# Opportunistic IPsec using DNSSEC and supporting an address
# pool for clients behind NAT (Client Address Translation, cat)
#
conn clear-or-private
	leftckaid=YourCKAID
	left=%defaultroute
        leftaddresspool=100.64.0.1-100.64.255.254
	leftid=@YOURFQDN
	leftauth=rsasig
	leftmodecfgclient=yes
        leftcat=yes
	right=%opportunisticgroup
	rightauth=null
	rightid=%null
        #narrowing=yes
        negotiationshunt=passthrough
        failureshunt=passthrough
        ikev2=insist
	type=tunnel
        auto=add