IPsec : Why do you combine ESP & AH ?

Hi there,

AH ensures authentication & integrity. ESP ensures the same with encryption.

In this case, why do you mix ESP & AH if ESP does the same than AH ?

Thanks in advance,

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

spd3432

AH ensures authentication & integrity.

-- True

ESP ensures the same with encryption.

-- False

ESP can ensure the authentication and integrity but alone only encrypts the IP data packet ensuring confidentiality.

cyberguypr

ESP provides confidentiality, which AH does not provide.

Rens-

Hi spd3432 !

Thank you for your quick reply.

ESP can ensure the authentication and integrity but alone only encrypts the IP data packet ensuring confidentiality.

Ok but what can be the advantage to mix AH & ESP ? AH authentication & integrity "method" is better than ESP ?

QHalo

cyberguypr gave you the answer more or less. AH doesn't have the ability to provide confidentiality. So when the packet is encapsulated, it looks like this.

([AH]{ESP header}|data|{ESP Trailer}{ESP Auth}) = Packet

There's more in there but that's the basic gist of it.

http://www.tcpipguide.com/free/t_IPSecAuthenticationHeaderAH.htm

This should help you.