With a site-to-site VPN, once the Phase 2 SAs are created and traffic is moving back and forth between sites, I am wondering about the operation of the transform set. Suppose we are running ESP-3DES and SHA-1 as the transform for Phase 2. I know the physical packet structure will then look like this:

Layer 5-7 / TCP/UDP Header / IP Header // ESP Header / New IP Header
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Encrypted Payload

However, my question is: after the packet has been encrypted by IPsec, does the entire packet (the cipher) then run through a SHA-1 hash process and get appended somewhere in the above packet?

Or does the SHA-1 process run BEFORE encryption, over the original packet, and end up getting encrypted somewhere inside the encrypted payload?

Where does the hashed information get stored - in Layer 5-7?




  • Hi,

       Since you are using hashing with IPsec in order to make sure packets are not modified in transit, you first perform encryption and afterwards hashing; the hash is computed over the ESP header, the payload and the ESP trailer. At the destination, you first check the hash and, if all is good, you do the decryption.
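To make the order and the placement concrete, here is an added example that is not part of the original thread: it builds an ESP packet in the encrypt-then-hash order described above, following the RFC 4303 field layout (SPI, Sequence Number, IV, encrypted Payload Data + Padding + Pad Length + Next Header, then the ICV) and the 96-bit truncation of HMAC-SHA1 from RFC 2404. One assumption to note: the Python standard library has no 3DES, so the block cipher is a stand-in keystream built from HMAC-SHA256 over a counter; it is not 3DES-CBC and not secure, and only the framing, the ICV coverage and the verify-before-decrypt order are the point. Keys, IV and the "inner IP packet" are constructed sample values, not captured traffic.

```python
import hashlib
import hmac
import struct

BLOCK = 8          # 3DES block size: ESP pads Payload + Pad Length + Next Header to this
IV_LEN = 8         # 3DES-CBC carries an 8-byte IV at the start of the Payload Data (RFC 2451)
ICV_LEN = 12       # HMAC-SHA1-96: the 20-byte HMAC-SHA1 truncated to its first 96 bits (RFC 2404)
NEXT_HDR_IPIP = 4  # tunnel mode: the encrypted payload is a complete IPv4 packet (IP-in-IP)

# Constructed sample inputs (not captured traffic): keys, IV, and a 29-byte
# stand-in for the original IPv4/TCP packet (20-byte header, 9 bytes of data).
ENC_KEY = b"constructed-3des-stand-in-key"
AUTH_KEY = b"constructed-hmac-sha1-key"
SAMPLE_IV = b"\x00\x11\x22\x33\x44\x55\x66\x77"
SAMPLE_INNER = b"\x45\x00\x00\x1d" + b"\x00" * 16 + b"hello ESP"


def toy_block_cipher(key: bytes, iv: bytes, data: bytes) -> bytes:
    """ASSUMED stand-in for ESP-3DES (stdlib has no 3DES): XOR with a keystream
    of HMAC-SHA256(key, iv || counter) blocks. Symmetric, so it both encrypts
    and decrypts. Not a real cipher; only the ESP framing around it matters here."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def hmac_sha1_96(auth_key: bytes, data: bytes) -> bytes:
    """The ESP authenticator for the SHA-1 transform: HMAC-SHA1 truncated to 12 bytes."""
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_trailer_pad(plaintext: bytes, next_header: int) -> bytes:
    """Append Padding (1, 2, 3, ... per the RFC 4303 default), Pad Length and
    Next Header so the encrypted region is a whole number of cipher blocks."""
    pad_len = (-(len(plaintext) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))
    return plaintext + padding + bytes([pad_len, next_header])


def esp_encapsulate(enc_key, auth_key, spi, seq, iv, inner_packet, next_header=NEXT_HDR_IPIP):
    """Sender: encrypt first, then hash. Returns the ESP packet that the new
    outer IP header gets prepended to. Layout:
        SPI | Seq | IV | ENC(inner_packet | padding | pad len | next hdr) | ICV
        <-------------- covered by the ICV ------------------------------>
    """
    esp_header = struct.pack(">II", spi, seq)              # sent in the clear, but authenticated
    ciphertext = toy_block_cipher(enc_key, iv, esp_trailer_pad(inner_packet, next_header))
    authenticated = esp_header + iv + ciphertext           # ESP header .. ESP trailer, ICV excluded
    return authenticated + hmac_sha1_96(auth_key, authenticated)  # hash goes LAST, outside the ciphertext


def esp_verify(auth_key, packet) -> bool:
    """Receiver step 1: recompute the ICV over everything before it and compare
    in constant time. Nothing is decrypted if this fails."""
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac_sha1_96(auth_key, authenticated))


def esp_decapsulate(enc_key, auth_key, packet):
    """Receiver: verify, then decrypt, then strip the trailer.
    Returns (spi, seq, next_header, inner_packet)."""
    if not esp_verify(auth_key, packet):
        raise ValueError("ICV mismatch: packet altered in transit, dropped before decryption")
    body = packet[:-ICV_LEN]
    spi, seq = struct.unpack(">II", body[:8])
    iv, ciphertext = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    plain = toy_block_cipher(enc_key, iv, ciphertext)
    pad_len, next_header = plain[-2], plain[-1]
    end = len(plain) - pad_len - 2
    inner, padding = plain[:end], plain[end:-2]
    if padding != bytes(range(1, pad_len + 1)):      # RFC 4303 lets the receiver check the pad bytes
        raise ValueError("bad ESP padding")
    return spi, seq, next_header, inner


if __name__ == "__main__":
    pkt = esp_encapsulate(ENC_KEY, AUTH_KEY, 0x1000, 1, SAMPLE_IV, SAMPLE_INNER)
    print("ESP packet:", len(pkt), "bytes; ICV (last 12 bytes):", pkt[-ICV_LEN:].hex())
    print("decapsulated:", esp_decapsulate(ENC_KEY, AUTH_KEY, pkt))
    tampered = bytearray(pkt)
    tampered[20] ^= 0x01                                  # flip one bit inside the ciphertext
    print("tampered packet passes ICV check?", esp_verify(AUTH_KEY, bytes(tampered)))
```

Mapped onto the diagram in the question: the 12-byte ICV is the final field of the ESP packet, after the encrypted region and before the end of the outer IP packet's payload; it is never inside the ciphertext and never in layer 5-7. Because the SPI and sequence number are inside the hashed span, flipping a bit in the cleartext header fails the check just as a flipped ciphertext bit does, and in both cases the receiver drops the packet without ever running the decryption. To turn the example into a real ESP-3DES transform, replace `toy_block_cipher` with 3DES-CBC from a cryptographic library and keep everything else as it is.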




  • Hi Cristian,

    Thank you for the answer and the link, it was quite helpful.
    Yes, I kind of thought that was the way it worked all right, but just wanted to be sure. It's kind of handy when you see it all laid out like that; it helps picture it a lot better. I've seen several resources and people get these concepts wrong, and I just think it's important to be sure how these things really do work, at least on the surface level anyway :)

    I spent a bit of time learning the Diffie-Hellman algorithm and process too, don't ask why - I guess it just interested me lol :)

    Thanks again,



