# this file is dynamic and managed by wit-network-config, any changes will be lost
#
# strongSwan ipsec.conf (starter/stroke syntax). Tokens in CAPITALS such as
# FQHOSTNAME, LOOPBACKv4 / LOOPBACKv6 and IPSEC_IPV4_SUBNETS / IPSEC_IPV6_SUBNETS
# look like template placeholders filled in by the generator -- confirm against
# wit-network-config before relying on any of them.

config setup
	# Left disabled by the author (no reason recorded). With strictcrlpolicy
	# off, a peer certificate is still accepted when no current CRL can be
	# obtained, i.e. revocation checking is best-effort rather than mandatory.
	#strictcrlpolicy = yes
	# Keep fetched CRLs on disk so revocation data survives a restart.
	cachecrls = yes

# Settings inherited by every conn below unless the conn overrides them.
conn %default
	keyexchange = ikev2
	# Retry IKE establishment indefinitely.
	keyingtries = %forever
	mobike = no
	# NOTE(review): per the strongSwan ipsec.conf documentation dpdtimeout only
	# applies to IKEv1; with keyexchange = ikev2 this line is expected to be
	# ignored -- verify against the strongSwan version in use.
	dpdtimeout = 10
	# Dead-peer-detection probe interval in seconds; on a dead peer the SA is
	# held (trap policy stays installed) rather than cleared or restarted.
	dpddelay = 2
	dpdaction = hold
	#closeaction = clear
	#rekeyfuzz = 100%
	# IKE SA is rekeyed (reauth = no, so no re-authentication) starting
	# 12 minutes before the 4h lifetime expires.
	ikelifetime = 4h
	margintime = 12m
	reauth = no
	# Transport mode between hosts; the local conns override this to passthrough.
	type = transport
	# The trailing "!" makes each proposal strict: only exactly this suite is
	# offered/accepted. modp4096 in the esp line enables PFS for the CHILD_SA.
	ike = aes256-sha512-modp4096!
	esp = aes256-sha512-modp4096!
	# Own certificate and identity (FQHOSTNAME substituted by the generator).
	leftcert = FQHOSTNAME.crt
	leftid = "C=US, O=Wit, CN=FQHOSTNAME"
	# Wildcard peer identity: any certificate whose subject has C=US, O=Wit is
	# accepted regardless of CN. Nothing in this file pins the issuing CA, so
	# the trust store contents decide which issuers can mint a matching subject;
	# a rightca constraint would narrow that. TODO confirm which CAs
	# wit-network-config installs.
	rightid = "C=US, O=Wit, CN=*"
	# NOTE(review): rightid2 names the identity for a second IKEv2
	# authentication round; no rightauth2 is configured here, so whether this
	# line takes effect is unclear -- verify against the strongSwan version in use.
	rightid2 = "C=US, O=Wit, OU=DCs, OU=PhyNodes, OU=ipsec, CN=*"
	# Install trap policies at startup; the SA is negotiated on the first
	# matching packet.
	auto = route

# Loopback-to-own-loopback traffic is exempted from IPsec (passthrough, no
# authentication), one conn per address family.
conn local4
	left = LOOPBACKv4
	leftsubnet = LOOPBACKv4
	right = LOOPBACKv4
	rightsubnet = LOOPBACKv4
	authby = never
	type = passthrough

conn local6
	left = LOOPBACKv6
	leftsubnet = LOOPBACKv6
	right = LOOPBACKv6
	rightsubnet = LOOPBACKv6
	authby = never
	type = passthrough

# IPv4 traffic between the loopback address and the configured peer subnets is
# protected using the %default settings above.
conn loopback4
	left = LOOPBACKv4
	leftsubnet = LOOPBACKv4
	right = IPSEC_IPV4_SUBNETS
	rightsubnet = IPSEC_IPV4_SUBNETS

# IPv6 counterpart. Unlike loopback4, the peer address is %any6 rather than the
# subnet list, so any IPv6 peer address is acceptable and the certificate
# identity check in %default is the only constraint on who may negotiate --
# presumably intentional for the template; verify with the generator.
conn loopback6
	left = LOOPBACKv6
	leftsubnet = LOOPBACKv6
	right = %any6
	rightsubnet = IPSEC_IPV6_SUBNETS