The Encapsulating Security Payload (ESP) is designed to provide confidentiality (privacy) for data. Depending on which algorithm is used, it can provide integrity and authentication as well.

ESP comes in two different forms.

  1. Transport mode encrypts the transport layer of the OSI model (the host-to-host layer in the TCP/IP model) and the application layers.
  2. Tunnel mode encrypts the network layer of the OSI model (the internetwork layer in the TCP/IP model) and the application layers. Tunnel mode also adds a new IP header and an ESP header to the packet.
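
The two modes laid out over a constructed IPv4/TCP packet, as an added example that is not part of the original page: it returns which bytes stay in cleartext on the wire and which bytes ESP would encrypt. The addresses, SPI, sequence number and function names are assumptions, and the IV, ICV and IP header checksum are left out to keep the layout readable.

```python
import struct

ESP, IPIP = 50, 4  # IANA protocol numbers: ESP and IPv4-in-IPv4

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 in this sketch."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, bytes(src), bytes(dst))

# Constructed sample: host 10.0.0.5 -> 10.0.1.9, bare TCP SYN to port 80.
TCP = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)
PACKET = ipv4_header((10, 0, 0, 5), (10, 0, 1, 9), 6, len(TCP)) + TCP

def esp_layout(packet, mode, spi=0x1000, seq=1,
               gw_src=(192, 0, 2, 1), gw_dst=(198, 51, 100, 1)):
    """Return (cleartext_bytes, bytes_to_encrypt) for the chosen ESP mode.

    spi, seq and the gateway addresses are assumed values for illustration.
    """
    ihl = (packet[0] & 0x0F) * 4
    if mode == "transport":
        inner, next_header = packet[ihl:], packet[9]   # transport layer and up
    elif mode == "tunnel":
        inner, next_header = packet, IPIP              # whole original packet
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    # ESP trailer (RFC 4303): padding, pad length, next header, 4-byte aligned.
    pad_len = -(len(inner) + 2) % 4
    to_encrypt = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp_header = struct.pack("!II", spi, seq)
    esp_len = len(esp_header) + len(to_encrypt)
    if mode == "transport":
        # Original IP header is kept; only protocol and total length change.
        ip = bytearray(packet[:ihl])
        ip[9] = ESP
        struct.pack_into("!H", ip, 2, ihl + esp_len)
        return bytes(ip) + esp_header, to_encrypt
    # Tunnel mode: a new outer IP header between the gateways is prepended.
    return ipv4_header(gw_src, gw_dst, ESP, esp_len) + esp_header, to_encrypt

if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        clear, protected = esp_layout(PACKET, mode)
        print(mode, "cleartext src:", ".".join(map(str, clear[12:16])),
              "| encrypted bytes:", len(protected))
```

In transport mode the original host addresses remain readable in the cleartext header, while in tunnel mode only the gateway addresses of the new outer header are visible.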