Transport and tunnel mode

ESP can be used in two modes: transport and tunnel mode.

In transport mode, the IP header of the original packet is left unchanged, and the ESP header, the encrypted data and both trailers are inserted after it.

The IP header still contains the unchanged IP address. Transport mode can therefore only be used between two endpoints, for example for the remote configuration of a router. It cannot be used to connect networks via the Internet, because this would require a new IP header with the public IP address of the recipient. In such cases, ESP can be used in tunnel mode.

In tunnel mode, the entire packet, including the original IP header, is encrypted and authenticated, and the ESP header and trailers are added at the entrance of the tunnel. A new IP header is then added to this new packet, this time with the public IP address of the recipient at the end of the tunnel.
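
The two layouts described above, built byte by byte as an added example (not LANCOM code). Assumptions: IPv4 without options, NULL encryption so the wrapped data stays readable for inspection, HMAC-SHA-256-128 as the authentication trailer, and constructed addresses, SPI and key.

```python
import hashlib, hmac, socket, struct

ESP, TCP, IPIP = 50, 6, 4   # IANA protocol numbers

def checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4(src, dst, proto, payload):
    """20-byte IPv4 header (no options) followed by payload."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                    proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return h[:10] + struct.pack("!H", checksum(h)) + h[12:] + payload

def addresses(pkt):
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

def esp(spi, seq, key, data, next_hdr):
    """ESP header | data | ESP trailer | authentication trailer (ICV)."""
    pad_len = -(len(data) + 2) % 4        # trailer must end on a 4-byte boundary
    pad = bytes(range(1, pad_len + 1))    # default padding bytes 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + data + pad + bytes([pad_len, next_hdr])
    # Assumption: NULL encryption, so data stays readable; a real SA encrypts
    # data + trailer here. The ICV covers ESP header through ESP trailer.
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]

def transport(pkt, spi, seq, key):
    # Keep the original addresses; only the payload behind the IP header is wrapped.
    src, dst = addresses(pkt)
    return ipv4(src, dst, ESP, esp(spi, seq, key, pkt[20:], pkt[9]))

def tunnel(pkt, spi, seq, key, gw_src, gw_dst):
    # Wrap the whole packet, original IP header included, behind a new outer header.
    return ipv4(gw_src, gw_dst, ESP, esp(spi, seq, key, pkt, IPIP))

# Constructed sample: private hosts behind two gateways (documentation addresses).
KEY = b"constructed-demo-key-32-bytes!!!"
ORIG = ipv4("10.1.0.5", "10.2.0.9", TCP, bytes(20))   # zeroed stand-in TCP header
T = transport(ORIG, 0x1001, 1, KEY)
U = tunnel(ORIG, 0x1001, 1, KEY, "198.51.100.1", "203.0.113.1")

if __name__ == "__main__":
    for name, p in (("original", ORIG), ("transport", T), ("tunnel", U)):
        print(f"{name:9} {len(p):3} bytes  {addresses(p)}  protocol {p[9]}")
```

The tunnel-mode packet is exactly one IP header (20 bytes) longer than the transport-mode packet, and only its outer header carries addresses that are routable on the Internet.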
