IPSec (2nd Edition)

The next header field indicates the type of data that is contained in the payload data field what ESP is actually protecting. If ESP is applied in transport mode (Figure 5.2), the ESP header is placed between the IP header and the upper-layer protocol header and the next header field will indicate the type of upper-level protocol that follows, for example TCP would be six (6).If ESP is applied in tunnel mode (Figure 5.3), an entire IP datagram is encapsulated by another IP datagram and the ESP header is placed between the two. In tunnel mode the next header field with therefore be the value four (4) for IPv4 or fourty-one (41) for IPv6, indicating IP-in-IP encapsulation.