IPSec has two different modes: transport mode and tunnel mode.
Only the tunnel mode can be used
https://en.wikipedia.org/wiki/IPsec
In tunnel mode, the entire IP packet is encrypted and authenticated. It is then encapsulated into a
new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for
network-to-network communications (e.g. between routers to link sites), host-to-network
communications (e.g. remote user access) and host-to-host communications (e.g. private chat).
Incorrect answers:
Encapsulating Security Payload (ESP) authentication must be used. ESP in transport mode does not
provide integrity and authentication for the entire IP packet. However, in Tunnel Mode, where the
entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded
to the whole inner IP packet (including the inner header) while the outer header (including any outer
IPv4 options or IPv6 extension headers) remains unprotected.
IPSec does not involve gateways. Wrong.
Only transport mode can be used. Transport mode, the default mode for IPSec, provides for
end-to-end security. It can secure communications between a client and a server. When using the
transport mode, only the IP payload is encrypted.
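
The ESP coverage described above (transport mode leaves the IP header outside ESP, tunnel mode protects the inner header but not the outer one), as an added example that is not part of the original explanation. It uses ESP with NULL encryption and an HMAC-SHA-256-128 ICV so the packet layout stays readable; the key, SPIs, addresses and helper names are constructed for illustration.

```python
import hashlib, hmac, socket, struct

KEY = bytes(range(32))   # constructed HMAC key, for this example only
ICV_LEN = 16             # HMAC-SHA-256-128 truncates the tag to 16 bytes

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; the header checksum is left at 0 for brevity.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def esp(spi, seq, protected, next_header):
    # SPI | sequence | protected data | padding | pad length | next header | ICV
    pad_len = -(len(protected) + 2) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = struct.pack("!II", spi, seq) + protected + trailer
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]

def transport_mode(src, dst, proto, l4):
    # Original IP header stays in front of ESP, so only the payload is covered.
    e = esp(0x1001, 1, l4, proto)
    return ipv4_header(src, dst, 50, len(e)) + e          # 50 = ESP

def tunnel_mode(gw_src, gw_dst, src, dst, proto, l4):
    # Whole original packet (inner header included) goes inside ESP.
    inner = ipv4_header(src, dst, proto, len(l4)) + l4
    e = esp(0x1002, 1, inner, 4)                          # 4 = IPv4-in-IPv4
    return ipv4_header(gw_src, gw_dst, 50, len(e)) + e

def icv_valid(packet):
    # Receiver side: skip the 20-byte outer header, recompute the ICV.
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)

def flip(packet, offset):
    # Return a copy of the packet with one byte altered in transit.
    tampered = bytearray(packet)
    tampered[offset] ^= 0xFF
    return bytes(tampered)

if __name__ == "__main__":
    data = b"constructed UDP payload"
    t = transport_mode("192.0.2.10", "198.51.100.20", 17, data)
    u = tunnel_mode("203.0.113.1", "203.0.113.2", "192.0.2.10", "198.51.100.20", 17, data)
    print("transport, IP header byte altered :", icv_valid(flip(t, 15)))
    print("transport, payload byte altered   :", icv_valid(flip(t, 28)))
    print("tunnel, outer header byte altered :", icv_valid(flip(u, 15)))
    print("tunnel, inner header byte altered :", icv_valid(flip(u, 43)))
```

Offset 15 is the last byte of the source address in the first IP header; offset 43 is the same field in the encapsulated inner header of the tunnel-mode packet.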