diff --git a/NEWS b/NEWS
index 72dd42823..a3e6b4655 100644
--- a/NEWS
+++ b/NEWS
@@ -3,9 +3,11 @@ strongswan-4.0.6 - IKEv2: Support for reauthentication when rekeying +- IKEv2: Support for transport and (experimental!) BEET mode + - fixed most (all?) bugs related to byte order -- a lot of bugfixes +- a lot of other bugfixes strongswan-4.0.5
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
index 3459a3b46..57e9cf93a 100644
--- a/src/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -845,6 +845,7 @@ extern const char *prettypolicy(lset_t policy);
 #define POLICY_XAUTH_RSASIG LELEM(19) /* do we support XAUTH????RSA? */
 #define POLICY_XAUTH_SERVER LELEM(20) /* are we an XAUTH server? */
 #define POLICY_DONT_REAUTH LELEM(21) /* don't reauthenticate on rekeying, IKEv2 only */
+#define POLICY_BEET LELEM(22) /* bound end2end tunnel, IKEv2 */
 /* Any IPsec policy? If not, a connection description
 * is only for ISAKMP SA, not IPSEC SA. (A pun, I admit.)
diff --git a/src/starter/confread.c b/src/starter/confread.c
index cc2c98186..03b223878 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -388,6 +388,8 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK);
 if (streq(kw->value, "tunnel"))
 conn->policy |= POLICY_TUNNEL;
+ else if (streq(kw->value, "beet"))
+ conn->policy |= POLICY_BEET;
 else if (streq(kw->value, "passthrough") || streq(kw->value, "pass"))
 conn->policy |= POLICY_SHUNT_PASS;
 else if (streq(kw->value, "drop"))
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index dc81acf8a..9d4e0a13a 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
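Review bot: In the confread.c hunk, the reset on the context line just above the new branch, `conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK);`, does not clear the new POLICY_BEET bit, so the keyword handler can only ever add that bit and never remove it; if the policy already carried BEET (a repeated `type=` keyword, or a BEET bit in whatever value the connection starts with, which is not visible here), selecting `tunnel` or `transport` leaves the stale bit set alongside the chosen mode. That matters because the starterstroke.c hunk tests POLICY_TUNNEL before POLICY_BEET, so a stale BEET bit is silently ignored for tunnel and silently wins for transport. The one-line fix is to extend the mask, `conn->policy &= ~(POLICY_TUNNEL | POLICY_BEET | POLICY_SHUNT_MASK);`, which keeps the new flag under the same reset as the modes it is mutually exclusive with. load_conn begins and ends outside the hunk.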
@@ -194,7 +194,18 @@ int starter_stroke_add_conn(starter_conn_t *conn)
 msg.add_conn.name = push_string(&msg, connection_name(conn));
 msg.add_conn.auth_method = (conn->policy & POLICY_PSK)? SHARED_KEY_MESSAGE_INTEGRITY_CODE : RSA_DIGITAL_SIGNATURE;
- msg.add_conn.mode = (conn->policy & POLICY_TUNNEL) ? 1 : 0;
+ if (conn->policy & POLICY_TUNNEL)
+ {
+ msg.add_conn.mode = 1; /* XFRM_MODE_TRANSPORT */
+ }
+ else if (conn->policy & POLICY_BEET)
+ {
+ msg.add_conn.mode = 4; /* XFRM_MODE_BEET */
+ }
+ else
+ {
+ msg.add_conn.mode = 0; /* XFRM_MODE_TUNNEL */
+ }
 if (conn->policy & POLICY_DONT_REKEY)
 {
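Review bot: The mode comments in the new branches are swapped relative to the values they annotate: the POLICY_TUNNEL branch assigns 1 and is commented `/* XFRM_MODE_TRANSPORT */`, while the final else assigns 0 and is commented `/* XFRM_MODE_TUNNEL */`, the opposite of what the branch conditions say and of the replaced `(conn->policy & POLICY_TUNNEL) ? 1 : 0`. The numeric values are unchanged from the old line, so this is a documentation defect rather than a behaviour change, but anyone later reconciling this mapping with the kernel's XFRM mode numbering will be misled by it. Change the two lines to `msg.add_conn.mode = 1; /* XFRM_MODE_TUNNEL */` and `msg.add_conn.mode = 0; /* XFRM_MODE_TRANSPORT */`, and preferably replace the bare 0/1/4 with named constants shared with whatever consumes add_conn.mode on the receiving side so the two ends cannot drift apart. Note also that the branch order gives POLICY_TUNNEL precedence if both bits are ever set, which is only correct as long as the config parser clears one when setting the other. starter_stroke_add_conn begins and ends outside the hunk.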