Security has always been my favorite subject and my best track when it comes to Cisco (CCIE). You will learn a lot, but things need to be very clear and understandable, and all security terms depend only on how much you learn or understand from blogs and books.

Obviously there are many books that write pages on each topic, but are they worth spending time on? The answer is either yes or no. If you are new and fresh in the IT field and security is your passion, your answer will be yes, but those with a whole bunch of experience, management skills and on-field experience will select no as the answer. So here in this topic I would like to brief the world's toughest subject (IPSec) in simple and understandable words. Let's begin:

IPSec's main objective is to provide security services for IP packets at the network layer. These services include access control, data integrity, data origin authentication, protection against replay, and data confidentiality. Keep in mind that of the CIA triad (Confidentiality, Integrity, Availability) IPSec does not provide availability; it ensures only confidentiality and integrity, plus authentication of the peer and anti-replay protection.

IPSec has two modes, which are as follows:

1. IPSec Transport Mode:

In Transport Mode, an IPSec header (discussed later) is inserted between the IP header and the upper-layer protocol header, as shown below:

[Figure: IPSec Transport Mode packet layout]

In this mode, the IP header is the same as that of the original IP packet except for the IP Protocol field, which is changed to ESP (50) or AH (51), the Total Length, which grows by the size of the inserted header, and the IP header checksum, which is recalculated. IPSec assumes that the IP endpoints are reachable. In this mode, the destination IP address in the IP header is not changed by the source IPSec endpoint; therefore, this mode can only be used to protect packets in scenarios in which the IP endpoints and the IPSec endpoints are the same (host-to-host protection).

NOTE: NAT between IPSec peers is a limitation of Transport Mode: with ESP, the TCP/UDP checksum of the protected payload covers the original addresses and cannot be fixed up by the NAT device; with AH, NAT breaks the integrity check in either mode, because the ICV covers the source and destination addresses. ESP in Tunnel Mode can cross NAT with UDP encapsulation (NAT-T). Also, for most hardware encryption engines it is less efficient to encrypt in transport mode than in tunnel mode, because transport mode requires displacing the IP header to make room for the ESP or AH header.

2. IPSec Tunnel Mode:

In Tunnel Mode, the original IP packet is encapsulated in another IP datagram, and an IPSec header (AH or ESP) is inserted between the outer and inner headers. Because of this encapsulation with an "outer" IP packet, tunnel mode can be used to provide security services between sites on behalf of IP nodes behind the gateway router at each site; the original packet, including its source and destination addresses, is carried unchanged as the inner packet.

[Figure: IPSec Tunnel Mode packet layout]
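To make the two layouts concrete, here is an added Python example (not code from the original post) that takes a constructed IPv4/UDP packet and produces both its transport-mode and its tunnel-mode form. The addresses and the 8-byte stand-in for the IPSec header are assumptions; a real ESP or AH header would occupy the place of the stand-in. The example recomputes the IP header checksum, which the text notes has to change in transport mode, and checks it on the way out.

```python
import socket
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over 16-bit words. Over a header whose checksum
    field is zero it yields the checksum; over a correctly checksummed header
    it yields 0, which is how a receiver validates it."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def transport_mode(packet: bytes, ipsec_hdr: bytes, ipsec_proto: int) -> bytes:
    """Keep the original IP header, rewrite Protocol to 50/51, fix Total Length
    and the checksum, and slide the IPsec header in before the upper layer.
    Source and destination addresses are untouched."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    upper = packet[ihl:]
    hdr[9] = ipsec_proto
    hdr[2:4] = struct.pack("!H", ihl + len(ipsec_hdr) + len(upper))
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + ipsec_hdr + upper


def tunnel_mode(packet: bytes, ipsec_hdr: bytes, ipsec_proto: int,
                outer_src: str, outer_dst: str) -> bytes:
    """Leave the original packet untouched and prepend a new outer IP header
    addressed between the IPsec gateways; the whole inner packet is payload."""
    outer = ipv4_header(outer_src, outer_dst, ipsec_proto, len(ipsec_hdr) + len(packet))
    return outer + ipsec_hdr + packet


def describe(packet: bytes):
    """(src, dst, protocol, total length, checksum valid) of the outermost header."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:ihl]
    return (socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]), hdr[9],
            struct.unpack("!H", hdr[2:4])[0], ipv4_checksum(hdr) == 0)


def demo():
    # Constructed host-to-host UDP packet between two sites behind gateways.
    upper = b"\x00\x35\x00\x35\x00\x0c\x00\x00" + b"data"     # fake UDP header + 4 bytes
    original = ipv4_header("192.168.1.10", "192.168.2.10", 17, len(upper)) + upper
    stand_in = struct.pack("!II", 0x1000, 1)                 # SPI + seq, in place of a real ESP header
    transport = transport_mode(original, stand_in, IPPROTO_ESP)
    tunnel = tunnel_mode(original, stand_in, IPPROTO_ESP, "203.0.113.1", "198.51.100.1")
    # Tunnel mode leaves the original packet byte-for-byte intact after outer IP + stand-in.
    return describe(transport), describe(tunnel), tunnel[28:] == original


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In the transport-mode result the addresses are still the hosts' own and only the protocol number, length and checksum differ; in the tunnel-mode result the outer header carries the gateway addresses, which is what lets a gateway protect traffic on behalf of hosts behind it.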

IPSec has two security protocols, ESP (Encapsulating Security Payload) and AH (Authentication Header), which provide security for IP datagrams.

1. Encapsulating Security Payload (ESP):

ESP provides confidentiality, data integrity, data origin authentication and anti-replay services. Integrity and authentication are optional in the standard, but they should always be enabled: encryption without an integrity check leaves the ciphertext open to undetected tampering. ESP provides these services by encrypting the original payload and encapsulating the packet between an ESP header and an ESP trailer, as shown below:

[Figure: ESP header, payload and trailer format]

– SPI (Security Parameter Index) is a 32-bit value in the ESP header that, combined with the destination address (and optionally the protocol) in the preceding IP header, identifies the Security Association (SA) to be used to process the packet.
– Sequence Number is a unique, monotonically increasing 32-bit counter inserted into the header by the sender; it starts at 1 for a new SA. Together with the sliding receive window at the receiver, it provides anti-replay protection.
– The data being protected/encrypted is in the Payload Data field. The algorithm used to encrypt the payload may require an initialization vector (IV), which is carried at the start of the payload data.
– Padding belongs to the ESP trailer, not the header: padding bytes are added after the payload so that the ciphertext matches the cipher's block size and the Pad Length and Next Header fields that follow it end on a 4-byte boundary. Pad Length tells the receiver how many bytes to strip, and Next Header identifies the protocol of the decrypted payload.
– The authentication digest (Integrity Check Value, ICV) follows the trailer and is used to verify the integrity of the ESP header, payload and trailer. Unlike AH, it does not cover the IP header in front of ESP.

ESP is identified by protocol number 50 in the IP header. The ESP header is inserted after the IP header and before the upper-layer protocol header. The IP header itself is a new outer IP header in tunnel mode or the original IP packet's header in transport mode.
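As an added example (not code from the original post), the following Python reads the clear-text part of an ESP packet, the SPI and sequence number, and runs the sequence number through the receiver's sliding anti-replay window described above. The packet bytes, addresses and SPI are constructed for the demo; the payload is dummy data, not real ciphertext, and the window size of 64 is the RFC 4303 minimum.

```python
import socket
import struct

IPPROTO_ESP = 50


def build_esp_packet(spi: int, seq: int, payload: bytes, src: str = "10.0.0.1",
                     dst: str = "10.0.0.2") -> bytes:
    """Constructed IPv4 + ESP packet for the demo. The header checksum is left
    zero and the payload is not encrypted; only the SPI/seq fields are real."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, IPPROTO_ESP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + struct.pack("!II", spi, seq) + payload


def parse_esp(packet: bytes):
    """Return (dst, spi, seq, rest). Destination address + SPI select the SA;
    everything after the 8-byte ESP header (IV, payload, padding, pad length,
    next header, ICV) is opaque until the SA's keys are applied."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ESP:
        raise ValueError("protocol %d is not ESP" % packet[9])
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return socket.inet_ntoa(packet[16:20]), spi, seq, packet[ihl + 8:]


class ReplayWindow:
    """Receiver anti-replay window for one SA (RFC 4303 section 3.4.3), for
    32-bit sequence numbers without ESN. Bit i of the bitmap records whether
    sequence number (top - i) has already been received."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                       # 0 is never sent; a new SA starts at 1
        if seq > self.top:                     # right of the window: slide it forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # older than the left edge: drop
        if self.bitmap & (1 << offset):
            return False                       # already seen: replay
        self.bitmap |= 1 << offset             # inside the window and new: record it
        return True


def demo():
    """Feed packets with out-of-order, replayed and stale sequence numbers
    through one window and return the accept/reject decisions in order."""
    window = ReplayWindow(64)
    decisions = []
    for seq in (1, 2, 5, 2, 3, 70, 6, 200, 1):
        _, _, s, _ = parse_esp(build_esp_packet(0xDEADBEEF, seq, b"\x00" * 16))
        decisions.append(window.accept(s))
    return decisions


if __name__ == "__main__":
    print(demo())   # [True, True, True, False, True, True, False, True, False]
```

Two points a real receiver must get right that the demo glosses over: the window is updated only after the ICV has verified, otherwise forged packets could advance the window and cause genuine traffic to be dropped, and when the 32-bit counter would wrap the SA must be rekeyed (or extended sequence numbers used) rather than reset.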

Below is the IP Packet protected by ESP in transport Mode:

[Figure: IP packet protected by ESP in Transport Mode]

Below is the IP Packet protected by ESP in Tunnel Mode:

[Figure: IP packet protected by ESP in Tunnel Mode]

2. Authentication Header (AH):

Authentication Header provides connectionless integrity, data origin authentication, and optional replay protection, but, unlike ESP, it does not provide confidentiality. The header is much simpler, as shown below:

[Figure: AH header format]

– Payload Length in the AH header indicates the length of the AH itself, expressed in 32-bit words minus 2 (an AH with a 96-bit ICV is 24 bytes long and carries the value 4).
– Reserved field is not used and is therefore set to 0.
– The SPI and Sequence Number have the same significance as in ESP.
– The authentication digest (ICV) has one key difference from ESP: with AH, the IP header is authenticated in addition to the payload. Because the ICV is computed over the entire packet including the IP header, and some IP header fields change in transit (TTL, ToS/DSCP/ECN, flags, fragment offset and the header checksum), those mutable fields are zeroed out before the digest is computed. The source and destination addresses are covered, which is why AH cannot pass through NAT.

AH is an IP protocol, identified by a value of 51 in the IP header. The Next Header field of the AH indicates what follows the AH header. In transport mode it is the value of the upper-layer protocol being protected (for example 6 for TCP or 17 for UDP). In tunnel mode this value is 4 (IP-in-IP, an encapsulated IPv4 packet; it is 41 for an encapsulated IPv6 packet).
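The following added Python example (not code from the original post) builds a transport-mode AH packet and computes the ICV the way AH requires: over the IP header with its mutable fields zeroed, the AH with its own ICV field zeroed, and the upper-layer data. HMAC-SHA1-96 is used as the integrity algorithm; the key, addresses and the UDP payload are constructed for the demo and the IP checksum is left zero because it is mutable anyway. The demo then shows that a router decrementing TTL leaves the ICV valid while a NAT rewriting the destination address breaks it.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_AH = 51
ICV_LEN = 12   # HMAC-SHA1-96 (RFC 2404): HMAC-SHA1 truncated to 96 bits


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header with DF set; checksum left zero (it is
    mutable and zeroed for the ICV in any case)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1.1.1: ToS/DSCP/ECN, Flags, Fragment Offset, TTL and
    Header Checksum may change in transit and are zeroed before the ICV is
    computed. Version, IHL, Total Length, Identification, Protocol and both
    addresses are immutable and stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                # ToS / DSCP / ECN
    h[6:8] = b"\x00\x00"    # Flags + Fragment Offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # Header Checksum
    return bytes(h)


def build_ah(next_header: int, spi: int, seq: int, icv: bytes = b"\x00" * ICV_LEN) -> bytes:
    """AH: Next Header, Payload Length, Reserved, SPI, Sequence Number, ICV.
    Payload Length is the AH length in 32-bit words minus 2, so a 24-byte AH
    (12 fixed bytes + 12-byte ICV) carries 4."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_icv(key: bytes, ip_hdr: bytes, ah: bytes, upper: bytes) -> bytes:
    """ICV over the IP header (mutable fields zeroed), the AH with its ICV
    field zeroed, and the entire upper-layer data."""
    ihl = (ip_hdr[0] & 0x0F) * 4
    ah_len = (ah[1] + 2) * 4
    ah_zeroed = ah[:12] + b"\x00" * (ah_len - 12)
    data = zero_mutable(ip_hdr[:ihl]) + ah_zeroed + upper
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def protect(key: bytes, src: str, dst: str, upper: bytes, next_header: int = 17,
            spi: int = 0x100, seq: int = 1) -> bytes:
    """Transport-mode AH: IP header (protocol 51) + AH + original upper layer."""
    ip = ipv4_header(src, dst, IPPROTO_AH, 20 + 12 + ICV_LEN + len(upper))
    ah = build_ah(next_header, spi, seq)
    return ip + ah[:12] + ah_icv(key, ip, ah, upper) + upper


def verify(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV the same way and compare in constant time."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_AH:
        return False
    ah_len = (packet[ihl + 1] + 2) * 4
    ah = packet[ihl:ihl + ah_len]
    expected = ah_icv(key, packet[:ihl], ah, packet[ihl + ah_len:])
    return hmac.compare_digest(expected, ah[12:12 + ICV_LEN])


def demo():
    """Returns (unmodified, TTL decremented by a router, destination rewritten by NAT)."""
    key = b"constructed-demo-key-do-not-reuse"
    upper = b"\x04\xd2\x00\x35\x00\x10\x00\x00" + b"hello ah"   # constructed UDP header + data
    pkt = protect(key, "10.0.0.1", "10.0.0.2", upper)
    hopped = bytearray(pkt)
    hopped[8] -= 1                                   # TTL is mutable: still verifies
    natted = bytearray(pkt)
    natted[16:20] = socket.inet_aton("10.0.0.3")     # address is covered: fails
    return verify(key, pkt), verify(key, bytes(hopped)), verify(key, bytes(natted))


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The same zeroing rule is what makes AH tunnel mode work across routers: the outer header's TTL and checksum change hop by hop without invalidating the ICV, but any device that rewrites addresses, a NAT included, will cause the receiver to drop the packet.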

Below is the IP packet protected by AH in Transport Mode:

[Figure: IP packet protected by AH in Transport Mode]

Below is the IP packet protected by AH in Tunnel Mode:

[Figure: IP packet protected by AH in Tunnel Mode]

AH in transport mode is useful if the communication endpoints are also the IPSec endpoints. In tunnel mode, AH encapsulates the original IP packet, and an additional (outer) IP header is added before the AH header. Since AH provides no confidentiality in either mode, AH tunnel mode is rarely used in practice; ESP with integrity enabled is the usual choice, as it protects the inner packet and authenticates it at the same time.

I hope I have defined and briefed these parts in language as simple as possible, so enjoy studying and labbing Security.

Cheers,