conn clear-or-private
	leftid=%fromcert
	leftrsasigkey=%cert
	# nickname of your letsencrypt certificate imported to NSS
	leftcert=east
	leftauth=rsasig
	left=%defaultroute
	#leftmodecfgclient=yes
	#
	rightid=%null
	rightauth=null
	right=%opportunisticgroup
	#
	negotiationshunt=passthrough
	failureshunt=passthrough
	type=tunnel
	ikev2=insist
	sendca=issuer
	auto=add
	#
	rightaddresspool=10.0.10.1-10.0.10.200
	rightmodecfgclient=yes