{"id":987,"date":"2016-05-09T21:03:11","date_gmt":"2016-05-09T21:03:11","guid":{"rendered":"https:\/\/fir3netwp.gmsrrpobkbd.com\/2016\/05\/09\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter\/"},"modified":"2023-01-06T17:08:15","modified_gmt":"2023-01-06T17:08:15","slug":"how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter","status":"publish","type":"post","link":"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html","title":{"rendered":"Create Site to Site VPN Between AWS &#038; Vyatta vRouter"},"content":{"rendered":"<p>Within this article we will show you how to create an IPSEC site to site VPN from a Vyatta vRouter into the AWS cloud.<\/p>\n<p>Due to the nature of AWS VPNs, explained further on a tunnel based VPN will be created. The main difference with a route based VPN is that a tunnel interface (VTI) is created and assigned to your external interface. Any traffic that you wish to encrypt is routed to this tunnel interface. Access to and from the VPN is then controlled via the use of a policy.<\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_65 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<p class=\"ez-toc-title\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-662efb3763103\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-662efb3763103\"  aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#Encryption_Domain\" title=\"Encryption Domain\">Encryption Domain<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#Local\" title=\"Local\">Local<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#Remote\" title=\"Remote\">Remote<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#AWS\" title=\"AWS\">AWS<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#VPC\" title=\"VPC\">VPC<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#Steps\" title=\"Steps\">Steps<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#Vyatta\" title=\"Vyatta\">Vyatta<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#Interfaces\" title=\"Interfaces\">Interfaces<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#Tunnel_Interfaces\" title=\"Tunnel Interfaces\">Tunnel Interfaces<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#WAN_LoadBalancing\" title=\"WAN LoadBalancing\">WAN LoadBalancing<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#NAT_Exemption\" title=\"NAT Exemption\">NAT Exemption<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#Routes\" title=\"Routes\">Routes<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#Phase_12_Parameters\" title=\"Phase 1\/2 Parameters\">Phase 1\/2 Parameters<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#Peers\" title=\"Peers\">Peers<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#Access_Policy\" title=\"Access Policy\">Access Policy<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#Show_Commands\" title=\"Show Commands\">Show Commands<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-17\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#Confirm_Phase_1\" title=\"Confirm Phase 1\">Confirm Phase 1<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-18\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#Confirm_Phase_2\" title=\"Confirm Phase 2\">Confirm Phase 2<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-19\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\/#VTI_WAN_Loadbalance_Status\" title=\"VTI WAN Loadbalance Status\">VTI WAN Loadbalance Status<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"Encryption_Domain\"><\/span>Encryption Domain<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>First of all for our example lets look at the encryption domain that will be used within this article.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Local\"><\/span>Local<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<table class=\"table table-bordered table-condensed\">\n<thead>\n<tr>\n<th>Local Endpoint<\/th>\n<th>Local VTI<\/th>\n<th>Local Peer<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>192.168.3.0\/24<\/td>\n<td>169.254.20.254\/30\u00a0(VTI1)<\/td>\n<td>133.1.1.100<\/td>\n<\/tr>\n<tr>\n<td>192.168.3.0\/24<\/td>\n<td>169.254.20.138\/30 (VTI2)<\/td>\n<td>133.1.1.100<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3><span class=\"ez-toc-section\" id=\"Remote\"><\/span>Remote<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<table class=\"table table-bordered table-condensed\">\n<thead>\n<tr>\n<th>Remote Endpoint<\/th>\n<th>Remote VTI<\/th>\n<th>Remote Peer<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>10.0.1.0\/24<\/td>\n<td>169.254.20.253\/30 (VTI1)<\/td>\n<td>52.48.97.50<\/td>\n<\/tr>\n<tr>\n<td>10.0.1.0\/24<\/td>\n<td>169.254.20.137\/30 (VTI2)<\/td>\n<td>52.50.142.56<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><span class=\"ez-toc-section\" id=\"AWS\"><\/span>AWS<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"VPC\"><\/span>VPC<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>VPN Connectivity into AWS is performed via the creation of Virtual Private Gateways. These are configured within an AWS VPC.<\/p>\n<p>What is VPC ? VPC (Virtual Private Cloud) allows you to create virtual networks within AWS. This allows you to logically separate resources, add additional security, configure networking attributes (such as routing tables etc) along with build VPNs from your remote site into your AWS solution.<\/p>\n<p>AWS VPNs are route based. This means that Virtual Tunnel Interfaces (VTIs) are created on the AWS side. Additionally you will also observe that only a single SA is generated.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Steps\"><\/span>Steps<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Within the AWS Management Portal and within VPC,<\/p>\n<ul>\n<li>Create a <strong>VPC<\/strong> (Virtual Private Cloud \/ Your VPCs \/ Create VPC)<\/li>\n<li>Create a <strong>Customer Gateway<\/strong> (VPN Connections \/ Customer Gateway)\n<ul>\n<li>Routing : Static<\/li>\n<li>IP Address : Local Peer IP<\/li>\n<\/ul>\n<\/li>\n<li>Create a <strong>Virtual Private Gateway<\/strong> &#8211; (VPN Connections \/ Virtual Private Gateway)<\/li>\n<li>Create a <strong>VPN Connection<\/strong>\u00a0 &#8211; (VPN Connections \/ VPN Connections). Please note there is a Download Configuration icon. This will allow you to download the VPN configuration in a number of formats i.e Cisco ASA etc.\n<ul>\n<li>Virtual Private Gateway : Select previously created gateway<\/li>\n<li>Customer Gateway : Select previously created gateway<\/li>\n<li>Routing Options : Static<\/li>\n<li>Static IP Prefixes : Local Endpoint (192.168.3.0\/24)<\/li>\n<\/ul>\n<\/li>\n<li>Update <strong>Virtual Private Cloud<\/strong> (Virtual Private Cloud \/ Route Tables ) go to the routing table hosting your subnet (i.e 10.0.1.0\/24). Within Route Propagation edit the route that shows the vgw-xxxxx and enable Propagate. This will propagate a route for the endpoint you previously added within your Static IP Prefixes.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Vyatta\"><\/span>Vyatta<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Interfaces\"><\/span>Interfaces<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>First of all we configure the outside and inside interfaces.<\/p>\n<pre class=\"prettyprint\">set interfaces ethernet eth2 address '133.1.1.100\/24'\r\nset interfaces ethernet eth2 if-id 'public'\r\nset interfaces ethernet eth5 address '192.168.3.2\/24'\r\nset interfaces ethernet eth5 if-id 'INSIDE-192.168.3.0\/24'<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Tunnel_Interfaces\"><\/span>Tunnel Interfaces<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Each of the virtual tunnel interfaces (VTI) are then configured.<\/p>\n<pre class=\"prettyprint\">set interfaces vti vti1 address '169.254.20.254\/30'\r\nset interfaces vti vti1 description 'VPC tunnel 1'\r\nset interfaces vti vti2 address '169.254.20.138\/30'\r\nset interfaces vti vti2 description 'VPC tunnel 2'<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"WAN_LoadBalancing\"><\/span>WAN LoadBalancing<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Next we configure WAN loadbalancing. This provides the ability to set one VTI as primary and the other as backup, via the use of weights. We then monitor the VTIs on the remote (AWS) side of the VPN. Should the monitor fail the backup VTI is promoted to master.<\/p>\n<pre class=\"prettyprint\">set load-balancing wan 'disable-source-nat'<\/pre>\n<p>set load-balancing wan interface-health vti1 failure-count &#8216;5&#8217;<br \/>\nset load-balancing wan interface-health vti1 nexthop &#8216;169.254.20.253&#8217;<br \/>\nset load-balancing wan interface-health vti1 success-count &#8216;1&#8217;<br \/>\nset load-balancing wan interface-health vti1 test 10 resp-time &#8216;5&#8217;<br \/>\nset load-balancing wan interface-health vti1 test 10 target &#8216;169.254.20.253&#8217;<br \/>\nset load-balancing wan interface-health vti1 test 10 ttl-limit &#8216;1&#8217;<br \/>\nset load-balancing wan interface-health vti1 test 10 type &#8216;ping&#8217;<br \/>\nset load-balancing wan interface-health vti2 failure-count &#8216;5&#8217;<br \/>\nset load-balancing wan interface-health vti2 nexthop &#8216;169.254.20.137&#8217;<br \/>\nset load-balancing wan interface-health vti2 success-count &#8216;1&#8217;<br \/>\nset load-balancing wan interface-health vti2 test 10 resp-time &#8216;5&#8217;<br \/>\nset load-balancing wan interface-health vti2 test 10 target &#8216;169.254.20.137&#8217;<br \/>\nset load-balancing wan interface-health vti2 test 10 ttl-limit &#8216;1&#8217;<br \/>\nset load-balancing wan interface-health vti2 test 10 type &#8216;ping&#8217;<\/p>\n<p>set load-balancing wan rule 10 &#8216;failover&#8217;<br \/>\nset load-balancing wan rule 10 inbound-interface &#8216;eth5&#8242;<br \/>\nset load-balancing wan rule 10 interface vti1 weight &#8217;10&#8217;<br \/>\nset load-balancing wan rule 10 interface vti2 weight &#8216;1&#8217;<br \/>\nset load-balancing wan rule 10 protocol &#8216;all&#8217;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"NAT_Exemption\"><\/span>NAT Exemption<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>NAT\u00a0Exemption is configured to ensure that traffic is sent over the VPN tunnel using the real IPs.<\/p>\n<pre class=\"prettyprint\">set nat source rule 10 destination address '10.0.1.0\/24'\r\nset nat source rule 10 'exclude'\r\nset nat source rule 10 outbound-interface 'eth2'\r\nset nat source rule 10 source address '192.168.3.0\/24'\r\nset nat source rule 20 destination address '192.168.3.0\/24'\r\nset nat source rule 20 'exclude'\r\nset nat source rule 20 outbound-interface 'eth2'\r\nset nat source rule 20 source address '10.0.1.0\/24'<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Routes\"><\/span>Routes<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Routes for the remote endpoint via each of the VTIs are then configured.<\/p>\n<pre class=\"prettyprint\">set protocols static interface-route 10.0.1.0\/24 next-hop-interface 'vti1'\r\nset protocols static interface-route 10.0.1.0\/24 next-hop-interface 'vti2'<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Phase_12_Parameters\"><\/span>Phase 1\/2 Parameters<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The phase 1 and phase 2 parameters as then defined.<\/p>\n<pre class=\"prettyprint\">set vpn ipsec esp-group AWS compression 'disable'\r\nset vpn ipsec esp-group AWS lifetime '3600'\r\nset vpn ipsec esp-group AWS mode 'tunnel'\r\nset vpn ipsec esp-group AWS pfs 'enable'\r\nset vpn ipsec esp-group AWS proposal 1 encryption 'aes128'\r\nset vpn ipsec esp-group AWS proposal 1 hash 'sha1'<\/pre>\n<p>set vpn ipsec ike-group AWS dead-peer-detection action &#8216;restart&#8217;<br \/>\nset vpn ipsec ike-group AWS dead-peer-detection interval &#8217;15&#8217;<br \/>\nset vpn ipsec ike-group AWS dead-peer-detection timeout &#8217;30&#8217;<br \/>\nset vpn ipsec ike-group AWS lifetime &#8216;28800&#8217;<br \/>\nset vpn ipsec ike-group AWS proposal 1 dh-group &#8216;2&#8217;<br \/>\nset vpn ipsec ike-group AWS proposal 1 encryption &#8216;aes128&#8217;<br \/>\nset vpn ipsec ike-group AWS proposal 1 hash &#8216;sha1&#8217;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Peers\"><\/span>Peers<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>For each peer we define the pre shared key, associate the phase1\/2 policies and bind the relating VTI.<\/p>\n<pre class=\"prettyprint\">set vpn ipsec ipsec-interfaces interface 'eth2'\r\nset vpn ipsec site-to-site peer 52.48.97.50 authentication mode 'pre-shared-secret'\r\nset vpn ipsec site-to-site peer 52.48.97.50 authentication pre-shared-secret &lt;pre_shared_key&gt;\r\nset vpn ipsec site-to-site peer 52.48.97.50 connection-type 'initiate'\r\nset vpn ipsec site-to-site peer 52.48.97.50 description 'VPC tunnel 1'\r\nset vpn ipsec site-to-site peer 52.48.97.50 ike-group 'AWS'\r\nset vpn ipsec site-to-site peer 52.48.97.50 local-address '133.1.1.100'\r\nset vpn ipsec site-to-site peer 52.48.97.50 vti bind 'vti1'\r\nset vpn ipsec site-to-site peer 52.48.97.50 vti esp-group 'AWS'\r\nset vpn ipsec site-to-site peer 52.50.142.56 authentication mode 'pre-shared-secret'\r\nset vpn ipsec site-to-site peer 52.50.142.56 authentication pre-shared-secret &lt;pre_shared_key&gt;\r\nset vpn ipsec site-to-site peer 52.50.142.56 connection-type 'initiate'\r\nset vpn ipsec site-to-site peer 52.50.142.56 description 'VPC tunnel 2'\r\nset vpn ipsec site-to-site peer 52.50.142.56 ike-group 'AWS'\r\nset vpn ipsec site-to-site peer 52.50.142.56 local-address '133.1.1.100'\r\nset vpn ipsec site-to-site peer 52.50.142.56 vti bind 'vti2'\r\nset vpn ipsec site-to-site peer 52.50.142.56 vti esp-group 'AWS'<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Access_Policy\"><\/span>Access Policy<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Finally we ensure traffic from our local endpoint is permitted through our access policy.<\/p>\n<pre class=\"prettyprint\">set firewall name INSIDE default-action 'drop'\r\nset firewall name INSIDE rule 10 action 'accept'\r\nset firewall name INSIDE rule 10 protocol 'all'<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"Show_Commands\"><\/span>Show Commands<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Confirm_Phase_1\"><\/span>Confirm Phase 1<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre class=\"prettyprint\">vyatta@vyatta:~$ show vpn ike sa\r\nPeer ID \/ IP                            Local ID \/ IP\r\n------------                            -------------\r\n52.50.142.56                            133.1.1.100\r\n\r\n    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time\r\n    -----  -------  ----  -------  -----  ------  ------\r\n    up     aes256   sha1  2        no     2012    86400<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Confirm_Phase_2\"><\/span>Confirm Phase 2<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre class=\"prettyprint\">vyatta@vyatta:~$ show vpn ipsec sa\r\nPeer ID \/ IP                            Local ID \/ IP\r\n------------                            -------------\r\n52.50.142.56                            133.1.1.100\r\n\r\n    Tunnel  State  Bytes Out\/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto\r\n    ------  -----  -------------  -------  ----  -----  ------  ------  -----\r\n    1       up     0.0\/0.0        aes256   sha1  no     2030    3600    all<\/pre>\n<p>Further information can be obtained via<span class=\"codeinline\">\u00a0show vpn ipsec sa [details | statistics ]<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"VTI_WAN_Loadbalance_Status\"><\/span>VTI WAN Loadbalance Status<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre class=\"prettyprint\">vyatta@vyatta:~$ show wan-load-balance \r\nInterface:  vti1\r\n  Status:  active\r\n  Last Status Change:  Mon May  9 20:42:40 2016\r\n  +Test:  ping  Target: 169.254.20.253\r\n    Last Interface Success:  0s \r\n    Last Interface Failure:  9h32m10s   \r\n    # Interface Failure(s):  0\r\n\r\nInterface:  vti2\r\n  Status:  active\r\n  Last Status Change:  Mon May  9 20:42:40 2016\r\n  +Test:  ping  Target: 169.254.20.137\r\n    Last Interface Success:  0s \r\n    Last Interface Failure:  9h32m10s   \r\n    # Interface Failure(s):  0<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Within this article we will show you how to create an IPSEC site to site VPN from a Vyatta vRouter into the AWS cloud. Due to the nature of AWS VPNs, explained further on a tunnel based VPN will be created. The main difference with a route based VPN is that a tunnel interface (VTI) &#8230; <a title=\"Create Site to Site VPN Between AWS &#038; Vyatta vRouter\" class=\"read-more\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\" aria-label=\"Read more about Create Site to Site VPN Between AWS &#038; Vyatta vRouter\">Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":854,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Create Site to Site VPN Between AWS &amp; Vyatta vRouter - Fir3net<\/title>\n<meta name=\"description\" content=\"Within this article we will show you how to create an IPSEC site to site VPN from a Vyatta vRouter into the AWS cloud. Due to the nature of AWS VPNs,\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Create Site to Site VPN Between AWS &amp; Vyatta vRouter - Fir3net\" \/>\n<meta property=\"og:description\" content=\"Within this article we will show you how to create an IPSEC site to site VPN from a Vyatta vRouter into the AWS cloud. Due to the nature of AWS VPNs,\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\" \/>\n<meta property=\"og:site_name\" content=\"Fir3net\" \/>\n<meta property=\"article:published_time\" content=\"2016-05-09T21:03:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-01-06T17:08:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.fir3net.com\/wp-content\/uploads\/2014\/06\/images_articles_vyatta-5400-vrouter-small.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"158\" \/>\n\t<meta property=\"og:image:height\" content=\"150\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Rick Donato\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Rick Donato\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\"},\"author\":{\"name\":\"Rick Donato\",\"@id\":\"https:\/\/www.fir3net.com\/#\/schema\/person\/ab35009601b7687ee1c5310be6038037\"},\"headline\":\"Create Site to Site VPN Between AWS &#038; Vyatta vRouter\",\"datePublished\":\"2016-05-09T21:03:11+00:00\",\"dateModified\":\"2023-01-06T17:08:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\"},\"wordCount\":738,\"publisher\":{\"@id\":\"https:\/\/www.fir3net.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.fir3net.com\/wp-content\/uploads\/2014\/06\/images_articles_vyatta-5400-vrouter-small.jpg\",\"articleSection\":[\"Vyatta Routing\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\",\"url\":\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\",\"name\":\"Create Site to Site VPN Between AWS & Vyatta vRouter - Fir3net\",\"isPartOf\":{\"@id\":\"https:\/\/www.fir3net.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.fir3net.com\/wp-content\/uploads\/2014\/06\/images_articles_vyatta-5400-vrouter-small.jpg\",\"datePublished\":\"2016-05-09T21:03:11+00:00\",\"dateModified\":\"2023-01-06T17:08:15+00:00\",\"description\":\"Within this article we will show you how to create an IPSEC site to site VPN from a Vyatta vRouter into the AWS cloud. Due to the nature of AWS VPNs,\",\"breadcrumb\":{\"@id\":\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html#primaryimage\",\"url\":\"https:\/\/www.fir3net.com\/wp-content\/uploads\/2014\/06\/images_articles_vyatta-5400-vrouter-small.jpg\",\"contentUrl\":\"https:\/\/www.fir3net.com\/wp-content\/uploads\/2014\/06\/images_articles_vyatta-5400-vrouter-small.jpg\",\"width\":158,\"height\":150},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.fir3net.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Networking\",\"item\":\"https:\/\/www.fir3net.com\/networking\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Routers\",\"item\":\"https:\/\/www.fir3net.com\/networking\/routers\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Vyatta Routing\",\"item\":\"https:\/\/www.fir3net.com\/networking\/routers\/vyatta-routers\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"Create Site to Site VPN Between AWS &#038; Vyatta vRouter\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.fir3net.com\/#website\",\"url\":\"https:\/\/www.fir3net.com\/\",\"name\":\"Fir3net\",\"description\":\"Keeping you in the know\",\"publisher\":{\"@id\":\"https:\/\/www.fir3net.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.fir3net.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.fir3net.com\/#organization\",\"name\":\"Fir3net\",\"url\":\"https:\/\/www.fir3net.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.fir3net.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.fir3net.com\/wp-content\/uploads\/Fir3net-Background-Logo-compressed.png\",\"contentUrl\":\"https:\/\/www.fir3net.com\/wp-content\/uploads\/Fir3net-Background-Logo-compressed.png\",\"width\":390,\"height\":88,\"caption\":\"Fir3net\"},\"image\":{\"@id\":\"https:\/\/www.fir3net.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.fir3net.com\/#\/schema\/person\/ab35009601b7687ee1c5310be6038037\",\"name\":\"Rick Donato\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.fir3net.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d75d69a54c0ca3b32c24c3a9703b623c?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d75d69a54c0ca3b32c24c3a9703b623c?s=96&d=mm&r=g\",\"caption\":\"Rick Donato\"},\"description\":\"Rick Donato is a Network Automation Architect\/Evangelist and the founder of Packet Coders.\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Create Site to Site VPN Between AWS & Vyatta vRouter - Fir3net","description":"Within this article we will show you how to create an IPSEC site to site VPN from a Vyatta vRouter into the AWS cloud. Due to the nature of AWS VPNs,","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html","og_locale":"en_US","og_type":"article","og_title":"Create Site to Site VPN Between AWS & Vyatta vRouter - Fir3net","og_description":"Within this article we will show you how to create an IPSEC site to site VPN from a Vyatta vRouter into the AWS cloud. Due to the nature of AWS VPNs,","og_url":"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html","og_site_name":"Fir3net","article_published_time":"2016-05-09T21:03:11+00:00","article_modified_time":"2023-01-06T17:08:15+00:00","og_image":[{"width":158,"height":150,"url":"https:\/\/www.fir3net.com\/wp-content\/uploads\/2014\/06\/images_articles_vyatta-5400-vrouter-small.jpg","type":"image\/jpeg"}],"author":"Rick Donato","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Rick Donato","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html#article","isPartOf":{"@id":"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html"},"author":{"name":"Rick Donato","@id":"https:\/\/www.fir3net.com\/#\/schema\/person\/ab35009601b7687ee1c5310be6038037"},"headline":"Create Site to Site VPN Between AWS &#038; Vyatta vRouter","datePublished":"2016-05-09T21:03:11+00:00","dateModified":"2023-01-06T17:08:15+00:00","mainEntityOfPage":{"@id":"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html"},"wordCount":738,"publisher":{"@id":"https:\/\/www.fir3net.com\/#organization"},"image":{"@id":"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html#primaryimage"},"thumbnailUrl":"https:\/\/www.fir3net.com\/wp-content\/uploads\/2014\/06\/images_articles_vyatta-5400-vrouter-small.jpg","articleSection":["Vyatta Routing"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html","url":"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html","name":"Create Site to Site VPN Between AWS & Vyatta vRouter - Fir3net","isPartOf":{"@id":"https:\/\/www.fir3net.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html#primaryimage"},"image":{"@id":"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html#primaryimage"},"thumbnailUrl":"https:\/\/www.fir3net.com\/wp-content\/uploads\/2014\/06\/images_articles_vyatta-5400-vrouter-small.jpg","datePublished":"2016-05-09T21:03:11+00:00","dateModified":"2023-01-06T17:08:15+00:00","description":"Within this article we will show you how to create an IPSEC site to site VPN from a Vyatta vRouter into the AWS cloud. Due to the nature of AWS VPNs,","breadcrumb":{"@id":"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html#primaryimage","url":"https:\/\/www.fir3net.com\/wp-content\/uploads\/2014\/06\/images_articles_vyatta-5400-vrouter-small.jpg","contentUrl":"https:\/\/www.fir3net.com\/wp-content\/uploads\/2014\/06\/images_articles_vyatta-5400-vrouter-small.jpg","width":158,"height":150},{"@type":"BreadcrumbList","@id":"https:\/\/www.fir3net.com\/Routers\/Brocade\/how-to-create-a-site-to-site-vpn-between-aws-and-a-vyatta-vrouter.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.fir3net.com\/"},{"@type":"ListItem","position":2,"name":"Networking","item":"https:\/\/www.fir3net.com\/networking"},{"@type":"ListItem","position":3,"name":"Routers","item":"https:\/\/www.fir3net.com\/networking\/routers"},{"@type":"ListItem","position":4,"name":"Vyatta Routing","item":"https:\/\/www.fir3net.com\/networking\/routers\/vyatta-routers"},{"@type":"ListItem","position":5,"name":"Create Site to Site VPN Between AWS &#038; Vyatta vRouter"}]},{"@type":"WebSite","@id":"https:\/\/www.fir3net.com\/#website","url":"https:\/\/www.fir3net.com\/","name":"Fir3net","description":"Keeping you in the know","publisher":{"@id":"https:\/\/www.fir3net.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.fir3net.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.fir3net.com\/#organization","name":"Fir3net","url":"https:\/\/www.fir3net.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.fir3net.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.fir3net.com\/wp-content\/uploads\/Fir3net-Background-Logo-compressed.png","contentUrl":"https:\/\/www.fir3net.com\/wp-content\/uploads\/Fir3net-Background-Logo-compressed.png","width":390,"height":88,"caption":"Fir3net"},"image":{"@id":"https:\/\/www.fir3net.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.fir3net.com\/#\/schema\/person\/ab35009601b7687ee1c5310be6038037","name":"Rick Donato","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.fir3net.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d75d69a54c0ca3b32c24c3a9703b623c?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d75d69a54c0ca3b32c24c3a9703b623c?s=96&d=mm&r=g","caption":"Rick Donato"},"description":"Rick Donato is a Network Automation Architect\/Evangelist and the founder of Packet Coders."}]}},"_links":{"self":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts\/987"}],"collection":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/comments?post=987"}],"version-history":[{"count":2,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts\/987\/revisions"}],"predecessor-version":[{"id":3475,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts\/987\/revisions\/3475"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/media\/854"}],"wp:attachment":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/media?parent=987"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/categories?post=987"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/tags?post=987"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}