Policy management
The kernel implements experimental policy management code. You can manage the IPsec policy in two ways. One is to configure a per-socket policy using setsockopt(2). The other is to configure a kernel packet filter-based policy using the PF_KEY interface, via setkey(8). In both cases, the IPsec policy must be specified with the syntax described in ipsec_set_policy(3).
With setsockopt(2), you can define an IPsec policy on a per-socket basis. You can enforce a particular IPsec policy on packets that go through a particular socket.
With setkey(8), you can define an IPsec policy against packets, using rules similar to packet filtering rules. Refer to setkey(8) for how to use it.
In the latter case, the "default" policy is allowed for use with setkey(8). By setting a policy to default, you refer to the system-wide sysctl(8) variables for the default settings. The following variables are available. 1 means "use", and 2 means "require" in the syntax.
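The effect of a "default" level can be checked offline. The following is an added example, not code from the kernel or from libipsec: it takes one request in the protocol/mode/src-dst/level form of ipsec_set_policy(3) and resolves its level against a system-wide value. The function names, the sys_default parameter and the sample request are hypothetical; an explicit level is required, and levels other than default, use and require are reported as unsupported.

```c
#include <stdio.h>
#include <string.h>

/* Level values as stated above: 1 means "use", 2 means "require". */
enum { LEVEL_UNSUPPORTED = -1, LEVEL_USE = 1, LEVEL_REQUIRE = 2 };

/* Copy '/'-separated field idx of req into out; empty fields are kept. */
static int field(const char *req, int idx, char *out, size_t outlen)
{
    const char *start = req;
    while (idx-- > 0) {
        start = strchr(start, '/');
        if (start == NULL) return -1;
        start++;
    }
    const char *end = strchr(start, '/');
    size_t n = end ? (size_t)(end - start) : strlen(start);
    if (n >= outlen) return -1;
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

/* sys_default is a hypothetical stand-in for the system-wide sysctl(8) value. */
int effective_level(const char *req, int sys_default)
{
    char lvl[16];
    if (field(req, 3, lvl, sizeof lvl) != 0) return LEVEL_UNSUPPORTED;
    if (strcmp(lvl, "use") == 0) return LEVEL_USE;
    if (strcmp(lvl, "require") == 0) return LEVEL_REQUIRE;
    if (strcmp(lvl, "default") == 0 &&
        (sys_default == LEVEL_USE || sys_default == LEVEL_REQUIRE))
        return sys_default;
    return LEVEL_UNSUPPORTED;
}

/* "use" sends normally when no SA exists, so protection is not guaranteed. */
int allows_unprotected_fallback(const char *req, int sys_default)
{
    return effective_level(req, sys_default) == LEVEL_USE;
}

int main(void)
{
    const char *req = "esp/transport//default";   /* constructed sample */
    for (int d = LEVEL_USE; d <= LEVEL_REQUIRE; d++)
        printf("default=%d -> level %d, fallback=%d\n", d,
               effective_level(req, d), allows_unprotected_fallback(req, d));
    return 0;
}
```

The same policy string is strict or permissive depending only on the system-wide setting, so a policy audit has to read both the policy and the sysctl(8) value.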