Thoughts on adding IPsec/site to site VPN data to netbox
918 views
Skip to first unread message
Brandon Hurrle
Aug 17, 2017, 11:40:33 AM8/17/17
to NetBox
I work for a healthcare system, and we have a lot of site to site vpn's/IPsec tunnels. Currently we capture and document the settings for each of these in a spreadsheet, the first sheet laid out as below and then a tab with IP info for what is allowed on either side and then another tab with the ports allowed. My ideal setup would be to create a site called "ABC Clinic" and have a spot in there for IPsec or tunnel or whatever we could call it, and that would display the settings between the two sites as below. There could be a field to associate the IP's and ports with the connection as well. Just spitballing, this might be out of scope. But I'm trying my best to move away from spreadsheets for any and all of our documentation. Thanks.
| IPsec Configuration |
||
| GOAL (S): Site to Site VPN between companies to allow transfer of medical images. |
||
| Site (LAN) -to- Site (LAN) VPN connection to allow imaging transfers between | ||
| My Networking Technical Contact | Their Networking Technical Contact | |
Name: Phone Number: Email Address: Name: Help Desk Phone: Email: |
Name: Phone Number: Email Address: Name: Help Desk Phone: Email: |
|
| Network Appliance | Other Comapny |
my company |
| Brand, model, version, etc… | Checkpoint (R7730) | Cisco 5510 ASA |
| Routing Policy | ||
| VPN Mode: Transport or Tunnel (ESP) | Tunnel (ESP) | Tunnel (ESP) |
| Authentication Header (Yes /No) | No | Default No |
| Peer IP / End Point Address | X.X.X.X | X.X.X.X |
| Remote Network IP Address | See IP Address Tab | See IP Address Tab |
| Disposition (Default Secure) | Yes | Yes |
| Phase 1 (Main Mode) | ||
| Device IP Address(es) | See IP address Tab | See IP address Tab |
| Authentication (MD5 or SHA1) | SHA1 | SHA1 |
| Encryption (3DES or AES-128, 192, 256) | AES-256 | AES-256 |
| Diffie-Hellman group (1,2 or 3) | Group 2 | Group 2 |
| Security Association Lifetime (ex. Default 0 Kilobytes, 24 hrs) | 24 hours , 86,400 seconds | 24 hours , 86,400 seconds |
| Optional: Enable Aggressive Mode? Yes or No | No | No |
| Phase 2 | ||
| (SAP) Security Association Proposal (Default ESP) | ESP | ESP |
| Authentication (MD5 or SHA1) | SHA1 | SHA1 |
| Encryption (3DES or AES-128, 256) | AES-256 | AES-256 |
| Shared Key Name (12 characters minimum) | xxxxxxxxx | xxxxxxxxx |
| Optional: Enable Perfect Forward Secrecy? Yes or No | No | No |
| Force Key Expiration? Yes or No | Yes | Yes |
| Security Association Lifetime | 3600 seconds / 1 hour | 3600 seconds / 1 hour |
| ICMP Type 0 & 8 (ping, trace route) | yes | Yes |
Dave Noonan
Aug 18, 2017, 7:39:51 AM8/18/17
to NetBox
As a work around you might try treating the tunnels as circuits. Invent a circuit ID from the end-point info and stash the config in the comments box. You could treat the far end as the Provider which would give you a place to put their contact info.
Not a perfect solution but it might work for now.
Regards,
Dave
Reply all
Reply to author
Forward
0 new messages