Encapsulating security payload

The encapsulating security payload (ESP) encrypts traffic with use of encryption algorithms, such as 3DES, AES-CBC, and AES-CTR. The security association specifies the algorithm and key used in ESP.

The encapsulating security payload can protect origin authenticity, integrity, and confidentiality of packets. ESP supports encryption-only and authentication-only configurations. The IPsec feature inserts the ESP header after the IP header and before the next layer protocol header in transport mode. Transport mode with ESP encrypts or authenticates only the payload of the IP packet.

Tunnel mode encrypts or authenticates the entire IP packet, including the IP header and data, to provide a secure hop between two hosts, two routers, or a router and a host.

The following figures display the original IP packet and an IP packet with ESP.

Click to expand in new window
Original IP packet
Click to expand in new window
ESP in transport mode