Why Use IPSEC AH vs ESP?

AH can be easily inspected by firewalls. ESP with NULL is similar but (AFAIK) the firewall doesn't know that it's the NULL cipher and has no easy way to tell after a connection has been established.

So if you want authentication only then that's a plus for AH.


In my experience, and in EXTREMELY rare cases, I have found a provider or some hop between endpoints that blocks ESP (IP protocol 50). A tunnel successfully establishes, but no traffic gets through. When I see this happen and rule out standard probable causes, I look to AH.

I've used AH to 'prove' that to providers to get them to at least check their end. If it cannot be corrected, it at least provides a transport mechanism in those rare cases where ESP hasn't worked.
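As an added example that is not part of either answer above, the small Python parser below shows what a middlebox can read from an AH packet versus an ESP packet without knowing the security association: AH exposes the inner protocol and payload, while ESP (NULL cipher or not) exposes only SPI and sequence number. The packet bytes, SPI values and the zeroed ICV are constructed placeholders.

```python
import struct

IPPROTO_ESP = 50   # the protocol number the second answer saw blocked in transit
IPPROTO_AH = 51

def ipv4_header(proto, payload):
    # Constructed minimal IPv4 header (checksum left zero) just to carry the demo payload.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def ah_packet(spi, seq, next_hdr, inner, icv):
    # AH header: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV,
    # followed by the inner packet in the clear.
    payload_len = (12 + len(icv)) // 4 - 2
    ah = struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv
    return ipv4_header(IPPROTO_AH, ah + inner)

def esp_packet(spi, seq, inner, icv):
    # ESP-NULL: SPI, seq, then inner packet + trailer (pad len, next header) + ICV.
    # The header carries no cipher identifier, so these bytes look no different from ciphertext.
    return ipv4_header(IPPROTO_ESP, struct.pack("!II", spi, seq) + inner + bytes([0, 6]) + icv)

def inspect(pkt):
    """Return what a middlebox can read from the packet without any SA knowledge."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, data = pkt[9], pkt[ihl:]
    if proto == IPPROTO_AH:
        next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", data[:12])
        ah_len = (payload_len + 2) * 4
        return {"proto": "AH", "spi": spi, "seq": seq,
                "inner_proto": next_hdr, "inner": data[ah_len:]}
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", data[:8])
        return {"proto": "ESP", "spi": spi, "seq": seq, "inner_proto": None, "inner": None}
    return {"proto": proto, "spi": None, "seq": None, "inner_proto": None, "inner": None}

# Constructed sample: a 20-byte TCP header (src port 443 -> dst port 51000) as the
# protected payload, and a zeroed 12-byte ICV placeholder instead of a real HMAC.
INNER = struct.pack("!HHIIBBHHH", 443, 51000, 1, 1, 0x50, 0x18, 65535, 0, 0)
ICV = bytes(12)
AH_SAMPLE = ah_packet(0x1000, 7, 6, INNER, ICV)
ESP_NULL_SAMPLE = esp_packet(0x2000, 7, INNER, ICV)

if __name__ == "__main__":
    for name, pkt in (("AH", AH_SAMPLE), ("ESP-NULL", ESP_NULL_SAMPLE)):
        print(name, inspect(pkt))
```

The ESP-NULL sample does contain the TCP header bytes in the clear, but nothing in the packet tells the firewall that, which is the point the first answer makes.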
