Authentication Header (AH) and Encapsulating Security Payload (ESP) in IPsec VPNs

After an IPsec VPN tunnel is established, any traffic going through the tunnel is sent either as Authentication Header (AH) or Encapsulating Security Payload (ESP) packets.

  • The IPsec AH protocol does not provide data encryption, so plain AH does not result in a VPN in the full meaning of the word. Anyone who can intercept the packets in transit can see the transferred data. AH can be used to provide authentication, data integrity, and anti-replay protection in communications that do not need encryption. Its integrity check covers the payload and the immutable fields of the IP header, including the source and destination addresses.

    There is rarely any need to use AH alone. AH alone can be used when no encryption is required for the data, but ESP with Null encryption provides the same integrity protection and is the more common choice. AH cannot be used if there is a NAT device between the VPN gateway endpoints: because the AH integrity check value covers the source and destination addresses of the IP header, any address rewrite by NAT invalidates the check and the receiving gateway drops the packet.

  • The IPsec ESP protocol provides authentication, encryption, and integrity checking, providing secure data transfer. This protocol is what is usually meant by the term VPN, as the transferred data is hidden from outsiders. The ESP integrity check covers the ESP header and payload but not the outer IP header, which is why ESP, unlike AH, survives address rewriting by NAT devices.

    As a general guideline, use ESP for any normal VPN tunneling (data encapsulated in ESP payload).

  • The IPsec standards also support a combination of ESP and AH. However, this option does not provide significant security improvements in the type of VPNs the Forcepoint NGFW establishes.
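The following example illustrates the NAT difference between AH and ESP described above. It is an added illustration, not Forcepoint NGFW code or a complete IPsec implementation: it models AH (RFC 4302) and ESP with Null encryption (RFC 2410/4303) in transport mode with HMAC-SHA-256-128 (RFC 4868) as the integrity algorithm, and the key, addresses, SPIs, and payload are constructed for the demonstration. Anti-replay, sequence number handling, and real cryptographic key management are omitted.

```python
"""Model of why NAT breaks AH but not ESP (added example, not Forcepoint code).

Header layouts follow RFC 791 (IPv4), RFC 4302 (AH) and RFC 4303 (ESP);
the key, addresses, SPIs and payload below are constructed for illustration.
"""
import hashlib
import hmac
import struct

KEY = bytes(range(32))          # constructed 256-bit integrity key shared by both gateways
AH_PROTO, ESP_PROTO = 51, 50    # IP protocol numbers for AH and ESP
ICV_LEN = 16                    # HMAC-SHA-256-128: 128-bit truncated tag (RFC 4868)


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header (checksum field zeroed)."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options, with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, _addr(src), _addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """RFC 4302 Appendix A: TOS, flags/fragment offset, TTL and checksum are
    mutable in transit and zeroed before the ICV is computed. Addresses,
    identification and protocol stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # DSCP/ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def icv(data: bytes) -> bytes:
    """HMAC-SHA256 truncated to 128 bits, as IPsec HMAC-SHA-256-128 does."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(src, dst, spi, seq, payload, next_header=6):
    """IP | AH | payload. AH payload-length field = (12 + ICV_LEN)/4 - 2 = 5."""
    ah_fixed = struct.pack("!BBHII", next_header, 5, 0, spi, seq)  # 12 bytes, ICV follows
    ip = ipv4_header(src, dst, AH_PROTO, 20 + 12 + ICV_LEN + len(payload))
    mac = icv(ah_immutable_view(ip) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return ip + ah_fixed + mac + payload


def verify_ah(pkt: bytes) -> bool:
    ip, ah_fixed, mac, payload = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    expected = icv(ah_immutable_view(ip) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return hmac.compare_digest(mac, expected)


def build_esp_null_packet(src, dst, spi, seq, payload, next_header=6):
    """IP | ESP header | payload | padding | pad len | next header | ICV.
    Null encryption (RFC 2410): the payload is carried in the clear, aligned to
    4 bytes. The ICV covers SPI through next-header; the IP header is NOT covered."""
    esp_hdr = struct.pack("!II", spi, seq)
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, next_header)
    body = esp_hdr + payload + trailer
    ip = ipv4_header(src, dst, ESP_PROTO, 20 + len(body) + ICV_LEN)
    return ip + body + icv(body)


def verify_esp(pkt: bytes) -> bool:
    body, mac = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(mac, icv(body))


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """What a source-NAT device does: rewrite the source address and repair the
    IPv4 checksum; everything after the IP header is untouched."""
    ip = bytearray(pkt[:20])
    ip[12:16] = _addr(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return bytes(ip) + pkt[20:]


def flip_byte(pkt: bytes, offset: int) -> bytes:
    """Simulate on-path tampering with one payload byte."""
    b = bytearray(pkt)
    b[offset] ^= 0xFF
    return bytes(b)


PAYLOAD = b"constructed inner datagram"   # constructed sample payload


def demo() -> dict:
    ah = build_ah_packet("10.0.0.5", "203.0.113.10", 0x1000, 1, PAYLOAD)
    esp = build_esp_null_packet("10.0.0.5", "203.0.113.10", 0x2000, 1, PAYLOAD)
    return {
        "ah_ok": verify_ah(ah),
        "ah_after_nat": verify_ah(nat_rewrite_source(ah, "198.51.100.1")),
        "ah_tampered": verify_ah(flip_byte(ah, 50)),      # byte inside the AH payload
        "esp_ok": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_rewrite_source(esp, "198.51.100.1")),
        "esp_tampered": verify_esp(flip_byte(esp, 30)),   # byte inside the ESP payload
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'accepted' if ok else 'rejected'}")
```

Running the script shows both protocols rejecting a tampered payload, but only ESP accepting the packet after the source address was rewritten, which is the behaviour behind the rule that AH cannot cross a NAT device.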