Tunnel mode protects the internal routing information by encrypting the IP header of the original packet. The original packet is encapsulated by a another set of IP headers. The transport mode encrypts only the payload and ESP trailer; so the IP header of the original packet is not encrypted.