PPPoE Encryption

Greetings,

In evaluating ways to enhance customer side security, I’ve been looking into enabling PPP encryption for PPPoE sessions.

I’ve been testing with an RB450 that is connected by direct fast ethernet to one of my main PPPoE servers.

On the RB450 client, I’ve set the profile on the PPPoE client to “default encryption”.

On the ROS PPPoE server (an x86 machine), I’ve set the profile to “encryption=yes” (this should allow both encrypted and non-encrypted links). Note that I am using RADIUS for AAA.

When the RB450 logs in, no encryption is established.

When I set “encryption=required” on the pppoe server, the log indicates “Encryption negotiation not possible”.

PPPoE server profile:

     name="pppoe" local-address=x.x.x.2 remote-address=pppoe use-mpls=default use-compression=default 
     use-vj-compression=default use-encryption=yes only-one=default change-tcp-mss=no 
     dns-server=x.x.x.10,x.x.x.11

PPPoE Server configuration:

     service-name="pppoe" interface=LAN max-mtu=1400 max-mru=1400 mrru=disabled 
     authentication=chap,mschap2 keepalive-timeout=10 one-session-per-host=yes max-sessions=0 
     default-profile=pppoe

PPPoE client profile:

     name="default-encryption" use-compression=default 
     use-vj-compression=default use-encryption=yes only-one=default 
     change-tcp-mss=yes

PPPoE client configuration:

 
     R name="pppoe-out1" max-mtu=1480 max-mru=1480 mrru=disabled 
       interface=ether5 user="USERNAME" password="PASSWORD" 
       profile=default-encryption service-name="" ac-name="" 
       add-default-route=yes dial-on-demand=no use-peer-dns=yes 
       allow=chap,mschap2

Is there something I’m missing? There’s nothing in the wiki that indicates any other configuration is required; such as RADIUS server configuration.

My interpretation of the documentation is that to enable PPPoE encryption, I should merely need to set “encryption=yes” on both sides, and MPE stateless encryption should be negotiated.

Try mschapv2 only.

What does the encryption thing do?

I have PAP only and I just disabled the encryption thing.
Earlier it was set to default.

PAP or CHAP control the handshake of the username and password. PAP is plain text, the others are hashed.

Encryption actually affects the PPPoE tunnel, encrypting the link after being established.
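An added example, not part of the thread and not MikroTik code: a small Python check that parses settings in the form posted above and flags, per side, whether encryption is enforced and which allowed authentication methods cannot key MPPE. It assumes MPPE session keys come only from an MS-CHAP exchange (RFC 3078/3079); the function names are hypothetical and RADIUS behaviour is not modelled.

```python
import shlex

# RouterOS auth method names whose handshake yields MPPE session keys
# (MS-CHAP, RFC 3078/3079). PAP and CHAP produce no keying material.
MPPE_CAPABLE = {"mschap1", "mschap2"}

def parse_props(text):
    """Turn RouterOS 'print'-style key=value output into a dict."""
    props = {}
    for token in shlex.split(text):
        key, sep, value = token.partition("=")
        if sep:                      # skip flag columns such as "R"
            props[key] = value
    return props

def audit(profile_text, endpoint_text):
    """Return findings for one side (profile plus server or client entry)."""
    profile = parse_props(profile_text)
    endpoint = parse_props(endpoint_text)
    # The server calls the method list 'authentication', the client 'allow'.
    raw = endpoint.get("authentication") or endpoint.get("allow") or ""
    methods = [m for m in raw.split(",") if m]
    findings = []
    enc = profile.get("use-encryption", "default")
    if enc != "required":
        findings.append(f"use-encryption={enc}: encryption is not enforced on this side")
    for m in methods:
        if m not in MPPE_CAPABLE:
            findings.append(f"{m} allowed: no MPPE keys if this method is chosen")
    return findings

# Settings copied from the thread (addresses and credentials omitted).
SERVER_PROFILE = 'name="pppoe" use-encryption=yes only-one=default'
SERVER = 'service-name="pppoe" interface=LAN authentication=chap,mschap2'
CLIENT_PROFILE = 'name="default-encryption" use-encryption=yes'
CLIENT = 'R name="pppoe-out1" interface=ether5 service-name="" allow=chap,mschap2'

if __name__ == "__main__":
    for side, prof, ep in (("server", SERVER_PROFILE, SERVER),
                           ("client", CLIENT_PROFILE, CLIENT)):
        for finding in audit(prof, ep):
            print(f"{side}: {finding}")
```
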

great info.
So, we should better keep it OFF?