Tunnel Mode with ESP When ESP is used in tunnel mode, the original IP header is protected because the entire original IP datagram is encrypted (see Figure 6-2). With ESP authentication mechanism, the original IP datagram and the ESP header are included; however, the new IP header is not included in the authentication. When both authentication and encryption are selected, encryption is performed first, before authentication on the initiator. On the responder, authentication occurs before the decryption. One reason for this order of processing is that it facilitates rapid detection and rejection of replayed or bogus packets by the receiving node. Before decrypting the packet, the receiver can detect the problem and potentially reduce the impact of denial-of-service attacks.