In AH:
a) Transport Mode:
Entire packet authenticated
b) Tunnel Mode:
Entire packet authenticated
https://imgur.com/a/yfnyRxn
In ESP:
1) Transport Mode:
Only ESPH-ESPT authenticated
Original IP Header not authenticated.
2) Tunnel Mode:
Only ESPH-ESPT authenticated
New IP Header not authenticated.
https://imgur.com/a/TawV5KA
Why is this difference found in them? Is there a reason behind them? Why not authenticate all of the packet? What problem would it create?
And why is there no such thing called AH auth but there's ESP Auth? Shouldn't AH Auth data also be in the figure shown above?
Also, is there a reason why the modes are named "Tunnel" and "Transport"?
Source: https://networklessons.com/cisco/ccie-routing-switching/ipsec-internet-protocol-security
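The coverage difference asked about above can be made concrete by computing the ICV over exactly the bytes each protocol covers. The following is an added example, not code from the original post or from any IPsec implementation: it builds a minimal IPv4 transport-mode AH packet and ESP packet, computes HMAC-SHA-256 truncated to 128 bits (the HMAC-SHA-256-128 integrity algorithm of RFC 4868) over the AH-covered span (IP header with mutable fields zeroed, per RFC 4302) and over the ESP-covered span (SPI through trailer, per RFC 4303), then simulates two in-transit changes: a router decrementing TTL, and a NAT rewriting the destination address. ESP is shown with NULL encryption so the payload bytes stay visible. The key, addresses, SPI and payload are constructed sample values.

```python
"""Added example (not from the original post): which bytes AH and ESP
authenticate, shown with real HMAC computations over a constructed packet.

Assumptions: HMAC-SHA-256-128 (RFC 4868) as the integrity algorithm, ESP with
NULL encryption (RFC 2410) so the payload is visible, IPv4 transport mode, and
constructed sample values for the key, addresses, SPI and payload.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-do-not-reuse"   # constructed sample key
ICV_LEN = 16                                  # 128-bit truncated HMAC
PROTO_TCP, PROTO_ESP, PROTO_AH = 6, 50, 51
SPI, SEQ = 0x1000, 1                          # constructed sample SA values
PAYLOAD = b"constructed upper-layer payload (pretend TCP)"


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def ipv4_header(src, dst, proto, total_len, ttl):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                                0x4000, ttl, proto, 0, _ip(src), _ip(dst)))
    s = sum(struct.unpack("!10H", bytes(hdr)))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    hdr[10:12] = struct.pack("!H", (~s) & 0xFFFF)
    return bytes(hdr)


def _mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


# ---- AH (RFC 4302): ICV covers the IP header too, with mutable fields zeroed
def _ah_covered_bytes(ip_hdr, ah_no_icv, payload):
    h = bytearray(ip_hdr)
    h[1] = 0                    # DSCP/ECN: may be rewritten in transit
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL: decremented by every router
    h[10:12] = b"\x00\x00"      # header checksum: recomputed after TTL change
    # The ICV field itself is treated as zero for the computation.
    return bytes(h) + ah_no_icv + b"\x00" * ICV_LEN + payload


def build_ah(src, dst, ttl=64):
    ah_len = 12 + ICV_LEN                                  # fixed part + ICV
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + ah_len + len(PAYLOAD), ttl)
    # Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence
    ah_no_icv = struct.pack("!BBHII", PROTO_TCP, ah_len // 4 - 2, 0, SPI, SEQ)
    icv = _mac(_ah_covered_bytes(ip_hdr, ah_no_icv, PAYLOAD))
    return ip_hdr + ah_no_icv + icv + PAYLOAD


def verify_ah(pkt):
    ip_hdr, ah_no_icv = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, _mac(_ah_covered_bytes(ip_hdr, ah_no_icv, payload)))


# ---- ESP (RFC 4303): ICV covers SPI..trailer only; the IP header is outside it
def build_esp(src, dst, ttl=64):
    pad_len = (-(len(PAYLOAD) + 2)) % 4                    # align trailer to 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, PROTO_TCP])
    body = struct.pack("!II", SPI, SEQ) + PAYLOAD + trailer  # NULL encryption
    esp = body + _mac(body)
    ip_hdr = ipv4_header(src, dst, PROTO_ESP, 20 + len(esp), ttl)
    return ip_hdr + esp


def verify_esp(pkt):
    esp = pkt[20:]                                         # IP header ignored
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(icv, _mac(body))


def swap_ip_header(pkt, src, dst, ttl):
    """Model what a router or NAT does: rewrite outer header fields, keep the rest."""
    old = pkt[:20]
    total_len = struct.unpack("!H", old[2:4])[0]
    return ipv4_header(src, dst, old[9], total_len, ttl) + pkt[20:]


def coverage_demo():
    """Verify each packet after two in-transit changes; returns the pass/fail map."""
    results = {}
    for name, build, verify in (("AH", build_ah, verify_ah), ("ESP", build_esp, verify_esp)):
        pkt = build("10.0.0.1", "10.0.0.2", ttl=64)
        results[name] = {
            "unchanged": verify(pkt),
            "ttl_decremented": verify(swap_ip_header(pkt, "10.0.0.1", "10.0.0.2", 63)),
            "dst_rewritten": verify(swap_ip_header(pkt, "10.0.0.1", "192.0.2.9", 63)),
        }
    return results


if __name__ == "__main__":
    for proto, r in coverage_demo().items():
        print(proto, r)
```

Running it shows why the two protocols differ: AH survives the TTL decrement only because RFC 4302 zeroes the mutable fields before the ICV is computed, and it fails as soon as a NAT rewrites the destination address, because the addresses are immutable fields inside its coverage. ESP passes both, since nothing in the outer IP header is under its ICV at all, which is the price paid for letting ESP traverse NAT and leaves the outer header unprotected unless AH is layered on top, as the answer below describes.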
Found a good summary of the differences: https://www.ibm.com/docs/en/zos/2.3.0?topic=ipsec-ah-esp-protocols
AH auth would be redundant: Authentication Header auth. Rather, AH is auth, nothing more. ESP can provide richer functions, but you may want to use AH and ESP together to have the functions ESP brings enclosed in the full auth we get with AH.