Prerequisites for IP Security
Although the Cisco ASR 901 Router supports the IPsec feature, it is supported only on the A901-6CZ-FS-D and A901-6CZ-FS-A PIDs.
For the IPsec and NAT/PAT to work on the ASR 901S router a physical loopback connection is required from the management port to any available Gigabit port before issuing the following command in configuration mode:
platform mgmt loopback interface GigabitEthernet0/4.
In this case, the physical connection is between the management port and Gigabit port 0/4.