ESP and AH are two entirely different protocols.
Most (just about all, really) IPsec connections use Encapsulating Security Payload, which means IP data packets are encrypted and then encapsulated inside ESP packets. ESP is used for both tunneling and host-to-host transport connections.
Authentication Header is a rare beast, as it doesn't encrypt anything, but instead just signs the data packets and place the data and the corresponding signature inside an AH packet. AH doesn't offer confidentiality, but does ensure integrity since no third party can modify the packets without invalidating the signature.
ESP is IP protocol 50, while AH is IP protocol 51. Blocking both these will not necessarily prevent IPsec connections, as most IPsec-capable systems support NAT Traversal (NAT-T), which encapsulate ESP packets inside UDP packets, using port 4500 by default. Today, most ESP connections end up using UDP encapsulation, since that's the only way IPsec can work in scenarios involving NAT.
In addition, IPsec connections are usually negotiated using the IKE/ISAKMP protocol, which has been assigned UDP port 500. Manual keying without ISAKMP is possible, but cumbersome and less secure, and therefore highly uncommon.
Regarding the original question about how firewall admins should deal with IPsec traffic, that's a bit difficult to answer without any context:
- If you need to allow IPsec tunnels, you'd usually open UDP ports 500 and 4500 as well as allowing IP protocol 50. The latter is often necessary even if NAT-T is used, since some IPsec implementations will only switch to NAT-T after "regular" ESP has been tried and rejected.
- If you want to prevent IPsec from working, blocking the aforementioned ports and protocols will usually do the trick. However, a user controlling both endpoints could easily change the port numbers.
- If the idea is to block any kind of tunneling, you're in for a rough ride. IPsec is only one of many tunneling protocols, and others include HTTP, SSTP (which looks exactly like HTTPS, right down to the TCP port number), DNS and even ICMP (ping). Sure, you can block all these, but then no-one will be able to access the Internet at all.
Personally, in "implicit deny" scenarios, I will not allow IPsec-related protocols and ports unless there's an explicitly stated request, approved by management.
But I know that if some user behind the firewall is hellbent on establishing a tunnel to a host outside the network, s/he is probably going to succeed. A clear, written corporate policy, IDS/monitoring, and audits are needed to detect and deal with unauthorized and/or malicious network activity.