Tunnel Mode and Transport mode - IPsec VPN Tutorial
When using Encapsulating Security Payload (ESP), you can specify one of two modes for ESP to operate in: tunnel mode or transport mode.
Tunnel mode encrypts the whole packet and is used for the establishment of site-to-site VPN tunnels, when securing communication between VPN gateway devices. Tunnel mode provides security for the entire original IP packet, protecting the headers and payload.
The other mode ESP can be configured to operate in is transport mode. It is not as secure as tunnel mode because it encrypts only the data portion of the packet, not the whole packet as tunnel mode does.
Transport mode is commonly used between two different workstations running VPN software. Transport mode protects the payload of the packet and the higher layer protocols. Transport mode leaves the original IP addresses open in clear text. With transport mode, the final destination is generally the host itself rather than a gateway or a router, as it tends to be in tunnel mode. Transport mode provides security to the higher layer protocols only.
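The following Python sketch is an added example, not part of the original tutorial. It lays out an ESP packet in each mode following the RFC 4303 field order and shows which IP addresses stay in clear text. Assumptions: the addresses, SPI and payload are constructed sample values, the encryption step is not performed (the function only returns the bytes that would be encrypted), and the integrity check value is omitted.

```python
import socket
import struct

ESP, IPIP = 50, 4  # IP protocol numbers: ESP and IPv4-in-IPv4

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 in this sketch)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def esp_trailer(data_len, next_header, block=16):
    """ESP trailer: padding bytes 1,2,3..., pad length, next header."""
    pad = (-(data_len + 2)) % block
    return bytes(range(1, pad + 1)) + bytes([pad, next_header])

def encapsulate(packet, mode, gw_src=None, gw_dst=None, spi=0x1000, seq=1):
    """Return (clear_text_part, part_that_would_be_encrypted)."""
    ihl = (packet[0] & 0x0F) * 4
    header, payload = packet[:ihl], packet[ihl:]
    esp_hdr = struct.pack("!II", spi, seq)
    if mode == "transport":
        # Original addresses are kept; only the upper-layer data is protected.
        protected = payload + esp_trailer(len(payload), header[9])
        src, dst = (socket.inet_ntoa(header[i:i + 4]) for i in (12, 16))
    elif mode == "tunnel":
        # The whole original packet is protected behind a new outer header.
        protected = packet + esp_trailer(len(packet), IPIP)
        src, dst = gw_src, gw_dst
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    outer = ipv4_header(src, dst, ESP, len(esp_hdr) + len(protected))
    return outer + esp_hdr, protected

def visible_endpoints(clear_text):
    """Source and destination an on-path observer can read."""
    return tuple(socket.inet_ntoa(clear_text[i:i + 4]) for i in (12, 16))

# Constructed sample: host-to-host packet; DATA stands in for a TCP segment.
DATA = b"GET /payroll HTTP/1.1\r\n\r\n"
ORIGINAL = ipv4_header("10.1.0.5", "10.2.0.9", 6, len(DATA)) + DATA
TRANSPORT = encapsulate(ORIGINAL, "transport")
TUNNEL = encapsulate(ORIGINAL, "tunnel", "198.51.100.1", "203.0.113.1")

if __name__ == "__main__":
    print("transport:", visible_endpoints(TRANSPORT[0]))
    print("tunnel:   ", visible_endpoints(TUNNEL[0]))
```

In the transport result the workstation addresses appear in the clear-text header, while in the tunnel result only the two gateway addresses are readable and the original header sits inside the protected part.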