cat > /etc/ipsec.conf << EOF
config setup
    strictcrlpolicy=yes

ca {{ authority.namespace }}
    auto=add
    cacert=/etc/certidude/authority/{{ authority.namespace }}/ca_cert.pem

conn client-to-site
    auto=start
    right={{ authority.namespace }}
    rightsubnet=0.0.0.0/0
    rightca="{{ session.authority.certificate.distinguished_name }}"
    left=%defaultroute
    leftcert=/etc/certidude/authority/{{ authority.namespace }}/host_cert.pem
    leftsourceip=%config
    leftca="{{ session.authority.certificate.distinguished_name }}"
    keyexchange=ikev2
    keyingtries=%forever
    dpdaction=restart
    closeaction=restart
    ike=aes256-sha384-{% if session.authority.certificate.algorithm == "ec" %}ecp384{% else %}modp2048{% endif %}!
    esp=aes128gcm16-aes128gmac-{% if session.authority.certificate.algorithm == "ec" %}ecp384{% else %}modp2048{% endif %}!
EOF

echo ": {% if session.authority.certificate.algorithm == "ec" %}ECDSA{% else %}RSA{% endif %} {{ authority.namespace }}.pem" > /etc/ipsec.secrets

ipsec restart