ESP tunnel mode
ESP tunnel mode encapsulates the entire original IP packet between an ESP header (preceded by a new IP header) and an ESP authentication trailer.

The signed portion of a packet is the part covered by the integrity check, which provides integrity and authentication. The encrypted portion is the part protected for confidentiality.

Because a new tunnel header is added to the packet, everything after the ESP header (except the ESP authentication trailer) is signed, since at this point these contents are encapsulated as the payload of the tunnel packet. The original IP header is placed after the ESP header. Before encryption, the ESP trailer is appended to the whole packet. Everything after the ESP header is then encrypted, except the ESP authentication trailer. This includes the original IP header, which is now treated as part of the data portion of the packet.

The entire ESP payload is then encapsulated behind a new, unencrypted tunnel header. The information in this new tunnel header is used only to carry the packet from the source address to the tunnel endpoint.

When the packet is sent across a public network, it is routed to the IP address of the receiving intranet's gateway. The gateway verifies and decrypts the packet, discards the ESP header and trailer, and routes the packet to the intranet host using the original IP header.
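The layout described above, as an added illustration that is not part of the original page: the original packet (header and data) plus the ESP trailer is encrypted, the integrity check covers the ESP header and everything after it up to the authentication trailer, and the outer tunnel header is covered by neither. Keys, SPI and addresses are constructed demo values, and the keystream function is a standard-library stand-in for the negotiated ESP cipher, not a real ESP transform.

```python
import hmac, hashlib, os, struct

# Constructed demo keys and SPI; a real SA gets these from IKE.
ENC_KEY = b"\x11" * 32
AUTH_KEY = b"\x22" * 32
SPI = 0x1000
ICV_LEN = 12  # truncated HMAC, in the style of HMAC-SHA1-96 ICVs

def keystream(key, iv, n):
    # HMAC-SHA256 counter-mode keystream standing in for the negotiated ESP cipher
    # (not a real ESP transform; it only shows which bytes get encrypted).
    blocks = (hmac.new(key, iv + struct.pack(">I", c), hashlib.sha256).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ipv4_header(src, dst, proto, total_len):
    # Minimal IPv4 header (checksum left zero; enough to show the layout).
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def esp_tunnel_encapsulate(inner_packet, outer_src, outer_dst, seq, iv=None):
    iv = os.urandom(8) if iv is None else iv
    # ESP trailer: pad to a 4-byte boundary, then Pad Length and Next Header (4 = IPv4).
    pad_len = (-(len(inner_packet) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])
    # The original header is now just payload: it is encrypted along with the data.
    plaintext = inner_packet + trailer
    ciphertext = xor(plaintext, keystream(ENC_KEY, iv, len(plaintext)))
    esp_header = struct.pack(">II", SPI, seq)
    # ICV covers ESP header, IV and ciphertext; the outer tunnel header is not covered.
    authenticated = esp_header + iv + ciphertext
    icv = hmac.new(AUTH_KEY, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    outer = ipv4_header(outer_src, outer_dst, 50, 20 + len(authenticated) + ICV_LEN)  # 50 = ESP
    return outer + authenticated + icv

def esp_tunnel_decapsulate(packet):
    esp = packet[20:]                      # drop the tunnel header
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet altered in transit or wrong key")
    iv, ciphertext = body[8:16], body[16:]
    plaintext = xor(ciphertext, keystream(ENC_KEY, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != 4:
        raise ValueError("unexpected Next Header")
    return plaintext[:-(pad_len + 2)]      # original IP packet, routed by its own header
```

Decapsulation succeeds even if the outer header is changed in transit, which is why the tunnel header carries only routing information, while any change to the ESP header or ciphertext fails the ICV check before decryption.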

When tunneling, ESP and AH can be used together: ESP provides confidentiality for the tunneled IP packet, and AH provides integrity and authentication for the whole packet, including the outer header.