Once the peers have negotiated parameters and generated key material, a security protocol must be used to process the traffic exchanged between them. Two protocols are defined for use with IPsec: the Authentication Header protocol ("AH") and the Encapsulating Security Payload protocol ("ESP"). AH provides message authentication only (integrity and data origin), and its integrity check also covers the immutable fields of the IP header, which is why AH does not pass through NAT. ESP provides encryption, message authentication, or both (ESP with NULL encryption is the authentication-only form), and its integrity check does not cover the outer IP header.
The only security protocol currently supported by the Shrew Soft VPN Client is ESP.
Both security protocols offer two modes of operation, referred to as Transport mode and Tunnel mode. Transport mode protects only the payload of an IP packet: the original IP header is kept (its protocol field is rewritten to point at AH or ESP) and is still used to route the packet, so the endpoints of the protected traffic are the IPsec peers themselves. Tunnel mode protects an entire IP datagram, original header included; with ESP the original header and payload are encrypted and then encapsulated in a new IP datagram whose outer header carries addresses suitable for public network routing (AH in Tunnel mode authenticates the inner datagram rather than encrypting it). Because the original IP header survives inside the tunnel, Tunnel mode can carry traffic on behalf of other hosts. This allows an IPsec peer to function as a security gateway: it encrypts and encapsulates all traffic that matches a security policy and forwards the protected traffic to the appropriate peer gateway, which decapsulates and decrypts it and routes the recovered datagram to its final destination using the original IP header.
The only mode of operation currently supported by the Shrew Soft VPN Client is Tunnel mode.
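The following Python program is added here as an illustration; it is not part of the Shrew Soft client or its documentation. It builds one constructed 12-byte payload into an ESP packet in Transport mode and in Tunnel mode and runs the inbound path a peer or gateway would. To stay within the standard library it uses ESP with NULL encryption (RFC 2410) and HMAC-SHA-256-128 integrity (RFC 4868); all addresses, the SPI and the key are made up. It shows that Transport mode keeps the original header (protocol field 50, with the ESP trailer's Next Header carrying the original protocol), while Tunnel mode carries the whole original datagram (Next Header 4) behind a new gateway-to-gateway header so the receiving gateway can route on the original destination, and that the ICV and sequence-number checks reject a tampered or replayed packet.

```python
"""ESP Transport vs Tunnel mode with ESP-NULL + HMAC-SHA-256-128 (constructed example)."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ESP = 50        # IP protocol number of ESP
IPIP = 4        # ESP Next Header value for an encapsulated IPv4 datagram (Tunnel mode)
TCP = 6
ICV_LEN = 16    # HMAC-SHA-256-128: first 16 bytes of the tag
IPV4_FMT = "!BBHHHBBH4s4s"

KEY = bytes.fromhex("0f" * 32)                       # constructed integrity key
ORIGINAL = None                                      # set below once ipv4_header exists


def _checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    f = [0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
         IPv4Address(src).packed, IPv4Address(dst).packed]
    f[7] = _checksum(struct.pack(IPV4_FMT, *f))
    return struct.pack(IPV4_FMT, *f)


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); a header with a bad checksum is rejected."""
    if len(pkt) < 20 or pkt[0] != 0x45 or _checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header")
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return str(IPv4Address(src)), str(IPv4Address(dst)), proto, pkt[20:total]


def esp_wrap(spi: int, seq: int, data: bytes, next_header: int, key: bytes) -> bytes:
    """RFC 4303 layout: SPI | Seq | data | padding | pad len | next header | ICV.
    NULL encryption, so 'data' travels in the clear; the ICV covers everything before it."""
    pad_len = (-(len(data) + 2)) % 4                 # pad len + next header end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))           # RFC 4303 default padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + data + padding + bytes([pad_len, next_header])
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


class InboundSA:
    """Receiving side of one ESP SA: integrity check plus a minimal anti-replay rule."""
    def __init__(self, spi: int, key: bytes):
        self.spi, self.key, self.last_seq = spi, key, 0

    def unwrap(self, esp: bytes):
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ESP ICV mismatch")         # tampered, or wrong SA key
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi or seq <= self.last_seq:
            raise ValueError("wrong SPI or replayed sequence number")
        self.last_seq = seq
        pad_len, next_header = body[-2], body[-1]
        return next_header, body[8:-2 - pad_len]


def transport_mode(pkt: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Keep the original header (protocol now ESP); protect only the payload."""
    src, dst, proto, payload = parse_ipv4(pkt)
    esp = esp_wrap(spi, seq, payload, proto, key)    # Next Header = original protocol
    return ipv4_header(src, dst, ESP, len(esp)) + esp


def tunnel_mode(pkt: bytes, gw_src: str, gw_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Protect the whole datagram, header included, behind a new gateway-to-gateway header."""
    esp = esp_wrap(spi, seq, pkt, IPIP, key)         # Next Header = 4 (IP-in-IP)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp


def receive(pkt: bytes, sa: InboundSA):
    """Inbound path of a peer or gateway: (mode, src, dst, proto, payload) of what to deliver or route."""
    src, dst, proto, esp = parse_ipv4(pkt)
    if proto != ESP:
        raise ValueError("not an ESP packet")
    next_header, data = sa.unwrap(esp)
    if next_header == IPIP:                          # original header survived: route on it
        isrc, idst, iproto, ipayload = parse_ipv4(data)
        return "tunnel", isrc, idst, iproto, ipayload
    return "transport", src, dst, next_header, data


def rejected(pkt: bytes, sa: InboundSA) -> bool:
    """True if the inbound path refuses the packet (ICV failure, replay or wrong SPI)."""
    try:
        receive(pkt, sa)
        return False
    except ValueError:
        return True


# Constructed host-to-host datagram behind gateway A, destined for a host behind gateway B.
ORIGINAL = ipv4_header("10.1.0.5", "10.2.0.9", TCP, 12) + b"hello, world"

if __name__ == "__main__":
    sa = InboundSA(0x1000, KEY)
    print(receive(transport_mode(ORIGINAL, 0x1000, 1, KEY), sa))
    tun = tunnel_mode(ORIGINAL, "198.51.100.1", "203.0.113.2", 0x1000, 2, KEY)
    print(parse_ipv4(tun)[:3], receive(tun, sa), rejected(tun, sa))
```

The outer header of the Tunnel mode packet carries only the gateway addresses, so an observer on the public path learns nothing about the 10.1.0.5 to 10.2.0.9 flow (with real ESP the inner header is encrypted as well); in Transport mode the original addresses remain visible in the outer header. Replaying the tunnel packet into the same SA fails the sequence-number check, and flipping any byte covered by the ICV fails the integrity check before the payload is looked at.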