IPsec (Internet Protocol Security)

Hello David

You’re correct. The IPsec suite uses two protocols for security - AH and ESP.

AH provides data integrity, data origin authentication, and an optional anti-replay service. However, it does not provide any encryption, so the data is not encrypted, which means it’s not confidential.

On the other hand, ESP provides the same services as AH but also provides confidentiality by encrypting the data. So, if you need to encrypt user data, you should use ESP instead of AH.

So in that light, I’d like to revise my statement in the previous post. IKE Phase 2 is responsible for negotiating and establishing Security Associations (SAs) used by protocols such as ESP and AH to apply encryption and other security features. Which protocol is used depends upon the configuration.

For more information on a comparison of AH and ESP, take a look at this NetworkLessons note titled IPSec - ESP vs AH.

I hope this has been helpful!

Laz

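To make the AH-versus-ESP difference from the reply above concrete, here is an added example (not code from the post or from NetworkLessons) that builds an AH-protected IPv4 packet, verifies its ICV the way a receiver would, and shows what a passive observer sees in each protocol. It assumes HMAC-SHA-256-128 for the AH ICV, a constructed key and addresses, and a constructed placeholder for the ESP ciphertext (no real encryption is performed).

```python
import hmac, hashlib, struct

IPPROTO_ESP, IPPROTO_AH = 50, 51
AH_ICV_LEN = 16  # HMAC-SHA-256-128 truncates the MAC to 128 bits (RFC 4868)
KEY = b"constructed-test-key"  # constructed sample key, not a real SA key

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header, no options; checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       64, proto, 0, src, dst)

def ah_icv(ip_hdr, ah_fixed, inner, key):
    """AH ICV over the packet with mutable IPv4 fields zeroed (RFC 4302 3.3.3.1)."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # DSCP/ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    msg = bytes(h) + ah_fixed + bytes(AH_ICV_LEN) + inner  # ICV field zeroed
    return hmac.new(key, msg, hashlib.sha256).digest()[:AH_ICV_LEN]

def build_ah_packet(inner, next_hdr, spi, seq, key):
    payload_len = (12 + AH_ICV_LEN) // 4 - 2   # AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq)
    hdr = ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", IPPROTO_AH,
                      20 + 12 + AH_ICV_LEN + len(inner))
    return hdr + ah_fixed + ah_icv(hdr, ah_fixed, inner, key) + inner

def observe(pkt, key=None):
    """What an observer (or, with the key, a verifying receiver) learns from pkt."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, hdr, body = pkt[9], pkt[:ihl], pkt[ihl:]
    if proto == IPPROTO_AH:
        next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_len = (plen + 2) * 4
        icv, inner = body[12:ah_len], body[ah_len:]
        ok = key is not None and hmac.compare_digest(icv, ah_icv(hdr, body[:12], inner, key))
        # AH: integrity is checkable, but the inner protocol and data are in the clear
        return {"proto": "AH", "spi": spi, "seq": seq, "inner_proto": next_hdr,
                "inner_visible": inner, "integrity_ok": ok}
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # ESP: only SPI and sequence number are readable; the rest is ciphertext + ICV
        return {"proto": "ESP", "spi": spi, "seq": seq, "inner_proto": None,
                "inner_visible": None, "opaque_len": len(body) - 8}
    return {"proto": proto}

AH_PKT = build_ah_packet(b"user data 12345", 17, 0x1000, 1, KEY)
ESP_BODY = struct.pack("!II", 0x2000, 1) + hashlib.sha256(b"placeholder").digest()  # constructed, not real ciphertext
ESP_PKT = ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", IPPROTO_ESP, 20 + len(ESP_BODY)) + ESP_BODY
```

Flipping one byte of the AH payload makes `observe(..., KEY)["integrity_ok"]` false, yet the payload itself was readable all along; the ESP view exposes nothing past the SPI and sequence number.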