IPsec separates its protection policy from its enforcement mechanisms. You can enforce IPsec policies in the following places:
On a system-wide level
On a per-socket level
You use the ipsecconf(1M) command to configure system-wide policy.
IPsec applies system-wide policy to both incoming and outgoing datagrams. More rules can be applied to outgoing datagrams, because the system knows more about them than it does about datagrams arriving from the network. Inbound datagrams are either accepted or dropped. The decision to drop or accept an inbound datagram is based on several criteria, which sometimes overlap or conflict; conflicts are resolved in favour of whichever rule is parsed first. Except when a policy entry states that traffic should bypass all other policy, the traffic is automatically accepted. Outbound datagrams are sent either with protection or without it. If protection is applied, the policy either names specific algorithms or leaves the choice of algorithm open.
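Because the first matching rule wins, a bypass exception has to appear before the catch-all entry that protects everything else. The following ipsecconf policy file is an added example written for this page, not taken from the ipsecconf(1M) manual; the addresses and the web-server role are assumed:

```text
# Constructed example policy file for ipsecconf(1M).
# Entries are evaluated in order; the first match decides the action.

# Exception: let the web server's own HTTPS traffic bypass IPsec
# (inbound connections to local port 443 and outbound replies from it).
{lport 443 ulp tcp} bypass {}
{rport 443 ulp tcp} bypass {}

# Catch-all: every datagram not matched above must be protected with
# ESP. This names specific algorithms rather than leaving them open.
{} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}

# If the catch-all were listed first, the two bypass entries would
# never be reached and HTTPS traffic would be subject to IPsec too.
```

Load the file with `ipsecconf -a`, and confirm the resulting rule order with `ipsecconf -l`.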
Policy that normally protects a datagram can be bypassed. You can either specify an exception in system-wide policy, or you can request a bypass in per-socket policy. For intra-system traffic, policies are enforced, but the actual security mechanisms are not applied. Instead, an intra-system packet that matches the outbound policy is treated on input as though those mechanisms had already been applied to it.