====== IPSec policy ======

===== Policy Format =====
Policy format is **__direction__ [__priority__ __specification__] __policy__**
  * ''discard'' means that packets will be dropped if they match the policy.
  * ''entrust'' means to consult the SPD defined by setkey(8).
  * ''bypass'' means to bypass the IPsec processing.  (the packet will be transmitted in clear).  This is for privileged sockets.
  * ''ipsec'' means that the matching packets are subject to IPsec processing.  ipsec can be followed by one or more **request** strings, which are formatted as below:

===== Request Format =====
Request format for IPSec is **__protocol__ / __mode__ / __src__ - __dst__ [/ __level__]**.

  * **protocol** is either ''ah'', ''esp'', or ''ipcomp''.
  * **mode** is either ''transport'' or ''tunnel''.
  * **src** and **dst** specifies the IPsec endpoint. **src** always means the "sending node" and **dst** always means the "receiving node". Therefore, when direction is //in//, **dst** is this node and **src** is the other node (peer). If mode is transport, both src and dst can be omitted.

**level** must be set to one of the following: **default**, **use**, **require**, or **unique**. 
 
  * **default** means that the kernel should consult the system default policy defined by sysctl(8), such as net.inet.ipsec.esp_trans_deflev. See ipsec(4) regarding the system default.  
  * **use** means that a relevant SA can be used when available, since the kernel may perform IPsec operation against packets when possible. In this case, packets can be transmitted in clear (when SA is not available), or encrypted (when SA is available).  
  * **require** means that a relevant SA is required, since the kernel must perform IPsec operation against packets. 
  * **unique** is the same as require, but adds the restriction that the SA for outbound traffic is used only for this policy.
 
You may need the identifier in order to relate the policy and the SA when you define the SA by manual keying.  You can put the decimal number as the identifier after unique like unique: number.  number must be between 1 and 32767 .

If the request string is kept unambiguous, level and slash prior to level can be omitted.  However, it is encouraged to specify them explicitly to avoid unintended behavior.  If level is omitted, it will be interpreted as default.