diff --git a/devel/yaml_api.md b/devel/yaml_api.md index ea9dd3c..fcda31c 100644 --- a/devel/yaml_api.md +++ b/devel/yaml_api.md @@ -1404,6 +1404,8 @@ The `libreswan` section, nmstate provides these properties: mode. * `leftmodecfgclient`: yes|no. Please explicitly set it to `no` when using in host-to-host mode. + * `type`: `transport` or `tunnel`. The `tunnel` is the default value if not + defined. Except the `psk` property, all other properties are libreswan specific options, please refer to the manpage of `ipsec.conf` for detail meaning of them. diff --git a/features/ipsec.md b/features/ipsec.md index 32cc8ec..86e3c48 100644 --- a/features/ipsec.md +++ b/features/ipsec.md @@ -4,6 +4,7 @@ * [IPsec RSA authentication example](#ipsec-rsa-authentication-example) * [IPsec PSK authentication example](#ipsec-psk-authentication-example) * [IPSec Host-to-Host/P2P tunnel](#ipsec-host-to-hostp2p-tunnel) +* [IPsec transport mode](#ipsec-transport-mode) @@ -120,3 +121,29 @@ src 192.0.2.155/32 dst 192.0.2.248/32 tmpl src 192.0.2.155 dst 192.0.2.248 proto esp reqid 16389 mode tunnel ``` + +# IPsec transport mode + +By default, nmstate is using `type: tunnel` mode, you may specific +`type: transport` like: + +```yml +--- +interfaces: +- name: hosta_conn + type: ipsec + ipv4: + enabled: true + dhcp: true + libreswan: + type: transport + ipsec-interface: "99" + left: 192.0.2.251 + leftid: '%fromcert' + leftcert: hosta.example.org + right: 192.0.2.151 + rightid: '%fromcert' + ikev2: insist + ikelifetime: 24h + salifetime: 24h +```
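Review bot: In the devel/yaml_api.md hunk, the new `type` bullet does not say whether nmstate accepts only `transport` and `tunnel` or passes any other value through to libreswan, even though the paragraph right after it sends readers to the `ipsec.conf` manpage for the meaning of each option. Please state how values other than these two are handled, and reword the default sentence, for example "Defaults to `tunnel` when not defined." A short clause on what each mode protects (the whole IP packet in tunnel mode, only the payload in transport mode) would also help readers choose between them.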
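Review bot: In the features/ipsec.md hunk that adds "# IPsec transport mode", the example omits `leftmodecfgclient`, while the devel/yaml_api.md context in this same patch asks for it to be set explicitly to `no` in host-to-host mode, and this example is host-to-host (single `left` and `right` addresses) yet keeps `dhcp: true` under `ipv4`. Either add `leftmodecfgclient: no` to the example or explain why it is not needed with `type: transport`. The intro sentence also has a typo and a comma splice; suggest "By default, nmstate uses `type: tunnel`. You may specify `type: transport` like:". The preceding section ends with policy output showing `mode tunnel`; the equivalent output for this example would let readers confirm that the connection really came up in transport mode.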