Last Updated: 2021-05-16
Short for "IP security"
The two modes (tunnel and transport) are distinguished by the "next protocol" header: for tunneling it will be IP; for transport it will be TCP (or something at that level).
On arrival at the destination (and after authentication etc.) the packet is converted into an IP datagram, which is injected into the usual routing process. Often the endpoint is treated as a virtual network interface (like localhost or ethernet).
Open up ports 50/51 TCP and 500 UDP
Why? Because the checksum used in AH includes the IP address field. That field, however, changes at the NAT stage, for example when translating from a public IP address to a local network one (192.168..). Because the NAT machine doesn't know the IPsec secret key, it can't recreate a valid checksum, so the AH packet will fail to validate on the other end.
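The NAT failure described above, as an added example that is not part of the original notes: a simplified Python model of the AH integrity check surviving a normal router hop but failing after a NAT destination rewrite. It goes one step beyond the text by contrasting an ESP-style check, which does not cover the outer IP header. Assumptions: the key, addresses and payload are constructed, the ICV is modelled as HMAC-SHA-256 truncated to 16 bytes, and the AH header itself is left out of the ICV input.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-sa-key"  # constructed; shared only by the two IPsec peers

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (header checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(header):
    """AH zeroes fields that change in transit before computing the ICV."""
    h = bytearray(header)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)

def ah_icv(header, payload):
    """Simplified AH ICV: covers the IP header (addresses included) + payload."""
    return hmac.new(KEY, zero_mutable(header) + payload, hashlib.sha256).digest()[:16]

def esp_icv(header, esp_body):
    """Simplified ESP ICV: covers the ESP body only; the outer header is ignored."""
    return hmac.new(KEY, esp_body, hashlib.sha256).digest()[:16]

def nat_rewrite_dst(header, local_dst):
    """NAT swaps the destination address; it has no KEY to recompute an ICV."""
    return header[:16] + socket.inet_aton(local_dst) + header[20:]

def router_hop(header):
    """An ordinary router only decrements TTL (a mutable field)."""
    return header[:8] + bytes([header[8] - 1]) + header[9:]

def demo():
    body = b"constructed payload"
    sent = ipv4_header("198.51.100.7", "203.0.113.5", 51, len(body))  # 51 = AH
    ah, esp = ah_icv(sent, body), esp_icv(sent, body)
    hopped = router_hop(sent)
    natted = nat_rewrite_dst(hopped, "192.168.1.10")  # public -> local address
    return {
        "ah_valid_after_hop": hmac.compare_digest(ah, ah_icv(hopped, body)),
        "ah_valid_after_nat": hmac.compare_digest(ah, ah_icv(natted, body)),
        "esp_valid_after_nat": hmac.compare_digest(esp, esp_icv(natted, body)),
    }

if __name__ == "__main__":
    print(demo())
```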
It knows that you connected to another IP address on the other end of the tunnel, but it does not know what website or data you requested via that other end of the tunnel.