This is a discussion on Internet Protocol Security Methods within the Operating systems forums, part of the Tutorials category; Internet Protocol Security Methods If an IPsec rule requires the hosts to negotiate security, and it is using one or ...
Internet Protocol Security Methods
If an IPsec rule requires the hosts to negotiate security, and it is using one or both of two methods: Encapsulated Security Payload (ESP) or Authentication Header (AH).
ESP can provide both confidentiality (via encryption) and integrity (via signatures). Both the encryption and signature include the payload and TPC/UDP header of each packet, but not the IP address, which means that with supporting technologies such as NAT Traversal (NAT-T), ESP traffic can be sent across NAT devices. It is also possible to use null encryption with ESP, which means that each packet is signed but not encrypted. Similar to AH, this means that you can be confident that the traffic has not been tampered with while en route between hosts. This is the default method when you select to authenticate sessions between two hosts.
AH ensures message integrity via digital signatures calculated on the entire packet, including the IP header (which includes the source and destination IP addresses). AH has two significant limitations: it provides no confidentiality because it does not support data encryption, and AH traffic cannot traverse NAT devices because these devices change the IP address of the internal host on each packet before forwarding them.