introduction
Amazon Web Services (AWS) is Amazon’s cloud computing service. AWS provides
the tools and infrastructure required by businesses to run computing environments
“within the cloud.”
When you operate a computing environment within the cloud, you reduce capital
expenditures to a minimum, and you gain the ability to easily scale up or down your
compute resources as required. You pay as you go and you pay only for the resources
you use.
AWS provides a number of different products and services to enable businesses to
build the environments they require. At the core of AWS is the Amazon Machine
Image (AMI). An AMI is a virtual machine image. You instantiate a copy of the
image as virtual machine instances within the AWS cloud. A variety of AMIs are
available from a number of vendors. The Vyatta AMI is a version of the Vyatta
Subscription Edition system packaged to run in the AWS cloud. You can obtain the
Vyatta AMI from Amazon’s AWS Marketplace.
The Amazon Elastic Compute Cloud (EC2) is the AWS infrastructure within which
all AMIs are launched. EC2 allows you to easily obtain and scale compute capacity
as required.
A Virtual Private Cloud (VPC) allows you to provision a virtual private network
within the AWS cloud. A VPC allows you to define a virtual network topology within
which you can create subnets, select IP addresses, and configure routing tables and
network gateways.
This document explains how to obtain and launch the Vyatta AMI into a VPC within
the AWS cloud and to configure AWS such that you can access the Vyatta system
remotely. It also provides examples of how to configure the Vyatta system to act as
a NAT gateway, a site-to-site IPsec VPN endpoint, a site-to-site OpenVPN endpoint,
and a remote access IPsec VPN server.
Before You Begin
To use this guide, and to deploy the Vyatta system within the AWS environment, you
must be conversant with AWS and virtual private clouds (VPCs). This guide assumes
you are thoroughly familiar with at least the following AWS documentation:
•
http://docs.amazonwebservices.com/AWSEC2/latest/GettingStartedGuide/
•
http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide/
You should also be conversant with the AWS services you will be using. You can find
AWS documentation at http://aws.amazon.com/documentation/.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Before You Begin 3
This document also assumes the following:
Amazon Web Services Account
•
You have an AWS account. Sign up for an AWS account at
http://aws.amazon.com/.
•
You are able to log on to the AWS Management Console.
Amazon Web Services Skills
•
You have mastered general AWS skills, including the following:
— Creating a VPC subnet
— Creating and attaching an Amazon VPC Internet Gateway to the VPC
— Setting up routing in the VPC to enable traffic to flow between the VPC
subnet and the Internet
— Setting up a security group to control inbound and outbound traffic for the
instances launched within the VPC
— Launching an AMI instance (either Linux/UNIX or Windows) into the VPC
— Creating a key pair and assigning it to an instance
— Assigning an Elastic IP address to an instance
— Connecting to an instance remotely using SSH (for Linux/UNIX instances) or
RDP (for Windows instances)
Learning About AWS
It is beyond the scope of this guide to describe how to use AWS. Before trying to use
a Vyatta AMI with AWS, review the AWS documentation shown in Table 1-1.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Installation Options 4
Table 1‐1 Amazon Web Services Reference Documentation
What
Where
AWS
Introduction to AWS webinar in the Solutions playlist
http://aws.amazon.com/resources/webinars/
AWS documentation library
http://aws.amazon.com/documentation/
Amazon EC2
Amazon EC2 documentation index
http://aws.amazon.com/documentation/ec2/
Amazon EC2 Getting Started Guide
http://docs.amazonwebservices.com/AWSEC2/latest/
GettingStartedGuide/
Amazon EC2 User Guide
http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/
Amazon VPC documentation index
http://aws.amazon.com/documentation/vpc/
Amazon VPC
Amazon VPC Getting Started Guide
http://docs.amazonwebservices.com/AmazonVPC/latest/
GettingStartedGuide/
Amazon VPC User Guide
http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/
Installation Options
This document describes how to install a Vyatta AMI into a Virtual Private Cloud
(VPC) within the AWS environment as this how it is most likely to be deployed. For
evaluation purposes, it is possible to simply launch the Vyatta AMI directly into the
EC2 infrastructure - not within a VPC. This simplifies installation as a number of the
steps described below can be eliminated. To do this, go directly to “Obtaining the
Vyatta AMI from the AWS Marketplace” on page 20 and perform only steps 1 to 5.
Creating a VPC
Before you obtain a Vyatta AMI you need to create a VPC that it can be launched
into. You can create a VPC with a single public subnet by following the steps outlined
in the Amazon VPC Getting Started Guide at
http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide/.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Modifying the Default Security Group 5
The example that follows assumes that you are logged in to the AWS Management
Console and have completed the steps in the Amazon VPC Getting Started Guide.
These steps create a VPC that provides for addresses in the range of 10.0.0.0/16 and
a public subnet in the range of 10.0.0.0/24. The example uses these addresses, but
any private IP address ranges defined in RFC 1918 (that is, 10.0.0.0/8,
172.16.0.0/12, or 192.168.0.0/16) can be used.
Modifying the Default Security Group
Security groups provide the policies that control traffic flow and access for EC2
instances and instances within aVPC. EC2 security groups and VPC security groups
are independent of one another. EC2 security groups cannot be used for instances
within a VPC, and VPC security groups cannot be used for EC2 instances (that is,
instances not associated with a VPC). Vyatta AMI instances are launched into VPCs
so they use VPC security groups.
The default VPC security group allows instances within the VPC to communicate
with one another and to access the Internet, but it does not allow remote access to
the AMI instance(s) you’ll be creating within the VPC. To provide remote SSH access
into the VPC, either create a new security group, or modify the default security
group. This example modifies the default security group to allow SSH access from
anywhere.
NOTE This example allows SSH access from anywhere for testing purposes only. In general, it is best to restrict SSH access to source addresses that you control. Change the port to something other than 22 or 2222. Also, make sure you change the default password on all devices in your network.
To modify the default security group to allow SSH access
1
Vyatta System
Click VPC on the AWS Management Console Home page. The Amazon VPC
Console Dashboard page appears.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Vyatta System
Modifying the Default Security Group 6
2
In the left navigation pane, select Security Groups. The Security Groups page
opens on the right.
3
Select the default security group. The details for the default security group appear
at the bottom of the page.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Vyatta System
Modifying the Default Security Group 7
4
Select the Inbound tab. The default inbound rule appears. This rule provides
access between the instances that use this security group.
5
In the Create a new rule: field, select SSH from the drop-down menu.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System 6
Modifying the Default Security Group 8
In the Source: field, enter 0.0.0.0/0 and click Add Rule. The rule appears in the
rule table to the right. Click Apply Rule Changes to apply the rule change. The
security group now allows SSH access from anywhere.
The default VPC security group does not allow instances within the VPC to respond
to pings (ICMP echo requests) from remote devices. In many cases this is desireable.
For our testing purposes, it is desirable to determine that an instance is reachable so
we want to allow ICMP traffic. This example modifies the default security group to
allow incoming ICMP traffic from anywhere.
To modify the default security group to allow ICMP traffic 1
Vyatta System
In the Create a new rule: field of the Inbound tab, select All ICMP from the
drop-down menu.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System 2
Vyatta System
Modifying the Default Security Group 9
In the Source: field, enter 0.0.0.0/0 and click Add Rule. The rule appears in the
rule table to the right. Click Apply Rule Changes to apply the rule change. The
security group now allows ICMP traffic from anywhere.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Obtaining and Launching the Vyatta AMI 10
NOTE If you wish to enable access to the Vyatta Web GUI, you must add a rule that allows HTTPS (port 443) access. You must also configure the HTTPS service on the Vyatta system using the set service https command in configuration mode.
Obtaining and Launching the Vyatta AMI
This section presents the following topics:
•
Obtaining the Vyatta AMI from the EC2 Console
•
Obtaining the Vyatta AMI from the AWS Marketplace
The Vyatta AMI comes preconfigured as a standard Vyatta Subscription Edition
system with some additional configuration changes to ease installation and access
within AWS:
•
Vyatta System
The eth0 interface is configured to use DHCP. The IP address can be specified
when launching the instance. If not specified, AWS assigns one automatically.
The IP address is in the range of private addresses for the subnet into which it is
launched.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Obtaining and Launching the Vyatta AMI 11
•
SSH access is configured.
•
The host-name is set to VyattaAMI.
It is supported as either a Small (m1.small), Medium (m1.medium), or Large
(m1.Large) instance within AWS and is provided with persistent Amazon Elastic
Block Storage (EBS).
There are two different ways to purchase the Vyatta AMI, depending on your
business needs: as a term contract from Vyatta, and on a pay-as-you-go basis from
the AWS Marketplace.
Purchasing a term contract from Vyatta is more cost-effective for longer-term usage.
If you have purchased a term contract from Vyatta, you obtain the Vyatta AMI from
the EC2 console. To do this, see “Obtaining the Vyatta AMI from the EC2 Console”
on page 11.
Accessing the Vyatta AMI on a pay-as-you-go basis from the AWS Marketplace
provides a flexible alternative to a term contract. If you wish to use the Vyatta AMI
on a pay-as-you-go basis, you obtain it from the AWS Marketplace. To do this, see
“Obtaining the Vyatta AMI from the AWS Marketplace” on page 20.
i
Obtaining the Vyatta AMI from the EC2 Console
When you purchase a Vyatta AMI term contract, you must provide Vyatta with your
AWS account number so that Vyatta can share the Vyatta AMI with you in the AWS
environment.
To obtain and launch the Vyatta AMI from the EC2 Console
Vyatta System
1
Click EC2 on the AWS Management Console Home page. The Amazon EC2
Console Dashboard page appears.
2
Select AMIs in the left navigation pane. The Amazon Machine Images page opens
on the right.
3
In the Viewing: field, select Private Images, All Platforms, and specify
vyatta-AMI as the search string. Vyatta AMIs are listed.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System 4
Vyatta System
Obtaining and Launching the Vyatta AMI 12
Select a Vyatta AMI and click Launch at the top of the Amazon Machine Images
page. The Request Instances Wizard opens at the Instance Details step.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System 5
Vyatta System
Obtaining and Launching the Vyatta AMI 13
Select an Instance Type other than Micro in order to launch the Vyatta AMI
instance into a VPC. Then, in the Launch Instances area, select VPC and select
the subnet in the VPC that you wish to launch the instance into.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System 6
Vyatta System
Obtaining and Launching the Vyatta AMI 14
Click Continue to configure additional instance details.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System 7
Vyatta System
Obtaining and Launching the Vyatta AMI 15
If you wish to use a static IP address, specify the address in the IP Address field.
If you wish to include more than one network interface, specify the number you
wish to include in the Number of Network Interfaces field and configure them as
required. Click Continue to configure additional instance details.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System 8
Vyatta System
Obtaining and Launching the Vyatta AMI 16
If you wish to modify the storage configuration, click the Edit button and
configure it as required. Click Continue to configure additional instance details.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System 9
Obtaining and Launching the Vyatta AMI 17
If you wish to add tags (for example, a name) to your instance, specify a Key and
an associated Value. In this case we have chosen a name of R1. Click Continue
to move to the Create Key Pair page.
10 At this point, you can select Proceed without a Key Pair if a secure connection to
your Vyatta AMI instance is not required. For our example, we will create a key
pair. Select Create a new Key Pair. Enter a name for the key pair in the Enter a
name for your key pair field (in this case we entered “R1key”). Click the Create
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Obtaining and Launching the Vyatta AMI 18
& Download you Key Pair button. Save the .pem key pair file. You will move to
the Configure Firewall page.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Obtaining and Launching the Vyatta AMI 19
11 In the Choose one or more of your existing Security Groups area, select a security
group that you created earlier. Click Continue to move to the Review page.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Obtaining and Launching the Vyatta AMI 20
12 Review that the information that you have configured is correct. Click the
Launch button to launch the Vyatta AMI instance into your VPC. The Launch
Instance Wizard page appears.
13 Click Close to return to the Amazon EC2 Console. At this point the Vyatta AMI
instance is running within your VPC. The next step is to assign an Elastic IP
address to the Vyatta AMI instance. See “Assigning an AWS Elastic IP Address
to the Instance” on page 33.
Obtaining the Vyatta AMI from the AWS Marketplace
If you intend to use the Vyatta AMI on a pay-as-you-go basis, you must obtain it
from the Amazon AWS Marketplace. The AWS Marketplace can be accessed once
you are logged on to AWS.
To obtain and launch the Vyatta AMI from the AWS Marketplace
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Vyatta System
Obtaining and Launching the Vyatta AMI 21
1
Go to the AWS Marketplace at https://aws.amazon.com/marketplace/ and click
Sign on at the top of the page. The AWS Marketplace main page appears.
2
In the Search AWS Marketplace field at the top of the page, enter Vyatta and click
GO.
3
Select the 64-bit Vyatta AMI for the current Vyatta release. The Vyatta Virtual
Router/Firewall/VPN page appears.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Vyatta System
Obtaining and Launching the Vyatta AMI 22
4
Click Continue. The Launch on EC2: Vyatta Virtual Router/Firewall/VPN page
appears.
5
At this point, if you wish to simply create an instance of the Vyatta AMI within
the EC2 infrastructure, you can click Launch with 1-Click and follow the
prompts. You can then access the Vyatta AMI instance using an SSH client and
specifying the assigned DNS name. For the examples that follow, we want to
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Obtaining and Launching the Vyatta AMI 23
launch the instance into a VPC. To do this, select the Launch with EC2 Console
tab.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System 6
Vyatta System
Obtaining and Launching the Vyatta AMI 24
Click the Launch with EC2 Console button next to the AWS region you wish to
launch it in. The Request Instances Wizard appears at the Choose and AMI page
in the EC2 console.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System 7
Vyatta System
Obtaining and Launching the Vyatta AMI 25
Click Continue to move to the Install Details page.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System 8
Vyatta System
Obtaining and Launching the Vyatta AMI 26
Select an Instance Type other than Micro in order to launch the Vyatta AMI
instance into a VPC. Then, in the Launch Instances area, select VPC and select
the subnet in the VPC that you wish to launch the instance into.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System 9
Vyatta System
Obtaining and Launching the Vyatta AMI 27
Click Continue to configure additional instance details.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Obtaining and Launching the Vyatta AMI 28
10 If you wish to use a static IP address, specify the address in the IP Address field.
If you wish to include more than one network interface, specify the number you
wish to include in the Number of Network Interfaces field and configure them as
required. Click Continue to configure additional instance details.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Obtaining and Launching the Vyatta AMI 29
11 If you wish to modify the storage configuration, click the Edit button and
configure it as required. Click Continue to configure additional instance details.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Obtaining and Launching the Vyatta AMI 30
12 If you wish to add tags (for example, a name) to your instance, specify a Key and
an associated Value. In this case we have chosen a name of R1. Click Continue
to move to the Create Key Pair page.
13 At this point, you can select Proceed without a Key Pair if a secure connection to
your Vyatta AMI instance is not required. For our example, we will create a key
pair. Select Create a new Key Pair. Enter a name for the key pair in the Enter a
name for your key pair field (in this case we entered “R1key”). Click the Create
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Obtaining and Launching the Vyatta AMI 31
& Download you Key Pair button. Save the .pem key pair file. You will move to
the Configure Firewall page.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Obtaining and Launching the Vyatta AMI 32
14 In the Choose one or more of your existing Security Groups area, select a security
group that you created earlier. Click Continue to move to the Review page.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Assigning an AWS Elastic IP Address to the Instance 33
15 Review that the information that you have configured is correct. Click the
Launch button to launch the Vyatta AMI instance into your VPC. The Launch
Instance Wizard page appears.
16 Click Close to return to the Amazon EC2 Console. At this point the Vyatta AMI
instance is running within your VPC. The next step is to assign an Elastic IP
address to the Vyatta AMI instance. See “Assigning an AWS Elastic IP Address
to the Instance” on page 33.
Assigning an AWS Elastic IP Address to the Instance
In order to access the instance remotely you assign it an AWS Elastic IP address.
To assign an Elastic IP address
Vyatta System
1
Click VPC on the AWS Management Console Home page. The Amazon VPC
Console Dashboard page appears.
2
In the left navigation pane, select Elastic IPs. The Addresses pane opens.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Vyatta System
Assigning an AWS Elastic IP Address to the Instance 34
3
If you don’t already have an Elastic IP address available, click Allocate New
Address. The Allocate New Address dialog opens.
4
In the EIP used in: field, select VPC. Click Yes, Allocate. A new Elastic IP address
appears on the Addresses page.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Vyatta System
Assigning an AWS Elastic IP Address to the Instance 35
5
Select the Elastic IP address to be associated with the instance you launched.
Click Associate Address. The Associate Address dialog opens.
6
In the Instance: field, select the instance that you launched above. Click Yes,
Associate. The Elastic IP address is associated with the instance that you created.
This association appears on the Addresses pane.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 1: Installing the System Accessing the Instance Remotely 36
Accessing the Instance Remotely
After you have modified the security group associated with the instance to allow
access from SSH and you have provided the instance with an Elastic IP address, you
can test your access to it.
1
On a remote machine, open an SSH session. As the destination address, provide
the Elastic IP address you associated with the instance.
NOTE On Linux/UNIX systems use the ssh command. On Windows machines use a program such as putty for SSH access.
2
Once connected you will see the login as: prompt. To use the default login
credentials, log on as user vyatta with password vyatta. You will be prompted to
change the password.
Terminating an Instance
If you terminate a Vyatta instance, make sure you also remove the storage volume
attached to the instance (unless you wish to reuse it). Unless you explicitly delete the
storage volume, you are charged for it.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
37
Chapter 2: Configuration Examples
This chapter presents examples for configuring a Vyatta AMI instance for a variety
of scenarios.
This chapter presents the following topics:
Vyatta System
•
Creating a NAT Device
•
Creating a Site-to-site IPsec VPN Connection to a VPC with a Virtual Tunnel
Interface
•
Creating a Site-to-site IPsec VPN Connection
•
Creating a Site-to-site OpenVPN Connection
•
Creating a Remote Access VPN Connection
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a NAT Device 38
Creating a NAT Device
At the end of the installation procedure described in Chapter 1: Installing the System,
the following prerequisites for the examples in this chapter were completed:
•
A Vyatta AMI instance was launched into an existing VPC with a single public
subnet.
•
The default security group was modified to allow SSH access and ICMP traffic.
•
An Elastic IP address was assigned to the instance’s sole interface.
•
Remote SSH access was tested.
In this example, the following steps are completed:
•
The Vyatta AMI instance is configured as a Network Address Translation (NAT)
device.
•
A new subnet is created within the VPC.
•
A routing table is configured so that the subnet can route traffic through the
Vyatta NAT device.
•
A new instance is launched within the new subnet.
•
Remote access to the instance in the new subnet is tested using SSH.
The following diagram shows the configuration that is created.
Internet
Internet
Gateway
Private subnet
10.0.1.0/24
Public subnet
R
10.0.0.0/24
Remote client
NAT (R1)
10.0.0.10
184.72.119.76 (EIP)
10.0.1.20
VPC
10.0.0.0/16
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a NAT Device 39
Configure the Vyatta AMI Instance for NAT
To configure the Vyatta AMI instance to act as a NAT device
1
Using SSH and the Vyatta AMI instance’s Elastic IP address, log on to the Vyatta
AMI instance .
2
Enter configuration mode.
vyatta@vyatta:~$ configure
[edit]
vyatta@vyatta# 3
Change the hostname to R1 to identify the instance.
vyatta@vyatta# set system host‐name R1
[edit]
vyatta@vyatta#
The command prompt changes to reflect the new host name the next time you
log in.
4
Configure masquerade NAT for outbound traffic from subnet 10.0.1.0/24. (This
network address represents the private subnet to be created in a later step.)
vyatta@vyatta# set nat source rule 10 outbound‐interface eth0
[edit]
vyatta@vyatta# set nat source rule 10 source address 10.0.1.0/24
[edit]
vyatta@vyatta# set nat source rule 10 translation address masquerade
[edit]
vyatta@vyatta#
5
Configure destination NAT to provide remote access to an instance in the private
subnet. The NAT rule will pass connections to port 3333 to address 10.0.1.20
port 22. (This instance will be launched in a later step.)
vyatta@vyatta# set nat destination rule 20 destination port 3333
[edit]
vyatta@vyatta# set nat destination rule 20 inbound‐interface eth0
[edit]
vyatta@vyatta# set nat destination rule 20 translation address 10.0.1.20
[edit]
vyatta@vyatta# set nat destination rule 20 translation port 22
[edit]
vyatta@vyatta# set nat destination rule 20 protocol tcp
[edit]
vyatta@vyatta#
6
Commit and save the changes.
vyatta@vyatta# commit
[edit]
vyatta@vyatta# save
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a NAT Device 40
Saving configuration to ‘/config/config.boot’...
Done
[edit]
vyatta@vyatta# 7
View the NAT-related changes.
vyatta@vyatta# show nat
destination {
rule 20 {
destination {
port 3333
}
inbound‐interface eth0
protocol tcp
translation {
address 10.0.1.20
port 22
}
}
}
source {
rule 10 {
outbound‐interface eth0
source {
address 10.0.1.0/24
}
translation {
address masquerade
}
}
}
[edit]
vyatta@vyatta# 8
Exit configuration mode and then exit the login session.
vyatta@vyatta# exit
exit
vyatta@vyatta:~$ exit
logout
The SSH session terminates.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a NAT Device 41
Modify the Default Security Group
This example modifies the default security group to allow port 3333 access from
anywhere. Connections to the Elastic IP address on port 3333 are translated by the
Vyatta NAT device and then routed to the private instance that will be created in a
later step.
To modify the default security group to allow port 3333 access
Vyatta System
1
Click VPC on the AWS Management Console Home page. The Amazon VPC
Console Dashboard page appears.
2
In the left navigation pane, select Security Groups. The Security Groups page
opens on the right.
3
Select the default security group. The details for the default security group appear
at the bottom of the page.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Vyatta System
Creating a NAT Device 42
4
Select the Inbound tab. The current inbound rules appear.
5
In the Create a new rule: field, select Custom TCP rule from the drop-down list.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples 6
Creating a NAT Device 43
In the Port Range: field, enter 3333. In the Source: field, enter 0.0.0.0/0 and click
Add Rule. The rule appears in the rule table to the right. Click Apply Rule
Changes to apply the rule change. The security group now allows port 3333
access from anywhere.
Allow the Instance to Be Used for NAT
In order for the instance to be used as a NAT device, source and destination address
checking must be disabled.
To disable source and destination address checking: Vyatta System
1
Click EC2 on the AWS Management Console Home page. The Amazon EC2
Console Dashboard page appears.
2
In the left navigation pane, select Instances. The My Instances page opens.
3
Right-click the row containing the Vyatta NAT1 instance. Select Change Source
/ Dest Check from the right-click menu. The Change Source / Dest. Check dialog
opens.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples 4
Creating a NAT Device 44
Make sure that Current Setting: is set to Enabled. Click Yes, Disable. The
instance no longer checks source and destination address.
Create a Private Subnet
Create a new subnet within the VPC. This subnet will be made private in a later step.
To create a private subnet: Vyatta System
1
Click VPC on the AWS Management Console Home page. The Amazon VPC
Console Dashboard page appears.
2
On the left navigation pane, select Subnets. The Subnets page opens.
3
Click Create Subnet. The Create Subnet dialog opens.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples 4
Creating a NAT Device 45
In the CIDR Block: field, enter 10.0.1.0/24 and click Yes, Create.
This subnet must be within the 10.0.0.0/16 range that was defined for the VPC,
but outside the 10.0.0.0/24 range configured for the public subnet.
The new subnet appears in the list of subnets.
Associate a Route Table with the Private Subnet
This step enables access to instances within the private subnet in the VPC, and access
from the private subnet to the Internet through the newly-created Vyatta NAT
device.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a NAT Device 46
To associate a route table with the private subnet: Vyatta System
1
Click VPC on the AWS Management Console Home page. The Amazon VPC
Console Dashboard page appears.
2
In the left navigation pane, select Route Tables. The Route Tables page opens.
3
Select the route table that was created when you created the new subnet and click
the Associations tab. The Associations tab opens.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Vyatta System
Creating a NAT Device 47
4
In the Subnet field, select the subnet that was just created (in this case
10.0.1.0/24) and click the Associate button. The Associate Route Table dialog
appears.
5
In the Associate Route Table dialog, click Yes, Associate. The route table is
associated with the 10.0.1.0/24 subnet.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a NAT Device 48
Launch an Instance into the Private Subnet
Now that the private subnet 10.0.1.0/24 has been defined, we can launch an instance
into it. Although the example launches another Vyatta AMI instance, any instance
type could be launched. This example assumes that the Vyatta AMI is obtained from
the EC2 Console, but it could also be obtained from the AWS Marketplace.
To launch a Vyatta AMI instance into the private subnet
Vyatta System
1
Click EC2 on the AWS Management Console Home page. The Amazon EC2
Console Dashboard page appears.
2
In the left navigation pane, select AMIs. The Amazon Machine Images page
opens on the right.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Vyatta System
Creating a NAT Device 49
3
In the Viewing: field, select Private Images, All Platforms and specify vyatta-AMI
as the search string. Vyatta AMIs are listed.
4
Select a Vyatta AMI and click Launch at the top of the Amazon Machine Images
page. The Request Instances Wizard starts at the Instance Details step.
5
Select Large (m1.large) as the Instance Type:.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a NAT Device 50
NOTE If you select Micro (t1.micro, 613 MB) you will not be able to launch the instance into your VPC.
Vyatta System
6
In the Launch Instances section, select VPC.
7
In the Subnet: field, select the 10.0.1.0/24 subnet for attaching the instance to
and click Continue. The Advanced Instance Options page opens.
8
In the IP Address: field, enter 10.0.1.20 and click Continue. The Storage Device
Configuration page opens.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples 9
Creating a NAT Device 51
The Add Tags page appears. If you wish to change the size of the storage deveice
associated with the instance, click the Edit button. In most cases, this is not
necessary. Click Continue. The add key page opens.
10 In the Value column to the right of the Name key, enter VyattaPrivate and click
Continue. The Create Key Pair page opens.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a NAT Device 52
11 Select Choose from your existing Key Pairs and select an existing key pair from
the Your existing Key Pairs drop-down list. Click Continue. The Configure
Firewall page opens.
12 Select the default security group and click Continue. The Review page opens.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a NAT Device 53
13 Review the details for the instance you are creating. When you are satisfied, click
Launch. The instance starts. Click Close.
14 To view the status of the newly launched instance, select Instances on the left
navigation pane within the EC2 tab.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a NAT Device 54
Access the Private Instance Remotely
Since the default security group is associated with the instance, remote SSH
connections will be allowed through to it.
To access the instance remotely using SSH
1
On a remote machine, open an SSH session. As the destination, use the Elastic IP
address you associated with the Vyatta NAT instance. Specify 3333 as the port.
The Vyatta NAT device has been configured to translate any connections to port
3333 to address 10.0.1.20 port 22. This connection is routed to the instance
created within the private subnet.
NOTE On Linux/UNIX systems use the ssh command. On Windows machines use a program such as putty for SSH access.
2
Once connected you will see the login as: prompt. Log on to the instance using
the default credentials: user vyatta with password vyatta.
Verify the Instance is Working as Expected
Once you are logged into the system, issue the following commands to confirm that
it is working as expected.
To confirm that the instance is working as expected
1
Confirm the IP address that is associated with the Ethernet interface.
vyatta@vyatta:~$ show interfaces
Codes: S ‐ State, L ‐ Link, u ‐ Up, D ‐ Down, A ‐ Admin Down
Interface IP Address S/L Description
‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐ ‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
eth0 10.0.1.20/24 u/u
lo 127.0.0.1/8 u/u
::1/128
vyatta@vyatta:~$ 2
Confirm the information that has been provided by the Amazon DHCP server.
vyatta@vyatta:~$ show dhcp client leases
interface : eth0
ip address : 10.0.1.20 [Active]
subnet mask: 255.255.255.0
router : 10.0.1.1
name server: 10.0.0.2
dhcp server: 10.0.1.1
lease time : 3600
last update: Wed Aug 31 19:25:23 GMT 2011
expiry : Wed Aug 31 20:25:23 GMT 2011
reason : RENEW
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 55
vyatta@vyatta:~$ 3
Confirm that the instance has access to the Internet using ping (press <Ctrl>+c to
stop the output).
vyatta@vyatta:~$ ping www.vyatta.com
PING www.vyatta.com (76.74.103.45) 56(84) bytes of data.
64 bytes from www.vyatta.com (76.74.103.45): icmp_req=1 ttl=46 time=74.4 ms
64 bytes from www.vyatta.com (76.74.103.45): icmp_req=2 ttl=46 time=74.5 ms
^C
‐‐‐ www.vyatta.com ping statistics ‐‐‐
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 74.492/74.502/74.513/0.273 ms
vyatta@vyatta:~$ ^C
vyatta@vyatta:~$ Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Interface
This section presents the following topics:
•
Configure the VPC
•
Configure the Vyatta VPN Gateway
•
Verify VPN Connectivity
•
Configure Routing on the VPC
•
Verify End-to-End Connectivity
•
Additional Considerations
In this example, two site-to-site IPsec VPN connections are created between a Vyatta
VPN Gateway and an AWS Virtual Private Gateway attached to an AWS VPC. The
IPsec VPN connections are from 72.21.209.193 and 72.21.209.225 on the Virtual
Private Gateway, to 173.8.163.106 on the Vyatta VPN Gateway. Virtual tunnel
interfaces are used on the Vyatta device. The IPsec VPN connections use subnets
169.254.255.72/30 and 169.254.255.76/30 and addresses on these subnet are
assigned to these interfaces. The example assumes that Vyatta NAT instances and
instances within private subnets have been created within the VPCs according to the
steps in “Creating a NAT Device” on page 38. It also assumes that an
Internet-connected Vyatta system is available to act as the Vyatta VPN Gateway. The
following diagram shows the configuration.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 56
Internet
72.21.209.193
Virtual
Private
Gateway
Internet
Gateway
72.21.209.225
173.8.163.106
eth0
Vyatta VPN
Gateway
eth1 .254
Private subnet
10.0.1.0/24
Public subnet
R
10.0.0.0/24
176.16.10.0/24
NAT (R1)
10.0.0.10
184.72.119.76 (EIP)
10.0.1.20
VPC
10.0.0.0/16
Configure the VPC
This section presents the following topics:
•
Modify the Security Group
•
Create a Customer Gateway
•
Create a Virtual Private Gateway
•
Attach the Virtual Private Gateway to the VPC
•
Create a VPN Connection
•
Download the VPN Configuration
Modify the Security Group
To allow inbound Internet Key Exchange (IKE), Encapsulating Security Payload
(ESP), and IPsec NAT-T, add three rules to the default VPC security group in the
VPC. The first inbound rule (for IKE) allows UDP traffic on port 500 from any
source (0.0.0.0/0). The second inbound rule (for ESP) is a Custom protocol rule and
allows IP protocol 50 traffic from any source (0.0.0.0/0). The third inbound rule (for
IPsec NAT-T) allows UDP traffic on port 4500 from any source (0.0.0.0/0). See
“Modify the Default Security Group” on page 41 as a reference.
Create a Customer Gateway
The Customer Gateway configuration in the VPC defines how to connect to the
Vyatta VPN Gateway.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 57
To create a Customer Gateway
Vyatta System
1
Click VPC on the AWS Management Console Home page. The Amazon VPC
Console Dashboard page appears.
2
In the left navigation pane, select Customer Gateways. The Create Customer
Gateway dialog opens.
3
In the Routing drop-down menu, select Dynamic.
4
In the BGP ASN field, enter the BGP Autonomous System Number that the
Vyatta VPN Gateway will use. This should be a private ASN if BGP is not in use
on this device or within the network. This should be a public ASN if this device
is already running BGP with a public ASN or if this device will be advertising the
VPC subnet to other BGP speaking routers on the network via iBGP. In this
example, we're choosing the default private ASN value of 65000.
5
In the IP Address field, enter the public Internet facing IP address of the Vyatta
VPN Gateway.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 58
6
Click Yes, Create. A newly created Customer Gateway will appear with a State
of “available”.
Create a Virtual Private Gateway
The Virtual Private Gateway is the VPN Gateway on the AWS side of the VPN
connection.
To create a Virtual Private Gateway
Vyatta System
1
Click VPC on the AWS Management Console Home page. The Amazon VPC
Console Dashboard page appears.
2
In the left navigation pane, select Virtual Private Gateways. The Virtual Private
Gateways page opens.
3
Click Create Virtual Private Gateway at the top of the page. The Create Virtual
Private Gateway dialog opens.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 59
4
Click Yes, Create. The Virtual Private Gateway is created and configured based
on the Customer Gateway configuration. A newly created Virtual Private
Gateway will appear with a State of “available”. Take note of the Virtual Private
Gateway ID (e.g. vgw-********) for use later when creating the VPN
Connection.
Attach the Virtual Private Gateway to the VPC
The Virtual Private Gateway must be attached to the VPC before it can be used.
To attach the Virtual Private Gateway to the VPC
Vyatta System
1
At the top of the Virtual Private Gateways page, click Attach to VPC. The Create
Attach to VPC dialog opens.
2
In the VPC drop-down menu, select the VPC to attach the Virtual Private
Gateway to.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 60
3
Click Yes, Attach. The VPC appears in the VPC column next to the Virtual
Private Gateway attached to it.
Create a VPN Connection
Once the Customer Gateway and Virtual Private Gateway are created and the Virtual
Private Gateway is attached to the VPC, a VPN Connection can be created.
To create a VPN Connection
Vyatta System
1
Click VPC on the AWS Management Console Home page. The Amazon VPC
Console Dashboard page appears.
2
In the left navigation pane, select VPN Connections. The VPN Connections page
opens.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 61
Vyatta System
3
Click Create VPN Connection at the top of the page. The Create VPN
Connection dialog opens.
4
In the Virtual Private Gateway dropdown menu, select the Virtual Private
Gateway created in “Create a Virtual Private Gateway” on page 58.
5
In the Customer Gateway dropdown menu, select the Customer Gateway created
in “Create a Customer Gateway” on page 56.
6
This example uses dynamic routing. Select Use dynamic routing (requires BGP)
under the Specify the routing for the VPN Connection heading.
7
Click Yes, Create. The new VPN Connection appears on the VPN Connections
page with a State of “available”.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 62
NOTE If you select the VPN Connection, you will notice that there are two tunnels created and that both show a Status of DOWN. This is expected. This will be the case until the remote end of the connection (the Vyatta VPN Gateway) is configured and has established a set of VTI tunnels and a BGP peering session with AWS.
Download the VPN Configuration
AWS provides a configuration file to assist in configuring the remote end of the VPN
for a variety of 3rd part routers, including Vyatta. This file can be retrieved from the
VPN Connections page.
To download the VPC Configuration
Vyatta System
1
Click VPC on the AWS Management Console Home page. The Amazon VPC
Console Dashboard page appears.
2
In the left navigation pane, select VPN Connections. The VPN Connections page
opens.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 63
3
Click Download Configuration at the top of the page. The Download
Configuration dialog opens.
4
In the Vendor drop-down menu, select “Vyatta”.
5
In the Platform drop-down menu, select “Vyatta Network OS”.
6
In the Software drop-down menu, select “Vyatta Network OS 6.5+”.
7
Click Yes, Download. Open the downloaded configuration file.
Configure the Vyatta VPN Gateway
The downloaded configuration file contains Vyatta configuration commands that are
used to configure the Vyatta VPN Gateway so that it can communicate with the AWS
Virtual Private Gateway. These commands must be copied and pasted into a
configuration session on the Vyatta VPN Gateway then committed and saved.
To configure the Vyatta VPN Gateway using the downloaded configuration file
Vyatta System
1
Login to the Vyatta VPN Gateway.
2
Enter configuration mode by issuing the configure command.
3
For each command in the downloaded configuration file, copy the command and
paste it into the Vyatta VPN Gateway login session.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 64
NOTE In order to advertise subnet 172.16.10.0/24 to the VPC, change the command:
set protocols bgp 65000 network 0.0.0.0/0
to
set protocols bgp 65000 network 172.16.10.0/24
4
When you have copied and pasted all command, enter the commit command to
commit the configuration, then enter the save command to save the
configuration. At this point, the pertinent parts of the configuration on the
Vyatta VPN Gateway looks as follows:
vyatta@R2# show interfaces ethernet
ethernet eth0 {
address 173.8.163.106/28
duplex auto
hw‐id 00:90:fb:1b:85:d9
smp_affinity auto
speed auto
}
ethernet eth1 {
address 172.16.10.254/24
duplex auto
hw‐id 00:90:fb:1b:85:d8
smp_affinity auto
speed auto
}
[edit]
vyatta@R2# show interfaces vti
vti vti0 {
address 169.254.255.74/30
description "VPC tunnel 1"
mtu 1436
}
vti vti1 {
address 169.254.255.78/30
description "VPC tunnel 2"
mtu 1436
}
[edit]
vyatta@R2# show vpn
ipsec {
esp‐group AWS {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes128
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 65
hash sha1
}
}
ike‐group AWS {
dead‐peer‐detection {
action restart
interval 15
timeout 30
}
lifetime 28800
proposal 1 {
dh‐group 2
encryption aes128
hash sha1
}
}
ipsec‐interfaces {
interface eth0
}
site‐to‐site {
peer 72.21.209.193 {
authentication {
mode pre‐shared‐secret
pre‐shared‐secret vDoG59257kDPSHjQNFb_ZpPPFFpFx2Nw
}
description "VPC tunnel 1"
ike‐group AWS
local‐address 173.8.163.106
vti {
bind vti0
esp‐group AWS
}
}
peer 72.21.209.225 {
authentication {
mode pre‐shared‐secret
pre‐shared‐secret X9ypqOk2Pcbs1IRWSG9gDb2UYYMUa3pK
}
description "VPC tunnel 1"
ike‐group AWS
local‐address 173.8.163.106
vti {
bind vti1
esp‐group AWS
}
}
}
}
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 66
[edit]
vyatta@R2# show protocols bgp
bgp 65000 {
neighbor 169.254.255.73 {
remote‐as 7224
soft‐reconfiguration {
inbound
}
timers {
holdtime 30
keepalive 30
}
}
neighbor 169.254.255.77 {
remote‐as 7224
soft‐reconfiguration {
inbound
}
timers {
holdtime 30
keepalive 30
}
}
network 172.16.10.0/24{
}
}
[edit]
vyatta@R2# Verify VPN Connectivity
The two VPN tunnels between the AWS Virtual Private Gateway and the Vyatta VPN
Gateway should come up at this point. You can verify that the tunnels are up in
operational mode on the Vyatta system. The commands and their output should look
similar to the following:
vyatta@R2:~$ show vpn ipsec sa statistics
Peer ID / IP Local ID / IP
‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐
72.21.209.193 173.8.163.106
Description: VPC tunnel 1
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 67
Tunnel Dir Source Network Destination Network Bytes
‐‐‐‐‐‐ ‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐
vti in 0.0.0.0/0 0.0.0.0/0 35604
vti out 0.0.0.0/0 0.0.0.0/0 35703
Peer ID / IP Local ID / IP
‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐
72.21.209.225 173.8.163.106
Description: VPC tunnel 1
Tunnel Dir Source Network Destination Network Bytes
‐‐‐‐‐‐ ‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐
vti in 0.0.0.0/0 0.0.0.0/0 6888
vti out 0.0.0.0/0 0.0.0.0/0 6888
vyatta@R2:~$ show interfaces
Codes: S ‐ State, L ‐ Link, u ‐ Up, D ‐ Down, A ‐ Admin Down
Interface IP Address S/L Description
‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐ ‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐
eth0 173.8.163.106/28 u/u
eth1 172.16.10.254/24 u/u
lo 127.0.0.1/8 u/u
::1/128
vti0 169.254.255.74/30 u/u VPC tunnel 1
vti1 169.254.255.78/30 u/u VPC tunnel 2
vyatta@R2:~$ show ip bgp summary
BGP router identifier 172.16.10.254, local AS number 65000
IPv4 Unicast ‐ max multipaths: ebgp 1 ibgp 1
RIB entries 3, using 192 bytes of memory
Peers 2, using 5048 bytes of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
169.254.255.73 4 7224 7712 7655 0 0 0 21:16:06 1
169.254.255.77 4 7224 7685 7627 0 0 0 21:11:20 1
Total number of neighbors 2
vyatta@R2:~$ show ip bgp
BGP table version is 0, local router ID is 172.16.10.254
Status codes: s suppressed, d damped, h history, * valid, > best, i ‐ internal,
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 68
r RIB‐failure, S Stale, R Removed
Origin codes: i ‐ IGP, e ‐ EGP, ? ‐ incomplete
Network Next Hop Metric LocPrf Weight Path
* 10.0.0.0/16 169.254.255.77 0 7224 i
*> 169.254.255.73 0 7224 i
*> 172.16.10.0/24 0.0.0.0 1 32768 i
Total number of prefixes 2
On the AWS side, on the VPN Connections page, you will see that the two tunnels
now have a Status of “UP”.
Configure Routing on the VPC
At this point the VPN connections are up but routes learned from BGP are not
propogated.
To propogate routes on the VPC
Vyatta System
1
Click VPC on the AWS Management Console Home page. The Amazon VPC
Console Dashboard page appears.
2
In the left navigation pane, select Route Tables. The Route Tables page opens.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 69
Vyatta System
3
Select the Route Table that is associated with the VPC subnets that will be
reached over the VPN tunnels. More than just one Route Table may need to be
updated. The default VPC Route Table is the Main table. Any subnet that is not
associated to a Route Table will use the Main table.
4
Select the Route Propagation tab for the selected Route Table.
5
In the Virtual Private Gateways drop-down menu, select the VPN Gateway that
was created “Create a Virtual Private Gateway” on page 58.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 70
6
Click Add. The Virtual Private Gateway will be added to the list of Virtual
Private Gateways that are allowed to update the route table.
7
Select the Routes tab to view the routes learned from the Virtual Private
Gateway.
Verify End‐to‐End Connectivity
Test the configuration by pinging a device in one private subnet (10.0.1.20) from a
device in the other private subnet. In this case, we will ping from the Vyatta VPN
Gateway but specify that the source address is the IP address associated with eth1
(172.16.10.254).
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection to a VPC with a Virtual Tunnel Inter‐ 71
vyatta@R2:~$ ping 10.0.1.20 interface 172.16.10.254
PING 10.0.1.20 (10.0.1.20) from 172.16.10.254 : 56(84) bytes of data.
64 bytes from 10.0.1.20: icmp_req=1 ttl=62 time=99.9 ms
64 bytes from 10.0.1.20: icmp_req=2 ttl=62 time=79.9 ms
64 bytes from 10.0.1.20: icmp_req=3 ttl=62 time=79.9 ms
64 bytes from 10.0.1.20: icmp_req=4 ttl=62 time=89.9 ms
64 bytes from 10.0.1.20: icmp_req=5 ttl=62 time=89.9 ms
^C
‐‐‐ 10.0.1.20 ping statistics ‐‐‐
5 packets transmitted, 5 received, 0% packet loss, time 4039ms
rtt min/avg/max/mdev = 79.989/87.987/99.986/7.491 ms
vyatta@R2:~$ Additional Considerations
In order to prevent advertising the eBGP learned VPC subnet back to the VPC, you
can configure a route-map and apply it to both sessions. The configuration looks as
follows:
vyatta@R2# show policy
prefix‐list internal {
rule 10 {
action permit
prefix 172.16.10.0/24
}
}
route‐map AWS {
rule 10 {
action permit
match {
ip {
address {
prefix‐list internal
}
}
}
}
}
[edit]
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection 72
vyatta@R2# show protocols bgp
bgp 65000 {
neighbor 169.254.255.73 {
remote‐as 7224
route‐map {
export AWS
}
soft‐reconfiguration {
inbound
}
timers {
holdtime 30
keepalive 30
}
}
neighbor 169.254.255.77 {
remote‐as 7224
route‐map {
export AWS
}
soft‐reconfiguration {
inbound
}
timers {
holdtime 30
keepalive 30
}
}
network 172.16.10.0/24 {
}
}
[edit]
Creating a Site‐to‐site IPsec VPN Connection
In this example, a site-to-site IPsec VPN connection is created between the NAT
devices in separate VPCs. It assumes that Vyatta NAT instances and instances within
private subnets have been created within the VPCs according to the steps in
“Creating a NAT Device” on page 38. The following diagram shows the
configuration.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection 73
Internet
Internet
Gateway
Private subnet
10.0.1.0/24
R
10.0.1.20
Internet
Gateway
Public subnet
Private subnet
10.0.0.0/24
172.16.1.0/24
NAT (R1)
10.0.0.10
184.72.119.76 (EIP)
172.16.1.20
VPC
10.0.0.0/16
Public subnet
R
172.16.0.0/24
NAT (R2)
172.16.0.10
184 .72.120.221 (EIP)
VPC
172.16.0.0/16
To allow inbound Internet Key Exchange (IKE), Encapsulating Security Payload
(ESP), and IPsec NAT-T, add three rules to the default VPC security group in each
VPC. The first inbound rule (for IKE) allows UDP traffic on port 500 from any
source (0.0.0.0/0). The second inbound rule (for ESP) is a Custom protocol rule and
allows IP protocol 50 traffic from any source (0.0.0.0/0). The third inbound rule (for
IPsec NAT-T) allows UDP traffic on port 4500 from any source (0.0.0.0/0). See
“Modify the Default Security Group” on page 41 as a reference.
To provide an IPsec VPN endpoint on the NAT device R1, configure it as follows:
vyatta@R1# show vpn
ipsec {
esp‐group ESP‐1W {
compression disable
lifetime 1800
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
proposal 2 {
encryption 3des
hash md5
}
}
ike‐group IKE‐1W {
lifetime 3600
proposal 1 {
encryption aes256
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection 74
hash sha1
}
proposal 2 {
encryption aes128
hash sha1
}
}
ipsec‐interfaces {
interface eth0
}
nat‐networks {
allowed‐network 0.0.0.0/0 {
exclude 10.0.0.0/16
}
}
nat‐traversal enable
site‐to‐site {
peer 184.72.120.221 {
authentication {
id @Router1
mode pre‐shared‐secret
pre‐shared‐secret test_key_1
remote‐id @Router2
}
connection‐type initiate
default‐esp‐group ESP‐1W
ike‐group IKE‐1W
local‐address 10.0.0.10
tunnel 1 {
allow‐nat‐networks disable
allow‐public‐networks disable
local {
subnet 10.0.0.0/16
}
remote {
subnet 172.16.0.0/16
}
}
}
}
}
[edit]
vyatta@R1# To provide an IPsec VPN endpoint on the NAT device R2, configure it as follows:
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection 75
vyatta@R2# show vpn
ipsec {
esp‐group ESP‐1E {
compression disable
lifetime 1800
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
proposal 2 {
encryption 3des
hash md5
}
}
ike‐group IKE‐1E {
lifetime 3600
proposal 1 {
encryption aes256
hash sha1
}
proposal 2 {
encryption aes128
hash sha1
}
}
ipsec‐interfaces {
interface eth0
}
nat‐networks {
allowed‐network 0.0.0.0/0 {
exclude 172.16.0.0/16
}
}
nat‐traversal enable
site‐to‐site {
peer 184.72.119.76 {
authentication {
id @Router2
mode pre‐shared‐secret
pre‐shared‐secret test_key_1
remote‐id @Router1
}
connection‐type initiate
default‐esp‐group ESP‐1E
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site IPsec VPN Connection 76
ike‐group IKE‐1E
local‐address 172.16.0.10
tunnel 1 {
allow‐nat‐networks disable
allow‐public‐networks disable
local {
subnet 172.16.0.0/16
}
remote {
subnet 10.0.0.0/16
}
}
}
}
}
[edit]
vyatta@R2# Test the configuration by pinging a device in one private subnet (10.0.1.20) from a
device in the other private subnet (172.16.1.20).
vyatta@vyatta:~$ ping 10.0.1.20
PING 10.0.1.20 (10.0.1.20) 56(84) bytes of data.
64 bytes from 10.0.1.20: icmp_req=1 ttl=64 time=0.439 ms
64 bytes from 10.0.1.20: icmp_req=2 ttl=64 time=0.572 ms
64 bytes from 10.0.1.20: icmp_req=3 ttl=64 time=0.430 ms
64 bytes from 10.0.1.20: icmp_req=4 ttl=64 time=0.448 ms
^C
‐‐‐ 10.0.1.20 ping statistics ‐‐‐
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.430/0.472/0.572/0.059 ms
vyatta@vyatta:~$ While this example shows a site-to-site IPsec VPN connection between sites in two
different VPCs, the sites can also be located in non-VPC locations (for example, a
branch office or a data center).
For further information on IPsec VPN configuration, please see the Vyatta VPN
Reference Guide.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site OpenVPN Connection 77
Creating a Site‐to‐site OpenVPN Connection
In this example, a site-to-site OpenVPN connection is created between the NAT
devices in separate VPCs. It assumes that Vyatta NAT instances and instances within
private subnets have been created within the VPCs according to the steps in
“Creating a NAT Device” on page 38. The following diagram shows the
configuration.
Internet
Internet
Gateway
Private subnet
10.0.1.0/24
R
10.0.1.20
Internet
Gateway
Public subnet
Private subnet
10.0.0.0/24
172.16.1.0/24
NAT (R1)
10.0.0.10
184.72.119.76 (EIP)
172.16.1.20
VPC
10.0.0.0/16
Public subnet
R
172.16.0.0/24
NAT (R2)
172.16.0.10
184 .72.120.221 (EIP)
VPC
172.16.0.0/16
To allow inbound OpenVPN traffic, add one rule to the default VPC security group
in each VPC. This inbound rule allows UDP traffic on port 1194 from any source
(0.0.0.0/0). See “Modify the Default Security Group” on page 41 as a reference.
To provide an OpenVPN endpoint on the NAT device R1, configure it as follows:
vyatta@R1# show interfaces openvpn
openvpn vtun0 {
local‐address 192.168.200.1 {
}
mode site‐to‐site
remote‐address 192.168.200.2
remote‐host 184.72.120.221
shared‐secret‐key‐file /config/auth/secret
}
[edit]
vyatta@R1# Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Site‐to‐site OpenVPN Connection 78
NOTE The shared secret key file is created using generate vpn openvpn <filename> and then copied to both systems.
To provide a route on R1 to the remote network via the OpenVPN tunnel, configure
it as follows:
vyatta@R1# show protocols static
interface‐route 172.16.0.0/16 {
next‐hop‐interface vtun0 {
}
}
[edit]
vyatta@R1# To provide an OpenVPN endpoint on the NAT device R2, configure it as follows:
vyatta@R2# show interfaces openvpn
openvpn vtun0 {
local‐address 192.168.200.2 {
}
mode site‐to‐site
remote‐address 192.168.200.1
remote‐host 184.72.119.76
shared‐secret‐key‐file /config/auth/secret
}
[edit]
vyatta@R2# To provide a route on R2 to the remote network via the OpenVPN tunnel, configure
it as follows:
vyatta@R2# show protocols static
interface‐route 10.0.0.0/16 {
next‐hop‐interface vtun0 {
}
}
[edit]
vyatta@R2# Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Remote Access VPN Connection 79
Test the configuration by pinging a device in one private subnet (10.0.1.20) from a
device in the other private subnet (172.16.1.20).
vyatta@vyatta:~$ ping 10.0.1.20
PING 10.0.1.20 (10.0.1.20) 56(84) bytes of data.
64 bytes from 10.0.1.20: icmp_req=1 ttl=64 time=0.439 ms
64 bytes from 10.0.1.20: icmp_req=2 ttl=64 time=0.572 ms
64 bytes from 10.0.1.20: icmp_req=3 ttl=64 time=0.430 ms
64 bytes from 10.0.1.20: icmp_req=4 ttl=64 time=0.448 ms
^C
‐‐‐ 10.0.1.20 ping statistics ‐‐‐
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.430/0.472/0.572/0.059 ms
vyatta@vyatta:~$ While this example shows a site-to-site OpenVPN connection between sites in two
different VPCs, the sites can also be located in non-VPC locations (for example, a
branch office or a data center).
For further information on OpenVPN configuration, please see the Vyatta VPN
Reference Guide.
Creating a Remote Access VPN Connection In this example, a Remote Access VPN connection is created between a remote client
and the NAT device in a VPC. It assumes that a Vyatta NAT instance and an instance
within a private subnet have been created within the VPC according to the steps in
“Creating a NAT Device” on page 38. The following diagram shows the
configuration.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Remote Access VPN Connection 80
Internet
Internet
Gateway
Private subnet
10.0.1.0/24
Public subnet
R
10.0.0.0/24
Remote access
client
NAT (R1)
10.0.0.10
184.72.119.76 (EIP)
10.0.1.20
VPC
10.0.0.0/16
To allow inbound Remote Access VPN traffic, add a rule to the default VPC security
group. This inbound rule allows TCP traffic on port 1723 from any source
(0.0.0.0/0). See “Modify the Default Security Group” on page 41 as a reference.
To provide a remote access server on the NAT device R1, configure it as follows:
vyatta@R1# show vpn pptp
remote‐access {
authentication {
local‐users {
username test {
password test
}
}
mode local
}
client‐ip‐pool {
start 10.0.1.100
stop 10.0.1.150
}
outside‐address 10.0.0.10
}
[edit]
vyatta@R1# To configure a PPTP VPN client on a Windows XP SP2 system (the remote access
client in this example), use the Windows “New Connection Wizard,” as follows:
1
Vyatta System
In Windows, select Start > Control Panel > Network Connections.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Remote Access VPN Connection 81
2
Click Create a new connection. The New Connection Wizard launches. Click
Next.
3
Select Connect to the network at my workplace. Click Next.
4
Select Virtual Private Network connection. Click Next.
5
Enter a name for the connection; for example, “Vyatta-PPTP.” Click Next.
6
Select Do not dial the initial connection. Click Next.
7
Enter the Elastic IP address. Click Next.
8
Select Do not use my smart card. Click Next.
9
Click Finish.
To connect to the VPN server, double-click the VPN connection icon, enter your user
name (“test” in the example) and password (“test” in the example), and then click
Connect. You can use the show interfaces and show vpn remote-access operational
commands on the Vyatta VPN server to display the connected user on an interface
named “pptpX,” where X is an integer.
NOTE You must make sure that nothing is blocking packets with protocol GRE or TCP port 1723 between the remote client and the VPN server . (Check firewall settings, home gateway, DSL modem, ISP, and so on.)
Test the configuration by pinging a device in the private network from the remote
client (in this case, from the command line of the Windows client).
C:\> ping 10.0.1.20
Pinging 10.0.1.20 with 32 bytes of data:
Reply from 10.0.1.20: bytes=32 time=1ms TTL=64
Reply from 10.0.1.20: bytes=32 time<1ms TTL=64
Reply from 10.0.1.20: bytes=32 time<1ms TTL=64
Reply from 10.0.1.20: bytes=32 time<1ms TTL=64
Ping statistics for 10.0.1.20:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli‐seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
C:\ > While this example shows a remote access VPN connection, OpenVPN can also be
configured for remote access connections.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 2: Configuration Examples Creating a Remote Access VPN Connection 82
For further information on Remote Access VPN configuration, please see the Vyatta
VPN Reference Guide.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
83
Chapter 3: Upgrading the System
This chapter explains how to upgrade Vyatta system software on a Vyatta AMI in
Amazon Web Services.
In this chapter:
Vyatta System
•
Release-Specific Upgrade Information
•
Before Upgrading
•
Upgrading a Vyatta AMI
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 3: Upgrading the System Release‐Specific Upgrade Information 84
Release‐Specific Upgrade Information
Your system may have special upgrade considerations, depending on the release.
For release-specific upgrade information, and to ensure that configuration
information is correctly preserved across upgrade, consult the Release Notes for your
release.
Before Upgrading
Before upgrading:
•
Save your existing configuration file for reference. Your configuration file is
named config.boot and is located in the directory /config.
•
Make sure you have enough space on your root partition to load the image. You
can determine the amount of space available using the show system storage
command.
Upgrading a Vyatta AMI
The Vyatta AMI is supported only for the Vyatta Subscription Edition.
The Vyatta AMI consists of the following:
•
The Vyatta virt ISO
•
Other AMI-specific modifications and optimizations.
The way you upgrade a Vyatta AMI system depends on what part of the image has
changed. Table 3-1 shows the upgrade options for Vyatta AMI.
Table 3‐1 Upgrade options for Vyatta AMI systems
What has changed:
What you need to upgrade:
The virt ISO
Upgrade just the virt ISO. You can use the upgrade system image command. Use the procedure given in Upgrading the System Image.
AMI‐specific modifications
Upgrade the full AMI. Use the procedure given in Upgrading the Full Vyatta AMI
You’re not sure
Use the procedure given in Upgrading the System Image. The system will detect whether anything else in the AMI has changed and will alert you if you need to upgrade the full AMI.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 3: Upgrading the System Upgrading a Vyatta AMI 85
Upgrading the System Image
The upgrade system image command provides a simplified, streamlined upgrade
process. If the upgrade system image command is executed, the system automatically
does all of the following:
•
Finds the most recent stable Vyatta Subscription Edition virt ISO image
•
Downloads the image
•
Installs the image
•
Migrates configuration files from the running system
•
Sets the new image as the default boot image.
The new image is run the next time the system reboots.
To upgrade using the “upgrade system image” command
1
At the command prompt, issue the upgrade system image command. Follow the
prompts; see the sample session given in Example 3-1.
2
When the install has completed, reboot the system using the reboot command.
The system restarts using the new system image.
Sample Session for “upgrade system image”
Example 3-1 shows a session where the upgrade system image command is used to
upgrade to the latest system image.
NOTE You will not be prompted for your repository username and password if they are already configured within the entitlement system.
Example 3‐1 Upgrading a system image vyatta@vyatta:~$ upgrade system image
Vyatta image upgrade utility.
Please enter repository username: testco
Please enter repository password: testpassword
Checking for updated images on the Vyatta repository...
I have found a newer system image on the Vyatta repository.
The new image is version: VSE6.4‐2012.02.09
Would you like to upgrade to this image? [Yes/No] yes
OK... Starting process to upgrade system image.
Trying to fetch ISO file from http://packages.vyatta.com/vyatta‐supported/iso/stable/vyatta‐livecd‐vir
t_VSE6.4‐2012.02.09_i386.iso
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 196M 100 196M 0 0 489k 0 0:06:49 0:06:49 ‐‐:‐‐:‐‐ 559k
ISO download succeeded.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 3: Upgrading the System Upgrading a Vyatta AMI 86
Checking for digital signature file...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 189 100 189 0 0 169 0 0:00:01 0:00:01 ‐‐:‐‐:‐‐ 2333
Found it. Checking digital signature...
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: Signature made Mon Feb 6 16:42:22 2012 GMT+8 using DSA key ID 9436A9F8
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: Good signature from "Autobuild <autobuild@vyatta.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1B49 FE0A 0239 706A C6D4 13B0 04A2 5B93 9436 A9F8
Digital signature is valid.
Checking MD5 checksums of files on the ISO image...OK.
Done!
What would you like to name this image? [VSE6.4‐2012.02.09]: <Enter>
OK. This image will be named: VSE6.4‐2012.02.09
Installing "VSE6.4‐2012.02.09" image.
Copying new release files...
Would you like to save the current configuration
directory and config file? (Yes/No) [Yes]: <Enter>
Copying current configuration...
Would you like to save the SSH host keys from your
current configuration? (Yes/No) [Yes]: <Enter>
Copying SSH keys...
Setting up grub configuration...
Done.
Upgrading the Full Vyatta AMI
When AMI-specific content in the Vyatta AMI changes, you must perform an
upgrade to the new Vyatta AMI, using the procedure in this section.
To upgrade the Vyatta AMI.
Vyatta System
1
Save your current system configuration (/config) to a separate location on your
network.
2
Using the new Vyatta AMI, create a new Vyatta virtual machine in your AWS
environment. Use the instructions given in Chapter 1: Installing the System,
starting in the section“Obtaining and Launching the Vyatta AMI” on page 10 .
3
Perform initial configuration of the new virtual machine and test the installation
to verify connectivity on the network.
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 3: Upgrading the System 4
Shut down the old system so it does not conflict with the new system.
5
Load the configuration you saved onto the new Vyatta virtual machine.
6
Make the following modification to the loaded configuration:
•
7
Vyatta System
Upgrading a Vyatta AMI 87
For each Ethernet interface, delete the hardware ID. (In configuration mode,
use the delete interface ethernet ethx hw-id command, where ethx is the name
of the Ethernet interface).
Reboot the system using the reboot command. The system restarts using the new
configuration.
6.5R1 v01
Installing the System/User Guide: AMI
88
Chapter 4: Installation and Upgrade Commands
This chapter describes installation and upgrade commands.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 4: Installation and Upgrade Commands 89
This chapter presents the following commands.
Configuration Commands
None.
Operational Commands
add system image
Adds a binary system image to the currently running system.
clone system image
Creates a copy of a Vyatta system image installed on the local system or on a remote system.
delete system image
Deletes a Vyatta system image.
install image
Installs a Vyatta system image, using a binary system image.
install system
Installs Vyatta system software, using a traditional layout of files.
rename system image
Renames a Vyatta system image.
set system image default‐boot
Selects a Vyatta system image to be run when the system is next rebooted.
show system image
Displays a list of Vyatta system images installed on the system.
upgrade system image
Upgrades the currently running system to the latest version.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 4: Installation and Upgrade Commands 90
add system image
Adds a binary system image to the currently running system.
Syntax
add system image {iso-filename | iso-URL [username username password password]}
Command Mode
Operational mode.
Parameters
iso-filename
The name of the Vyatta system image file to be added.
iso-URL
The URL location of the Vyatta system image file to be added.
username
Optional. The username required to login to the remote system at
the specified URL location.
password
Optional. The password required to login to the remote system at
the specified URL location. If the username is specified, then a
password must also be specified.
Default
None.
Usage Guidelines
Use this command to add a binary Vyatta system image to the currently running
system. A system image can be added to a system that was installed using a
disk-based install (using the install system command) or an image-based install
(using the install image command). Once added, it will be set as the new default boot
image and will be run the next time the system is booted.
The command will validate the MD5 checksums of the files contained in the ISO
image to ensure that it has not been corrupted. In addition, it will not allow more
than a single copy of an image to exist on the same system.
The iso-filename or iso-URL argments provide the source for the ISO image file.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 4: Installation and Upgrade Commands 91
NOTE If you are accessing the ISO image on the web, in most browsers right‐clicking the link to the file will provide access to the URL which can then be copied and pasted as the iso‐URL argument to this command.
The following table shows the syntax for file specification for different file locations.
Table 4‐1 Location
Specification
An absolute path
For iso‐filename use standard UNIX file specification.
A relative path
For iso‐filename you can also specify the path name relative to the current directory.
FTP server
Use the following syntax for the iso‐URL argument:
ftp://user:passwd@host/image‐file
where user is the username on the host, passwd is the password associated with the username, host is the host name or IP address of the FTP server, and image‐file is the ISO image file, including the path. Alternatively, the username and password can be specified as username and password arguments to the add system image command.
If you do not specify user and passwd you are prompted for them.
SCP server
Use the following syntax for the iso‐URL argument:
scp://user:passwd@host/image‐file
where user is the username on the host, passwd is the password associated with the username, host is the host name or IP address of the SCP server, and image‐file is the ISO image file, including the path. Alternatively, the username and password can be specified as username and password arguments to the add system image command.
If you do not specify user and passwd you will be prompted for them.
HTTP server
Use the following syntax for the iso‐URL argument:
http://host/image‐file
where host is the host name or IP address of the HTTP server and image‐file is the ISO image file, including the path.
TFTP server
Use the following syntax for the iso‐URL argument:
tftp://host/image‐file
where host is the host name or IP address of the TFTP server, and image‐file is the ISO image file, including the path relative to the TFTP root directory.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 4: Installation and Upgrade Commands 92
clone system image
Creates a copy of a Vyatta system image installed on the local system or on a remote
system.
Syntax
clone system image [user@host:]source-image-name new-image-name [clean]
Availability
Vyatta Subscription Edition.
Command Mode
Operational mode.
Parameters
user
The user name on a remote host. Required for remote host
access via SCP. Not required for cloning a local system
image.
host
The hostname or IP address of a remote host. Required for
remote host access using SCP. Not required for cloning a
local system image.
source_image-name
The name of the system image to be copied. The source
image can exist on the local system or a remote system.
new-image-name
The name of the new (copied) system image. An image with
this name must not already exist on the system.
clean
Creates an empty read-write directory tree for the new
image. This creates a new image that is functionally
equivalent to the source image as it existed when it was
originally installed.
Default
None.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 4: Installation and Upgrade Commands 93
Usage Guidelines
Use this command to create a copy of a system image installed on the local system or
on a remote system to the local system.
If user@host is specified, the image is fetched from the named host using the SCP
protocol. If user@host is omitted, the source-image-name is the name of an image
that already exists on the system. The new-image-name is the image name that the
system uses for the clone. There must be no image by that name already existing on
the system.
Command completion is performed for local image names if user@host is not
specified. No command completion is performed on remote image names if
user@host is specified.
If the clean argument is omitted, the command copies the squashfs file being used by
the image named source-image-name as well as the read-write directory tree of
source-image-name. If the clean argument is given, then the read-write directory tree
of source-image-name is NOT copied. Instead, an empty read-write directory tree is
created for the new image. This creates a new image that is functionally equivalent
to the source image as it existed when it was initially installed.
Images created by this command behave the same as images installed by the install
image or the add system image commands.
The https and ssh services must both be enabled on the remote Vyatta system in order
for the clone system image command to work properly. The https service is enabled
using set service https in Configuration mode. The ssh service is enabled using set
service ssh in Configuration mode.
NOTE This command is only available in the Vyatta Subscription Edition.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 4: Installation and Upgrade Commands 94
delete system image
Deletes a Vyatta system image.
Syntax
delete system image [image-name]
Command Mode
Operational mode.
Parameters
image-name
The name of the Vyatta system image to be deleted.
Default
When used with no options, the system prompts for the image to delete.
Usage Guidelines
Use this command to delete a Vyatta system image from the local disk drive.
The image and all of its local files, including its Vyatta configuration file, are all
destroyed. Since this command is destructive, the system prompts for confirmation.
Command completion displays all valid completions for the image-name argument.
If the image-name argument is omitted, the system displays a list of available images
and prompts you to select one.
If the system was originally installed in disk-based mode, an image-name option is
available that you can use to direct that the disk-based installation should be deleted.
The system does not allow you to delete the currently running system image.
However, the system does allow you to delete the image currently selected to be run
at the next reboot. If you choose this, the system uses the currently running image
when the system is next rebooted.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 4: Installation and Upgrade Commands 95
install image
Installs a Vyatta system image, using a binary system image.
Syntax
install image
Command Mode
Operational mode.
Parameters
None.
Default
None.
Usage Guidelines
Use this command to install a Vyatta system binary image.
This command is similar to the install system command in functionality. Once the
installation is complete you can add multiple Vyatta versions into the same partition,
using the add system image command, and you can then choose which version to
boot, using the set system image default-boot command. This allows you to move
easily between different versions of the system.
If you have a new system and want to install the Vyatta system from scratch, you can
boot the Vyatta LiveCD and then run the install image command to install the image
on the LiveCD to the disk. The install image command operates similarly to the
install system command—it creates and formats a new disk partition and then
installs the image to the partition while preserving the system configuration.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 4: Installation and Upgrade Commands 96
install system
Installs Vyatta system software, using a traditional layout of files.
Syntax
install system
Command Mode
Operational mode.
Parameters
None.
Default
None.
Usage Guidelines
Use this command to install Vyatta software from a LiveCD onto a persistent device
such as a hard disk.
NOTE Vyatta recommends using the install image command over the install system command.
If you have a new system and want to install the Vyatta system from scratch, you can
boot the Vyatta LiveCD and then run the install system command to install the
system on the LiveCD to the disk. The install system command operates similarly to
the install image command—it creates and formats a new disk partition and then
installs the system to the partition while preserving the system configuration.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 4: Installation and Upgrade Commands 97
rename system image
Renames a Vyatta system image.
Syntax
rename system image old-image-name new-image-name
Command Mode
Operational mode.
Parameters
old-image-name
The name of an existing Vyatta system image to be renamed.
new-image-name
The new name of the Vyatta system image.
Default
None.
Usage Guidelines
Use this command to rename a Vyatta system image.
The old name must match the name of an image on the system. The system does not
allow you to rename the currently running system image. The new system image
name cannot be in use by another image.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 4: Installation and Upgrade Commands 98
set system image default‐boot
Selects a Vyatta system image to be run when the system is next rebooted.
Syntax
set system image default-boot [image-name]
Command Mode
Operational mode.
Parameters
image-name
The name of the Vyatta system image to be run when the system is
rebooted.
Default
If used with no image name specified, the system displays a list of available images
and prompts you to select one.
Usage Guidelines
Use this command to specify which Vyatta system image is to be run when the system
is next rebooted.
When multiple system images have been installed using the add system image
command, you can use this command to direct the system to boot from a specific
system image the next time it is restarted.
Command completion displays all valid completions for the image-name argument.
If the image-name argument is omitted, the system displays a list showing all images
installed on the system and prompts you to select one. If the system was originally
installed in disk-based mode, then a special image-name option is available so that
you can select the disk-based system as the default system from which to boot.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 4: Installation and Upgrade Commands 99
show system image
Displays a list of Vyatta system images installed on the system.
Syntax
show system image [storage | version]
Command Mode
Operational mode.
Parameters
storage
Display the amount of disk space used by each image.
version
Include the image version number in the display of system images.
Default
None.
Usage Guidelines
Use this command to display a list of all Vyatta system images currently installed on
the system.
The command output identifies the image that is currently running, as well as the
image that has been selected to run when the system is next rebooted. If the system
was originally installed in disk-based mode, then one of the image names identifies
that installation.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Chapter 4: Installation and Upgrade Commands 100
upgrade system image
Upgrades the currently running system to the latest version.
Syntax
upgrade system image
Availability
Vyatta Subscription Edition.
Command Mode
Operational mode.
Parameters
None.
Default
None.
Usage Guidelines
Use this command to upgrade the Vyatta system image to the latest release. It is the
preferred method of system upgrade. The system image can be upgraded on a system
that was installed using a disk-based install (using the install system command) or an
image-based install (using the install image command or from a virtual machine
template). Once the new image is added to the system, the configuration from the
currently running system can be migrated. Also, the new image will be set as the new
default boot image and will be run the next time the system is booted.
The command will validate the MD5 checksums of the files contained in the ISO
image to ensure that it has not been corrupted. In addition, it will not allow more
than a single copy of an image to exist on the same system.
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
101
Glossary
ACL
access control list
ADSL
Asymmetric Digital Subscriber Line
AMI
Amazon Machine Image
API
Application Programming Interface
AS
autonomous system
ARP
Address Resolution Protocol
AWS
Amazon Web Services
BGP
Border Gateway Protocol
BIOS
Basic Input Output System
BPDU
Bridge Protocol Data Unit
CA
certificate authority
CCMP
AES in counter mode with CBC-MAC
CHAP
Challenge Handshake Authentication Protocol
CLI
command-line interface
DDNS
dynamic DNS
DHCP
Dynamic Host Configuration Protocol
DHCPv6
Dynamic Host Configuration Protocol version 6
DLCI
data-link connection identifier
DMI
desktop management interface
DMZ
demilitarized zone
DN
distinguished name
DNS
Domain Name System
DSCP
Differentiated Services Code Point
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
102
DSL
Digital Subscriber Line
eBGP
external BGP
EBS
Amazon Elastic Block Storage
EC2
Amazon Elastic Compute Cloud
EGP
Exterior Gateway Protocol
ECMP
equal-cost multipath
ESP
Encapsulating Security Payload
FIB
Forwarding Information Base
FTP
File Transfer Protocol
GRE
Generic Routing Encapsulation
HDLC
High-Level Data Link Control
I/O
Input/Ouput
ICMP
Internet Control Message Protocol
IDS
Intrusion Detection System
IEEE
Institute of Electrical and Electronics Engineers
IGP
Interior Gateway Protocol
IPS
Intrusion Protection System
IKE
Internet Key Exchange
IP
Internet Protocol
IPOA
IP over ATM
IPsec
IP security
IPv4
IP Version 4
IPv6
IP Version 6
ISP
Internet Service Provider
KVM
Kernel-Based Virtual Machine
L2TP
Layer 2 Tunneling Protocol
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
103
LACP
Link Aggregation Control Protocol
LAN
local area network
LDAP
Lightweight Directory Access Protocol
LLDP
Link Layer Discovery Protocol
MAC
medium access control
MIB
Management Information Base
MLPPP
multilink PPP
MRRU
maximum received reconstructed unit
MTU
maximum transmission unit
NAT
Network Address Translation
ND
Neighbor Discovery
NIC
network interface card
NTP
Network Time Protocol
OSPF
Open Shortest Path First
OSPFv2
OSPF Version 2
OSPFv3
OSPF Version 3
PAM
Pluggable Authentication Module
PAP
Password Authentication Protocol
PAT
Port Address Translation
PCI
peripheral component interconnect
PKI
Public Key Infrastructure
PPP
Point-to-Point Protocol
PPPoA
PPP over ATM
PPPoE
PPP over Ethernet
PPTP
Point-to-Point Tunneling Protocol
PTMU
Path Maximum Transfer Unit
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
104
PVC
permanent virtual circuit
QoS
quality of service
RADIUS
Remote Authentication Dial-In User Service
RHEL
Red Hat Enterprise Linux
RIB
Routing Information Base
RIP
Routing Information Protocol
RIPng
RIP next generation
Rx
receive
S3
Amazon Simple Storage Service
SLAAC
Stateless Address Auto-Configuration
SNMP
Simple Network Management Protocol
SMTP
Simple Mail Transfer Protocol
SONET
Synchronous Optical Network
SSH
Secure Shell
SSID
Service Set Identifier
STP
Spanning Tree Protocol
TACACS+
Terminal Access Controller Access Control System Plus
TBF
Token Bucket Filter
TCP
Transmission Control Protocol
TKIP
Temporal Key Integrity Protocol
ToS
Type of Service
TSS
TCP Maximum Segment Size
Tx
transmit
UDP
User Datagram Protocol
VHD
virtual hard disk
vif
virtual interface
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
105
VLAN
virtual LAN
VPC
Amazon virtual private cloud
VPN
Virtual Private Network
VRRP
Virtual Router Redundancy Protocol
WAN
wide area network
WAP
wireless access point
WPA
Wired Protected Access
Vyatta System
6.5R1 v01
Installing the System/User Guide: AMI
Download PDF