Reference Manual for the ProSafe VPN Firewall FVS114
C-4 Virtual Private Networking
202-10098-01, April 2005
The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header itself, nor does it encrypt the ESP authentication data.
Authentication Header (AH)
AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP. AH also provides optional anti-replay protection, which protects against unauthorized retransmission of packets. The authentication header is inserted into the packet between the IP header and any subsequent packet contents. The payload is not touched.
Although AH protects the packet’s origin, destination, and contents from being tampered with, the identity of the sender and receiver is known. In addition, AH does not protect the data’s confidentiality. If data is intercepted and only AH is used, the message contents can be read. ESP protects data confidentiality. For added protection in certain cases, AH and ESP can be used together. In the following table, IP HDR represents the IP header and includes both source and destination IP addresses.
Figure C-2: Original packet and packet with IPSec Authentication Header
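As an added illustration (example code, not from the manual or the FVS114 firmware), the following Python parses the AH header layout described above and implements the receiver-side anti-replay window that AH's sequence number makes possible. The 12-byte fixed header length, the SPI 0x1000, the sequence numbers and the 96-bit ICV are constructed sample values; the ICV verification itself is omitted.

```python
import struct

# AH header (RFC 4302): Next Header(1) | Payload Len(1) | Reserved(2) | SPI(4) | Seq(4) | ICV
AH_FIXED_LEN = 12

def parse_ah(raw: bytes) -> dict:
    """Parse the fixed AH fields and slice out the ICV; raises on a short buffer."""
    if len(raw) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", raw[:AH_FIXED_LEN])
    total_len = (payload_len + 2) * 4   # Payload Len counts 32-bit words minus 2
    if len(raw) < total_len:
        raise ValueError("AH Payload Len exceeds the buffer")
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": raw[AH_FIXED_LEN:total_len], "ah_len": total_len}

class ReplayWindow:
    """Receiver-side anti-replay state for one inbound SA (sliding bitmap window)."""
    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already seen

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False   # a sequence number of zero is never valid on the wire
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False   # older than the window: cannot prove it is fresh, drop
        if self.bitmap & (1 << offset):
            return False   # already seen: replayed packet
        self.bitmap |= 1 << offset
        return True

def receive_ah(window: ReplayWindow, raw: bytes, expected_spi: int) -> str:
    ah = parse_ah(raw)
    if ah["spi"] != expected_spi:
        return "bad_spi"
    # A real stack verifies the ICV here, before the window is updated.
    return "accept" if window.accept(ah["seq"]) else "replay"

def sample_ah(seq: int, spi: int = 0x1000) -> bytes:
    """Constructed sample AH header: next header 6 (TCP), 96-bit ICV (Payload Len 4)."""
    return struct.pack("!BBHII", 6, 4, 0, spi, seq) + b"\xab" * 12
```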
IKE Security Association
IPSec introduces the concept of the Security Association (SA). An SA is a logical connection between two devices transferring data. An SA provides data protection for unidirectional traffic by using the defined IPSec protocols. An IPSec tunnel typically consists of two unidirectional SAs, which together provide a protected, full-duplex data channel.
The SAs allow an enterprise to control exactly which resources may communicate securely, according to security policy. To do this, an enterprise can set up multiple SAs to enable multiple secure VPNs, as well as define SAs within the VPN to support different departments and business partners.