<P> The IPsec protocols AH and ESP can be implemented in a host-to-host transport mode, as well as in a network tunneling mode. </P>
<P> In transport mode, only the payload of the IP packet is usually encrypted or authenticated. The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be modified by network address translation, as this always invalidates the hash value. The transport and application layers are always secured by a hash, so they cannot be modified in any way, for example by translating the port numbers. </P>
<P> A means to encapsulate IPsec messages for NAT traversal has been defined by RFC documents describing the NAT-T mechanism. </P>
<P> In tunnel mode, the entire IP packet is encrypted and authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access) and host-to-host communications (e.g. private chat). </P>
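<P> Added example, not part of the original passage: a simplified Python model of the transport-mode integrity check described above, showing that a NAT address rewrite invalidates the AH hash while a TTL change does not, and that translating a port number breaks the hash over the payload. Assumptions: the ICV is HMAC-SHA-256 truncated to 128 bits, the key, addresses, ports and helper names are constructed, and the AH/ESP headers themselves (SPI, sequence number) and encryption are left out. </P>

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(header):
    """Zero the fields that may change in transit; addresses stay covered."""
    h = bytearray(header)
    h[1] = 0                 # DSCP/ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_icv(header, payload):
    """AH-style ICV: immutable IP header fields plus the payload."""
    data = zero_mutable(header) + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def esp_icv(header, payload):
    """ESP-style ICV in transport mode: the IP header is not covered."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:16]

def nat_rewrite(header, new_src):
    """Simulate source NAT: replace the source address (bytes 12..15)."""
    return header[:12] + socket.inet_aton(new_src) + header[16:]

def demo():
    payload = struct.pack("!HH", 40000, 443) + b"constructed segment"
    sent = ipv4_header("10.0.0.5", "198.51.100.7", 51, len(payload))
    routed = sent[:8] + bytes([63]) + sent[9:]        # router decremented TTL
    natted = nat_rewrite(sent, "203.0.113.9")         # NAT changed the source
    ported = struct.pack("!HH", 61000, 443) + payload[4:]  # port translation
    ah, esp = ah_icv(sent, payload), esp_icv(sent, payload)
    return {
        "ah_after_ttl_change": hmac.compare_digest(ah, ah_icv(routed, payload)),
        "ah_after_nat": hmac.compare_digest(ah, ah_icv(natted, payload)),
        "esp_after_nat": hmac.compare_digest(esp, esp_icv(natted, payload)),
        "esp_after_port_rewrite": hmac.compare_digest(esp, esp_icv(natted, ported)),
    }
```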

Protocol that can protect traffic inside a VPN tunnel