In IPsec, which mode encrypts the payload to protect data while the packet is transmitted within a LAN?

Protecting the actual data while keeping the original network addressing usable for local routing is accomplished by ESP in transport mode. In this mode, only the payload (and the ESP trailer) is encrypted, so the IP header stays in the clear and routers on the LAN can continue to forward the packet as usual. This makes transport mode ideal for end-to-end communication within a single network, where you want confidentiality without wrapping the entire packet. In contrast, ESP in tunnel mode encrypts the entire original IP packet and adds a new IP header, which is typical for gateway-to-gateway VPNs. AH provides integrity without encryption, so it doesn’t meet the requirement to encrypt the payload, and IKE is a key-exchange protocol, not a mode of IPsec data protection.