Page 200 - CISSO_Prep_ Guide
ESP is used in one of two modes: transport mode and tunnel mode.
In transport mode, a new ESP header is inserted between the original IP header and the transport layer header. The ESP header provides authentication and integrity, just like AH, but the data in the packet is also encrypted, providing data confidentiality. Unlike AH, however, ESP's integrity check does not cover the outer IP header, so in transport mode the original IP header travels in the clear and is not protected against modification.
In tunnel mode, a new IP header is created, based on the IP addresses of the two ends of the IPsec tunnel. Most often, IPsec is used from network to network rather than between two end-user devices, so the ends of the IPsec tunnel are at a firewall or VPN concentrator rather than at the end-user device. The original IP header is encrypted along with the rest of the packet. This provides authentication, integrity, and confidentiality, and also helps hide the identity of the true sender and receiver of the message, since an observer on the path sees only the addresses of the two tunnel endpoints.
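The following is an added example, not part of the guide, that builds both ESP layouts from RFC 4303 so the difference is visible in bytes: where the original IP header ends up, what the integrity check value (ICV) covers, and what an on-path observer can read. The IPv4 header helper, addresses and keys are constructed for the example, and the cipher is a labelled toy stand-in (a SHA-256 counter keystream) so the block runs on the standard library alone; real IPsec uses AES-GCM or AES-CBC.

```python
import hashlib, hmac, socket, struct

def ipv4_header(src, dst, proto):
    """Constructed minimal 20-byte IPv4 header (length and checksum left zero)."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def _toy_keystream(key, seq, n):
    """Stand-in for AES-CTR (SHA-256 over key||seq||counter); illustration only, not for real use."""
    blocks = [hashlib.sha256(key + struct.pack(">II", seq, i)).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def esp_encapsulate(mode, orig_ip_hdr, transport_hdr, payload, spi, seq,
                    enc_key, auth_key, transport_proto=6, gw_ip_hdr=None):
    """Return the bytes on the wire: outer IP header + ESP header + ciphertext + ICV."""
    if mode == "transport":   # original IP header stays outside; only its protocol field becomes 50 (ESP)
        outer = orig_ip_hdr[:9] + bytes([50]) + orig_ip_hdr[10:]
        inner, nxt = transport_hdr + payload, transport_proto
    elif mode == "tunnel":    # new gateway-to-gateway header; the original IP header is encrypted
        outer, inner, nxt = gw_ip_hdr, orig_ip_hdr + transport_hdr + payload, 4   # Next Header 4 = IPv4
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    esp_hdr = struct.pack(">II", spi, seq)       # SPI + sequence number travel in the clear
    pad_len = (-(len(inner) + 2)) % 4            # trailer must end on a 4-byte boundary
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, nxt])
    ct = bytes(a ^ b for a, b in zip(plaintext, _toy_keystream(enc_key, seq, len(plaintext))))
    icv = hmac.new(auth_key, esp_hdr + ct, hashlib.sha256).digest()[:12]  # HMAC-SHA-256-96 (RFC 4868)
    return outer + esp_hdr + ct + icv            # ICV covers ESP header + ciphertext, not the outer IP header

def esp_decapsulate(wire, enc_key, auth_key, outer_len=20):
    """Verify the ICV, then decrypt and strip the trailer; return (next_header, inner bytes)."""
    esp_hdr, ct, icv = wire[outer_len:outer_len + 8], wire[outer_len + 8:-12], wire[-12:]
    if not hmac.compare_digest(icv, hmac.new(auth_key, esp_hdr + ct, hashlib.sha256).digest()[:12]):
        raise ValueError("ICV check failed: packet modified in transit or wrong SA")
    seq = struct.unpack(">II", esp_hdr)[1]
    pt = bytes(a ^ b for a, b in zip(ct, _toy_keystream(enc_key, seq, len(ct))))
    pad_len, nxt = pt[-2], pt[-1]
    return nxt, pt[:len(pt) - 2 - pad_len]

def visible_endpoints(wire):
    """What an on-path observer reads from the outer IP header (source, destination)."""
    return socket.inet_ntoa(wire[12:16]), socket.inet_ntoa(wire[16:20])

# Constructed sample: 10.0.0.5 (behind gateway 203.0.113.1) sends to 10.1.0.9 (behind 198.51.100.2)
ORIG = ipv4_header("10.0.0.5", "10.1.0.9", 6)
GW = ipv4_header("203.0.113.1", "198.51.100.2", 50)
TCP_HDR, DATA = b"\x00\x50\x1f\x90" + b"\x00" * 16, b"GET / HTTP/1.0\r\n"
KE, KA = b"k" * 32, b"a" * 32   # constructed keys; a real SA derives these via IKE
```

In transport mode `visible_endpoints` returns the real hosts, while in tunnel mode it returns only the two gateways and the original header is recovered only after a successful ICV check and decryption.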