conn private-or-clear
        # Prefer IPsec, allow cleartext 
        rightrsasigkey=%cert
        right=%opportunisticgroup
        rightca=%same
        left=%defaultroute
        leftcert=CENTOS-171
        leftid=%fromcert
        narrowing=yes
        ikev2=insist
	#authby=rsasig
        auto=ondemand
	type=tunnel
	negotiationshunt=drop
        failureshunt=passthrough