In IPsec tunnel mode, the entire IP packet is encrypted and authenticated. The encrypted packet is then encapsulated in a new IP packet with a new IP header. In other words, the whole original packet is encrypted before it is transferred.
With tunnel mode, the entire original IP packet is protected by IPsec. This means that IPsec wraps the original packet, encrypts it, adds a new IP header, and sends it to the other side of the VPN tunnel (the IPsec peer).
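The wrapping described above, as an added example that is not from the original page: it builds an inner IPv4 packet, encapsulates it ESP-style in tunnel mode, and shows which fields remain readable on the wire. It assumes ESP with an HMAC-SHA-256-128 integrity check; the addresses, SPI, keys and IV are constructed, and `keystream_xor` is a labelled stand-in for a real cipher such as AES, not an actual ESP transform.

```python
import hashlib, hmac, socket, struct

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = sum(struct.unpack("!10H", hdr))
    csum = (csum & 0xFFFF) + (csum >> 16)
    csum = ~((csum & 0xFFFF) + (csum >> 16)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

def keystream_xor(key, iv, data):
    """Stand-in cipher (SHA-256 counter keystream), NOT a real ESP transform."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + struct.pack("!I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def esp_tunnel_encap(inner, gw_src, gw_dst, spi, seq, enc_key, auth_key, iv):
    """Wrap a whole inner IPv4 packet: new IP header | ESP header | IV | ciphertext | ICV."""
    pad_len = -(len(inner) + 2) % 4                      # 4-byte alignment (RFC 4303)
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])  # next header 4 = IPv4
    esp_hdr = struct.pack("!II", spi, seq)
    ciphertext = keystream_xor(enc_key, iv, inner + trailer)      # inner header is encrypted too
    icv = hmac.new(auth_key, esp_hdr + iv + ciphertext, hashlib.sha256).digest()[:16]
    esp = esp_hdr + iv + ciphertext + icv
    return ipv4_header(gw_src, gw_dst, 50, len(esp)) + esp        # IP protocol 50 = ESP

def observer_view(packet):
    """Fields an on-path observer without keys can read from the outer packet."""
    spi, seq = struct.unpack("!II", packet[20:28])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9], "spi": spi, "seq": seq}

# Constructed sample: host 10.1.0.5 sends UDP to 10.2.0.9 through two gateways.
ENC_KEY, AUTH_KEY, IV = b"E" * 32, b"A" * 32, bytes(range(8))
INNER = (ipv4_header("10.1.0.5", "10.2.0.9", 17, 12)
         + struct.pack("!HHHH", 40000, 53, 12, 0) + b"data")
PACKET = esp_tunnel_encap(INNER, "198.51.100.1", "203.0.113.1", 0x1000, 1,
                          ENC_KEY, AUTH_KEY, IV)

if __name__ == "__main__":
    print(observer_view(PACKET))
    print("inner source address visible:", socket.inet_aton("10.1.0.5") in PACKET)
```

Only the gateway addresses, the ESP protocol number, the SPI and the sequence number are readable in the outer packet; the inner header with the real endpoints sits inside the ciphertext.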