Basically in Tunnel mode, which is the default mode on Cisco routers, the original source and destination IP addresses are encrypted and an ESP header is added followed by a new IP header. The new IP header will have the source and destination IP addresses from the tunnel interfaces.
In Transport mode only the data is encrypted, and the original IP header is placed in front of the ESP header.
In short, if the encrypted traffic isn't the endpoint of the tunnel, tunnel mode will be used.
From an earlier discussion on networking-forum:
"Tunnel mode vs. transport mode simply determines how the devices terminating the "tunnel" treat it. For example, if two PCs establish an IPsec connection between each other solely for the purpose of encrypting traffic originating from one PC destined to the other, that would be a transport mode connection. If two routers establish an IPsec connection between each other for the purpose of acting as gateways for their local LAN to access the remote LAN, that would be a tunnel mode connection.
Transport mode IPsec is typically only used between two servers for the purpose of encrypting a data channel just between the two servers. Tunnel mode is much more frequently used, and is always the mode for site-to-site connections between routers." - ibarrere
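As an added illustration of the two layouts described in this answer (example code, not from the original answer or from any forum participant), the following Python builds the same constructed IPv4 packet in ESP transport and tunnel mode and shows what an on-path observer reads from the leading IP header in each case. The addresses, key and payload are constructed; the protected region is left readable as a stand-in for real encryption, so only the header ordering and the ESP Next Header values are meaningful.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50   # IP protocol number carried in the outer header for ESP
IPIP_NEXT = 4    # ESP Next Header: protected data is a whole IPv4 packet (tunnel mode)
TCP_PROTO = 6
ICV_LEN = 16     # truncated HMAC-SHA-256 integrity check value, 128 bits

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: no options, checksum left as zero for brevity."""
    addrs = [bytes(int(o) for o in a.split(".")) for a in (src, dst)]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, *addrs)

def parse_ipv4(pkt: bytes) -> tuple:
    """What an on-path observer can read: (src, dst, protocol) from the leading IP header."""
    proto, src, dst = pkt[9], pkt[12:16], pkt[16:20]
    return ".".join(map(str, src)), ".".join(map(str, dst)), proto

def esp_wrap(protected: bytes, next_header: int, spi: int, seq: int, key: bytes) -> bytes:
    """ESP header | protected data | padding | pad len | next header | ICV (RFC 4303 order).
    Stand-in: the protected region is left readable here; real ESP encrypts it."""
    pad_len = (-(len(protected) + 2)) % 4            # trailer must end on a 4-byte boundary
    body = (struct.pack("!II", spi, seq) + protected
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header]))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

def esp_next_header(esp: bytes) -> int:
    """Next Header byte sits just before the ICV; it tells the receiver what it decapsulated."""
    return esp[-ICV_LEN - 1]

def transport_mode(inner: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Original IP header stays in front; only the transport payload is protected."""
    src, dst, inner_proto = parse_ipv4(inner)
    esp = esp_wrap(inner[20:], inner_proto, spi, seq, key)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp   # header rewritten to carry ESP

def tunnel_mode(inner: bytes, tun_src: str, tun_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Whole original packet, header included, is protected; new header names the tunnel endpoints."""
    esp = esp_wrap(inner, IPIP_NEXT, spi, seq, key)
    return ipv4_header(tun_src, tun_dst, ESP_PROTO, len(esp)) + esp

# Constructed sample: host 10.0.1.5 talks TCP to 10.0.2.7 via gateways 203.0.113.1 / 198.51.100.1.
KEY = b"constructed-demo-key"
INNER = ipv4_header("10.0.1.5", "10.0.2.7", TCP_PROTO, 12) + b"hello-tcp-pl"

if __name__ == "__main__":
    for name, pkt in (("transport", transport_mode(INNER, 0x1001, 1, KEY)),
                      ("tunnel", tunnel_mode(INNER, "203.0.113.1", "198.51.100.1", 0x1002, 1, KEY))):
        print(name, "on-wire view:", parse_ipv4(pkt), "next header:", esp_next_header(pkt[20:]))
```

In transport mode the observer still sees the real hosts 10.0.1.5 and 10.0.2.7 with protocol 50; in tunnel mode only the gateway addresses are visible and the trailer's Next Header is 4, marking an encapsulated IP packet.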