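# strongSwan ipsec.conf template: certificate-authenticated, transport-mode
# IPsec between this host and the configured peer subnets, negotiated on demand.
# FQHOSTNAME, LOOPBACKv4 / LOOPBACKv6 and IPSEC_IPV4_SUBNETS / IPSEC_IPV6_SUBNETS
# look like placeholders substituted when the file is rendered -- confirm
# against the tooling that generates it.
# Every option sits on its own line: a '#' disables the rest of its line, so an
# option sharing a line with a commented-out one would be silently dropped.

config setup
    # NOTE(review): strict CRL checking is left disabled, so a peer certificate
    # is still accepted when no current CRL can be obtained. Enable this once
    # CRL distribution is reliable for every host in the mesh.
    #strictcrlpolicy=yes
    # Keep fetched CRLs cached locally.
    cachecrls=yes

# Defaults inherited by every conn section below.
conn %default
    # NOTE(review): the IKE version is not pinned, so the daemon default
    # applies. Uncomment to require IKEv2.
    #keyexchange=ikev2
    # Retry a failed negotiation indefinitely.
    keyingtries=%forever
    # Dead peer detection: probe every 2 s; on a dead peer keep the trap policy
    # so the SA is renegotiated on the next matching packet (dpdaction=hold).
    # dpdtimeout is understood to apply to IKEv1 only -- verify for the
    # deployed version.
    dpdtimeout=10
    dpddelay=2
    dpdaction=hold
    #closeaction=none
    #rekeyfuzz=100%
    # IKE SA lifetime 4 h; rekeying starts 12 min before expiry; rekey without
    # a full reauthentication.
    ikelifetime=4h
    margintime=12m
    reauth=no
    # Host-to-host transport mode.
    type=transport
    # A single proposal each for IKE and ESP; the trailing '!' makes the
    # proposal strict, so a peer offering anything else is rejected.
    ike=aes256-sha512-modp4096!
    esp=aes256-sha512-modp4096!
    leftcert=FQHOSTNAME.crt
    leftid="C=US, O=Wit, CN=FQHOSTNAME"
    # NOTE(review): CN=* matches any peer certificate carrying C=US, O=Wit.
    # Peer authorization therefore rests entirely on which CAs are trusted:
    # keep the trusted CA dedicated to this mesh and keep revocation working.
    rightid="C=US, O=Wit, CN=*"
    # Install trap policies at startup; SAs are negotiated on first matching
    # traffic.
    auto=route

# Traffic from the local address to itself bypasses IPsec.
conn local4
    left=LOOPBACKv4
    leftsubnet=LOOPBACKv4
    right=LOOPBACKv4
    rightsubnet=LOOPBACKv4
    # NOTE(review): confirm the deployed strongSwan version accepts auth=none.
    auth=none
    type=passthrough

# IPv4: protect traffic between the local address and the peer subnets using
# the %default settings above.
conn loopback4
    left=LOOPBACKv4
    leftsubnet=LOOPBACKv4
    # NOTE(review): right= takes the subnet placeholder here, whereas
    # loopback6 uses right=%any6 -- confirm the difference is intended.
    right=IPSEC_IPV4_SUBNETS
    rightsubnet=IPSEC_IPV4_SUBNETS

# IPv6 counterpart of local4.
conn local6
    left=LOOPBACKv6
    leftsubnet=LOOPBACKv6
    right=LOOPBACKv6
    rightsubnet=LOOPBACKv6
    # NOTE(review): confirm the deployed strongSwan version accepts auth=none.
    auth=none
    type=passthrough

# IPv6 counterpart of loopback4; any IPv6 peer address is accepted (%any6),
# with the protected traffic limited by rightsubnet.
conn loopback6
    left=LOOPBACKv6
    leftsubnet=LOOPBACKv6
    right=%any6
    rightsubnet=IPSEC_IPV6_SUBNETS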