diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml
index 449b23d5ac..ff0bdee51f 100644
--- a/man/systemd.netdev.xml
+++ b/man/systemd.netdev.xml
@@ -1994,7 +1994,7 @@
         <term><varname>InterfaceId=</varname></term>
         <listitem>
           <para>Sets the ID/key of the xfrm interface which needs to be associated with a SA/policy.
-          Can be decimal or hexadecimal, valid range is 0-0xffffffff, defaults to 0.</para>
+          Can be decimal or hexadecimal, valid range is 1-0xffffffff. This is mandatory.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
diff --git a/src/network/netdev/xfrm.c b/src/network/netdev/xfrm.c
index 05844b8321..a961d8fef2 100644
--- a/src/network/netdev/xfrm.c
+++ b/src/network/netdev/xfrm.c
@@ -14,6 +14,7 @@ static int xfrm_fill_message_create(NetDev *netdev, Link *link, sd_netlink_messa
 
         x = XFRM(netdev);
 
+        assert(x);
         assert(link || x->independent);
 
         r = sd_netlink_message_append_u32(message, IFLA_XFRM_LINK, link ? link->ifindex : LOOPBACK_IFINDEX);
@@ -27,10 +28,28 @@ static int xfrm_fill_message_create(NetDev *netdev, Link *link, sd_netlink_messa
         return 0;
 }
 
+static int xfrm_verify(NetDev *netdev, const char *filename) {
+        Xfrm *x;
+
+        assert(netdev);
+        assert(filename);
+
+        x = XFRM(netdev);
+
+        assert(x);
+
+        if (x->if_id == 0)
+                return log_netdev_warning_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
+                                                "%s: Xfrm interface ID cannot be zero.", filename);
+
+        return 0;
+}
+
 const NetDevVTable xfrm_vtable = {
         .object_size = sizeof(Xfrm),
         .sections = NETDEV_COMMON_SECTIONS "Xfrm\0",
         .fill_message_create = xfrm_fill_message_create,
+        .config_verify = xfrm_verify,
         .create_type = NETDEV_CREATE_STACKED,
         .iftype = ARPHRD_NONE,
 };
diff --git a/test/test-network/conf/25-xfrm-independent.netdev b/test/test-network/conf/25-xfrm-independent.netdev
index b2378849d1..b54c659d83 100644
--- a/test/test-network/conf/25-xfrm-independent.netdev
+++ b/test/test-network/conf/25-xfrm-independent.netdev
@@ -4,4 +4,5 @@ Kind=xfrm
 Name=xfrm99
 
 [Xfrm]
+InterfaceId=0x99
 Independent=yes
diff --git a/test/test-network/conf/25-xfrm.netdev b/test/test-network/conf/25-xfrm.netdev
index 353bfb7003..8e1d5c8122 100644
--- a/test/test-network/conf/25-xfrm.netdev
+++ b/test/test-network/conf/25-xfrm.netdev
@@ -1,4 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 [NetDev]
 Kind=xfrm
-Name=xfrm99
+Name=xfrm98
+
+[Xfrm]
+InterfaceId=0x98
diff --git a/test/test-network/conf/netdev-link-local-addressing-yes.network b/test/test-network/conf/netdev-link-local-addressing-yes.network
index 0cc9cfa96b..ea1811bbfd 100644
--- a/test/test-network/conf/netdev-link-local-addressing-yes.network
+++ b/test/test-network/conf/netdev-link-local-addressing-yes.network
@@ -18,7 +18,7 @@ Name=geneve99
 Name=ifb99
 Name=ipiptun99
 Name=nlmon99
-Name=xfrm99
+Name=xfrm98 xfrm99
 Name=vxlan98
 Name=hogehogehogehogehogehoge
 
diff --git a/test/test-network/conf/xfrm.network b/test/test-network/conf/xfrm.network
index c852601733..19f22146f8 100644
--- a/test/test-network/conf/xfrm.network
+++ b/test/test-network/conf/xfrm.network
@@ -4,4 +4,4 @@ Name=dummy98
 
 [Network]
 IPv6AcceptRA=no
-Xfrm=xfrm99
+Xfrm=xfrm98
diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
index 9a2a839b40..4fcae28ce3 100755
--- a/test/test-network/systemd-networkd-tests.py
+++ b/test/test-network/systemd-networkd-tests.py
@@ -886,6 +886,7 @@ class NetworkctlTests(unittest.TestCase, Utilities):
 class NetworkdNetDevTests(unittest.TestCase, Utilities):
 
     links_remove_earlier = [
+        'xfrm98',
         'xfrm99',
     ]
 
@@ -1797,20 +1798,21 @@ class NetworkdNetDevTests(unittest.TestCase, Utilities):
     @expectedFailureIfModuleIsNotAvailable('xfrm_interface')
     def test_xfrm(self):
         copy_unit_to_networkd_unit_path('12-dummy.netdev', 'xfrm.network',
-                                        '25-xfrm.netdev', 'netdev-link-local-addressing-yes.network')
+                                        '25-xfrm.netdev', '25-xfrm-independent.netdev',
+                                        'netdev-link-local-addressing-yes.network')
         start_networkd()
 
-        self.wait_online(['xfrm99:degraded', 'dummy98:degraded'])
+        self.wait_online(['dummy98:degraded', 'xfrm98:degraded', 'xfrm99:degraded'])
 
-        output = check_output('ip link show dev xfrm99')
+        output = check_output('ip -d link show dev xfrm98')
         print(output)
+        self.assertIn('xfrm98@dummy98:', output)
+        self.assertIn('xfrm if_id 0x98 ', output)
 
-    @expectedFailureIfModuleIsNotAvailable('xfrm_interface')
-    def test_xfrm_independent(self):
-        copy_unit_to_networkd_unit_path('25-xfrm-independent.netdev', 'netdev-link-local-addressing-yes.network')
-        start_networkd()
-
-        self.wait_online(['xfrm99:degraded'])
+        output = check_output('ip -d link show dev xfrm99')
+        print(output)
+        self.assertIn('xfrm99@lo:', output)
+        self.assertIn('xfrm if_id 0x99 ', output)
 
     @expectedFailureIfModuleIsNotAvailable('fou')
     def test_fou(self):