Quick question on IPSec Transform Set Operation
With a site-to-site VPN, once the Phase 2 SAs are created and traffic is moving back and forward between sites, I am wondering about the operation of the Transform Set. Suppose we are running ESP-3DES and SHA-1 as the transform for Phase 2. I know the physical packet structure will then look like this:
Layer 5-7 / TCP/UDP Header / IP Header // ESP Header / New IP Header
^^^^^^^^^^^^^^^^^^^^^^^^^^ Encrypted Payload
However, my question is: after the packet has been encrypted by IPSec, does the entire packet (cipher) then run through a SHA-1 hash process and get appended somewhere in the above packet?
Does the SHA-1 process run BEFORE encryption over the original packet and end up getting encrypted somewhere inside the encrypted payload?
Where does the hashed information get stored - Layer 5-7?
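
As an added illustration (not part of the original post), this sketch follows the ESP layout in RFC 4303 for the ESP-3DES / SHA-1 transform asked about: the integrity check value (ICV) is an HMAC-SHA1 truncated to 96 bits, computed after encryption over the ESP header, IV and ciphertext, and appended unencrypted as the last field of the packet. The 3DES step is outside the sketch, so the ciphertext, keys and SPI are constructed sample bytes, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ESP_HDR_LEN = 8   # SPI (4 bytes) + sequence number (4 bytes)
IV_LEN = 8        # 3DES-CBC IV, one cipher block
ICV_LEN = 12      # HMAC-SHA1-96: SHA-1 HMAC truncated to 96 bits


def esp_build(spi, seq, iv, ciphertext, auth_key):
    """Sender: authenticate AFTER encrypting (encrypt-then-MAC).

    The ICV covers ESP header + IV + ciphertext. The new outer IP header
    in front of ESP is not covered by the ESP ICV.
    """
    body = struct.pack("!II", spi, seq) + iv + ciphertext
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv  # ICV is the final field and is not encrypted


def esp_verify(packet, auth_key):
    """Receiver: check the ICV first; only then hand ciphertext to 3DES."""
    if len(packet) < ESP_HDR_LEN + IV_LEN + ICV_LEN:
        raise ValueError("truncated ESP packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: drop packet before decryption")
    spi, seq = struct.unpack("!II", body[:ESP_HDR_LEN])
    iv = body[ESP_HDR_LEN:ESP_HDR_LEN + IV_LEN]
    return spi, seq, iv, body[ESP_HDR_LEN + IV_LEN:]


if __name__ == "__main__":
    # Constructed sample values; the ciphertext stands in for the
    # 3DES-encrypted inner IP packet plus ESP trailer (padding, next header).
    key = b"constructed-auth-key"
    pkt = esp_build(0x1000, 1, b"\x00" * IV_LEN, b"\xaa" * 24, key)
    print("ICV (last 12 bytes):", pkt[-ICV_LEN:].hex())
    print("verified:", esp_verify(pkt, key)[:2])
    tampered = pkt[:20] + bytes([pkt[20] ^ 0x01]) + pkt[21:]
    try:
        esp_verify(tampered, key)
    except ValueError as err:
        print("tampered packet rejected:", err)
```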