From 6ec864e8d3a08ce2aa4ec68e24e86bfdffb42fb4 Mon Sep 17 00:00:00 2001
From: aapostoliuk <108394744+aapostoliuk@users.noreply.github.com>
Date: Mon, 28 Jul 2025 15:51:55 +0300
Subject: [PATCH] Updated site-to-site IPsec VPN documentation (#1660)

* Updated site-to-site IPsec VPN documentation

Added general theoretical IPsec documentation.
Changed site-to-site IPsec VPN documentation.
Added steps for configuration.
Added documentation for troubleshooting site-to-site IPsec VPN.

Backported from https://github.com/vyos/vyos-documentation/pull/1653

---------

Co-authored-by: aapostoliuk
Co-authored-by: Daniil Baturin
---
 docs/_static/images/ESP_AH.png                     | Bin 0 -> 35607 bytes
 .../images/IPSec_close_action_settings.jpg         | Bin 70253 -> 0 bytes
 .../images/IPSec_close_action_settings.png         | Bin 0 -> 22371 bytes
 docs/configuration/vpn/dmvpn.rst                   |   2 +-
 docs/configuration/vpn/index.rst                   |   4 +-
 docs/configuration/vpn/ipsec.rst                   | 657 ----------------
 docs/configuration/vpn/ipsec/index.rst             |  20 +
 .../configuration/vpn/ipsec/ipsec_general.rst      | 308 ++++++++
 .../vpn/ipsec/site2site_ipsec.rst                  | 729 ++++++++++++++++++
 .../vpn/ipsec/troubleshooting_ipsec.rst            | 323 ++++++++
 docs/configuration/vpn/site2site_ipsec.rst         | 427 ----------
 11 files changed, 1383 insertions(+), 1087 deletions(-)
 create mode 100644 docs/_static/images/ESP_AH.png
 delete mode 100644 docs/_static/images/IPSec_close_action_settings.jpg
 create mode 100644 docs/_static/images/IPSec_close_action_settings.png
 delete mode 100644 docs/configuration/vpn/ipsec.rst
 create mode 100644 docs/configuration/vpn/ipsec/index.rst
 create mode 100644 docs/configuration/vpn/ipsec/ipsec_general.rst
 create mode 100644 docs/configuration/vpn/ipsec/site2site_ipsec.rst
 create mode 100644 docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst
 delete mode 100644 docs/configuration/vpn/site2site_ipsec.rst
diff --git a/docs/_static/images/ESP_AH.png b/docs/_static/images/ESP_AH.png
new file mode 100644
index 0000000000000000000000000000000000000000..6075c3f46d3fa464f8304bacf03daaabe0eaaade
GIT binary patch
literal 35607
diff --git a/docs/_static/images/IPSec_close_action_settings.jpg b/docs/_static/images/IPSec_close_action_settings.jpg
deleted file mode 100644
index a4e258cc18e25efebebb05c6bba901c27ae56b6e..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 70253
zCM|UTvWL|}+NV@6pq4y)QL)m=TL~#XB`O@bf%g{`=C?-Vv^HQmPLq>M-i-JO8DmfS zDWf0TGzkZWhynbiIB@yY2neI3rAPa}{N!yn_BIr0(z&TkIvTos<>I>3zgGDC2mKBG zLvrHx@c1848Gj?I`8yKoYBM1Ed1n52eqJgK7fRSsMh|^sMZMz zqS^{$Xe0Yp(gxsbY144H@>T zn}>f5pj2{YUc~PRV1srYblC^4ixdXQO_hUInxLBTrS#O2EAEpSUUOz{8tFeDe)U75 z>m))=*G5y)2%Mp=3;DYbTQJL8o+!mzC}Mp&DvqyR9x;rHJ+J%u9Blq zG!@y39Yx_BYLP|4UKR%3EG!!H!rXR$Er#!k9{%zqIMv3ncEIgN3-vg&$q}5kB%()V96+%s zWh1rSu6|rZos~m=NOz9gdr$lL^l0`5@5@hnoD+}NHc_3ef_<+QXJ$oB_ihcGR&zVR zPvEq~3R>A?nH-|Bw|#WZ)W%u=pFh?anjC(VS$&LPUvO$2zBOGY+ zla|q@Ni|D{! z3ykqzapJ+gFQ{enr2^U|uJKlkZUY!wu0wK@)(izkB4PnQ{3c0QHC!{`;#(o0JihXS zZ1cTQ=P|XWEfYzE4)o#i5zpY%3@1`HA&9Cf0=QBO6qJ3#1B3C) z;(QH2Ihj>z>=rBipsJ0ch4f}Ni<{}xekk8%b^s}R>^8Dm4jDT2t&70WvC36x8Ys0o zaFDMs25yb=-~}*et4_l_iM%x@;i05Ad^}mMk25@FDn$Z3@8HNfX=VtT=>Vepjb>TU zH-Ji&6nH}^AQw&?`=K*0z{9t3@8lAy(A_b(6Wrx)oZ)mrfWGVRXHA{G298fBk?va= zR8-Ctcg4`uY}Sit4P*_CgAq9rZT=4wmHX4g)UoF7WOJ=4)0g%deW`l_M(6UX16|VJ z1qtu}OWOkDqc#w{_@#%P9J23HtVA6Ux_3#Qk>99DzK{HN&k3GkSPODwX>rD9^jklV z0(7#?y?@J~JCyK$)*!`$4fhbtr1z611Jk5JaAxlVXZ8q@U_7(paV&q9 z^R*GGgLK7frmdi0jnsp$`i*kPh)trqn|Nv_wTFY|T51L4+b?B%5Rv~cWPp0B%0{`m;Qz=WB1AO~s*#6^DolU|ZoZ@V8*J0~8!m zl48KroE?>dC85`s>?0qs3VhbZYSG;y;Q4v-O-#nfGdh1Jgk zRSfu?4MY5yuneQjPfg(;Lix_<0XPSCmz1P3jO&H2{)xmmod4=I#%52z)S=cxYS&)8 z@2Cyr?(Tzbq>bc)0|sa?j=@3s1$glf66H)de>fAJ&+ND@P_YZl*1vY;Pc`nT4(cbf zir3wKQ_%5u00HWks;T!0; zQ3P8)Vh@fYaNRuz?q~O_6fdn5D1nz>;tMkCt7_pF(#GrXK0%>JecBg$m@CH-;bAzS zRpl)v1P@Y#%nA0Ql&I32r6xJCWi{16d?{#>;qMGG;nLLCjY32fkjs;G%>kniaMYI9 ziMZd0YtW)Yv(v8{Wfv}usQh;`2%3XexQ^XGTRV2uf1e3j1`#a2XLO5^<;%%%R|$Fr zf6@s7n#aaZG++G6Q8Xx+`^(@0{@|v%E%d~{=>ux37S{TLF$)UtOO;hA+_mrULcK-v zCbFg*$nLzs4~P4Z+@`#3i*TQqK+^e7lKmvI=xOxN;Nrrpc0+>JXfgivXQJWU3~0wb z-+vEy)dy9lijUfJwQ&q@(Nhpa-YglU;gLV`BX;UM0j0H)C}yy)AA+4076D@-YELLr zq&e0uf^Jy{pLTv{*!?|B*%3x*mf^sy_Li3J>b9R*L*WCO;wcaOCYXP;CRNxh9?|JPtCrqzU43*wR8(p+l;?kvyv zfJ`-O+oc|xx58*vfcSbfdThCt>V>~PNJa*;meSGhjpGm~-~hU%ImG`?5RC6i+we(p z66rz_g$-+y1xlD8Oj44eTXVvpA@j_udWoYJB2bc>DYJ16OSoO)S>3`+$MY|uHBM^e 
zlpJWNji`ebh=hn(9>)420o-j!N}JYL+A?Tf(L(RCI#t$nD@kV}EU(xA_7i_z=qYG@ zD;_X|ZIGPrUBJhhAa4f=0-s>Kfh_Knp@W%(PyL~3?tp+|3 zIz?Wv7_gFhtxOwTVv|Z0xDDD6g*i#{82~MM%Z& z7`+88u@Kg|kr9O8B)U8bLD&oJ-wu@`Jk4As7q8sZ72K3sDg?~)~} zJtGv(Jk1Mt2}M;H8OOnXlHTUn#YiF|I9kWO@M%IP zx{bj^B&zjcl@xZ`E0W%(U7AmgOZHNCPpvjJFdp{!!Vn?^OTSpVb5L$?VOy%xo1ZcEi^`NI%={8EC2XqM)Ah;sxywebljZ@bRCJc-Y2gCjh`=@egybBEU8tg) zmwJd#r1hv&G>##>Y}CW|p1}hm>SZyj(M1T_RD$F_udGFrV5J-!q*FUDj79|LGP(>4{q65vu9j%-$ z)5dgf%^sFrH?152kD15~EW?NNE|VY8g}i!~y$FNRyW!^O381p;aotU}mm5fdQ}+hQ zjQA}@IiCZX5 zB9tiGpHGx+EN9ChP)x5wj~_bL(ixN6Ae=u_&1WR>uqTU73F*X8Ve|#2zT0&0M_ozx z@uu_RZM3noxLS64Ge`ym^3(6*js!&>&Q{}R5o2da&3su_8T=(8h`ywe?69#DEeyz; z??v()XP45)KEEf_jKJ?ew^l`O1T#ouIcb@t7=L(AK@ac8O8)b5D%CaNUEFM$&X`MT zG7h~EP#O;FoFmRm)r#Et74R6?D#`JY*P#h9nT;#T)I^=4H5+!-=8~_Zu~nB^O6O)= zP*YM~->6zIIhA(F9OnyI$rQ6e8%b)(7rO<{5>CGmX-iDabFX?%;?4t&4YaNOMZnPKM?1B5!ib>E;MG!x; zp>_SLl6?O@J+W7#mr2RNa?SR~7XB#wZT~u#4|G=XTjj}Tr`E$c#GcWT$l%k6~Td=hc?;QE;-X@1wk3A6Va|T{bmU=zF z5SzLN$hHDGE__s_<^QA$-LBw0sNCc6-`IQasHU>LZ=4xNQ4vuQ5fGSB5v4lPMnIy2 zsK_9ShALzf>4uEbf`nu&fDnNJ2N+-=O7D>pq7V}43L?@HNq~?bC?zDJgaawQ+k2mS z?|sVqto1AJTJJw`8IpZ+&e>=0Z}}85%%mEkG3|iD&k^kf?IN^!704h?OS2@$OM87v zW&Mb+=TTLNp6v0-uEs0Qt>cf9Zl%LK;$>PLVgsOc)Pn`#E%eJ@^0&0cXWHM6Nc7%e zO|f)KrFhAulCzZ%7KjNxvSAgCZA|OCk|Ns~7Hk2*jZAe~oBhoH<(U+aIJwHgYK??SIL@^^UZ3exGu#u=ysPb~jxw zWc%tEc_xg(3FUs4d*5?bAm2)YGz!t$wu0ffG7c`0y`u_apAX$0P>Ak{{$yy@k+_BX zKp&j3pF_CgXE}>>kfWNrrb{-^u^Q+lQJwTpQs4F&SRE~X0Zb|VDp-e>njnr4UX9N0 z9A9c%$J_gIX*(PY9B+l*x*Z>rF3s*aD1`M{dG;K@f*7HV0ZK(6ezrIw_y+gatTP3= z12lN+2y4etzry}{g{x4JZzQw{>C|B2y})pqWW!RvD`z zD$ps8P_|58FfgaJYY=l;p*16;QJU1e^1HpwaE=fA+^gCmV$U?G&UKtEIFH-v202X} zYSxMsDz^cU?tyTwLs|V6iaw_)SEo}bE1p? 
zgV;_50LMT$gY3Hxt0yNKnQF(wRH=KRRgZd7@XWlm6*ouIWkDl6>`ZR{Jy&15C?Bs6 z$kAD=#FhVjK^(x^*)sN7PA5my2$BVW&0fc&L#R)_&~7Gj*^BP9V4~O%1yq5_adZEL z=FUf~0q(VdP*-}dnzrn~xC<_=zKt4$x(IT$YqH)|RW0pz)6WT<$haG6_6FDeQgiG{ z2OpCk^S#%EJ~Dg%1lYU^Kc5&}3(BqaKg<2t z2Ocv4LJ25{o|WjOZ2c_vt`6)H64f@a>oV-@OGQUOt_V51GDCI%*P z47+ks9!#|V`>}s}K~jKMz?uFM`auRoIb64mu>08>zaG64iK2}()pPY@L8YeQ6)ctx zN;VK;y{lE@(=s2gZf&ETeAex$@JwEx&0X}H-lPRKrS9>9q)x_<9E%`6(aRMPwpaO^ zk=nl>^&CB5XK?%58({}Fx@nbz2UZkWGrOl|)bsVecW)AfuQfv4Rj9tcD6U5ug$$Rb zha+Mwl!FkP&G5MGoo@#0IVXOyrfN0%q^z8$QEE}5C!>Vr*X5`U*g+3$5%(2FpUX26 zzqB#QnTmH9cE?mXn2bqKoDg8~RcEVaRbO)z@OV!}nA1Bx zpM+1S!W(wu{B0Gy^-uORzymV7*CKhNq+B4>18ZmEI-TNiJ18eOV!oR0eeTfmoOD;~ zBAvMyKul94?*TZ7jKk`u)5cWNr<}%m^z}{j3PQaPH9&an&J=lx2O`cgc9Hq1kr+?J z7zb9)ECy#B9Ub-PL;a%eo?qwpS?-K)o=zjODK&M9*>l;+l}MN>8Sli#osl(SMjv*O>_QAE8n&GE6+~KK=kSX6%goq3I zC_M=C@+Hmj>!ACWng$FE<6^PQ-x>6Z16SQi*=?fVUm%Wrmb=|=@Ti9b&&r_CCRXR! zlSweHcAK{H+#SU{f`vp!>#)$K&R22h7%|@Uaw4LRRdcz)9UJcMVc0WWU-cq$^%2@a z6d;Vt6`%gpxH27A;7|h*h)_bc`s^5`Nxw?1>RRp@DciKFE{OOCpen)F%CCR;FgWNS zSsv`GF20?fm&;phND-VRy35`plu%SPW4x;eMb?Y7U-qq!Q5T)?B5fW?pU=DyfPK$^ z9k57y7M170XOX9i$kJyvny&@bz`??)x))V26G$Q8U*e zI@%t2E+ZJ<^zgfMpDgBP>id3j`kqyM=*_`-b~DwLB%7-(km0P5tM7R>-+~qFthEMb zu5V*o!3es*?Qw^ezLpw|Y@<3nL4C)bC*JNgEAWV#Ik3N@M)Oi(vP*j8K_{`>nL>{xNSVYc0sge;xBLvB-< z5Tob1l>=kh?mQjAz%8Dw8N;#&+vX*@Pv;!D`U!><`{?kZ8M+`)wRTq7n{|LfM+W>x z>b{!a{#outn0utrSQFJ_PPS8WL-4T+wuMUK9iVydzhilBSRi;s=@ z-ar|Cj7U(E#HGVaP`T-muD*g*QIs$`NLv}ktrVVZqw)Cr9IM>C1A+@jdrCdbV*j+g zGsg1LGtN?$G&wtgSSy@*ZB0b$bA&0Y9tq>4G8$!@bDX5j*7_)6U+1_I!*C^OllGR` zY`=s}1)=#t`oS^bF*TPw{K#&~VYT_XeGN|3DiYPZjqA_5CE!o+MJ)8=_DeH?oTeO& z6ZYe8x#xI(RDc~0$VydnCx|PWLZ-&Zw-**+57~9eRb2i~OoTv2DhUE2)zFgd;EJL} z2l19)jXT?oS!vsA7oM)0jLv`V>Sj$$2dgl1+#x2A+rxhE)B@Wn=+!L>`T`fxWJGN{2ynaE1>PnA6+&uP|WH6(ThF<|7vINNI)A63GK2T)kS&+~IJV?A{rq?4Gk7Zna1ZQf1}A}KOE zJug1A!nQ16PI)|#*_jZXKf7nfh_C0;&>VL}Qu2Pbc7Aarb=dQ^IXfF`C3}P00Sh7v zyB=k>HInc0jSMNrQAJS5>eYJ;=i$fpLq$WrOCihR1fTjq30qG$F(S>}asIV;y7&l2 
zJLM!)P=U^sX#h@SOqa+b@D>7MbGONKh89$cmb~{qmA#`S9#%=$z~$ANgm~q+hF%Si zz|nI=LseVd_4K2?&r{Q?{PUheFTR^qcnFb~of* z+gau_+_#$BREOyuZ#*wIjl}MNF1#JvpVFqKnfwDIXn)|d*o#(58HFHqyTn1P@4>)8 ztPkO!>`$dnwnxfT&c@S7hzd4U&P4wY! z1n{1?{Z8QZZBt}j37^2iS7I@=N!S_yIJUvW`|}Jz4U!)h{9oit{|a9D*R<{bxpeF| zuw&@rruHD}oTO<)1%UU;r#DA)yCi9SyKwLI=757!bCi-~SETHcuNVNIM)U+US+-#S z=*<78+H(I*!>qMv+17;5a{Ku&X<|d{PT;V@T#uuHg2zNXPT-dEhyY-T%yr{fZDq`X zLP*>S)T)wGgjO#-B+j@S<3Z{eRYg6wtMg|Qy3f_J*2*8Yy&CU1v@RzV8!K zzr#NLEg3-Njl>S}MI6V*_bQ;G_-a7ur5hp=g`R!8Fc+km!!(Xz&2#AK#B(hFp=q#V<8)r4<=A^- zk0nvE(y-Q0VPfZvtw7^H%GvFYXi*0dTo-1~NsXa@ z!=ShUO}@0$?od+j3cw!fHzn-&l*z*Om&`^4h6mpwr86)WDyvB8p3?|Q#pSuYy#o?^ z6mokJSf6){jM_zoWSYb>Erp?vC~KT?=~qwA6FPCG_fOuVNLc(WJ+q zx@=zn&BVkcW|*jnVgkjb$xtJL0Ck4UFdTk!8ES&FH{JD5`F%|X7Ztt#vs{E>*__@x z`C`mzC<`ny53s5^9zydPpZvfGP@KE!)m>9PEiR?CzhSplESW_$6CVP^;6R6Kt0+=? zn?&PiTQIYum=`2fyTf#c^=u_eR$i<%@2{@lWX|IYAb1w}4owtd-oGM(6!V^!Buo$yFWxNcrfz5y9!k+pGV6PQ-AAc;7u!vJYDV!m zQFo#%&Bix2g16-M%_uxF#P{+NS@OlI>Klk6t%O~3figLp7oI|?0zG?-UCF4&_YP&I z^ZJO>$+V+4t~kVY^~xT>vC=4ii8?soH_L>HlKHxF3|5G&?B(+D-xm{}Hox-A>uVDg zIU9tmrTb?bWnua0$e^CZY&q$pf3I%$UrDw84G`}y@K4tS*^oBb71W|e&dfOutn|$B zf;+QUd-Bn?ZK9IP!cFzJX|u=!YYj%&K*Y^+$K2_^o~WfAgiSQk6lI{M)p8MYOYpJP zMzbFiDD(tO9n59LRXqEpWzeic;V0*tmPrp7*z2ds&Yh_gmrwlT0Xa9%8X_)?VU(a@ zafD1fXXJ2v3`7peKzA)wDvQ{;(<~oH~ju(@bVXcS<-l~ww zgq4y4WYM+`i82cjEqXx(>EGVpM@_WfZCk`+I153=&7(e1y_l& zfXaM!b@)%B6uL7SbM_NoD>7^AUFkibH4u{8A8Fp3wB-7oulP1vEIOVkwh%pjhx8ZZ z(q5}};I_D*57SIkv7Mz`6%x)zgb=fk*lXe;as5{!O_fv*VoxB}N-&jIlRxWX+4;Ei z^dVAn&2tBQaN!9}%`Gm7a5Lh+UKN*}jx^QoeMM|AGlx7&~-nMsurmax{EH=iLzEr@3+Ch4}G4KpPxx|`*8Brr!!lhow$-H zaEufkAGX;!tE%4Ba^g0-6?HJltSi<`B}!s}?Eqe6h`iSeCcUg(v(BUSl;1CuK_ zT7#y_LZ9vOIPtL!x9=+E*$nf~M0$3?o%dtJg=*E*MM*8L#*?N73q);|?0inD8LBoS z8Se}tEGi0Q=?dOKjgN5=`r&I0lB%VK_g_dIU$GgFp;b{uO})^o?}0?Aa2#`5*i7rO z$th~As?HcEGms!86|?n29*awdbNmINTvwg}hOZr@jIj`4-gm{;YxFX!ma&=S8CjVp z#f9C<`l-0NjzehWZSkM>ogZRzZdr9y3uhuDNK^x2o zZ*g&!rcSEB?J*6}z2BOBo8qle<9oAu88ztrrc_r^{i1RwtN*`IK$g+$- 
zZO}6wxjpBG=V={)(uKBe!#Au-^19k1)y*3C=c;&`2TsdoC0{7Yk&7V6n$(;aw zr%nUtJJ$+VUE$?P#$DD}iH?wNuzH3en)Z zac2f-pCX_Z(Bj(Q`USKD?MmeDKFcnhyWNLTrTU+OS6lcprn^QKpXP6@T134R;C1;`+fK2Uj4)EO%V<+28h|B*zY= zv6rkcKZB&^mndYeR1Z<|C5UM%dwR0-(f-4iIa(l*bGe=9tjY<+;!Ebn&1Q_<-P9XUVG z#}_Xz7NyfI#?rd&RCtHb#!$ym}>kJvru{agwe7wKYF0 zh!{(|##ewe+U{WS1;Fzp`EkJ~QO$^(n;SHFh1^g_PEgsOcsR}X%IS;c*QtC-^UJ)#H`+nPeVKvztH_U}n1jqN@AJQ2ZF5#HwD z92Eq`?9(8CYwH|W5L9(NRF&zxE}Lr*Rg_xvyg)KtoQ`9|#1#?;>8yo}!drW?C~I(9 z4ETuSq=pgJHK|8&9Na%&#YQLTcJ^MFfHwSDZf$>~Qv#yizm0w0#2R~4`0<`Z_aH!) z2dj@&;q`i^*M1rgCbAd(SW^BGk(6Gct%^NJZbRLp>IlP={=738U}^Z4hz!X5QD?}y zR2^=Y8LU^qW6^?6{{2Bypc`Jgf1PEBS+%xU;2sYs|h`SC7x+j!t_=(f&0 zWkGId{d{)VolYXkM`uZ2ueQCmk?%WBh!poofkYzJ?^aqy1@bN8@8EO<^3dCcSZo$RQ61j#X@$N#ii7_Wdw zthh&fq?n-LP#`%2)fCR^!EW6$#v831o(y?&t?^hpfUN6;c_2DI%khXwy&TWry&<{jygn;h8&spo7Km@7d-rF*o+DBK>{ytjZM zdo*0Z`a8p(4KPGwwBw$I04VK;+~3!CC}MH4UP8TYr=v25JYOI@(81nKN>RtP3X*P8 zY&m77C-fNS_D{MDT%!h zThvm}cg?&A=fACd<|a8Id{Mz7}6&Kl} zp*h`t;b8LKYd`W2H2jrS@k9aMDe(tS5=absIJ{N7brct=-HO#1JiC78Y1vhS9TlOm zYT~!-R(wXtOGclK5y+Pk=Ct=o>|!{$5ki|eO_^BbAMI${x&Ejxcp_%gm2g)l(vz{$ z3t6z|b?hZYq5(V@j6VNWNg#VCDBwIK?6J20qLWotLIwhL!7e?UvN(*_DCqZ@#NLe= zqr4?-bcXB*^Vg#&FbzVa6xDeE;HhVQmb**aW)!EbW>|7lZO<-V zf`xgz-CFSQKd~Wm4hEavOx|4*}LT`1|* zBqjNAPZHy<ZyWVCOQ0ZP&S9Wwpc5j@?HB<`3?fM3i{j%)P43o*v~6V)LpY=f;x8Z2(eeN+R<2t zYduxi{uF-s9Q}~r68s9L0d&A3gGK>$@TN3_7LpQABfZJaO^I7k7&Gn|*Ioqj;>s9EZWTy!(T@Mj9=yU>o*^Y|6}@F&Y#InLdV;>*OmfSP zHuwG3VQ;$DvDpg~nwqyaO5}S7C160c_AgNC?&8r1LdW@U+<{imzkr>$0xa& zonB7BB{yA!e>&b<_a(ASszID_utlilcTNwqheD8p&rH~OtK%~>JQ!b z;Se+=SA-YvU?x5E-U9(35WY&cH6l;F`2{stfYYefOgs zo6C<){pox8N^v10?cyqi(PYE8?Hv8X>kCKP(qKJ3tKF!a*CU;MCHje^q0Ej|8VT0n zRwcP6+}by}e>Q1?ki1i3mBN{-PAZh9iCSYKG``z7xaPOYYh`}w-JR;Rb^hKiL63Mu zN4kT!4N?<-g_h^&wx77%*_auR`HqXzcH*A!xjJZlDU`zsr<=N&DP$D~{}7Uc>3(RW z;|w2y{qZqi)Gj*LQS;~!$2hTndga5tG#Vnxo*n#}<>&>c*H3A_C_-HbG%J36yFSxf zy6dp%#XA?zT{=1Q?>#wggANPOVn$6W-48L<-W|}OE=rAh(~$WrLHWcVxNt_D@tfuf z0;C}}0%9N$$)MZirD(u6Q-UNzy6Fom3N4+(8C>Uq+DF@rcm>Ei|9kpcUs%zPfPgco 
zHEjdSNg|pIJh-T8e2$ zg{mE}dzK&ZPVIOafXmYv{%8HtR_+&KRY4F)rh(tgG&xHR0gXs4$iCsKJT<+ zbe_wC3`umUY|9v*Ta*kU7(PqVK+t5w@~(pmk;z$YGan)$_IOv4bC#!`KNlm5bAld;<|{Cjm5gJx zZxgF~y0EVSGf!**gtOukD98z-M$CPC$ZuSwgAhv$_vCM%)xVu$>df?LUCMu(YRu0t z)|aZeM!wCV&gIu7r_okOw2Ng?C8`aCSlTNn9-K~Wh)vJrW>9iqbYyRTJn3}LqapT5 zpo@)KdfMCR1L1ni?u-DThjrQhV+S8Sdc!hbqcv6Eb0mC2i3A)rHH@V&9*@MtOh|Q| z20#s#Vsfj>aM^{P)^V%wr)LGy%+=aDKnsexXu9??9*qggTZ7;x<{Eak9d< zd>j0SI!F7W*em-g27pNntVDGoYiiU*#xraScHa<1TdX2EGC;yB@QkkvV)RRxWA5W8 z1x`UTA&LE##}>|bHARqt1vm-5lH|<(abN*eP3R%jB~0gv>X3F`Z&sYP6f5sq_Mke6HZe)PnB%h^{A7I%4EB&~UERDb`% zT2}CVD0DabYozt5Ta)~F8*`znM3H27^r(eMPrLrkKbIRAHoT>_C zY8=gNR=8#=h{*zB&8jH70)Hcv%Orq9bv{o?YZmNR_(B&Eh5yO-6YZH^UTgsZ;D4LR$qa7FHJ-ALeBP+w1wh zON7UxDVJ0#)&D$lqP?!1VqTj1BMtU?Ykt(F`7@_|eG!)`HBGpF36&B%y0s26W*X?p z)YcE7c-HZVL*p|g=Md4x8LVt3aM8|+z_22Xc(Z!v7p8GsYxV?LlIP!%B37lC0c+Us zpw+ElOTNbjrq}fg6w$CrJ;fVLR|d5Y$m6 zeLT-c1*2lHtGDfL?cNE%tX<7jmDTTT8@;GOJ%8pigMsVC(%h{s**@V31=-e~5{W#d zBfzyr=6wsfTBI1;s0G;Q4HL14B~JJjfj4j^+8<@Hi#6sH6}H%70$WH|`K9l$KO6-Y zs!Dd}PkKtTC>lak%N^~uCYT(Q-Ns{3zlBnSd)Td(Ht9!lUU@pzx1nM_Uhv&+q4!Yj z@)47Ti>_b9SNLj}4b6hLHG&GRMclIXZg=RwIf2E)DWU3vL-hJFEZf0;&%mrzK)8ZE z^5dDj4>)4j5u1U^S42kumzO9{cB-#-DQ%McG(goshlsiIagt-!W;RWe#&WE=%%i!B zP3%BC>eh|y@SzIp{#V_#T?d1|uJ`Xjt~$F$dRjntB90cQ?mf6_A2>D>gIzM7KuC7; z+hO$|Xq%B3B>}^skqY`~R5FTBJae6nJY~ERu(JF4@0FF*Aid3m zppB^s;X9Sa7=tap41q4ty6g^iLrHHW&iFM#_#Bv+-M^Sm=@O+$D`ncUS2Cq|Pv|aJ zAE{zoA~w&tQMziGOu7ZQOcAO2PN60d$p`&D4rUAVbBHNy@~trgX4m|np!hoblfc>; zb5i(?XWYPIHDrp;#l>2)h@vMTpeHabWLp(DuzTLe!B(WyMz;iR<#^Z4M6kzf`zCu` z1v8($?&o{o354jy3@3Hq6&HQW`#R2tpbeCYw2H((q3^v#ZGVMf;bOg28Z(R)TPvH* ztSS$#S0=Jwj>E~)qqt`85%CGx8|(&YI%fO0mOwr(4D5@61Lqm4PJ3oTR*vLM2QGwY zW_u>ELPIiK12x3M;}@@346PA4Y@T!?2liF)s=9F-dtU%mUSL!OyUz=$T5dW#&nE#V zbny|>CXIj)^@uck(M{ZUhUs3B=O3k&yM39JKn`*{Rtqim5Hjv!526*|5URMPYSvqG z*zl$i$*RgG3R6lnRPSEk4sc;+UTV8==H^bhsu)iQ@#QX>lZX##HQEnlnzNyhjo9Nc z_fWy4^w^*?Ia;c4h0Wcv;t;L)qi#y*DT52o`bgS6fog-j@0)6Uz$y_sXGwkuOVrZt 
zm+g?f0fAh&v6|b+jL1c{ksPHy(eX>&Yr};n8GC+uy~uM2uR}g6lF->CU2j*m?CVJJ zGC9>uN*^_IjSvINkIV1OP|%S(GXTH%u>KIFEv$9ggGM;u+bulQJw8?3UN}xmHy=VFXpo@mfJ_p`*UE z*y_0v>G;@K1ac>mf)Ca=32|M+F7S;ZAMqhfp!9dclo4H|F3GveRX%d5m%I(!w6qR!@5zncFl)b84=_9W6um9-gI1Ga;{n zP+&oI>7i^tc97m+c>!N~6{A6ckV+~0g?Bvz4C!0ESbga_FFXsAd{X@SYS-{a(m8Ul zF;Y+`ni<4?D>*4xh_65^b9H~cCTw*ueqaXM#T+>m%q>bhl$)_TZrYtU73>?BF}|)J zHL_FY*nhrkQiKrv#NPFZ2|Uf{4AbW5R_uPrF-pMb^cc!an_> z5^`v4cU?z~yPAhrWtEQz}7*YUbvcKeQmPG@W;<`=LRumr~uYLM^(mTZ}!6U_~wYJ?%Mk5hb%RVsHEMf6kmYy z-U>u}Fxs3oip2!`A%LHzJk%L7WVD#OG`Osb2!;>JHa#)&n4Q-6!DZYvL5=yb=W#Fo zbs)Syrw=s8#3|Y{VE#C#++9U%ucYW!1iMf-3xl1C(aEyO3#1`K=A5mIT~nM!g5d|3 z8{w$B^HnvEgZN9A?+Z&LyZqt8L(Lq*L+@_|gcbsx`hytTjN`&KqhD*wc1Bp%H`Gpd zbLJPukKdGap?1BYH&y#Ajif2gmY(I{qpjxXGb8#D5yLrGQVgr8gz#KhwA=bt7%0ZH zHI}rEX*>5z^e3xAJF@8&p&W>^6G)b8KQvs?fcrI*bKX98_yO~9IJY=$>gVtPN}2D{ z1Us_|*K%HB0-QT++2C4)qU+p*K9H8vX1ictDXDl);hN#P=hZz;o^aQDIybV6v=r+K zOv`h|tTVZ~l3o3jYXUZ>`2%hX&M(T$>8m-*ynNuu!#FE8zDukk_FqS5BWfLFSzmW3 zRIR>;q5CbPb{aH2u7m=`8|U&gGC5vT#CtZIB>M5Ku$@NMUZqgvOLM1SAI*XQM)qyv zKO5e~G|Uuc>jru-hv7DkRZ|9OL)Qz(mRZZqv|T<8&4drUHDk)GtEfPTYf180V03CJ z3o{cb_QDPAnTiumn`dzEQ-f+|QUe?6-lph}+xd$Vu!GHoFUEUUEvmbRp?I+=1a|q2 z6UN&>80f7mjJ!+nE$-|q4A!`Ce^P1lo9b?%UFc3f_|i_Y9;IQRnl7C^R%b7c#=doB z*VBGoj@bj`dpBVX0(XpcuP4U}H`&im!lNS-j4Jv04NbwGzx%UZAhWW(8hVtCd*5L@ z5Z_3E`oCmjEr^*CNj*tEaL=BmJ|nN7)vI2I)ILTgw(8FfikeC%k}`C%V=BdwH|<#J zzoid46;&v~o4>b;0QeZ>x@UKt8o)&&U&BHdNTA@Ld?8f5Il>; zO6}gYk(Qj#&K^|^3y##J^GpO z(E-`==HbF+CswFzYiv2T#d}*nNn0}jw`sZgtoY#UdS@n1c-_!uQRw_*ZOcCK6fT;N^TQ)3o`|hFZ+)$e=wd zuFi8|)Z(tPh&$e)Ng^76*O=oSFD{P}MIe*fM7 z|Knc&8m<$!m<3vFIFX&TClK#rZ~Gs}$p1x$@E=IK{Y8iMKT)Z7O_U9=7rn8Yaqrto z0VpA3y}6unR+JAKqIm6%B+rzw_bjNI`_>&7tM&0bHE{=oG&O?mOEuzOrfXB*oyiv^^vi*j-Q4fdRynUNz#6>v6>?y!{FJ?cf z_yZ~vIJMCB)knuzbdK*5&>oqJkIVWu7QZNJDLu8V$vv|C{G)P~duF8A@p2DemnEr! zfJV}{Vj~!RMrNh0hVh2(h6`|ASes#Mok@HzO03I?kE?`njGs4>C@we2)N|8s;JmE(^E7rMBJm$<|`_W*=^P8|r! 
zsIOS7mPp_fA>pB!LQ&)0U80edS5?-3?6F7(k&pdiR)%3BXs^A~R>b)etn z^^hi2=K5gxo!DZ`h^C``0%yX$zV|w~S zunpD4(!z!MW~DB|4r^roNC0e$^>N}zaTd3tcl$IqxU?EOQsHw~nr{^vtO%qF<&!Z2bV zwimaZdKevfwqN2nq5TaMZ!cKCIWP}M8uSI0BYbP(vw{Kxhk89p4i@flpztb8J125w zC<_B1!wfrAo6yD+QmR1T7ZHX0RtV!YsjY$Yon>!@H4uIJS8|8|FowJ;Z9Et!m30_6 zpXRIfH5`IV7uZ=?k5$xrM7w%?dkVmSwJxILFH-3IgK>Pv=ai-xhDE~0AyM}tO=xv? z*8+~x`=VkP$59zzwA)u2#9kDy)mWY?82UDy$z(1slw_nuNDFD!T<6d@l+0X9X8 zP&gy9^d^M7?e`dY`J0`FiAlo{9PahzO|NXw%zrO)Umkg>sZp|*^l^H5&0S}076Up8 zTWO9^f^e`)rZ{X3K!zL9ksMUKX%0?tB*0s*vEOHar$bK9xs;xtjveYbXr;>YzUd%x zS+j{8n?mfy>djGi2`xGr1j!YeA8d|7DICW=A3bFwUV29is_Qjjt5v18+i1R?8H-%^ zC-~c>?ln)1n|Kil=opA!!qm+S&6hg0C>o8 zafOsQG;E^^`CqMJ@Q4(vr{kXJnuxhuPS2NI1r3v(1 z-&l-d;qWqK&aWpap{F%Hj#7I?!Desvzp zUzA*-QYd=nbxp;6YBa}4UF|xu3Da~Hx;xpoVH9&ifWhvkQ*^?MO78kQ=))c|Qyzs- zV7Fqb)|BEDT!1#NSKI1$h}6>aJ~l8)hQD@7S$?3VgzB*;VMO z7`_X6g+(%QFNOoG3T}L@;#|*o6KFZb=?2V5gV!@{)G*2*hHec!^w{3(dT<5at@2~j zaCp<0_d-B^M$~oJ>;?B5$f{f5fnRlZT_`VKslRl(aJ*8<0s^!P-7G*Q@8B!qK8<-a zw^B?de5%XDUJ?Z5!CHoB9TmU)VqeVgiv(0j*m`B;QLG)zYP1gfA})$&tFDOMSmI9 z=--a|H}C%kqjuQnf?I7MIRV8?_P`$EX>ML(SMp~>tkMH%0pZ_S120q+`qz?ikQpp@*o6OLyWqKUa=(wa)T~Tx9V_tuH zw*DO0R`cl9Gg2Nc;@1<@=-4`P)Is!Qvf20oj|6w+o0y?>+m)chv^KPC)2#OoP$-wU zLE=H`U+Gn~ZBA*!9wJeahgX0vP=|;6wWWw-Rc+@>d&GUlsGg?Vb2y+Jt~&Q+c3kH_ z)Y1^hGMJ*G^1xYGt@G(5QmM<8s7kVx0gjg78~@Q4F)rzCpcsoPglFQ#&Jv}eLr}CJ zldC?Lk)3&;H$5C~9Pi592xPq}4%cpp4mz;VA=8Q9EES{lbQ==jBe|YaH>J}uexGw0 zEBpHx_Z8g)SRjzhQ-a9F7}zlNTeP-=aJn9EMBp^_-li*htZBSq_IsFAR#(-?d|f`v zxv<9yh4MU@fYFLmT?RQOlh_X1Fas2%cWSk@x!zf+RPUHTvVL-TBnz&%8Pntnd5TG3 zIR&}moI0w-DTTIa!A1ibbc2e74xN^9b)4oPR%@gxfFU!h55$;U$+?nX(-p+LZMT*8 zBJT)8d_3X+>V6C{S+++g--cpZbUFxT`?%nSJOsP&7|dhHS_Nb(vAtZUuhF$U!<+l@ z&JA=V7co!9&;QmSuHcW_2k}I(Y(wUm(Q>CMn&S!h`=a3HXqgf&?~~XTxGm7yaPpF? 
zgErc;>>buSi_lB%c9~9ssp%KNo2oEL)5w4-HM*+{*xrs+#B|Dd5$eSi$ftpkstg7w zKS$g$T^hYGx9?(p^>n1)8XWE#F-?3!1V-xWQ{xrF91gqPF?Q9Suu8%N}A{_xOi?bIG&ad+E|W&p-p)0|$dQXoD(bAWwhNHCDDA^V3iy z#tbTY3fO$TQvAe{K(r9ui78p<>Z=j=%X3O3(8_dVxJGTD7~k=_7(~ zhzS+jNz8>xUAVoH3qqI26EIcu{no~Ki9TY7O=|Sh(LjdHw}Z<(=jqw?VZ()iLs8rW zICFUTh95j3Gqk+HpLc1ZhtFJW6Fm~TJ^(u|7p4e3e%YuS>no!R@}3q1X&F=RU(AlY zGFZ(?9L1|Dy3$bPb2g=*CG}PA8_d+ayNUdx|6br!5Ldf z`BLiv`jX35O-Ol}%H09N#l+r%`lbCtlV~IpjxfdqEY=qDx~t~_vntyEk@dAgiH(4? zK;|mCI`*4-86C=7x(HCNOgddh+-FeTT}tDbTyZYzyKsz;Yhej%Ze>y?ne0R-L35Jc z5`l>j)kD$Z?;s=1P_BFeIBfK5Y+s27(qvZsi%!Oyx+dc#yFn>- zwGoyO#!4CCPh5DGw2___h1&Qrnc^PeIcQ!odEu$*}{Uf3yNYvj--p+qdJ&1x7vG*C^3_*M$UM@{7ddo>JNox8W4%B-Il4Zdi~5d|hH}f%dTqul}NZ z0HNs6&sD*{S_A>xQht`REG+Vg>2V4 z2qO&uJp6&eWQkM}v4tkc9D=P~^Jdw}p))1lA~a#2f*>Fi_J9iZpq{NT&esrVkJ!4l zq9i&iN-{Us24Lo(1H?pCyPVe5smeHxaVc)G_5Xz5n4iP(@9f1I*N$UO3ijYpx=P^% zkPC;n8#f56_qIOI=KU}B-UO`4vrQYOi(0o*WK*c5E{L+Fm91rqRuPdRg0hB?y0FHO zsw@FQQda~-iWKq+LMn)?A+jV95)x$**+kYr0)zzF2_!5bkP!dd_x)z(ecR4A^UwVM zcg%dp=y8bVhP0qC;|hoZWhvLKPCP+=~rt^{=E6s=V8Hk6B$oquN?T zxAYutz>D?S)8u*oY>+p=qw+vgtY_yKxyt_ar>q?>6_A=F;4mrdP<*`o!hYnMAYzfw z8c7KPJ%~ctU4fp9oQQF~e_=l}Mh-+fW_5ruLfQIqsQC?i&Vt#XXlUw-7}v z@i8hZ~Ncz&EOF@J}z4%#TYg3L!x`_q4*#4wxZ+b49wi7vs*q@NXc&6z2 zXy#Y1W)6g=+R)J-$EpX)xETH!F`C`1+Q{A%(#=XL$Ddha2fdigy)SR_S7)ca*U=ZCur&cX6_A?KMpDJNV&%j zL24Y60P}e>a$gqEI$R4H!E8T8uHMedY0O**hb>5Ay6E92S)#aI;+rF!+k~Kbl@O(- z*!9j5atjvYd5IaB!Y&OOf940Dg;_s*Z&W|(pcbjMKn zM=|T){!Ia=$Vfh6;TwP*Nqws@>w9~EO#wJAws-+7Mtc^VHUT9kfI8pg#LxD>{n;n{ zJ74>6qh$X3?Ehc;yDE|WXDL0W6_g4UPu{CYflln1>%I3XOT^QZ!r(uB^8f3(eRMy` zP%~hV{Bk4fl%zwUeqlziDbYf8C%#R2h%P%SH2FS|*@HWDEfizBRT$#h=JM)MzRRz3 zE$k^z6ZK`&v~}*95S;JYf+&T?VLnKh3qXoKCV+R`fbEDlgztFTSnOxg6mRPRUH?8J zz~hD>YYbD_I_6h4p9%2RC&iGY_bMB4Mv}!BIw`jlXu*(fqyLwEdl$-KPqcSa|~%dP`wdFyc%o8Z=hJU>G~XR&zY%#R)Zz zm~@X!=I7l))ut3)k0H*kJ3{qm*p@l_m3s>3g3=r)=W!VMX~^NSRt+@Uq)|C#Sy91# zuc8@+{0L0rENkr>%01pdQ}kH4{n%(wW2;#Wr-8MHeo}<9Zz`VBiJ80Uij;PTixk)F 
z;=VbeXCpVoHxNF5uX0Hjamw|x$we2T>K7*~QNss&=Sc1n)w@rp#)pwV{Lr6xiu|^9WN~c}E~;{u8~l{;Sfm|9SKM z*9qSr{mFYa{rTEKjm>kBN_T=B$Y1&mUJ=%u3%q*F|Ezh}f9SRU8Lj_!qx4TB_dlZr zfVzM2uC?`~B)e#tZKsNH6s? z&p4i*KA(pqo=;^zHdOgDx2S*rYn96hfJDkmFcyv0Fz;IhpU*%Z3c%qCk=v`ZlqLmw zzkakB^}!wB5Nw?YdMb~?*7dtfrgaq8WhtNvrGkIsZ@ylx+%D^G(A(3?(i_AbqDt-% zM`5bic;|Er^u}dj<#iLq^JAr5=FeJgz7CQnGXn7G_}7rCM-UohRwN)L_!8om+1n=Z zhku^dad`Sn4f?b^5K}pLGPTkeAG0Cd>l%LU_?w;SDtbl#!D;{dW$@8o`4d1;|L($i zCMd^HgZXO?g`6Hu87TH|09o;kS!|lrah}XHKAG7Xx+B+YzoBU1apV?8*7cg7?PLGMtpaZ|3`o9>u!?cE{3n^g=!S_T zi}p=UZ}FP4tRubVXy@b45ux=SBrma|+}onY$mmov=9|I$o%pGR8EVP0ffOxkHUNeT z26am7wEDHC+vg<_H$wYr{ENRp`of(TUrrQjolDO>ID0+oqM7OG!MB?T|HeRWh|T)7 z0u)tJFM^^<+eGjg>j$U~4Er+jRt=(?H-vMST|-^jRo@6rFwP5KyJ-@gaa$k*MQMcl zM8ohwAE^Cq-{Dq_pjM?>8DFyh^hNXu$)>gWZ+ceUU~|2iaFm&X1=2_xu{14ccWv3t zJRbZN!~I}s?tKej!srqFaf-r{^pd@1garC5abX2eP*)M^LlnBegPJM^3Hz2LsM5xl zB)&ZfBKyy}31UqcfH%HhBCLHH!j^3z36AU{h`EG~?^PzrI6#H1%WeHzMQ?k77^6(& z)WZ~p#-Q{TN~qJ$12)zB0GjgR9Qa(AU@NH5O{zTwQLG{1wn_lN7Jq+Tmo({HnblrR zOcG>UBK=b!6ad&@AJ~GRj_*}|I{^@&pNo_lzyD+v8Su`ImG1>j0c)awtAgIWaO9e=O`97(o% zukz7Z#Rs_PAFlrq$R~gIZ6SYrBz*;nJu$HLkIngt4X$E}?K=DEHOX@07Pd(PaySvu(#n{lw;$0HI7D-1dnJMM!jAf> zCw(Rtx)m-0`D&F*WFH`Fdp$!Bz9vjOy4%@8nmt9Gtom2t=4iUeNODy!aQqpha^+|N zQ{tEa6?U2%MW@W=EFc;H^3(loo|8U~u+8PjZr5a`J|I|R1OExA6;b^x6F$^eFT+X2kO-DKClU!0DAKj(hi z#+IRBHwjCgED#$A+`x)!3I?QuZW)-^4k!Uhsi}ojL{fjZG9mx4_J2MM{_7vEn)mxV z>-qg6`NJYr90G?=IoOR2@tXKPh}f5X2lUpQZ%~adR~XC4Fdl2~kT3Q@=f%$Pau3vv zHxDp8@+B`jNuD76m%t@#_5d*0@#Yb}c8x zHbHKM^$vJFz#U!BW~xe#xyUW4f@Hl3OuJ?sywuB+qJVB|rk#9(oZn~Uq58AESs!z^ z#OR#tq7Z#*#_xG~g-%mEHR-A6^PX`2Hy0ipYFVEWy*pS6oTDomn#PBY==J^^$K1cf zC7Pqa7na`O5@UC)p7p6XSvbWyD9QRkR1}S}lImq`?5G;Lg-L(XR_>rRPi%YWtthVh z*#-$wpv9QFw4D;iB%GOm_Ls1u#nZp|%&$e?r@r~)dF4Y;B?PiJC@k*#7>C=~klm-~ z!_zf4)+^n6AegpAKj#|9!1pS#m=zCH;qNEvf7#ufGr?A9bx3!}wt~p*N7+rW7t-|} zWUG1hv6nFlPyGIB@J*h!9HJ<`eb;*BY7OP=_@ZlV{#CW@kq>GzgMdLiFT>*y6dozXh{6VcM@(6z1WyEkjLgP7=Vk&pA= 
zA|D~@jUrZV;TuAa(mN=-wwrWA5fPRpd|q+)XizD7mDLfq1?`keVAK-ZQX{Q@lUJGXA-Cx|~Yb4A+7YQxx} zfW~0|l~}(jL*a>nArVYZ`krY)~9j6Jh{hds8^bP@nEpw1;Aoh>2 zY3cTyr|kJ}vYLkvMOGRe_Cs8LuW|;pVhH0M8yO7N#2e!dZ(*v~{`F`^!T-0r{eONU z|5u6zI=W#fFhOeC-$hCZ8uq(~{a*i+dQ9kiXg}dMAEVB_&*6Vb?@aGHn*QU}Co!B& z#Q;5+qhFA6av+@;lP3s@hSbeTH_ju2SvG$Z(@$^I2`d*2?2i}RArn5&E(`u)+&ON; zL`0&l{3s~+?ps7?c@tM+kuk*;v=P<(!rXr`pElBNB0|w4*@51?OR4>Drt8bkg>p-g zci9VjP$a49a}aI09MSWVLwNb5S)#ahU$PrPpwaalvOJ;gmFJbCd<|UeLLu7-v+iB& zr3Z#fA5e>Dz?w$KG)UE=T*vTV+8Ga(YcasF2yekVMCaVOyox@oO zw-PjhC48P^+?Qr%#rb2uO0OzPTX?w-cQ~vP#|GJlMFFcmz7zo6X(oXdx_T*+i!USf z_KMdhcuR3^yF_8O1xallfykQaQubl`u&)aDZxx#c38W!TyDsOTSeaDlA4fVTIk)IL zbtT%>fSYqrFACAZ@Vb0bw0L-(KYwQ95V&={DEW6JBk3L4fX;efZ&i^GfrmC70(?-G z8^KW8B0&zcDo>k@2Cd(!BCT7z^zZ%i+AlUm^f|7B>o`(u)vm*z?z*n*?+);Qt+dvF ztu#3{0!tF9{k1`rmy&IfvTo&cL@(jr3Pk)bjuM8H{p`&MyjR)}9N|S}y?z#mwOOff z#B;Y1X=9lNfdSmRa$cyS_pRId$d-cuLcyKr#OwNa`=O#p=i|@ypu@Ag7IIt< zPmg;fYOHF~=2Fw6tXkL&t&YD$XZ`w5=GUI8x9krDv+Vn99nL@D#}&`i#So>Z$&g

lrh%V!zqJ7Qo%Bd48LIU~E-7H&|Lydqj^Q*HX^c55w;Llqy?+bJ;^fSC{}}Xlqh# z@bC0DlkX(FRu^ior*J!z_kE?Ie?a(*UJx#xAII(MDN}8?;3O%WjVTIum~?1i4kOz_ zSzq*D_y0t$Lul4wfQ+rAfv|>S{if=fo7g0~IVv&`Ab(y?QAcr*KX%%}f=u%WSH^7F zL3j2CMfG2QNGqnd6t^EaaX9RCe{NnSGv!R>eW4bA+v~FUu%VXL>d;dgcE?TL2D7;? z(U3(h^_3BvtJ&;odU<(e!o>6E&m-;|g?kLXndKW67taNT=AdHRwrY5uCXS+Eemy4W zS?+=WQ>yKLLts21H~yv4kg|57!>A42!n2Cb0={ne(7s|&C9RJa`X@w54lllx@WUip zq^I>I9U<>vbE2RO?_46DZ$fw4RzihGwXWa;@?P6_d{h0`8LpWn)^VeX0cm4_c$SR6YKR7pPpU4@0x!{V!dw#aCdB>~TSEfAjm zC{J0}=%sqI)d=st=fGwmR{+YC`Lius3gDcyGcpiMUC2lWY>-s1$A7w$ib>oI6h#|{ zmAQ@BkTL!soxY6&9XnPQg4e3n9QyJjP@lSDF3~OL(sC=P4Q=JtW+r8Q=&W?02>XRI z$5O#|^)0@@8vu1gDHbZArv!ADMc6r5pjvGT3%d8ieF6dk(|<#k(Bc+E4#RKw7ICS- zZX@Lm{%h<7v}$9H-dlxRuAjAS4W4pdbGh^$x!NZec(?RMNU?>Xg=VzT<;?=77p;O z%4O71$^cS8O3ImQdgbMB%albGqB8Xgf<{+yR|EugXB6hs0=L`H$U*MO3O_>e$sGfE z0f;VIBeF`lTk)|N`f~lO2TKfsPy<1%=t}RhQS!c%^m5{v0OOYKovFT_gL8b#c_x3j z&|XXV2C0hQghUR?j9%cki{suD7Sk&xGfm1!`oa=3!7+>;vdZw2J=hZ@v)5~)f z$A{#c1WnR-ASO%R8!L=|$=;;+>Fwh#W{3cAPZ`eiM}7`L1xF?{aikq$>4 zo|E&<+_N)%30}_~2cs}+)RcJT2Aq>by8*fZ>-A!doeZ3qx6eR!Qd743hw6CUqgdFG zD&PaIai0@Er%h>&zTzCJe6y+_+}*-o^m+_z`%MIBs5C>S{bWGKf0eTrvFTL|wc44j zJ3QnUVrH3Yw=m#r_(MhOLU9eb+u6v$XrI}UVMN@aD{?#8#>JO01$V~9u$$xJx#v@+ zdHMFqVSUy&a~tkK&4^TEHMI8yFbeyLxPV|zzN0nXJxv=WaMc6#7q80 zEd7UpE^_pp+A9~Y2~j52(pOuLSqw3rQ1)+YBLzG91S~v!$ZJnW z&O$Ws9m-E6P1pB{%cvuy&!&fW(!t>$yi#MqT*FV>+0SxPQ8(2Nc%MX!SU$*jcA8yOYnEJTgysXRF$dJ;$?{!-nKl)x5WDS-*VwO~ z#F%KK0u19A&x)jcK3DR7UbXcZtPZcHz;W&oZRF z!s@{L136yDBNlz=tg#cN^S8NWR7s_f4U)o*L%`s?@9{`$Y|8EsHu@Q-%s33^5>VjZ z|1vm`K@U%VcRk5~tJdd(dm0$I7~mz})Cl33#%r@QPs0yK~Vk)?&?4XjRi z;lm3Fkq3HL)#W7~u9+>a9UsQ;;>ng)R~gzQV0zhpHzr{i)?20e3GTb@WfN!5XFb53 zh*6&$RV?dUsb8_a&3YIC>%XkuXCipcT*OfWJzXkVXqPFbL(}h7j^bYvRH;SA%Lj2+ zim(KD51=ABr_Am&f3KoFjD0XuA7b*rh>I9*-?pQ}klawp4mpu}A;+YR=TXw5a1z_R zw1S#5px0mc7^)Z_F0pVzh>+!2+Bu$>3O>@{$Ts9sU$Yn=AEPmXsStdn3Wk0mo*S6$~ zP{!(hVC+WE&yIl@a~J6OUFYkn%p9SFQZ&~evEPl_TN3)6LG<12rztx3r{Fhe+0Y4D 
zxXRu@m|64&ZwyZtr3(pFj*3T=m&i3mA8ctzUnNFg!xPp3QRm6DU&Qp$;|hJJEMx3$ zak__x8oG}LrtY&jHCbBPQp|Yhkq$h?iqem#VSYPd>h7eg;Z={+ zOSvJ`n%*Ef=E;T{oSIeZXk zn)ijwQg^Xj*oF=Ylf_7q*7CfT;>3EvQb)YC>b+%Gm5@lhE`?g2prgsLFIW&sL{lSF4VCk8 z53p!%lI*^H`;jyz8`zH+pO*f@d-3)($Eh3{4GX-}2v8ioDG4?|JOZz>tmrtjC z^MB=(W3ScwZ@R(rXF8Bt7Rv%S=!~wqfkkRU#+z$@9lEjFNUfWb!Q|6Ri*}N$Pv4YDvUVS*TJN zaF7f-(9g!DMHTZxIvIY0$38xhVzg_whllpORlCAS;qpUgL@R6ukmKJcMW6@;(_iQ} zlG~Xj#@cGubB>P4^bfy?^Ipw*`^1=gOm%tSq!rMRC8NB1t6;aS8y+-oOe^5>LR~b6 zo_S_K^#^?D$LGgtjGR86^-j$^P$@Zj~PRm*{S!Si$1InmrnQ8^J5+x&;* z+6tFG*4OwpmL`YkaAo^=wfR}!;laj_U(g@${G7wOXOZc<6y({Gg%YdQg-+ENt7XM* z_SfT8gVvM<*JZmC%+@Bz0+#gIdzG1b;EB-bNu8pO`+o~^fCd@J1pIYYl!?^e@`i%{ z4ww1g(L9XmBao{wI7R*i7^0<7yFbmgDd`IBJYR*6q@ZDbC$?Vbnrv%87(wb}oAw$j z&YC{VpR|nR2R+!CUll0-vh~`RjG?*Q^oL=QC8j;RWrwTwd)7&c4Wp_FTK0!~nW}=_ zXB)YvatBbv7!ZJ@XXcq1r2o`BexMH|+kDgULg!)ja!r)N*s8dDtsBz=xT+a>SID7U z$n`nJ(NZj?-rihBAN>pUP&oNC;_$qC=2k|LX!gOJmXlz(WkD%Co|-X`7TFgNVyZ78 zCW&m1j$k&+7L_}8L+S`S=9ZFeT>Eg*vA<2T4pzDB3d`>j^r8FUO&M<%ywH5}(g_WmXzgAu@32ZecS73Pq?^S|2zQj4m9L0R^XMN_nltiL0A;I)==`2%UIAa&H zSWipRI8CE-xTQ6?v{Mgk8Bs>gV^#10UU>4%3OFu1ezr)tEmdx+0m1MbQyWEpEmnX4 zG4q@aGDbwZv_M4R_)+t?Uit{(qhP`|TWHW@8OEUtXOkN;l7xV{R5`=pKQ%r~-|OIk z{7WUSMB(AZ?@(@JUngN^)&^zAq)ReNu|F0$YH*Kf1U559%AIlxav!4@cbZi1>lt6D zPp*2#^`7e6ZX9!q6;M}6UOH9LY?%9IvZZL+dSi~g9SHTSi)EuigJj#C{Lkl>Waic8 z6be+>=Fx7=3w`){^b`AswP=XQlB|xwW)hZ27RWIdw%;`DQ>JzaHd79- z5vSaqqms|gvM;lVPB)yhD3#XDnDLh8YDJM6!pdrHz=IgZ4On>r`(&D=fo5VNM%bH& zuwCtzM}?cilcFuY^}2YVr~1;OM`R_mg&&bwk|}Yc^(l5Bli6Ry!dYyB0`?AfQ?i*l z$|g%)&6~1O_}JGo^Z`6q)FJ*6>OdFAgrx;>`usc_MjS z%u9JnLh>j9;)f-=${J0RQD5flt5v>9aY<`L{)jTDSj4v*%wFOWjdMcF z`T|zrbCn)O2N&L}z@ZBkMSVla)u~m;UWMmP|180ZXcwpg%Ul$3pHsyXuXZ>I{$hf2 zj71kr6>Z4LhW;XLHhg(S{dGsRfulNT4&UVl< zJ*-31{+c)I#QC?WJzhirA&~6y2UYhm8S|MQsZmdR&hd~TL!hXoI!#ej!aK zqafFJ$ltrz#@g7u#yo-ceH#Nl7C3Y~oc_RhB7jnM=gI&}#0K_@ow5J{Do*ue)|qqV z%3jGnhoVr9mOC?pLnH(x9>_2eEff&97>alc#q{C8vcyEge4}Rtx<+5B&I0`GE7!Y7 
zDGUW$`wlfw@``X#b@gN1_W;_I`+#$@)xX{S5A=DjpOvpj3l6}3XEsy>~MCVBjEy5jkEo z#_tfD-z(*$vCH`BDSuJ86vI-?JMPy^+-2>-GG5Yw6|0CK&~q_rI6Fn-x)e`oaZ>%; zFW*n~UtNJ77BPJ;2Hd<*tl*WizL9ZWapUG5OKcj>%5M6Br18#DvXOfq8mA^vTZ%&o zrd(hm;?^s9r=|+{C9R8ATtt3wfrodtTU6ZjQ5ZONUJ%r5opWdW_lR9@MTjoemnJ{q zPwQCJ_P!y4j*hbnHD(Uf8x^wws~LF`%It)AMd*4T1O0`3=pGU50s&(=?uXG_h6saT8$rIpeJ`1$7Z30=rwJopw9~y{)up+*cInF|?rQ?ZZw;ugPL1 z$6mz{?lN5f_9IJb@cs7a`Qp$R6Y|(tW?p4Mx>?@ItV_nNRF)^YcfbkqP#0KlSBQQj zB>u|M^WZH}m9h6N$6Y{thTONv`2ooKp|=3xNU=5QapUNA6P$;@^^0k(8iNG9!4Njj zOY-s2^Ao%wzo~oOJ_Ba1J1XpwTTKUiEDPFoqB7ZaE}PD-CmxV!@HOqfLIKH&YJ3#u z>dR}R@PeC-+B>|--L06*T_XBIznP)8v07=^>*?kNPFK#S>lw?TUj@tzK zJ;&auO+-NJrL?P#X2&JFJaQd)2I)pm=WD40_!$ddF=kc*=7eA(F(MgLKfFPVze&d4 zBuJk=E|~0-(tR^lhLz!kiCuGP|60Qdk+m+k+at$6)E=>aS|K< zbrSQF0!IN<9hG4nmL>M&pG_3byOYkPxQ0Y*Jx2tDoKw*r+|TsWd!GyzC(!3ixo_8> zQYf%MitIEKHUfiSg=?I1G8+o^{*;BP24Y6r+NHPhNQQ5EZF@t99m9FT&$K5ZfqDCq z$EDCUIWYP96sId@ar^l7{$GgM@xXS={}tEH%=tzyS~QHb5I7u1lvkC$dCdlHtnyyc z2!DViVAoT&&G=>0w>(xyEmE3SLvEsw-+{^L|Eu3PLgmbK! z+mJ}#8T!ZrMT9Luz`9Nl6Qng_t#phqWf#g5nEah6D4e;1idpW<-_R(kT8nJGoBNP! 
diff --git a/docs/_static/images/IPSec_close_action_settings.png b/docs/_static/images/IPSec_close_action_settings.png new file mode 100644 index 0000000000000000000000000000000000000000..531643f7f7a628cf2e5ef4888e748ba970ac7c16 GIT binary patch literal 22371
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index b60b33f2..fa08f115 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -40,7 +40,7 @@ Configuration * Please refer to the :ref:`tunnel-interface` documentation for the individual tunnel related options. -* Please refer to the :ref:`ipsec` documentation for the individual IPSec +* Please refer to the :ref:`ipsec_general` documentation for individual IPSec related options. .. cfgcmd:: set protocols nhrp tunnel cisco-authentication diff --git a/docs/configuration/vpn/index.rst b/docs/configuration/vpn/index.rst index 3cd9e50d..12bcc6f0 100644 --- a/docs/configuration/vpn/index.rst +++ b/docs/configuration/vpn/index.rst @@ -7,7 +7,7 @@ VPN :maxdepth: 1 :includehidden: - ipsec + ipsec/index l2tp openconnect pptp @@ -22,4 +22,4 @@ pages to sort :includehidden: dmvpn - site2site_ipsec + diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst deleted file mode 100644 index 5e44312d..00000000 --- a/docs/configuration/vpn/ipsec.rst +++ /dev/null
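Review bot: in the dmvpn.rst hunk the cross-reference is repointed from :ref:`ipsec` to :ref:`ipsec_general`, but this same patch deletes the only definition of that label (the `-.. _ipsec:` line at the top of the removed ipsec.rst), so every other page that still uses :ref:`ipsec` will produce an undefined-label warning and a broken link at build time; grep the docs tree for remaining :ref:`ipsec` uses and either update them in this patch or keep an `.. _ipsec:` alias at the top of the new ipsec_general.rst. Minor: the bullet still spells it "IPSec" while the deleted file's heading uses "IPsec"; normalise to one spelling while the line is being touched.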
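Review bot: in the second index.rst hunk (@@ -22,4 +22,4 @@ pages to sort) the removed `site2site_ipsec` toctree entry is replaced by an empty `+` line instead of being deleted, which leaves a stray trailing blank line in the toctree; drop the line outright. The first hunk's `ipsec` to `ipsec/index` change is fine as long as docs/configuration/vpn/ipsec/index.rst is added in the same patch, otherwise the toctree will reference a missing document.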
@@ -1,657 +0,0 @@ -.. _ipsec: - -##### -IPsec -##### - -:abbr:`GRE (Generic Routing Encapsulation)`, GRE/IPsec (or IPIP/IPsec, -SIT/IPsec, or any other stateless tunnel protocol over IPsec) is the usual way -to protect the traffic inside a tunnel. - -An advantage of this scheme is that you get a real interface with its own -address, which makes it easier to setup static routes or use dynamic routing -protocols without having to modify IPsec policies. The other advantage is that -it greatly simplifies router to router communication, which can be tricky with -plain IPsec because the external outgoing address of the router usually doesn't -match the IPsec policy of a typical site-to-site setup and you would need to -add special configuration for it, or adjust the source address of the outgoing -traffic of your applications. GRE/IPsec has no such problem and is completely -transparent for applications. - -GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme -easy to implement between VyOS and virtually any other router. - -For simplicity we'll assume that the protocol is GRE, it's not hard to guess -what needs to be changed to make it work with a different protocol. We assume -that IPsec will use pre-shared secret authentication and will use AES128/SHA1 -for the cipher and hash. Adjust this as necessary. - -.. NOTE:: VMware users should ensure that a VMXNET3 adapter is used. E1000 - adapters have known issues with GRE processing. - -************************************** -IKE (Internet Key Exchange) Attributes -************************************** - -IKE performs mutual authentication between two parties and establishes -an IKE security association (SA) that includes shared secret information -that can be used to efficiently establish SAs for Encapsulating Security -Payload (ESP) or Authentication Header (AH) and a set of cryptographic -algorithms to be used by the SAs to protect the traffic that they carry. 
-https://datatracker.ietf.org/doc/html/rfc5996 - -In VyOS, IKE attributes are specified through IKE groups. -Multiple proposals can be specified in a single group. - -VyOS IKE group has the next options: - -* ``close-action`` defines the action to take if the remote peer unexpectedly - closes a CHILD_SA: - - * ``none`` set action to none (default); - - * ``trap`` installs a trap policy for the CHILD_SA; - - * ``start`` tries to immediately re-create the CHILD_SA; - -* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol - (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty - INFORMATIONAL messages (IKEv2) are periodically sent in order to check the - liveliness of the IPsec peer: - - * ``action`` keep-alive failure action: - - * ``trap`` installs a trap policy, which will catch matching traffic - and tries to re-negotiate the tunnel on-demand; - - * ``clear`` closes the CHILD_SA and does not take further action (default); - - * ``restart`` immediately tries to re-negotiate the CHILD_SA - under a fresh IKE_SA; - - * ``interval`` keep-alive interval in seconds <2-86400> (default 30); - - * ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only - -* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate - the peer. In IKEv1, reauthentication is always done. - Setting this parameter enables remote host re-authentication during an IKE - rekey. - -* ``key-exchange`` which protocol should be used to initialize the connection - If not set both protocols are handled and connections will use IKEv2 when - initiating, but accept any protocol version when responding: - - * ``ikev1`` use IKEv1 for Key Exchange; - - * ``ikev2`` use IKEv2 for Key Exchange; - -* ``lifetime`` IKE lifetime in seconds <0-86400> (default 28800); - -* ``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 - and enabled by default. 
- -* ``mode`` IKEv1 Phase 1 Mode Selection: - - * ``main`` use Main mode for Key Exchanges in the IKEv1 Protocol - (Recommended Default); - - * ``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol - aggressive mode is much more insecure compared to Main mode; - -* ``proposal`` the list of proposals and their parameters: - - * ``dh-group`` dh-group; - - * ``encryption`` encryption algorithm; - - * ``hash`` hash algorithm. - - * ``prf`` pseudo-random function. - -*********************************************** -ESP (Encapsulating Security Payload) Attributes -*********************************************** - -ESP is used to provide confidentiality, data origin authentication, -connectionless integrity, an anti-replay service (a form of partial sequence -integrity), and limited traffic flow confidentiality. -https://datatracker.ietf.org/doc/html/rfc4303 - -In VyOS, ESP attributes are specified through ESP groups. -Multiple proposals can be specified in a single group. - -VyOS ESP group has the next options: - -* ``compression`` Enables the IPComp(IP Payload Compression) protocol which - allows compressing the content of IP packets. - -* ``life-bytes`` ESP life in bytes <1024-26843545600000>. - Number of bytes transmitted over an IPsec SA before it expires; - -* ``life-packets`` ESP life in packets <1000-26843545600000>. - Number of packets transmitted over an IPsec SA before it expires; - -* ``lifetime`` ESP lifetime in seconds <30-86400> (default 3600). 
- How long a particular instance of a connection (a set of - encryption/authentication keys for user packets) should last, - from successful negotiation to expiry; - -* ``mode`` the type of the connection: - - * ``tunnel`` tunnel mode (default); - - * ``transport`` transport mode; - -* ``pfs`` whether Perfect Forward Secrecy of keys is desired on the - connection's keying channel and defines a Diffie-Hellman group for PFS: - - * ``enable`` Inherit Diffie-Hellman group from IKE group (default); - - * ``disable`` Disable PFS; - - * ``< dh-group >`` defines a Diffie-Hellman group for PFS; - -* ``proposal`` ESP-group proposal with number <1-65535>: - - * ``encryption`` encryption algorithm (default 128 bit AES-CBC); - - * ``hash`` hash algorithm (default sha1). - - * ``disable-rekey`` Do not locally initiate a re-key of the SA, remote - peer must re-key before expiration. - -*********************************************** -Options (Global IPsec settings) Attributes -*********************************************** - -* ``options`` - - * ``disable-route-autoinstall`` Do not automatically install routes to remote - networks; - - * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco - FlexVPN vendor ID payload (IKEv2 only), which is required in order to make - Cisco brand devices allow negotiating a local traffic selector (from - strongSwan's point of view) that is not the assigned virtual IP address if - such an address is requested by strongSwan. Sending the Cisco FlexVPN - vendor ID prevents the peer from narrowing the initiator's local traffic - selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 - instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco - template but should also work for GRE encapsulation; - - * ``interface`` Interface Name to use. The name of the interface on which - virtual IP addresses should be installed. 
If not specified the addresses - will be installed on the outbound interface; - - * ``virtual-ip`` Allows the installation of virtual-ip addresses. A comma - separated list of virtual IPs to request in IKEv2 configuration payloads or - IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an - arbitrary address, specific addresses may be defined. The responder may - return a different address, or none at all. Define the ``virtual-address`` - option to configure the IP address in a site-to-site hierarchy. - -************************* -IPsec policy matching GRE -************************* - -The first and arguably cleaner option is to make your IPsec policy match GRE -packets between external addresses of your routers. This is the best option if -both routers have static external addresses. - -Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, -and the RIGHT router is 203.0.113.45 - -On the LEFT: - -.. code-block:: none - - # GRE tunnel - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 source-address 192.0.2.10 - set interfaces tunnel tun0 remote 203.0.113.45 - set interfaces tunnel tun0 address 10.10.10.1/30 - - ## IPsec - set vpn ipsec interface eth0 - - # Pre-shared-secret - set vpn ipsec authentication psk vyos id 192.0.2.10 - set vpn ipsec authentication psk vyos id 203.0.113.45 - set vpn ipsec authentication psk vyos secret MYSECRETKEY - - # IKE group - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2' - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128' - set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1' - - # ESP group - set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128' - set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1' - - # IPsec tunnel - set vpn ipsec site-to-site peer right authentication mode pre-shared-secret - set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45 - - set vpn ipsec site-to-site peer right 
ike-group MyIKEGroup - set vpn ipsec site-to-site peer right default-esp-group MyESPGroup - - set vpn ipsec site-to-site peer right local-address 192.0.2.10 - set vpn ipsec site-to-site peer right remote-address 203.0.113.45 - - # This will match all GRE traffic to the peer - set vpn ipsec site-to-site peer right tunnel 1 protocol gre - -On the RIGHT, setup by analogy and swap local and remote addresses. - - -Source tunnel from dummy interface -================================== - -The scheme above doesn't work when one of the routers has a dynamic external -address though. The classic workaround for this is to setup an address on a -loopback interface and use it as a source address for the GRE tunnel, then setup -an IPsec policy to match those loopback addresses. - -We assume that the LEFT router has static 192.0.2.10 address on eth0, and the -RIGHT router has a dynamic address on eth0. - -The peer names RIGHT and LEFT are used as informational text. - -**Setting up the GRE tunnel** - -On the LEFT: - -.. code-block:: none - - set interfaces dummy dum0 address 192.168.99.1/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.1/30 - set interfaces tunnel tun0 source-address 192.168.99.1 - set interfaces tunnel tun0 remote 192.168.99.2 - -On the RIGHT: - -.. code-block:: none - - set interfaces dummy dum0 address 192.168.99.2/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.2/30 - set interfaces tunnel tun0 source-address 192.168.99.2 - set interfaces tunnel tun0 remote 192.168.99.1 - -**Setting up IPSec** - -However, now you need to make IPsec work with dynamic address on one side. The -tricky part is that pre-shared secret authentication doesn't work with dynamic -address, so we'll have to use RSA keys. - -First, on both routers run the operational command "generate pki key-pair -install ". You may choose different length than 2048 of course. - -.. 
code-block:: none - - vyos@left# run generate pki key-pair install ipsec-LEFT - Enter private key type: [rsa, dsa, ec] (Default: rsa) - Enter private key bits: (Default: 2048) - Note: If you plan to use the generated key on this router, do not encrypt the private key. - Do you want to encrypt the private key with a passphrase? [y/N] N - Configure mode commands to install key pair: - Do you want to install the public key? [Y/n] Y - set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' - Do you want to install the private key? [Y/n] Y - set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...' - [edit] - -Configuration commands for the private and public key will be displayed on the -screen which needs to be set on the router first. -Note the command with the public key -(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). -Then do the same on the opposite router: - -.. code-block:: none - - vyos@left# run generate pki key-pair install ipsec-RIGHT - -Note the command with the public key -(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'). - -Now the noted public keys should be entered on the opposite routers. - -On the LEFT: - -.. code-block:: none - - set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...' - -On the RIGHT: - -.. code-block:: none - - set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' - -Now you are ready to setup IPsec. You'll need to use an ID instead of address -for the peer. - -On the LEFT (static address): - -.. 
code-block:: none - - set vpn ipsec interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer RIGHT authentication local-id LEFT - set vpn ipsec site-to-site peer RIGHT authentication mode rsa - set vpn ipsec site-to-site peer RIGHT authentication rsa local-key ipsec-LEFT - set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key ipsec-RIGHT - set vpn ipsec site-to-site peer RIGHT authentication remote-id RIGHT - set vpn ipsec site-to-site peer RIGHT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer RIGHT ike-group MyIKEGroup - set vpn ipsec site-to-site peer RIGHT local-address 192.0.2.10 - set vpn ipsec site-to-site peer RIGHT connection-type respond - set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote - -On the RIGHT (dynamic address): - -.. 
code-block:: none - - set vpn ipsec interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer LEFT authentication local-id RIGHT - set vpn ipsec site-to-site peer LEFT authentication mode rsa - set vpn ipsec site-to-site peer LEFT authentication rsa local-key ipsec-RIGHT - set vpn ipsec site-to-site peer LEFT authentication rsa remote-key ipsec-LEFT - set vpn ipsec site-to-site peer LEFT authentication remote-id LEFT - set vpn ipsec site-to-site peer LEFT connection-type initiate - set vpn ipsec site-to-site peer LEFT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer LEFT ike-group MyIKEGroup - set vpn ipsec site-to-site peer LEFT local-address any - set vpn ipsec site-to-site peer LEFT remote-address 192.0.2.10 - set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote - - -******************************************* -IKEv2 IPSec road-warriors remote-access VPN -******************************************* - -Internet Key Exchange version 2, IKEv2 for short, is a request/response -protocol developed by both Cisco and Microsoft. It is used to establish and -secure IPv4/IPv6 connections, be it a site-to-site VPN or from a -road-warrior connecting to a hub site. IKEv2, when run in point-to-multipoint, -or remote-access/road-warrior mode, secures the server-side with another layer -by using an x509 signed server certificate. 
- -Key exchange and payload encryption is still done using IKE and ESP proposals -as known from IKEv1 but the connections are faster to establish, more reliable, -and also support roaming from IP to IP (called MOBIKE which makes sure your -connection does not drop when changing networks from e.g. WIFI to LTE and back). - -This feature closely works together with :ref:`pki` subsystem as you required -a x509 certificate. - -Example -======= - -This example uses CACert as certificate authority. - -.. code-block:: - - set pki ca CAcert_Class_3_Root certificate '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' - set pki ca CAcert_Signing_Authority certificate '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' - -After you obtain your server certificate you can import it from a file on the -local filesystem, or paste it into the CLI. Please note that when entering the -certificate manually you need to strip the ``-----BEGIN KEY-----`` and -``-----END KEY-----`` tags. Also, the certificate or key needs to be presented -in a single line without line breaks (``\n``). - -To import it from the filesystem use: - -.. code-block:: - - import pki certificate file /path/to/cert.pem - -In our example the certificate name is called vyos: - -.. code-block:: - - set pki certificate vyos certificate 'MIIE45s...' - set pki certificate vyos private key 'MIIEvgI...' - -After the PKI certs are all set up we can start configuring our IPSec/IKE -proposals used for key-exchange end data encryption. The used encryption -ciphers and integrity algorithms vary from operating system to operating -system. The ones used in this post are validated to work on both Windows 10 -and iOS/iPadOS 14 to 17. - -.. 
code-block:: - - set vpn ipsec esp-group ESP-RW compression 'disable' - set vpn ipsec esp-group ESP-RW lifetime '3600' - set vpn ipsec esp-group ESP-RW pfs 'disable' - set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128' - set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256' - - set vpn ipsec ike-group IKE-RW key-exchange 'ikev2' - set vpn ipsec ike-group IKE-RW lifetime '7200' - set vpn ipsec ike-group IKE-RW mobike 'enable' - set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14' - set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128' - set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256' - -Every connection/remote-access pool we configure also needs a pool where -we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. -Authorized clients will receive an IPv4 address from the 192.0.2.128/25 prefix -and an IPv6 address from the 2001:db8:2000::/64 prefix. We can also send some -DNS nameservers down for our clients to use with their connection. - -.. code-block:: - - set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1' - set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25' - set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1' - set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64' - -VyOS supports multiple IKEv2 remote-access connections. Every connection can -have its own dedicated IKE/ESP ciphers, certificates or local listen address -for e.g. inbound load balancing. - -We configure a new connection named ``rw`` for road-warrior, that identifies -itself as ``192.0.2.1`` to the clients and uses the ``vyos`` certificate -signed by the `CAcert_Class3_Root`` intermediate CA. We select our previously -specified IKE/ESP groups and also link the IP address pool to draw addresses -from. - -.. 
code-block:: - - set vpn ipsec remote-access connection rw authentication id '192.0.2.1' - set vpn ipsec remote-access connection rw authentication server-mode 'x509' - set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root' - set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos' - set vpn ipsec remote-access connection rw esp-group 'ESP-RW' - set vpn ipsec remote-access connection rw ike-group 'IKE-RW' - set vpn ipsec remote-access connection rw local-address '192.0.2.1' - set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' - set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6' - -VyOS also supports (currently) two different modes of authentication, local and -RADIUS. To create a new local user named ``vyos`` with password ``vyos`` use the -following commands. - -.. code-block:: - - set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2' - set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos' - -If you feel better forwarding all authentication requests to your enterprises -RADIUS server, use the commands below. - -.. code-block:: - - set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius' - set vpn ipsec remote-access radius server 192.0.2.2 key 'secret' - -Client Configuration -==================== - -Configuring VyOS to act as your IPSec access concentrator is one thing, but -you probably need to setup your client connecting to the server so they can -talk to the IPSec gateway. - -Microsoft Windows (10+) ------------------------ - -Windows 10 does not allow a user to choose the integrity and encryption ciphers -using the GUI and it uses some older proposals by default. A user can only -change the proposals on the client side by configuring the IPSec connection -profile via PowerShell. 
- -We generate a connection profile used by Windows clients that will connect to -the "rw" connection on our VyOS server on the VPN servers IP address/fqdn -`vpn.vyos.net`. - -.. note:: Microsoft Windows expects the server name to be also used in the - server's certificate common name, so it's best to use this DNS name for - your VPN connection. - -.. code-block:: - - vyos@vyos:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net - - ==== ==== - Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2" - Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force - ==== ==== - -As both Microsoft Windows and Apple iOS/iPadOS only support a certain set of -encryption ciphers and integrity algorithms we will validate the configured -IKE/ESP proposals and only list the compatible ones to the user — if multiple -are defined. If there are no matching proposals found — we can not generate a -profile for you. - -When first connecting to the new VPN the user is prompted to enter proper -credentials. - -Apple iOS/iPadOS (14.2+) ------------------------- - -Like on Microsoft Windows, Apple iOS/iPadOS out of the box does not expose -all available VPN options via the device GUI. - -If you want, need, and should use more advanced encryption ciphers (default -is still 3DES) you need to provision your device using a so-called "Device -Profile". A profile is a simple text file containing XML nodes with a -``.mobileconfig`` file extension that can be sent and opened on any device -from an E-Mail. 
- -Profile generation happens from the operational level and is as simple as -issuing the following command to create a profile to connect to the IKEv2 -access server at ``vpn.vyos.net`` with the configuration for the ``rw`` -remote-access connection group. - -.. note:: Apple iOS/iPadOS expects the server name to be also used in the - server's certificate common name, so it's best to use this DNS name for - your VPN connection. - -.. code-block:: - - vyos@vyos:~$ generate ipsec profile ios-remote-access rw remote vpn.vyos.net - - ==== ==== - - - ... - - ==== ==== - -In the end, an XML structure is generated which can be saved as -``vyos.mobileconfig`` and sent to the device by E-Mail where it later can -be imported. - -During profile import, the user is asked to enter its IPSec credentials -(username and password) which is stored on the mobile. - -Operation Mode -============== - -.. opcmd:: show vpn ike sa - - Show all currently active IKE Security Associations. - -.. opcmd:: show vpn ike sa nat-traversal - - Show all currently active IKE Security Associations (SA) that are using - NAT Traversal. - -.. opcmd:: show vpn ike sa peer - - Show all currently active IKE Security Associations (SA) for a specific - peer. - -.. opcmd:: show vpn ike secrets - - Show all the configured pre-shared secret keys. - -.. opcmd:: show vpn ike status - - Show the detailed status information of IKE charon process. - -.. opcmd:: show vpn ipsec connections - - Show details of all available VPN connections - -.. opcmd:: show vpn ipsec policy - - Print out the list of existing crypto policies - -.. opcmd:: show vpn ipsec sa - - Show all active IPsec Security Associations (SA) - -.. opcmd:: show vpn ipsec sa detail - - Show a detailed information of all active IPsec Security Associations (SA) - in verbose format. - -.. opcmd:: show vpn ipsec state - - Print out the list of existing in-kernel crypto state - -.. 
opcmd:: show vpn ipsec status - - Show the status of running IPsec process and process ID. - -.. opcmd:: restart ipsec - - Restart the IPsec VPN process and re-establishes the connection. - -.. opcmd:: reset vpn ipsec site-to-site all - - Reset all site-to-site IPSec VPN sessions. It terminates all active - child_sa and reinitiates the connection. - -.. opcmd:: reset vpn ipsec site-to-site peer - - Reset all tunnels for a given peer, can specify tunnel or vti interface. - It terminates a specific child_sa and reinitiates the connection. - -.. opcmd:: show log ipsec - - Show logs for IPsec diff --git a/docs/configuration/vpn/ipsec/index.rst b/docs/configuration/vpn/ipsec/index.rst new file mode 100644 index 00000000..b19ffcfe --- /dev/null +++ b/docs/configuration/vpn/ipsec/index.rst @@ -0,0 +1,20 @@ +##### +IPsec +##### + + +.. toctree:: + :maxdepth: 1 + :includehidden: + + ipsec_general + site2site_ipsec + troubleshooting_ipsec + +pages to sort + +.. toctree:: + :maxdepth: 1 + :includehidden: + + diff --git a/docs/configuration/vpn/ipsec/ipsec_general.rst b/docs/configuration/vpn/ipsec/ipsec_general.rst new file mode 100644 index 00000000..bf0d7668 --- /dev/null +++ b/docs/configuration/vpn/ipsec/ipsec_general.rst 
@@ -0,0 +1,308 @@ +.. _ipsec_general: + +######################### +IPsec General Information +######################### + +*********************** +Information about IPsec +*********************** + +IPsec is the framework used to secure data. +IPsec accomplishes these goals by providing authentication, +encryption of IP network packets, key exchange, and key management. +VyOS uses strongSwan for its IPsec implementation. + +**Authentication Header (AH)** is defined in :rfc:`4302`. It creates +a hash using the IP header and data payload, and prepends it to the +packet. This hash is used to validate that the data has not been +changed during transfer over the network. + +**Encapsulating Security Payload (ESP)** is defined in :rfc:`4303`. +It provides encryption and authentication of the data. + + +There are two IPsec modes: + **IPsec Transport Mode**: + In transport mode, an IPSec header (AH or ESP) is inserted + between the IP header and the upper layer protocol header. + + **IPsec Tunnel Mode:** + In tunnel mode, the original IP packet is encapsulated in + another IP datagram, and an IPsec header (AH or ESP) is + inserted between the outer and inner headers. + +.. figure:: /_static/images/ESP_AH.png + :scale: 80 % + :alt: AH and ESP in Transport Mode and Tunnel Mode + +*************************** +IKE (Internet Key Exchange) +*************************** +The default IPsec method for secure key negotiation is the Internet Key +Exchange (IKE) protocol. IKE is designed to provide mutual authentication +of systems, as well as to establish a shared secret key to create IPsec +security associations. A security association (SA) includes all relevant +attributes of the connection, including the cryptographic algorithm used, +the IPsec mode, the encryption key, and other parameters related to the +transmission of data over the VPN connection. + +IKEv1 +===== + +IKEv1 is the older version and is still used today. 
Nowadays, most +manufacturers recommend using IKEv2 protocol. + +IKEv1 is described in the next RFCs: :rfc:`2409` (IKE), :rfc:`3407` +(IPsec DOI), :rfc:`3947` (NAT-T), :rfc:`3948` (UDP Encapsulation +of ESP Packets), :rfc:`3706` (DPD) + +IKEv1 operates in two phases to establish these IKE and IPsec SAs: + * **Phase 1** provides mutual authentication of the IKE peers and + establishment of the session key. This phase creates an IKE SA (a + security association for IKE) using a DH exchange, cookies, and an + ID exchange. Once an IKE SA is established, all IKE communication + between the initiator and responder is protected with encryption + and an integrity check that is authenticated. The purpose of IKE + phase 1 is to facilitate a secure channel between the peers so that + phase 2 negotiations can occur securely. IKE phase 1 offers two modes: + Main and Aggressive. + + * **Main Mode** is used for site-to-site VPN connections. + + * **Aggressive Mode** is used for remote access VPN connections. + + * **Phase 2** provides for the negotiation and establishment of the + IPsec SAs using ESP or AH to protect IP data traffic. + +IKEv2 +===== + +IKEv2 is described in :rfc:`7296`. The biggest difference between IKEv1 and +IKEv2 is that IKEv2 is much simpler and more reliable than IKEv1 because +fewer messages are exchanged during the establishment of the VPN and +additional security capabilities are available. + + +IKE Authentication +================== + +VyOS supports 3 authentication methods. + * **Pre-shared keys**: In this method, both peers of the IPsec + tunnel must have the same preshared keys. + * **Digital certificates**: PKI is used in this method. + * **RSA-keys**: If the RSA-keys method is used in your IKE policy, + you need to make sure each peer has the other peer’s public keys. + +************************* +DPD (Dead Peer Detection) +************************* + +This is a mechanism used to detect when a VPN peer is no longer active. 
+This mechanism has different algorithms in IKEv1 and IKEv2 in VyOS. +DPD Requests are sent as ISAKMP R-U-THERE messages and DPD Responses +are sent as ISAKMP R-U-THERE-ACK messages. In IKEv1, DPD sends messages +every configured interval. The remote peer is considered unreachable +if no response to these packets is received within the DPD timeout. +In IKEv2, DPD sends messages every configured interval. If one request +does not receive a response, strongSwan executes its retransmission algorithm with +its timers. https://docs.strongswan.org/docs/5.9/config/retransmission.html + +***************** +Configuration IKE +***************** + +IKE (Internet Key Exchange) Attributes +====================================== + +VyOS IKE group has the next options: + +.. cfgcmd:: set vpn ipsec ike-group close-action + + Defines the action to take if the remote peer unexpectedly + closes a CHILD_SA: + + * **none** - Set action to none (default), + * **trap** - Installs a trap policy (IPsec policy without Security + Association) for the CHILD_SA and traffic matching these policies + will trigger acquire events that cause the daemon to establish the + required IKE/IPsec SAs. + * **start** - Tries to immediately re-create the CHILD_SA. + +.. cfgcmd:: set vpn ipsec ike-group ikev2-reauth + + Whether rekeying of an IKE_SA should also reauthenticate + the peer. In IKEv1, reauthentication is always done. + Setting this parameter enables remote host re-authentication + during an IKE rekey. + +.. cfgcmd:: set vpn ipsec ike-group key-exchange + + Which protocol should be used to initialize the connection + If not set both protocols are handled and connections will + use IKEv2 when initiating, but accept any protocol version + when responding: + + * **ikev1** - Use IKEv1 for Key Exchange. + * **ikev2** - Use IKEv2 for Key Exchange. + +.. cfgcmd:: set vpn ipsec ike-group lifetime + + IKE lifetime in seconds <0-86400> (default 28800). + +.. 
cfgcmd:: set vpn ipsec ike-group mode + + IKEv1 Phase 1 Mode Selection: + + * **main** - Use Main mode for Key Exchanges in the IKEv1 Protocol + (Recommended Default). + * **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1 + protocol aggressive mode is much more insecure compared to Main mode. + +.. cfgcmd:: set vpn ipsec ike-group proposal dh-group + + Diffie-Hellman algorithm group. Default value is **2**. + +.. cfgcmd:: set vpn ipsec ike-group proposal encryption + + Encryption algorithm. Default value is **aes128**. + +.. cfgcmd:: set vpn ipsec ike-group proposal hash + + Hash algorithm. Default value is **sha1**. + +.. cfgcmd:: set vpn ipsec ike-group proposal prf + + Pseudo-random function. + + +DPD (Dead Peer Detection) Configuration +======================================= + +.. cfgcmd:: set vpn ipsec ike-group dead-peer-detection action + + Action to perform for this CHILD_SA on DPD timeout. + + * **trap** - Installs a trap policy (IPsec policy without Security + Association), which will catch matching traffic and tries to + re-negotiate the tunnel on-demand. + * **clear** - Closes the CHILD_SA and does not take further action + (default). + * **restart** - Immediately tries to re-negotiate the CHILD_SA + under a fresh IKE_SA. + +.. cfgcmd:: set vpn ipsec ike-group dead-peer-detection interval + + Keep-alive interval in seconds <2-86400> (default 30). + +.. cfgcmd:: set vpn ipsec ike-group dead-peer-detection timeout + + Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only** + +ESP (Encapsulating Security Payload) Attributes +=============================================== + +In VyOS, ESP attributes are specified through ESP groups. +Multiple proposals can be specified in a single group. + +VyOS ESP group has the next options: + +.. cfgcmd:: set vpn ipsec esp-group compression + + Enables the IPComp(IP Payload Compression) protocol which allows + compressing the content of IP packets. + +.. 
cfgcmd:: set vpn ipsec esp-group disable-rekey + + Do not locally initiate a re-key of the SA, remote peer must + re-key before expiration. + +.. cfgcmd:: set vpn ipsec esp-group life-bytes + + ESP life in bytes <1024-26843545600000>. Number of bytes + transmitted over an IPsec SA before it expires. + +.. cfgcmd:: set vpn ipsec esp-group life-packets + + ESP life in packets <1000-26843545600000>. + Number of packets transmitted over an IPsec SA before it expires. + +.. cfgcmd:: set vpn ipsec esp-group lifetime + + ESP lifetime in seconds <30-86400> (default 3600). + How long a particular instance of a connection (a set of + encryption/authentication keys for user packets) should last, + from successful negotiation to expiry. + +.. cfgcmd:: set vpn ipsec esp-group mode + + The type of the connection: + + * **tunnel** - Tunnel mode (default). + * **transport** - Transport mode. + +.. cfgcmd:: set vpn ipsec esp-group pfs < dh-group> + + Whether Perfect Forward Secrecy of keys is desired on the + connection's keying channel and defines a Diffie-Hellman group for + PFS: + + * **enable** - Inherit Diffie-Hellman group from IKE group (default). + * **disable** - Disable PFS. + * **** - Defines a Diffie-Hellman group for PFS. + +.. cfgcmd:: set vpn ipsec esp-group proposal encryption + + Encryption algorithm. Default value is **aes128**. + +.. cfgcmd:: set vpn ipsec esp-group proposal hash + + Hash algorithm. Default value is **sha1**. + +Global IPsec Settings +===================== + +.. cfgcmd:: set vpn ipsec interface + + Interface name to restrict outbound IPsec policies. There is a possibility + to specify multiple interfaces. If an interfaces are not specified, IPsec + policies apply to all interfaces. + + +.. cfgcmd:: set vpn ipsec log level + + Level of logging. Default value is **0**. + +.. cfgcmd:: set vpn ipsec log subsystem + + Subsystem of the daemon. + +Options +======= + +.. 
cfgcmd:: set vpn ipsec options disable-route-autoinstall + + Do not automatically install routes to remote + networks. + +.. cfgcmd:: set vpn ipsec options flexvpn + + Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco + FlexVPN vendor ID payload (IKEv2 only), which is required in order to make + Cisco brand devices allow negotiating a local traffic selector (from + strongSwan's point of view) that is not the assigned virtual IP address if + such an address is requested by strongSwan. Sending the Cisco FlexVPN + vendor ID prevents the peer from narrowing the initiator's local traffic + selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 + instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco + template but should also work for GRE encapsulation. + +.. cfgcmd:: set vpn ipsec options interface + + Interface Name to use. The name of the interface on which + virtual IP addresses should be installed. If not specified the addresses + will be installed on the outbound interface. + +.. cfgcmd:: set vpn ipsec options virtual-ip + + Allows the installation of virtual-ip addresses. diff --git a/docs/configuration/vpn/ipsec/site2site_ipsec.rst b/docs/configuration/vpn/ipsec/site2site_ipsec.rst new file mode 100644 index 00000000..80dfa423 --- /dev/null +++ b/docs/configuration/vpn/ipsec/site2site_ipsec.rst 
@@ -0,0 +1,729 @@ +.. _size2site_ipsec: + +###################### +IPsec Site-to-Site VPN +###################### + +**************************** +IPsec Site-to-Site VPN Types +**************************** + +VyOS supports two types of IPsec VPN: Policy-based IPsec VPN and Route-based +IPsec VPN. + +Policy-based VPN +================ + +Policy-based VPN is based on static configured policies. Each policy creates +individual IPSec SA. Traffic matches these SAs encrypted and directed to the +remote peer. + +Route-Based VPN +=============== + +Route-based VPN is based on secure traffic passing over Virtual Tunnel +Interfaces (VTIs). This type of IPsec VPNs allows using routing protocols. + +****************************** +Configuration Site-to-Site VPN +****************************** + +Requirements and Prerequisites for Site-to-Site VPN +=================================================== + +**Negotiated parameters that need to match** + +Phase 1 + * IKE version + * Authentication + * Encryption + * Hashing + * PRF + * Lifetime + + .. note:: Strongswan recommends to use the same lifetime value on both peers + +Phase 2 + * Encryption + * Hashing + * PFS + * Mode (tunnel or transport) + * Lifetime + + .. note:: Strongswan recommends to use the same lifetime value on both peers + + * Remote and Local networks in SA must be compatible on both peers + +Configuration Steps for Site-to-Site VPN +======================================== + +The next example shows the configuration one of the router participating in +IPsec VPN. + +Tunnel information: + * Phase 1: + * encryption: AES256 + * hash: SHA256 + * PRF: SHA256 + * DH: 14 + * lifetime: 28800 + * Phase 2: + * IPsec mode: tunnel + * encryption: AES256 + * hash: SHA256 + * PFS: inherited from DH Phase 1 + * lifetime: 3600 + * If Policy based VPN is used + * Remote network is 192.168.50.0/24. Local network is 192.168.10.0/24 + * If Route based VPN is used + * IP of the VTI interface is 10.0.0.1/30 + +.. 
note:: We do not recommend using policy-based vpn and route-based vpn configurations to the same peer. + +**1. Configure ike-group (IKE Phase 1)** + +.. code-block:: none + + set vpn ipsec ike-group IKE close-action 'start' + set vpn ipsec ike-group IKE key-exchange 'ikev1' + set vpn ipsec ike-group IKE lifetime '28800' + set vpn ipsec ike-group IKE proposal 10 dh-group '14' + set vpn ipsec ike-group IKE proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE proposal 10 hash 'sha256' + set vpn ipsec ike-group IKE proposal 10 prf 'prfsha256' + +**2. Configure ESP-group (IKE Phase 2)** + +.. code-block:: none + + set vpn ipsec esp-group ESP lifetime '3600' + set vpn ipsec esp-group ESP mode 'tunnel' + set vpn ipsec esp-group ESP pfs 'enable' + set vpn ipsec esp-group ESP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP proposal 10 hash 'sha256' + +**3. Specify interface facing to the protected destination.** + +.. code-block:: none + + set vpn ipsec interface eth0 + +**4. Configure PSK keys and authentication ids for this key if authentication type is PSK** + +.. code-block:: none + + set vpn ipsec authentication psk PSK-KEY id '192.168.0.2' + set vpn ipsec authentication psk PSK-KEY id '192.168.5.2' + set vpn ipsec authentication psk PSK-KEY secret 'vyos' + +To set base64 secret encode plaintext password to base64 and set secret-type + +.. code-block:: none + + echo -n "vyos" | base64 + dnlvcw== + +.. code-block:: none + + set vpn ipsec authentication psk PSK-KEY secret 'dnlvcw==' + set vpn ipsec authentication psk PSK-KEY secret-type base64 + + +**5. Configure peer and apply IKE-group and esp-group to peer.** + +.. 
code-block:: none + + set vpn ipsec site-to-site peer PEER1 authentication local-id '192.168.0.2' + set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer PEER1 authentication remote-id '192.168.5.2' + set vpn ipsec site-to-site peer PEER1 connection-type 'initiate' + set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP' + set vpn ipsec site-to-site peer PEER1 ike-group 'IKE' + set vpn ipsec site-to-site peer PEER1 local-address '192.168.0.2' + set vpn ipsec site-to-site peer PEER1 remote-address '192.168.5.2' + + Peer selects the key from step 4 according to local-id/remote-id pair. + +**6. Depends to vpn type (route-based vpn or policy-based vpn).** + + **6.1 For Policy-based VPN configure SAs using tunnel command specifying remote and local networks.** + + .. code-block:: none + + set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix '192.168.10.0/24' + set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix '192.168.50.0/24' + + **6.2 For Route-based VPN create VTI interface, set IP address to this interface and bind this interface to the vpn peer.** + + .. code-block:: none + + set interfaces vti vti1 address 10.0.0.1/30 + set vpn ipsec site-to-site peer PEER1 vti bind vti1 + set vpn ipsec options disable-route-autoinstall + + Create routing between local networks via VTI interface using dynamic or + static routing. + + .. code-block:: none + + set protocol static route 192.168.50.0/24 next-hop 10.0.0.2 + +Initiator and Responder Connection Types +======================================== + +In Site-to-Site IPsec VPN it is recommended that one peer should be an +initiator and the other - the responder. The initiator actively establishes +the VPN tunnel. The responder passively waits for the remote peer to +establish the VPN tunnel. Depends on selected role it is recommended +select proper values for close-action and DPD action. 
+ +The result of wrong value selection can be unstable work of the VPN. + * Duplicate CHILD SA creation. + * None of the VPN sides initiates the tunnel establishment. + +Below flow-chart could be a quick reference for the close-action +combination depending on how the peer is configured. + +.. figure:: /_static/images/IPSec_close_action_settings.png + +Similar combinations are applicable for the dead-peer-detection. + +Detailed Configuration Commands +=============================== + +PSK Key Authentication +---------------------- + +.. cfgcmd:: set vpn ipsec authentication psk dhcp-interface + + ID for authentication generated from DHCP address + dynamically. + +.. cfgcmd:: set vpn ipsec authentication psk id + + static ID's for authentication. In general local and remote + address ````, ```` or ``%any``. + +.. cfgcmd:: set vpn ipsec authentication psk secret + + A predefined shared secret used in configured mode + ``pre-shared-secret``. Base64-encoded secrets are allowed if + `secret-type base64` is configured. + +.. cfgcmd:: set vpn ipsec authentication psk secret-type + + Specifies the secret type: + + * **plaintext** - Plain text type (default value). + * **base64** - Base64 type. + +Peer Configuration +------------------ + +Peer Authentication Commands +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication mode + + Mode for authentication between VyOS and remote peer: + + * **pre-shared-secret** - Use predefined shared secret phrase. + * **rsa** - Use simple shared RSA key. + * **x509** - Use certificates infrastructure for authentication. + + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication local-id + + ID for the local VyOS router. If defined, during the authentication + it will be send to remote peer. + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication remote-id + + ID for remote peer, instead of using peer name or + address. 
Useful in case if the remote peer is behind NAT + or if ``mode x509`` is used. + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication rsa local-key + + Name of PKI key-pair with local private key. + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication rsa remote-key + + Name of PKI key-pair with remote public key. + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication rsa passphrase + + Local private key passphrase. + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication use-x509-id + + Use local ID from x509 certificate. Cannot be used when + ``id`` is defined. + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication x509 ca-certificate + + Name of CA certificate in PKI configuration. Using for authenticating + remote peer in x509 mode. + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication x509 certificate + + Name of certificate in PKI configuration, which will be used + for authenticating local router on remote peer. + +.. cfgcmd:: set vpn ipsec authentication x509 passphrase + + Private key passphrase, if needed. + +Global Peer Configuration Commands +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. cfgcmd:: set vpn ipsec site-to-site peer connection-type + + Operational mode defines how to handle this connection process. + + * **initiate** - does initial connection to remote peer immediately + after configuring and after boot. In this mode the connection will + not be restarted in case of disconnection, therefore should be used + only together with DPD or another session tracking methods. + * **respond** - does not try to initiate a connection to a remote + peer. In this mode, the IPsec session will be established only + after initiation from a remote peer. Could be useful when there + is no direct connectivity to the peer due to firewall or NAT in + the middle of the local and remote side. + * **none** - loads the connection only, which then can be manually + initiated or used as a responder configuration. + +.. 
cfgcmd:: set vpn ipsec site-to-site peer default-esp-group + + Name of ESP group to use by default for traffic encryption. + Might be overwritten by individual settings for tunnel or VTI + interface binding. + +.. cfgcmd:: set vpn ipsec site-to-site peer description + + Description for this peer. + +.. cfgcmd:: set vpn ipsec site-to-site peer dhcp-interface + + Specify the interface which IP address, received from DHCP for IPSec + connection with this peer, will be used as ``local-address``. + +.. cfgcmd:: set vpn ipsec site-to-site peer force-udp-encapsulation + + Force encapsulation of ESP into UDP datagrams. Useful in case if + between local and remote side is firewall or NAT, which not + allows passing plain ESP packets between them. + +.. cfgcmd:: set vpn ipsec site-to-site peer ike-group + + Name of IKE group to use for key exchanges. + +.. cfgcmd:: set vpn ipsec site-to-site peer local-address

+ + Local IP address for IPsec connection with this peer. + If defined ``any``, then an IP address which configured on interface with + default route will be used. + +.. cfgcmd:: set vpn ipsec site-to-site peer remote-address
+ + Remote IP address or hostname for IPsec connection. IPv4 or IPv6 + address is used when a peer has a public static IP address. Hostname + is a DNS name which could be used when a peer has a public IP + address and DNS name, but an IP address could be changed from time + to time. + +.. cfgcmd:: set vpn ipsec site-to-site peer replay-window + + IPsec replay window to configure for CHILD_SAs + (default: 32), a value of 0 disables IPsec replay protection. + +.. cfgcmd:: set vpn ipsec site-to-site peer virtual-address
+ + Defines a virtual IP address which is requested by the initiator and + one or several IPv4 and/or IPv6 addresses are assigned from multiple + pools by the responder. The wildcard addresses 0.0.0.0 and :: + request an arbitrary address, specific addresses may be defined. + +CHILD SAs Configuration Commands +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Policy-Based CHILD SAs Configuration Commands +""""""""""""""""""""""""""""""""""""""""""""" + +Every configured tunnel under peer configuration is a new CHILD SA. + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel disable + + Disable this tunnel. + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel esp-group + + Specify ESP group for this CHILD SA. + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel priority + + Priority for policy-based IPsec VPN tunnels (lowest value more + preferable). + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel protocol + + Define the protocol for match traffic, which should be encrypted and + send to this peer. + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel local prefix + + IP network at the local side. + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel local port + + Local port number. Have effect only when used together with + ``prefix``. + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel remote prefix + + IP network at the remote side. + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel remote port + + Remote port number. Have effect only when used together with + ``prefix``. + +Route-Based CHILD SAs Configuration Commands +""""""""""""""""""""""""""""""""""""""""""""" + +To configure route-based VPN it is enough to create vti interface and +bind it to the peer. Any traffic, which will be send to VTI interface +will be encrypted and send to this peer. 
Using VTI makes IPsec +configuration much flexible and easier in complex situation, and +allows to dynamically add/delete remote networks, reachable via a +peer, as in this mode router don't need to create additional SA/policy +for each remote network. + +.. warning:: When using site-to-site IPsec with VTI interfaces, + be sure to disable route autoinstall. + +.. code-block:: none + + set vpn ipsec options disable-route-autoinstall + +.. cfgcmd:: set vpn ipsec site-to-site peer vti bind + + VTI interface to bind to this peer. + +.. cfgcmd:: set vpn ipsec site-to-site peer vti esp-group + + ESP group for encrypt traffic, passed this VTI interface. + +Traffic-selectors parameters for traffic that should pass via vti +interface. + +.. cfgcmd:: set vpn ipsec site-to-site peer vti traffic-selector local prefix + + Local prefix for interesting traffic. + +.. cfgcmd:: set vpn ipsec site-to-site peer vti traffic-selector remote prefix + + Remote prefix for interesting traffic. + +IPsec Op-mode Commands +====================== + +.. opcmd:: show vpn ike sa + + Shows active IKE SAs information. + +.. opcmd:: show vpn ike secrets + + Shows configured authentication keys. + +.. opcmd:: show vpn ike status + + Shows Strongswan daemon status. + +.. opcmd:: show vpn ipsec connections + + Shows summary status of all configured IKE and IPsec SAs. + +.. opcmd:: show vpn ipsec sa [detail] + + Shows active IPsec SAs information. + +.. opcmd:: show vpn ipsec status + + Shows status of IPsec process. + +.. opcmd:: show vpn ipsec policy + + Shows the in-kernel crypto policies. + +.. opcmd:: show vpn ipsec state + + Shows the in-kernel crypto state. + +.. opcmd:: show log ipsec + + Shows IPsec logs. + +.. opcmd:: reset vpn ipsec site-to-site all + + Clear all ipsec connection and reinitiate them if VyOS is configured + as initiator. + +.. opcmd:: reset vpn ipsec site-to-site peer + + Clear all peer IKE SAs with IPsec SAs and reinitiate them if VyOS is + configured as initiator. + +.. 
opcmd:: reset vpn ipsec site-to-site peer tunnel + + Clear scpecific IPsec SA and reinitiate it if VyOS is configured as + initiator. + +.. opcmd:: reset vpn ipsec site-to-site peer vti + + Clear IPsec SA which is map to vti interface of this peer and + reinitiate it if VyOS is configured as initiator. + +.. opcmd:: restart ipsec + + Restart Strongswan daemon. + +********* +Examples: +********* + +Policy-Based VPN Example +======================== + +**PEER1:** + +* WAN interface on `eth0` +* `eth0` interface IP: `10.0.1.2/30` +* `dum0` interface IP: `192.168.0.1/24` (for testing purposes) +* Initiator + +**PEER2:** + +* WAN interface on `eth0` +* `eth0` interface IP: `10.0.2.2/30` +* `dum0` interface IP: `192.168.1.0/24` (for testing purposes) +* Responder + +.. code-block:: none + + # PEER1 + set interfaces dummy dum0 address '192.168.0.1/32' + set interfaces ethernet eth0 address '10.0.1.2/30' + set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 + set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' + set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' + set vpn ipsec authentication psk AUTH-PSK secret 'test' + set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' + set vpn ipsec ike-group IKE-GROUP close-action 'start' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1' + set vpn ipsec ike-group IKE-GROUP lifetime '28800' + set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' + set vpn ipsec interface 'eth0' + set vpn ipsec site-to-site peer PEER2 authentication local-id 
'10.0.1.2' + set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2' + set vpn ipsec site-to-site peer PEER2 connection-type 'initiate' + set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP' + set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2' + set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2' + set vpn ipsec site-to-site peer PEER2 tunnel 0 local prefix '192.168.0.0/24' + set vpn ipsec site-to-site peer PEER2 tunnel 0 remote prefix '192.168.1.0/24' + + + # PEER2 + set interfaces dummy dum0 address '192.168.1.1/32' + set interfaces ethernet eth0 address '10.0.2.2/30' + set protocols static route 0.0.0.0/0 next-hop 10.0.2.1 + set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' + set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' + set vpn ipsec authentication psk AUTH-PSK secret 'test' + set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' + set vpn ipsec ike-group IKE-GROUP close-action 'none' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1' + set vpn ipsec ike-group IKE-GROUP lifetime '28800' + set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' + set vpn ipsec interface 'eth0' + set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2' + set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer PEER1 
authentication remote-id '10.0.1.2' + set vpn ipsec site-to-site peer PEER1 connection-type 'respond' + set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP' + set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2' + set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2' + set vpn ipsec site-to-site peer PEER1 tunnel 0 local prefix '192.168.1.0/24' + set vpn ipsec site-to-site peer PEER1 tunnel 0 remote prefix '192.168.0.0/24' + + +Show status of policy-based IPsec VPN setup: + +.. code-block:: none + + vyos@PEER2:~$ show vpn ike sa + Peer ID / IP Local ID / IP + ------------ ------------- + 10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv1 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 1254 25633 + + + vyos@srv-gw0:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + -------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- + PEER1-tunnel-0 up 20m42s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048 + + vyos@PEER2:~$ show vpn ipsec connections + Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal + -------------- ------- ------ ---------------- -------------- -------------- ---------- ----------- ---------------------------------- + PEER1 up IKEv1 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 + PEER1-tunnel-0 up IPsec 10.0.1.2 192.168.1.0/24 192.168.0.0/24 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 + +If there is SNAT rules on eth0, need to add exclude rule + +.. 
code-block:: none + + # PEER1 side + set nat source rule 10 destination address '192.168.1.0/24' + set nat source rule 10 'exclude' + set nat source rule 10 outbound-interface name 'eth0' + set nat source rule 10 source address '192.168.0.0/24' + + # PEER2 side + set nat source rule 10 destination address '192.168.0.0/24' + set nat source rule 10 'exclude' + set nat source rule 10 outbound-interface name 'eth0' + set nat source rule 10 source address '192.168.1.0/24' + + +Route-Based VPN Example +======================= + +**PEER1:** + +* WAN interface on `eth0` +* `eth0` interface IP: `10.0.1.2/30` +* 'vti0' interface IP: `10.100.100.1/30` +* `dum0` interface IP: `192.168.0.1/24` (for testing purposes) +* Role: Initiator + +**PEER2:** + +* WAN interface on `eth0` +* `eth0` interface IP: `10.0.2.2/30` +* 'vti0' interface IP: `10.100.100.2/30` +* `dum0` interface IP: `192.168.1.0/24` (for testing purposes) +* Role: Responder + +.. code-block:: none + + # PEER1 + set interfaces dummy dum0 address '192.168.0.1/32' + set interfaces ethernet eth0 address '10.0.1.2/30' + set interfaces vti vti0 address '10.100.100.1/30' + set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 + set protocols static route 192.168.1.0/24 next-hop 10.100.100.2 + set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' + set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' + set vpn ipsec authentication psk AUTH-PSK secret 'test' + set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' + set vpn ipsec ike-group IKE-GROUP close-action 'start' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' + set vpn ipsec ike-group IKE-GROUP lifetime '28800' + set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' + set vpn ipsec 
ike-group IKE-GROUP proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' + set vpn ipsec interface 'eth0' + set vpn ipsec options disable-route-autoinstall + set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2' + set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2' + set vpn ipsec site-to-site peer PEER2 connection-type 'initiate' + set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP' + set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2' + set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2' + set vpn ipsec site-to-site peer PEER2 vti bind 'vti0' + + + # PEER2 + set interfaces dummy dum0 address '192.168.1.1/32' + set interfaces ethernet eth0 address '10.0.2.2/30' + set interfaces vti vti0 address '10.100.100.2/30' + set protocols static route 0.0.0.0/0 next-hop 10.0.2.1 + set protocols static route 192.168.0.0/24 next-hop 10.100.100.1 + set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' + set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' + set vpn ipsec authentication psk AUTH-PSK secret 'test' + set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' + set vpn ipsec ike-group IKE-GROUP close-action 'none' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' + set vpn ipsec ike-group IKE-GROUP lifetime '28800' + set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' + set vpn ipsec interface 'eth0' + 
set vpn ipsec options disable-route-autoinstall + set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2' + set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2' + set vpn ipsec site-to-site peer PEER1 connection-type 'respond' + set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP' + set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2' + set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2' + set vpn ipsec site-to-site peer PEER1 vti bind 'vti0' + +Show status of route-based IPsec VPN setup: + +.. code-block:: none + + vyos@PEER2:~$ show vpn ike sa + Peer ID / IP Local ID / IP + ------------ ------------- + 10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv2 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 404 27650 + + vyos@PEER2:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + ------------ ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- + PEER1-vti up 3m28s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048 + + vyos@PEER2:~$ show vpn ipsec connections + Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal + ------------ ------- ------ ---------------- ---------- ----------- ---------- ----------- ---------------------------------- + PEER1 up IKEv2 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 + PEER1-vti up IPsec 10.0.1.2 0.0.0.0/0 0.0.0.0/0 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 + ::/0 ::/0 
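Review bot: the static route in step 6.2 of site2site_ipsec.rst uses a wrong node name, `set protocol static route 192.168.50.0/24 next-hop 10.0.0.2`; the path is `protocols`, as the route-based example later in the same file writes it (`set protocols static route 192.168.1.0/24 next-hop 10.100.100.2`), so a reader copying the quick-start step gets a commit failure. In the same hunk the x509 passphrase directive is documented as `set vpn ipsec authentication x509 passphrase`, missing the `site-to-site peer` part of the path that every other rsa/x509 authentication command in that subsection carries, and the example topology bullets say `dum0` is `192.168.0.1/24` on PEER1 and `192.168.1.0/24` on PEER2 (a network address, not a host), while the configurations below set `192.168.0.1/32` and `192.168.1.1/32`; the bullets should match the config. Smaller points: the ESP group is spelled `ESP-GRPOUP` in both examples, one pasted output uses the prompt `vyos@srv-gw0` where the others use `vyos@PEER2`, and since the examples use `secret 'test'`, `hash 'sha1'` and IKEv1 for the policy-based case, a sentence stating that these are lab values and not the recommended PSK or cipher choice would keep readers from copying them into production.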
diff --git a/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst b/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst new file mode 100644 index 00000000..fdeb347d --- /dev/null +++ b/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst 
@@ -0,0 +1,323 @@ +.. _troubleshooting_ipsec: + +###################################### +Troubleshooting Site-to-Site VPN IPsec +###################################### + +************ +Introduction +************ + +This document describes the methodology to monitor and troubleshoot +Site-to-Site VPN IPsec. + +Steps for troubleshooting problems with Site-to-Site VPN IPsec: + 1. Ping the remote site through the tunnel using the source and + destination IPs included in the policy. + 2. Check connectivity between the routers using the ping command + (if ICMP traffic is allowed). + 3. Check the IKE SAs' statuses. + 4. Check the IPsec SAs' statuses. + 5. Check logs to view debug messages. + +********************** +Checking IKE SA Status +********************** + +The next command shows IKE SAs' statuses. + +.. code-block:: none + + vyos@vyos:~$ show vpn ike sa + + Peer ID / IP Local ID / IP + ------------ ------------- + 192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 162 27023 + +This command shows the next information: + - IKE SA status. + - Selected IKE version. + - Selected Encryption, Hash and Diffie-Hellman Group. + - NAT-T. + - ID and IP of both peers. + - A-Time: established time, L-Time: time for next rekeying. + +************************** +IPsec SA (CHILD SA) Status +************************** + +The next commands show IPsec SAs' statuses. + +.. code-block:: none + + vyos@vyos:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + ------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- + PEER-tunnel-1 up 16m30s 168B/168B 2/2 192.168.1.2 192.168.1.2 AES_CBC_128/HMAC_SHA1_96/MODP_2048 + +.. 
code-block:: none + + vyos@vyos:~$ show vpn ipsec sa detail + PEER: #1, ESTABLISHED, IKEv2, 101275ac719d5a1b_i* 68ea4ec3bed3bf0c_r + local '192.168.0.1' @ 192.168.0.1[4500] + remote '192.168.1.2' @ 192.168.1.2[4500] + AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + established 4054s ago, rekeying in 23131s + PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048 + installed 1065s ago, rekeying in 1998s, expires in 2535s + in c5821882, 168 bytes, 2 packets, 81s ago + out c433406a, 168 bytes, 2 packets, 81s ago + local 10.0.0.0/24 + remote 10.0.1.0/24 + +These commands show the next information: + - IPsec SA status. + - Uptime and time for the next rekeing. + - Amount of transferred data. + - Remote and local ID and IP. + - Selected Encryption, Hash and Diffie-Hellman Group. + - Mode (tunnel or transport). + - Remote and local prefixes which are use for policy. + +There is a possibility to view the summarized information of SAs' status + +.. code-block:: none + + vyos@vyos:~$ show vpn ipsec connections + Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal + ------------- ------- ------ ---------------- ----------- ----------- ----------- ----------- ---------------------------------- + PEER up IKEv2 192.168.1.2 - - 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048 + PEER-tunnel-1 up IPsec 192.168.1.2 10.0.0.0/24 10.0.1.0/24 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048 + +************************** +Viewing Logs for Debugging +************************** + +If IKE SAs or IPsec SAs are down, need to debug IPsec connectivity +using logs ``show log ipsec`` + +The next example of the successful IPsec connection initialization. + +.. 
code-block:: none + + vyos@vyos:~$ show log ipsec + Jun 20 14:29:47 charon[2428]: 02[NET] received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) + Jun 20 14:29:47 charon[2428]: 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] + Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) + Jun 20 14:29:47 charon[2428]: 02[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] + Jun 20 14:29:47 charon-systemd[2428]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 20 14:29:47 charon[2428]: 02[IKE] authentication of '192.168.0.1' (myself) with pre-shared key + Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.0.1' (myself) with pre-shared key + Jun 20 14:29:47 charon[2428]: 02[IKE] establishing CHILD_SA PEER-tunnel-1{1} + Jun 20 14:29:47 charon-systemd[2428]: establishing CHILD_SA PEER-tunnel-1{1} + Jun 20 14:29:47 charon[2428]: 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] + Jun 20 14:29:47 charon-systemd[2428]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] + Jun 20 14:29:47 charon[2428]: 02[NET] sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) + Jun 20 14:29:47 charon-systemd[2428]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) + Jun 20 14:29:47 charon[2428]: 13[NET] received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes) + Jun 20 14:29:47 charon[2428]: 13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) 
N(NO_ADD_ADDR) ] + Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes) + Jun 20 14:29:47 charon[2428]: 13[IKE] authentication of '192.168.1.2' with pre-shared key successful + Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ] + Jun 20 14:29:47 charon[2428]: 13[IKE] peer supports MOBIKE + Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.1.2' with pre-shared key successful + Jun 20 14:29:47 charon[2428]: 13[IKE] IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] + Jun 20 14:29:47 charon-systemd[2428]: peer supports MOBIKE + Jun 20 14:29:47 charon[2428]: 13[IKE] scheduling rekeying in 27703s + Jun 20 14:29:47 charon-systemd[2428]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] + Jun 20 14:29:47 charon[2428]: 13[IKE] maximum IKE_SA lifetime 30583s + Jun 20 14:29:47 charon-systemd[2428]: scheduling rekeying in 27703s + Jun 20 14:29:47 charon[2428]: 13[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ + Jun 20 14:29:47 charon-systemd[2428]: maximum IKE_SA lifetime 30583s + Jun 20 14:29:47 charon-systemd[2428]: selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ + Jun 20 14:29:47 charon[2428]: 13[IKE] CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24 + Jun 20 14:29:47 charon-systemd[2428]: CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24 + +************************ +Troubleshooting Examples +************************ + +IKE PROPOSAL are Different +========================== + +In this situation, IKE SAs can be down or not active. + +.. code-block:: none + + vyos@vyos:~$ show vpn ike sa + +The problem is in IKE phase (Phase 1). The next step is checking debug logs. + +Responder Side: + +.. 
code-block:: none + + Jun 23 07:36:33 charon[2440]: 01[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 07:36:33 charon-systemd[2440]: received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 07:36:33 charon[2440]: 01[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 07:36:33 charon-systemd[2440]: configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 07:36:33 charon[2440]: 01[IKE] <1> received proposals unacceptable + Jun 23 07:36:33 charon-systemd[2440]: received proposals unacceptable + Jun 23 07:36:33 charon[2440]: 01[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ] + +Initiator side: + +.. code-block:: none + + Jun 23 07:36:32 charon-systemd[2444]: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ] + Jun 23 07:36:32 charon[2444]: 14[IKE] received NO_PROPOSAL_CHOSEN notify error + Jun 23 07:36:32 charon-systemd[2444]: received NO_PROPOSAL_CHOSEN notify error + +The notification **NO_PROPOSAL_CHOSEN** means that the proposal mismatch. +On the Responder side there is concrete information where is mismatch. +Encryption **AES_CBC_128** is configured in IKE policy on the responder +but **AES_CBC_256** is configured on the initiator side. + +PSK Secret Mismatch +=================== + +In this situation, IKE SAs can be down or not active. + +.. code-block:: none + + vyos@vyos:~$ show vpn ike sa + +The problem is in IKE phase (Phase 1). The next step is checking debug logs. + +Responder: + +.. code-block:: none + + Jun 23 08:07:26 charon-systemd[2440]: tried 1 shared key for '192.168.1.2' - '192.168.0.1', but MAC mismatched + Jun 23 08:07:26 charon[2440]: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] + +Initiator side: + +.. 
code-block:: none + + Jun 23 08:07:24 charon[2436]: 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] + Jun 23 08:07:24 charon-systemd[2436]: parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] + Jun 23 08:07:24 charon[2436]: 12[IKE] received AUTHENTICATION_FAILED notify error + Jun 23 08:07:24 charon-systemd[2436]: received AUTHENTICATION_FAILED notify error + +The notification **AUTHENTICATION_FAILED** means that the authentication +is failed. There is a reason to check PSK on both side. + +ESP Proposal Mismatch +===================== + +The output of **show** commands shows us that IKE SA is established but +IPSec SA is not. + +.. code-block:: none + + vyos@vyos:~$ show vpn ike sa + Peer ID / IP Local ID / IP + ------------ ------------- + 192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 158 26817 + +.. code-block:: none + + vyos@vyos:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + ------------ ------- -------- -------------- ---------------- ---------------- ----------- ---------- + +The next step is checking debug logs. + +Initiator side: + +.. 
code-block:: none + + Jun 23 08:16:10 charon[3789]: 13[NET] received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) + Jun 23 08:16:10 charon[3789]: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] + Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) + Jun 23 08:16:10 charon[3789]: 13[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] + Jun 23 08:16:10 charon-systemd[3789]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 08:16:10 charon[3789]: 13[IKE] authentication of '192.168.0.1' (myself) with pre-shared key + Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.0.1' (myself) with pre-shared key + Jun 23 08:16:10 charon[3789]: 13[IKE] establishing CHILD_SA PEER-tunnel-1{1} + Jun 23 08:16:10 charon-systemd[3789]: establishing CHILD_SA PEER-tunnel-1{1} + Jun 23 08:16:10 charon[3789]: 13[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] + Jun 23 08:16:10 charon-systemd[3789]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] + Jun 23 08:16:10 charon[3789]: 13[NET] sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) + Jun 23 08:16:10 charon-systemd[3789]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) + Jun 23 08:16:10 charon[3789]: 09[NET] received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes) + Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes) + Jun 23 08:16:10 
charon[3789]: 09[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ] + Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ] + Jun 23 08:16:10 charon[3789]: 09[IKE] authentication of '192.168.1.2' with pre-shared key successful + Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.1.2' with pre-shared key successful + Jun 23 08:16:10 charon[3789]: 09[IKE] peer supports MOBIKE + Jun 23 08:16:10 charon-systemd[3789]: peer supports MOBIKE + Jun 23 08:16:10 charon[3789]: 09[IKE] IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] + Jun 23 08:16:10 charon-systemd[3789]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] + Jun 23 08:16:10 charon[3789]: 09[IKE] scheduling rekeying in 26975s + Jun 23 08:16:10 charon-systemd[3789]: scheduling rekeying in 26975s + Jun 23 08:16:10 charon[3789]: 09[IKE] maximum IKE_SA lifetime 29855s + Jun 23 08:16:10 charon-systemd[3789]: maximum IKE_SA lifetime 29855s + Jun 23 08:16:10 charon[3789]: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built + Jun 23 08:16:10 charon-systemd[3789]: received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built + Jun 23 08:16:10 charon[3789]: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA + Jun 23 08:16:10 charon-systemd[3789]: failed to establish CHILD_SA, keeping IKE_SA + +There are messages: **NO_PROPOSAL_CHOSEN** and +**failed to establish CHILD_SA** which refers that the problem is in +the IPsec(ESP) proposal mismatch. + +The reason of this problem is showed on the responder side. + +.. 
code-block:: none + + Jun 23 08:16:12 charon[2440]: 01[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ + Jun 23 08:16:12 charon-systemd[2440]: received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ + Jun 23 08:16:12 charon[2440]: 01[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ + Jun 23 08:16:12 charon-systemd[2440]: configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ + Jun 23 08:16:12 charon[2440]: 01[IKE] no acceptable proposal found + Jun 23 08:16:12 charon-systemd[2440]: no acceptable proposal found + Jun 23 08:16:12 charon[2440]: 01[IKE] failed to establish CHILD_SA, keeping IKE_SA + +Encryption **AES_CBC_128** is configured in IKE policy on the responder but **AES_CBC_256** +is configured on the initiator side. + +Prefixes in Policies Mismatch +============================= + +As in previous situation, IKE SA is in up state but IPsec SA is not up. +According to logs we can see **TS_UNACCEPTABLE** notification. It means +that prefixes (traffic selectors) mismatch on both sides + +Initiator: + +.. code-block:: none + + Jun 23 14:13:17 charon[4996]: 11[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built + Jun 23 14:13:17 charon-systemd[4996]: maximum IKE_SA lifetime 29437s + Jun 23 14:13:17 charon[4996]: 11[IKE] failed to establish CHILD_SA, keeping IKE_SA + Jun 23 14:13:17 charon-systemd[4996]: received TS_UNACCEPTABLE notify, no CHILD_SA built + Jun 23 14:13:17 charon-systemd[4996]: failed to establish CHILD_SA, keeping IKE_SA + +The reason of this problem is showed on the responder side. + +.. 
code-block:: none + + Jun 23 14:13:19 charon[2440]: 01[IKE] traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable + Jun 23 14:13:19 charon-systemd[2440]: traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable + Jun 23 14:13:19 charon[2440]: 01[IKE] failed to establish CHILD_SA, keeping IKE_SA + Jun 23 14:13:19 charon-systemd[2440]: failed to establish CHILD_SA, keeping IKE_SA + Jun 23 14:13:19 charon[2440]: 01[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ] + Jun 23 14:13:19 charon-systemd[2440]: generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ] + +Traffic selectors **10.0.2.0/24 === 10.0.0.0/24** are unacceptable on the +responder side. + + diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst deleted file mode 100644 index 78cadfb5..00000000 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ /dev/null 
@@ -1,427 +0,0 @@ -.. _size2site_ipsec: - -Site-to-Site -============ - -Site-to-site mode provides a way to add remote peers, which could be configured -to exchange encrypted information between them and VyOS itself or -connected/routed networks. - -To configure site-to-site connection you need to add peers with the -``set vpn ipsec site-to-site peer `` command. - -The peer name must be an alphanumeric and can have hypen or underscore as -special characters. It is purely informational. - -Each site-to-site peer has the next options: - -* ``authentication`` - configure authentication between VyOS and a remote peer. - Suboptions: - - * ``psk`` - Preshared secret key name: - - * ``dhcp-interface`` - ID for authentication generated from DHCP address - dynamically; - * ``id`` - static ID's for authentication. In general local and remote - address ````, ```` or ``%any``; - * ``secret`` - predefined shared secret. Used if configured mode - ``pre-shared-secret``; - - - * ``local-id`` - ID for the local VyOS router. If defined, during the - authentication - it will be send to remote peer; - - * ``mode`` - mode for authentication between VyOS and remote peer: - - * ``pre-shared-secret`` - use predefined shared secret phrase; - - * ``rsa`` - use simple shared RSA key. The key must be defined in the - ``set vpn rsa-keys`` section; - - * ``x509`` - use certificates infrastructure for authentication. - - * ``remote-id`` - define an ID for remote peer, instead of using peer name or - address. Useful in case if the remote peer is behind NAT or if ``mode x509`` - is used; - - * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined - in the ``set vpn rsa-keys`` section; - - * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when - ``id`` is defined; - - * ``x509`` - options for x509 authentication mode: - - * ``ca-cert-file`` - CA certificate file. 
Using for authenticating - remote peer; - - * ``cert-file`` - certificate file, which will be used for authenticating - local router on remote peer; - - * ``crl-file`` - file with the Certificate Revocation List. Using to check if - a certificate for the remote peer is valid or revoked; - - * ``key`` - a private key, which will be used for authenticating local router - on remote peer: - - * ``file`` - path to the key file; - - * ``password`` - passphrase private key, if needed. - -* ``connection-type`` - how to handle this connection process. Possible - variants: - - * ``initiate`` - does initial connection to remote peer immediately after - configuring and after boot. In this mode the connection will not be restarted - in case of disconnection, therefore should be used only together with DPD or - another session tracking methods; - - * ``respond`` - does not try to initiate a connection to a remote peer. In this - mode, the IPSec session will be established only after initiation from a - remote peer. Could be useful when there is no direct connectivity to the - peer due to firewall or NAT in the middle of the local and remote side. - - * ``none`` - loads the connection only, which then can be manually initiated or - used as a responder configuration. - -* ``default-esp-group`` - ESP group to use by default for traffic encryption. - Might be overwritten by individual settings for tunnel or VTI interface - binding; - -* ``description`` - description for this peer; - -* ``dhcp-interface`` - use an IP address, received from DHCP for IPSec - connection with this peer, instead of ``local-address``; - -* ``force-udp-encapsulation`` - force encapsulation of ESP into UDP datagrams. - Useful in case if between local and remote side is firewall or NAT, which not - allows passing plain ESP packets between them; - -* ``ike-group`` - IKE group to use for key exchanges; - -* ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process. - Can be used only with IKEv2. 
- Create a new IKE_SA from the scratch and try to recreate all IPsec SAs; - -* ``local-address`` - local IP address for IPSec connection with this peer. - If defined ``any``, then an IP address which configured on interface with - default route will be used; - -* ``remote-address`` - remote IP address or hostname for IPSec connection. - IPv4 or IPv6 address is used when a peer has a public static IP address. - Hostname is a DNS name which could be used when a peer has a public IP - address and DNS name, but an IP address could be changed from time to time. - -* ``tunnel`` - define criteria for traffic to be matched for encrypting and send - it to a peer: - - * ``disable`` - disable this tunnel; - - * ``esp-group`` - define ESP group for encrypt traffic, defined by this tunnel; - - * ``local`` - define a local source for match traffic, which should be - encrypted and send to this peer: - - * ``port`` - define port. Have effect only when used together with ``prefix``; - - * ``prefix`` - IP network at local side. - - * ``protocol`` - define the protocol for match traffic, which should be - encrypted and send to this peer; - - * ``remote`` - define the remote destination for match traffic, which should be - encrypted and send to this peer: - - * ``port`` - define port. Have effect only when used together with ``prefix``; - - * ``prefix`` - IP network at remote side. - -* ``vti`` - use a VTI interface for traffic encryption. Any traffic, which will - be send to VTI interface will be encrypted and send to this peer. Using VTI - makes IPSec configuration much flexible and easier in complex situation, and - allows to dynamically add/delete remote networks, reachable via a peer, as in - this mode router don't need to create additional SA/policy for each remote - network: - - * ``bind`` - select a VTI interface to bind to this peer; - - * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI - interface. 
- -* ``virtual-address`` - Defines a virtual IP address which is requested by the - initiator and one or several IPv4 and/or IPv6 addresses are assigned from - multiple pools by the responder. - -Examples: ------------------- - -IKEv1 -^^^^^ - -Example: - -* WAN interface on `eth1` -* left subnet: `192.168.0.0/24` site1, server side (i.e. locality, actually - there is no client or server roles) -* left local_ip: `198.51.100.3` # server side WAN IP -* right subnet: `10.0.0.0/24` site2,remote office side -* right local_ip: `203.0.113.2` # remote office side WAN IP - -.. code-block:: none - - # server config - set vpn ipsec authentication psk OFFICE-B id '198.51.100.3' - set vpn ipsec authentication psk OFFICE-B id '203.0.113.2' - set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey' - set vpn ipsec esp-group office-srv-esp lifetime '1800' - set vpn ipsec esp-group office-srv-esp mode 'tunnel' - set vpn ipsec esp-group office-srv-esp pfs 'enable' - set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256' - set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1' - set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1' - set vpn ipsec ike-group office-srv-ike lifetime '3600' - set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' - set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' - set vpn ipsec interface 'eth1' - set vpn ipsec site-to-site peer OFFICE-B authentication local-id '198.51.100.3' - set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2' - set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike' - set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3' - set vpn ipsec site-to-site peer OFFICE-B remote-address '203.0.113.2' - set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'office-srv-esp' - set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local 
prefix '192.168.0.0/24' - set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21' - - # remote office config - set vpn ipsec authentication psk OFFICE-A id '198.51.100.3' - set vpn ipsec authentication psk OFFICE-A id '203.0.113.2' - set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey' - set vpn ipsec esp-group office-srv-esp lifetime '1800' - set vpn ipsec esp-group office-srv-esp mode 'tunnel' - set vpn ipsec esp-group office-srv-esp pfs 'enable' - set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256' - set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1' - set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1' - set vpn ipsec ike-group office-srv-ike lifetime '3600' - set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' - set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' - set vpn ipsec interface 'eth1' - set vpn ipsec site-to-site peer OFFICE-A authentication local-id '203.0.113.2' - set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3' - set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike' - set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2' - set vpn ipsec site-to-site peer OFFICE-A remote-address '198.51.100.3' - set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'office-srv-esp' - set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '10.0.0.0/21' - set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '192.168.0.0/24' - -Show status of new setup: - -.. 
code-block:: none - - vyos@srv-gw0:~$ show vpn ike sa - Peer ID / IP Local ID / IP - ------------ ------------- - 203.0.113.2 198.51.100.3 - State Encrypt Hash D-H Grp NAT-T A-Time L-Time - ----- ------- ---- ------- ----- ------ ------ - up aes256 sha1 5 no 734 3600 - - vyos@srv-gw0:~$ show vpn ipsec sa - Peer ID / IP Local ID / IP - ------------ ------------- - 203.0.113.2 198.51.100.3 - Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto - ------ ----- ------------- ------- ---- ----- ------ ------ ----- - 0 up 7.5M/230.6K aes256 sha1 no 567 1800 all - -If there is SNAT rules on eth1, need to add exclude rule - -.. code-block:: none - - # server side - set nat source rule 10 destination address '10.0.0.0/24' - set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface name 'eth1' - set nat source rule 10 source address '192.168.0.0/24' - - # remote office side - set nat source rule 10 destination address '192.168.0.0/24' - set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface name 'eth1' - set nat source rule 10 source address '10.0.0.0/24' - -To allow traffic to pass through to clients, you need to add the following -rules. (if you used the default configuration at the top of this page) - -.. code-block:: none - - # server side - set firewall name OUTSIDE-LOCAL rule 32 action 'accept' - set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24' - - # remote office side - set firewall name OUTSIDE-LOCAL rule 32 action 'accept' - set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24' - -IKEv2 -^^^^^ - -Example: - -* left local_ip: 192.168.0.10 # VPN Gateway, behind NAT device -* left public_ip:172.18.201.10 -* right local_ip: 172.18.202.10 # right side WAN IP - -Imagine the following topology - -.. 
figure:: /_static/images/vpn_s2s_ikev2_c.png - :scale: 50 % - :alt: IPSec IKEv2 site2site VPN - - IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio) - -**LEFT:** -* WAN interface on `eth0.201` -* `eth0.201` interface IP: `172.18.201.10/24` -* `vti10` interface IP: `10.0.0.2/31` -* `dum0` interface IP: `10.0.11.1/24` (for testing purposes) - -**RIGHT:** -* WAN interface on `eth0.202` -* `eth0.201` interface IP: `172.18.202.10/24` -* `vti10` interface IP: `10.0.0.3/31` -* `dum0` interface IP: `10.0.12.1/24` (for testing purposes) - -.. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021` - gives you additional information for using /31 subnets on point-to-point - links. - -**LEFT** - -.. code-block:: none - - set interfaces ethernet eth0 vif 201 address '172.18.201.10/24' - set interfaces dummy dum0 address '10.0.11.1/24' - set interfaces vti vti10 address '10.0.0.2/31' - - set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.201.10' - set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.202.10' - set vpn ipsec authentication psk peer_172-18-202-10 secret 'secretkey' - set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' - set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' - set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' - set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike - set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' - set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' - set vpn ipsec ike-group IKEv2_DEFAULT 
proposal 10 encryption 'aes256gcm128' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec interface 'eth0.201' - set vpn ipsec site-to-site peer peer_172-18-202-10 authentication local-id '172.18.201.10' - set vpn ipsec site-to-site peer peer_172-18-202-10 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer peer_172-18-202-10 authentication remote-id '172.18.202.10' - set vpn ipsec site-to-site peer peer_172-18-202-10 connection-type 'initiate' - set vpn ipsec site-to-site peer peer_172-18-202-10 ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer peer_172-18-202-10 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer peer_172-18-202-10 local-address '172.18.201.10' - set vpn ipsec site-to-site peer peer_172-18-202-10 remote-address '172.18.202.10' - set vpn ipsec site-to-site peer peer_172-18-202-10 vti bind 'vti10' - set vpn ipsec site-to-site peer peer_172-18-202-10 vti esp-group 'ESP_DEFAULT' - - set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10 - -**RIGHT** - -.. 
code-block:: none - - set interfaces ethernet eth0 vif 202 address '172.18.202.10/24' - set interfaces dummy dum0 address '10.0.12.1/24' - set interfaces vti vti10 address '10.0.0.3/31' - - set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.202.10' - set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.201.10' - set vpn ipsec authentication psk peer_172-18-201-10 secret 'secretkey' - set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' - set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' - set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' - set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike - set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' - set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec interface 'eth0.202' - set vpn ipsec site-to-site peer peer_172-18-201-10 authentication local-id '172.18.202.10' - set vpn ipsec site-to-site peer peer_172-18-201-10 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer peer_172-18-201-10 authentication remote-id '172.18.201.10' - set vpn ipsec site-to-site peer peer_172-18-201-10 connection-type 'initiate' - set vpn ipsec site-to-site peer peer_172-18-201-10 ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer peer_172-18-201-10 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer peer_172-18-201-10 local-address 
'172.18.202.10' - set vpn ipsec site-to-site peer peer_172-18-201-10 remote-address '172.18.201.10' - set vpn ipsec site-to-site peer peer_172-18-201-10 vti bind 'vti10' - set vpn ipsec site-to-site peer peer_172-18-201-10 vti esp-group 'ESP_DEFAULT' - - set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10 - -Key Parameters: - -* ``authentication local-id/remote-id`` - IKE identification is used for - validation of VPN peer devices during IKE negotiation. If you do not configure - local/remote-identity, the device uses the IPv4 or IPv6 address that - corresponds to the local/remote peer by default. - In certain network setups (like ipsec interface with dynamic address, or - behind the NAT ), the IKE ID received from the peer does not match the IKE - gateway configured on the device. This can lead to a Phase 1 validation - failure. - So, make sure to configure the local/remote id explicitly and ensure that the - IKE ID is the same as the remote-identity configured on the peer device. - -* ``disable-route-autoinstall`` - This option when configured disables the - routes installed in the default table 220 for site-to-site ipsec. - It is mostly used with VTI configuration. - -* ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE - notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) - are periodically sent in order to check the liveliness of the IPsec peer. The - values clear, trap, and restart all activate DPD and determine the action to - perform on a timeout. - With ``clear`` the connection is closed with no further actions taken. - ``trap`` installs a trap policy, which will catch matching traffic and tries - to re-negotiate the connection on demand. - ``restart`` will immediately trigger an attempt to re-negotiate the - connection. - -* ``close-action = none | clear | trap | start`` - defines the action to take - if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of - values). 
A closeaction should not be used if the peer uses reauthentication or - uniqueids. - - When the close-action option is set on the peers, the connection-type - of each peer has to considered carefully. For example, if the option is set - on both peers, then both would attempt to initiate and hold open multiple - copies of each child SA. This might lead to instability of the device or - cpu/memory utilization. - - Below flow-chart could be a quick reference for the close-action - combination depending on how the peer is configured. - -.. figure:: /_static/images/IPSec_close_action_settings.jpg - - Similar combinations are applicable for the dead-peer-detection.
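Review bot: In the added troubleshooting_ipsec.rst section on the ESP proposal mismatch, the sentence under the responder log says ``Encryption **AES_CBC_128** is configured in IKE policy on the responder``, but the log lines it explains are ESP proposals (``configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ`` versus ``received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ``), so the reader should be pointed at the ESP group (the IPsec, phase 2 policy) rather than the IKE policy; as written it sends them to the wrong configuration node. The same hunk needs grammar fixes: ``which refers that the problem is in the IPsec(ESP) proposal mismatch`` should read ``which indicate that the problem is an IPsec (ESP) proposal mismatch``, ``The reason of this problem is showed on the responder side.`` (used twice) should be ``The reason for this problem is shown on the responder side.``, and the sentence ending ``mismatch on both sides`` lacks a full stop. Finally, every event in the example logs appears twice (once from ``charon[...]`` and once from ``charon-systemd[...]``); keeping only one source per message would halve the blocks and make the NO_PROPOSAL_CHOSEN and TS_UNACCEPTABLE lines easier to spot.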
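Review bot: Deleting docs/configuration/vpn/site2site_ipsec.rst removes the ``.. _size2site_ipsec:`` label at the top of the file; unless the replacement page under docs/configuration/vpn/ipsec/ defines the same label (note the ``size2site`` misspelling) or every ``:ref:`` to it is updated, Sphinx will emit undefined-label warnings and cross-links to the Site-to-Site page will break, so please confirm the label is carried over. Three defects visible in the removed content should not be copied into the new page: the IKEv1 example describes the right subnet as ``10.0.0.0/24`` but configures ``tunnel 0 remote prefix '10.0.0.0/21'`` (and ``local prefix '10.0.0.0/21'`` on the remote office side) while the SNAT exclude rules use ``/24``, so the prefixes disagree; under **RIGHT** the interface line reads `` `eth0.201` interface IP: `172.18.202.10/24` `` although that side's WAN interface is ``eth0.202``; and the close-action flow chart is referenced as ``/_static/images/IPSec_close_action_settings.jpg``, so the new page must reference whatever image file replaces it.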