IPSec: AH and ESP combined in one command

Unanswered Question
Apr 15th, 2007


IPSec defines two protocols: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol.

I somehow cannot get my mind around why Cisco combines two different protocols, as in the command below:

RTA(config)#crypto ipsec transform-set secure ah-md5-hmac esp-des-hmac

As you can see, the AH protocol is used for authentication and ESP is used for encryption!

Jon Marshall Tue, 04/17/2007 - 22:52


AH is not used that much in the real world in terms of IPSEC VPNs. The reason is that AH does not work well with NAT, and ESP has its own form of authentication built in which, although not quite as rigorous as AH, is adequate for most people.

However, if you really wanted to use ESP purely for encryption and wanted to rely on AH for authentication, then Cisco gives you the option to do that. As I say, not commonly used in the real world.
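
The reason AH and NAT do not mix, as an added worked example that is not part of the original thread: the AH integrity check value (ICV) is computed over the IP header itself (with the mutable fields zeroed, per RFC 4302), so any device that rewrites the source address invalidates it, whereas the ESP ICV (RFC 4303) covers only the ESP header, payload and trailer. The toy below builds one AH transport-mode packet and one authentication-only ESP packet, passes each through a plain router hop (TTL decrement) and through a NAT (source address rewrite), and re-verifies the ICVs. The key, addresses and payload are constructed for the demo; header checksums are left at zero and ESP uses null encryption purely to keep the model short.

```python
"""Toy model of AH vs ESP integrity coverage under NAT (added example,
not from the original thread). ICVs are HMAC-MD5-96 / HMAC-SHA1-96 as in
the transform-set names ah-md5-hmac / esp-sha-hmac."""
import hmac
import hashlib
import struct
import socket

ICV_LEN = 12  # both HMAC variants truncate the MAC to 96 bits

def ipv4_header(src, dst, proto, ttl=64, length=20):
    """Minimal 20-byte IPv4 header, no options; checksum left at 0 (toy)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0x1234, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable_fields(ip_hdr):
    """RFC 4302 s3.3.3.1: DSCP/ECN, flags+fragment offset, TTL and header
    checksum change in transit, so AH zeroes them before computing its ICV.
    Source and destination addresses are NOT in that list."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # DSCP/ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_packet(key, src, dst, spi, seq, payload):
    """AH transport mode: IP | AH | payload. Next header 6 (TCP) assumed.
    AH 'payload len' = length in 32-bit words minus 2 -> 4 for a 24-byte AH."""
    ah_no_icv = struct.pack("!BBHII", 6, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, 51, length=20 + 12 + ICV_LEN + len(payload))
    covered = zero_mutable_fields(ip_hdr) + ah_no_icv + b"\x00" * ICV_LEN + payload
    icv = hmac.new(key, covered, hashlib.md5).digest()[:ICV_LEN]
    return ip_hdr + ah_no_icv + icv + payload

def ah_verify(key, packet):
    ip_hdr, rest = packet[:20], packet[20:]
    ah_no_icv, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    covered = zero_mutable_fields(ip_hdr) + ah_no_icv + b"\x00" * ICV_LEN + payload
    return hmac.compare_digest(icv, hmac.new(key, covered, hashlib.md5).digest()[:ICV_LEN])

def esp_packet(key, src, dst, spi, seq, payload):
    """ESP with authentication only (null cipher for readability).
    Trailer = padding | pad length | next header; ICV covers SPI..next header
    and nothing in the outer IP header."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = b"\x00" * pad_len + bytes([pad_len, 6])
    esp_body = struct.pack("!II", spi, seq) + payload + trailer
    icv = hmac.new(key, esp_body, hashlib.sha1).digest()[:ICV_LEN]
    ip_hdr = ipv4_header(src, dst, 50, length=20 + len(esp_body) + ICV_LEN)
    return ip_hdr + esp_body + icv

def esp_verify(key, packet):
    esp_body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(key, esp_body, hashlib.sha1).digest()[:ICV_LEN])

def router_hop(packet):
    """An ordinary router only decrements TTL, a field AH treats as mutable."""
    h = bytearray(packet)
    h[8] -= 1
    return bytes(h)

def nat_rewrite(packet, new_src):
    """A NAT device decrements TTL and rewrites the source address (immutable for AH)."""
    h = bytearray(router_hop(packet))
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)

def demo():
    key = b"constructed-demo-key"            # constructed, not a real SA key
    payload = b"hello over ipsec"             # constructed inner data
    ah = ah_packet(key, "10.0.0.5", "198.51.100.7", 0x100, 1, payload)
    esp = esp_packet(key, "10.0.0.5", "198.51.100.7", 0x200, 1, payload)
    return {
        "ah_untouched": ah_verify(key, ah),
        "ah_after_router": ah_verify(key, router_hop(ah)),
        "ah_after_nat": ah_verify(key, nat_rewrite(ah, "203.0.113.9")),
        "esp_after_nat": esp_verify(key, nat_rewrite(esp, "203.0.113.9")),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV ok' if ok else 'ICV FAILED'}")
```

The AH packet survives the router hop but fails after the NAT; the ESP packet passes the ICV check after the NAT because its MAC never covered the outer addresses. Two caveats for real deployments: ESP carries no port numbers, so a NAT doing port translation still needs UDP encapsulation (NAT-T, UDP/4500) to forward it, and on IOS the ESP-only equivalent of the transform set in the question is a set such as `esp-aes 256 esp-sha256-hmac`, where the `esp-*-hmac` element is the built-in ESP authentication the reply refers to.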



