Which statement about IPsec tunnel mode is correct?


Multiple Choice


Explanation:
IPsec tunnel mode is designed for gateway-to-gateway (network-to-network) VPNs, where the entire original IP packet is encapsulated inside a new IP header. Because the outer header is what firewalls and routers see, these devices can treat the tunnel as a single secure path between two gateways, filtering on the gateway endpoints and the standard IPsec ports (and NAT traversal can use UDP 4500). This makes tunnel mode comparatively firewall-friendly since you manage access at the gateway level rather than configuring rules for every internal host.

Host-to-host protection, by contrast, is characteristic of transport mode, where only the payload is protected and the original IP header remains intact, enabling end-to-end protection between specific hosts. Since tunnel mode targets gateway-to-gateway communications, the statement about firewall-friendliness best captures its typical advantage, not the notion of end-to-end host protection.

