The authentication header (AH) authenticates IP traffic so that you can verify you are communicating with the intended peer. AH can detect whether data was altered in transit and protects against replay attacks. AH does not encrypt traffic.
AH provides the following services:
- IP datagram sender authentication by HMAC or MAC
- IP datagram integrity assurance by HMAC or MAC
- Replay detection and protection by sequence number
The IPsec feature inserts the AH header after the IP header in transport mode. Transport mode with AH authenticates only the payload of the IP packet.
Tunnel mode authenticates the entire IP packet, including the IP header and data, to provide a secure hop between two hosts, two routers, or a router and a host.
You can apply AH alone, or in combination with the Encapsulating Security Payload (ESP).
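The sketch below is an added example, not code from this page or from any product it describes: it builds a transport-mode AH packet and runs the receiver's checks, with the ICV input laid out as RFC 4302 specifies. It assumes HMAC-SHA-256-128, a 64-packet replay window, 32-bit sequence numbers and an IPv4 header without options; all function names, the key, the SPI and the addresses are constructed for illustration.

```python
import hashlib, hmac, struct

ICV_LEN = 16   # HMAC-SHA-256-128 (RFC 4868): tag truncated to 16 bytes
WINDOW = 64    # anti-replay window size, in packets (assumed value)

def icv_input(ip_hdr, ah, payload):
    """Bytes the ICV covers: IPv4 header with mutable fields zeroed,
    AH with its ICV field zeroed, then the upper-layer payload."""
    h = bytearray(ip_hdr)
    h[1] = h[8] = 0                 # DSCP/ECN and TTL change in transit
    h[6:8] = b"\x00\x00"            # flags + fragment offset
    h[10:12] = b"\x00\x00"          # header checksum
    return bytes(h) + ah[:12] + bytes(ICV_LEN) + payload

def build(key, spi, seq, src, dst, payload, proto=17):
    """Sender: transport-mode packet as (ip_hdr, ah, payload); checksum left 0."""
    total = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 51, 0, src, dst)
    ah = struct.pack("!BBHII", proto, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    tag = hmac.new(key, icv_input(ip_hdr, ah, payload), hashlib.sha256).digest()
    return ip_hdr, ah + tag[:ICV_LEN], payload

class Receiver:
    def __init__(self, key):
        self.key, self.top, self.bitmap = key, 0, 0   # top = highest seq accepted
    def accept(self, ip_hdr, ah, payload):
        seq = struct.unpack("!I", ah[8:12])[0]
        # 1. Cheap replay check first: seq 0, left of window, or already seen.
        if seq == 0 or seq + WINDOW <= self.top or (
                seq <= self.top and (self.bitmap >> (self.top - seq)) & 1):
            return "replay"
        # 2. Recompute the ICV and compare in constant time.
        tag = hmac.new(self.key, icv_input(ip_hdr, ah, payload), hashlib.sha256).digest()
        if not hmac.compare_digest(tag[:ICV_LEN], ah[12:12 + ICV_LEN]):
            return "bad-icv"
        # 3. Only an authenticated packet may mark or advance the window.
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "ok"

def demo():
    """Constructed key, SPI and TEST-NET-1 addresses; returns three verdicts."""
    key, a, b = b"k" * 32, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    rx, p1 = Receiver(key), build(key, 0x1000, 1, a, b, b"hello")
    p2 = build(key, 0x1000, 2, a, b, b"hello")
    return [rx.accept(*p1), rx.accept(*p1), rx.accept(p2[0], p2[1], b"hellp")]
```

Because the window is updated only after the ICV verifies, a forged packet carrying a very high sequence number cannot push legitimate traffic out of the window.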
The following figures show an original IP packet and an IP packet with an AH header.