Discover Cryptography News
The IP Security Protocol, Part 2
The original packet is transparently encrypted by the IPSec layer before being sent and decrypted on the receiving side. An eavesdropper capturing packets in any intermediate node will not be able to recover the original contents of the packet (or, at least, he should not be able to do it in a reasonable amount of time).
The link for this article located at Linux Journal is no longer available.