# ipsec.conf (strongSwan-style) template: one "config setup" block plus
# "conn" sections. The upper-case tokens FQHOSTNAME, LOOPBACKv4, LOOPBACKv6,
# IPSEC_IPV4_SUBNETS and IPSEC_IPV6_SUBNETS look like placeholders that are
# substituted before deployment -- confirm against whatever renders this file.

config setup
        # Left commented out, so the daemon default applies: a peer certificate
        # is still accepted when no current CRL can be obtained.
        # NOTE(review): rightid in %default matches any CN under C=US, O=Wit, so
        # CRL revocation is the only per-host revocation control here; consider
        # enabling strictcrlpolicy if CRL distribution is reliable.
        #strictcrlpolicy = yes
        # keep fetched CRLs cached locally between checks
        cachecrls = yes

# Settings inherited by every conn below unless that conn overrides them.
conn %default
        # commented out: the daemon's default IKE version policy applies --
        # confirm whether an IKEv1 fallback is acceptable for this deployment
        #keyexchange = ikev2
        # never give up re-establishing the connection
        keyingtries = %forever
        # dead peer detection (seconds): probe an idle peer every 2s.
        # dpdtimeout is documented by strongSwan as IKEv1-only; IKEv2 relies
        # on its retransmission timeout instead.
        dpdtimeout = 10
        dpddelay = 2
        # on a dead peer keep the trap policy and renegotiate on next traffic
        dpdaction = hold
        #closeaction = none
        #rekeyfuzz = 100%
        # IKE SA is rekeyed in place (reauth = no) starting 12m before the
        # 4h lifetime expires
        ikelifetime = 4h
        margintime = 12m
        reauth = no
        # transport mode; local4/local6 below override this with passthrough
        type = transport
        # trailing "!" makes the proposal strict: only this suite is accepted
        ike = aes256-sha512-modp4096!
        esp = aes256-sha512-modp4096!
        # this host's certificate and the subject DN it asserts
        leftcert = FQHOSTNAME.crt
        leftid = "C=US, O=Wit, CN=FQHOSTNAME"
        # wildcard CN: any trusted certificate issued with C=US, O=Wit is an
        # acceptable peer identity
        rightid = "C=US, O=Wit, CN=*"
        # install trap policies at start; negotiate on the first matching packet
        auto = route

# IPv4 loopback-to-loopback traffic bypasses IPsec (passthrough policy).
conn local4
        left = LOOPBACKv4
        leftsubnet = LOOPBACKv4
        right = LOOPBACKv4
        rightsubnet = LOOPBACKv4
        # NOTE(review): strongSwan documents auth as esp|ah; confirm the deployed
        # parser accepts "none" (it has no effect on a passthrough policy anyway)
        auth = none
        type = passthrough

# IPv4 traffic between this host's loopback and the protected subnets;
# inherits transport mode, the strict proposals and the wildcard rightid.
# NOTE(review): subnet traffic selectors in transport mode depend on the
# daemon narrowing on the triggering packet -- confirm for the deployed version.
conn loopback4
        left = LOOPBACKv4
        leftsubnet = LOOPBACKv4
        # NOTE(review): right is the subnet placeholder here, whereas loopback6
        # uses %any6 -- confirm which peer-address restriction is intended
        right = IPSEC_IPV4_SUBNETS
        rightsubnet = IPSEC_IPV4_SUBNETS

# IPv6 counterpart of local4: loopback-to-loopback traffic bypasses IPsec.
conn local6
        left = LOOPBACKv6
        leftsubnet = LOOPBACKv6
        right = LOOPBACKv6
        rightsubnet = LOOPBACKv6
        # see the note on auth in local4
        auth = none
        type = passthrough

# IPv6 counterpart of loopback4; any IPv6 peer address is accepted (%any6),
# so peer authorization rests entirely on the certificate check and rightid.
conn loopback6
        left = LOOPBACKv6
        leftsubnet = LOOPBACKv6
        right = %any6
        rightsubnet = IPSEC_IPV6_SUBNETS