The ESP and AH Protocols

A security protocol must be used to process traffic between Peers once parameters and key material have become available. Two options have been defined for use with IPsec: the Authentication Header protocol ( "AH" ) and the Encapsulating Security Payload protocol ( "ESP" ). AH provides message authentication only, and its integrity check also covers the immutable fields of the IP header that carries it. ESP can provide encryption, message authentication, or both; its integrity check covers the ESP header, payload and trailer but not the outer IP header. Two practical consequences follow. Because AH authenticates the outer IP addresses, it cannot pass through a NAT device, which is one reason ESP is far more widely deployed. And because ESP allows encryption without integrity protection, care is needed in configuration: an ESP SA that encrypts but does not authenticate offers no protection against tampering and should not be used.


The only security protocol currently supported by the Shrew Soft VPN Client is ESP.


Both security protocols offer two modes of operation, referred to as Transport mode and Tunnel mode. Transport mode protects only the data contained within an IP packet payload; the original IP header is kept, with its protocol field rewritten to indicate ESP or AH, so the packet still travels between the same two addresses.

Tunnel mode protects an entire IP datagram: with ESP, the original header is encrypted along with the payload data, and both are covered by the integrity check. The protected datagram is then encapsulated in a new IP datagram whose header carries addresses suitable for public network routing. Since the original IP header travels inside the protected payload, Tunnel mode can be used to process network traffic on behalf of other hosts. This allows an IPsec Peer to function as a security gateway by encrypting and encapsulating all traffic that matches a security policy and then forwarding the protected traffic to an appropriate Peer gateway. The receiving gateway verifies the integrity check, decrypts the payload, strips the outer header and then routes the recovered datagram to its final destination based on the original IP header information. Before forwarding, the receiving gateway must also confirm that the inner source and destination addresses match the traffic selectors of the security policy under which the packet was received; without that check, a Peer could inject traffic on behalf of hosts it is not authorized to represent.


The only mode of operation currently supported by the Shrew Soft VPN Client is Tunnel mode.
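The following is an added illustration of the ESP Tunnel mode framing described above; it is not code from the Shrew Soft VPN Client. It builds a constructed host-to-host datagram, wraps it in ESP Tunnel mode between two gateway addresses, and then performs the receiving gateway's steps in order: SPI lookup, anti-replay check, integrity verification, trailer removal, and the selector check on the inner header. To keep it runnable with only the Python standard library it uses NULL encryption (RFC 2410, a defined ESP transform in which the payload is not encrypted) with HMAC-SHA-256-128 integrity; a real SA would negotiate a cipher such as AES, but the packet layout is identical. The key, addresses and selectors are constructed demo values, and the anti-replay logic is a deliberately simplified window of one in place of the RFC 4303 sliding window.

```python
"""ESP tunnel-mode framing (RFC 4303) with NULL encryption and HMAC-SHA-256-128.
Added example; not Shrew Soft code. Keys, addresses and selectors are constructed."""
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50          # IP protocol number in the outer header for ESP
UDP_PROTO = 17
IPV4_IN_IP = 4          # ESP Next Header: an entire IPv4 datagram follows (tunnel mode)
ICV_LEN = 16            # HMAC-SHA-256-128 truncates the MAC to 128 bits
AUTH_KEY = bytes(range(32))   # constructed demo key; a real SA key is derived by IKE


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over an even-length buffer."""
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def build_sample_inner() -> bytes:
    """Constructed datagram 10.1.0.5 -> 10.2.0.7, UDP to port 53 (checksum 0 is legal in IPv4)."""
    data = b"sample query"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data
    return ipv4_header("10.1.0.5", "10.2.0.7", UDP_PROTO, len(udp)) + udp


def esp_encapsulate(inner: bytes, spi: int, seq: int, auth_key: bytes,
                    outer_src: str, outer_dst: str) -> bytes:
    """Tunnel mode: the whole inner datagram, header included, becomes the ESP payload.
    Wire layout: [outer IP][SPI][seq][payload][padding][pad len][next hdr][ICV]."""
    # Pad so that payload + padding + the 2 trailer bytes is a multiple of 4 (RFC 4303 2.4).
    pad_len = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # default monotonic padding bytes
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, IPV4_IN_IP])
    # The ICV covers SPI, sequence number, payload and trailer, but NOT the outer IP header.
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    esp = body + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


class SA:
    """Inbound SA: SPI, integrity key, traffic selectors and anti-replay state."""
    def __init__(self, spi: int, auth_key: bytes, inner_src_net: str, inner_dst_net: str):
        self.spi = spi
        self.auth_key = auth_key
        self.inner_src_net = ipaddress.ip_network(inner_src_net)
        self.inner_dst_net = ipaddress.ip_network(inner_dst_net)
        self.highest_seq = 0        # window of one: simplification of the RFC 4303 sliding window


def esp_decapsulate(packet: bytes, sa: SA) -> bytes:
    """Receiving gateway: verify, strip outer header and trailer, enforce selectors."""
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp = packet[20:]                       # outer header is 20 bytes (no options)
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    if seq <= sa.highest_seq:               # preliminary replay check before the (costly) ICV
        raise ValueError("replayed or out-of-window sequence number")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV check failed")
    sa.highest_seq = seq                    # update replay state only after the ICV verified
    pad_len, next_hdr = body[-2], body[-1]
    if next_hdr != IPV4_IN_IP:
        raise ValueError("unexpected next header")
    inner = body[8:len(body) - 2 - pad_len]
    # Policy check: the recovered header must match the SA's selectors, otherwise the peer
    # could inject traffic for addresses it is not authorised to speak for.
    src = ipaddress.IPv4Address(inner[12:16])
    dst = ipaddress.IPv4Address(inner[16:20])
    if src not in sa.inner_src_net or dst not in sa.inner_dst_net:
        raise ValueError("inner addresses violate SA selectors")
    return inner


def is_rejected(packet: bytes, sa: SA) -> bool:
    """True if the gateway refuses the packet for any of the reasons above."""
    try:
        esp_decapsulate(packet, sa)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    inner = build_sample_inner()
    pkt = esp_encapsulate(inner, 0x1000, 1, AUTH_KEY, "203.0.113.1", "198.51.100.1")
    sa = SA(0x1000, AUTH_KEY, "10.1.0.0/24", "10.2.0.0/24")
    print("recovered inner datagram matches:", esp_decapsulate(pkt, sa) == inner)
```

Flipping any byte of the ESP body makes the ICV check fail, replaying the same packet is refused by the sequence check, and a packet whose inner source lies outside 10.1.0.0/24 is dropped by the selector check even though it is authentic. The outer header, by contrast, can be altered without affecting the ICV, which is exactly why the selector check has to be made against the inner header and not the outer one.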

Copyright © 2010, Shrew Soft Inc