Blocking IPsec SA Negotiation
For interface-based IPsec, IPsec SA negotiation blocking can only be removed if the peer offers a wildcard selector. If a wildcard selector is offered, the wildcard route is added to the routing information base (RIB) with the distance/priority value configured in the phase1. If that route has the lowest distance, it is installed into the forwarding information base (FIB).
When this occurs, it is important to ensure that the distance value on the phase1 is set appropriately.
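The effect of the phase1 distance on route selection, as an added example that is not Fortinet code: a toy RIB/FIB model in Python. The interface names, prefixes, distance values and the priority tie-break are assumptions made for the illustration, and the wildcard route is modelled as 0.0.0.0/0.

```python
# Added illustration: a toy RIB/FIB model, not FortiOS code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str        # destination, e.g. "0.0.0.0/0"
    device: str        # egress interface (names are constructed)
    distance: int      # administrative distance; lower is preferred
    priority: int = 0  # assumed tie-breaker among equal distances; lower wins


def build_fib(rib):
    """Per prefix, install only the RIB route with the lowest distance."""
    fib = {}
    for r in rib:
        best = fib.get(r.prefix)
        if best is None or (r.distance, r.priority) < (best.distance, best.priority):
            fib[r.prefix] = r
    return fib


def lookup(fib, dst):
    """Longest-prefix match over the installed routes."""
    addr = ip_address(dst)
    matches = [r for p, r in fib.items() if addr in ip_network(p)]
    return max(matches, key=lambda r: ip_network(r.prefix).prefixlen, default=None)


def egress_after_wildcard(phase1_distance, dst="203.0.113.10"):
    """Egress device for dst once a peer's wildcard selector adds 0.0.0.0/0."""
    rib = [
        Route("0.0.0.0/0", "wan1", distance=10),          # existing default (constructed)
        Route("10.20.0.0/16", "to_branch", distance=15),  # specific tunnel route (constructed)
        Route("0.0.0.0/0", "to_branch", distance=phase1_distance),  # wildcard route
    ]
    hit = lookup(build_fib(rib), dst)
    return hit.device if hit else None


if __name__ == "__main__":
    for d in (5, 15):
        print(f"phase1 distance {d}: internet-bound traffic leaves via {egress_after_wildcard(d)}")
```

In this model, a phase1 distance below that of the existing default route moves all non-specific traffic onto the tunnel, while a higher distance leaves the wildcard route in the RIB only.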