
Symantec™ Security Gateways Reference Guide - Sawmill

94 Understanding VPN tunnels
IPsec standard

Although AH guarantees that the data has not changed, it does not hide or encrypt the data. Additionally, the AH header is calculated over all of the packet information: the IP header, the protocol header and the protocol data are all included, and the ICV is built from this information. Because AH uses this method, it can only be used when connections do not use network address translation (NAT). Regardless of the transport mode used, NAT changes one of the addresses in the IP header. When the packet reaches its destination, the computed ICV does not match the original ICV, and the packet is discarded.

Figure 7-6 shows packets using the AH protection mechanism in both transport and tunnel modes, and what portion of the packet is protected.

Figure 7-6 AH-protected IP datagram in transport and tunnel modes

Encapsulating security payload (ESP)

ESP provides confidentiality, data integrity, data source authentication, and replay protection to most of the IP datagram by inserting an ESP header after the IP header and any IP options, and appending an ESP trailer. The IP datagram payload is an upper-layer protocol with its respective data, or another entire IP datagram. The ESP header is not encrypted, but a portion of the ESP trailer is. Enough of the ESP trailer (the authentication portion) is in clear text to allow the decrypting system to process the packet.

Note: ESP is the most commonly used data integrity method.
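The following added example (not from the Symantec guide) models why AH fails behind NAT and why ESP does not: it computes a simplified AH ICV over the IP header (mutable fields zeroed), the AH header and the payload, then shows that a plain router hop (TTL decrement) still verifies while a NAT source-address rewrite does not, and that ESP's ICV never covered the IP header in the first place. The key, addresses, SPI and payload are constructed sample values; the HMAC-SHA1-96 construction is a simplified model of the real AH/ESP integrity computation.

```python
import hmac
import hashlib
import struct

KEY = bytes.fromhex("0b" * 20)            # constructed SA key, not from the guide
PAYLOAD = b"upper-layer protocol data"    # constructed stand-in for a TCP segment
SPI, SEQ = 0x1234, 1                      # constructed SA identifier and sequence number

def _addr(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))

def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero to keep the model short."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0, _addr(src), _addr(dst))

def zero_mutable(ip_hdr: bytes) -> bytes:
    """AH hashes the IP header with mutable fields zeroed; the addresses stay in."""
    h = bytearray(ip_hdr)
    h[1] = h[8] = 0                       # TOS and TTL are mutable in transit
    h[6:8] = h[10:12] = b"\x00\x00"       # flags/fragment offset and header checksum
    return bytes(h)

def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """Simplified HMAC-SHA1-96 over immutable IP header + AH header (ICV zeroed) + payload."""
    ah_hdr = struct.pack("!BBHII", 6, 4, 0, SPI, SEQ)   # next=TCP, len, reserved, SPI, seq
    data = zero_mutable(ip_hdr) + ah_hdr + bytes(12) + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def esp_icv(body: bytes) -> bytes:
    """ESP authenticates ESP header + payload + trailer only; the IP header is outside it."""
    return hmac.new(KEY, struct.pack("!II", SPI, SEQ) + body, hashlib.sha1).digest()[:12]

def hop(ip_hdr: bytes) -> bytes:
    """A plain router on the path: decrements TTL and nothing else."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    return bytes(h)

def nat(ip_hdr: bytes, new_src: str) -> bytes:
    """A NAT device: decrements TTL and rewrites the source address."""
    h = bytearray(hop(ip_hdr))
    h[12:16] = _addr(new_src)
    return bytes(h)

def ah_verifies_after(transform) -> bool:
    """Sender computes the ICV; the receiver recomputes it over the header it actually got."""
    sent = ipv4_header("10.0.0.5", "192.0.2.10", 51)   # 51 = AH (constructed addresses)
    icv = ah_icv(sent, PAYLOAD)
    return hmac.compare_digest(icv, ah_icv(transform(sent), PAYLOAD))
```

`ah_verifies_after(hop)` returns True because TTL is excluded from the ICV, while `ah_verifies_after(lambda h: nat(h, "203.0.113.7"))` returns False because the address is not; `esp_icv` takes no IP header at all, so the same NAT rewrite leaves it unchanged.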