The benefit of using the AH is it protects the external IP header information and the data contents of the datagram.

In tunnel mode, a new IP header is created and added to the datagram. The new IP header is encapsulated on the datagram, protecting the original IP header.

In transport mode, the authentication header is encapsulated to the datagram only: