diff --git a/devel/yaml_api.md b/devel/yaml_api.md index be29a25..ea9dd3c 100644 --- a/devel/yaml_api.md +++ b/devel/yaml_api.md @@ -1400,6 +1400,10 @@ The `libreswan` section, nmstate provides these properties: * `psk`: String. The Pre-Shared-Key. Please consider to use x509/PKI authentication in production system. In query, this property will be shown as `<_password_hid_by_nmstate>` for security concern. + * `rightsubnet`: String. Please explicitly set it when using in host-to-host + mode. + * `leftmodecfgclient`: yes|no. Please explicitly set it to `no` when using in + host-to-host mode. Except the `psk` property, all other properties are libreswan specific options, please refer to the manpage of `ipsec.conf` for detail meaning of them. diff --git a/features/ipsec.md b/features/ipsec.md index 3b5630e..32cc8ec 100644 --- a/features/ipsec.md +++ b/features/ipsec.md @@ -3,6 +3,7 @@ * [IPsec x509/PKI authentication example](#ipsec-x509pki-authentication-example) * [IPsec RSA authentication example](#ipsec-rsa-authentication-example) * [IPsec PSK authentication example](#ipsec-psk-authentication-example) +* [IPSec Host-to-Host/P2P tunnel](#ipsec-host-to-hostp2p-tunnel) 
@@ -76,3 +77,46 @@ interfaces: ``` The PSK method should be only used for test/develop purpose. + +# IPSec Host-to-Host/P2P tunnel + +By default, NetworkManager libreswan plugin is expecting client-server IPSec +tunnel. In order to get it works for P2P(Host-to-Host) IPSec tunnel, please +explicitly set `rightsubnet` to remote /32 IPv4 address and +`leftmodecfgclient: no`. + +For example, assuming remote IPSec host IP is `192.0.2.155` and local IP is +`192.0.2.248` + +```yml +interfaces: +- name: hosta_conn + type: ipsec + libreswan: + left: 192.0.2.248 + leftid: 'hosta.example.org' + leftcert: hosta.example.org + leftmodecfgclient: no + right: 192.0.2.155 + rightid: 'hostb.example.org' + rightsubnet: 192.0.2.155/32 + ikev2: insist +``` + +This result in P2P policy been created in `ip xfrm`: + +```bash +[fge@c9s ~]$ sudo ip xfrm policy +src 192.0.2.248/32 dst 192.0.2.155/32 + dir out priority 1753281 ptype main + tmpl src 192.0.2.248 dst 192.0.2.155 + proto esp reqid 16389 mode tunnel +src 192.0.2.155/32 dst 192.0.2.248/32 + dir fwd priority 1753281 ptype main + tmpl src 192.0.2.155 dst 192.0.2.248 + proto esp reqid 16389 mode tunnel +src 192.0.2.155/32 dst 192.0.2.248/32 + dir in priority 1753281 ptype main + tmpl src 192.0.2.155 dst 192.0.2.248 + proto esp reqid 16389 mode tunnel +```
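Review bot: In the `devel/yaml_api.md` hunk the new `rightsubnet` bullet tells the user to "explicitly set it" in host-to-host mode but never says to what; the `features/ipsec.md` hunk in the same patch does (the remote host's /32 address), so the API reference should too, e.g. `* \`rightsubnet\`: String. In host-to-host mode, set it explicitly to the remote host's /32 address (for example \`192.0.2.155/32\`).` Two smaller points on the same hunk: "when using in host-to-host mode" reads better as "when used in host-to-host mode" in both bullets, and `leftmodecfgclient` is documented as `yes|no` while the example in `features/ipsec.md` feeds an unquoted `no`, which YAML 1.1 parsers load as a boolean rather than the string "no"; either state that a boolean is accepted or tell users to quote the value (`leftmodecfgclient: 'no'`).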
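Review bot: The `features/ipsec.md` body hunk has several grammar and consistency problems in its prose, and it tells the reader what to set without saying what the two options change. Concretely: the heading and the new TOC entry spell the product "IPSec" while every other heading and TOC entry in the file uses "IPsec" (`IPsec x509/PKI authentication example`, ...), so use "IPsec Host-to-Host/P2P tunnel" (the generated anchor `#ipsec-host-to-hostp2p-tunnel` is unaffected); "NetworkManager libreswan plugin is expecting client-server IPSec tunnel. In order to get it works for P2P(Host-to-Host) IPSec tunnel" should read "the NetworkManager libreswan plugin expects a client-server IPsec tunnel. To make it work for a P2P (host-to-host) IPsec tunnel"; "This result in P2P policy been created in `ip xfrm`:" should read "This results in a host-to-host (P2P) policy in `ip xfrm`:". Since the patch's own `ip xfrm policy` output is the evidence that the settings work, a sentence pointing out what to look for (the `/32`-to-`/32` selectors in the `out`, `fwd` and `in` entries) would make the check reproducible for readers; a one-line explanation of why `rightsubnet` and `leftmodecfgclient: no` are needed, rather than only "please explicitly set", would likewise help. Minor style nit in the YAML example: `leftid`/`rightid` are quoted while `leftcert` is not.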