diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/evaltest.dat
deleted file mode 100644
index 4d0a63d80..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
-alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::NO
-venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
-sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 8679a23a4..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn nat-t
- leftcert=aliceCert.pem
- leftid=alice@strongswan.org
- leftfirewall=yes
- right=192.168.0.2
- rightid=@sun.strongswan.org
- type=transport
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 281da123f..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 curve25519 gmp x509 curl revocation kernel-netlink socket-default updown stroke
-}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 11b0b2db9..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- left=192.168.0.2
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftfirewall=yes
-
-conn nat-t
- right=%any
- type=transport
- auto=add
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 281da123f..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 curve25519 gmp x509 curl revocation kernel-netlink socket-default updown stroke
-}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 281da123f..000000000
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = random nonce aes sha1 sha2 hmac pem pkcs1 curve25519 gmp x509 curl revocation kernel-netlink socket-default updown stroke
-}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/description.txt b/testing/tests/ikev2/host2host-transport-nat/description.txt
similarity index 82%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/description.txt
rename to testing/tests/ikev2/host2host-transport-nat/description.txt
index fc7186c53..71e151ca6 100644
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/description.txt
+++ b/testing/tests/ikev2/host2host-transport-nat/description.txt
@@ -1,6 +1,6 @@
 An IPsec transport-mode connection between the natted host alice and gateway sun
-is successfully set up. leftfirewall=yes automatically inserts iptables-based firewall
-rules that let pass the decrypted IP packets. In order to test the host-to-host connection
+is successfully set up. The updown script automatically inserts iptables-based firewall
+rules that let pass the protected traffic. In order to test the host-to-host tunnel
 alice pings sun.
Note: This scenario also demonstrates two problems with transport-mode and NAT traversal:
    diff --git a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
new file mode 100644
index 000000000..1f4ea6564
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
@@ -0,0 +1,16 @@
+alice::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_ALICE local-port=4500 local-id=alice@strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_ALICE/32] remote-ts=\[PH_IP_SUN/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=alice@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_MOON/32]::YES
+alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+# this won't work due to the IPsec policy on sun for the NAT's public IP
+venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::NO
+venus::expect-connection host-host
+venus::swanctl --initiate --child host-host 2> /dev/null
+venus::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_VENUS local-port=4500 local-id=venus.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_VENUS/32] remote-ts=\[PH_IP_SUN/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON 
remote-port=.* remote-id=venus.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[PH_IP_SUN/32] remote-ts=\[PH_IP_MOON/32]::YES
+# now traffic goes via the newer SA between sun and venus
+alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::NO
+venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
+sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ICMP echo request::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ICMP echo reply::NO
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e760a2022
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/swanctl/swanctl.conf
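Review bot: The first `sun::` assertion pins `remote-port=4500` for alice's NAT-translated peer, whereas the later `sun::` assertion for venus uses `remote-port=.*`; the 4500 match only holds while moon's MASQUERADE happens to preserve alice's source port, which is likely for the first mapping but not guaranteed, so `remote-host=PH_IP_MOON remote-port=.* remote-id=alice@strongswan.org` would be the robust form. The first `alice::ping -c 1 PH_IP_SUN` is also the only ping in the file without `-W 1`, so a failure there waits for ping's default timeout instead of one second; `alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES` keeps it consistent with the other lines. The two inline comments explaining why venus's newer SA displaces alice's policy for the NAT's public IP are what make the `::NO` expectations intelligible and should stay.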
@@ -0,0 +1,26 @@
+connections {
+
+ host-host {
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = aliceCert.pem
+ id = alice@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/sun/etc/iptables.rules
rename to testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/iptables.rules
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..01b5ac28d
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/swanctl/swanctl.conf
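Review bot: `new file mode 100755` gives alice's swanctl.conf an executable bit, while the strongswan.conf added for the same host is 100644; a configuration file that charon and swanctl only read has no reason to be executable, so the mode should be `100644` (the sun and venus swanctl.conf files in this commit carry the same bit). `mobike = no` is set with no explanation; if it is required for the transport-mode NAT-T scenario, which I cannot confirm from the hunk, a one-line comment such as `# MOBIKE disabled for the transport-mode NAT-T scenario` above it would save the next reader a lookup. The `remote` block correctly constrains `id = sun.strongswan.org`, so alice will not accept an arbitrary CA-issued certificate as the gateway.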
@@ -0,0 +1,23 @@
+connections {
+
+ host-host {
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf
similarity index 100%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/hosts/venus/etc/ipsec.conf
rename to testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/ipsec.conf
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..ad4c18e43
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+}
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0fdb9b25b
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/swanctl/swanctl.conf
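Review bot: In sun's swanctl.conf the `remote` section has `auth = pubkey` with no `id`, and the connection sets no `remote_addrs`, so sun accepts a transport-mode SA from any peer presenting a certificate that chains to its trusted CA; as the evaltest.dat in this commit demonstrates with venus, a second such peer behind the same NAT installs a newer policy for the NAT's public IP that takes over alice's traffic. That mirrors the old `right=%any` and is precisely what the scenario is meant to show, but nothing in this file says so, and the file looks like a reusable template. A comment in the `remote` block, `# any CA-issued peer is accepted; a later peer behind the same NAT replaces the transport policy for the NAT address (see evaltest.dat)`, would keep it from being copied into a real gateway unchanged. The explicit `proposals = aes128-sha256-x25519` and `esp_proposals = aes128gcm128-x25519` are a good replacement for the old implicit defaults.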
@@ -0,0 +1,26 @@
+connections {
+
+ host-host {
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = venusCert.pem
+ id = venus.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ mode = transport
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/posttest.dat b/testing/tests/ikev2/host2host-transport-nat/posttest.dat
similarity index 58%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/posttest.dat
rename to testing/tests/ikev2/host2host-transport-nat/posttest.dat
index 80a3c7b7d..58df9091d 100644
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/posttest.dat
+++ b/testing/tests/ikev2/host2host-transport-nat/posttest.dat
@@ -1,6 +1,6 @@
-alice::ipsec stop
-venus::ipsec stop
-sun::ipsec stop
+alice::systemctl stop strongswan
+venus::systemctl stop strongswan
+sun::systemctl stop strongswan
 alice::iptables-restore < /etc/iptables.flush
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/pretest.dat b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
similarity index 60%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/pretest.dat
rename to testing/tests/ikev2/host2host-transport-nat/pretest.dat
index f7054cda0..222eee5e0 100644
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
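Review bot: venus's stroke-era `hosts/venus/etc/ipsec.conf` is renamed unchanged (100% similarity) into the new test tree right next to this swanctl.conf, while alice's and sun's ipsec.conf files are deleted in the same commit; with `SWANCTL=1` charon is driven over vici, so that file appears to be dead configuration, presumably still describing the old `nat-t` connection. Unless another part of the test tree reads it, which this diff does not show, it should be deleted for consistency with the other two hosts. Leaving it in place means venus carries two configurations that disagree on the connection name, which will mislead anyone reading the old file to understand the `host-host` assertions.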
@@ -4,11 +4,9 @@ sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
 moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
 moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT
-sun::ipsec start
-alice::ipsec start
-venus::ipsec start
-sun::expect-connection nat-t
-alice::expect-connection nat-t
-alice::ipsec up nat-t
-venus::expect-connection nat-t
-venus::ipsec up nat-t
+sun::systemctl start strongswan
+alice::systemctl start strongswan
+venus::systemctl start strongswan
+sun::expect-connection host-host
+alice::expect-connection host-host
+alice::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/test.conf b/testing/tests/ikev2/host2host-transport-nat/test.conf
similarity index 91%
rename from testing/tests/ikev2-stroke-bye/host2host-transport-nat/test.conf
rename to testing/tests/ikev2/host2host-transport-nat/test.conf
index 8c2facefd..817550391 100644
--- a/testing/tests/ikev2-stroke-bye/host2host-transport-nat/test.conf
+++ b/testing/tests/ikev2/host2host-transport-nat/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun alice venus moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1