IPSec supports two security protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). The differences between these protocols are:
AH: provides data origin authentication, data integrity checking, and anti-replay services. The sender runs a hash algorithm over the IP payload and all header fields of the IP packet except the variable fields to generate a message digest. The receiver recalculates the message digest from the received IP packet and compares the two digests to determine whether the packet has been modified during transmission. AH does not encrypt the IP payload. AH is suitable for transmitting non-confidential data.
ESP: encrypts the IP payload in addition to providing all the functions of AH. ESP can encrypt and authenticate the IP payload, but it does not protect the IP packet header. ESP is suitable for transmitting confidential data.
AH and ESP can be used independently or together. When they are used together, ESP encapsulation is performed on the IP packet first, followed by AH encapsulation, to enhance security.
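The following added example (not part of the original text) models the difference in integrity coverage described for AH and ESP: the AH-style digest covers the IP header with its variable fields zeroed plus the payload, while the ESP-style digest covers the payload only. It is a simplified model, not the wire format: the key, addresses and payload are constructed, HMAC-SHA-256 stands in for the hash algorithm, the AH/ESP headers themselves are omitted, and ESP encryption is left out.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed key, assumed shared by both peers

def ipv4_header(src, dst, ttl, payload_len):
    # 20-byte IPv4 header, no options; checksum left at 0 for brevity.
    # Protocol 51 (AH) is used; the ESP-style check ignores the header anyway.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, 51, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_variable_fields(header):
    # Fields that may legitimately change in transit are excluded from the digest.
    h = bytearray(header)
    h[1] = 0                 # TOS (DSCP/ECN)
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_digest(header, payload):
    # AH-style: header (variable fields zeroed) + payload
    return hmac.new(KEY, zero_variable_fields(header) + payload, hashlib.sha256).digest()

def esp_digest(header, payload):
    # ESP-style: the outer IP header is not covered
    return hmac.new(KEY, payload, hashlib.sha256).digest()

def verify(digest_fn, header, payload, received):
    return hmac.compare_digest(digest_fn(header, payload), received)

def demo():
    payload = b"constructed payload"
    n = len(payload)
    sent = ipv4_header("192.0.2.1", "198.51.100.7", 64, n)
    ah_icv, esp_icv = ah_digest(sent, payload), esp_digest(sent, payload)
    cases = {  # what the receiver sees in three constructed scenarios
        "ttl_decremented": (ipv4_header("192.0.2.1", "198.51.100.7", 63, n), payload),
        "source_rewritten": (ipv4_header("203.0.113.9", "198.51.100.7", 64, n), payload),
        "payload_modified": (sent, b"constructed PAYLOAD"),
    }
    return {name: {"ah": verify(ah_digest, h, p, ah_icv),
                   "esp": verify(esp_digest, h, p, esp_icv)}
            for name, (h, p) in cases.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A changed TTL passes both checks, a rewritten source address fails only the AH-style check, and a modified payload fails both.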