diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index 3025104..f4ab19d 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -709,7 +709,8 @@
 # Keymaster
 /dev/ut_keymaster u:object_r:ut_keymaster_device:s0
 
-#Ipsec
+# Ipsec
+/(system\/vendor|vendor)/bin/ipsec u:object_r:ipsec_exec:s0
 /(system\/vendor|vendor)/bin/ipsec_mon u:object_r:ipsec_mon_exec:s0
 
 # IMS
diff --git a/non_plat/ipsec.te b/non_plat/ipsec.te
new file mode 100644
index 0000000..c1d6f86
--- /dev/null
+++ b/non_plat/ipsec.te
@@ -0,0 +1,19 @@
+type ipsec_exec, exec_type, file_type, vendor_file_type;
+type ipsec, domain;
+
+allow ipsec proc_net:file write;
+allow ipsec { property_socket dnsproxyd_socket fwmarkd_socket }:sock_file write;
+allow ipsec { node port }:{ udp_socket rawip_socket } { node_bind name_bind };
+
+allow ipsec init:unix_stream_socket connectto;
+allow ipsec epdg_wod:unix_stream_socket { read write connectto };
+allow ipsec epdg_wod:fd use;
+
+allow ipsec self:capability { kill net_bind_service net_admin };
+allow ipsec self:{ netlink_route_socket netlink_xfrm_socket } { read write create bind nlmsg_read nlmsg_write };
+allow ipsec self:tcp_socket { read write create getattr connect getopt };
+allow ipsec self:capability2 wake_alarm;
+
+allow ipsec devpts:chr_file { read write open };
+
+set_prop(ipsec, mtk_wod_prop)
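Review bot: The new ipsec.te declares `ipsec_exec` and the `ipsec` domain but contains no transition rule, so nothing in this file moves a process into `ipsec` when `/vendor/bin/ipsec` is executed; the `epdg_wod:fd use` and `epdg_wod:unix_stream_socket` rules suggest epdg_wod is the launcher, in which case a `domain_auto_trans(epdg_wod, ipsec_exec, ipsec)` presumably lives in epdg_wod.te outside this diff, otherwise `init_daemon_domain(ipsec)` is missing here. Two grants are wider than an IKE/IPsec daemon normally needs and carry no comment saying why: `allow ipsec devpts:chr_file { read write open };` lets the daemon open and write any pseudo-terminal, which reads like a leftover from console debugging, and `allow ipsec proc_net:file write;` covers every file labelled proc_net rather than one specific entry, so a one-line comment naming the path each is for (or dropping them if denials do not show up) would keep the policy reviewable. The `self:capability { kill net_bind_service net_admin }` line should likewise say what `kill` is used for, since `net_admin` alone is what XFRM SA management requires. Finally, `set_prop(ipsec, mtk_wod_prop)` on the last line normally expands through unix_socket_connect to `property_socket:sock_file write` and `init:unix_stream_socket connectto`, so the explicit `allow ipsec init:unix_stream_socket connectto;` and the `property_socket` member of the sock_file rule are most likely redundant and can be removed.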