IPSec uses two protocols to secure communications at the IP layer:
Authentication Header (AH)—A security protocol for authenticating the source of an IP packet and verifying the integrity of its content
Encapsulating Security Payload (ESP)—A security protocol for encrypting the entire IP packet (and authenticating its content)
The Authentication Header (AH) protocol provides a means to verify the authenticity and integrity of a packet's content and its origin. The packet is authenticated by an integrity check value computed with a hash-based message authentication code (HMAC), which combines a shared secret key with either the MD5 or the SHA-1 hash function.
Message Digest version 5 (MD5)
Secure Hash Algorithm-1 (SHA-1)
For more information on the MD5 and SHA-1 hashing algorithms, see RFC 1321 and RFC 2403 (MD5) and RFC 2404 (SHA-1). For information on HMAC, see RFC 2104.
The Encapsulating Security Payload (ESP) protocol provides a means to ensure privacy (encryption) as well as source authentication and content integrity (authentication). ESP in tunnel mode encapsulates the entire IP packet (header and payload) and then places a new outer IP header in front of the now encrypted packet. This new IP header carries the destination address needed to route the protected data through the network.
With ESP, you can encrypt and authenticate, encrypt only, or authenticate only. For encryption, you can choose either of the following algorithms:
Data Encryption Standard (DES)
Advanced Encryption Standard (AES)
For authentication, you can use either MD5 or SHA-1 algorithms.
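The HMAC-based authentication described for AH above and for ESP here produces a 96-bit integrity check value (ICV), as specified in RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96). The following added example, written for this page and not taken from any IPSec implementation, computes and verifies that ICV over a constructed stand-in for the authenticated bytes and shows that a single flipped bit is detected; the key and data values are constructed samples, and the function names are my own.

```python
import hashlib
import hmac

# RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96) both truncate the full
# HMAC output to its first 96 bits (12 bytes); that truncated value is the ICV
# carried in the AH or ESP authentication field. Key sizes are fixed by the RFCs.
ICV_LEN = 12
ALGORITHMS = {
    "hmac-md5-96": (hashlib.md5, 16),    # RFC 2403: 128-bit key
    "hmac-sha1-96": (hashlib.sha1, 20),  # RFC 2404: 160-bit key
}

def compute_icv(algorithm: str, key: bytes, authenticated_data: bytes) -> bytes:
    """Return the 96-bit ICV over authenticated_data.

    The caller supplies the bytes the protocol covers: for AH the immutable
    IP header fields plus the AH header (ICV field zeroed) plus the payload;
    for ESP the ESP header, the encrypted payload and the ESP trailer.
    """
    hash_fn, key_len = ALGORITHMS[algorithm]
    if len(key) != key_len:
        raise ValueError(f"{algorithm} requires a {key_len * 8}-bit key")
    return hmac.new(key, authenticated_data, hash_fn).digest()[:ICV_LEN]

def verify_icv(algorithm: str, key: bytes, authenticated_data: bytes,
               received_icv: bytes) -> bool:
    """Receiver-side check. compare_digest runs in constant time so a
    mismatch does not reveal how many ICV bytes happened to match."""
    expected = compute_icv(algorithm, key, authenticated_data)
    return hmac.compare_digest(expected, received_icv)

def demo(algorithm: str = "hmac-sha1-96") -> tuple:
    """Constructed sample run. Returns (intact_accepted, tampered_accepted)."""
    key_len = ALGORITHMS[algorithm][1]
    key = bytes(range(key_len))                    # constructed, not a real SA key
    # Constructed stand-in for the covered bytes: header fields, a zeroed
    # 12-byte ICV slot, then the payload.
    data = b"constructed-ip-and-ah-header" + b"\x00" * ICV_LEN + b"payload"
    icv = compute_icv(algorithm, key, data)
    intact_accepted = verify_icv(algorithm, key, data, icv)
    tampered = bytearray(data)
    tampered[-1] ^= 0x01                           # one bit altered in transit
    tampered_accepted = verify_icv(algorithm, key, bytes(tampered), icv)
    return intact_accepted, tampered_accepted

if __name__ == "__main__":
    for name in ALGORITHMS:
        print(name, demo(name))                    # expect (True, False) for each
```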