# Policy group "clear": peers in this group are never offered IPsec, so
# their traffic leaves this host unencrypted.
conn clear
        # No IPsec processing; matching packets pass as-is.
        type=passthrough
        # Never negotiate IKE for this conn; it only installs the policy.
        authby=never
        left=%defaultroute
        # Remote addresses come from the policy group list named after this conn,
        # so whoever can edit that list decides which peers are exempt from
        # encryption. Keep the list short and its permissions tight.
        right=%group
        auto=ondemand

# Shared template pulled in via also= by the opportunistic conns below.
# Authentication is one-sided: the local end is anonymous (AUTH_NULL) and
# the remote end must prove its identity with a certificate.
# NOTE(review): despite the "-server" name, the left side is configured as an
# anonymous address-requesting client - confirm the name matches the intent.
conn oe-base-server
	# presumably milliseconds (Libreswan convention), i.e. 15 s - confirm
	retransmit-interval=15000 # slow retransmits
	type=tunnel
	# Accept a narrower traffic selector than the one proposed.
	narrowing=yes
	# left (local end): anonymous, no identity or credential is presented
	left=%defaultroute
	leftid=%null
        leftauth=null
	# Ask the peer for an address and translate local traffic to it.
	leftmodecfgclient=yes
	leftcat=yes
	# right (remote end): must authenticate with an RSA signature; the key and
	# the ID are both taken from the peer's certificate. Which certificates are
	# accepted depends on the trust anchors installed on this host - confirm
	# that set is limited to the CAs you intend to trust.
	rightauth=rsasig
	rightrsasigkey=%cert
	rightid=%fromcert
	# Remote addresses come from the opportunistic policy group list.
	right=%opportunisticgroup

# Policy group "clear-or-private": talk in the clear by default, but accept
# IPsec if the peer asks for it. Settings are inherited from oe-base-server.
conn clear-or-private
	also=oe-base-server
	# Fail open: traffic continues unencrypted if negotiation fails or while
	# it is still in progress.
	failureshunt=passthrough
	negotiationshunt=passthrough
	# Loaded only; this host does not initiate for peers in this group.
	auto=add

# Policy group "private-or-clear": try IPsec first, fall back to cleartext.
# Settings are inherited from oe-base-server.
conn private-or-clear
	also=oe-base-server
	# Fail open: if negotiation fails, or while it is running, packets are sent
	# unencrypted. Anything that blocks IKE therefore results in cleartext, so
	# this group gives best-effort privacy only. Put peers that must never fall
	# back in the "private" group and watch logs for failure shunts.
	failureshunt=passthrough
	negotiationshunt=passthrough
	# Outbound traffic to a peer in this group triggers negotiation.
	auto=ondemand

# Policy group "private": IPsec is mandatory for peers in this group.
# Settings are inherited from oe-base-server.
conn private
	also=oe-base-server
	# Fail closed: packets are dropped while negotiating and after a failed
	# negotiation, so nothing for these peers leaves in the clear.
	failureshunt=drop
	negotiationshunt=drop
	# Outbound traffic to a peer in this group triggers negotiation.
	auto=ondemand

# Policy group "block": no communication with peers in this group.
conn block
        # Matching packets are refused rather than passed or encrypted.
        # NOTE(review): whether the sender gets an ICMP diagnostic or a silent
        # discard depends on the kernel stack - confirm on the target system.
        type=reject
        # Never negotiate IKE for this conn; it only installs the policy.
        authby=never
        left=%defaultroute
        # Remote addresses come from the policy group list named after this conn.
        right=%group
        auto=ondemand