Does the identity filter need to be configured on an AR configured with IPSec

Generally, you may not configure an identity filter set when configuring IPSec on an AR router. In some special scenarios, for example, an IPSec over DSVPN application, multiple mGRE tunnel interfaces are configured on the Hub which provides only one IP address for Spoke access. The mGRE tunnel interfaces use the same source address or source interface. In this scenario, the AR router needs to determine the mGRE tunnel interface of each IKE packet based on parameters in the identity filter set. If no identity filter set is configured, the IPSec tunnel cannot be established.

Scroll to top