connections {

   home {
      local_addrs  = {{ strongswan_rw[inventory_hostname].local_addrs }}
      remote_addrs = {{ strongswan_home_addrs }}

      local {
         auth = pubkey
         certs = {{ inventory_hostname }}-cert.der
         id = {{ inventory_hostname }}.trygvis.io
      }
      remote {
         auth = pubkey
         id = {{ strongswan_remote_id }}
      }
      children {
         home {
            remote_ts = {{ strongswan_ts }}

#            updown = /usr/local/libexec/ipsec/_updown iptables
            esp_proposals = aes128-sha256-x25519
         }
      }
      version = 2
      proposals = aes128-sha256-x25519
   }
}

authorities {
   strongswan {
      cacert = ca-cert.der
      crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
   }
}