You are right.
AH provides ONLY authentication/integrity - with hashes (SHA1 or MD5).
ESP can provide confidentiality AND/OR integrity, authentication.
As IPsec policy settings allow the following settings:
- AH
- AH & ESP
- ESP
I think (but not sure) it means the following:
- AH: Authentication headers to be used
- AH & ESP: ESP with confidentiality and authentication/integrity
- ESP: ESP with confidentiality only
I will check what the throughput is with AH&ESP settings.
Sadly, no specification was found about the encryption engine, and also no info about accelerated algorithms. It is also not mentioned whether hashing is accelerated or not.
(For example, http://oldwiki.openwrt.org/HardwareAcce ... rypto.html says the BCM5365 chip supports accelerating AES, DES, HMAC-SHA1 at 75mbps, but simple SHA1 seems not to be accelerated - only supported(?))
I will check on Monday what the throughput and CPU usage are with AH / AH&ESP / ESP and post here.