diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/evaltest.dat
deleted file mode 100644
index 4d0a63d80..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::NO
-venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
-sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 8679a23a4..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn nat-t
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- right=192.168.0.2
- rightid=@sun.strongswan.org
- type=transport
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 281da123f..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 curve25519 gmp x509 curl revocation kernel-netlink socket-default updown stroke
-}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 11b0b2db9..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- left=192.168.0.2
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftfirewall=yes
-
-conn nat-t
- right=%any
- type=transport
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 281da123f..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 curve25519 gmp x509 curl revocation kernel-netlink socket-default updown stroke
-}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 281da123f..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 curve25519 gmp x509 curl revocation kernel-netlink socket-default updown stroke
-}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/description.txt b/testing/tests/ikev2/host2host-transport-nat/description.txt
similarity index 82%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/description.txt
rename to testing/tests/ikev2/host2host-transport-nat/description.txt
index fc7186c53..71e151ca6 100644
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/description.txt
+++ b/testing/tests/ikev2/host2host-transport-nat/description.txt
@@ -1,6 +1,6 @@
An IPsec transport-mode connection between the natted host alice and gateway sun
-is successfully set up. leftfirewall=yes automatically inserts iptables-based firewall
-rules that let pass the decrypted IP packets. In order to test the host-to-host connection
+is successfully set up. The updown script automatically inserts iptables-based firewall
+rules that let pass the protected traffic. In order to test the host-to-host tunnel
alice pings sun.
Note: This scenario also demonstrates two problems with transport-mode and NAT traversal:
diff --git a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
new file mode 100644
index 000000000..1f4ea6564
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
@@ -0,0 +1,16 @@
+alice::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_ALICE local-port=4500 local-id=alice@strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_ALICE/32] remote-ts=\[PH_IP_SUN/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_MOON/32]::YES
+alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+# this won't work due to the IPsec policy on sun for the NAT's public IP
+venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::NO
+venus::expect-connection host-host
+venus::swanctl --initiate --child host-host 2> /dev/null
+venus::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_VENUS local-port=4500 local-id=venus.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_VENUS/32] remote-ts=\[PH_IP_SUN/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=.* remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_MOON/32]::YES
+# now traffic goes via the newer SA between sun and venus
+alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::NO
+venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
+sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ICMP echo request::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ICMP echo reply::NO
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e760a2022
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ host-host {
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/iptables.rules
rename to testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..01b5ac28d
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,23 @@
+connections {
+
+ host-host {
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/ipsec.conf
rename to testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0fdb9b25b
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ host-host {
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = venusCert.pem
+ id = venus.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/posttest.dat b/testing/tests/ikev2/host2host-transport-nat/posttest.dat
similarity index 58%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/posttest.dat
rename to testing/tests/ikev2/host2host-transport-nat/posttest.dat
index 80a3c7b7d..58df9091d 100644
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/posttest.dat
+++ b/testing/tests/ikev2/host2host-transport-nat/posttest.dat
@@ -1,6 +1,6 @@
-alice::ipsec stop
-venus::ipsec stop
-sun::ipsec stop
+alice::systemctl stop strongswan
+venus::systemctl stop strongswan
+sun::systemctl stop strongswan
alice::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/pretest.dat b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
similarity index 60%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/pretest.dat
rename to testing/tests/ikev2/host2host-transport-nat/pretest.dat
index f7054cda0..222eee5e0 100644
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
@@ -4,11 +4,9 @@ sun::iptables-restore < /etc/iptables.rules
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT
-sun::ipsec start
-alice::ipsec start
-venus::ipsec start
-sun::expect-connection nat-t
-alice::expect-connection nat-t
-alice::ipsec up nat-t
-venus::expect-connection nat-t
-venus::ipsec up nat-t
+sun::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
+sun::expect-connection host-host
+alice::expect-connection host-host
+alice::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/test.conf b/testing/tests/ikev2/host2host-transport-nat/test.conf
similarity index 91%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/test.conf
rename to testing/tests/ikev2/host2host-transport-nat/test.conf
index 8c2facefd..817550391 100644
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/test.conf
+++ b/testing/tests/ikev2/host2host-transport-nat/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun alice venus moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1