IPsec protection policies can be applied at the following levels:
IPsec applies the system-wide policy to outbound packets and inbound packets that match an IPsec policy rule. The rule can specify a particular algorithm or allow one of several algorithms. You can apply additional rules to outbound packets because of the additional data that is known by the system.
Inbound packets are either accepted or dropped. The decision to drop or accept an inbound packet is based on several criteria. If the criteria overlap or conflict, the rule that is parsed first is used.
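The following added example (not part of the original page, and not the system's own policy parser) models first-match evaluation of inbound packets and flags rules that an earlier, broader rule makes unreachable. The selectors (remote network, local port), the algorithm names, the sample rules, and the behavior when no rule matches are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Rule:
    name: str
    remote: str            # CIDR of the remote peer (assumed selector)
    port: Optional[int]    # local port, None means any (assumed selector)
    algs: FrozenSet[str]   # one algorithm, or several acceptable ones

    def matches(self, src: str, port: int) -> bool:
        return ip_address(src) in ip_network(self.remote) and self.port in (None, port)

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        return (ip_network(other.remote).subnet_of(ip_network(self.remote))
                and self.port in (None, other.port))

def decide_inbound(rules, src, port, alg):
    """Return (verdict, rule name); the first rule that matches decides."""
    for rule in rules:
        if rule.matches(src, port):
            # A cleartext packet has alg=None and never satisfies a rule.
            return ("accept" if alg in rule.algs else "drop", rule.name)
    return ("accept", None)  # assumption: no matching rule means no policy

def shadowed(rules):
    """Pairs (earlier, later) where the later rule can never be reached."""
    return [(a.name, b.name) for i, a in enumerate(rules)
            for b in rules[i + 1:] if a.covers(b)]

# Constructed sample rules: one allows several algorithms, one requires exactly one.
BROAD = Rule("subnet-any-alg", "192.0.2.0/24", None, frozenset({"aes", "3des"}))
STRICT = Rule("host-aes-only", "192.0.2.10/32", 443, frozenset({"aes"}))

if __name__ == "__main__":
    for order in ([BROAD, STRICT], [STRICT, BROAD]):
        names = [r.name for r in order]
        print(names, decide_inbound(order, "192.0.2.10", 443, "3des"), shadowed(order))
```

With the broad rule first, the stricter rule never takes effect, so overlapping rules should be ordered from most specific to least specific and checked for shadowing before the policy is loaded.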
For traffic within a system, including zones on a shared-IP address, policies are enforced, but actual security mechanisms are not applied. Instead, the outbound policy on an intra-system packet translates into an inbound packet that has had those mechanisms applied. For exclusive-IP zones, policy is enforced and actual security mechanisms are applied.