Application Note
GRE Tunneling IPX over ISDN
Network-to-User Business Unit
Abstract
This document presents a solution for generic routing encapsulation (GRE) tunneling Internetwork Packet Exchange (IPX) over Integrated Services Digital Network (ISDN). This tunneling allows a customer to connect a remote IPX network to a central site without routing IPX on all the intervening routers. The assumption is that IP is up and routing between the two end nodes. Sample connectivity configurations for this network are provided at the end of the document. More information about configuring encryption is provided in the Dialup Encryption Solution Guide.
Figure 1: Network Map

IPX Connectivity for Central Router
The first step is to turn on IPX on the central site router. It is connected via Ethernet 1/1 to IPX network 1681140, which uses the Enhanced Interior Gateway Routing Protocol (IGRP) with the autonomous system number. The steps follow:
1. Turn on IPX routing:
central7206#conf t
Enter configuration commands, one per line. End with CNTL/Z.
central7206(config)#ipx routing
2. Assign IPX network 1681140 to Ethernet 1/1:
central7206(config)#interface ethernet 1/1
central7206(config-if)#ipx network 1681140
3. Turn on Enhanced IGRP AS 2, with network 1681140.
central7206(config-if)#ipx router eigrp 2
central7206(config-ipx-route)#network 1681140
central7206(config-ipx-route)#exit
central7206#
%SYS-5-CONFIG_I: Configured from console by console
4. Use show ipx route to ensure that the protocol is working:
central7206# show ipx route
Codes: C - Connected primary network, c - Connected secondary network
S - Static, F - Floating static, L - Local (internal), W - IPXWAN
R - RIP, E - EIGRP, N - NLSP, X - External, A - Aggregate
s - seconds, u - uses
40 Total IPX routes. Up to 1 parallel paths and 16 hops allowed.
No default route known.
C 1681140 (NOVELL-ETHER), Et1/1
E DAD [269340160/2] via 1681140.00e0.f727.1b66, age 00:00:09, 1u, Et1/1
E BABE [269340160/2] via 1681140.00e0.f727.1b66, age 00:00:09, 1u, Et1/1
E DADE [269337600/2] via 1681140.00e0.f727.1b66, age 00:00:09, 1u, Et1/1
E 16814 [309760/0] via 1681140.00e0.f727.1b66, age 00:00:09, 1u, Et1/0
E 16818 [309760/0] via 1681140.00e0.f727.1b66, age 00:00:09, 1u, Et1/0
E 16820 [286720/0] via 1681140.00e0.f727.1b66, age 00:00:09, 1u, Et1/0
GRE Tunnel
The second procedure is to set up the GRE tunnel and route IPX through it to the Cisco 1600. This procedure involves creating the tunnel interface on both routers. The Ethernet 0 of the Cisco 1600 and the Ethernet 1/1 of the Cisco 7206 are the endpoints of the tunnel. It will be a simple IP GRE tunnel.
1. Configure the tunnel interface of the Cisco 7206:
central7206#conf t
Enter configuration commands, one per line. End with CNTL/Z.
central7206(config)#interface tunnel 0
central7206(config-if)#tunnel source e 1/1
central7206(config-if)#tunnel destination 192.168.113.2
central7206(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
2. Configure the tunnel interface of the Cisco 1600:
home1600#conf t
Enter configuration commands, one per line. End with CNTL/Z.
home1600(config)#interface tunnel 0
home1600(config-if)#tunnel source Ethernet 0
home1600(config-if)#tunnel destination 192.168.114.2
home1600(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
IPX through GRE
1. Enable IPX routing on the Cisco 1600:
home1600(config)#ipx routing
home1600(config)#ipx router rip
home1600(config-ipx-router)#network 1681130
home1600(config-ipx-router)#network 1681131
2. Turn on the IPX networks on its Ethernet and tunnel interfaces:
home1600(config)#interface ethernet 0
home1600(config-if)#ipx network 1681130
home1600(config-if)#interface tunnel 0
home1600(config-if)#ipx network 1681131
3. Turn on IPX network 1681131 on the tunnel interface of the Cisco 7206:
central7206(config)#interface tunnel 0
central7206(config-if)#ipx network 1681131
4. Turn on IPX Routing Information Protocol (RIP) on the Cisco 7206, and enable route redistribution:
central7206(config)#ipx router rip
central7206(config-ipx-route)#redistribute eigrp 2
central7206(config-ipx-route)#network 1681131
central7206(config-ipx-route)#ipx router eigrp 2
central7206(config-ipx-route)#redistribute rip
5. Run show ipx route on the Cisco 1600 to ensure that routing is working:
home1600#show ipx route
Codes: C - Connected primary network, c - Connected secondary network
S - Static, F - Floating static, L - Local (internal), W - IPXWAN
R - RIP, E - EIGRP, N - NLSP, X - External, A - Aggregate
s - seconds, u - uses
43 Total IPX routes. Up to 1 parallel paths and 16 hops allowed.
No default route known.
C 1681130 (NOVELL-ETHER), Et0
C 1681131 (TUNNEL), Tu0
R DAD [155/03] via 1681131.0010.1179.6c00, 33s, Tu0
R BABE [155/03] via 1681131.0010.1179.6c00, 34s, Tu0
R DADE [155/03] via 1681131.0010.1179.6c00, 34s, Tu0
R 16814 [151/01] via 1681131.0010.1179.6c00, 34s, Tu0
R 16818 [151/01] via 1681131.0010.1179.6c00, 34s, Tu0
R 16820 [151/01] via 1681131.0010.1179.6c00, 34s, Tu0
R 16830 [151/01] via 1681131.0010.1179.6c00, 34s, Tu0
IPX Snapshot Routing
When IPX is up and routing, you will want to switch to snapshot routing through the tunnel unless you want the Basic Rate Interface (BRI) line to be up all the time.
1. Establish snapshot service on the tunnel interface of the Cisco 7206:
central7206(config)#interface tunnel 0
central7206(config-if)#snapshot server 10
2. Establish the tunnel interface on the Cisco 1600 as a snapshot client.
home1600(config)#interface tunnel 0
home1600(config-if)#snapshot client 10 240
Encrypting the Tunnel Interface
1. Generate and exchange keys:
2. Create crypto maps and crypto access lists:
central7206(config-crypto-ma)#set peer homekey
central7206(config-crypto-ma)#set alg des
central7206(config-crypto-ma)#match address 105
central7206(config-crypto-ma)#exit
central7206(config)#access-list 105 permit gre host 192.168.114.2 host 192.168.113.2
3. Apply them to both the incoming physical and the tunnel interfaces:
4. Ping through to be certain that the encryption is working. Note that this may fail a couple of times while the initial session is being established. The debug crypto session-management and debug crypto engine commands may be useful for watching and debugging the process:
home1600# ping 1681140.0010.1179.6c09
Translating "1681140.0010.1179.6c09"
Type escape sequence to abort.
Sending 5, 100-byte IPX cisco Echoes to 1681140.0010.1179.6c09, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms
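The coverage that steps 2 and 3 set up can also be checked offline against a saved configuration. The Python sketch below is an added example, not part of the original application note or of any Cisco tool; the function names are assumptions, the sample is a constructed excerpt modelled on the Cisco 7206 configuration in this note, and sections are assumed to be separated by "!" lines.

```python
import re

# Constructed sample, modelled on the Cisco 7206 configuration in this note.
SAMPLE = """\
crypto map homemap 10
 match address 105
!
interface Tunnel0
 ipx network 1681131
 tunnel source Ethernet1/1
 tunnel destination 192.168.113.2
 crypto map homemap
!
interface Ethernet1/0
 crypto map homemap
!
interface Ethernet1/1
 ip address 192.168.114.2 255.255.255.0
!
access-list 105 permit gre host 192.168.114.2 host 192.168.113.2
"""

def field(lines, prefix):
    """Return the text after `prefix` in a section body, or None."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)

def section(cfg, header, suffix=""):
    """Body lines of the '!'-terminated section whose first line is `header`."""
    m = re.search(rf"^{re.escape(header)}{suffix}[ \t]*\n(.*?)^!", cfg, re.M | re.S)
    return [l.strip() for l in m.group(1).splitlines()] if m else []

def audit_tunnel(cfg, tunnel="Tunnel0"):
    """Return findings; an empty list means GRE between the endpoints is covered."""
    body = section(cfg, f"interface {tunnel}")
    src_if, dst = field(body, "tunnel source"), field(body, "tunnel destination")
    src_ip = (field(section(cfg, f"interface {src_if}"), "ip address") or "").split(" ")[0]
    cmap = field(body, "crypto map")
    if not cmap:
        return [f"{tunnel}: no crypto map applied"]
    acl = field(section(cfg, f"crypto map {cmap}", r" \d+"), "match address")
    want, findings = f"permit gre host {src_ip} host {dst}", []
    if want not in re.findall(rf"^access-list {acl} (.+)$", cfg, re.M):
        findings.append(f"{cmap}: access-list {acl} lacks '{want}'")
    applied = [n for n in re.findall(r"^interface (\S+)", cfg, re.M)
               if field(section(cfg, f"interface {n}"), "crypto map") == cmap]
    if applied == [tunnel]:
        findings.append(f"{cmap}: not applied to a physical interface")
    return findings
```

An empty list from audit_tunnel(SAMPLE) means the crypto access list matches GRE between the tunnel endpoints and the map is applied to the tunnel and to a physical interface. Deleting the crypto map line under Tunnel0 produces a "no crypto map applied" finding.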
Caveats
Note that in this example, the central network is exposed between the time IPX routing is turned on to the Cisco 1600 and the time encryption is established. Therefore, care must be taken to ensure that nothing is compromised. One way to do this might be to turn off the Enhanced IGRP process on the central router until encryption has been configured.
Careful tuning of IPX snapshot routing and the session key timeouts could be used to configure the router to automatically establish encryption sessions at appropriate times; say, for instance, at the beginning of the working day and at lunch. Be aware that it could also cause problems if the connection establishment takes long enough that the snapshot burst is not fully received before the timeout.
Before and After Configurations
Cisco 7206 Configuration
hostname central7206
!
enable secret 5 $1$/0gr$u4bdVrIC6lNGGJRTdVBrb0
enable password cisco
!
ipx routing 0010.1179.6c00
!
crypto public-key homekey 03306184
519F5C0A 695230E2 42342C69 87F96E7A 60A6FCE1 9E617B07 CFEF19D8 0CE9DA93
8D8F23A4 13F5942F 5F1E5016 5F0ADB2A CFE50E40 2F51096E AD00EE7E C8E80018
quit
!
crypto map homemap 10
set algorithm des
set peer homekey
match address 105
!
interface Tunnel0
no ip address
ipx network 1681131
snapshot server 10
tunnel source Ethernet1/1
tunnel destination 192.168.113.2
crypto map homemap
!
interface Ethernet1/0
ip address 192.168.112.6 255.255.255.0
no mop enabled
crypto map homemap
!
interface Ethernet1/1
ip address 192.168.114.2 255.255.255.0
ipx network 1681140
no mop enabled
!
router eigrp 1
redistribute connected
network 192.168.112.0
network 192.168.114.0
!
no ip classless
access-list 105 permit gre host 192.168.114.2 host 192.168.113.2
!
ipx router eigrp 2
network 1681120
network 1681140
!
line con 0
line aux 0
line vty 0 4
password pms
login
!
end
Cisco 1600 Configuration
hostname home1600
enable password pms
username central5200 password 7 13151A01
no ip domain-lookup
ipx routing 0060.5cbb.f59a
isdn switch-type basic-5ess
!
crypto public-key centralkey 004E0C7E
A39659EB AF1EA202 D46E9145 3D7D0C31 DB291437 980F851B 7757AA79 469C6328
958298CF 5CC2AC10 DCB62E85 DA690620 E6A8AFBC 1077D3A4 48B1C96E 19A84862
quit
!
crypto map centralmap 10
set algorithm des
set peer centralkey
match address 105
!
interface Tunnel0
no ip address
ipx network 1681131
snapshot client 10 240
tunnel source Ethernet0
tunnel destination 192.168.114.2
crypto map centralmap
!
interface Ethernet0
ip address 192.168.113.2 255.255.255.0
ipx network 1681130
!
interface BRI0
ip unnumbered Ethernet0
encapsulation ppp
dialer idle-timeout 300
dialer map ip 192.168.112.3 name central5200 95552001
dialer hold-queue 100
dialer load-threshold 5
dialer-group 1
no fair-queue
ppp multilink
crypto map centralmap
!
ip classless
ip route 0.0.0.0 0.0.0.0 BRI0 192.168.112.3
access-list 101 permit ip any any
access-list 105 permit gre host 192.168.113.2 host 192.168.114.2
no cdp run
!
dialer-list 1 protocol ip list 101
!
line con 0
exec-timeout 0 0
password pms
login
line vty 0 4
password pms
login
Cisco 5200 Configuration
hostname central5200
!
enable password pms
!
username home1600 password pms
no ip domain-lookup
isdn switch-type primary-5ess
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
no shutdown
!
interface Ethernet0
ip address 192.168.112.3 255.255.255.0
no mop enabled
no shutdown
!
interface Serial0:23
ip unnumbered Ethernet0
encapsulation ppp
no keepalive
dialer idle-timeout 6000
dialer hold-queue 100
dialer-group 1
no fair-queue
no cdp enable
ppp authentication chap
ppp multilink
no shutdown
!
router eigrp 1
redistribute connected
network 192.168.112.0
!
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.112.1
access-list 101 permit ip any any
no cdp run
!
dialer-list 1 protocol ip list 101
!
line con 0
exec-timeout 0 0
password pms
login
line 1 48
line aux 0
password pms
login
line vty 0 4
password pms
login
!
end