Authentication Header (AH): provides authentication, integrity, and anti-replay for the entire packet (both the IP header and the data payload carried in the packet). It does not provide confidentiality because it does not encrypt the data. AH uses a hash algorithm to sign the packet for integrity.
Encapsulating Security Payload (ESP): provides confidentiality for the payload in addition to authentication and anti-replay. ESP does not sign the entire packet, just the payload (data).
AH and ESP can be used together to provide protection.
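
A simplified model of the integrity coverage described above, as an added example that is not part of the original page: HMAC-SHA256 stands in for the negotiated integrity algorithm, and the key, SPI, addresses and payload are constructed. It assumes the AH check zeroes the header fields routers change in transit (such as TTL) and omits ESP encryption to isolate what each protocol signs.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"   # constructed sample key, not a real SA key
SPI, SEQ = 0x1001, 1            # constructed SPI and anti-replay sequence number

def ipv4_header(src, dst, ttl, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 in this model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, 51, 0,  # protocol 51 = AH
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    """Zero the fields routers legitimately change before computing the AH ICV."""
    h = bytearray(hdr)
    h[1] = 0                    # TOS/DSCP
    h[6:8] = b"\x00\x00"        # flags and fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)

def ah_icv(ip_hdr, payload):
    """AH model: keyed hash over IP header, SPI/sequence number and payload."""
    data = zero_mutable(ip_hdr) + struct.pack("!II", SPI, SEQ) + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()

def esp_icv(payload):
    """ESP model: keyed hash over SPI/sequence number and payload only."""
    return hmac.new(KEY, struct.pack("!II", SPI, SEQ) + payload, hashlib.sha256).digest()

def demo():
    payload = b"constructed application data"
    n = len(payload)
    sent = ipv4_header("192.0.2.10", "198.51.100.20", 64, n)
    ah_tag, esp_tag = ah_icv(sent, payload), esp_icv(payload)
    one_hop = ipv4_header("192.0.2.10", "198.51.100.20", 63, n)   # TTL decremented
    new_src = ipv4_header("203.0.113.5", "198.51.100.20", 63, n)  # source rewritten
    tampered = payload.replace(b"data", b"DATA")                  # payload modified
    same = hmac.compare_digest
    return {
        "ah_accepts_ttl_change": same(ah_tag, ah_icv(one_hop, payload)),
        "ah_accepts_src_rewrite": same(ah_tag, ah_icv(new_src, payload)),
        "esp_accepts_src_rewrite": same(esp_tag, esp_icv(payload)),
        "esp_accepts_payload_change": same(esp_tag, esp_icv(tampered)),
    }

if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {accepted}")
```

An address rewrite in transit, such as NAT, therefore fails the AH check while the ESP check is unaffected; both reject a modified payload.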