connections {
    loopback4 {
        version = 1
        local_addrs = LOOPBACKv4
        remote_addrs = %any4
        proposals = aes256-sha512-modp4096,aes128-sha1-modp2048

        local {
            auth = pubkey
            certs = FQHOSTNAME.crt
            id = "C=US, O=Wit, CN=FQHOSTNAME"
        }
        remote {
            auth = pubkey
            id = "C=US, O=Wit, CN=*"
        }

        children {
            loopback4 {
                interface = lo,feth+
                remote_ts = IPSEC_IPV4_SUBNETS
                local_ts = LOOPBACKv4
                mode = transport
                start_action = trap
                esp_proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
            }
        }
    }

    loopback6 {
        version = 1
        local_addrs = LOOPBACKv6
        remote_addrs = %any6
        proposals = aes256-sha512-modp4096,aes128-sha1-modp2048

        local {
            auth = pubkey
            certs = FQHOSTNAME.crt
            id = "C=US, O=Wit, CN=FQHOSTNAME"
        }
        remote {
            auth = pubkey
            id = "C=US, O=Wit, CN=*"
        }

        children {
            loopback6 {
                interface = lo,feth+
                remote_ts = IPSEC_IPV6_SUBNETS
                local_ts = LOOPBACKv6
                mode = transport
                start_action = trap
                esp_proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
            }
        }
    }
}