ESP (Encapsulating Security Payload) is used primarily for data confidentiality and authentication. It encrypts data payloads with a symmetric-key algorithm such as DES or AES (DES is obsolete and should not be used in new deployments).
AH (Authentication Header) is used primarily for authentication and integrity. It uses a keyed hash (HMAC) built on a hash algorithm such as MD5 or SHA-1 to verify that data payloads have not been modified in transit (HMAC-MD5 is no longer recommended). Both ESP and AH provide robust security for IPsec communication channels.
Before any traffic is protected, IPsec authenticates both endpoints of the communication channel. This is done with cryptographic keys or digital certificates that prove each endpoint's identity.
Once the endpoints are authenticated, ESP encrypts each data payload with the negotiated symmetric-key algorithm. The encrypted payload is then encapsulated with the necessary IPsec headers. AH adds a further layer of security by computing an integrity check value (ICV) over each packet with a keyed hash; the receiver recomputes the ICV and discards any packet whose value does not match, so any modification of the data in transit is detected.
The protected packets are then sent over the IPsec channel, which provides end-to-end security for the communication.