HP-UX IPSec version A.02.00 Administrator's Guide

HP-UX IPSec Overview
Encapsulating Security Payload (ESP)
Nested ESP in AH
An ESP packet can be nested within an AH packet. For example, a
3DES-CBC ESP packet can be nested within an HMAC-MD5 AH packet.
IPSec uses 3DES-CBC to build an ESP packet with the payload data
encrypted using a symmetric key. IPSec then nests the ESP packet
within an AH packet, using a second symmetric key. All the contents of
the packet are authenticated, except the mutable fields of the IP header.
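
The authentication coverage described above, as an added example that is not from the HP guide: it computes an AH integrity check value over an IPv4 packet carrying an ESP packet and shows which changes the receiver accepts. Assumptions: HMAC-MD5-96 truncation (RFC 2403), the mutable IPv4 fields listed in the AH RFC, and constructed keys, SPIs, addresses and ESP bytes (the 3DES-CBC encryption step is not performed; the ESP ciphertext is opaque sample data).

```python
import hashlib
import hmac
import struct

AH_PROTO, ESP_PROTO = 51, 50   # IP protocol numbers for AH and ESP
ICV_LEN = 12                   # HMAC-MD5-96: MD5 output truncated to 96 bits

def ipv4_header(total_len, ttl):
    # Constructed header: 192.0.2.1 -> 192.0.2.2, next protocol AH, checksum left 0.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                       AH_PROTO, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def zero_mutable(ip_hdr):
    # Fields routers may change in transit are zeroed before the ICV is computed.
    h = bytearray(ip_hdr)
    for off in (1, 6, 7, 8, 10, 11):   # TOS, flags/fragment offset, TTL, checksum
        h[off] = 0
    return bytes(h)

def ah_icv(ah_key, ip_hdr, ah_hdr, esp_pkt):
    # ICV covers the IP header, the AH header (ICV field zeroed) and the whole ESP packet.
    data = zero_mutable(ip_hdr) + ah_hdr[:12] + bytes(ICV_LEN) + esp_pkt
    return hmac.new(ah_key, data, hashlib.md5).digest()[:ICV_LEN]

def build(ah_key, esp_pkt, ttl=64):
    # AH fixed part: next header = ESP, length 4 (24 bytes / 4 - 2), reserved, SPI, sequence.
    ah = struct.pack("!BBHII", ESP_PROTO, 4, 0, 0x2001, 1) + bytes(ICV_LEN)
    ip = ipv4_header(20 + len(ah) + len(esp_pkt), ttl)
    return ip + ah[:12] + ah_icv(ah_key, ip, ah, esp_pkt) + esp_pkt

def verify(ah_key, packet):
    ip, ah, esp = packet[:20], packet[20:44], packet[44:]
    return hmac.compare_digest(ah[12:], ah_icv(ah_key, ip, ah, esp))

def mutate(packet, offset, value):
    p = bytearray(packet)
    p[offset] = value
    return bytes(p)

# Constructed inner ESP packet: SPI, sequence number, 8-byte IV, opaque "ciphertext".
ESP = struct.pack("!II", 0x1001, 1) + bytes(range(8)) + bytes(range(16, 32))
AH_KEY = b"constructed-key!"   # sample 16-byte AH key, separate from the ESP key
PKT = build(AH_KEY, ESP)

if __name__ == "__main__":
    print("as sent:            ", verify(AH_KEY, PKT))
    print("TTL decremented:    ", verify(AH_KEY, mutate(PKT, 8, 63)))
    print("source address edit:", verify(AH_KEY, mutate(PKT, 12, 10)))
    print("ESP ciphertext edit:", verify(AH_KEY, mutate(PKT, 60, 0xFF)))
```

Only the TTL change still verifies; edits to the source address or to any byte of the nested ESP packet fail the AH check.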
IPv6
The packet layouts and procedures for authenticated ESP and nested
ESP in AH are the same for IPv6, except that the IP headers may include
header extensions.
Figure 1-8 Nested ESP in AH