IPSec transport mode is used between cryptographic peers, for example between two Windows 2000 workstations running the IPSec clients. Transport mode is for peer-to-peer tunneling, and it leaves the source and destination addresses of the peer endpoints in the clear.
Tunnel mode, as the name implies, provides proxy tunneling between entire networks. When you create a VPN between two routers to encrypt traffic between networks over the Internet, you need to use IPSec tunnel mode. IPSec tunnel mode encapsulates the entire IP packet, as produced by a workstation on the internal network, and places a routable IP header in front of the encapsulated packet. This new outer header uses the outside-interface (public) IP addresses of the Internet-connected routers as its source and destination addresses. Thus, the packet is completely routable across the Internet.
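
The following added example (not part of the original text) builds the same inner packet in both modes and shows which addresses an on-path observer can read from the cleartext header. The addresses, SPI and payload are constructed sample values; the XOR is only a stand-in for ESP encryption, and the ESP integrity check value is omitted.

```python
import socket, struct

ESP, IPIP = 50, 4  # IP protocol numbers: ESP, and IPv4-in-IPv4 (tunnel-mode next header)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]

def visible_addresses(packet):
    """What an observer reads from the cleartext IP header: (src, dst, protocol)."""
    proto, _cksum, src, dst = struct.unpack("!BH4s4s", packet[9:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto

def esp(spi, seq, plaintext, next_header):
    """ESP header + protected body (data, padding, pad length, next header)."""
    pad = (-(len(plaintext) + 2)) % 4               # align the trailer to 4 bytes
    inner = plaintext + bytes(range(1, pad + 1)) + bytes([pad, next_header])
    sealed = bytes(b ^ 0x5A for b in inner)         # stand-in for encryption, NOT real crypto
    return struct.pack("!II", spi, seq) + sealed

def transport_mode(packet, spi, seq):
    """Keep the original addresses; protect only what follows the IP header."""
    src, dst, proto = visible_addresses(packet)
    body = esp(spi, seq, packet[20:], proto)
    return ipv4_header(src, dst, ESP, len(body)) + body

def tunnel_mode(packet, gw_src, gw_dst, spi, seq):
    """Protect the whole original packet; the new outer header carries gateway addresses."""
    body = esp(spi, seq, packet, IPIP)
    return ipv4_header(gw_src, gw_dst, ESP, len(body)) + body

# Constructed sample: a workstation on one internal network talking to another.
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"                  # placeholder for the TCP segment
INNER = ipv4_header("10.1.1.10", "10.2.2.20", 6, len(PAYLOAD)) + PAYLOAD

if __name__ == "__main__":
    print("transport:", visible_addresses(transport_mode(INNER, 0x1001, 1)))
    print("tunnel:   ", visible_addresses(
        tunnel_mode(INNER, "192.0.2.1", "198.51.100.1", 0x1001, 1)))
```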