Authentication Header

The AH provides data-origin authentication and integrity for the packets passed along the IPSec VPN tunnel. It does not provide any confidentiality (encryption): the payload travels in clear text. Instead of encrypting, AH computes a keyed hash (an HMAC under a key negotiated for the security association) over the datagram, covering the payload and those IP header fields that do not change in transit (mutable fields such as TTL and header checksum are zeroed before the computation). The resulting Integrity Check Value (ICV) is carried in the AH; the receiver recomputes it with the same key and compares the two values to verify whether the datagram was modified during transmission. A match verifies both the integrity of the datagram and that it came from a peer holding the key. Because the source and destination addresses are covered by the ICV, AH does not survive a NAT device that rewrites addresses, which is one reason ESP is deployed far more often.

AH also has an anti-replay feature: each packet carries a monotonically increasing sequence number, and the receiver keeps a sliding window of sequence numbers already accepted, so that a malicious user re-sending packets that have already passed through the tunnel has them discarded.

For data integrity, keyed HMAC variants of MD5, SHA-1 and SHA-2 (HMAC-MD5-96, HMAC-SHA1-96 and HMAC-SHA-256-128 or longer) are typically used in the AH protocol in IPSec. MD5 is deprecated and SHA-1 is being phased out, so new deployments should select a SHA-2 variant.

The following describes how AH encodes the datagram:

  • As the router or firewall prepares the IP datagram, it computes the keyed one-way hash over the datagram to provide integrity.
  • An AH is constructed from the hash value (the ICV), together with the SPI and the sequence number, and is inserted into the original IP datagram. In other words, the datagram is encapsulated with the AH.
  • This new packet is sent across the IPSec VPN tunnel to the other VPN peer.
  • When the recipient device receives the new datagram, it recomputes the keyed hash over the IP header and the data with its own copy of the key. It then compares the generated hash value with the ICV carried in the AH. If both values match, the integrity and authenticity of the datagram have been maintained.
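The procedure above, carried through end to end for IPv4 transport mode, as an added example that is not part of the original text: HMAC-SHA1-96 over the IP header with its mutable fields zeroed, the AH with its ICV field zeroed, and the payload, plus the receiver's ICV check and anti-replay window. The key, SPI, addresses and payload are constructed for the demonstration; field layout follows RFC 4302 and RFC 2404.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTOCOL = 51       # IP protocol number for the Authentication Header
ICV_LEN = 12           # HMAC-SHA1-96: HMAC-SHA-1 output truncated to 96 bits (RFC 2404)
AH_FIXED_LEN = 12      # Next Header, Payload Len, Reserved, SPI, Sequence Number


def ipv4_checksum(hdr):
    """Standard one's-complement IPv4 header checksum."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0, ident=0x1234):
    """Minimal 20-byte IPv4 header without options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_ipv4_fields(hdr):
    """Fields that legitimately change in transit (DSCP/ECN, flags, fragment offset, TTL,
    header checksum) are zeroed before the ICV is computed (RFC 4302 3.3.3.1.1.1).
    Everything else, including both addresses, is covered by the ICV."""
    h = bytearray(hdr)
    h[1] = 0                 # DSCP + ECN
    h[6] = h[7] = 0          # flags + fragment offset
    h[8] = 0                 # TTL
    h[10] = h[11] = 0        # header checksum
    return bytes(h)


def build_ah_fixed(next_header, spi, seq):
    """Fixed 12-byte AH fields. Payload Len is the AH length in 32-bit words minus 2."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)


def compute_icv(key, ip_hdr, ah_fixed, payload):
    """Keyed HMAC over masked IP header | AH with ICV field zeroed | payload, truncated."""
    covered = zero_mutable_ipv4_fields(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, spi, seq, src, dst, inner_proto, payload, ttl=64):
    """Sender side, transport mode: IP header (protocol 51) | AH | original payload."""
    ip_hdr = build_ipv4_header(src, dst, AH_PROTOCOL, AH_FIXED_LEN + ICV_LEN + len(payload), ttl)
    ah_fixed = build_ah_fixed(inner_proto, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


class AhReceiver:
    """Receiver side: ICV verification plus the RFC 4302 anti-replay sliding window."""

    def __init__(self, key, spi, window=64):
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers still inside the window

    def _replay_ok(self, seq):
        if seq == 0:
            return False      # the first packet on an SA carries sequence number 1
        if seq > self.highest:
            return True       # advances the window
        if seq <= self.highest - self.window:
            return False      # older than the window: rejected without a lookup
        return seq not in self.seen

    def _mark(self, seq):
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        self.seen.add(seq)

    def verify(self, packet):
        """Returns (True, payload) on success or (False, reason) on rejection."""
        ip_hdr, rest = packet[:20], packet[20:]
        if ip_hdr[9] != AH_PROTOCOL:
            return False, "not an AH packet"
        ah_fixed = rest[:AH_FIXED_LEN]
        _next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
        ah_total = (payload_len + 2) * 4
        icv, payload = rest[AH_FIXED_LEN:ah_total], rest[ah_total:]
        if spi != self.spi:
            return False, "unknown SPI"
        if not self._replay_ok(seq):
            return False, "replayed or outside the anti-replay window"
        if not hmac.compare_digest(icv, compute_icv(self.key, ip_hdr, ah_fixed, payload)):
            return False, "ICV mismatch: header or payload modified"
        self._mark(seq)       # only after a good ICV, so forged packets cannot move the window
        return True, payload


def demo():
    """Constructed traffic (made-up key, SPI, private addresses, UDP payload)."""
    key, spi = b"\x0b" * 20, 0x1000
    rx = AhReceiver(key, spi)

    def send(seq):
        return bytearray(ah_protect(key, spi, seq, "10.0.0.1", "10.0.0.2", 17, b"constructed payload"))

    results = {"genuine": rx.verify(bytes(send(1)))[0]}
    routed = send(2)
    routed[8] -= 1                                 # TTL decremented in transit: mutable, still verifies
    results["ttl_changed"] = rx.verify(bytes(routed))[0]
    bad = send(3)
    bad[-1] ^= 0x01                                # one flipped payload byte
    results["payload_tampered"] = rx.verify(bytes(bad))[0]
    results["replayed"] = rx.verify(bytes(send(1)))[0]   # sequence number 1 seen already
    natted = send(4)
    natted[12:16] = socket.inet_aton("192.0.2.1")  # source address rewritten, as NAT would
    results["nat_rewritten"] = rx.verify(bytes(natted))[0]
    return results
```

Running `demo()` accepts the genuine packet and the one whose TTL a router decremented, and rejects the tampered payload, the replay and the NAT-rewritten packet. Note the order of checks in `verify`: the window is consulted before the HMAC so that a flood of replays costs no hash computation, but the window is only advanced after the ICV verifies, so an attacker cannot push it forward with forged sequence numbers.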