You use the ipsecconf command to configure the IPsec policy for a host.
When you run the command to configure the policy, the system creates
the IPsec policy entries in the kernel. The system uses these entries
to check the policy on all outbound and inbound IP datagrams. Forwarded datagrams
are not subjected to policy checks that are added by using this command, so a host
that also routes traffic does not protect transit packets with these entries; only
traffic that originates at or terminates on the host itself is covered.
The ipsecconf command also configures the security policy database (SPD).
You must become superuser or assume an equivalent role to invoke the
ipsecconf command. The command accepts entries that protect traffic in both directions. The
command also accepts entries that protect traffic in only one direction.
Policy entries with a format of local address and remote address can protect
traffic in both directions with a single policy entry. For example, an entry that
contains the patterns laddr host1 and raddr host2 protects traffic in both directions
between host1 and host2, because laddr and raddr do not fix a direction. Thus, you need
only one policy entry for each peer host.
Policy entries with a format of source address to destination address protect traffic
in only one direction. For example, a policy entry of the pattern saddr host1 daddr host2
protects only datagrams that travel from host1 to host2, which is outbound traffic if
host1 is the local host and inbound traffic if host2 is the local host, but never both.
Thus, to protect traffic in both directions, you need to pass the ipsecconf command
another entry for the reverse direction, as in saddr host2 daddr host1. A one-way entry
without its reverse leaves the other direction in the clear, so check with ipsecconf -l
that every saddr/daddr entry you intend to be bidirectional has its counterpart.
Policy that is added at run time is kept only in the kernel and in the ipsecpolicy.conf
cache file under /var/run, which is deleted when the system shuts down. To ensure that
the IPsec policy is active when the machine boots, you can create an
IPsec policy file, /etc/inet/ipsecinit.conf. This file is read when the network services
are started. For instructions on how to create an IPsec policy file, see
Protecting Traffic With IPsec (Task Map).
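The two entry forms described above (laddr/raddr for both directions, saddr/daddr for one direction) and the boot-time policy file, as an added example that is not from the Solaris documentation. The host names host1, host2 and host3, the algorithm choices, and the helper names are assumptions. The script writes entries in ipsecinit.conf syntax to a file of your choosing and includes a check for saddr/daddr entries whose reverse entry is missing, which is the mistake the text warns against. Loading the file with ipsecconf -a requires superuser on a Solaris host and is only attempted when the script is run with the argument load.

```shell
#!/bin/sh
# Added example; not from the Solaris documentation.
# Hosts, algorithms and helper names are hypothetical.

# One laddr/raddr entry covers both directions between two hosts.
bidir_entry() {
    printf '{laddr %s raddr %s} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}\n' "$1" "$2"
}

# saddr/daddr entries are one-way; emit both directions explicitly.
unidir_pair() {
    printf '{saddr %s daddr %s} ipsec {auth_algs sha1 sa shared}\n' "$1" "$2"
    printf '{saddr %s daddr %s} ipsec {auth_algs sha1 sa shared}\n' "$2" "$1"
}

# Write a policy file in ipsecinit.conf syntax (path given as $1).
write_policy_file() {
    {
        echo "# generated IPsec policy (hypothetical hosts)"
        bidir_entry host1 host2
        unidir_pair host1 host3
    } > "$1"
}

# List saddr/daddr pairs in file $1 that have no reverse entry.
# Braces are stripped so that the fields tokenize cleanly; comment
# lines never start with "saddr" and are ignored.
missing_reverse() {
    sed 's/[{}]/ /g' "$1" | awk '
        $1 == "saddr" && $3 == "daddr" {
            seen[$2 " " $4] = 1
            pairs[n++] = $2 " " $4
        }
        END {
            for (i = 0; i < n; i++) {
                split(pairs[i], p, " ")
                if (!((p[2] " " p[1]) in seen)) print pairs[i]
            }
        }'
}

# Refuse to load a file with one-way entries lacking their reverse,
# then add it to the kernel SPD and list the result (root on Solaris).
load_policy() {
    if [ -n "$(missing_reverse "$1")" ]; then
        echo "one-way entries without reverse:" >&2
        missing_reverse "$1" >&2
        return 1
    fi
    ipsecconf -a "$1" && ipsecconf -l
}

if [ "${1:-}" = "load" ]; then
    write_policy_file /etc/inet/ipsecinit.conf
    load_policy /etc/inet/ipsecinit.conf
fi
```

Running the script with load writes /etc/inet/ipsecinit.conf so the policy survives a reboot, and loads it immediately with ipsecconf -a so it is also in effect now; without an argument it only defines the functions, so you can source it and call missing_reverse on an existing policy file.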