In evaluating ways to enhance customer-side security, I've been looking into enabling PPP encryption for PPPoE sessions.
I've been testing with an RB450 that is connected by direct fast ethernet to one of my main PPPoE servers.
On the RB450 client, I've set the profile on the PPPoE client to "default encryption".
On the ROS PPPoE server (an x86 machine), I've set the profile to "encryption=yes" (this should allow both encrypted and non-encrypted links). Note that I am using RADIUS for AAA.
When the RB450 logs in, no encryption is established.
When I set "encryption=required" on the pppoe server, the log indicates "Encryption negotiation not possible".
PPPoE server profile:
Code:
name="pppoe" local-address=x.x.x.2 remote-address=pppoe use-mpls=default use-compression=default
use-vj-compression=default use-encryption=yes only-one=default change-tcp-mss=no
dns-server=x.x.x.10,x.x.x.11
Code:
service-name="pppoe" interface=LAN max-mtu=1400 max-mru=1400 mrru=disabled
authentication=chap,mschap2 keepalive-timeout=10 one-session-per-host=yes max-sessions=0
default-profile=pppoe
Code:
name="default-encryption" use-compression=default
use-vj-compression=default use-encryption=yes only-one=default
change-tcp-mss=yes
Code:
R name="pppoe-out1" max-mtu=1480 max-mru=1480 mrru=disabled
interface=ether5 user="USERNAME" password="PASSWORD"
profile=default-encryption service-name="" ac-name=""
add-default-route=yes dial-on-demand=no use-peer-dns=yes
allow=chap,mschap2
My interpretation of the documentation is that to enable PPPoE encryption, I should merely need to set "encryption=yes" on both sides, and MPPE stateless encryption should be negotiated.