A security administrator is configuring IPsec VPN between two sites. The data transmitted includes sensitive financial records. The administrator wants to ensure both confidentiality and integrity of the data, and also wants to authenticate the source. Which IPsec protocol and mode should be used?
ESP in tunnel mode. ESP provides encryption plus integrity and data-origin authentication, and tunnel mode encrypts the entire original IP packet behind a new outer header addressed to the two VPN gateways, which is what a site-to-site VPN needs.
Why this answer
ESP (Encapsulating Security Payload, RFC 4303) provides confidentiality and, when the security association is configured with an integrity algorithm or an AEAD cipher such as AES-GCM, integrity and data-origin authentication through the ICV appended to each packet. Encryption-only ESP gives no integrity and must not be used. AH (Authentication Header, RFC 4302) provides integrity and authentication, including of the immutable IP header fields, but no encryption, so it cannot meet the confidentiality requirement on its own. Transport mode protects only the transport-layer payload and leaves the original IP header in the clear; tunnel mode encrypts the entire original IP packet, header included, and prepends a new outer IP header.
For a site-to-site VPN the two gateways protect traffic on behalf of the hosts behind them, so tunnel mode is used: the inner source and destination addresses travel inside the encrypted payload, and only the gateway addresses appear on the wire.
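To make the difference between the two modes concrete, here is an added Python example (not from the original question or any IPsec implementation) that builds ESP packets with the RFC 4303 layout in both modes and decapsulates them. It uses only the standard library: the ICV is a real HMAC-SHA256-128, but the encryption is an HMAC-based counter-mode keystream standing in for the AES transform a real SA would negotiate, and the hosts, gateways, keys and TCP bytes are constructed sample data.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

IPPROTO_IPIP = 4   # ESP Next Header value when the protected data is a whole IPv4 packet (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
ICV_LEN = 16       # HMAC-SHA256-128: 256-bit HMAC truncated to 128 bits, as IPsec does


def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:]


def keystream(key, iv, length):
    """Stand-in for the AES transform a real ESP SA uses: a PRF (HMAC-SHA256) run in counter mode."""
    blocks = [hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def esp_encapsulate(spi, seq, enc_key, auth_key, protected, next_header):
    """ESP per RFC 4303: SPI | Seq | IV | Enc(protected | padding | pad_len | next_header) | ICV."""
    iv = os.urandom(16)
    pad_len = (-(len(protected) + 2)) % 4          # pad_len/next_header must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))        # default ESP padding bytes 1, 2, 3, ...
    body = protected + padding + bytes([pad_len, next_header])
    ct = bytes(a ^ b for a, b in zip(body, keystream(enc_key, iv, len(body))))
    authenticated = struct.pack("!II", spi, seq) + iv + ct
    icv = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def esp_decapsulate(esp, enc_key, auth_key):
    """Check the ICV first (integrity + origin authentication), then decrypt and strip the trailer.
    Anti-replay window checking on the sequence number is omitted here."""
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet tampered with or not from the peer")
    spi, seq = struct.unpack("!II", authenticated[:8])
    iv, ct = authenticated[8:24], authenticated[24:]
    body = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, iv, len(ct))))
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[:len(body) - 2 - pad_len]


def tunnel_mode(inner_packet, gw_src, gw_dst, spi, seq, enc_key, auth_key):
    """Tunnel mode: the whole inner IP packet (header included) is encrypted; a new outer header names the gateways."""
    esp = esp_encapsulate(spi, seq, enc_key, auth_key, inner_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def transport_mode(inner_packet, spi, seq, enc_key, auth_key):
    """Transport mode: only the transport payload is encrypted; the original addresses stay in the clear."""
    hdr, payload = inner_packet[:20], inner_packet[20:]
    esp = esp_encapsulate(spi, seq, enc_key, auth_key, payload, hdr[9])   # hdr[9] = original protocol
    return ipv4_header(hdr[12:16], hdr[16:20], IPPROTO_ESP, len(esp)) + esp


def demo():
    """Constructed sample: host 10.1.0.5 (site A) sends a TCP segment to 10.2.0.9 (site B)
    through gateways 203.0.113.1 and 198.51.100.1. Keys are placeholders; a real SA gets them from IKEv2."""
    enc_key, auth_key = b"E" * 32, b"A" * 32
    segment = b"\x04\xd2\x01\xbb" + b"FINANCIAL-RECORD-0001"   # fake TCP header bytes + payload
    inner = ipv4_header("10.1.0.5", "10.2.0.9", IPPROTO_TCP, len(segment)) + segment

    tun = tunnel_mode(inner, "203.0.113.1", "198.51.100.1", 0x1001, 1, enc_key, auth_key)
    trn = transport_mode(inner, 0x1002, 1, enc_key, auth_key)

    # What an eavesdropper on the WAN link sees: the outer IP header is never encrypted in either mode
    outer = lambda pkt: (str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])))

    # Receiving gateway: verify, decrypt, and recover the original packet intact
    _, _, nh, recovered = esp_decapsulate(tun[20:], enc_key, auth_key)
    tunnel_roundtrip = nh == IPPROTO_IPIP and recovered == inner

    # Integrity: flip one ciphertext byte in flight (offset 49 = outer hdr 20 + ESP hdr 8 + IV 16 + 5) and it must be rejected
    tampered = bytearray(tun)
    tampered[49] ^= 0x01
    try:
        esp_decapsulate(bytes(tampered[20:]), enc_key, auth_key)
        rejected = False
    except ValueError:
        rejected = True

    return {"tunnel_outer": outer(tun), "transport_outer": outer(trn),
            "inner_header_visible_in_tunnel": inner[:20] in tun,
            "tunnel_roundtrip": tunnel_roundtrip, "tampered_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Running it shows the tunnel-mode packet carrying only the gateway addresses on the outside, the transport-mode packet exposing the real host addresses, the inner packet recovered byte for byte at the far gateway, and a single flipped byte rejected at the ICV check before any plaintext is produced.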