IPsec - ESP vs AH

In IPsec, when choosing between ESP and AH, you will almost always choose ESP. ESP provides confidentiality (encryption) and, with an integrity algorithm configured, origin authentication and integrity protection for the encapsulated payload; configured with the NULL encryption algorithm it provides authentication only, which covers AH's main use case. It is not a strict superset, though: the one thing AH does that ESP does not is authenticate the immutable fields of the outer IP header itself. That is rarely needed in practice, and it is also what stops AH from working across NAT, since NAT rewrites the very addresses AH signs, whereas ESP traverses NAT with UDP encapsulation (NAT-T). RFC 4301 reflects this: IPsec implementations must support ESP and may support AH. So if you can use ESP, choose it over AH.

The argument usually made for AH is that it uses fewer resources (CPU, memory, network bandwidth) because there is no encryption to compute. That argument is largely historical: ESP with NULL encryption also skips encryption and adds almost the same number of bytes per packet as AH, so AH only makes sense in special cases where data confidentiality is not a requirement, system resources are very limited, and there is no NAT on the path. In the past, when some WAN connections ran at a few kilobits per second and network devices had little CPU and memory, it could make sense to shave a few bytes or a cipher operation per packet with AH. In today's networks, with high data capacity, hardware-accelerated encryption and high-performance network equipment, the case for AH is slowly fading.
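As an added illustration (not part of the original article), the script below computes the per-packet overhead that AH and common ESP transforms add to the same payload, using the header layouts of RFC 4302 (AH) and RFC 4303 (ESP) and the usual IV and ICV lengths of the transforms named. The function names and the 100-byte sample payload are constructed for this example. It shows that AH with HMAC-SHA1-96 and ESP-NULL with HMAC-SHA1-96 both cost 24 bytes on a 100-byte IPv4 payload, so the bandwidth saving of AH over authentication-only ESP is nil, while the cost of actually encrypting with AES-GCM is a further 12 bytes.

```python
"""Per-packet overhead of AH versus ESP for the same payload.

Constructed example, not code from the original article. Header sizes
follow RFC 4302 (AH) and RFC 4303 (ESP); IV and ICV lengths follow the
usual transforms: HMAC-SHA1-96 -> 12-byte ICV, HMAC-SHA2-256-128 ->
16-byte ICV, AES-GCM-16 -> 8-byte IV and 16-byte ICV, AES-CBC -> 16-byte IV.
"""

AH_FIXED = 12    # Next Header, Payload Len, Reserved, SPI, Sequence Number
ESP_HEADER = 8   # SPI, Sequence Number
ESP_TRAILER = 2  # Pad Length, Next Header


def _round_up(value: int, align: int) -> int:
    return -(-value // align) * align


def ah_overhead(icv_len: int, ipv6: bool = False) -> int:
    """Bytes AH adds to a packet.

    The AH header (fixed part + ICV) must be a multiple of 4 bytes on IPv4
    and of 8 bytes on IPv6, so the ICV is padded up to that boundary.
    AH's ICV also covers the immutable fields of the outer IP header,
    which is why it does not survive NAT.
    """
    align = 8 if ipv6 else 4
    return _round_up(AH_FIXED + icv_len, align)


def esp_overhead(payload_len: int, icv_len: int,
                 iv_len: int = 0, block: int = 1) -> int:
    """Bytes ESP adds around a payload of payload_len bytes.

    Padding makes (payload + padding + trailer) a multiple of the cipher
    block size and of 4 bytes (RFC 4303 requires the trailer to end on a
    4-byte boundary). The IV precedes the padded region and is not part of
    it. ESP's ICV covers SPI, sequence number, IV, payload, padding and
    trailer, but never the outer IP header.
    """
    align = max(4, block)
    padded = _round_up(payload_len + ESP_TRAILER, align)
    padding = padded - payload_len - ESP_TRAILER
    return ESP_HEADER + iv_len + padding + ESP_TRAILER + icv_len


def compare(payload_len: int, ipv6: bool = False) -> dict:
    """Overhead in bytes for common transforms, keyed by transform name."""
    return {
        "AH HMAC-SHA1-96": ah_overhead(12, ipv6),
        "AH HMAC-SHA2-256-128": ah_overhead(16, ipv6),
        "ESP NULL + HMAC-SHA1-96": esp_overhead(payload_len, icv_len=12),
        "ESP NULL + HMAC-SHA2-256-128": esp_overhead(payload_len, icv_len=16),
        "ESP AES-GCM-16": esp_overhead(payload_len, icv_len=16, iv_len=8),
        "ESP AES-CBC + HMAC-SHA2-256-128":
            esp_overhead(payload_len, icv_len=16, iv_len=16, block=16),
    }


if __name__ == "__main__":
    # Constructed input: a 100-byte transport-mode payload (a small TCP segment).
    for family, ipv6 in (("IPv4", False), ("IPv6", True)):
        print(f"--- {family}, 100-byte payload ---")
        for name, added in compare(100, ipv6).items():
            print(f"{name:34s} {added:3d} bytes")
```

Running it with a 100-byte payload gives 24 bytes for both AH and ESP-NULL with HMAC-SHA1-96, 28 bytes for both with HMAC-SHA2-256-128 on IPv4, 36 bytes for ESP with AES-GCM-16 and 52 bytes for ESP with AES-CBC plus HMAC-SHA2-256-128. On IPv6 the 8-byte alignment rule makes AH with a 16-byte ICV 32 bytes, larger than the equivalent ESP-NULL transform. The CPU cost of AH and ESP-NULL is the same HMAC over roughly the same bytes, so the remaining "saving" of AH is the encryption itself, which ESP-NULL also avoids.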

So unless there is a very specialized use case, such as a requirement to authenticate the outer IP header on a path with no NAT, it is preferable to always use ESP over AH; where only authentication is wanted, ESP with NULL encryption gives that without AH's NAT limitation.