Securing the Network in Oracle® Solaris 11.2


Updated: August 2014

IPsec Protection Policies

IPsec protection policies can be applied at the following levels:

  • System-wide level

  • Per-socket level

IPsec applies the system-wide policy to outbound packets and to inbound packets that match an IPsec policy rule. A rule can specify a particular algorithm or allow one of several algorithms. You can apply additional rules to outbound packets because the system knows more about an outbound packet than about an inbound one.

Inbound packets are either accepted or dropped. The decision to drop or accept an inbound packet is based on several criteria. If the criteria overlap or conflict, the rule that is parsed first is used.

You can specify exceptions to an IPsec policy that otherwise applies to most packets. That is, you can bypass an IPsec policy. The bypass can be system-wide or per-socket.

For traffic within a system, including traffic between zones that share an IP address (shared-IP zones), policies are enforced but the actual security mechanisms are not applied. Instead, the outbound policy on an intra-system packet translates into an inbound packet that is treated as if those mechanisms had been applied. For exclusive-IP zones, policy is enforced and the actual security mechanisms are applied.

You use the ipsecinit.conf file and the ipsecconf command to configure IPsec policies. For details and examples, see the ipsecconf(1M) man page and Chapter 7, Configuring IPsec.
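The following ipsecinit.conf fragment is an added example, not taken from this guide, that shows a system-wide rule together with a system-wide bypass exception of the kind described above. The host and peer addresses (192.0.2.10 and 198.51.100.20) are documentation-range placeholders, and the choice of AES with SHA-256 is an assumption for the example; the ipsecconf syntax itself (the `{pattern} action {properties}` form, `bypass {}`, `dir both`, `lport`) is the standard one from the ipsecconf(1M) man page.

```text
# /etc/inet/ipsecinit.conf (added example; addresses are constructed placeholders)
#
# Rules are parsed in order and the first matching rule wins, so the narrow
# exception is listed before the broad rule it carves out of.
#
# Bypass: SSH sessions served by this host (local TCP port 22, both
# directions) are exempt from IPsec. This is a system-wide bypass.
{lport 22 ulp tcp dir both} bypass {}
#
# System-wide rule: all other traffic between this host (192.0.2.10) and the
# peer (198.51.100.20) must be protected by ESP with AES encryption and
# SHA-256 integrity, using a shared security association.
{laddr 192.0.2.10 raddr 198.51.100.20} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}
```

Check the file with `ipsecconf -c /etc/inet/ipsecinit.conf` before loading it, load it with `ipsecconf -a /etc/inet/ipsecinit.conf` (or refresh the `svc:/network/ipsec/policy:default` service, which reads this file), and confirm the installed rules and their order with `ipsecconf -l`. Per-socket bypasses are not expressed in this file: an application sets them on its own socket with the IP_SEC_OPT socket option described in ipsec(7P), and they take effect only for that socket.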