--- /dev/null
+
+version 2.0
+
+config setup
+ interfaces=%defaultroute
+ nat_traversal=yes # required on both ends
+ uniqueids=yes # makes sense on client, not server
+ hidetos=no
+
+conn %default
+ authby=rsasig
+ keyingtries=3
+ keyexchange=ike
+ left=%defaultroute
+ leftrsasigkey=%cert
+ rightrsasigkey=%cert
+ dpdtimeout=30 # keepalive must arrive within
+ dpddelay=5 # secs before keepalives start
+ compress=no # breaks double nat installations
+ pfs=yes
+
+conn sample
+ leftca=%same
+ leftcert=my.certificate.crt
+ leftsourceip=192.168.10.1
+ leftsubnet=192.168.10.0/24
+ right=my.vpn.concentrator.net.
+ rightca=%same
+ rightid="C=??, ST=??, O=??, OU=??, CN=my.vpn.concentrator.net, E=root@concentrator.net"
+ rightsourceip=192.168.11.1
+ rightsubnet=192.168.11.0/24
+ dpdaction=hold
+ auto=start
+