IPSec provides a set of cryptographic protections for IP traffic. To secure Layer 3 traffic, IPSec defines two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). These protocols provide data and identity protection for each IP packet.
The AH protocol provides data origin authentication, data integrity, and antireplay protection for the entire IP packet, except for the fields in the IP header that are allowed to change in transit. The AH protocol does not provide encryption. It is useful when the requirement is only to verify data integrity, but not to maintain data confidentiality.
The ESP protocol provides data confidentiality with encryption, data origin authentication, data integrity, and antireplay protection. The ESP protocol can also be implemented without encryption. Although ESP provides an adequate level of authentication and encryption, it does so only for part of the IP packet, and excludes the IP header.
In addition to AH and ESP, the Services Router allows you to use a hybrid of AH and ESP protocols for protecting traffic. The hybrid of AH and ESP protocols, known as a protocol bundle, allows you to combine the benefits of both protocols and overcome their shortcomings.
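The difference in coverage between AH and ESP described above, as an added example (not code from the original page or from any router implementation): a simplified Python model in which AH computes its integrity check value (ICV) over the IP header with the mutable fields zeroed, while ESP, used here without encryption, covers only its own header, payload and trailer. The key, SPI, addresses, payload and the truncated HMAC-SHA-256 ICV are constructed assumptions.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"      # constructed key, for this example only
SPI, ICV_LEN = 0x1001, 16          # constructed SPI; ICV = truncated HMAC-SHA-256

def ipv4_header(src, dst, ttl, proto, total_len):
    # 20-byte IPv4 header without options; checksum left at 0 in this model
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def zero_mutable(hdr):
    # Header fields that may change in transit, so AH leaves them out
    b = bytearray(hdr)
    b[1] = 0                       # DSCP/ECN
    b[6:8] = b"\x00\x00"           # flags + fragment offset
    b[8] = 0                       # TTL
    b[10:12] = b"\x00\x00"         # header checksum
    return bytes(b)

def ah_protect(src, dst, payload, seq=1):
    ah = struct.pack("!BBHII", 6, 5, 0, SPI, seq)   # next header = TCP
    hdr = ipv4_header(src, dst, 64, 51, 32 + ICV_LEN + len(payload))
    icv = mac(zero_mutable(hdr) + ah + bytes(ICV_LEN) + payload)
    return hdr + ah + icv + payload

def ah_verify(pkt):
    hdr, ah, icv, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, mac(zero_mutable(hdr) + ah + bytes(ICV_LEN) + payload))

def esp_protect(src, dst, payload, seq=1):
    pad = bytes(range(1, 1 + (-(len(payload) + 2)) % 4))   # align trailer to 4 bytes
    body = struct.pack("!II", SPI, seq) + payload + pad + bytes([len(pad), 6])
    hdr = ipv4_header(src, dst, 64, 50, 20 + len(body) + ICV_LEN)
    return hdr + body + mac(body)  # the outer IP header is not an input

def esp_verify(pkt):
    return hmac.compare_digest(pkt[-ICV_LEN:], mac(pkt[20:-ICV_LEN]))

def tamper(pkt, offset, value):
    return pkt[:offset] + bytes([value]) + pkt[offset + 1:]

if __name__ == "__main__":
    ah, esp = (f("192.0.2.1", "198.51.100.7", b"constructed payload") for f in (ah_protect, esp_protect))
    for field, off in (("TTL", 8), ("source address", 15)):
        print(field, "AH ok:", ah_verify(tamper(ah, off, 99)), "ESP ok:", esp_verify(tamper(esp, off, 99)))
```

A changed TTL passes both checks, while a changed source address fails AH verification and passes ESP verification, which is the gap in ESP's coverage that the text describes.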