Transport and tunnel mode

Transport: IP [ESP: payload]
Tunnel: IP [ESP: IP payload]

Transport: peer to peer
Tunnel: for VPNs
Transport mode is simpler, and desirable
Tunnel mode is invisible from end node

((The internet cloud))
  |               |
router 1        router 2
  |               |
==+===          ==+==
  |               |
end1            end2

IP(router1->router2) [ESP: IP(end1->end2) payload]