IPSec ESP tunnel mode encrypts the entire IP packet, including the IP header itself. This allows the system to hide as much information as possible from potential eavesdroppers.

Since an IP header is required on a packet that needs to be routed across a network, a new IP header is placed on the packet. The IP addresses used for this new IP header are obtained from the security association, which is set up by the administrator.