IPSec in tunnel model with AH&ESP: position of original IP header?

IPSec in tunnel model with AH&ESP: position of original IP header?

I am studying IPSec in tunnel mode when first applying ESP and then AH and am wondering about the position of the original IP header. I see two options:

1. IP header (crypto), AH header, ESP header, IP header (comm), ...
2. IP header (crypto), AH header, IP header (comm), ESP header, ...

where "IP header (crypto/comms)" is the IP header for the cryptographic/communication endpoints. Option 1. makes more sense to me since the communication IP addresses would also be encrypted.