AH or not-AH has nothing to do with VPN or end-to-end IPsec use. As Steve Bellovin has pointed out on numerous occasions, the IP header in transport-mode ESP can be "authenticated" merely by doing a compare of the source and destination addresses against static state in the SA...

- Bill
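The address check described in the message above, as an added example that is not part of the original post: after the ESP integrity check passes, the receiver compares the packet's source and destination addresses with the values stored in the SA selected by the SPI. The SA table layout, key, addresses (documentation ranges), function names and verdict strings are assumptions made for illustration; the payload is left unencrypted and the IPv4 checksum is left at zero.

```python
import hmac, hashlib, struct
from ipaddress import IPv4Address

# Constructed SA database keyed by SPI; addresses are documentation ranges.
SAD = {0x1001: {"src": IPv4Address("192.0.2.10"),
                "dst": IPv4Address("198.51.100.20"),
                "key": b"constructed-demo-key"}}

def icv(key, esp_body):
    # HMAC-SHA-256 truncated to 128 bits; covers the ESP header and payload only.
    return hmac.new(key, esp_body, hashlib.sha256).digest()[:16]

def build_packet(src, dst, spi, seq, payload, key):
    """Build a constructed IPv4 + ESP packet (hypothetical helper for the demo)."""
    esp_body = struct.pack("!II", spi, seq) + payload
    esp = esp_body + icv(key, esp_body)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64, 50, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + esp

def check_inbound(packet, sad=SAD):
    """Return a verdict for an inbound transport-mode ESP packet."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 + 16 or packet[9] != 50:  # IP protocol 50 = ESP
        return "not-esp"
    src, dst = IPv4Address(packet[12:16]), IPv4Address(packet[16:20])
    esp_body, tag = packet[ihl:-16], packet[-16:]
    spi = struct.unpack("!I", esp_body[:4])[0]
    sa = sad.get(spi)
    if sa is None:
        return "no-sa"
    if not hmac.compare_digest(tag, icv(sa["key"], esp_body)):
        return "bad-icv"
    # The ICV does not cover the IP header, so the addresses are bound to the
    # SA by comparing them with the static state stored in it.
    if (src, dst) != (sa["src"], sa["dst"]):
        return "address-mismatch"
    return "accept"
```

A packet whose IP source address is rewritten in transit still carries a valid ICV, so only the comparison against the SA rejects it.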