Which IPSec protocol provides integrity protection for packet headers, data, and user authentication but does not encrypt?

The protocol that provides integrity protection for packet headers, data, and user authentication without encryption is the Authentication Header (AH). AH is designed specifically to provide authentication and integrity for IP packets, ensuring that the data has not been altered during transmission.

AH achieves this by using cryptographic hashes to validate the data, including the packet header. This ensures that the sender's identity is confirmed and that the payload has not been tampered with. However, unlike the Encapsulating Security Payload (ESP), AH does not provide encryption. Therefore, the data remains in plaintext, which can be a consideration in contexts where confidentiality is critical.

In the context of the other options, ESP does provide encryption along with integrity, thus making it unsuitable for this particular question about protocols that specifically do not encrypt. ISAKMP is a framework used for establishing security associations and does not offer integrity or encryption on its own; rather, it supports protocols like AH and ESP. IPsec Tunnel Mode is a configuration mode for ESP or AH that encapsulates entire IP packets for secure transmission, but it does not independently provide the features described.

Thus, the choice of AH aligns with the requirement of integrity protection without encryption, making it the correct answer.