1

I understand that it's not possible to have Authentication Header with a regular NAT, because it messes with the IP header protected by AH. How about proxies? Do they change anything in the packet?

Would it be possible to use AH in transport mode on an IPSec channel between proxies?

1 Answer 1

2

"Proxy" is a generic term. If you mean a Web proxy, then that kind normally operates at the "application data" level: the client system opens a TCP connection to the proxy, and the proxy opens another connection to the target server (or the next proxy in the case of chaining). The proxy relays data back and forth, but no IP header. By definition, IPSec stops at the proxy. A Web proxy does not "modify" packets, it eats them whole; and then it may resend the packet contents, reassembled and split again, as brand new IP packets unrelated to the previous ones.

You can use IPSec to protect communications between the client system and the proxy. You can use IPSec to protect communications between two proxies. But IPSec will never give you any guarantee that the data was unmodified by the proxy; only that it was not altered in transit between the client and the proxy and/or between the two proxies.

In fact, proxies are, by definition, meant to alter the data, e.g. by answering the request themselves with a copy of an older response, without talking to the actual server. This is by design.
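The following is an added example, not part of the question or answer above, that makes the NAT/AH point concrete and contrasts it with the proxy case. It builds an IPv4 transport-mode AH packet (RFC 4302 layout, HMAC-SHA1-96 ICV, no IP options) and computes the ICV over the header with the mutable fields zeroed, exactly as the receiver will. A router hop (TTL decrement, checksum refresh) leaves the ICV valid because TTL and checksum are excluded from it; a source-NAT rewrite invalidates it because the addresses are covered. The key, addresses and payload are constructed for the demo; a real NAPT would additionally rewrite TCP ports inside the covered payload, which breaks the ICV just as surely. A proxy, by contrast, never forwards this packet at all: whatever it sends onward is a fresh packet from its own stack, so there is no ICV from the client's SA to carry across.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51       # IP protocol number for the Authentication Header
ICV_LEN = 12        # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits (RFC 2404)
IHL = 20            # assumption: IPv4 header without options


def _ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (checksum field zeroed)."""
    words = struct.unpack("!%dH" % (len(hdr) // 2), hdr)
    s = sum(words)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _ipv4_header(src: str, dst: str, ttl: int, total_len: int, ident: int = 0x1234) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, AH_PROTO, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]


def _icv_input(pkt: bytes) -> bytes:
    """Bytes the ICV covers (RFC 4302 3.3.3.1): IP header with mutable fields zeroed,
    AH header with its ICV field zeroed, then the upper-layer payload."""
    hdr = bytearray(pkt[:IHL])
    hdr[1] = 0                    # DSCP/ECN: mutable, excluded
    hdr[6:8] = b"\x00\x00"        # flags + fragment offset: mutable, excluded
    hdr[8] = 0                    # TTL: mutable, excluded
    hdr[10:12] = b"\x00\x00"      # header checksum: mutable, excluded
    # version/IHL, total length, identification, protocol, src and dst stay covered
    ah_len = (pkt[IHL + 1] + 2) * 4   # Payload Len is AH length in 32-bit words minus 2
    ah = bytearray(pkt[IHL:IHL + ah_len])
    ah[12:] = bytes(ah_len - 12)      # ICV field zeroed for computation
    return bytes(hdr) + bytes(ah) + pkt[IHL + ah_len:]


def build_ah_packet(key: bytes, src: str, dst: str, payload: bytes, ttl: int = 64,
                    spi: int = 0x1000, seq: int = 1, next_header: int = 6) -> bytes:
    """Transport-mode AH: [IP header][AH: nh, len, rsv, SPI, seq, ICV][payload]."""
    ah_len = 12 + ICV_LEN
    hdr = _ipv4_header(src, dst, ttl, IHL + ah_len + len(payload))
    ah = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    pkt = hdr + ah + payload
    icv = hmac.new(key, _icv_input(pkt), hashlib.sha1).digest()[:ICV_LEN]
    return pkt[:IHL + 12] + icv + payload


def verify_ah_packet(key: bytes, pkt: bytes) -> bool:
    """What the AH receiver does: recompute the ICV and compare in constant time."""
    ah_len = (pkt[IHL + 1] + 2) * 4
    received = pkt[IHL + 12:IHL + ah_len]
    expected = hmac.new(key, _icv_input(pkt), hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(received, expected)


def router_hop(pkt: bytes) -> bytes:
    """An ordinary forwarding hop: TTL-1 and a refreshed header checksum."""
    hdr = bytearray(pkt[:IHL])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", _ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[IHL:]


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """Source NAT: swap the source address and refresh the checksum. The address is covered by the ICV."""
    hdr = bytearray(pkt[:IHL])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", _ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[IHL:]


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"       # constructed, not a real SA key
    pkt = build_ah_packet(key, "10.0.0.5", "203.0.113.9", b"constructed TCP segment")
    print("as sent:                 ", verify_ah_packet(key, pkt))
    print("after router hop (TTL-1):", verify_ah_packet(key, router_hop(pkt)))
    print("after SNAT to 198.51.100.1:", verify_ah_packet(key, nat_rewrite_source(pkt, "198.51.100.1")))
```

Run it and the first two checks pass while the NAT case fails, which is the whole reason AH cannot cross a NAT. Between two proxies, or between a client and its proxy, the same check holds hop by hop; it says nothing about what the proxy did to the data before building its own outbound packets.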
