AH Tunnel Mode

AH tunnel mode differs from ESP tunnel mode only in how the packet is handled. As shown in Figure 8.11, AH signs the entire packet for integrity, including the new tunnel header (ESP does not sign the tunnel header), and AH does not provide encryption.

Figure 8.11 AH Tunnel Mode

ESP and AH can be combined to provide tunneling that includes both integrity for the entire packet and confidentiality for the original IP packet, which contains the data being sent.
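The difference in integrity coverage can be checked directly. The following is an added example, not part of the original text: it builds an AH and an ESP tunnel-mode packet and verifies each after the outer (tunnel) header has been changed in transit. It assumes HMAC-SHA1-96 as the integrity algorithm, a constructed key and documentation addresses, and an opaque byte string standing in for the encrypted ESP payload.

```python
import hmac, hashlib, socket, struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the page

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # 20-byte IPv4 header without options; checksum left at 0 for brevity
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    # AH zeroes fields routers may change: TOS, flags/fragment offset, TTL, checksum
    h = bytearray(hdr)
    h[1] = h[8] = 0
    h[6:8] = h[10:12] = b"\x00\x00"
    return bytes(h)

def icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96

def ah_tunnel(outer_src, outer_dst, inner_packet, spi=0x1000, seq=1):
    # AH fixed part: next header 4 (IP-in-IP), payload length 4 (24 bytes / 4 - 2)
    ah_fixed = struct.pack("!BBHII", 4, 4, 0, spi, seq)
    outer = ipv4_header(outer_src, outer_dst, 51, 24 + len(inner_packet))
    tag = icv(zero_mutable(outer) + ah_fixed + bytes(12) + inner_packet)
    return outer + ah_fixed + tag + inner_packet

def ah_verify(packet):
    outer, ah_fixed, tag, inner = packet[:20], packet[20:32], packet[32:44], packet[44:]
    return hmac.compare_digest(tag, icv(zero_mutable(outer) + ah_fixed + bytes(12) + inner))

def esp_tunnel(outer_src, outer_dst, protected, spi=0x2000, seq=1):
    # 'protected' stands in for the encrypted inner packet; the ICV skips the outer header
    esp = struct.pack("!II", spi, seq) + protected
    outer = ipv4_header(outer_src, outer_dst, 50, len(esp) + 12)
    return outer + esp + icv(esp)

def esp_verify(packet):
    esp, tag = packet[20:-12], packet[-12:]
    return hmac.compare_digest(tag, icv(esp))

def rewrite_outer(packet, src, ttl):
    # Simulate an in-path change to the outer (tunnel) header, e.g. address translation
    return packet[:8] + bytes([ttl]) + packet[9:12] + socket.inet_aton(src) + packet[16:]

inner = ipv4_header("10.0.1.5", "10.0.2.9", 6, 4) + b"data"  # constructed inner packet

if __name__ == "__main__":
    ah = ah_tunnel("192.0.2.1", "198.51.100.1", inner)
    print(ah_verify(ah), ah_verify(rewrite_outer(ah, "203.0.113.7", 64)))
```

A TTL decrement alone leaves the AH check intact because mutable fields are zeroed before the ICV is computed, while a rewritten outer source address fails AH verification and passes ESP verification.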