the reason is lack of additional IP encapsulation header with transport mode. When a cleartext IP packet is fragmented prior to IPSec encapsulation and then fragmented en-route once again, two headers are required to properly maintain double fragmentation.
When using IPsec transport mode, it is impossible due to just one IP header used. You need to use another tunneling layer inside IPsec - e.g. GRE or IPIP, like DMVPN does - or use IPsec tunnel mode (effectively the same, but native to IPSec).