In many documents on http://www.microsoft.com/isaserver/techinfo/guidan…n.mspx Clint Denham includes a section that briefly describes how IPSec works in tunnel mode. When using Encapsulating Security Payload (ESP), traffic is typically encrypted using Data Encryption Standard (DES) or Triple DES (3DES) and authenticated with SHA1 or MD5. However, you can specify to use Null Encryption, that is no encryption at all, so that the packet structure with ESP can be seen as it traverses the network. Unfortunately, neither of those documents explains how to enable ESP Null Encryption on ISA 2004 in a site-to-site VPN scenario. If you want to know how to do that, read on.
Check out http://users.skynet.be/spouseele/ESPNullEncrypt/IS…on.htm for full details on how to enable IPSec null encryption on ISA firewall site to site VPN tunnel.