Which mode of IPsec is specifically designed to protect only the data of a packet?

Transport mode in IPsec is designed specifically to protect the data within the packet itself while leaving the original packet headers intact. This means that only the payload—the actual data being transmitted—is encrypted and/or authenticated. This approach is useful for end-to-end communication between two hosts, where only the data needs to be secured, without changing the routing information contained in the IP header.

In contrast, tunnel mode encapsulates the entire original packet within a new packet, thereby protecting both the header and the payload. This is particularly useful for site-to-site VPN connections, where it is necessary to ensure the security of the entire packet as it traverses an external network. The other options mentioned do not pertain to established IPsec modes and thus are not applicable in this context.