# certificate config Vesselin
conn clear
        type=passthrough
        # temp workaround
        #authby=never
        left=%defaultroute
        right=%group
	auto=ondemand

conn private
	rightid=%fromcert
        rightca=%same
        leftcert=hostcert
        leftid=%fromcert
	type=transport
	authby=rsasig
	left=%defaultroute
	right=%opportunisticgroup
	# if we fail hard, we might as well hold traffic during IKE too
	negotiationshunt=hold
	failureshunt=drop
	ikev2=insist
	auto=ondemand

conn private-or-clear
	rightid=%fromcert
        rightca=%same
        leftcert=hostcert
        leftid=%fromcert
	type=transport
	authby=rsasig
	left=%defaultroute
	right=%opportunisticgroup
	# if we fail hard, we might as well hold traffic during IKE too
	negotiationshunt=drop
	failureshunt=passthrough
      	keyingtries=1
        retransmit-timeout=2s
	ikev2=insist
	auto=ondemand
	
conn clear-or-private
	rightid=%fromcert
        rightca=%same
        leftcert=hostcert
        leftid=%fromcert
	type=transport
	authby=rsasig
	left=%defaultroute
	right=%opportunisticgroup
	# if we fail hard, we might as well hold traffic during IKE too
	negotiationshunt=drop
	failureshunt=passthrough
      	keyingtries=2
        retransmit-timeout=3s
	ikev2=insist
	auto=add