Which IPsec mode is commonly used for site-to-site VPNs?

Prepare for the Network Security (NETSEC) 3 Test with flashcards and multiple choice questions. Each question offers hints and explanations. Get exam-ready efficiently!

Multiple Choice

Which IPsec mode is commonly used for site-to-site VPNs?

Explanation:
In IPsec, the mode determines how much of the original IP packet is protected and how the packet is delivered between endpoints. For site-to-site VPNs, you want to connect two networks across a public network by creating a secure tunnel between gateways. Tunneling mode encrypts and authenticates the entire original IP packet and then encapsulates it inside a new IP packet, so the two gateways can route traffic between the entire networks as if they were directly connected. This makes it the standard choice for network-to-network connections.

Transport mode, on the other hand, protects only the payload of the IP packet and leaves the original header unchanged, which makes it more suitable for host-to-host communication than for linking two networks. So it isn't commonly used for site-to-site VPNs. Using both modes isn't typical for a single site-to-site connection, and the answer cannot be neither mode, because one mode clearly fits the network-to-network scenario.
