conn clear
	type=passthrough
	authby=never
	left=192.1.2.23
	right=%group
	auto=ondemand

conn oe-base-server
	type=tunnel
	#retransmit-interval=15000 # slow retransmits
	# left
	left=192.1.2.23
	leftcert=east
	leftid=%fromcert
	# right
	rightid=%fromcert
        rightrsasigkey=%cert
	authby=rsasig
	right=%opportunisticgroup
	ikev2=insist
	overlapip=yes

conn clear-or-private
	also=oe-base-server
	failureshunt=passthrough
	negotiationshunt=passthrough
	auto=add

conn private-or-clear
	also=oe-base-server
	failureshunt=passthrough
	negotiationshunt=passthrough
	auto=ondemand

conn private
	also=oe-base-server
	failureshunt=drop
	negotiationshunt=hold
	auto=ondemand

conn block
	type=reject
	authby=never
	left=192.1.2.23
	right=%group
	auto=ondemand

# conn packetdefault is no longer used
include	/testing/baseconfigs/all/etc/ipsec.d/ipsec.conf.common