IPX over p2p GRE over DMVPN

Post by Jimmeh » Thu Sep 17, 2009 11:07 am

I don't know how many of you guys use IPX these days, but I had to pull together some config that encrypted inter-site communications that used private addressing (untrusted service provider) on LAN interfaces, and supported IPX. In the end I settled on a design using DMVPNs to dynamically mesh the inter-site IP communication and ran a p2p GRE tunnel over the DMVPN tunnels to communicate via IPX.

The topology included high availability for the DMVPN through the use of a second hub site (DMVPN has a hub/spoke topology). Public routing was conducted using BGP (MPLS cloud), private routing used OSPF and IPX routing used EIGRP.

I've included some config of a hub and spoke site for perusal of anyone that's interested.

Hub site:

ipx routing 000b.bee7.5ae1
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key vpnkey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set vpntransform esp-3des esp-sha-hmac
!
crypto ipsec profile dmvpn
 set transform-set vpntransform
!
interface Tunnel1
 ip address 10.0.0.254 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip ospf network broadcast
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile dmvpn
!
interface Tunnel2
 no ip address
 ipx network 11
 tunnel source Loopback0
 tunnel destination 192.168.1.1
!
interface Loopback0
 ip address 192.168.254.1 255.255.255.0
 ipx network CC
!
router ospf 1
 router-id 192.168.254.1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 10.10.10.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 0
!
router bgp 65300
 no synchronization
 bgp log-neighbor-changes
 network 192.168.34.0
 neighbor 192.168.34.1 remote-as 65400
 no auto-summary
!
ipx router eigrp 1
 network all
 log-neighbor-changes


Spoke site:

ipx routing 0015.63e6.5520
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key vpnkey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set vpntransform esp-3des esp-sha-hmac
!
crypto ipsec profile dmvpn
 set transform-set vpntransform
!
interface Tunnel1
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp map multicast 192.168.34.2
 ip nhrp map 10.0.0.254 192.168.34.2
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.254
 ip nhrp cache non-authoritative
 ip ospf network broadcast
 ip ospf priority 0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile dmvpn
!
interface Tunnel2
 no ip address
 ipx network 11
 tunnel source Loopback0
 tunnel destination 192.168.3.1
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 ipx network AA
!
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 10.10.10.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
router bgp 65100
 no synchronization
 bgp log-neighbor-changes
 network 192.168.14.0
 neighbor 192.168.14.1 remote-as 65400
 no auto-summary

Spoke#show ip route ospf
192.168.254.0/32 is subnetted, 1 subnets
O 192.168.254.1 [110/11112] via 10.0.0.254, 18:57:23, Tunnel1

Spoke#show ipx route
Codes: C - Connected primary network, c - Connected secondary network
S - Static, F - Floating static, L - Local (internal), W - IPXWAN
R - RIP, E - EIGRP, X - External, A - Aggregate
s - seconds, u - uses, U - Per-user static/Unknown, H - Hold-down

3 Total IPX routes. Up to 1 parallel paths and 16 hops allowed.

No default route known.

C 11 (TUNNEL), Tu2
C AA (UNKNOWN), Lo0
E CC [297372416/0] via 11.000b.bee7.5ae1, age 18:23:31,
11u, Tu2

Spoke#ping ipx CC.000b.bee7.5ae1

Type escape sequence to abort.
Sending 5, 100-byte IPX Novell Echoes to CC.000b.bee7.5ae1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms
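
An added example, not part of the original post: a small Python audit that reads a config like the ones above and reports the settings a reviewer would question before trusting the tunnels over an untrusted provider (wildcard pre-shared key, 3DES, DH group 2, no NHRP authentication, and a GRE tunnel that is only encrypted while its endpoints are routed through the protected tunnel). The function names and finding labels are hypothetical, the sample is trimmed from the spoke config, and the note that a policy without an `encryption` line falls back to DES is an assumption about classic IOS defaults.

```python
import re

# Constructed sample: trimmed from the spoke configuration posted above.
SPOKE_CONFIG = """\
crypto isakmp policy 1
group 2
crypto isakmp key vpnkey address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set vpntransform esp-3des esp-sha-hmac
interface Tunnel1
ip nhrp network-id 99
tunnel mode gre multipoint
tunnel protection ipsec profile dmvpn
!
interface Tunnel2
tunnel destination 192.168.3.1
"""

HEADER = re.compile(r"(interface \S+|crypto isakmp policy \d+)$")
GLOBAL = [("wildcard-psk", r"^crypto isakmp key .+ address 0\.0\.0\.0\b"),
          ("weak-esp-cipher", r"^crypto ipsec transform-set .*\besp-3?des\b")]

def sections(config):
    """Group sub-commands under their header; indentation is not required."""
    out, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if HEADER.match(line):
            current = out.setdefault(line, [])
        elif line == "!" or line.startswith(("crypto ", "router ", "ipx router")):
            current = None      # '!' or another global command closes the section
        elif current is not None and line:
            current.append(line)
    return out

def audit(config):
    found = [name for name, rx in GLOBAL if re.search(rx, config, re.M)]
    for header, body in sections(config).items():
        has = lambda prefix: any(c.startswith(prefix) for c in body)
        if header.startswith("crypto"):
            if "group 1" in body or "group 2" in body:
                found.append("weak-dh-group")        # 768/1024-bit MODP
            if not has("encryption "):   # assumption: classic IOS defaults to DES
                found.append("ike-encryption-not-set")
        elif has("tunnel "):
            if "tunnel mode gre multipoint" in body and not has("ip nhrp authentication"):
                found.append(header + ": no-nhrp-authentication")
            if not has("tunnel protection"):  # encrypted only while routed via a protected tunnel
                found.append(header + ": no-tunnel-protection")
    return found
```

Calling `audit(SPOKE_CONFIG)` returns the list of findings; an empty list means none of these checks fired.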