August 13, 2008

A hands-on look at Vyatta Community Edition 4 networking software

Author: Cory Buford

Vyatta offers hardware and open source software for enterprise-level network infrastructure. Vyatta can turn any 32-bit x86 machine with at least one network interface into a network appliance that handles routing, firewall, and VPN tasks. The company released Vyatta Community Edition 4 in April, with improved scalability and feature enhancements. Large enterprises now have a low-cost alternative to proprietary hardware like the Cisco 7200.

Most of the things that you can do with a Cisco box you can also do with Vyatta software, and, unlike Cisco IOS, you don't have to worry about a Vyatta software license, which saves you at least $1,000 compared to comparable Cisco equipment.

Vyatta supports several types of network interface hardware, such as the common 10/100/1000 NIC, T1/T3/E1 cards and, in this version, 10 Gigabit Ethernet, bringing Vyatta to the enterprise level. It supports standard network protocols such as RIPv2, OSPFv2, and BGPv4 for routing; PPP, 802.1Q, MLPPP, Frame Relay, HDLC, GRE, and PPPoE for encapsulation; IPSEC, L2TP, PPTP, and RADIUS for security; DHCP server/relay and NAT for IP management; VRRP and VPN clustering for high availability; MLPPP and ECMP for load balancing; priority and classful queuing for QOS; and a stateful inspection firewall. Because it uses standard protocols, Vyatta can interact with network devices from Cisco, Juniper, and any other vendor whose products also use network standards.

For administration, Vyatta includes an integrated command-line interface that can be accessed through Telnet and SSHv2. In previous versions, you could also manage the box through a Web GUI, and this will be available for version 4 in the third quarter of 2008. To ease network troubleshooting, the tcpdump and Wireshark packet sniffers are also included. To keep a record of log or monitor events, Vyatta offers Syslog and SNMPv2c support, but not the tools themselves. To gather information through syslog, you can easily use free syslog servers like Kiwi and use Nagios or MRTG to gather information via SNMPv2c.

The biggest change in the latest release is a redesigned shell called FusionCLI based on the bash command shell. It looks like the previous version's XORP shell, but is more powerful and will simplify future development. FusionCLI is different from the Cisco IOS CLI, but will feel familiar to those using the Juniper OS CLI. Other features new to this release are remote access VPN, WAN link load balancing, ECMP, PPPoE, role-based user access, and tunnel interfaces. Improvements in this release include the routing protocols (RIP, OSPF, and BGP), DHCP client reliability, and additional QoS traffic shaping mechanisms. For complete details on its features, refer to the software datasheets.

All of these features are available for free in the community edition, but major bug fixes and updates are available only in six-month intervals. If you want priority updates and support, you can buy a subscription plan.

Configuring advanced features

To start configuring Vyatta Community Edition 4, you must first download it from the developer's site. You can either download it in ISO format or as a VMware appliance version. I chose the ISO format and burned it to a CD.

You can deploy Vyatta as a live CD, install it on your hard drive, or make a bootable USB. I installed Vyatta on the disk, in a VMware virtual machine with an allocated disk space of 1024MB, 512MB of RAM, and two virtual NICs which are bridged by two physical NICs. The physical hardware is an Intel Core 2 Duo with 2GB of RAM. To install the software, boot the live CD, log in, and run the command install-system. In most cases, you can choose the default Auto option, then restart your computer after the installation.

After booting and logging in, enter the command configure to configure the router. If you need help with the commands, type ? or press Tab for auto-completion, as in Cisco IOS. I first checked that Vyatta detected my network interfaces with the command show interfaces. With the interfaces detected properly, I configured a basic setup covering the interfaces' IP addresses, NAT, and a simple static route. Below is a brief list of the basic settings that I used. Those familiar with the Juniper OS CLI will find that Vyatta CLI commands follow almost the same pattern. All changes that you make in Vyatta must be enabled with the command commit. After you configure the settings, use the command save to store the configuration permanently.

vyatta@vyatta# edit interfaces ethernet eth0
vyatta@vyatta# set description outside
vyatta@vyatta# set address - IP address of eth0
vyatta@vyatta# edit interfaces ethernet eth1
vyatta@vyatta# set description internal
vyatta@vyatta# set address - IP address of eth1
vyatta@vyatta# set protocols static route next-hop - static route to access outside
vyatta@vyatta# set service nat rule 1
vyatta@vyatta# edit service nat rule 1
vyatta@vyatta# set type masquerade
vyatta@vyatta# set outbound-interface eth0 - indicates that all outbound traffic will use eth0 address
vyatta@vyatta# set protocols all
vyatta@vyatta# set source network
vyatta@vyatta# set destination address
vyatta@vyatta# commit

After setting up the basic configuration, we can proceed to Vyatta's more advanced configuration. Since we're concerned with security, we must set some firewall policies. To do that, first enable the firewall with the set firewall command. We can then create a firewall rule set with the name "test," then add to it firewall policies or rules.

vyatta@vyatta# set firewall name test
vyatta@vyatta# edit firewall name test
vyatta@vyatta# set rule 1
vyatta@vyatta# edit rule 1
vyatta@vyatta# set source address
vyatta@vyatta# set protocol tcp
vyatta@vyatta# set destination address
vyatta@vyatta# set destination port ftp
vyatta@vyatta# set action reject
vyatta@vyatta# commit
vyatta@vyatta# edit firewall name test
vyatta@vyatta# set rule 2
vyatta@vyatta# edit rule 2
vyatta@vyatta# set source address
vyatta@vyatta# set destination address
vyatta@vyatta# set action accept

The commands above construct a simple firewall policy in which any traffic from source address, which is our internal network, to any destination (indicated by is allowed, but traffic with destination protocols accessing "ftp" is blocked or rejected. The firewall policy will be useless if we do not bind it to the appropriate network interface. In this case, since it is an internal network going to an outside network, the intended direction of the policy is outbound.

vyatta@vyatta# edit interfaces ethernet eth0
vyatta@vyatta# set firewall out name test
vyatta@vyatta# commit

When testing the configuration, I tried accessing FTP sites using port 21 on the Internet -- to no avail. This means that the firewall is working properly.
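The evaluation order behind that result, as an added Python sketch that is not part of the original article or Vyatta's code: rules are checked in ascending rule number, the first match decides, and a packet that matches nothing falls to the implicit drop at the end of a Vyatta rule set. The article's addresses are not shown, so 192.168.1.0/24 (internal), 0.0.0.0/0 (any) and the test hosts are constructed stand-ins, and the function names are hypothetical.

```python
import ipaddress

# The "test" rule set from the article. Addresses are constructed stand-ins:
# 192.168.1.0/24 for the internal network, 0.0.0.0/0 for "any destination".
TEST_RULES = [
    {"rule": 1, "source": "192.168.1.0/24", "destination": "0.0.0.0/0",
     "protocol": "tcp", "port": 21, "action": "reject"},   # ftp = TCP port 21
    {"rule": 2, "source": "192.168.1.0/24", "destination": "0.0.0.0/0",
     "protocol": None, "port": None, "action": "accept"},  # None = not restricted
]

def evaluate(rules, src, dst, protocol, port):
    """Return (rule number, action) of the first matching rule, lowest number first."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r["rule"]):
        if src_ip not in ipaddress.ip_network(r["source"]):
            continue
        if dst_ip not in ipaddress.ip_network(r["destination"]):
            continue
        if r["protocol"] is not None and r["protocol"] != protocol:
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        return r["rule"], r["action"]
    return None, "drop"  # nothing matched: the rule set's implicit drop

def swapped(rules):
    """Same two rules with their numbers exchanged, to show why order matters."""
    return [dict(r, rule=3 - r["rule"]) for r in rules]

if __name__ == "__main__":
    print(evaluate(TEST_RULES, "192.168.1.10", "203.0.113.5", "tcp", 21))
    print(evaluate(TEST_RULES, "192.168.1.10", "203.0.113.5", "tcp", 80))
    print(evaluate(swapped(TEST_RULES), "192.168.1.10", "203.0.113.5", "tcp", 21))
```

With the rule numbers swapped, the broad accept rule matches first and the FTP reject is never reached, which is why the specific rule carries the lower number.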

Now we can set up a simple site-to-site IPSec VPN. VPN connections consist of two levels, known as Phase 1 and Phase 2. Phase 1 establishes the security parameter agreement. Phase 2 utilizes these parameters to raise the VPN tunnel. In setting up VPN connections, all parameters in Phase 1 and Phase 2 should be the same as they are at the other end of the connection. Even a single dissimilar parameter will cause the VPN connection to fail.

vyatta@vyatta# set vpn ipsec
vyatta@vyatta# edit vpn ipsec
vyatta@vyatta# set ipsec-interfaces
vyatta@vyatta# edit ipsec-interfaces
vyatta@vyatta# set interface eth0
vyatta@vyatta# set ike-group p1
vyatta@vyatta# edit ike-group p1
vyatta@vyatta# set lifetime 7200
vyatta@vyatta# set ike-group p1 proposal 1
vyatta@vyatta# edit ike-group p1 proposal 1
vyatta@vyatta# set encryption 3des
vyatta@vyatta# set hash md5
vyatta@vyatta# set dh-group 2
vyatta@vyatta# set esp-group p2
vyatta@vyatta# edit esp-group p2
vyatta@vyatta# set lifetime 1800
vyatta@vyatta# set esp-group p2 proposal 1
vyatta@vyatta# edit esp-group p2 proposal 1
vyatta@vyatta# set encryption 3des
vyatta@vyatta# set hash md5
vyatta@vyatta# set site-to-site
vyatta@vyatta# edit site-to-site
vyatta@vyatta# set peer - public address of the remote network
vyatta@vyatta# edit peer
vyatta@vyatta# set authentication pre-shared-secret myvpn - using pre-shared key as authentication
vyatta@vyatta# set ike-group p1
vyatta@vyatta# set local-ip - public address of Vyatta
vyatta@vyatta# set tunnel 1
vyatta@vyatta# edit tunnel 1
vyatta@vyatta# set local-subnet - internal address of Vyatta
vyatta@vyatta# set remote-subnet - internal address of the remote network
vyatta@vyatta# set esp-group p2
vyatta@vyatta# commit

Looking at the commands that establish the IPSec VPN, the first thing to do is to configure the Phase 1 and Phase 2 parameters. Phase 1 needs an encryption algorithm (3des) for security, a hash algorithm (md5) for integrity, and a Diffie-Hellman group (group 2) for secure generation of the shared secret. In Vyatta, encryption can be AES, DES, or 3DES, and the hash algorithm can be either MD5 or SHA-1. For Diffie-Hellman, groups 2 and 5 are commonly used. In this case, I used a combination of 3des-md5 dh-group2 as my Phase 1 parameters, though you could also use aes-md5 dh-group2. For more information on the whole VPN process in detail, read the National Institute of Standards and Technology's Special Publication 800-77. There are other encryption and hash algorithms available, but as the number of key bits of the algorithm you use increases, so too does the overhead, consuming more bandwidth.

In Phase 2, we use the ESP protocol. Authentication Header is another Phase 2 protocol, but it is not supported in Vyatta, since AH provides only data integrity and authentication while ESP provides data integrity, authentication, and encryption, resulting in higher confidentiality of data. Although references will not directly state that ESP is better, the added encryption capability is really a great benefit. For more on the decline of AH, please read pages 30-36 of the NIST Special Publication 800-77 and "Securing Data in Transit with IPSec" on

Returning to Phase 2, we use 3des-md5 here as well. You can choose a different algorithm if you wish, but be sure the same parameters, or settings, are applied on the other end of the VPN. After we've set the parameters, we bind them to a network interface -- in most cases, to the public interface. Next, enter the peer address or the public address of the other side and configure its authentication. I chose pre-shared authentication and used the passphrase "myvpn." Lastly, we indicate the local and remote private networks that will be tunneled through in the VPN connection. Enter commit, and we now have a working VPN.
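A way to check the "same parameters on both ends" requirement before committing, as an added Python sketch that is not part of the original article or Vyatta's tooling. It assumes each side's settings are written as full-path set commands, one ike-group and one esp-group per side; the remote side is constructed, the function names are hypothetical, and the LEGACY list reflects later IETF guidance (RFC 8221, RFC 8247) rather than anything in the article.

```python
import re

# Constructed sample: the article's Phase 1/Phase 2 values as full-path "set"
# commands for the local side, and a remote side that differs in two places.
LOCAL = """\
set vpn ipsec ike-group p1 lifetime 7200
set vpn ipsec ike-group p1 proposal 1 encryption 3des
set vpn ipsec ike-group p1 proposal 1 hash md5
set vpn ipsec ike-group p1 proposal 1 dh-group 2
set vpn ipsec esp-group p2 lifetime 1800
set vpn ipsec esp-group p2 proposal 1 encryption 3des
set vpn ipsec esp-group p2 proposal 1 hash md5
"""
REMOTE = (LOCAL.replace("p1 proposal 1 dh-group 2", "p1 proposal 1 dh-group 5")
               .replace("p2 proposal 1 hash md5", "p2 proposal 1 hash sha1"))

LINE = re.compile(r"set vpn ipsec (ike|esp)-group \S+ (?:proposal (\d+) )?(\S+) (\S+)$")
# Values that RFC 8221 / RFC 8247 have since downgraded or deprecated.
LEGACY = {("encryption", "des"), ("encryption", "3des"),
          ("hash", "md5"), ("dh-group", "2")}

def parse(text):
    """Map (phase, proposal, setting) -> value; group names are local labels, ignored."""
    params = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            phase, proposal, key, value = m.groups()
            params[(phase, proposal or "-", key)] = value
    return params

def mismatches(local, remote):
    """Settings whose value differs between the sides, or that exist on one side only."""
    a, b = parse(local), parse(remote)
    return [(k, a.get(k), b.get(k))
            for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)]

def legacy(text):
    """Settings that would negotiate but rely on a downgraded algorithm or group."""
    return sorted(k for k, v in parse(text).items() if (k[2], v) in LEGACY)

if __name__ == "__main__":
    for key, ours, theirs in mismatches(LOCAL, REMOTE):
        print("MISMATCH", key, "local =", ours, "remote =", theirs)
    for key in legacy(LOCAL):
        print("LEGACY  ", key)
```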

The configurations discussed in this article are fairly simple. If you want a more comprehensive configuration, Vyatta's documentation site offers a complete command reference for registered users.

Wrapping it up

Vyatta Community Edition 4 is a good low-cost alternative to proprietary network hardware. If you want to use Vyatta in compute-intensive applications like VPNs or multiple routing and firewall policies, follow Vyatta's hardware guidelines. As a minimum, a machine with a 1GHz processor with 512MB of RAM and 1GB of disk space is recommended, allowing you to use a machine that today costs $100 or less for Vyatta's basic features.

Vyatta shows promise in the enterprise arena. Although I'm a Cisco fan when it comes to big enterprise networks, using Vyatta on small and medium-sized networks and familiarizing yourself with it is a good idea for now and may give you a big advantage in the future.

