IPsec

IPsec secures traffic at the network layer and underpins most site-to-site VPNs. Tunnel mode encrypts the entire original packet (gateway-to-gateway); transport mode encrypts only the payload (host-to-host). Within IPsec, AH provides authentication and integrity only, while ESP provides confidentiality plus integrity — ESP is the one normally used.