IPSec can be used in tunnel mode to build VPNs which connect a road-warrior to a subnet of hosts through a gateway. This typically makes use of internal IP address spaces, making things complicated. Additionally, all traffic goes through a VPN gateway which is a natural bottleneck.
How can I configure IPSec in a way that my road-warrior connects to any host in this specified subnet using transport mode encryption? Essentially I want to replace a tunnel mode VPN with a separate transport mode VPN to each host in the subnet. Ideally without having separate VPN configuration entries and manual starting of the VPNs. I looked at the strongswan/libreswan documentation, but could not find anything. I imagine a wildcard config with certificate based authentication where all hosts have a certificate from a common CA.
Is this not the way the transport mode part of IPSec is supposed to be used? Especially with an all-IPv6 network the additional complexity of private IP ranges is inefficient.