From a973ead6423b7e8099e72738cf8c963e6b68eecd Mon Sep 17 00:00:00 2001
From: aapostoliuk <108394744+aapostoliuk@users.noreply.github.com>
Date: Thu, 3 Jul 2025 17:54:26 +0300
Subject: [PATCH] Updated site-to-site IPsec VPN documentation (#1653)

Added general theoretical IPsec documentation.
Changed site-to-site IPsec VPN documentation.
Added steps for configuration.
Added documentation for troubleshooting site-to-site IPsec VPN.
---
 docs/_static/images/ESP_AH.png                     | Bin 0 -> 35607 bytes
 .../images/IPSec_close_action_settings.jpg         | Bin 62330 -> 0 bytes
 .../images/IPSec_close_action_settings.png         | Bin 0 -> 22371 bytes
 docs/configuration/vpn/dmvpn.rst                   |   2 +-
 docs/configuration/vpn/index.rst                   |   4 +-
 docs/configuration/vpn/ipsec.rst                   | 657 ----------------
 docs/configuration/vpn/ipsec/index.rst             |  21 +
 .../configuration/vpn/ipsec/ipsec_general.rst      | 308 ++++++++
 .../vpn/{ => ipsec}/remoteaccess_ipsec.rst         |   0
 .../vpn/ipsec/site2site_ipsec.rst                  | 729 ++++++++++++++++++
 .../vpn/ipsec/troubleshooting_ipsec.rst            | 323 ++++++++
 docs/configuration/vpn/site2site_ipsec.rst         | 433 -----------
 12 files changed, 1383 insertions(+), 1094 deletions(-)
 create mode 100644 docs/_static/images/ESP_AH.png
 delete mode 100644 docs/_static/images/IPSec_close_action_settings.jpg
 create mode 100644 docs/_static/images/IPSec_close_action_settings.png
 delete mode 100644 docs/configuration/vpn/ipsec.rst
 create mode 100644 docs/configuration/vpn/ipsec/index.rst
 create mode 100644 docs/configuration/vpn/ipsec/ipsec_general.rst
 rename docs/configuration/vpn/{ => ipsec}/remoteaccess_ipsec.rst (100%)
 create mode 100644 docs/configuration/vpn/ipsec/site2site_ipsec.rst
 create mode 100644 docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst
 delete mode 100644 docs/configuration/vpn/site2site_ipsec.rst
diff --git a/docs/_static/images/ESP_AH.png b/docs/_static/images/ESP_AH.png new file mode 100644 index 0000000000000000000000000000000000000000..6075c3f46d3fa464f8304bacf03daaabe0eaaade GIT binary patch literal 35607 zcmc$`byyuuy6(M*K!OH`V8Jc8dkF6C?(XhM2=4Cg?zXVt?yd`W2`&pci}!tJX3yR; z`|NYB^Ic#6L9>9auBvXTp1ObcQ$e!QA_%Y_VF3UDf|#hFJOJ?O5CDK$diM(QlgIZ0 z>X6fGhp%Fa@7}#zT9;V^06qc41o;(RQ;$|$zM%Cj!TjDel|RYFeU~b4DJtkEdzAdn zJex@OG_w#HS>lN1%w)i#v?`OV7doCom>60P`AwCsZ{{a?LAftq*uQYxceMEcexSY0 zqq%u}=s6x89Sz0bCw_V89#DLw@y(7t8ni$M=4n`6pjD z*Dvl!#0VwSTS(jp6T0EXf9U79E+#%~oVDEV{F6r$1Ny zD9#V&_NIZ<L2`KUPGxB>OPPo-yuLN_8niO?G^bp}(>0jpfdOw57au$H0X-<2&Ps=Q zFx7RYoAL8sL)NT~Wt2A#kKlXIWi2qn;GWK*x z2NxKKWhXx#mElu)vM{!&Cnn|wFog|O#RBh%>9cD40>)L_=zS?i-LEOWq(Yi_7qPdJQbE zGEScCCeIxh{D%8rD{QfjF$!o*Y0_T)=J7nFL7#|h^LmyN)i~YT{wCkBctH+jvStSnKtoV&E+-YBP1 zOG=W#&NEJme){kZzV9R$Z6YMMcA1DMdQNuTKG1NhNz;vpXt1P-UImn`;n5?mg>KU3 zmd5`;dv9eJ#J>32TNUUyuveZ)FeQoZN1#^ALTjBivj!6A5j>kiY=ocM#zD|_XO&kJ z9BwXzYnNo6+CD^d;Be(q`z+lItlqo~^N0_x<;F^uzrP9mIJ6rO$Kp+&iY_LJj!Vkp zP&2wf7-aVO&}U*PvczX_kuKRfpSFuITH%z(Y$jhj*zGMkoKj#pJN0F+P>PLYY#!fC zb*(&Ch#lW3&Ysumvzsw58UM)^wPg*D76h{ZO6H44*Dd-jD3(Z?yftG z;&>H;-0Ec5{+Xl@Nv0*@C}J~?B+cHcJ&nFtgRM_%=s8g=z$>k`qBJwmvjh5OUS|_Y zTI*r=*!%Df|3WiQSts}|1m|uym9+gGVp&$_@ZtIbc=m+FYV1KJ(Tz#&>C~X=xuoc! zDlISUdHgsgBXneFNLR;3KAvdDYJPtSgDKxxZ-JA*%?>#$>Da@(Kh7&?c!EA-%T!vB zQc=qh8>u2-Np*BvPS#3&x6t&UM36gBEJIJu$^ro$9Z=bs&<11c=>J*U1bkW@cFl+O z!0e?>Vu@iDk>PUk(yODHDWXRnFn2m! 
zNH|<~IoWWcndd%p_{IGDhE#_W<~ z(zz7*c75V>SU;a}7bLpWxjz?EPG`cggECNvpnh-{FKlO^b@tP$IbOqToz-Q;H+^AkeKwheuX)SRXpm0nq`9`V z<#Nu>jzmcC_&9Z`SPU6irs|>GFK;`~Xe+mvx?*tALjvhm?;<`Tt#GG2F1`)wj{H3w zwv!qnvYcIM-{r#h&6OK<*|@#L<$wm-W;KY%w5-zvFxgpcNNi)c_jY<)NT-8V7SFt&5htx4lg%<80|F(?R-e<*QYII>}~m@;mVc$}MemfzSShjGOXJ!&4-tN~(fHj{sUPC`oR z-~CX8b6Ep>({k^4YiU4B&bQxDhNF|jc`&G;=w?R7HM=`ToIukDbc`&x6b^X@P|aC= z%3AL)F*PfhcACS)AlvA-y<1#X#|#j*AI>_gIv2S=d^~AN+`FlaN;hXol%^?GRMoa= z96I<#8bkiLsR6rqgfZp#I!NSn4^$$_96s5b)J!&===y7qy5)4>!`hu2JMJ^|c z%0;XMs!BsXxo7HY7kASi2-#Gwa4R5FFbQvnE2l8tEn}TDJ8#A8Zt;!8XGEuCqdMC1 zOSxS_IF<%N0M35vE9Ff3Sb#{+jiJuw<|JMh_Qvt?sQn_QxoAnWlUb+<>Lo{zj|g zlw$QK;xGY$m~|KC9X9#09V4JdH-?3jwDZ^gyw^AdWmMPmW-3nOg%rHH+v1#_6*vSk za^LQ|7O^7%fRUa6mkMO^w|JV&stIFrct?$Q@|MniVDxRDMrx$jB!CPgNL==Xhoadd ztn$;t1FTKgF|y4hQGN1?0}nEh?Q)%_j!$dGsikiL!HN4f%0b8l2FZ|!Es)q`!*Sv2 ztQ9A{0HyPX4%{|q2f1QL3-G(?zyscYU`SH>Ue-QY^kF}Ed?QdmYou7CwIY1PFaRj+ zcr9Lfx;oSD9-KfzXE@spwli|6FiXRzH5r_5Wka<`zX}676}ocS*^M+qg31Ff-vMCF zg5qz&DN6jYU_LEWz_+r&6Kw;g!q?=4^UvF^yKxTr^H)|Hk+OENr0tM8$eJK9A@%C7 ze{Ua)TWHU9!C4-I8dTEmiz?#2U^som(5eYKMFA==W1 z3p78!^K{Zmu?q42Q*EINO2`Cv|hE=G-w}ORz|Iwv)s;e)eJW4 zr&#C$Ms&J{edUhzILvGL{f+{IZq)0p399XGPwM*Orx{FGFGt!uc78Ebq|9x`w&6Xb zl|6>8`-{KVE}47kQVnAcYPEkdb6$dC@~O4j_UJzrH-vnsi66r&q*3@B+;$Fr5-338 zTMw(mXSjkXK=#)p5gAz=@h#c$NLZ%fpj*e6Q=!6mOK@ka)tj@lq@}rT)kwY(#=x`4 z=QI)oW9(pm{pi|dYa^tJMTtjxO@c{}Uy8o`*3hdKN`XT9gvR^XJ$ zQ{p&wh#Z>%&{(-^SUld<6DM^ITau)>n$|$`yHnnNSOxwaXy4LfUQ_FP4zF!)*{I#% z{oX-@6rNGjSO{B0;qRyjLBHWu2~C_yaVrEV@l)mQ)A^{t!BZ8*5n90QXM~sz?s*=U zqm#+@I+Z&i^;%LQlsu;;x0`86Vxe$$sk?%2Dcr52uf!1~es2N!WYBixxQI};H8{$2 zm_(nDPiGfqPAzvITPhP8n}7daFhC9plF5DvIJK*$I%Xx~B-Mp<(%LM>;{0+rv4^UT zj-{d%RW}&?S|}4KDh7d}+DkS_qpAJ!T!2S`p2~iS3qAc>`Yr=w6b?&e%>Ss6Q zJYErD{vZkN@Ac+>1NR(eK?8zN8p0pnzj^h2eO@by$UTarncp%WUEyMDQOG*A@A?)|wy7elT*VU6Z|yQ( zZs%@q1S2oI&C+$+w@$3Cq?S;n5s*mej+(&Ly|+VZhtS;6=ECZDri=;Z2ZhJhW6?g zN3XK1nW~cjFX@8}Y~Ahr$EndWh2|mQ3=JkThs#<8w(GFz-cJr*7KL$mppq6^1372? 
zVeo!f6`fcGv5xTPP_OgkMW_A#gpw>}FZ200JPTC1xKhV?Q9`y`@%U)xpcI1Aqjxmg zG0QP33x>y5p=^O5BuylzP|C!2MK)6g_m4j29R6|cQPLL5ThxIIa%WpY)= zmuG~ooc=f}Cp)7U)pzO!X?UjgG&A(Y_4-NGtM6avbtQD&<@W1Kxl*Lw{(wx8Arknz zd^d^IAK*cr#LvBZRT$6eyibglf&+4+9I=bT>l?aX&RS{^>g7U?A64|J)v}4gTX?z1B2Qh zZJIAygwLmVEWZh|9kH`Wh}h)4zI;Da_(;wpQg$fYJdq<3fj?2u${l5nG$i-(!D{Jx zV(c%eq~OdK-d+8<()~0~6j?yBWv+OVk#F(($fVgcLFH1zKahfN ze|F z%E|e~Yx$S)9PMAvzy&DC4S9c8>rgvVq2cGza_T4 zdGi+3WT2cL*iTF8Y24-C_5Q(IcoGT+&z~LFGq#H!yP-ikiT(oKWV&q%Ojfv}#y8=f zv^(TNxh-NtJw7`(5lJeKTzi^35>pmYb8APbJ^Fye;Xw-5RiOok$+&@5LF#Ez5$n$L zNnz2om37f}vYd7T&xf9Sw+l7Tg4JkjWa}aSMDx)gx^>58`ndgqpB5Q82okZ~O0>ui zYU@MF^Te4OKgvJUMd;2dH+~pQZIv$+McZ!D(M*8OSD=Pq@bA{g z*@H7EY8B{iOfTS$359uo@1c&Ip0%^~_r@(sW%uk!?K>O#-)ZMDF0VAsD;KFm;ek74 z*-^*q1j$Ov(`iL;|D^NWwSa(9J6dyYOWJBc;k?}UeqwUv`3?CMd>5r8JS8XQ#zLCy z^BtX{Wjn-i)9x1s6RQ(<0R?41EENjEF$6$iN-=gQ`_(FX1J-1`m(y;>5aGW4BAWNk zL+iO%1zv#_=fTd)alM;wM&`tU@o%Gos>l|9*aQI*Vu(9tA z6|t|uoq<|`j*NWfh_F~}8^~U^gk4K2E{$fqYh)56DkS3DmsNe7U08^jgdV;MkM{pe z5u*7gMW_@Z%e{xrCN;DkblGmk$jh6BEwz$Dr*g@mVOWR~ZQvFV-4HV$rizG(TVUUF&*_@-3+keux1b@(s? 
zk7CqFm$9W?e|D6Y@?4XidG6P@@xE4RJ1EdzpL;e;>sEiZ$z#{wh3Znv8q2n1N4@7x zzpR5V!95>-YsZPGK#+a;Y^*nK3ZkNj`CScnpdDZ ztK~9Rk*KUbxvXm_VwEJ_m0*FOk9r_uYtfsl!*1@J&v;T#hy0kDnu18DvV-S(?$%cU z^VzK#U6=^5R4RWkM&ta|ipPUT~1 zVz$ZW2;S-wthr#EpG%3&3v|PAzOU~IEz(k-24YI`|9lQAcvQY2_?6=7IT$Abcdv0C z7-)^J$pUKLvVQIM{w5H}YQ=W=iH??txyDNdp{cq`GTi@;M8tteJnNv`xVP(Yoi*OU z4NWm+mV+w!o(dUBf6_!%aYJR5 zKWH;xW{w|jGDbTju%NtHH5S=<=5SWz86Ca72{>rFkwbanQ;Pi%#!9|3d`dUyY_x2* z;?ivz&*69E(8}*0a*tJL)_~1fUegx@TJbMIni=)}9k3*D68Q|SPwAXN`k`z(vMWD3 zR9K1WN$k}oN$eTb{SS$X8@m|mBJ)%@(X`(l_VSIq3@j7z>k3kAcvPMi=O9?oka8Hl z3>)Fgk;H-7)=Tz{*yq&*n;8q;l!L+c4|Nu|-#!kO=(Z10p5qb;mD#X1NuNxFdUq-# zRTI7P%y4|ZzY0rXd|P%Q4PJe=%S1iBuZb?`TUvWFww8Zvq(w>DKO0G<(v;jp zh-B^9pjj&JbpOv z)t$4jdZ3X*Iz41gz5aQo(=IHmicl-U^PI8deoTua4Ve#LyUMw)^^QRBB}!cK#s&#p zUuh8?+qA2|X|b4}_>z?Oc;4hlz!VMGP9J%5T>7g47xKqG5?PC+C>8iP&|^G5^2flY zmErp1Y1MZat7hqJkqym;MRx2ZA>dn=sd?A;pfh1{EWnB>{u@oq|J&a+u|@7SDlqqJ z@A;OzjUaP5`<(I&ZzKI*?dy0lB&_o9FM%nR3*o%3?zxd{RTREvd3iQpp2Rx83bz`H ztNlmKtYlz|x5a58YnZ8Pm0u)>V5bQMv!e z24*#B6>r3Lr@3Sia~$+08$h!;JcGbh){i{~KM-Joz=?{hZwm~|^8ZSnyNWXVIun%NmQ`U54Oz*x%G8U;Y$7X+^*-#< zmmi>ujo4LrP97vVIl?EiTA&?cjP!xIa|tJ)i;yTwRy89mxMp<+B3>vZ=+kF+2hJBCC-854~qCwWI9 z%c}TV*CIWpM9f3tdQ}ViYSgc^c=L^qEASC%&PoB{kjSdlcyir?mMo0%It(6KotstW z{tduXn71V$jGc0CExQBg*>Ix^e4qtr8NTH!0BRf*FN}BcJAmvdyFHn7f))X&dEJeQ z@bhh*?2{G#nfdBlfYThk0llQQvAsOxus2@#ZMqPj%N%vP=`<81WHx}FtlMy}@r#aY z+9|t6MZfjBoPS!OKN^EhOuN4{sDX9xL~n|d#&j&U%EN|ii|PQ!=}`8}du=1x1?meP zvm|tklSxg{mrox|BW^G3pacXZi%*NoA4uORP-zE0a|ctP~UQ? 
znghZ{G7(dM>OLoIrm2i3>CZJ-@qg`+i+}jD$Te;(B_^iLzO1MLKS9Zpi^_-!yiZM3 z6`TEv=>SzmXeFTBoaKglMC9-Rm9i$F+Kp~sH6@aiM!S>L*rCO7IIDy#V@zePZXuri zc3c?8OYQBWw!q~zjY}ez*K}=6(uxL%%i}Ol8VP5=OxZW0m8qnKy521SW}KS^a_c)< zVc`k_KW+~;eih!Gr{l&fVt+p^pe8T|nS8|w)b8?J-kuGdA4z2&TG;n^UCt~QMR7lP z3M2ityOt4eCIlA5rcCm$^u6nqo#KO6-aXlC#02F-u8tnfA=E7hH-aq;`6A$ga*ngi z8z59!%;SI2_0Xwl0Ywm9&y>KgqVR8C03Ypshz3YPrLC!t(W8+R8YEFUo_FAk4!0Zg zT|j@*&?%JjH>KCL#N_71+=^Q@g^rwB&@k0;XBs)wK{=txxp~UfzLx~P-)^f^5Wo~p8eT5}xbTN5;7cx5e{Y=zm##=R1J zP|Q$~6>c9+|Fxv2RuAO?`cO=}M*f$OH>2k57vXv0SkGfwUj9ptfPGSVm)*$A5vo5Q zv37aa@8KY-U9cxaVmRB?LPou)EK6)Dy8RB13k4Y>pR4%?7A8YC zlZJh!TW?np0ih9940aa zYFffq+<#khziV;;(PcFkLA6_Y*l9b*2P!%;yW$dU)LNU2#|z5Iy-&iXq$HYTm{i#Q zV5f)x_9>AO6m;wCHq8D;LmUQ?@qXDJm5U;`ilWs2B%q{pfsmfLJqYOu8EP3YCh~bs z-MBP2zAM^Gsck|=i|hD+-gZC6m*vRcheTCx-ffiLCTR6lIi~WZY9o-UO_`2^A^mq^ z_+Yh;I5stge}iRAVTvvf)DqVY>dSj@;kbiG4mh8Tkq@d}Ja>cD6v|F`Z?*tmWDBd1 z!AE=dJug(>0zYcyBvWhia!Y(^jiT^8`Iv39Zmt-jbFOf9!%w6%E)xo~(FIwkG7j1N zrQl&iBpH@wB%~{oOqGwqePJc2d(ZKw@E46rN6S#M`Sx4>1pOgVYja!Y_`xl6dw-aD zAG8{6i-PIxRGx=KPdk>n)v-7G!FlMl9lk?bhSRL>Oi`UcT@AreO7nxw<8!l5l_4a!cEAs;lNPv^>Ur%{&h$d5s?*KffSfcl3~tN>6xbjO4-@+ zjD*HeEaZi+7}7&-yT3TCFQ;y$HX$Rqq&Tn1gtr!gup5Q1t3`i%_TJ{~L! 
zYa>8mONNk}{bji!_Wh1gAvPxzyG-O zQ0P_5QyS`M!@K$RH-AgHLR1bA5e%qod^#3A86CCrl=zmIwGyqC_k#EFK=< z(>AcQoZQ6B3=1bGu*l=h_?yaV;%V`(UpxKaFn7i>K#-EZnGYwkSlnOk=jZ3c!ot23 zE&Kx>nwN%$=W$NQXQkdsL&4<@z}!$zugYvHKT9Bh)ky^K@jW9}VcF%SBOM)`ipm@e z68?vYYNMfg>y^dnv{#X`6B83!Ku5|ukA-TZ`uh6E`zwn@S}0~lLwZ>@NCOB73H!qF zxE%Ln6%}K@f9F@YdG`fnB%KEgk=?GZuVct%lob>#4j_IjC`0<+Nhl~NL_|dNh6v-g zkZ-lyJcHEeKCS;H>aNXAL!Rm{-hU{S%r3)+7vbhDC+%;xrxiaPM>X8!Fbk(Tt_E$| z^6oPs$}N7CE1rABLS8Y=sd(o~DfipiBH-f8=@c38iyZP!nC`%C*k}VY^C>ykQ6I`1 z7g2=hDri(~kBugF335u`QqHVicwycsmkGp;@lgPNC47N?J>G)Ocf*6i;n5eb#+cB8 zpO319OXhaG&HQWs$L`a@p@Bg{(#`UftR$MtegpQSD=z<76M05pFl2?hUeyakjp#aL zGZ+gaVNh7?oLAD=MWmpK$JU(fLkOC9UjIo zvxT1Hlol>THMc+H`MIT)s^GV0tWKMJ0H~8e-rNyvg%8fhw)1QtgzAUY?>-NpHAjDB zOfXU(~)&H8{F%%q_Ye%pua88Tx)dS3Is)o*jz9x(Yf3CTW8 zW$b1VMWAXH%uQ_l?zeBT=Qh!CpJ{2FCBR;Ay*+QSo7C)7oQFBfz!sL;deg9X&l)Zp zX3|eN?HHQ$oRK87()P!07E9}3P9r5vPTo?-!1-=!uAN)#WAAhnAXo!d!s5W;9e@Uv z5$oH|k=8uRXHkl=Dt~-%1ls5TMSm0%Z z41A81$_dZVeWq%{lX7y?+qgDZcf2EylE+dzP`w!`F;;c2L#q+azOpgjD(5WS$j#A2 z*X{{qA;bth$6{l}&p#;M+q>BxX@C@%s!pioV^8@+-3qGI}y zTL&d5Z02DUB+l&Bo-i=xtwEY)MoQh~_WbF_%3L{}e*MlNnkZX(6Z7zQ9xnwM&5}59 zP|l%-vAb9tvhdDUK1kylXhAK2K1rk}pYGiEmMqJrPpn^#K4+S7F0hMib}23!2UAHRa$kTZ5}H@- z+qzNXmF*??RG{JhBq@`-(Vgayb>8j%CM^8O8(ygOB6x<=S94d1_M8mhnMVt{eA?B@ zal40K&Tr|cpD4uh1_>P{M{3JgLPbpiVK?z_TOO)o003E@mrAHe%C9X@ACu$WiI*G7 z3hkHJv>jIM94I7+Nx))C)i?Ef#PHu&0|goJ+VF{uOjcuP%S)$!dV=MKShZZLvE5Fn zgPX{C7QEz4D2sPs#tG^(^?9vE4)!nnBOK?%5l65ceh;g7CN*>|Mc87a7G=cr9~x)d zgL9uR_{59*{j@6_-zlJ;O%jkj&^zY31*Fza6RE90^CI{1k(7x%OE%Xs}^I<@PngVX~cwZ+t{yUM%F zqYSayL0i6;q@!Ai|6~0_-?QmvH?aAzi|_FE$9l?XZo(Y3_YOmkqO9Nk4wsq^u5ev& zhKHnC|21T8%`BSs`X@xQi&Sl?u(XaKow6!%osps-c_$+?rr}XP)%ltlx_&(}HnZky z8W-eB07_Z80lm<^ORLOJi*Su*Pu!cT0vT1|V;j6~xkJur>&rdJBynj*Cj)Vb+E2fH zSgQBBtnuv{2KhP!2DYWo<`L3fEQ>Nx6vQt3H3KhK+=kk z^-HbS1cgI-M`ln+gNIPCtqd{1l;Ur8)KwEevNRqOmN3?V15Y$~BvFm2H*`9b`}QNa`!4f z@1GEm)9_&`^wT%Z*wA@C-Ml(9Yv*H1blUUTtm~YMNNxE=oL^~O#gd3dXYv$~+8XV* 
zK3DDshiw-;htgJ~BHoH0Nom!hjZ?;DS6G7GzH1p_l7~suGnCZcO)d0rrp_YX3>0*E z==hzAG*(c)5X-|Bb8%QUg%BZjoeYv|cpimm5>#}Lr%H{7+@LMY!qj=nsS>L4Z1E3l z635|@CmTgE=+M>8n+(lE19LsjlJT@OGN+%NEP%SIdD?ifzBD-YTn+cQZs#tuyoOCm zr9Tz)%9PV-NH?)I(r1isCmeTCMCInNqqPy+JK>}t)<+hjpzR$J+{+Q-8kKy}lhuPsg@G zLnL&&>TPj#`z?<8^+pJ<)&&z9i{Yjdnuj;I>TuvHN)iKo$9NY#P@>#y|4!0lyS?L= z%b?8adx)Is^OawJoW%w`%o6E&ymTY~MAATSv+fVO2&`WxTKm=gsZKk%Y{_udDXrl+ zF3&`%|t?%M3giQYM%ZoITR25*=2Tiho#WZ_*7)U z?asf95@|uEzb9*=vWfIpg|u#svXf|aToQ*mmIn0g7H8t{3T&2Z9CNoj#$zYjMW$7G z`ASRAeAlJCUpXEpsPk#6m6rUGAaVM{MX)7rr#wFUM5{fJ z;XbrOv7eOUG>RxDX>l%UQFOZ<7Bg|3^28?9+eglvQ{*ufJMVHF7#O_julcAj>pkJf zFEEKTKVyTKLtpM=gtucG1(Ivt)#;>_7Nj`GB4u!qdoMGa06h$mlNa zXYWd|Nd|3ocn4Z7Hy0$>o=tf8^U{Ga2~n4vA#a?@$a3bBMGPCbOy}5nnkKDq-)_6? zHq0rsx6PxT5`#CzK|TMUV2Bv&jY_fN%^N;dlci%m=1y0kfM}^dqz&g=HgMae$nO%; zmFgdl2I+0@eCozOQSY@WXUMUPq4;1Q9ZC(#cefyLc`fPpPSYN#;`>qt{^mQY1sy!S zc14YlX*xIM_mRLyp7_%Z^{~bF;)a^bKQ`{t->;*N!o);QUT7=u*IZDD$C`YI zt?Ssa?B4UcH{XaWx*>SM7iaEAtRg<19USHikMH`&%Y7SBYs?mc%d|x;*8AmTv6P&G zG+^8B3lAkwV>0mmevlM96h4Do0R8z9|8nIWDuSBy_w+9ZVtU4gYjq^Pdf5SUv~o~p z6IW}y7bAgf*h~w+1bmUya}fBv%pJi}LF*1P+gS?Lu#WxUwbm?n$?6#lrdbpeBq^TM zTNjsbSnnuo^fr6)IzG;^<_l$^{H^e@szz(%xuFgAx;d3-j8K01-Z_+Ifg!{DZ!&K+eu z54&~Ex8bwmm`G#gwibxx|RYqNly49*+ST6?t1_zY=JF(^elr>wafc?8CKGzf#Y%%MCKR(wx<9+hK)y zsC1L)xfnoflADuhXJl9d{SGHb!6|ym7`fwwsYH-LicVQqLl9Vwoj&8a;TVoC-t4KLO% z9Lqnm)ThO=-wiOnhpe-1gN|bBGjMr0lytoh?qfedXU=im1uxHrcL4 z!K&(h=Oiw=G^c#nalSAAXPi70?SY2|=eWW1*TyN0B zduQL6;UWeE{`{)v#Y#2mo>Ea*s;Cv*5r{&puOQayFjp^LhaFV-ANfQ!5PJUiNA4|S zVMqXbkDvyzm!V_`apUD6dL{w6efgU8S6IeLF#>?s)#{ik_k|acekHSX^(UQWPi6l9 zupGN3CHxFUVi}l_?A0ZSez6=+jjh+SFj{MX^NZu3MK?$IwO+q5RW`iE3%d(buX0N| z!Kms{kBLe9V88#X*Q_L%$9ZvoNI51Ktp}!5Q!L=rX_IZYfmpZ9m~|f&;w#GPM6gWX zjrvdU;vx~2t&I~aUB`&-7pB0A4=khT5}K8v^T+QCh``+-(jpczZ|*#H)$QvTeX{c( z07l8t+gp9C#n*sublp)*cEF?i+f{@yh4*?L6@KS77v`;)YfO6Z`BBrLSKbR*<)~?` zD2H_}2-)c`V(Xs(CP;|TM}8l{lCwb?Zjs68Xf@@1Q}Dg;3a274DdslE1BzFn%kV$K zkA^fOjp#|iI_(tI&*Bp0<8J@}W@00@$|~&X?=c^ap6y#M200Xt?(1np3z@s4pC?)& 
z&Cz2_{KJd|p&B0D84++;MEdexDo*H-privWVz*8+s^K=N4^83w{wx=b$9vG=Av@!Y zWFRrsQlSN_U8{(wvD1r)zi=tR=`CsXr&Qc%)FUySEx@}ot`sx2TXMK)DS_*0niJMm z`op_|&>bAlHJrw4zBn*^Qg)iwimoBZc+X>*+n|oXdp%m3+zQYsgxc*WOitS8MGTXq zWuA>2@xphO$j02Dk#mA-FCN0hUs*lbfY`rzkZnTuC!UHdq`CK6t-l-^wtMld(l6tn z%qT&^o**b@pm|R)+?NBk6dM>mI>Qt?WLhZuemVH573}heKGS2p z)2%it4Z^X_3knvTQ1RxorTUZ~w_m8Oc-vM*BzGAHx*_27x_xi+^D3~2k3Ecji#38P zYes11?L#rG1D1-emeZidI&lV9niWz?3AODsOnB`KhqM}j7NEN5HO-A1VY~Ylo!r?5 zN<*cqPGITM8P%AUkxhRcN!j%5cw%tJWd5NpCpO7T6UPcsR9LUOHUZ9?9P0G6k{YSiGu|4u5*?6 z{e&NvWZ7cRbL7fd#UlU*khX;QoD)>E7iG!shyQTR$VqwJCbL?uUG)C(I62ZjdWh_> zk$QSDeESQo&w!cyvHGxqrG)jNUN4<6AuzC-_+RJH$&J6tzoq(@;32=|UxNqv`|hgb zpv9l1WO`>Pw01+m4RQJ`4k{Y*{eY3LzN<+7b5$BhtIzm9m&MK`_S$}ZBajESveR)v z49A=wxe<}=)Ek&gB_Ix@pOQ7PXvq6m`$hJFqBE7x5KhS*L?M%yD2di$lq+`^Ji92? z$?dP&?rAq;gxKs9h@H)5*CY^Xt&K8QX*jr4`Cd3j>&S!#pJ_mqkB+BIG+!$X^P45F zIja5MMj7q30|~jd<^~3a4GbmGqc#n@;Wy(fJ!NN47cal8nKLtQnccimmPJAy^~cT{ zy$0^)^aBQ0i<>UFgo440Gz;dlr)i&xqXz4ttl{SN(1RLfGnc)pQ{S}aVb24_>ef$= zW1oin=u#hu5~xn_rc59?4u4>iLC*5b;-X1YgEEBb>P?Th1dh*x(xGmA+cejt`%YU! zvIEJs6-8PJ;hs$&sb*7zbr!0CkvI(6=6jKLL8K=r3NZnnt3q7#jYI|}DsQ&7O`Y~v zHW$9$6!`O%S<>A+3DZ|EVhHp(U9+DxFWFvYEiNEE*?RQjo%?_sl`TYG``gli)0$ni zh9q~Yz~8yBAup?@FYhD5!10e8-?sm3gSH-DWlJ6$!kuL%EFVm^J<=kmV*QIIG;FyR zZ3n=QPk+3LKidh(w~R7(vtNidd3ZN4^xU>ywJrX*EW!>7r>eW z%W#8e-HUnF7+v{^H}J)0D>SLpPNM&Zii53|?$6l}HRoVHZxfYF5QOIwpZbD?qg(y} z!wsU*1!5}BvHu{1$D5l|)2#r&z{bf5J|5o6bn7=`C~Wv?DR=k#yNli9qoezq z(~61;&@@Dt9hijJa%r`I^9u`ix3^n6JFHGFnUs1)B86q+w9a0VLz++d~ajOUmartF0aZh-C`PPXZV128*47p@w6OtAdqDx-ZyX#@eR$XQc&+gOe)E?i z_}ju9(y6)x|D_whgeA`H;?20O_`Dyy6HTfWSzV2o#Il=oBM zsDy?*n?f=EhY<ZrKP0VXzn0G_s_t?OoXwS()_ z_(K#sgYDQ+IyYhfo9@Y3Uv}pWl1KRS-PhW^c3nKyFMsm_R8x822T|9J#m;OyRcpIF zc)O!!d;yq>Li#OJU6Oyku1gQ($<}}F0rPa`<2!{dtSK8ArSXZ3h>EIzWQ2x-$jo4u zZ_eqc@p%1FXopcy?~ZeHcdCXqG-9!eZLMx^_51!(-VR8TT6)popuuvaC&BL@jKcxK zIGi>&qI=z1yVKR&#(;BcuG0b8=KuAzopeUxcdk6Y=t? 
ze5Xpi8h^r5)+^zZ@@0?umN_uv`C}P#7i_UNdhFBujWSs6Jd{dPmPEi zm8x&iM8^vU824P)AORE>->$6q+|)U*I(4o2<(pCbphEz>4W+!zikw42d8NIX!uV2S;1TwKUa=(C@Bu;;n!u zhD_(nDrgQe?$zMzQTeAhB&9sghQ3;sl7cZD-bpQL4rY_#HdFzDv@)$;!Gm3rb6`^8 zGVlKLLqs%{ebyXxosBt>_I=k+0{?L4)5w^3b;U&ifN4}EEec@TkDcaTuKH_2g<~Un z+iR5ep_6g_0>_bW0=QUsRkPS^?&3R%KE1xah4XubBMH78!qTl<~LiGN=dshCu!V z93uXI!TvI4>_0M2;s}YTMkRv1&yS2e!?VMs$#W`dw>gxGV==vDAgi4rs#5N*z#K^M zK@?$D1*!LM(p*U3cVfwkuE+}E7YxW3*8^uluMyf9A;!tVQ91FlGUCh9 z^Cs`EM^9PA)z|(^TjA)5eZIVGsWahbnyvd?mdIOf?QydU6)R~o}72dA&UfD`8B+2DpI?Pa?+w3A}D0R5Zph06q?vS(< zX%-lhrSjl@{Y+$r?Cyf1bLe|d?0UX4tg7F4F@|^2T1!+_JZQIHX?E4LxS}y^9OMc0 z-2O;+F}hBVa1|lx0T)MT?RIimcqalq!N?KR4f=UNFB>*@QW+`i?Fp ze8}|af4f^43LBV?lW&Ef`*FjpxH9&hk4DB|I3o2_nDnoh(lLlHH<=$g$ zdnjbP+5np?&Q_~p^Zt4xCUSV3aVZ^_wN#$(L3uXZYP?*#BesdG)eRFr4X|}&G8Q!& zl-sRP@|-lhn0{{{lQWUlLGis^zFb_lu8npa8L5QvE%E#l?6cvWGv&om z=`-#lVr2F=$6ShcqE#xD5;Zp;6&3aS{GYKmwuTtIYMmO|>?u|+xC~cI_Va~7Vg@cY zIy$C_uA_#b#30^b{R^}diy8MMd+=!%bB(Lc(x9&Yk%ZJSU>|{Ekr6d-u?3Q_uaj4U=6?UexCUbDCOT}A)$+7S7MieH5=CR?(S~EZE$yjJHZ{oAcOM`=Q-y*`|Pv3|J@I7 ze;A-=rs=BgzUr>Jes|TDwokk5XK^is1X;jD&;G@M>NlKE*aXg#uHLR^pGl7&`>0Xx zya9nw)16`Z@^<(QAfUEH$H%wqJ7{ClfE?Lq1`GGablbS3v^2f>G7Mkw_m;*5T2`mb z%O3t5PJp?fXwdn*rMp7gRb1wM4bd9Zx!@uvOL9obcv&06`@N-A3EpfHvXo zHG3>h*m#l3lPAh*t8*j=csv-A5(dxp6S!_NsbTzg7U)uMnQzy%TkHy$x~%JHX!0#M zU4{dz9{JGt;_4?f)WrNBQ`yEX_O!d_G%E~{EFY3V+veUuSF0lv8W-JdlqDL0UUdlO zg3@2+7VUW3Ay%JR5VkQkKX?tg=j^HtNQ3yMcW!G z#sv8x{8}M5ZNG5oDTgONdV4djKPK?3Rj#LH6XeP5g7RcdivEyxE1o%r;UAO(aW!Ij`_VGOE9^|ykBDbrN_ZJ3kf9;$>~tG7o=-e zUyctb+-Y#il$#pyC{2o+(wUcTILC$aOscHX!fbU1>Y4ko`M3>P7x1K_Zvg*3hDj_cTbiwLJ zPP0xM9LDc&`iO}w+28V9aX9^)_zA0%4t7OENEO=~q=cmNsLkCC5hoT~mbj3wvQth-CjX#@@I(R z62Y}mRP15j9u980J5@FB1SBY~KDClgEwOS}HD%0@mb9-+UalW*t1*hO4(P?$HXk>t zKPkF3ELgM%x`&Owc$LZV`;co1I-Z`ztv_Y^l^gpoMA*4^)mVDB!U??6JSTamHmp+N zOpbtlOZSKwdq=FNP=~8YceLDMn%t`n02oUZlD^#C5A$?`&EoMc(YiQEKFlzkq-}@X zTHd|j!~^br`F*cue+O*Ar~o(;wyezgXxh*$TqKZ-?`hCyUL_98IZsgutrGr-*-=1% 
z8mM;7GVQmyqvlDS!J#bTY4dCL$@w?Bib{frfLelCNFpXIAkgT6Y(E9u#i9VT*}jv% z5gaz0CE!~AEpUk>BSxIXL)x{}Zg7EA8sb1pKBm150#`c4+O$5}yp%si45l1r))FYk6PjRR0rSDqB_ zy3AH9`J7wqk>}%`>-FsZtjp}4x_a>9>TK`b+yD#c4jg0?19d^4sVq{-^B=BgXvjrV zR6ITvGIgaR-co;(bnqGQGUQ(WFpIgqxI_M-m$iWV^wnCu**gDi6j;%9%$&kHTh-*H z9W_1DOn4X{O7@0w(rV$t9={V?o%7@2WrBL3i|E+Iw;r*`d^PPG!;f%&*R%a&?~TN) zFSXh%ljCni-DGY+%F+A$4{hTb5-(Etfm!#PnEZ7T!&t8X=(AN%gPa!0<$bs!qo8SJ zk)>85&Cw6RlD-H*Qsx6)qq{!!Q(NnaFMj&`JnD(qa#w|*w%$+`(D{)SKd{m>F>j2Q zj_b{L%@``XLOdc!5cj|$OPnJ)OcJ=1Hk1g1L*n9tFz_qRe8gpLH>!BHF9kL8h^{g1 zjqOD3?PV#0Ki0cswa8-k4-ZO($Qiiyh=rE3J8PT(+YGYTYZd!G7$Qy5!$@ zg5PFNI_Zo>DR_xlyLL(93Pjcbbqq&w{v_%ygXGVGCev%pA&=#3w~lmA{84Upos}I{ zIng|)Pt)t@5ci}`dACUlA;e28THfGFj8Ik|S4T)(2TI^E7~j!p%&%}pBWdJkgKQ^AW4r=klH zPR~H}1}3}8M*6Dl)zj*!ubk7&&>U>S&YYpSerA#IhYw86wJtnAMV<=^Ev^#zs&k1K zdZwez^kA>UGU?<(OiG~W;%jWC^;%G|n1!7&SXFsvbuGW6+`631Hd@_# z?XW14?=fvfG8xpEmDR`-6MNiHUf!rtj9RDAK)t%CL0IIMvUh+Icyk?Uv_v?Vmrok}hnYF|LOk6PWm&LgDTM5dK<;99ktgE%)zDMGZYYM?tR! z%M&-Fl{GfQrB)wH)6Y*BqcGygT$?;H+N)nSu2N4w$J1seFk1{^^-jx8RFs7@|9A|@ ztXkpzs`B&bzVdr%xzp`>EV+utJVuy%A!6m336V6hVQF&B1)h%B0vkD$2k?Q!)eqp_4y@ZuUod&0ldLVIP+Ex?+uAH>eyijwDBtVu zR&_Qs=|iZ}+A_8F%cx5YGnlir=W^(L{jN{k^jq2@c%tJ$WrIX@q7z=9q13H6Q0lYg zRTA!EI`V?2b%;Q3*eB_1*QTswuJ#cJo5!}Y?c37z*cb4J#g8+pyDQf* z+po|nK!kOs7dU->!(ng+Y!USbpQ7R~8@^Fd&s(vXgARHkYSucx=}~O^rbo#afMeB$ zD$REjtR9%{r@h^5=?aa71Fvbv=>yjV^yo00}I)1iikWe zjbBh$Wp-yv^}^Y*v~Go4xHPMB>X|yl)1rlsQ+TolaGY?55;$0ezLAT-G(IEur*y@< zZIIJ)vH?!7+4oI69#vL?K(X&XjSt~*aWD8vCtKQypxZ6$L&I(8kQkT}KQ${frq3E*=1oD5K0`bM-!T z9WP+pYnZ&yv3q+N$uJf5L@Xg((b{P>oSqp-!{PlqiXM&BYSa8&*+7S#_^D4(-AosV0lx8;j`xFg zrzjs@$ySU!b-l;IYo?0AOg)i;+(t#KA(cQUrL1vYJmnJP2|U}|$*{e`_nv3@&dhPz zB{LrI{rh##u+N9oBc8V9RS;TI=!X?uyA7j`f@C;p;bQP%dFMgF!Y?#>7|GOfn$dwU zt|m9Bqp0}VzGwXep27g2_gF_%S%i|XA8@kbLzzdw*f$!pGgwqcrwx&CMzY>lvNmxo zhEqz-Kvn&z&f`zhYP;%d^C8)D{HX_n{1Dnuhl zY1Mwwn2p0I2(fQf ziyp{6;#w$2z14(}7jk(uM42kl_A^a@oSrr0C*cEX%v2&lzPpDH7~O85``@ZR<3<#u1vP 
z^ejJVM#szZik)3w9cJY60>x~d9CYeczijjZ3mie>S`MGjmE74{+k69@&pY9Xp3Wsq z_^)28X6{$0Ip}^;w9SiO|Ju=?SuoDpu<*s?@IVCSVp&KYQvp899B=6reN_hH92@)V za^6B?Yp0(oS9@RlVsm;r`eF5t{STE>W`#`TtnDy?d!L3Z z;l;-HHH7p*yh5!4YL!RVw2p;e>y~~YhdfnSaKtuH?QgI=w0;3ztf?Rf$zN~%8o}@o zK?}&xwv2+DKGqG7bwxz^ekyS(-1ot5A>CThr*`*p<5k_$fwLU%#D=Z3Sj92)lDP5d zUr9iDC((S|{9Ar<(h^N>f$IE`oY_{**{ZqP@i_`x!D^3_%gQE|^FR3J+3s7?76CFt ze%pdFjxBB}H?V?3|C`H*U_*z$hgS~Lx70UkLF1*+&Q^ZUZZO)!F}(`6e@ZtE zRcu`J23vMBFR!gmx{)zi9@fwS%7Gk(251X^?%)@&E1vKMEUkk()nu9O*>F-fc{^ht zUz#2Q6VMj+)T3s?4%nkFzNfdu?;>Q0W}VihaEAc770UQRg_wUNMu4 zit*O*k~hhjR0_EUd8qg9<3Om(ks(QSEkld1Oeh1^+r5>2XrCr*gkv&kz6K zuiqhh*Y$L7fOMsK%lo0%7eWE(LgHBp?szmph`@jsSSAe6ALuzmBYNo29m2dxog~mt z1iLf%3qHSbsfXbI{Ki2i3Ig;`q3P}hibVyfOUz^F-fSX~sHfmfUT735gs6bF`sY`E z{k7x&dTjsaFclb3^zu2beLmuUIDiFQ>S#nn#EuI+x)3Y{|MQl)*1FdOJx2=P_Uz`y`B1p>}DKR>^wrY1Z*JS~l&oqI+JT7LP~`}=##xe7NoH(sB|v^6hi z&CsC|@o<=q5%BWzdbU``to{2<-U=JydNii+6?g>(fq>9uY^! z+V=ML(o*VQh2n_7$FsAuWL^(8!2HruOJieFax(Pmzgv`e;h}}D`v@%_4b8~#@NjRh z@pO^G{Ryg&_>Uh8M|PWiw3_u+;H|;yDg_7V#hR{%W)G^UsCYwQfn=Ydu?FCmOk%>{ zS1lRz@0a%l;Z3h;Jb~fw&Z3wEq^-W|yZ)`1G-+ZAgC;o>3TK5WA>)WOQBI2XG*o5t zR;<5{>vcp_`x`xTZkQM zVK`o_H6hJy$V7bIOu+m$yd4lS`ErOM_vC>vNt)_Y#}s5lwD&?x6JnSs$A2987Yo3C z^Kox@_?MVQghM~%ZEmr&{pE`7jN0cB&tcMWg{DsSr{*tr>h7|tz?OQ3ngzNpzlW~N z-FXzXxV*#9qZy?Obz(1oC0S=JaL{|5|HCVoL`7Nzs(@>6*k4Hl->!Lv7)qBU6W(I8 zN}2Ttn+dNVJ1d~pu+TqrzeI=ig*mS;8AN8KBByyzzHC)#Wdc(e8OH$wASuY=_Pq*^ z#q_p%Tr`s^EH>dHCwGU$9v~;OEqx>CCpOCKK?DF4B+P$SaG?LGIj_n}Y~>y~KeRsf zysd;L@M<@2xf$g4jcO|3zR$TR6Eb-_DBTk0bHl5jZlT`mu0Fmy>8oI` z!SQDYx!w+~4-7PPK`+3X*L<73bIhUq{K&VBMu&2#s-yVOIYNrp6LXAGkA+4@v?xEm z2WGw~689py-ft&-5m1B#eY^u+yiLaSW)`q~?ERWE!>*Et5Rqzdc>6uh`B?lL7|;@B>nhh#JjEwarwcE}hUrNxTgI z>W*Zfjm;*c?Dv;w@BTkpj{iyB|E=kS) zrj?D1wxEg6Tie_Fj$G|`ej0`r7VcXE(NKAGb9K!tEIe=FMs%Xq!hQu*CgtZ}8y_F< z?%sroK0wdb_Q~f7;sZ^9zCXdXka2Xphys2p@o{!^)T%P*EmFw6UiuKw{PJ0}001}fY>`gR(hS95VO zWjnVY`nW!{>9ioDq@-kE_;Kq!ayVCcW~-0ZVAvl)Di#5ieR`;n-(R2E+uPrtU6+}ZMh{a@ 
zN_|#MnG&!9D&XzpcT?8o((ET|w){~f2#crZck+@##v}VPcS?#{G=Ul4*Rejhwk)FP zp?_DPmg5`QimIdihd$F}u2qqeP5k5R@Yk68BWF3>NDI(?|CZMHaS${8S(3+R4U>P> z)w#i6-~H|w%R*k#kEJu}w}JDy=^ez2+==bB_dm8!;xVf6l{WE~8|Y+aTyNH=o|Xp4 z{H^a}T=ZjQ98?!x!Zs>95;f@9b1js(F#WTEIFFA&?pw$idg}0L?$;=RZs_eN3`F@L zbF863HTj;^R<7RZ#~y{y9I^FEq;|#w`E_){=JJ_WuNhUWmKWN>e(=}JuJ{^J{8CC( z99!-&_G@+2!-rho`TVK=(%`Sh-_36)UwBPiB=@=a8P*&^dcPw#CGyD!;yRt4b{Hw* z!e#`*-+enAufnbPC^1)+!mAcbECv87`}duqk_5=#nZHimVUTKCr>8>&_$DES0|5FM zjQYOS8?ds(lyd^a6V*+Yx)>4Y;8?rVI-J5X8i= z231bx5SWcUR{7d|hN7AF$o<7b_PfV+epAi5|q&gIdQ35;dURTa}P4%8$3hMu^y%r`r zl7bkoZpZ{g4$eE|R*3L~iin=WNQHrg1uD}+-F*VLGn*R8DJGQ7{0a|Mt0bGl{J6K; zOn1{~oegrU)X7e}fzclUW@yQ@TY8Mj zEL_vu0!6Xu$H!lz?v-7m=S-ND#;#b;=cMcFCg=u7i?I|=1A{SyXgi#u(S=$u{uDy? z&*8Ex3(5p%{y#ZaqRyr2zA<~Hsd$!SqM;ahznx;h%@Qc39llZhO#XrT1Ik}=T4@;^ zn~D{SiU)Uz)zi%SK0w~k6%DFe_!y3?hRk&Zr>gIGn%oa=kJ}455iCMxMzUe_15=`P zVslu`)it!acf#2wu`Wj5y3SY!$hSOKd(iC^J_k6ocHR&a z;IzVDQTy)}XlVI=3FrS!lq;wv=wAGEG=BT6E>7*u6lWWMh4ZWa`@SF$kGD&9>cH@@ zKS?jLA9i)tzrNN1=Q=(9QLUYwoHPbO3{ zv{#Sv@B;68bys;*ZL@mkiKIsvTOKWVN~_J^inK;kuXHmHA1sx*pSCu-gTMu0+wsM5or?U`)ooxa z`^#w-y1X3fPJcuUs47q2)zbU#8(OhCB+1qlLv(_ZY?-}Vi%wDS%_ zya}s*t_*6$+;27P7N#ofAYs5B7TnfeAC!ewGtHs%*U z=eLkN*CqB?h+)S!Lov&yJ2Fo=bORKE^(@V^d8g4BLNR*xmpqafOeqHpmSBn zi<$(IzxK12X|+u|H?Dh*`vIvFP}H8}bUh5-hU?V1Y=#=s(T$Pb{m5vQt4yX^-g*$X ztqg+>B97Q;*zi01bvM^VAPoAXqlkapgb+J?wxa}cSB{zEf2;kW-O@ElCe+eNb7M9(H1anl3|KKQrXqKl8#5`)Qm%{giY$r66|=E$cw3gZ_@1jps2Y zF)=lLkL~&~lA_xI|6PH&+3}~|s@&&cb!c~W7qX zLf0a8&seF3>ta`q`J7~&)B0GRX}$MYr*;gJEzI9QX|{K(+U~x9glu z8f7kTyZN_#W!hbv1%}zRT|q_0hS_E=yo)u&MU`a}(8Mv&<@SG#$ark#*OHtgV=8lL z$SBrFqWE^7Dp2fL1kZxR#0NajITr`L9phb}!U~lvy~9GTi1~eHLI_RU{gFFmhhVsY z+0xq-m2tX%*czr=MGxRre4c=-WvNI0+ZO&g8}1_e)wfhgpEg6~j-A-2-s`Gii5dm3 zfu(P%^1&JXmUy~`WFxyj1jS7c@KOzerglw}j;1TTOG7Wg2Ail)^;TqQUN>&380Xvm zTMfjUe72K@qP$9Yj5W4l#5~^axJPJALeNG+C$d(nNw{5%U#oe4Z=5A28&`Uf)4AMV zVPINBseE+wyV&=XB1wwsuNK)(u=#K_GBUw*(|9ExH9RcdguX*ogVGd`Dr#2@JX6!U 
zic4;W*BI3gEXJ4_{i%xg0+)QxH!O0pC5ZLg4W|8_GnnyLSCwaPGe1R-@BZPD4Qh3GHrsrf%SU zDy=L)oGP6ASJgnHsZUt>|H#77*2-pi`YOJ8PkV1ULBn!Yx{LNw)B1R-_(A?r;F9jI z$|Eg#n%a^ZI3E6AvoICZ0gK9WQ)}(IPg7~ptIqsB>^^?ruc!^cMcbIL)3uHNG#E<- zuf{!>U-6$wmZYiC$An>;(WjUcBq2c7_K&vqG;{z1*`cY>TpV^m2$CK3T44~cnY!@c zqTMckgcx0lJpeG2;`CY2mijZio)uuNsuNNQf-=BJ8t#%-k|pSq*{SC_tgI$c%hE^C-9PSeSY!^ z(J3QKyO*|iSni3_@clF8V%(BL4ILIEgWfLt{0)=6=?AbG!!O-t+b5Ta?bqgIT|=Pb zDD_Pe5_aMHV;)@%v>Mlue0dKbS_jHM`IdbcC4Fccg)wTrbTtNQCj|5~ zz7SVV(TI$4&oayDj@mb5c_WSRefCg9?#!I+RxVwpJpIYN)i_~2J(}4Oc=pq9Uq$T^ zXULbN?GmF74ajX#x(n7GE}Lc_vK-pY50!q}hj`6OzMr@cLEI+Jye^i}P`x{A`4RCT zH>NOb#X9!UVkf_VYVqW9-hxh08J30PQ(Pd;vgb2o06QL#AquG6Fae6$hbLwt#^i0y zftqmz(I>XUk{psmjANJ-mlaWB;-jNt;EMMl z7Fmudi3r69a_J7`AP{v1ctR5~j~PeYbuC7zS0qxMPuDDR<#r#(-y~yW-y@BX;|;nD zXL3QEn@S0Uscv$w_fXJfzmd-`GA!f5QDz$Xd2B_f2osOT@AMPp7pB}X>x?2g`bs{# znQRZrd?SA`my9rK%lfz3Pbhzw3F*q`h;3USFh^$kBZ3%a+YWhSGXG^Gn1?tZTs3_@ zySRy;%(ZTH$wU+5cD(5En-jEm;3*cI!u4=?wzL0f&2qnrzI`hMJHFn7S}46I)q}yv zTwm1$x~b|Pw{|VMFgd6n>!c=i4~<$(yr{Fw;T>rzmtHzc2+ievR|Xm0n_N8;#{Q=> z1N%+LMroAv+A-fDSC%eglPG#DVVZ?y(gw^SDO;-Pk?~HA+*ZQ)122IsYA{v zVGY7{kQ>Qw+Mq~IPxtX7UF4S0owX%v?QE$F$*QcfIi@YsKl(;gR8&LEkDf}huz+Mt zkVjM~bQ>}_MN_e!eF^X_fvkp&DvvA^F)yjZ00ZP9#a=HmS6*1Zf7teyJD)w(XqneH zdIDdNH+&w_SXn%;{lVnc{*D@PP^0Wh-4=*!^algsSLu*A%$(zQZ~Qi_l~}mpe(s!K zwz{HR2b)8#q&6hzT<t^;lL7aVS~yun~F(t)!W6M4qdf~=CTki$G#xDt0l zr6!}p{!CZrq?|3EWbuoXg1uEzLp^p9yyw<7x5c6vA9lWK4COCFS-qOc5)#x z7F-&GlFcrT!v^@ND*X4C40Smbo*$_9SAUK&)8e>ezO&*zfJBH4Mkc%;JAU-`s$1F3 zfSsnD2JPtB+jLd-p+N{y#OW>hfT&c}LbBFwW?%MH46ZA4fxt{l5m^xteKW1I#?}*N z7LO5>P9@{e!;^|SR^(Nw2(_tJ*UOes;flONh~Ump4vZkpfo9P!c@rE1DC zSLz(p>=`$oO4%T@{sF9jRsT1@N-NE3Bn`fb=u}hb^y{Yd|G=&kURmRP3Pb>Ocv06) zzm|ELr69-dgVtg)bl!?H{~%8{96{llltKpARY}7JIOx?-~0Uzh&F+wXpZh1eG z7x--TwmgY)gGiV}d_QA9t_d}$m@eOa|X%(|h=EIQ5v7(aNuZT{7V(4D0D_w85S^EyO( zKZ{lFL!}1)2I-{h+p+B}Z{*6%YwNamTWIC3J6{?R0il@pbWibC)#umt9_M^|R0)ng zy&PYu&et!w}Py=}({@N04;=YQBQYcT!Hs@=U`GIu9T7A?rahNG{xkY?i 
z2=fKSxcec)C}rCE!?0A+a+?$>)udiX*gM(b6ecKXT+t9UB!$FT9b@nU;9CT$xA^*W z*2`a5>ls{98aJndG0HtP8G*OH?V=S=?vq~hM47-v)q#d+U~jV=8;0_jI{ z9(MZ2lz7r9ts1e)-0^*vq#=Q!;%oPg(y1YH$_+J8^o+<)U&O3V^X*0E=xL?aVU(bA zQ1eh4fUOt}8T7imVXpq~P?h!x;k>qYRVCuGqSDu!Z0%fgO;d`hQ_A~-TT47|#7(9v z4GSuvy_)i-rPtp3(SKqp0@?mB=NE1aU6XLqeQE^ft&fl4XDo1UtJGLekwc^y_vEk2 z^S-|z$ztJWekoAg&hyES?$vKf-iD+X>N)RsyHgKr@h8dhaRI39V(CexK#eH`;Lo6+ z%>3jhQ9H=2_~sOHlb?SWx>dWIldojC4=vT+1lFV_a@wS~P6*eq@HfO1EUrVLq=>5k zg4UT)w*`&P5bU7F#NJZc7g?NT*g-VEdQxB82ycu8!jskBFjX5}8LsJFCZD*oLRiTz zMKy4V5M?xYJ>X2o|H-caiZYB^d)(h^EiJP&U!^6CmPp}_E!8{u4}-q3-+G5r*Ew-> z180r(bJy%MBiKt7&!udGp&^^R{>Jv8 zRyo|6Jy>zWq37k^RiXvMKRK4dX5RFFl6GR47?KM+7SH3%2 zU1#UrT7jWPU><}73}5BCD18PDCCI*%eX5-oQYbt0ScTO}ZJxudje@7uK?nWwb*})W zAf2OZnZN`d__Hw6%Kt`&EGRy+`;E;#IRK!pk)+*0E`k$^bYTOXj+!}1M{YvsU9GF& z?|;5#t0Q#JIYpZ}!W+BSxV*yC&KO<-1T>b#*eCMzqy0gs%p#L_L&HTV1oAfp0rhO4 zJEs3_u=_voC4YElo?bbGPRjg0QJ+74uaemCH_Gz=FWd6T+uK`F@lCtOSE%!#1^q2` z)W*jRYV}zt{KM!hkWDWsDCj$FgIYfHiLtTFHp?7PZ}Q^e;wr8`o)E)=>Th6VZVnp& zodSZ_a+b#11qm47-ab>RmdWo!1Rx+JR4e<;Xfa)+ie!jj3QJ`L03c;b2n#Ah5tqEY zJk181rsihwGrST2bvq{)7Tivjo1jMNXu}2+S(#CimzP&jsjIEsauI_L#(xb735kf1 zmC`&TLJ`su78P}OcUN5->5+rlCq*6{9309%o~I`#d~RSPUf$N{f9WqD2A%uibh&AB zd;2XqItc|u|LF;|M7BGdo6uc#-Ve8ohJ9Zi=8IlEmmNy{nA9x%VQt85@9w(nvD5x_ z!O{l9pl9$;D(R0ad-n3b;93A3gBN!16Yh+h9kE$ym7ncQ2k`K|K>Vy!l@3vz`bq3; z=LyMl{2#ni+ef*uMi;RP;zP+_!?r3~Qp(;)i;awXO2)eog(W}v%=NXGwuGyNa4KBw zN`IQfJ!mS#e)MgcUPnJjk2BW7JbeQjB-*Yy!|j?kJ=`xJ+RF)g zNt6RCTJXk8UQ~bVT$(Wf`0IVwa0Ba;2gPnSDA-EpSNg*NqnOOhg zx32vV_q}xq9J^bWeRJsaAj>JUNMVWmmv>qjga&+eh=b7v!1GziRhtFUKT?{t9>M(d z(6tGbbaXoCb^!q8gqnpTs+vomlc}Ga;Ee@QOlYSym{v*iH1Dd8a0^SEaBLq-G zZ=U3d-K6&7*F+vu@}$%g-`IMswt02AzX(4@b9H?RdJBkzZcFD@0M}%?wH+>2!Whx@ z_EFOd_u=R4!~C`kAJQ$D>0j(ui00+ncg$m+#bjm$ux3MA7k7r zvit^*5d%*F;-?+gO*1O>^cyAspw|H^w?GntrU{Ak1f48%FpQm|EMk zwBLs3bE2ADGOSaKj6Yj4m313y)$i;He4?V?kOBb0AM!<7HUvnf-JV^-fM)fX28yS& z7#*LD(7F6)q6N%TrLehEUW9_7;I0a+3Ej$TMS5*oHxryzaie$EW|(NT)aJD`q(9P; 
zWx!a>R#JqMRQe*YcRNbJ8+pwXbnPyBwreU#oM`o6K2_pos4~pYdaoE~RdY2nG7|6i z{tZ~dH*|XUD|D_}L4m#Yu4e~tx^-aWcPfm=IXx;?d0Xy#)-TIghI4ne>DV@<^Pqtf zx=l+Mv(O^AiQ1r%clJMUsPG;y19M3vRf_f$@(`TW33|D}^> zj{I!Q7H383ScglhE-v*{8sL$`VUf_^kecmNO&pZ4*k=9*zn0D_fD7&~2661a0U`gN zjmcl0>>tYVCrP>So|1B~zdr~HloVw|M#@3g*;(3->Ud^alp{w?ULqiHad7M%9$H#j zJ`*f6%uGy^b8{|Vz96EY7}YF5F~AM}XQ<@`ASxrndv}bGp1yK-JQL10EG+Dq7vcUU zPuhMD4l6CSyc~xvWB^?OV0LP1(>4*E7&>ASm1S77fX{Bj*&hjQcQ##g(S4qq)e>w%La*b+ zIw;8k5YW*fdbAec74!CPgZjgO#>Pe{-4cn%3Y}O%$n!b(sHph<-jkod9ok;;dR+Z( zp+}tg4FL(VOr2K#552txdxJQ#3VscxqX2|XoI3DUw=}By5|g3tXvOe27`i-- z5HIX=^EF+--ewv>Ty6&zl?DO^De37EWnw=&QD?fD>TEDVe$;=)4=KVzclq;VT|d2UO&=_(hYiz+2=9e51L zilLNYSER8newMN8a9y%%>m0ZLd`b-8Lzm7aB#Q&+aPDLAGWX*%yOrML?yOp14QJXE zI>|?i(-&R2<7P-!4)iV5@AO{3b+8JgmYj4dGZ~-R8U_j!6=wed6i%Q2&9y+&wf~P? zODw`i1bNjMs9Q*4_CDve1|98?e!@<^&ow{@z@WFP%E}qRKOi3RoXHR~`5Kv&tnoKA zfxj?Y z(XqIL^-W4nb@PsY?_Gp;we{VVHFXdpoPX$llGSEjmH_wnpqJ1wOKUD}&26g(>U2{2 zRclpqjX-_SzX~E3-}TjCi<73v4Eac{E(DTFT$n8JhV|4K3eRJ*$}?T+43=@Te2n|Cv4ESeaf7 zew_5F*PQLjnkc@p`J8o$QZtX$NJM;-(g}dNox4 z8k|v@vwh+nWt1<~e*})mGf!H6P9dk2Dz)qfDR8sE^E$w1T;KvN{%B`q(JQAB&ie7$7qxuY;Edd}QA}d@Wr04hl0r=wvsQ>@~ literal 0 HcmV?d00001 
diff --git a/docs/_static/images/IPSec_close_action_settings.jpg b/docs/_static/images/IPSec_close_action_settings.jpg deleted file mode 100644 index 6996f857f46e882620de1277d159fd83ca0be24b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 62330 zcmeFZ2V9fgmNyy%1Zkmnh)9*H(iDNHh=_;?D!r(HG$A4_)Tl^r0s;!sK|o5Rgies& zq&KM{q4$IuAS5@=z2AIu-uKMhGv9o3?>Fa6$o|1E>^#p}d#%0p`mgekev#$?%=hkS z-vLliPynFh9{_0zpaGyfbLRJ({GuYiscEUHsi>&wXlTyTGSD$F(9_Y=GcvI|J^Ur4*(18nP4hL zN{S1BGb|L8EEJ?x00;n}pe9rMo8bTFMRA5q<5?Qob9D6N2?%Du8460uGgOqnsV2|% zC;uNn#X`+0bou64HvMNb7hKt|yp7GI6~0y4#9=Uq6_J1b`rSD?PA+a9UQsb|iHnj7 zib~2?uc>I<*1V&2SNq>K!fb#!l>z_IM179p;zRpllQBu+T=8NKt7kN;!P*DqAKFfMjpXQk> z+l4D{Y1wbZW|lUc6P7o?ay)-MNXIFnfELC5X6>Ii``Z|M_rJv1KQs0}`I-bUP*RYE zN67*J15O`hg-Zbbd;DjtK?_bUx?Xv%u^iTX6T>KV>*T?<@X5UcDVVa0vh!?DRb@zkz(NR7_RV!4sZbIiXc0S4 z45tZd#CkZB0BwUL0DTX-Ym}bKu zR}w&zvKfU}sU!g~E0k4P)iHQWD<<$t2GooMpfN-dEI`SBn*1f~=Mp39<&tV@Uwwdn-oRTo#H12rX$32h2DA_r(7l%Y*BmsL~uJ zsNo*XAEf6Rn>i#h_zHZ>por6+uTk6{MWZNS3uOTVumky3)baD- z!fE@zTQd%)$H$WZ;&#{wVp|LwY-RI8!_Z$**ZpLPtT%L0G_7gZ233W>L46;L!UMXz zG4#WE4y8vAi2gsqwZm;62OVAbuow!Gm5-yS%D|`S;4~Y49_#KYW6dmdZKXea`PR$! 
zF+qNDejWWf2tKH>#jPcknrL}=Fh-tzM6C2S z7IDqrGKtw=kpRly3zx_^6D}2t#3Rr$vb$|cRmmfUWq3<&@lnFc4Cknr!60j!XXPA_ zPP<>=E<44z{#~Xy+7*Yt5FurEz!?&t%jPtL1lX_}Zrp3jGpZgB@uMaI;<`?5k^sN@ z^I)qH58$rkd;PxO-{JVPln?J=8^gdmo-o?R4P%@#F?vXXa?Gg-=1>RXHFs3!O4s?0 zdr>-PZ@99a4124n_XNz5L@|k5@DFIJA#5WqyI>mhLyfRCf zC6+6K!Xpphr%9ri93P9-PkrN@1{b7DuYElFQU|#4gYx{?P-8BE1PGqo^D9G~tk=<( z7$UdjFeZeWtc{AH9vg3~w|=_wut4>T$nko;4E%fxjCRxAx3J;$Zik>y#kgf3w7cT< zkEhjX%M3`zil-bWK~G+}CE(mJc`a6xs3s)+h$;|sYGp9IhZ1m5@&7q_|L|BxxcB@% zi~J>X4%gK83(QU^KT52y9#$`m1VD?7sOn(Ae9(8-4NDOts=D6%{dO*`@*S+2{PuO> zCCic)m64^zjp6AG3S>XWk}Kv;W8+9gVpVzR}GyycU{SyL^7F5;9#_1xI$Qnqb#YCfO%ggLz_6dD!mM=|FF3r~}c(Z*H6 ztsCY;?$sv9c2DcP6o14Z9V!Afsa&vD{{+8>quJ=laWX|_=1)ND+K9aA#^DnCZ377I z&3I#*NUfzl)$B6E8yq=--OmBbZ(|-{;XxH}N<8E~mKbC!n3BC(x$5NLz~tG+8z~vN z1Ksjg(|zo&t&KuArs&KD82Rk)nx6NqtlwPp%Gxa(&U4?l>m<96@OmpWhzHtYhKtU{ z$+gtJw&Y8tY!_tvfLc+p4bNhhQ~32o-dU1pt;6>2oY06hPdaE@9RD^WV9+y3@WQBU zg_(eI%lPDL7&E{D!(KLu_zY|0C1nstpuc;Q3TXVi|&<6ma=_#V}lE^Q&>< zq?CQ+tJ8G)kLUS!%o6x1+HB^1?#X2loX3~Pb+(4A;Fu;^ zjc-=xTru@(1+hY{Th#f>knUJic*ge;S@G&b4-;94i_7yg%_kuMkr0te0wJrR@W3ev zLx-0$D8~ooI{G+|rsXN9JWd{6OdZ{CPe<^IRr?y*{|q-7__Fx!tZJO2n%9BL_i>Q{ z521NIE(heLp_eJTg0jQgGMEvU%?QY4bGZ*s6TDu_1G~MsMdBw2ig>4Nf)sXl)%0dv z_3oBPLp^dtmKU?OgVFdbmV9UN3vT5%C_YmeQ|G(hNK9}iZYoYWnLSRcM;ej2O6PC09Eh(KVJ`p~V7`Y<-PcS5h8gRV^_ ziq#Km;^%Sn^9!@|L!eu@-~tyUW5u|K4vcc$Fq!|*$jw|Am^`fG%J2@f_qzK7^4v$4 zd3(4v)@ozhbzUwkoo}Df$OxDI{^dS|?VEzB#r(w7I_ItCQCJkPr>@sZ=}gSw$Htzw zYe>n{6oPzl7rG~v?!*YoRES;&Z4_TOz!rC#^>8Hh5F@)TXtT!>zTI$l&arvAtIx6Z zsBx!7@5FWHbQ7Eurx<^j=e#WiKJg9+J0-q6+HSRCQCEO!{Xp_#qv4s*Z$l(NtNLYs zaovw=laHK+S1$~1dHUztDy^%p%*tKrT$q(VR82EbJ+@;sCQH0jQ__z%cp;#}zy3If|9z zsE4pk$maRia@0SXSR((Pf5GmkURs)KyRQr6vt$Q76xJ`Z42{$b-XMQE`fM*pwTp<`NNS7QJbUcPF*E9~)UGC{hbRv% z*MzV(2lW{T0T@njhEk?+1}Uz;+P|1Tji260f77^Q0=5UA@a%1$UUnGWQv9C(V5wdSNLAXEylv=lrr zDI9CP9K&Yv@5=bkFn)VV0#w*j)@Rjc6WLL1@MGE6IS2A38v(L#j+fc z)e}6gMYz})VYO$zNCGrJ=pfirj;_FeLr-O#6EWgTBVPL#2@nOsekIDl2HlcKfOFSD 
zxD23CR{dir4Mqz3xn31)&%f^ULT<8y$YLgU$t>w|7;XQIbdLYcV(?$mGeA=~XsQ24 zqW(b74MDi3_aBM+BRv4029Cu)5cS6eqFCEA`uK-c`ojVZoFV+#!-rqN%VA;qcq{LD zMlEC9<22bZRlWSS{FzzpX98(s(PMnJ4`WlSC(Z<1gX{i%LVLj3Ku^x(zua6 zNdm04V;V~84aSLj8U`dl8O(_U$m0t?sQtU$$bW0x3a4Xrq{gU2>^g-Lzqm+EuD8j+ z7WNe7PQ(uyk6o+bPXAC!^VhKQe=E}8ut~~QwJ{cQO~)Kdh+>q+R|h5SrRmverC%BM z-&jm#<@f0b0=h&1x&UuAI3X=KmjtjOl3k()${d>>bC>bicdAZ{6xDnzOxx9H{jMQu zRI;ZtD#?J^-W(*~+c#6a?CEMbgC+r(9cCp5Hawy(Y+XN*DLLd)N?CxFR)srrh$94r7z>XQN18y8Ys_Ky+ zZB5OH2v#k3{Gh&!C%wm?8Jr9s=SzXbS2Kxv?kS!`+1Z^o|+ z{h)_5Hvp6zyWa>xxWiTuhjO%^E~aG;%p#LtIZSqiX>$zd@3wGh)>S88al!sPilFD} z`^Df{J%hlb;eJvV`Z2_G>XJ`+HUTPw)^54gl-m}qI%@H3GZAehfG*8Fz@dsHz0|t@ zy*|D=ZA>j9l`2+`K17>6GT4xxSa zF&}w}_n_=sKzGq=>x#E9ua|*enO%gpCP?$u68m zz?TIr`ZJaH?x;IZ>JXbfO6Jk1W)uTKYACl9yOdlBvv-x5nT{T|uMjtReG+Va@%N6yDHCe1=%>YXob>KyR zQkSqDB=qB?6EQu;6{X6U;dgt$cF<2JXL4P|CbGnNEB=*{<&%MZtw)`bmN(ivvgSeclof6q@sy`dU+DJwgGm6+dO4i+ zgX$XWQjV-xxhvyAx+~vJ-)9$jc1q5_5)?mpDnDZ5c0(YDUH=C4f8jyw=< z2nF;Y0T_BPGGIew&EVta50W&5eCpv!DhX^ux(09A0wH2i!isFOCbJas~2K(?)3uL!5gSyYp+jcLVx$Q*H z1k1jyFY*%%)}vXg4fNy3nICfT_NI>i+6RWl_h1aZ-|4J+IHS0pbLEbWhw;$9#_c|n zkLeP)ih5t$d==r}g*2l<8`W*rWd4hJn*Go7Qp#1?m?oy<=FlNt!Ezls~&Ou>`N=vC}YUyXW=Y^t48ep9Z6 zM!{;8p_k|QBM#;^#fm}cL9W>#oeTzU=2vc(76k-lTz@FSmjnpYXkl|W&Iu45-cNy0 z&p2|T9IFu(6^Rq?n6jS?ir<5a{!vcCEbYj!DTLiEnUi1vd*?X}h$i(_XC@=Uut_^luLo+}Yan`RBrn!2#za3=Hh z=cme7HVIP0s?Uo2d~l6Xh;3?f==D1z6#{a)!6{P-qa5Xc82SE-#-Mg5wC+%;Q>HAPnY0*TVUuuRcF%+ zzPL7SyC9Sj&^QX<31)7z7hr2TUd19K>^$Zn0%e7A!Fy_OY01{Nq9Zw>o7QuLo$vkF zU{xdjMjBNOoQp966zTJYH|T?uh&uJ4#rT~!bCKqyEhuI1&VaOKth?e$00ka`h6f#s zALs=uMEHyStVy(z=1lZH*P|^RsnflXX3=FmJ+5y~)k!j8FA1B{-^wnnnB zQc!;B^-oUwCWb2+ z`7QHbT2C7t98V1xm}MLFbHhSfCpp8M4rUB@xX0*WmxX6<=XWf^ELgHLF;B?WD{v?j%l#SjMq%;Chv)w;7orFHp+vQnR$Nr1gA5BcIScVb~bX{fxzYj3qZ*RSaqv7mn2`8%T!E{ znLRt8sw)=cTWBu&Q<-Jbd{**BVKvI!#m8AKLwuXiGDU( z$B$_7=5y0sqGlQUVm7mVC^xovuiNGFgw^gK;c!PllilF|-|_;a&k(^DmyHpRMhZ{h zADLhU!!q$!t)O48w2D@^s*^X4|ws*}>j_j-IkYj<1sQ_OK4ov#5#tN%b 
zCM$Xp02?;~JF?UIuY1YS>zjOfqq5R2axa}rmcOTLa>n)3)tPnc$N!9s{pcLM9vc|^ zY#@0DxM4LZM+}h*A_4H)j$lH0_6gTP1i1vL2Mr^#n#Pa-(kqmcD{yvV+i4aFu<{yj zMULwxW|IItD&SI>ed94dlDz6@(R>nMr|*qgNjOgLAM%nB`Xj{(zVs36C;2aniU+zB zdt2XKoxgF#Um+z_9wNC%be)u2sN?%R+{NMy#8^D5(gDJM&?g zXsUc~2f}5%ehiLI*FVjF24RLO@g(YskpMTN`rp6&d{^>t45m=p6W^L7qaa)^1TU&c z=@HP-LDUS3SJe#XhMCSfX&D90cXU65Q@alHKcu0?9?n@t%r!U@bPFtI@f{uVnc4(> zxJr*Z``g;9?102Uepq4HW1lV6acvKrR5Pc#bYSziy5yh?LH8;nXM}7v-E1fD*7w9& ztpTGu6O*pv2tN~S^9lMv%8A07vK5Q_4EPDoVEs^|mGjaj@mIR(iSLnvpo!>i6*r;i z(siY|piCzznAz0vZrK`;>;;)A9|u4(_k(M2a?OG~IO^!2B52|5Aq3gM#qSM65Zupd zs!4zn*YdNlAG}sA89q{RYHqj6~XK>x9 zCyf@&(BA@%roli5jaordlN|&R4a*(m*!f-12H1CL>Hs3#J=Gqtt*CL}i)|$e3kl%Tm{6N;)-%7&aP#YGZDgA8koEAs>S^#MJd4Ewqx9iOk6daph*}h1yrV{u zhu7;6@tR;uMt(W)6GwnyO zgQIKrD|pRrH`+zBBapGy=OSM+X-`E4a3D@J9mZz`aCVylc5_qiLzC-2k_9%Wef(?q zk~WjVJY+k&6Jh02(X=8GJh?w>9w%8eVyV>v9-yRx(kt9afP@JWV9tftZg_}H zLpJMNzZ~&Z&7(MW(gNpx+2Hz{bszL&w%@pHJ@Xd9o`wVxIGybpE0xM<-t=&6AT26~ zcp_wfbbdbieo>tnvqhcLofo*$V~Bg?h?UK?b1FY^v|{D^0iwF1vm922f`Vl9 zu&zeVFORQ#Z##o~8j{Rn{bg$lkH}zC=EP#JbUhJ;$P4zPk<+OCysiXAiTC}G3poUMZ`vmU;mNU)RHx%rxAvG@jXv$r5zIRM4SY8 zGwiuD=5++Vjl%K6>dC3_A7A0*0xzP}$gxyw02td5I5BRC6O7NgVy3pvc<)&1waj3G z;G>3+PTt!FGZY>?3r{vFTTP9^_fq_gZjWs2N69XF-So|y7QuF_*jk)31Zj|W4Fz@* z8js=H*h5|%CMWNbhkvNF^@cl^LZE1_%0kBtet)z}*E{d!vD$P>e0DpE9w8T538N=+ zY0d9NV5q`Q!_HPYXKPyXCp+iBFDQI_9Q-j(|Hfk1eo3?$WKwUdpz9dbje6ZMBK*>_A0o^qFa>t>{oA{uaNiUnA-O{^3ju4 z-1e8Co>NxwX2aG4C5BvqkDaR9iV8122`#FbZ0gA{2Yve9{#vTZ51ii%4;Z#&M&d$3 zqzO_OHJu;Ia_V7f)5=j)%?HebMcrq*pXkl%4~$b|iG9A?d{DDFhNiUsAC|&(V{nf6 zMSrpBoa1}`sy%hD!0TNdj(rIWS-EwuPqMFR9wXS3x8nEDso9KmqkP{v4Q=asI)n7# zZE(uUV(VOZBthNd`l{`_p-#sS-s7ydm#!HoplUt~m>2`@+Mb^aufc4GT5{rH5NB6R zI_nCN_uZ17hgn9U#5Ib&jY@LJ8YqE@skjkbDRPcUGpBjo^NvRScKHs+kCQ!eToEnt)b)D8 z#6^%#wiLVM+2J=*6Ke}`KIi0tXn4CGJ;5+|)7`A=!stu07nxa(mk^cN#hpd&DvG3z(E?y`KTp{7UFlMHMi&gp@p7uDF=dTIFRAud)gNH2GM?prD%jlq zhzq#;v)qHZIMs`b9mVSDEDf6NN@3yKlmc&y8wLEpSXApaQ-21&P_um8JuK7{Q6G8L 
z2;?#HJ96*wJ92L+uN+7e^P{pLa#h#i;d90zDrXB`XIl=>0~SnYuF-pDSGXm_zo9A~ zimn0*4=KWfk<2)`P-(?YtL9p(X;~VmYdaRy>hix{FUc>Swq`r@3 zGxMvXX?gM|2~eWt^AH7`}`x%3U(S3GOGFPzOjO>mT; z2MSg6H)t`69(<8DMqjvEB78gfZc8@x2N(Kww|73{+0Yg=Dkwn6Y-$Q$*rEasds+p% z!i|WaEg2Id?u4)$h5Tb-G>&|GkqOzO0(j8D9jb>!K}oqY>T4H&0s2ZFzkvDjx(d?d{E?; z4*N5LE)sI^Ty@-x-1;-e8HE;b_0uo0vcRJ{%y`Ikz`e!NbR9ArMfa#YOYQL15A|^J zY2-T2x7~i%@Mh?kAYLhlH1477VRUSLPfGBM#HFnVJN?(=MTP{oHuM@i-2V^({`aK7 zpm`hQ0EAfM9PoGtb}At1Yw^cV$f2Bn&jtS%<_casQ6T|3S8=<o*w zxbIr{6ZdOiS#P*{3dSyqc$PSisr*t)u2dU9tDlFu4A$o-T?I{Y>eOuZUAxkOlwIyw zwYoicgTFGY#9>x+$k{{p0&(i`uhWoR}1-Z5B8{@JFBY(zhmS zrqyIy%64r)&?e76cy@nZ1D@ZfvN3F9r`SF1Xn}>osEqru!~;mEAXB6bUf!yKjADYa z$S8*X2-ufF5$d9S@EOW6?x&3JLZ^pYy{sB45i1|t+b!20P&DQpH~0?GE=Daq^u5}x z{N(vHxIqa$2G#_k_cJ~b?JIUxjBa>F0-WDwaggV;c<^HxT$>v3G-t=!d9d>Aq9b7C z8@b)XbX7@y7G>UIYj=i6th)Mx7Qf>)>7Ne(f?w;UTCJGXFZ$6p463S?tc;=9gB$%6 z(t%FNemI9DHj7V-pEP0gsj+X_uau?KrXF*mih^QxP$u|}!lrrp>Kv2e zdKsH2P{@YBgU3fQyB3`_B!G!)>_CxgGN3O4QxzT{uRIaJ;xN#W(byy2%IHJG`^w;& z6Q5t<>~}T3i$I#gs3^oVc?syrC08NG6-c4lKDgNUerql?7f9jD@hqBntdAj`NE9j#P@1+62ZJBI(DGTlC`Uv$w89zRx)K`B)M_b)I4R z>DwCu2e}0kD`WDrYh164CvMa&R@aa>mebnLy8wTuUNL+;9C~sI%G&1aUWu;PFS^yt zs>0?>!+3e`g~S&Rmyc6=!LOZ?->XzbD^g&h?uhN4FTZ@`Od)?Gh0_zz&FQrg5S~ND_ z?To!&WZ>jQBp6&|h}z2Goy>Z3HPl0nn|v&%zQB!#j1x`IKN)pSntqi8VAz`^_BmBy z^CI`G_#BpYH5;Q3M4jU@y1VEPwVBbe!RqS(`x3L(My9<@--i~alV(xC*2^Wo_M;Tv zyUn>9%@q|8dx8Z&t=|v~)AW81WJb}BT{@V0hiT+Hb~N=0~6wy&>oztRL4|0ikge=Y$1A6oh^fB&awtW+wlD*B}= zwcS_qHRfqu!OVh5hs*S~h8N7j3`Jf{w=6QWh}g_$s7YmIdw9&E)Ie)N{?6mDe!?ex zO)^OM=VuChCz#DUv;8=R){nvG%cJ@_vzxr_U|U+e?}n65B+q3qcF)&a<8}vqDjnO*#f9c2F!o9V@GR_5 zDgz4-RDeM;u0h%Ix^N>KI_^O~xoxftDKVK`0 z>}rLD?rkH<%RLf(B696)>Oq(gyEuf0+$Uxg=kh;>MX!d2wjQ0I}^Ybry;5|{T0)fZG#$q2X zi4vz4q-rTHC@MHJbIQWe$98nIH+#0dfY+=7DB{vrcBST#$o;_QrCn5SYMu=}ltMkT zFM`lQtL~FcgY^CkuV>A$9Hj!A!poqM%jTO;X}cbcP?{Td9gRr*FQY^fpv9O# zuG-G(BEvy)=S&2Mc>RW8p{BPHK{2KYcr2X`B&S32$s(Swfc>92)spMvJ{0l*=M}C_ 
z@4$;Fn_W#(m-DDb#D7}8nQIl#A2B#s8mzHX7MH_(x0sxXbOMo^C{5Hsi=pQ+-9tqiHUrror3XudqX*%Z;<3iGWee3!j?wd4*rZVBh2eVE#7%76JVy3S zvZ?(J$IwC&PlMToPca*d2Zgjq4WTa{(o!q^e-l~phc$8s-s*l|>JA&_dio~YtY*cs zbBC>b5|PNmIlo=p^_FFHaZI}&5X#iv-;89d8dX*F&No>dyTV6Lf9)>UZidiR?h|8= z7{}NZc@xMtsG_N-w&ytgpaXN#h>*Yr#W;5kPL?deOP}}d+FnkC8H}U*g z>)W8^6B2;Y8mmE!5GUtn36jz<{3ZxH2Bre9l=*?ll^$6gBtY~4&40qovwDAam5^5W z0$d$>ycHe>I-}4}i$7^5N{(dWI&0$kZ;v^{#qI{j78HEQacPyXyIIHGLosbM!VVxG zBY$N)hc=S)$9UgtB{(J(rh^@eD=9?~OML}$D5kaw;_lGL|FTO4Ol8#<5_vo3LQXmL zLdZJ&*q8*sO@h%y0kp6|8$66070`?!Hy>vJpZv`;)o?WLhRyMtxOnr@AsIwE*Qy}b zun2a0iUqWh^i>KQcgq+gdFT4$>SX{^!Xl`AHXc2d&IP@)tA&rBt5!8SxHe@utCa@i$dO>VhvAWsJ#cRBXUK{BZ``CN9 zvn}r}OHQG7mlx99sz|#4#DaM(}bcL~dbM z3bjuHOj^$wg;vODY1iO;=M<_ME91rtBifWGnrjn8wLe78;XXLZ(G!P2XHlbxbr84 z$o{j|)F>@1RMhD`NL;DYJlOS}9=oy_7&x{zd3>+;(4qTqN2@y)-V(YQz!P=Teg8BA zj8-0w32QwcW!Irrjhy!bKkZ{D;+JZlw334i4f()zP8qF6(i8T>BV;ekW8GRw+?yn0++&qrS!AN}-& zV!!0f`n+OVy=K*$jF@(>E0R?QK}GW?R{$+SX$!Vyr@s!BOH@XktU~099hujV@*`lh z*oZac3g4ZWp5aZtnEi(~@3ibbl>0`11gs*3ozhgSY2Llm{Q7BHIm`oU@?2Pi&6%R* zoY@~|9QEdu`vKTwP4MCZDzze5h?1AAfz_(0kc)V%^y?_JjK!962q4&Wa_}L8TbN}(6(EacC(YmXR_A)+-bt7Cqa9!vV2y0_7W9Jy4 zHgSFv{36^KeJSX&Lhz-wTtjmt$Gdk^L;<`R#){_W@r$5&K3^cMQl{vRF)~`T@vY6r zUJ;h*idm~f8@u)uo&@gvmv4T=&z1as&KX%(U(Wx;8RNjI2bP~ksF!1_V3oZ`hf|Xu zmBZ5}t+u1cZTFD1mV{y{$naLude5nO9{GE9kI1E)MT%DREuios#B~eFsRzRdaD|yg zuN!X{8+}N)(rrNL>*w9?pJ(D}Qt+Q~5$&~hLHjc*j7%LGxPZ^TIiJrs7AxkA8F}e2 z$MHmcf371Pd&&Moo^0;-x;i};KOU9Y0t};pfb)i;)cT2lL9=@$lXQv9bK1I(RonVC z42?pPKPf4Ld1{k>oa(eDL&9YhQEX;2_;gcFDS`cxPfyFs&92q2d+4~y%L5ha)K_0m zeW!Z^(4VM*>C6xy{(IjmbYZ45s6{8Uet!lCU%*H*EYPFZ?0yoFC3MSOH0H!`+yHl9 zNm)<$c3Fkz!+P)P=4y(ZOTo|CLG?xh^-eh1DRL1cogz@c#H6cm(rmTGAb8ZcbvN^2 zH^uo)5tb1{R)QSPFs9JSXqFEboK9Y7NQIZmH{C47KG{|&`f1Y_bF?~=;yn_dZ{F}e zdRv9t){`#P?6d}^l=brvz~FaV zbxO8|z7B3o>3%<7yO=zV$Qv1SJBjkl!u{ z=GZG`HC9w4qR#($U&kqI53c}b(!2=x5Aw}Z3d(5vs+%7r*rOk}gxR|IR4Y=OD=uP5mXE%sHv08lULW8aRckwI!GuES z?3Dgs@kUO0u#_{q+4KWCZ~O5p6@C2q%ZJ)bW@$7%7T_R1X(BgPFdp5xe~uwJAcf-{ 
zs*SgB@dB;r6X$Lq4`55MCQl(bNiLyr$B6{kY>O`qc`qpy=v^he?Q`30~Ji$*(^6Y2TvC>y(RudM9EO?FlRdRFYd0b4GqCd!R zTxP?x38D~1f1>1@>-+{WlIHjIIh7OQPMd-8=1HCZt#5`ysIe@gwdc^nCLeH=^bpFh z%q-?&Rg+3wyjkNRCibok#N)zup^_X7z7r5n+$0R_}!@@!{S>I^ZIf_*T2{5ZT zqi^sqjSW{4F&}kxcBKk8+nV>XG_vS>)uBk#_fFKt_p?<}eX6=x)PwPTio!`<*9?5P z;*?=?4*qi9jE=Jx&g(~F)n%m#p_JCjyDR>5pI-yVGXIKi@#s&@}p)#fjy zJ+{fFKlBx!jsaE}KcKwnp8l)%)1pRe?3bOWrgmE4@PPCThgzD@3LyPzCFg-U-*CW{ zUMK6ECT24;W1E5H1WfcLr7RxN*h;`zi|VC@sXrgZe|F#s@&xZTU(aus8c%4kN*Aq% zAO3t45s%!041d-Q;6L20n%PZn@&(gDp9JtY5P60bddxPZ+S4RM42Sma3Wr0ttOFmO z<1gT*(q5Fl>E%}5)6r8|4FRB_%H-$KAc1S9Y9TGD7n~ta(#DMk>Xn_8G7Fp7k8KBi z{oS5;X-JoK=Xo^zq?o)7N!DO1J>mLWNG{Zytw&4|fv9C)ri+@|T4anh=Qnm}ShK^K zZi}7*y@$~$TsMQ0+e>~Zc}*hnBBok-?;;1C5&09Gv>rP4CC-C3KjNLtFF#xd^8LJn zEI9q>o?;=6CVow}ir8!9wr5=%?)s{OJ{7Y7YnO-EJe~Sg6yGN}eOJWRe$l?k^Y$d0 z{m5St<)7V5`#@J+hzHSXF}K!XcFXcmE{OozCD!^Bb1Yi@2~7Y-2b=;+gUlla=IN#6lOd?IWSPGocUr0zEG$QdXCY{ksFOs*esl zNPyVk`Q_7(XGwrzr3A}y%RlEY|IOGwLpmp{v#^K+82^YmmMQFk*@78X4nbwxO{=y; zFKrSC0@>x)r-Y<+KZ?Y;cEJsBc7*WS{!?#Va>!t^8aQ#CsB1TeIt@!!CVptSAwULa z7kogc6cyw@sACA^=X|`^(;xvdl+wwGHgXUl$VvYO4;UM^0^2)FE?&fPg0a~|7BwL8 z%_NL?rh~{)tO>9o<2iBi-W=c~=fZxFflhM_{`MaDn3CMuf~N=J4H4`Vuq3Mk;1)rhoK~~lPq?BnmpzHq} zQsxl-?^Rw_#e9Rhcw&RA1NO&Kcth^5{{Z<|38?GsQd~r^& z;f1NL(sS+hC9neHaG1LJp0#E1{bcT~XK_5)CeLHIKpy+`@_#97Lihw zF1~zQ_iGHm^MTWk)+6fidj9BZBK3Ixe65@UQB=$LRQmmoU;KZlJGpHO8l48}WD;}{ zHKW-B`zJi)+FEhUb;cV}NviWoyTG_-8|siJ>=XqUa=^eINsU0H7}q2!)unV+R#qUA zx0W#XIi=W{v%7@o=moyLq7VnL84vq8V*Py7Q}e&(y1uS`U)JJmXP0L_ZKW-8J1l7< zw%zXRl}mFO6YU!|PxL}3)ypCCa_6As+Cz3Yx|LOLC%4>5J%&fM=F-qaxobmLx(6kM zQUi=$pF4lCePkZ@8b91ZR28JJu3>RFthHzlguomp-?Q{cU(uA1yKqBq>uxMn2aiD! 
z{=!EOpCh8F|Mpg6Jl~Ywy4BA3;!aMw}9Ns(usl2`MdY=K>bcMbJR8$BOh z76!0tx>^G95R4g&1uADcQc>+JLi{!65piPtHLCrK>>wdOjE0E>xWx2G*xM~m{dq08 z#fsUCaC;b`6LpDRLiO1<$FJ53TF&)jXSo+BJ-ywk04_WW6um5U@p`&)yNB+(GwTbt zQ!BS2390FG$lZpJdEonHZ0C5Ae#*v+%_8bLV{@6+S_2KU2n|r0?UD9Qt8Zo0uMUM$ z!c%NK)Ns93rl4NMzqsSqax|t7S~6cPLj7j4?A-g}8l{eMHyVSCV4fWqr=KuRbg9t0 zNH!(ka>@+a?re4)><{s{s^b}jVpIYn~zumLbC_`LttQ#TY zx`V^M>9LayOW>WyYsRCir%A0ab4qQtf7?ORaqPFM7DYHZ(@>Jl@w-9y zV*3-`T55cG#;VV`5k&!8x%bJbW2q3ql&|I$yE^P8Q4F5lB8f(k!Y(#c%#rvft9{Te zKcjhCKbc~=ckrSV4IG2=ymsPoFFY@BWB1mEtK5eiof?}0Ik;kOTv z7;z6Ocf~y{C;L$ zbiFqE^np~bteV(Pzh3l#zxs-X>Nwx6K%vk(HC|7wQWy{4HqFCYQCzB`bK9H3MULw> zwJ$3NEXr?6NgJ5M3T{2QE81|@HTH{*-8&qpCF0adAD^D#lNEB z6fH^>N!cf9U8sE+-iS{&^UERrU*x@aTvP3u?;S(|sTO)ys&uJJi-=N0Kv8-Vks1-{ zEf56h9RwbNfKsJP??k#Z>7kc|4gv`^K#1>h&zU{XejaD`>^j(3{}8?{*DDsKkd%`*V_?!*nig$Q8^t{_Z9qC*nfQ$Q>0+0> z7pAKNMrYjKe2w}3d~gYOgnIbEz4}qh;Ek=9C3EXX0}#O?63x@g@ppUlodiu|S~Ey< zLc&E4axt*bMzH7vvR?%M1nnhdTu0=)#jJW*_)e{b+{5cl*w^Vd36IBNo0_MPX}9C} z5!Cp}_<+_aShL9}d^X;T1eS(jFn`P`9(*lzK{pvk{j7U_7;%999Bb z?^6FKz*;nat{of?_xpy}m4!lq&-I@_u^uj*TKkXWxWs%N8M^|T;DcouLWKPS_{Gk# zR7N1|kk@wpM48HiAOyGo`i4J1r8f}!#`;93e6a2!JdhKP>&-Smm>wi4+ z_^)|y!49y!=rJi&9Qf96KEl@T`v;hWQN1= zzA>46?Mq4gb9Qx+9nQX>l+d=^bGw4Ge}mHg<-ICG003EaY;b}|O0nJHNm^uxFjXrF zC^}Ms(cL0Ij(IfGUmgx4!?mGm_vB?<_#&Z-X|9?&zBPmVtQ0;;=sVy#(OawvFLA19 z_J~E5+M05>hOgFmM6tk$#D&?iZ;GC&vEV7DCll~}@@1$4W<&{#2{2WeM2!}ERgS&P z7Be$SuZz}Qq6BovJ?RUB7fuAf<&DbQVGvxV)d`(*tXlBS6cQ;4H{znhwlEL@Z?bSj zr-6eCm#2mePGrx?+_+?~C;pnZ#`g>RhN`Z`4D01P%FYoCV3{ds)g`xkfGlBE3pRL z$}bVQUKOmK8+R>ON@!QDMfa(*I^TyBqO`|9#P&P5f1FeJzzgOKS80z`XtlVtHZ3 z3hQ+4W{hHjLUTM1l{1#-?fsnHu4^PW8~y7zZMcb-V3?;FliQ2vfiE!J!~OH|U`8BO zhHe#nA~B^{jH*YFTIo?Ce;2r(({}?%Z!g5cDk_^V;-2_o_058&&9U~vCGSU;x~Y>d zlK(cqskTNf`!f8>ElHvin!nca{ z5=SUGziK-mGI5`YCkW)t24y<+@N`5SZQU>NRJ}9oIt%GCIto1aZCk1f6ZD~;9u9Gk zaUa%hdh~GPQ}>k$wFj)%x=U?RTfmnI@_u`0p8a$p%*)@nS`^uU@=(osGe6@~+_yWN zdvs;QZ%&cxW>qLK*;@LAK?hfD>UC*v-Z=XPi}JFd=V1z3gR%+T3hK8dK~O+n 
z8Dscni+5Dj1S^#a4#T6SY~wTG>18tE$xyWnI%)nP?SkJ7HzYrcRmdOa=_? zt8jtz#3BPo_47T=rkYVP+DddX&kqSlz0aPH*; z1u2#3bX@IQd;-l;v!e>#+S5m*Kys(GXRMJ_+z_ua!ZmVD=!)o-^@i*bUT*A)%}R}B z7fs@3aOwS;y71k(+Y5<&0r#onRaz3?MFx;r{s-cr$AXIBRK*a!56B?5K7TFG~{54Vlot!P-x0K4&BD zV1~}oU?tzHTKRoxbM!Kp`+u?fAW+4kN^s%8Yx_=9ldh*`rb6ttZ9%daZhl+&AKa(c-e+gCrby0XdEnCV2~BiKQW%(GVNbcE7E<9xY^CfIyC>4zJc*) zxz%^r+6!z5fp&Zz?;eAD>JHu)_iO`#oRA%YoUu1eOyf;-6#b^bP@`)0#))RWRW0Ik zbGYX;4F40XfXi*->iKv#ldV_7Jv zWfx+M{O-8S|D6je3gN;~=0s5Q0c zZ$~^gJNJ<5Z8su9c+FJgqlm!Hd-r>e16RxfYY(zuoBgHzVg$r_K!FsQ@rQe^`p212 z47-9?!DIxoCA72i54rL^3QE=i*cF_LXK!~bjvDK3ZkCk|juJ$$*D&(|2WfuDSvLub zynbK0`o2phFC%Lo;W$Y;Wu7hGUP-XyJ*CZD=Amm4`{Oj__}g(QHOD{2Bn48{93F*L zYLaa0M!1!H%vZiz__ZNX(VB_dhSizmzA07|m>mn-PC` zm*lA0Uzw$6Aq%Fam-i%ebWD03`n3P|{M0#a?0j$|%g=oa=p*G?Ox=nKPu{tk zQhG+0=Fjb~MYMLqD|yKR)|v%m0zM{ma^Rkr!?05-xTnIS%^5&6l73?L&1qdWa zF`^iVQ1d>=OJS|EibaaEAiZQ*k}z>)7peNK@C_N$Arpb6EoyP{)nFC2o2JEHr2&Yg z3eO!vi?=Ev$j2=4PfOe-bG5-q6SWZPvI^q0J5sxOZH}QCmxZ7b7{N|JCKk1gR|gFK zRtn!I%D%EaERwUiGp5|189y2(nIhL4T%$vvzujZG>ub&pk#uB<%sQ9t9cYrCfk|zJ zo5d|`iBCV+{SM{aEs5{M+cE@B;N73w02lLs%RY6 ztKE(TpZ7fKa`v=Af!m{0JDoT5{ABCP!}nT6^QLmr-h0F)M;giA6FDD?@?gr1Gt@Ir zR5z_7P+-T~AEO*Y*l&$N-CXj4=QH8soF{a>+G(PxDA_|y1(kGJw(rezhgQ=N3wHB< z_@OW9p)ZCb7^>@trjk>E3-+q>zpV`F7kYh*D&ULH$5#!^4f@h5H(}7`f}44 z%7-b=2-$a_W)rkd&f1_TFladp(@t?cChsIx_$VKZhLXb<2y}%Lw)pfOOo9vf%o3GB<}nICUC63AzndjH!l_JlV@80}@{ z7A>jMxBZ%yTAlCn2T}kj3Ux#6gs`*KjRS&&$u%Q|&u3f9`@ zC6JVhuA+##y6`Q6CQ9UE+=qIs?ot#DpzSdrF;`G|m2HwS+tLsh?3ypnaSEO?#zl{J z%*i1|6uCUnGdne-RcdeD;Vv&S_F2Rpy5qjd;D^(9nL&NE0FbvdhWt6^ep*+X=!FMj zQ2i1kSo<87{GhztDO73o%8bikD1ci4diDgGG2rxS671;XXEtS4{jy5!U8ImXev{v< zYoQgCOK%zPcTW}EDnb8CK;Qx$+etEeVwvW4gm(Mn5~ zY>6u~o1H^i0Rii|7>O?)BT!Y$Q?3jWTsR=rvoqoZUHFWMOee>jz3Q_i9{lvXC`fTW?5p$+p$<$4 zfGh%;$@+mvMP|I%S-Rsg)@`mT3kM$-7GG?0F*M4_$rj8RaJo8Oe@{ey&>{9_ydhm< zw^-rs%Ts1Gr0tvxlgb6P1ClxgpiC}EvWcr@%BnhXc>zFECwd7p&6v@lq89{JE}pZ8 zn^qN#dt8u8v4|!kj8P5=5Oc|82$i)zqhlJVvjtb|_~Rweg|JI@Q<6hwM(RRHy>fef 
zoe2YVk$dq*lk&N9lM@mFLn6oOc#6ww!<+nx-9sT`j$i%`q12f~M zw#sB8kq;@n7rDxW+0Q~K;&w|&ZOVstw0VmXkKFwZ=1Q%fp=V0cDz}hZH4ar~J4u^Q z;?AOz4#97Y0_^o;?U@5S3)?R`c|aHvS%<0gmLv+SssohdoSojk7_S|d!5pCmf(f)Z zYf);P_Jf%FL(k!Mixok$aqNc7>SQzOpoX$93pOC44%fsd_F8MhTD$KWstJb^kMGl+ z`@K9#yipV7z}0CaKc!a(Y)^3Lyx-ggKx1t87W=NsRrLbLfN~7>W9_|2Ioq;B&Q7nWYb(ylMeN7mPby7hBB9h3CcR;nH;Dv|8J zzNjPC=%O{!x_;hS_Tu^2YQwuV$pOxwQnSqDgA}Y=^YrM@Bd`(L ztIBKBM;^p?=`_?uuRV;RWDqFji$%!Xj6I#CRa5CXQp0QH_M;&&G&$ege0;^{8-m8Oe&+CaLIcMQNWD!|qbbUqR`uM5 z(P6S9EN5Q2Ml?tzp=4f}YFa~xWDd=ltbP9O^{A!mw|mZ8f0LUhS~CjHLDO8?Y-Yof zhVvpzgoTUd4Y1?E@l#`CY!fQgWnGq%(I2Oeq7u(NB;j+8d7T-9gSCi`;J0baH^2P= zW#B1nJvn0BXc*S##7}uvr?#$`veOb~FdlC;$5x78v-=`54gH3wvIUH;U--hAViHD6 z!j*y3u=D`xo^X&NTtXXse$qkyy6a10+i`|uX19qHqkEp$qOu=f|8TaTnNd#+7GGWO z5zveN0YVO&pSlogcy@Txr~K#v9kKr6vSX?ur=9b$EZ!R&SmhwnW`y(c&0UB4=Eg2t zq)>jl=Jv*r(?(yXphKPSl?=YBU>bV4)U#l*UGXwfYE9~lyc0Qa3RX+PYsKAJ7mf^& za^zceo^PIH+SBgetyXAVGzOZwU3i;(^Q@_OZr$POc1q@5;#*34mnirb+&Fb31lvc2 z7V5*S3|69E=)(EJ?~r|^j3&Nupa+V6OKy_i(Uo@$gy(j(w+{qU_HHPQuiBQLRr#KN z_tb9X2!YpxG(IFj~PCAc5(Ii zw{uzYaV9k(dfMkY3i{C*WDxJw!=s@6UJbX(p%sK(W1&uhLEmMAR%jRB(e$O`yp>~P z4yCpFj*QSsA2xk$0Mf`X$kX3AZRpXt!DLKH#B~1k9VzN$w5g22n3S*dx7BY=!`5n| z&vz%Gd7eqSOq?V=vhVY`-n)G*@=dGzaI&+z0*vh&x!rzO#9}XiD9Gw)zJ!+_Yg9l# zlRCS()Lez3j>}e9?6ivPDRx=?QohR?z%?7-vYRlfe;JiQ=^4>F1e`8qT*`oR)Q)J; zgFom+&0dhADAai8Fx)0DYUd?~sHEA#+w}@pdTG6PmD#3*;v4-XUl(Lst{hvEH!#>I>X5NjSxwT!)#bwtWtVP7_u*$?Vn#1Se?5m~RV!mtG2rO04 znz#ViXH)5eQYnl+KFJX%E1D1m(z1g)kl_NAKQ@X`mF#w;jQ={#6{R7;{)IBZj0=c! zMw&_D-k_wgbTw}*M(|X{>mD+2vpUC8!Hr8DOO;7`Ge(S$Ee&Y_(m}49Na{PP4uyJK z9W>MRIFGLDiB<|NjMp1sEr<(HQxqG?Kqx_Y}= z9<{NMlTQ}zH*?Kd+Lm=h9=+GwvYWO+7;n8wo&Q)YoyA`>Z@zi5=2e`rk*>&$Lsr(1h23GZGYzVMzNXqAw>byN7LjfNVq zmD}JpA)J_!e8^#HluhTHK*YVWN*BH)&b_Sg)xOwTi`eroMD$d?UN}+xevIY-4P^Eq;Me&tZg1lrr%8${alRNDUbGI<7 zk>BNQa%XTA4~Kw65BC_bcm7s&@yUuiB=s6?^`@Of*b6;Q+49hqCzadl#XPd{uP3_! 
zdUNGgjdjg-^n;sDd33^~dTFy+zA%i)(P=pQg|kmmj^R`o0tY2d1nHAOYwNO^e8p_j zLinX+z=ojLkahS)=wkg{%V!1L6yN%me2LAZFg}M~sVLo};B9NHJbcf#UgcvpDg3K4 zPwULQ@Nm!4ZI)4fl~(`uBqGvYvtFI8o(3Q|pCbobs@~hlf4tJL0^~J^0Z(uj5=8r0 z$Cg%~11o`^e@nQuR<>a#Foqt9_t-5K)-^INoOEi}!*GggUL$PW00((J9Os}@ly~0o z!Z>~@(cXUk!tu(+#khcPGOEuay##_IT2IIf zMJ`FZce`A>E@yyP&+f|_aYEN7U_3g^nNma*CG0075u4ed{@#Tscb zD7ouDm3zo04%AK?2L)bW@LK}PlzCpg(nh>*XnCbBcJ~Ebk7qe{X?Zq+!)Sw_xJzCR z3(SSrYqCZ49&Zo&W!jABzQbu{E=^7sU7hRjIFzcW4!->`2(H;++-u-(k*rff@1T5` zFf4x?HBV=+$cO0)lNa_yHK-j>G|>}S>`Ioa;tshnEMCjOx^qkqic&{Q`?8#0t;j2# zN^P)nQ1J3%2KBfU42PZ)eHP!@TlK)u@!O5MC170I4^H+b7s*P^a@aDD=H~ zg;e&uHf6+T&i|F~>kp8wzuNE^*fvVg?Y$WzW<0df$3roO1R-1+vhc=is`K^Sy>gcP zkEX+3&JJM|YVI=K(e^9(nDHk~xEwU%O7>wummVgkIq3Y$t(78dzXz8DRqe%yw=L)2 z2QTJ&#!%vUaZ#8|1;wLQK~$PM0Y+ixO`T;~G(Tgge4+oHvw%sPr2B5=r#U+kUbTU* z*|)lBRSl$%){pujNB8$n3OVL}?Uy)d?l+^VDk& zdBE+wb6Dtk&zWn->qU=zSS1~2GnqJ)@hrmz!x1K_QHTiUxCoUKi6d^G{1RVu5;+SYr3l~`MB$i7-xe(T8>L?W;GOCDUy(H z3jhbfAyB1aT*xDzPa#3Y7Bvx%YkX`Bw%>NzWd+>4T7JV)1UZ*(__{}15F4OPXG|E* zpyIsp_?;?EWfiP@ z@dun}7lH3oE6=3>=hEIYKY4zxQ8d-dXwF?V@H>_>wk<`!kH>Q6Tn?tADeYj>jW@o= z#=%^hOTEO{c_(ky29}OAPuZjZo21Nq92&@W1vj$EdQzYg=GJ76k~J6JSS;bZJzqWLx(2)U0|aAK zn=m;`UE%Lt{s1jG3ibocTuV=O^n9Dy1&qA6YPi+7NTnm0ai#Po(dYCr)!(kgY+a>~ zW2_6m#IW2l!L)rtz1czfOw^FC8 zQ|KW+?}A+@3yhgAUr}b2z5K1T#r*sx2MwOsA$t@44jzO__c~PnWMY4A_%^q-#*4aI zMb}>D*Z?4#$~2Wl&MUH>H;g>yZa!-8-t^UL->scCo<(%-V5X+*9N1T{lD5Z$!9b%* z*mIq*Ff;PdXP&)nNQ2Sui=g;%vw2=k{(JkULovLqZr!E#IdjHP^oMjEzKNA z5vT(DN0*WUZ4X~ITxH}tPd)zPiSmkvd*|NXnrKnZ_)ysO3SlD$*$F;53d$SjHBOzs zGJ`AVdRkLMe#j8z=UDtz#rg_a_7wGNR^ryxpu?)Ec?IO0`%2Y*Q;FU7uGg$D5>R9L zHAORMoYhpSOM;m+T;&A|?bF#uGRKH8=HVm8BQJv0--7yGKdT_;Od^YKc&Zu1{FbX( zQZNu|&fd(qVNUd_@d>I}qBYFkwAA%RfL~ zCg%vE%Bg|Pwg#6RPs|rUU@{+F87t+72m!N9l<6Alk?fnv0xue8{K0bA5 z5yGE=Nl!|)=Y8XYGDnhOt-UZ+_vY2ylJPFs)Dv^u<(ygjldceX9-C|s1G?Lq*~++uu69laZDD^ z(Yx_X@9c2XpgP58Ac0F~56=ik(n^!95UQ zMuvnwVJn9upWLtNZ=0G)4N8XEx8CjK$Mlg|KdRMv5b%XWG0?=Z1?a+SpFu@n2GE03 
z%@q!4iZteLa_2{dUsA;;F}~xr$`bG1+tQs;25G73lG=VREU$)zAsu-gr(uDHLYW<6hVEt=;MGCgWMWr{eX@#C`i|i>V2UWc>$yqu{ zbvJ$o*R%(|3Ogd_ds*m{NY%+Zix8X+**zCYDPr`B%;`M&+L~`ygb%dC0e6u??ZuvD z&DcvIjmL5R75T=UTiiA?!`1nRKf!qv^UHhGQ842?+}56=2R0;>598N>j+iBFAF(%o zf$@uT0J0UVBg*pm42Nlb5+)KsyOUYUTvzm&l;6Kc0+po}4H(6yQk+ZcoJ{@5LOmu3 znRztFgXC!r(Wo=zik@4}tM%|i-q~HUvDx;x@b&hQoHmbhVwKj2u+k958fVr_ zj>uj6%HiZ8&G2F7^=&{}LXB6zl)iO6?WLkZh{`6&Yw;Qd*{e>QJI>x$v93)dHB#G^`jkD!J~O^}3m{0{i}C zJI6^3E@d2Q{8&xCwzVSUY`gWY15ri87*qow{a zvg0vYl7+Z|{2WXkVA)dOsO8>a27>ovsB^lX$gWG@GzxpLYUe1d^8Ll4VlLc!{$%sm z&xa=`E2j}?rGQ7U&DHDi0o5gLF>MN0O|a6RTnp1g^&9spXRST0MssQ!)voC^g?34X z$K8Ha@Pb>8xVkwAtLhKExoBPCc-hlMeSE4vr8qj@lCInT{fpcKIrXW!t`Ga4skRvh5Y=huo;RO{!KWL@IGF0tcS=4IjVE@rd8nu;i|A>CR!30j9OF@3^`9S?bs< zc#}Z0bXtg@uf-5jY_OIO>px?qi%T>t7PjyZk5y>b`L22g`eA z>oWd$sn_*)f!GA^{h`I1b|1e#zurxLUXZ5u^z+jTtqaeHhChreGUHS`nB6n-HWlfH zq##rZ?vqpVc7y$NpF#YW3vZB#fsUQN&=PuM7WYySrH##7r+io!n7Nhl4-gODy*j2H zPwG~HHyCfc%HD)#bNsIFM@|^5)s!YU$ZS>k=FrO}oyui#i9;vuk`6?x(yh;*JD@;Z zfpQFS=ryG3)Y`6ACas_)45T4LcZtz8bj}EcvtworlRSSEp$KgoP+fAs?6g~g4(<9O5Ap_RxHx* z#ZLIz=V|c5iyEnNF_%0cYU8hj!lcVL+%KERpO4jQ-FUE6kghM;V+Hdp7>052Tu=5t{{$JClS41{Rfd_nO=!a}Vv2(g3NI zss&-u_7n5a1Hrdt^{Ef5D+ckm(UWct);G3!ZL7~p4mjf(S6clIcN?s3*0WlMH3LCc z$=g6jC0{9@SrQ*z%uEEt0bN+^?4W2IrQ93K67iNga_IXky`h-W((TeuKrlPlk7gJu z=Y=}uAh%62qS|DrAKuzuv#d%B1to`yAh`viRWUISUS(jqTBbA$rY3M2%H`Eh)!L;` zUf%rh^j%+se{E~eLw|S6hEgfJO^;=-eDd+F=6^b4|+oXNKtKyC^5GAZg3Uz6= zi4mlqr)UzC7(MoG>5|fU>fjm}DuMu9XYdUmc$;5G;OZ55Vcmn!D?lNz=q1=%su2K% z#%kjL%P0V`&k0E9j!qm2A~AnF&{Pus_f9(m-uLIzejfdsPx}W?J08(H3y1QcW}W9d z5adgMdF`~AdTS|~0=FoGOeR|(2}jTAaekb-9hT*EwmoL4jXU#NFx8p9gX_vvT`<)` zYx9n@UwUAJA!K$`e~Mo7e-;;mFRLYk)ej(>0}H%6V=T~A;;WitLJn2Jvg?#CQ)YL| zI|SGZzJ3X2Z+}GM{n?E&Tm17^u2?%rM~UKj&zgl1--?BArL0qwFaY2vukONScdDXp z%o5M6AD}Nj8Mk-Z@SzTNST1<1o-^@2M!%1|-sx~jSrgPp8-m_)0Ai$# zyo1HJ(_|!s?{S2~t5dK~z8pDwYJc&&ZmPx7L~=ulVuyTYy~69VJ#zRgO%Kh#631mO zu3W~EQ!nZOH=VyS@!gE6u5lMt~TkWQAkvyZmFsHx@Vsk%FP;t2xQkU! 
zBcB^yQ968FrL}gXvDh!F2VlTsE|tCo8r--QY)s9Td~`#>F5_-(G_#H6892m=phmAN z9ZG9om#Bxt%vK6Pqo2r7s4F#B1Ez!Pfxhots<4AZrB~I|4^W`@3E;*wn6LF~plt&8 zVGM?zIzWWN8-VVLK2<0QbNST9_I<~5NeLAf;@}OnEM7w>yilg<6^ot)4)+#RwuYjfkx2@$KxcWXv zx~n?t@poUbFq~9-)P6NE65Z^AY!qBH4{N@T&6woqWWP~6MqmecZp}HRp0=Le{o7NX z1{2d+EwmUF-Owkl+iI58s*_y$xlj$HWNFwuDZqw9afFz0MHp0IvXMiYUMR!;$?Ny0 zdh=QiLl@(%pT8}*!!F+`Bc2rF{=OzW*#}>=R6640C)XsJHtoRU>wvpYD26t9`PSUW z1!Y653A@vVgRflWd?UB&8pWG?r%UtC_Q}PPOsUe)rPtDTJ=K+&&KZRGLn>j&sz*u9PimI=8i+G#7uI zfwgkwSEsqxyVro{8-P^>V1alHAC{_^{Kl`D20$A+ddOY;rDd~^~p zZ*ca#a=Zx=8qfa#xQ(d@qzB<~gvKd?M3Q z%qs_`QFBMMYXhN+>I+^MiiFh-MajCTA1HUtIdyozD1Lx!z*P9#$c*;!8irIR{Ou$V={8_w#qRRS(->{DrDWlfw<+xm<;7We2H!4v^*kDO z*?#D1PyJ`xB1?U;9wHfGDn0OpK6q~S+%@qH6a9ToKA~H>UUnx$v**3%W#f z45i(i_~5I3Up*Sdp5;4MdICL47fcPDi;9RzSObWPfpVn2MT||mFx&m=4D=S?lS-w~ zW#oPe`x4QhT!*+|#$ok2z_yv-xQbYlLy6+A&cb$ey)|ixR_6cq7{}kf{Qt)(Qg}Wr z*CX@miyhu1X%xQe`?JhXZgG6~s-g5hO?1rhHl-zsKyi>wcnYdAyQlNG*)e;Sh;a15 z(bl)UUck`S3fhB|pbHLvm}Z`NK>f8WO@R5qGMeV>D&!}00xLn#3S3A&^YRS*0lGIe z{_ha-O+wlS-Zo#swE(^^dX}C_Z%%s8A@^mMlN}#p(#6=YYq8IuYhM7m=Y0@#T_L0+ z#{Z=exEgAUp@p^W@`dg158z4U_8$X9=_^1(J?4FIFkquJ-oU!t_tkE#?~~0ILnOL@ zNaRv)d-XkOT~MbCBwcbNooc$?Sc(q$zKI$Lg%5keJJEYB%?bfxNd#fcX^~9Bony=Q zmvmOH0kx-z$!yXGAE;NtG5O7+xZVYbZ}K8<0^59u<*_9$0##_p+-AEVb@oY=CxKmj zp_^KJUa7-JD+Xvs8=?WUqb=NY(AKI~5@JYl5&GN{lEsyO?acv+zsO(Fe1Eqyo>YxKoy% z0R7iqQKWC=4>tw2vQrHp*?Y3`x4jd(i{T*qg3f}1 zkGd-7-uROO&D?)Y!~fIj^_M0#l{NUcepEml@6HI&JvDvfXNO7tf2h{#|INCqfAUAr z(Bc4EBA*gQgV5Nh1n^ZHAXA$izi{jRRg?LvzbcPmoz*{yjH*SmC@cc(l|%W~tNM;c8RW+}Sn*c%6->e+^ndMWhF^sYy5 ztizSIi^#ri&^+>@LtlZ?;nFZ^&Aph^4kU9;aL(C`A3H9Pr(+h1bFpiV6$e30NBMLZjU@$UO)n_S0@bxM-q%-?Tm}V}f5Q+-Ee~$a(<&;U zpnNt?n8Gi^ZdmC$dlq9vyWX5AwxrMr%hxry zM_pIcUPzs;{n)}*g6$JfQ0j7xaD%xi-2awn5R4dq4dYGGIVgFQpf}2>o)1Le`#thE z#9@BumAj^A$#VLc1<`^{zbhmC)c^oOSv$vLvY!gv@}Iu>y299BcZC)#d*;UsCmzN!M~qIXn)1Xg|f6VM6w?+op)hWlTS{mFQ8L&L}M=^=rz?-`pJ zCr-nV|5)YyD^>IV9q{^}?|kDEv<*Iuv_De;@t(`M><1?tkeowub)@8t|*>^zR<~AG|x4vYi!H#e^ze#z_?7Do}~- 
zU;vNv8fMQXy*;B%lH*HbGl$PSguY06YK+U*xuIA55ZUi6V1#DUl9kNA-9eIi| z53JPSxM=KIYOZ(#%lrB5tfrL>TUuJ>P)p;5yDJj{4T7=b4qV0kN=%`b>&ec4=5%37|*}S5ADM!DSUp<%__KcWPs=e(~lAn^tceOwg}3 zo^U-=wyh0kIL_QV7f;ti_q z*oZHB36f86^KG#`c~q?Ms`}3-0S6t16Q!NK`BiBzB?*_pQRrb;=lR-(r_XaYP^u^W zebnua@Ayg2*Rb^?LR?eT^!NeB_4CI;(Q>Z39Ct2&fcmwdG0YwzWB`C%ETDn9Js_yU zpx-ud!XXb(i2@^F1d$Th^YtH~Jrs~<_S47n6FLCHezkR)fG@>8x&X$Rn$v*SpqK#y zHDC?l>cJ>Cs63zq+-n2lZq@t%p*L0!MS$RjBK`c)GORV`yD69e6-Mmz09OV9e#sv% zpY0e0reRV8Aha!{0n}xVKs#=plXG8uQNvZ|a2gSJ%qr8>0)j1_aIT0wUiHoEK1tyc!I{IQ`|*2mbv} z2TVPRLe%ORO*#|6kLp1D05PcIMM^_5_7y#Cet<~n0V1NQ$?xyT8v>kT`@J^_Y(e`^YL<#1 zezl^PpmLb;aN))@)%z8xtl7Pn)H7f8vql7~uoozOQsjWZqhrt-I~O+f<2PKCUWx8E zJy-}7?$2F_jK7Rj`|Xo3UTHAhlOh7r(0M&JlM&dV{Cpf-K z$8GK9k$Va!-+PFyYmq<4PnPG61em28HA4E&_Fj7D)2^ zVQ*af^B5HV%^CwPbNvB2#sIk{gdl;INc)eA)_=$K=YMA#)cXn=ejYDE?r1hwk2)Bj zY^qYMl=rQ;^*H|5I)M1O>DMXvpo-`#G>UOb7MRtrMbmDn0$*5RWS?yh(>ezt6hmkr4VQgb#$(Z7kU-);8sYZJQAzYsB z@Qd1{`4+fPD{@89j#*}OyEWKzHkd3}tS3k5c>1-x2pOsQC#W7qE6(+BoN#kcsN@mq zW9=Ac)c6L4b>W|O=8?*IvNdmoOrwc4B)$7ru`;EXp;?%7#eZuKoy+)>LBR2cP2bJs z_wzvY_ba6TjXxVCLw`0p^#67q{BQjRU@=8uzpn@yyanKhkPXW#k%l!&17E?d6(|x+ zbJKubm-{UZda81aO<8&Yy>ijedYVu)z8;Ua!+92f06+wY6(sc+I}zx+_kYn){4XvQ z|B#&u5bXj1*?P7#K^n8w-uJq!qtLj5;{%Q9^ZKs^J<5WV!K9oqM$4}nWwOoh49?i; z>0kQXrYc-7p7H5=t(TB?i>c1QqhYozjP7iodwq0#pOGL*T!5+z(3~p?()3Q2CYh=h zr1X`v{I59$z&p^T@>U5^9yPtFZ*0dX_Wdp#VK{dk-~z$`tGUz=woiPARi*`pAD|L4NNI^SiUS`Xa{-Qu_jugi0XaWw6VC*#N-SM;kZ@n%$9iM z)8F~5e~nlP_U$w~#%QOzd)i5#zN&{3eDrte))QAeGIq^!0R*JI=$SygzZ~<=aT1hh zBk+tsA3M4!rnnsbR{UzUETyqpvqJe=^u1&MZ%k@m7ZwBV+YPO-z5HwPSnr8v)B|c#t#qmeZFJ~+&(&HBU)^Fw7PCL2eQa326S}`cr3?|taXPf! 
zF8Np1Y0#cV(uJaa_SfE#;-~j7xdAZ}*>ld@T+Gfdvj8>>>ieyF3FwKo)6$yQL*V zOEfcd-v$?G{uxse_z5DL4R{74t~mCM6^BTIiEU0w^(XEH;xFe1B~#s1f@r^5YlP|; zd|R7UzR@X8_BC(tfydZSen@M$fMCN{$y39UlHBO2DOx)oxHWm)r++CN;)d&27hSY1 zps%0JIcUFZoRV{Onxb~afP2?S{0>LcbcNGbIhO|3Mb@#CpLaA4m#mrEKF-de@qXj* zFm7Jmak-|KGI}khfkn$mhLKd>b?NaEn~2@N1PGpvRcV;gXf%$N=Ija;p?t!Yr;K0N z=KQvBP75SY1lRmjSe89qE<8?!9a4s}U_UD8Kd5#3-g1$2gN&p>kYY_rg9XxSv*%F4 zWta)QTxW2OnuaStcAO2{OHi8!q$ro&elq{_bJJ38BXZYc@jN;b`Q24 zv#g`T_^)e{o<}HR$sCx?n@ICB5HiZfGlFpcOq zOp^*#8|A~nij|yDzV@5#M!^v%@KuGPqj3!%c?s^M$ZH;)$v59qs@Gw%oGkl&DbS*n zwsT^`OCwTSyj_4~#mc5))FB>C&$)CZnv9!Wm3CI5)tf!Mnj&v)$~RygBUSZVRh3#t z<^R{-cLz23wq0UDK$>&`0g<9~M2bpNkuD;=1c(TT5JEse0t65hkS-wb69lB!P^5$& z>C$@(B@lW~r~yKL`@G-oyZgOm_x-*c{zIJZdke;OXW&MOL`R{-xNEqOJtk5soi+S z8S>0E7W(z#kIQ1E1jhD>0AWD0?4g#_$}2e{H~SnCS~ZB9kT^ig@te2md3Zay?R?4j z_I%Rf`#gF3SG%uf2$=_N)Qn2<1||hNqB5*!3GVK>>jY4j!h@43R`#X%0i*>%^CLoa zG2;3bLNmju?)>Xp8pCPhis%(NH)=YzW{UaPw1#9MN2qEM_LL-kr^Fh22nhrN8_j|c z+C{`rwLy|xAWnDE({F$WyMAxZ>Ga_E?Fkd8%bn-DZ-nUcZU^fo$L?jb*E^760>_5~ zU2s?+oePwti*&}df}1`gJ3qS$Cl0IG3H?HOTU_m~@4Ya&Oc2V$Amv1$%cI-dt`dvyyOf@l^l=Iy#$N80#dZ3HoL({}1}^w}Jl110 zz|X}7W_I3APKJ(sG6ab&rMAc${#gEFl}G!qs5*^nSQcQ?Mj$!n(>(H*Aa+aBnf{5) ztk-eBPOg1=T;-->a=`Z8Ow?>WF!l5lnG_2=7JF4qFtAZLkulK63*e;3_f9tr$h{L) zdh)apQ^`)f*Jgjmiv4b@`0|6kSNFzS?UmYD{bu|e!gfSSh&>PKly=zZuGZnp=l&?8a*n&jyE=zhPoq5tFBF5zCV9MP! 
zGj-KDJ$R>zj~iamY{Q%0UbhVhN0QnS)151Uk&PrHR8g-s*@vbq&YjGOqsM@O5?n#r*u9h+I{!BJzjzVB>F&iTA^2x zVCUjFNso+)cMUr-*Lq3&*-1kqmbinxZyfF&TK^wz=W#$QRwbV~G9`F3Sj zv_~JM#UCSXzWtPfE>8Q`hISrzJESpby>y-oOraFy+|C@{-S-UuduL>*vl?ECC%OZp z9Naj~bN@+zW540GcDTyNpt_WW&;lyndcJdk=tkauPQ?9v<@V2OxqSFXV_@^}lF(V% z5u^1}bdnUTt9e3b$5 zUdG1hyX=4J3Y{PSPJ4*a+ZL zaG{?AZbHah!zHflv`9Y9RFVl-Te`}RimJ?;i_1nrjWg+z_l>uF)=1X=rSKS>f6^yU zG?O*lw3|n$3KY?&GB*b*3XwU{=1Tdztge3Yt?5bI*Jgw7F&c5>$0z`KU+Vk`U59{I zVf>N($^xzb3z({e}7DhHS;qnDv=YeKYBHgbx;{8R&uWk!UpodkrI?hG?oNNpN*is5crdJI-Z$(1qNY{<-X^a( zK$OrK;uW#3WRL@I+H7&MTb0|Xa?G;^cX|q`n=gcFOAcp=B|eC_V|Uw~J{V$C=e>R& zP{#u3^+!kpPMHmm&h%@!6RwpYF#X1ybVWlQDsBPru52xD&+pCDOS2y+c*0-(8H%8J z>d-G=;fCx(s1lANn{HdeIn+|xym@)+>qZV0&vlI}D=Q(>@sM}b@!hN+u1 zMxSjgrwt;0uVrB|_PT?Gx!dE**EB8hP+fHbLnt9dr>=<*yps`VH(!739o{{Dy+lX< z8s$jOE1K?mPzTB^?k6I59PqHuBs+q2@d2^H)_uXd0$-9)(C3{uW!a^?Jd4rM{Vg0e z__WE4ma9N0WrgB`HiSxb(?{yOlDiUcUdjfOXZ*(4=6P8Ns0gwcB!HzVrmb%wMNh3I z)TAL^y)tNOCvjN-OKa76$9&TDzJpz5bZGKH`UkS`D8d%ssWv9(W4LJK8OI&A7^xu) z&w)p#XkG=q#!*qE-Oq3ad>-Y|vK*D)eM|TB4;7sk&JQM)W9);9D{QFOW z(o+AUIH`>z!1V}iz|Pn+0S!Wd*a*;EsV+6@0Z_##_|!y*;+-6hOYSSL_;`a8U=9WE zv>Ys{l)A=!-*no-Pgj=~-jEx`dl3wdkqd=tT|WAUnT}2ynck$u?!s%Ui+f%dqf*e|Nx5oL$5ce|R z>1QDQVFXAy3YnIN(~Ww#Zye-udBBl3n zGiyxhY+V;jqw@Wu#C*C-sy+$aJUx+%8a8ZLmfX?bMW2v)6HoRwJ1ln^`93u8WlwLu z8yfI0uykf`5+Eo}&TvO~ML(_NO3l<440;-ETm*B!z_98P?$5DsREyiCCPH3Rjmp*{ z+?AVd@!QYZIGPlxb}mA%{_DU}0qydOG-$kzMc(;Pv{rpnJS(Wgez(%t=_&2RANQk?#! 
zM(gAKKPiGr7hFpQ{CCq~o9L4h33&`w8sSTD*usF@RIjbQg^U{#o#^g4PmrbJbt=m1 z%wNIht1GJ|QTlZ+%&l%R^s{PpKeCzDNAW5XIAUN8y0~pfYhG&wrt|e_K-tkX3($Eq z_eU?mm!BQ50zL5$wf=~4m8Mq7DFUoT0~(Pk#d9YTxh5|M#sn4Z(Kge}C$(Y*yzVnP1;!^8rZw`v$f{vv-UI@oRc^<6{$3n&)P=xfw<}m4l?Wtoi(mbXeBbGcIaM$n za;f_LGW?WJ<-X*t`bbxYX>nH`?hp4uUbqh~CP(Yjt?gUPO?72Yb~*Wrq-|WOR^w?4 z<@DjW{#wy2KK|DMQuK3)d5dz~*|6pL#u8>P-XC<9;_Khv*(?1gg)<1Q0_IF--rR@C zlNJ4_4GuvuKLPhy)z|XdFm$)q-qd@^oFoAVMIpQ2_N!Ca708@YQX8fb9dYm{1*?AU zw9}CDTZtbufk$u`%K^9GhDjZs-Vpt{UHX>AHGQJ`0jw-VYAc1WylP;Y9z7M`bMGV# zmV&yDT|u1H?W{gnDIA#Rqnm|i@-g=<^a;b5TI%h_1*wdN0m3+2Og zQ74+DbnHgz=y5G_41Hd&-|jz`h*xFTEK~?3OTmlC%+>+Qx~<8Z)v;_%Meb}>KRYRl zPM}w7qK#imB*a>{wNc1;aD8jX*pUmT>eZ^84>w_-`Js|B}Qjp zLgfZrx1Fm!x3riDRv)VZNoQhC&-6o_=C8JY75JHGbyx5u{<*VhxY$qKRfp1&G|-MD z@)$}gIUogI#D;j*xVS9U(^5@W-AeMVu&kFg(qF#Cq1PEa%@q{sc40#gGNf+g{VM!t zc@Ki)Pl^~u_Q1)W{J^zln=l)1JeaJcWbr43on*$J6j_wMLi~Vp)Ze-R`+%F%PncH$ z6Q6!05G}zS{?8C36ycHyda!{8r>v_Jy3Li7mg4RXVYt_19QKWaXYZF;2(hOXW156# zv>v}jD5)sKLTnfs{%FnLgn2RKT25+>bkark@XjpJx^qzwMKxyp`K{VRfkytyI;==J z=~Jbc!q`yOs3le}n0}*NDA7e~_k!S(yhpsw^a+`p>`i)jFf6nD73>&jjTUp-fOq71 zVh&5&w)M>juS*v;)2Y=Nk1W?uvlGiLpNPLol@tuNFkI|S$iDvlVJz<;)q{RQViiu; zr=-EDs3+gq_j!t)gLfco0mfPt1(fvRn3KIQ&tr$`S~^m?T*TKe6p^fsYxItPX@u(~=w|i%=MI@)HnNBIsK}h(7NS0jdukX8y2sqRs9&sIhvcTP#8F3^W1j#=x37-@`+V23U#4jAJi<7T@Q{Q`9Q!(%Wx2UuIh?ouO4~J4U_*e)I5o zhCFg%+mc7VQ#bBtv+dL~(a-|%g_9>k<9n~qWyv)+EzZT{xru-qME!QIzW=cR4VQYa>vo@8xW|1OB~^Ogv))r1!5qYZ@5oQw=j?Sp`V=D!pp?k{n$U^QOyBt zX%8yF)NdXt4RyOR>(a|y=d{1`+ltj7WOA!^GejUmP9+Mz+mgmJCP%NUjqixb*?1VT zTWw=8sZKYcnBw6RT}ZoJs~Fa`5+1u6nORpPB^9w>*E9_sx&zqS>Vp(dw@*NN$JnBi zV;h2e0bq>KdKC6!(`>x@9hMQ-pj{%lR1bQ4{Gwe&o>k7zU!v zom)ed^ita4)RuFC{9%|wws&dPIAVI4eZR5i3l zRVVs-O1FDb-wZP_rn)YO_=VSVy4^dy+efUGJNA%DK5%|h`g-gTB{iRk=2k_IsjA}V z(!GE*hKMHi@=(yY7q`Dh>qL^}C*Ry0xzV>)>Ov(`27<53(y`hJpKsZ|pWZ70@QycP zWnr!)Lo+fF@Q4E6mYT}=Ojeg;jpwe9T5s>7=FpD2aIA=ztI z*OPj~@arkGIyLC$z#ZGUmX{j`-d9;$+Bc5hZb}?}^Mn>slbfg!cZ+PF zb@fU7HPH)(khPHE;`A41eiqYJ$8k{d=qn?sug@2Gw;WwH-W~M4T0_$#_!k-#3`Qzr 
zuC67UrWc6lPU}iMy#A`r@M^56==;UXF@NyV6rX@48j{aWkjK`bkzq`8{^+W2QQq-e z?8+AT+&2&ByS#$JS08IM4pl+Dtw-ggsGKoTW7S#tdhjH(L;^_3P?NS?>yOHqy_WoJ zd3ihqIP{@vxE#G&i??q`QBL(ooUTZcfo=@2Nm zrZDygz<5;d`#5^KK%2%Kxz(VmarN_2)jLmJ9E`V~1vO)oDIMOZG9W}2tZjBph7fnN zoVapUb}O;wPK3uwXDJ>quNQrZOG|q`NRZ*zlFGnU2^DWtk7G`S*^6)x66;@e0@Ak$ zSwYvX2$uqD0zMO0{KB;7dHWQ{y`GRjV=I29E;JX7m!^21P)TfY5KV@K+gT( zqQC_(0bZPU@Zj?xarD6xGYhNq7S$6WUSQC&Oel%`S!eUkCDk^|Q59}HIj_h{Oo^TS z=d4!IXd(YAswPT!UgRO;=ZBrYu6ZysllP|C!&T+7y=u92 z#pHkcP`rQq>loCdG$ z2NQ+WOCu0Y$UdKJxN@b~b&_(YVV&Rv&2cjNbu<9uN-&{yr^^+_wClDReD2T|&4!6sca@atcN`y%WT9M12a7$F zoSxuiKr&R(p{pX$@nnY$=2c%L^*j2WnKKyk4Ag$ z`7c)3?tyBg4fi5`m>vS@-7ZAgH=MphyXTaIo?p*X`yIeX zG8$E40nS9rfzKIb6FbnR8$G4k`8gGxez)?bx_>$N2;O$HZA6Fta*>)X**U{eMJus* z!8pQVLU$*Ohj%5n0QglR_x;pNGtD2Z!YAniPioI`C*~r@0q!U;(CJeg&~rSm8rgw) zNw~I5tEaaPO*>1mW6QdKBeIq?K5a7<7CFAV7pE^LoQ~J&=FCnqA_${#!g?xD$(}RA zH;j`v6Q2AQ*jv!sF}|}eyw68_Tnp{5_lRsviz)!EEKLlUZ!R5@UnLvFHBFf9534Rq zH6qGLEClWjZ?4Yw`oM-#wp2z4Nj?^V9Z=9RkhG(urS;x*nS zOnC}+_1E|jDAoN|#Am(3ZQJuVIz`K zAvsz4ajVQL-nL2qiCEKYgQ5g_5s}TWIN;Qm6A8MpV zFp0$QW)*-oEKP&_ZJmXy_K4v=uj9miPu5aq*hT@)VU7znNSqWf#Gp4$(v(bgmD7d8 zY^z3~*T;l5kSgLb)mdik8u=n-2J&L#6deJ;3iKL0Dw{gdkQ1nhDaP~a znm`EkB9$n2!0gg{&To$l)_D1bUgGCI=B~5%2_|CvD^1H~+c-o&v$Eg3@E!OwZW<#Y zj{%rBRBGmV9b)%b1AFFu!UYHbZbj?=y+&fqwbRS<^w~+lGd4f8$#Trs%)?q?Ei?t$ClpTGw`aaQB~(J0Wh?HQch{az zo_K_G7&8q$p4VgU=VK6Lzn~e)^7?D8lj=}soNdQj?|`j@6O`}aO5Ih_5&%X3kJwMW z11A5_jQ058iEyvRCv*MNK&6{=p5f1)E~ZNdvNO+$613NFV^d%kt##syH0_LN;#muj zPwQVa3fWPdmfob?Ny)b|x5`ve$V-LYQt1%Q&VXhY#>xDMP7JqBf=JbZ_V@x-Cyan` zUfl&+b5~pID`VR`o}C+d;kp0rF5~7N09+mmM2rLgNeRy@ z#w2W7R!t*}tIv3*CgiwN^_D)S&r;RKX&CpgRB3Upau(Sz6YYSm?J`!^FHg;1?%+#A zVAV!)&Ulv0QwBt(-#0<~CvG|g6klklF4h%_oB&Yq1ATUq6#h7>O3Yu)=mSCOM=&zD zKefPW@;APm?p5rMSh}#-)R=_JX%8Os^Ibx4Fa!fDF4^kTI_;bIh z_gqH1WFuU)bby4NYwc|tX<*4%JI%?>u+43C07kE)L}x(D0^y_5w#*$2zb+U=(nZ?k zSm0Mf4t8nY;GHb>&{N|4l0&VH>6EjnwXgKWdwq|QqIbwm=Yh)V4(P*4vB(M4rE)ke zxv@(1{36%Z=HI@*;`^_XD*tEHj8Ez+DX9RxWf}1&g-&+qv(kGFz%zEJa2{b0xNiLQ 
z!sJ9^7jE|kyrMloqzWHT3>eYJ&n}rVKQ5jg5KR8Ga((p+ja{sI-KTG?3Q2eS7g3j} zMvFd;2e7o}Lr$af@`y<`c-%&={FwMbSccZF1?$b%j$un-k+v@y7`bhYSKTht;wDag zVat%1j8$K$h$?@^wlv`(&+Ekw*z*yD?)Cuf}NG~&JdToU6ogg_OxtWghc@=0V`(9nm@qJqY; zB(|Ya_8qO#LtT0ey_cKSn1sr%qX@CAi@%=v#U_01xSEh)#k2hd-eN)G{-{3$ds$7; z{QP5l*Nbv=r$Lja7f^F-WN`SN*r;g;m_$Cc-NXObo>4G7yKDW`Y$g+}c}&73ZXdrT zS*35Fd(amH-xQ?$BJ#vs)9ZHTmi~L|LmV|0Ch}sB>?w6a z91ZrOGPbzv=jyA1gw9L;P_dQqoeW*2! z%B6K93r@lD!#sl2QS!znE)_5N10{Cty)-TLM_8Ov7GFYHfnb4MUEMAX+)|$wGn3O% zUjz@|Spmy~W-aXpc}y=7+b>&EsI`!)Y=jOs`lakqmSTLFdk-z(u}J zD5%*3GP0(^k8j5w*`yy44;1}{kIfsC?_Nvlt%<{^gYID6OnjI|uKUky+a!az;nN*y zx5iwQZUDGG&#mrpr|4R!a#wv#nv|Ta(T&)XJ4GlNwl8s{+dU!WIP`l<#|UA9EEFeo z%_&(k?D;uZYovrfnzleGC!$yK)jfWZ8!rpB@~5SZLtajl1~9Zubou2F^V)cM>f^e( zY1cg`s{2Up7t1R@nBNe1->=ZRjOv?Mwk|7$)$e(q*kDr=^M&e2fwYL@KPePym&rE? zQeg++Ylvs{V@pF`jSsQLgAxlvyW$SXVji;Nzt~=H|2r+FKHJrIp>siBG_{hD{;F+QQ525#gN!jB~SJoenXB0d? zZK|Lw`BBa1RIa@k_duv3`2qhQ4Y8HE&ouJenm9dT>*+XgQbCqxpG)OlV#ZN+nGhpn zf9b-RHjdr*)5kZjmb08*Jj@g;HoR3vb#v!c|3f){^mz)nDeQO_kv?U%TbfgCU4?=+ zk#*a!><#X8VCE|SoA3Y$mS)$V#efY&k4hHDWJWFgxVW3&w(-4x+@%`CM<=NbmAm)` zJ|?Bxyy@a0bDVhzS1#~8d+D{Pd}5AijE`!dq16eZvtx8qtb@501!%l4C{O$rVXT{qufaIb%RQX1SOZUa|n zQQ^eT#VMs~8r6>P+U%cQJ+{22#*n!g^K%NPAwC>bQztsV6!#?Ewu-2EB^9aX0qis2 z5znyQ6vLE9m1)x^I)p+XG}!#mrVds(Pt`lC-}>+K0nFUVR=c-YJa^!0Wa_rKbk1To>y$6oLejP*<`oG z(9EwuBAG@(zBl3J7O`KAm-+>(F|_xjdStgDP_A#Z8; z=1&S}kGl`s_FQS;d6pag(O`$5bUQbt;m#xBTdgbiXQSQYM-0@(wwE1_-_U?gcMJY6 z0@$O(2+Ppc0KU;fNU-CFmT^!4n{UEX@khtMN?8eM83ZbGA~$Xp)W!^lR{HCGhju*C742 zL=GsBAHTgDx&y?f`ki02miHH()=OKVjP9oqxNB>{Z}zp2r_hzl>Lo8Ix!>Sz6$~CUU7>9z#`NX7Wfct7~+M*A{tSNX{ zOgV+kyPMDb>$L{kMiy(Llw+Z_u6rIl#s=RzVS0BR^U;Z=1??IlCmKYWOt&kn2okgb zEi@f>*P9s;6<~73><<;fmDCoXyviyP5|v0%IPcW%=*7o#(r4Y}$99msye#K%;tu4Vcl73{cus#V101%|c9tW7NZ$S5)aX>M-Cw zaWUyA#|rDj&8jajTM@;s$%|3vV6l*_j`l!}iohv+m)%JJHq1V!&10V0S>n<6w27lQ>OD55+3)dcQpmZGMU2k(y?mK2R($wYk+gB5nL#I~iD;p^j!dMVMSyDb?6za6 z!Q+~)2Z7)u5|8Yf4+p2;d>=S`b*}xz77gt>3)X4VRzX0eDzgw7AHNF3oV{`_K&6G27+35h(aoHne8VjHt 
z%H%z)UJ;QZMQ~t0we)Y`##^D##Wxxq^RY~7)f$V)EoKRcB~37@XnSc&c_fXs+U61$UV@VXVYGdMP-iuJ?F+RTEPto)oy(<>hwx1|y>w z`#F42;DKjNN4$dcQy77Kx}$)QaL(m{kmVNkg4e-xdH+vP4RM>k$Z~cu9UF}}+$kEh zyPzQzgCz(W3~LnUoovP4b4C@ z$=BS%(hr+1_rXRPjL{~Nj0!2dblIHANXZw``M_HxGlOz@zRjMhD7$*w-;a^uQ8n7o zW)LlMrd-Ejndgi=247kuP3D^;`owY6c#9t)b+B^UN literal 0 HcmV?d00001 diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index e58eecbc..59f5af1e 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -146,7 +146,7 @@ NHRP protocol configuration IPSEC configuration ============================== -* Please refer to the :ref:`ipsec` documentation for the individual IPSec +* Please refer to the :ref:`ipsec_general` documentation for the individual IPSec related options. .. note:: NHRP daemon based on FRR nhrpd. It controls IPSEC. That's why 'close-action' diff --git a/docs/configuration/vpn/index.rst b/docs/configuration/vpn/index.rst index cf825a63..d0121abd 100644 --- a/docs/configuration/vpn/index.rst +++ b/docs/configuration/vpn/index.rst @@ -7,7 +7,7 @@ VPN :maxdepth: 1 :includehidden: - ipsec + ipsec/index l2tp openconnect pptp @@ -22,5 +22,3 @@ pages to sort :includehidden: dmvpn - site2site_ipsec - remoteaccess_ipsec diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst deleted file mode 100644 index 5e44312d..00000000 --- a/docs/configuration/vpn/ipsec.rst +++ /dev/null 
@@ -1,657 +0,0 @@ -.. _ipsec: - -##### -IPsec -##### - -:abbr:`GRE (Generic Routing Encapsulation)`, GRE/IPsec (or IPIP/IPsec, -SIT/IPsec, or any other stateless tunnel protocol over IPsec) is the usual way -to protect the traffic inside a tunnel. - -An advantage of this scheme is that you get a real interface with its own -address, which makes it easier to setup static routes or use dynamic routing -protocols without having to modify IPsec policies. The other advantage is that -it greatly simplifies router to router communication, which can be tricky with -plain IPsec because the external outgoing address of the router usually doesn't -match the IPsec policy of a typical site-to-site setup and you would need to -add special configuration for it, or adjust the source address of the outgoing -traffic of your applications. GRE/IPsec has no such problem and is completely -transparent for applications. - -GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme -easy to implement between VyOS and virtually any other router. - -For simplicity we'll assume that the protocol is GRE, it's not hard to guess -what needs to be changed to make it work with a different protocol. We assume -that IPsec will use pre-shared secret authentication and will use AES128/SHA1 -for the cipher and hash. Adjust this as necessary. - -.. NOTE:: VMware users should ensure that a VMXNET3 adapter is used. E1000 - adapters have known issues with GRE processing. - -************************************** -IKE (Internet Key Exchange) Attributes -************************************** - -IKE performs mutual authentication between two parties and establishes -an IKE security association (SA) that includes shared secret information -that can be used to efficiently establish SAs for Encapsulating Security -Payload (ESP) or Authentication Header (AH) and a set of cryptographic -algorithms to be used by the SAs to protect the traffic that they carry. 
-https://datatracker.ietf.org/doc/html/rfc5996 - -In VyOS, IKE attributes are specified through IKE groups. -Multiple proposals can be specified in a single group. - -VyOS IKE group has the next options: - -* ``close-action`` defines the action to take if the remote peer unexpectedly - closes a CHILD_SA: - - * ``none`` set action to none (default); - - * ``trap`` installs a trap policy for the CHILD_SA; - - * ``start`` tries to immediately re-create the CHILD_SA; - -* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol - (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty - INFORMATIONAL messages (IKEv2) are periodically sent in order to check the - liveliness of the IPsec peer: - - * ``action`` keep-alive failure action: - - * ``trap`` installs a trap policy, which will catch matching traffic - and tries to re-negotiate the tunnel on-demand; - - * ``clear`` closes the CHILD_SA and does not take further action (default); - - * ``restart`` immediately tries to re-negotiate the CHILD_SA - under a fresh IKE_SA; - - * ``interval`` keep-alive interval in seconds <2-86400> (default 30); - - * ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only - -* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate - the peer. In IKEv1, reauthentication is always done. - Setting this parameter enables remote host re-authentication during an IKE - rekey. - -* ``key-exchange`` which protocol should be used to initialize the connection - If not set both protocols are handled and connections will use IKEv2 when - initiating, but accept any protocol version when responding: - - * ``ikev1`` use IKEv1 for Key Exchange; - - * ``ikev2`` use IKEv2 for Key Exchange; - -* ``lifetime`` IKE lifetime in seconds <0-86400> (default 28800); - -* ``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 - and enabled by default. 
- -* ``mode`` IKEv1 Phase 1 Mode Selection: - - * ``main`` use Main mode for Key Exchanges in the IKEv1 Protocol - (Recommended Default); - - * ``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol - aggressive mode is much more insecure compared to Main mode; - -* ``proposal`` the list of proposals and their parameters: - - * ``dh-group`` dh-group; - - * ``encryption`` encryption algorithm; - - * ``hash`` hash algorithm. - - * ``prf`` pseudo-random function. - -*********************************************** -ESP (Encapsulating Security Payload) Attributes -*********************************************** - -ESP is used to provide confidentiality, data origin authentication, -connectionless integrity, an anti-replay service (a form of partial sequence -integrity), and limited traffic flow confidentiality. -https://datatracker.ietf.org/doc/html/rfc4303 - -In VyOS, ESP attributes are specified through ESP groups. -Multiple proposals can be specified in a single group. - -VyOS ESP group has the next options: - -* ``compression`` Enables the IPComp(IP Payload Compression) protocol which - allows compressing the content of IP packets. - -* ``life-bytes`` ESP life in bytes <1024-26843545600000>. - Number of bytes transmitted over an IPsec SA before it expires; - -* ``life-packets`` ESP life in packets <1000-26843545600000>. - Number of packets transmitted over an IPsec SA before it expires; - -* ``lifetime`` ESP lifetime in seconds <30-86400> (default 3600). 
- How long a particular instance of a connection (a set of - encryption/authentication keys for user packets) should last, - from successful negotiation to expiry; - -* ``mode`` the type of the connection: - - * ``tunnel`` tunnel mode (default); - - * ``transport`` transport mode; - -* ``pfs`` whether Perfect Forward Secrecy of keys is desired on the - connection's keying channel and defines a Diffie-Hellman group for PFS: - - * ``enable`` Inherit Diffie-Hellman group from IKE group (default); - - * ``disable`` Disable PFS; - - * ``< dh-group >`` defines a Diffie-Hellman group for PFS; - -* ``proposal`` ESP-group proposal with number <1-65535>: - - * ``encryption`` encryption algorithm (default 128 bit AES-CBC); - - * ``hash`` hash algorithm (default sha1). - - * ``disable-rekey`` Do not locally initiate a re-key of the SA, remote - peer must re-key before expiration. - -*********************************************** -Options (Global IPsec settings) Attributes -*********************************************** - -* ``options`` - - * ``disable-route-autoinstall`` Do not automatically install routes to remote - networks; - - * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco - FlexVPN vendor ID payload (IKEv2 only), which is required in order to make - Cisco brand devices allow negotiating a local traffic selector (from - strongSwan's point of view) that is not the assigned virtual IP address if - such an address is requested by strongSwan. Sending the Cisco FlexVPN - vendor ID prevents the peer from narrowing the initiator's local traffic - selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 - instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco - template but should also work for GRE encapsulation; - - * ``interface`` Interface Name to use. The name of the interface on which - virtual IP addresses should be installed. 
If not specified the addresses - will be installed on the outbound interface; - - * ``virtual-ip`` Allows the installation of virtual-ip addresses. A comma - separated list of virtual IPs to request in IKEv2 configuration payloads or - IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an - arbitrary address, specific addresses may be defined. The responder may - return a different address, or none at all. Define the ``virtual-address`` - option to configure the IP address in a site-to-site hierarchy. - -************************* -IPsec policy matching GRE -************************* - -The first and arguably cleaner option is to make your IPsec policy match GRE -packets between external addresses of your routers. This is the best option if -both routers have static external addresses. - -Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, -and the RIGHT router is 203.0.113.45 - -On the LEFT: - -.. code-block:: none - - # GRE tunnel - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 source-address 192.0.2.10 - set interfaces tunnel tun0 remote 203.0.113.45 - set interfaces tunnel tun0 address 10.10.10.1/30 - - ## IPsec - set vpn ipsec interface eth0 - - # Pre-shared-secret - set vpn ipsec authentication psk vyos id 192.0.2.10 - set vpn ipsec authentication psk vyos id 203.0.113.45 - set vpn ipsec authentication psk vyos secret MYSECRETKEY - - # IKE group - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2' - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128' - set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1' - - # ESP group - set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128' - set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1' - - # IPsec tunnel - set vpn ipsec site-to-site peer right authentication mode pre-shared-secret - set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45 - - set vpn ipsec site-to-site peer right 
ike-group MyIKEGroup - set vpn ipsec site-to-site peer right default-esp-group MyESPGroup - - set vpn ipsec site-to-site peer right local-address 192.0.2.10 - set vpn ipsec site-to-site peer right remote-address 203.0.113.45 - - # This will match all GRE traffic to the peer - set vpn ipsec site-to-site peer right tunnel 1 protocol gre - -On the RIGHT, setup by analogy and swap local and remote addresses. - - -Source tunnel from dummy interface -================================== - -The scheme above doesn't work when one of the routers has a dynamic external -address though. The classic workaround for this is to setup an address on a -loopback interface and use it as a source address for the GRE tunnel, then setup -an IPsec policy to match those loopback addresses. - -We assume that the LEFT router has static 192.0.2.10 address on eth0, and the -RIGHT router has a dynamic address on eth0. - -The peer names RIGHT and LEFT are used as informational text. - -**Setting up the GRE tunnel** - -On the LEFT: - -.. code-block:: none - - set interfaces dummy dum0 address 192.168.99.1/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.1/30 - set interfaces tunnel tun0 source-address 192.168.99.1 - set interfaces tunnel tun0 remote 192.168.99.2 - -On the RIGHT: - -.. code-block:: none - - set interfaces dummy dum0 address 192.168.99.2/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.2/30 - set interfaces tunnel tun0 source-address 192.168.99.2 - set interfaces tunnel tun0 remote 192.168.99.1 - -**Setting up IPSec** - -However, now you need to make IPsec work with dynamic address on one side. The -tricky part is that pre-shared secret authentication doesn't work with dynamic -address, so we'll have to use RSA keys. - -First, on both routers run the operational command "generate pki key-pair -install ". You may choose different length than 2048 of course. - -.. 
code-block:: none - - vyos@left# run generate pki key-pair install ipsec-LEFT - Enter private key type: [rsa, dsa, ec] (Default: rsa) - Enter private key bits: (Default: 2048) - Note: If you plan to use the generated key on this router, do not encrypt the private key. - Do you want to encrypt the private key with a passphrase? [y/N] N - Configure mode commands to install key pair: - Do you want to install the public key? [Y/n] Y - set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' - Do you want to install the private key? [Y/n] Y - set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...' - [edit] - -Configuration commands for the private and public key will be displayed on the -screen which needs to be set on the router first. -Note the command with the public key -(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). -Then do the same on the opposite router: - -.. code-block:: none - - vyos@left# run generate pki key-pair install ipsec-RIGHT - -Note the command with the public key -(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'). - -Now the noted public keys should be entered on the opposite routers. - -On the LEFT: - -.. code-block:: none - - set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...' - -On the RIGHT: - -.. code-block:: none - - set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' - -Now you are ready to setup IPsec. You'll need to use an ID instead of address -for the peer. - -On the LEFT (static address): - -.. 
code-block:: none - - set vpn ipsec interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer RIGHT authentication local-id LEFT - set vpn ipsec site-to-site peer RIGHT authentication mode rsa - set vpn ipsec site-to-site peer RIGHT authentication rsa local-key ipsec-LEFT - set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key ipsec-RIGHT - set vpn ipsec site-to-site peer RIGHT authentication remote-id RIGHT - set vpn ipsec site-to-site peer RIGHT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer RIGHT ike-group MyIKEGroup - set vpn ipsec site-to-site peer RIGHT local-address 192.0.2.10 - set vpn ipsec site-to-site peer RIGHT connection-type respond - set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote - -On the RIGHT (dynamic address): - -.. 
code-block:: none - - set vpn ipsec interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer LEFT authentication local-id RIGHT - set vpn ipsec site-to-site peer LEFT authentication mode rsa - set vpn ipsec site-to-site peer LEFT authentication rsa local-key ipsec-RIGHT - set vpn ipsec site-to-site peer LEFT authentication rsa remote-key ipsec-LEFT - set vpn ipsec site-to-site peer LEFT authentication remote-id LEFT - set vpn ipsec site-to-site peer LEFT connection-type initiate - set vpn ipsec site-to-site peer LEFT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer LEFT ike-group MyIKEGroup - set vpn ipsec site-to-site peer LEFT local-address any - set vpn ipsec site-to-site peer LEFT remote-address 192.0.2.10 - set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote - - -******************************************* -IKEv2 IPSec road-warriors remote-access VPN -******************************************* - -Internet Key Exchange version 2, IKEv2 for short, is a request/response -protocol developed by both Cisco and Microsoft. It is used to establish and -secure IPv4/IPv6 connections, be it a site-to-site VPN or from a -road-warrior connecting to a hub site. IKEv2, when run in point-to-multipoint, -or remote-access/road-warrior mode, secures the server-side with another layer -by using an x509 signed server certificate. 
- -Key exchange and payload encryption is still done using IKE and ESP proposals -as known from IKEv1 but the connections are faster to establish, more reliable, -and also support roaming from IP to IP (called MOBIKE which makes sure your -connection does not drop when changing networks from e.g. WIFI to LTE and back). - -This feature closely works together with :ref:`pki` subsystem as you required -a x509 certificate. - -Example -======= - -This example uses CACert as certificate authority. - -.. code-block:: - - set pki ca CAcert_Class_3_Root certificate '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' - set pki ca CAcert_Signing_Authority certificate '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' - -After you obtain your server certificate you can import it from a file on the -local filesystem, or paste it into the CLI. Please note that when entering the -certificate manually you need to strip the ``-----BEGIN KEY-----`` and -``-----END KEY-----`` tags. Also, the certificate or key needs to be presented -in a single line without line breaks (``\n``). - -To import it from the filesystem use: - -.. code-block:: - - import pki certificate file /path/to/cert.pem - -In our example the certificate name is called vyos: - -.. code-block:: - - set pki certificate vyos certificate 'MIIE45s...' - set pki certificate vyos private key 'MIIEvgI...' - -After the PKI certs are all set up we can start configuring our IPSec/IKE -proposals used for key-exchange end data encryption. The used encryption -ciphers and integrity algorithms vary from operating system to operating -system. The ones used in this post are validated to work on both Windows 10 -and iOS/iPadOS 14 to 17. - -.. 
code-block:: - - set vpn ipsec esp-group ESP-RW compression 'disable' - set vpn ipsec esp-group ESP-RW lifetime '3600' - set vpn ipsec esp-group ESP-RW pfs 'disable' - set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128' - set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256' - - set vpn ipsec ike-group IKE-RW key-exchange 'ikev2' - set vpn ipsec ike-group IKE-RW lifetime '7200' - set vpn ipsec ike-group IKE-RW mobike 'enable' - set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14' - set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128' - set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256' - -Every connection/remote-access pool we configure also needs a pool where -we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. -Authorized clients will receive an IPv4 address from the 192.0.2.128/25 prefix -and an IPv6 address from the 2001:db8:2000::/64 prefix. We can also send some -DNS nameservers down for our clients to use with their connection. - -.. code-block:: - - set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1' - set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25' - set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1' - set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64' - -VyOS supports multiple IKEv2 remote-access connections. Every connection can -have its own dedicated IKE/ESP ciphers, certificates or local listen address -for e.g. inbound load balancing. - -We configure a new connection named ``rw`` for road-warrior, that identifies -itself as ``192.0.2.1`` to the clients and uses the ``vyos`` certificate -signed by the `CAcert_Class3_Root`` intermediate CA. We select our previously -specified IKE/ESP groups and also link the IP address pool to draw addresses -from. - -.. 
code-block:: - - set vpn ipsec remote-access connection rw authentication id '192.0.2.1' - set vpn ipsec remote-access connection rw authentication server-mode 'x509' - set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root' - set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos' - set vpn ipsec remote-access connection rw esp-group 'ESP-RW' - set vpn ipsec remote-access connection rw ike-group 'IKE-RW' - set vpn ipsec remote-access connection rw local-address '192.0.2.1' - set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' - set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6' - -VyOS also supports (currently) two different modes of authentication, local and -RADIUS. To create a new local user named ``vyos`` with password ``vyos`` use the -following commands. - -.. code-block:: - - set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2' - set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos' - -If you feel better forwarding all authentication requests to your enterprises -RADIUS server, use the commands below. - -.. code-block:: - - set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius' - set vpn ipsec remote-access radius server 192.0.2.2 key 'secret' - -Client Configuration -==================== - -Configuring VyOS to act as your IPSec access concentrator is one thing, but -you probably need to setup your client connecting to the server so they can -talk to the IPSec gateway. - -Microsoft Windows (10+) ------------------------ - -Windows 10 does not allow a user to choose the integrity and encryption ciphers -using the GUI and it uses some older proposals by default. A user can only -change the proposals on the client side by configuring the IPSec connection -profile via PowerShell. 
- -We generate a connection profile used by Windows clients that will connect to -the "rw" connection on our VyOS server on the VPN servers IP address/fqdn -`vpn.vyos.net`. - -.. note:: Microsoft Windows expects the server name to be also used in the - server's certificate common name, so it's best to use this DNS name for - your VPN connection. - -.. code-block:: - - vyos@vyos:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net - - ==== ==== - Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2" - Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force - ==== ==== - -As both Microsoft Windows and Apple iOS/iPadOS only support a certain set of -encryption ciphers and integrity algorithms we will validate the configured -IKE/ESP proposals and only list the compatible ones to the user — if multiple -are defined. If there are no matching proposals found — we can not generate a -profile for you. - -When first connecting to the new VPN the user is prompted to enter proper -credentials. - -Apple iOS/iPadOS (14.2+) ------------------------- - -Like on Microsoft Windows, Apple iOS/iPadOS out of the box does not expose -all available VPN options via the device GUI. - -If you want, need, and should use more advanced encryption ciphers (default -is still 3DES) you need to provision your device using a so-called "Device -Profile". A profile is a simple text file containing XML nodes with a -``.mobileconfig`` file extension that can be sent and opened on any device -from an E-Mail. 
- -Profile generation happens from the operational level and is as simple as -issuing the following command to create a profile to connect to the IKEv2 -access server at ``vpn.vyos.net`` with the configuration for the ``rw`` -remote-access connection group. - -.. note:: Apple iOS/iPadOS expects the server name to be also used in the - server's certificate common name, so it's best to use this DNS name for - your VPN connection. - -.. code-block:: - - vyos@vyos:~$ generate ipsec profile ios-remote-access rw remote vpn.vyos.net - - ==== ==== - - - ... - - ==== ==== - -In the end, an XML structure is generated which can be saved as -``vyos.mobileconfig`` and sent to the device by E-Mail where it later can -be imported. - -During profile import, the user is asked to enter its IPSec credentials -(username and password) which is stored on the mobile. - -Operation Mode -============== - -.. opcmd:: show vpn ike sa - - Show all currently active IKE Security Associations. - -.. opcmd:: show vpn ike sa nat-traversal - - Show all currently active IKE Security Associations (SA) that are using - NAT Traversal. - -.. opcmd:: show vpn ike sa peer - - Show all currently active IKE Security Associations (SA) for a specific - peer. - -.. opcmd:: show vpn ike secrets - - Show all the configured pre-shared secret keys. - -.. opcmd:: show vpn ike status - - Show the detailed status information of IKE charon process. - -.. opcmd:: show vpn ipsec connections - - Show details of all available VPN connections - -.. opcmd:: show vpn ipsec policy - - Print out the list of existing crypto policies - -.. opcmd:: show vpn ipsec sa - - Show all active IPsec Security Associations (SA) - -.. opcmd:: show vpn ipsec sa detail - - Show a detailed information of all active IPsec Security Associations (SA) - in verbose format. - -.. opcmd:: show vpn ipsec state - - Print out the list of existing in-kernel crypto state - -.. 
opcmd:: show vpn ipsec status - - Show the status of running IPsec process and process ID. - -.. opcmd:: restart ipsec - - Restart the IPsec VPN process and re-establishes the connection. - -.. opcmd:: reset vpn ipsec site-to-site all - - Reset all site-to-site IPSec VPN sessions. It terminates all active - child_sa and reinitiates the connection. - -.. opcmd:: reset vpn ipsec site-to-site peer - - Reset all tunnels for a given peer, can specify tunnel or vti interface. - It terminates a specific child_sa and reinitiates the connection. - -.. opcmd:: show log ipsec - - Show logs for IPsec diff --git a/docs/configuration/vpn/ipsec/index.rst b/docs/configuration/vpn/ipsec/index.rst new file mode 100644 index 00000000..e454e2f6 --- /dev/null +++ b/docs/configuration/vpn/ipsec/index.rst @@ -0,0 +1,21 @@ +##### +IPsec +##### + + +.. toctree:: + :maxdepth: 1 + :includehidden: + + ipsec_general + site2site_ipsec + remoteaccess_ipsec + troubleshooting_ipsec + +pages to sort + +.. toctree:: + :maxdepth: 1 + :includehidden: + + diff --git a/docs/configuration/vpn/ipsec/ipsec_general.rst b/docs/configuration/vpn/ipsec/ipsec_general.rst new file mode 100644 index 00000000..18d974c9 --- /dev/null +++ b/docs/configuration/vpn/ipsec/ipsec_general.rst 
@@ -0,0 +1,308 @@ +.. _ipsec_general: + +######################### +IPsec General Information +######################### + +*********************** +Information about IPsec +*********************** + +IPsec is the framework used to secure data. +IPsec accomplishes these goals by providing authentication, +encryption of IP network packets, key exchange, and key management. +VyOS uses Strongswan package to implement IPsec. + +**Authentication Header (AH)** is defined in :rfc:`4302`. It creates +a hash using the IP header and data payload, and prepends it to the +packet. This hash is used to validate that the data has not been +changed during transfer over the network. + +**Encapsulating Security Payload (ESP)** is defined in :rfc:`4303`. +It provides encryption and authentication of the data. + + +There are two IPsec modes: + **IPsec Transport Mode**: + In transport mode, an IPSec header (AH or ESP) is inserted + between the IP header and the upper layer protocol header. + + **IPsec Tunnel Mode:** + In tunnel mode, the original IP packet is encapsulated in + another IP datagram, and an IPsec header (AH or ESP) is + inserted between the outer and inner headers. + +.. figure:: /_static/images/ESP_AH.png + :scale: 80 % + :alt: AH and ESP in Transport Mode and Tunnel Mode + +*************************** +IKE (Internet Key Exchange) +*************************** +The default IPsec method for secure key negotiation is the Internet Key +Exchange (IKE) protocol. IKE is designed to provide mutual authentication +of systems, as well as to establish a shared secret key to create IPsec +security associations. A security association (SA) includes all relevant +attributes of the connection, including the cryptographic algorithm used, +the IPsec mode, the encryption key, and other parameters related to the +transmission of data over the VPN connection. + +IKEv1 +===== + +IKEv1 is the older version and is still used today. Nowadays, most +manufacturers recommend using IKEv2 protocol. 
+ +IKEv1 is described in the next RFCs: :rfc:`2409` (IKE), :rfc:`3407` +(IPsec DOI), :rfc:`3947` (NAT-T), :rfc:`3948` (UDP Encapsulation +of ESP Packets), :rfc:`3706` (DPD) + +IKEv1 operates in two phases to establish these IKE and IPsec SAs: + * **Phase 1** provides mutual authentication of the IKE peers and + establishment of the session key. This phase creates an IKE SA (a + security association for IKE) using a DH exchange, cookies, and an + ID exchange. Once an IKE SA is established, all IKE communication + between the initiator and responder is protected with encryption + and an integrity check that is authenticated. The purpose of IKE + phase 1 is to facilitate a secure channel between the peers so that + phase 2 negotiations can occur securely. IKE phase 1 offers two modes: + Main and Aggressive. + + * **Main Mode** is used for site-to-site VPN connections. + + * **Aggressive Mode** is used for remote access VPN connections. + + * **Phase 2** provides for the negotiation and establishment of the + IPsec SAs using ESP or AH to protect IP data traffic. + +IKEv2 +===== + +IKEv2 is described in :rfc:`7296`. The biggest difference between IKEv1 and +IKEv2 is that IKEv2 is much simpler and more reliable than IKEv1 because +fewer messages are exchanged during the establishment of the VPN and +additional security capabilities are available. + + +IKE Authentication +================== + +VyOS supports 3 authentication methods. + * **Pre-shared keys**: In this method, both peers of the IPsec + tunnel must have the same preshared keys. + * **Digital certificates**: PKI is used in this method. + * **RSA-keys**: If the RSA-keys method is used in your IKE policy, + you need to make sure each peer has the other peer’s public keys. + +************************* +DPD (Dead Peer Detection) +************************* + +This is a mechanism used to detect when a VPN peer is no longer active. +This mechanism has different algorithms in IKEv1 and IKEv2 in VyOS. 
+DPD Requests are sent as ISAKMP R-U-THERE messages and DPD Responses +are sent as ISAKMP R-U-THERE-ACK messages. In IKEv1, DPD sends messages +every configured interval. The remote peer is considered unreachable +if no response to these packets is received within the DPD timeout. +In IKEv2, DPD sends messages every configured interval. If one request +is not responded, Strongswan execute its retransmission algorithm with +its timers. https://docs.strongswan.org/docs/5.9/config/retransmission.html + +***************** +Configuration IKE +***************** + +IKE (Internet Key Exchange) Attributes +====================================== + +VyOS IKE group has the next options: + +.. cfgcmd:: set vpn ipsec ike-group close-action + + Defines the action to take if the remote peer unexpectedly + closes a CHILD_SA: + + * **none** - Set action to none (default), + * **trap** - Installs a trap policy (IPsec policy without Security + Association) for the CHILD_SA and traffic matching these policies + will trigger acquire events that cause the daemon to establish the + required IKE/IPsec SAs. + * **start** - Tries to immediately re-create the CHILD_SA. + +.. cfgcmd:: set vpn ipsec ike-group ikev2-reauth + + Whether rekeying of an IKE_SA should also reauthenticate + the peer. In IKEv1, reauthentication is always done. + Setting this parameter enables remote host re-authentication + during an IKE rekey. + +.. cfgcmd:: set vpn ipsec ike-group key-exchange + + Which protocol should be used to initialize the connection + If not set both protocols are handled and connections will + use IKEv2 when initiating, but accept any protocol version + when responding: + + * **ikev1** - Use IKEv1 for Key Exchange. + * **ikev2** - Use IKEv2 for Key Exchange. + +.. cfgcmd:: set vpn ipsec ike-group lifetime + + IKE lifetime in seconds <0-86400> (default 28800). + +.. 
cfgcmd:: set vpn ipsec ike-group mode + + IKEv1 Phase 1 Mode Selection: + + * **main** - Use Main mode for Key Exchanges in the IKEv1 Protocol + (Recommended Default). + * **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1 + protocol aggressive mode is much more insecure compared to Main mode. + +.. cfgcmd:: set vpn ipsec ike-group proposal dh-group + + Dh-group. Default value is **2**. + +.. cfgcmd:: set vpn ipsec ike-group proposal encryption + + Encryption algorithm. Default value is **aes128**. + +.. cfgcmd:: set vpn ipsec ike-group proposal hash + + Hash algorithm. Default value is **sha1**. + +.. cfgcmd:: set vpn ipsec ike-group proposal prf + + Pseudo-random function. + + +DPD (Dead Peer Detection) Configuration +======================================= + +.. cfgcmd:: set vpn ipsec ike-group dead-peer-detection action + + Action to perform for this CHILD_SA on DPD timeout. + + * **trap** - Installs a trap policy (IPsec policy without Security + Association), which will catch matching traffic and tries to + re-negotiate the tunnel on-demand. + * **clear** - Closes the CHILD_SA and does not take further action + (default). + * **restart** - Immediately tries to re-negotiate the CHILD_SA + under a fresh IKE_SA. + +.. cfgcmd:: set vpn ipsec ike-group dead-peer-detection interval + + Keep-alive interval in seconds <2-86400> (default 30). + +.. cfgcmd:: set vpn ipsec ike-group dead-peer-detection timeout + + Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only** + +ESP (Encapsulating Security Payload) Attributes +=============================================== + +In VyOS, ESP attributes are specified through ESP groups. +Multiple proposals can be specified in a single group. + +VyOS ESP group has the next options: + +.. cfgcmd:: set vpn ipsec esp-group compression + + Enables the IPComp(IP Payload Compression) protocol which allows + compressing the content of IP packets. + +.. 
cfgcmd:: set vpn ipsec esp-group disable-rekey + + Do not locally initiate a re-key of the SA, remote peer must + re-key before expiration. + +.. cfgcmd:: set vpn ipsec esp-group life-bytes + + ESP life in bytes <1024-26843545600000>. Number of bytes + transmitted over an IPsec SA before it expires. + +.. cfgcmd:: set vpn ipsec esp-group life-packets + + ESP life in packets <1000-26843545600000>. + Number of packets transmitted over an IPsec SA before it expires. + +.. cfgcmd:: set vpn ipsec esp-group lifetime + + ESP lifetime in seconds <30-86400> (default 3600). + How long a particular instance of a connection (a set of + encryption/authentication keys for user packets) should last, + from successful negotiation to expiry. + +.. cfgcmd:: set vpn ipsec esp-group mode + + The type of the connection: + + * **tunnel** - Tunnel mode (default). + * **transport** - Transport mode. + +.. cfgcmd:: set vpn ipsec esp-group pfs < dh-group> + + Whether Perfect Forward Secrecy of keys is desired on the + connection's keying channel and defines a Diffie-Hellman group for + PFS: + + * **enable** - Inherit Diffie-Hellman group from IKE group (default). + * **disable** - Disable PFS. + * **** - Defines a Diffie-Hellman group for PFS. + +.. cfgcmd:: set vpn ipsec esp-group proposal encryption + + Encryption algorithm. Default value is **aes128**. + +.. cfgcmd:: set vpn ipsec esp-group proposal hash + + Hash algorithm. Default value is **sha1**. + +Global IPsec Settings +===================== + +.. cfgcmd:: set vpn ipsec interface + + Interface name to restrict outbound IPsec policies. There is a possibility + to specify multiple interfaces. If an interfaces are not specified, IPsec + policies apply to all interfaces. + + +.. cfgcmd:: set vpn ipsec log level + + Level of logging. Default value is **0**. + +.. cfgcmd:: set vpn ipsec log subsystem + + Subsystem of the daemon. + +Options +======= + +.. 
cfgcmd:: set vpn ipsec options disable-route-autoinstall + + Do not automatically install routes to remote + networks. + +.. cfgcmd:: set vpn ipsec options flexvpn + + Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco + FlexVPN vendor ID payload (IKEv2 only), which is required in order to make + Cisco brand devices allow negotiating a local traffic selector (from + strongSwan's point of view) that is not the assigned virtual IP address if + such an address is requested by strongSwan. Sending the Cisco FlexVPN + vendor ID prevents the peer from narrowing the initiator's local traffic + selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 + instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco + template but should also work for GRE encapsulation. + +.. cfgcmd:: set vpn ipsec options interface + + Interface Name to use. The name of the interface on which + virtual IP addresses should be installed. If not specified the addresses + will be installed on the outbound interface. + +.. cfgcmd:: set vpn ipsec options virtual-ip + + Allows the installation of virtual-ip addresses. diff --git a/docs/configuration/vpn/remoteaccess_ipsec.rst b/docs/configuration/vpn/ipsec/remoteaccess_ipsec.rst similarity index 100% rename from docs/configuration/vpn/remoteaccess_ipsec.rst rename to docs/configuration/vpn/ipsec/remoteaccess_ipsec.rst diff --git a/docs/configuration/vpn/ipsec/site2site_ipsec.rst b/docs/configuration/vpn/ipsec/site2site_ipsec.rst new file mode 100644 index 00000000..80dfa423 --- /dev/null +++ b/docs/configuration/vpn/ipsec/site2site_ipsec.rst 
@@ -0,0 +1,729 @@ +.. _size2site_ipsec: + +###################### +IPsec Site-to-Site VPN +###################### + +**************************** +IPsec Site-to-Site VPN Types +**************************** + +VyOS supports two types of IPsec VPN: Policy-based IPsec VPN and Route-based +IPsec VPN. + +Policy-based VPN +================ + +Policy-based VPN is based on static configured policies. Each policy creates +individual IPSec SA. Traffic matches these SAs encrypted and directed to the +remote peer. + +Route-Based VPN +=============== + +Route-based VPN is based on secure traffic passing over Virtual Tunnel +Interfaces (VTIs). This type of IPsec VPNs allows using routing protocols. + +****************************** +Configuration Site-to-Site VPN +****************************** + +Requirements and Prerequisites for Site-to-Site VPN +=================================================== + +**Negotiated parameters that need to match** + +Phase 1 + * IKE version + * Authentication + * Encryption + * Hashing + * PRF + * Lifetime + + .. note:: Strongswan recommends to use the same lifetime value on both peers + +Phase 2 + * Encryption + * Hashing + * PFS + * Mode (tunnel or transport) + * Lifetime + + .. note:: Strongswan recommends to use the same lifetime value on both peers + + * Remote and Local networks in SA must be compatible on both peers + +Configuration Steps for Site-to-Site VPN +======================================== + +The next example shows the configuration one of the router participating in +IPsec VPN. + +Tunnel information: + * Phase 1: + * encryption: AES256 + * hash: SHA256 + * PRF: SHA256 + * DH: 14 + * lifetime: 28800 + * Phase 2: + * IPsec mode: tunnel + * encryption: AES256 + * hash: SHA256 + * PFS: inherited from DH Phase 1 + * lifetime: 3600 + * If Policy based VPN is used + * Remote network is 192.168.50.0/24. Local network is 192.168.10.0/24 + * If Route based VPN is used + * IP of the VTI interface is 10.0.0.1/30 + +.. 
note:: We do not recommend using policy-based vpn and route-based vpn configurations to the same peer. + +**1. Configure ike-group (IKE Phase 1)** + +.. code-block:: none + + set vpn ipsec ike-group IKE close-action 'start' + set vpn ipsec ike-group IKE key-exchange 'ikev1' + set vpn ipsec ike-group IKE lifetime '28800' + set vpn ipsec ike-group IKE proposal 10 dh-group '14' + set vpn ipsec ike-group IKE proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE proposal 10 hash 'sha256' + set vpn ipsec ike-group IKE proposal 10 prf 'prfsha256' + +**2. Configure ESP-group (IKE Phase 2)** + +.. code-block:: none + + set vpn ipsec esp-group ESP lifetime '3600' + set vpn ipsec esp-group ESP mode 'tunnel' + set vpn ipsec esp-group ESP pfs 'enable' + set vpn ipsec esp-group ESP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP proposal 10 hash 'sha256' + +**3. Specify interface facing to the protected destination.** + +.. code-block:: none + + set vpn ipsec interface eth0 + +**4. Configure PSK keys and authentication ids for this key if authentication type is PSK** + +.. code-block:: none + + set vpn ipsec authentication psk PSK-KEY id '192.168.0.2' + set vpn ipsec authentication psk PSK-KEY id '192.168.5.2' + set vpn ipsec authentication psk PSK-KEY secret 'vyos' + +To set base64 secret encode plaintext password to base64 and set secret-type + +.. code-block:: none + + echo -n "vyos" | base64 + dnlvcw== + +.. code-block:: none + + set vpn ipsec authentication psk PSK-KEY secret 'dnlvcw==' + set vpn ipsec authentication psk PSK-KEY secret-type base64 + + +**5. Configure peer and apply IKE-group and esp-group to peer.** + +.. 
code-block:: none + + set vpn ipsec site-to-site peer PEER1 authentication local-id '192.168.0.2' + set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer PEER1 authentication remote-id '192.168.5.2' + set vpn ipsec site-to-site peer PEER1 connection-type 'initiate' + set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP' + set vpn ipsec site-to-site peer PEER1 ike-group 'IKE' + set vpn ipsec site-to-site peer PEER1 local-address '192.168.0.2' + set vpn ipsec site-to-site peer PEER1 remote-address '192.168.5.2' + + Peer selects the key from step 4 according to local-id/remote-id pair. + +**6. Depends to vpn type (route-based vpn or policy-based vpn).** + + **6.1 For Policy-based VPN configure SAs using tunnel command specifying remote and local networks.** + + .. code-block:: none + + set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix '192.168.10.0/24' + set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix '192.168.50.0/24' + + **6.2 For Route-based VPN create VTI interface, set IP address to this interface and bind this interface to the vpn peer.** + + .. code-block:: none + + set interfaces vti vti1 address 10.0.0.1/30 + set vpn ipsec site-to-site peer PEER1 vti bind vti1 + set vpn ipsec options disable-route-autoinstall + + Create routing between local networks via VTI interface using dynamic or + static routing. + + .. code-block:: none + + set protocol static route 192.168.50.0/24 next-hop 10.0.0.2 + +Initiator and Responder Connection Types +======================================== + +In Site-to-Site IPsec VPN it is recommended that one peer should be an +initiator and the other - the responder. The initiator actively establishes +the VPN tunnel. The responder passively waits for the remote peer to +establish the VPN tunnel. Depends on selected role it is recommended +select proper values for close-action and DPD action. 
+ +The result of wrong value selection can be unstable work of the VPN. + * Duplicate CHILD SA creation. + * None of the VPN sides initiates the tunnel establishment. + +Below flow-chart could be a quick reference for the close-action +combination depending on how the peer is configured. + +.. figure:: /_static/images/IPSec_close_action_settings.png + +Similar combinations are applicable for the dead-peer-detection. + +Detailed Configuration Commands +=============================== + +PSK Key Authentication +---------------------- + +.. cfgcmd:: set vpn ipsec authentication psk dhcp-interface + + ID for authentication generated from DHCP address + dynamically. + +.. cfgcmd:: set vpn ipsec authentication psk id + + static ID's for authentication. In general local and remote + address ````, ```` or ``%any``. + +.. cfgcmd:: set vpn ipsec authentication psk secret + + A predefined shared secret used in configured mode + ``pre-shared-secret``. Base64-encoded secrets are allowed if + `secret-type base64` is configured. + +.. cfgcmd:: set vpn ipsec authentication psk secret-type + + Specifies the secret type: + + * **plaintext** - Plain text type (default value). + * **base64** - Base64 type. + +Peer Configuration +------------------ + +Peer Authentication Commands +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication mode + + Mode for authentication between VyOS and remote peer: + + * **pre-shared-secret** - Use predefined shared secret phrase. + * **rsa** - Use simple shared RSA key. + * **x509** - Use certificates infrastructure for authentication. + + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication local-id + + ID for the local VyOS router. If defined, during the authentication + it will be send to remote peer. + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication remote-id + + ID for remote peer, instead of using peer name or + address. 
Useful in case if the remote peer is behind NAT + or if ``mode x509`` is used. + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication rsa local-key + + Name of PKI key-pair with local private key. + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication rsa remote-key + + Name of PKI key-pair with remote public key. + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication rsa passphrase + + Local private key passphrase. + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication use-x509-id + + Use local ID from x509 certificate. Cannot be used when + ``id`` is defined. + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication x509 ca-certificate + + Name of CA certificate in PKI configuration. Using for authenticating + remote peer in x509 mode. + +.. cfgcmd:: set vpn ipsec site-to-site peer authentication x509 certificate + + Name of certificate in PKI configuration, which will be used + for authenticating local router on remote peer. + +.. cfgcmd:: set vpn ipsec authentication x509 passphrase + + Private key passphrase, if needed. + +Global Peer Configuration Commands +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. cfgcmd:: set vpn ipsec site-to-site peer connection-type + + Operational mode defines how to handle this connection process. + + * **initiate** - does initial connection to remote peer immediately + after configuring and after boot. In this mode the connection will + not be restarted in case of disconnection, therefore should be used + only together with DPD or another session tracking methods. + * **respond** - does not try to initiate a connection to a remote + peer. In this mode, the IPsec session will be established only + after initiation from a remote peer. Could be useful when there + is no direct connectivity to the peer due to firewall or NAT in + the middle of the local and remote side. + * **none** - loads the connection only, which then can be manually + initiated or used as a responder configuration. + +.. 
cfgcmd:: set vpn ipsec site-to-site peer default-esp-group + + Name of ESP group to use by default for traffic encryption. + Might be overwritten by individual settings for tunnel or VTI + interface binding. + +.. cfgcmd:: set vpn ipsec site-to-site peer description + + Description for this peer. + +.. cfgcmd:: set vpn ipsec site-to-site peer dhcp-interface + + Specify the interface which IP address, received from DHCP for IPSec + connection with this peer, will be used as ``local-address``. + +.. cfgcmd:: set vpn ipsec site-to-site peer force-udp-encapsulation + + Force encapsulation of ESP into UDP datagrams. Useful in case if + between local and remote side is firewall or NAT, which not + allows passing plain ESP packets between them. + +.. cfgcmd:: set vpn ipsec site-to-site peer ike-group + + Name of IKE group to use for key exchanges. + +.. cfgcmd:: set vpn ipsec site-to-site peer local-address
+ + Local IP address for IPsec connection with this peer. + If defined ``any``, then an IP address which configured on interface with + default route will be used. + +.. cfgcmd:: set vpn ipsec site-to-site peer remote-address
+ + Remote IP address or hostname for IPsec connection. IPv4 or IPv6 + address is used when a peer has a public static IP address. Hostname + is a DNS name which could be used when a peer has a public IP + address and DNS name, but an IP address could be changed from time + to time. + +.. cfgcmd:: set vpn ipsec site-to-site peer replay-window + + IPsec replay window to configure for CHILD_SAs + (default: 32), a value of 0 disables IPsec replay protection. + +.. cfgcmd:: set vpn ipsec site-to-site peer virtual-address
+ + Defines a virtual IP address which is requested by the initiator and + one or several IPv4 and/or IPv6 addresses are assigned from multiple + pools by the responder. The wildcard addresses 0.0.0.0 and :: + request an arbitrary address, specific addresses may be defined. + +CHILD SAs Configuration Commands +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Policy-Based CHILD SAs Configuration Commands +""""""""""""""""""""""""""""""""""""""""""""" + +Every configured tunnel under peer configuration is a new CHILD SA. + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel disable + + Disable this tunnel. + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel esp-group + + Specify ESP group for this CHILD SA. + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel priority + + Priority for policy-based IPsec VPN tunnels (lowest value more + preferable). + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel protocol + + Define the protocol for match traffic, which should be encrypted and + send to this peer. + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel local prefix + + IP network at the local side. + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel local port + + Local port number. Have effect only when used together with + ``prefix``. + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel remote prefix + + IP network at the remote side. + +.. cfgcmd:: set vpn ipsec site-to-site peer tunnel remote port + + Remote port number. Have effect only when used together with + ``prefix``. + +Route-Based CHILD SAs Configuration Commands +""""""""""""""""""""""""""""""""""""""""""""" + +To configure route-based VPN it is enough to create vti interface and +bind it to the peer. Any traffic, which will be send to VTI interface +will be encrypted and send to this peer. 
Using VTI makes IPsec +configuration much flexible and easier in complex situation, and +allows to dynamically add/delete remote networks, reachable via a +peer, as in this mode router don't need to create additional SA/policy +for each remote network. + +.. warning:: When using site-to-site IPsec with VTI interfaces, + be sure to disable route autoinstall. + +.. code-block:: none + + set vpn ipsec options disable-route-autoinstall + +.. cfgcmd:: set vpn ipsec site-to-site peer vti bind + + VTI interface to bind to this peer. + +.. cfgcmd:: set vpn ipsec site-to-site peer vti esp-group + + ESP group for encrypt traffic, passed this VTI interface. + +Traffic-selectors parameters for traffic that should pass via vti +interface. + +.. cfgcmd:: set vpn ipsec site-to-site peer vti traffic-selector local prefix + + Local prefix for interesting traffic. + +.. cfgcmd:: set vpn ipsec site-to-site peer vti traffic-selector remote prefix + + Remote prefix for interesting traffic. + +IPsec Op-mode Commands +====================== + +.. opcmd:: show vpn ike sa + + Shows active IKE SAs information. + +.. opcmd:: show vpn ike secrets + + Shows configured authentication keys. + +.. opcmd:: show vpn ike status + + Shows Strongswan daemon status. + +.. opcmd:: show vpn ipsec connections + + Shows summary status of all configured IKE and IPsec SAs. + +.. opcmd:: show vpn ipsec sa [detail] + + Shows active IPsec SAs information. + +.. opcmd:: show vpn ipsec status + + Shows status of IPsec process. + +.. opcmd:: show vpn ipsec policy + + Shows the in-kernel crypto policies. + +.. opcmd:: show vpn ipsec state + + Shows the in-kernel crypto state. + +.. opcmd:: show log ipsec + + Shows IPsec logs. + +.. opcmd:: reset vpn ipsec site-to-site all + + Clear all ipsec connection and reinitiate them if VyOS is configured + as initiator. + +.. opcmd:: reset vpn ipsec site-to-site peer + + Clear all peer IKE SAs with IPsec SAs and reinitiate them if VyOS is + configured as initiator. + +.. 
opcmd:: reset vpn ipsec site-to-site peer tunnel + + Clear scpecific IPsec SA and reinitiate it if VyOS is configured as + initiator. + +.. opcmd:: reset vpn ipsec site-to-site peer vti + + Clear IPsec SA which is map to vti interface of this peer and + reinitiate it if VyOS is configured as initiator. + +.. opcmd:: restart ipsec + + Restart Strongswan daemon. + +********* +Examples: +********* + +Policy-Based VPN Example +======================== + +**PEER1:** + +* WAN interface on `eth0` +* `eth0` interface IP: `10.0.1.2/30` +* `dum0` interface IP: `192.168.0.1/24` (for testing purposes) +* Initiator + +**PEER2:** + +* WAN interface on `eth0` +* `eth0` interface IP: `10.0.2.2/30` +* `dum0` interface IP: `192.168.1.0/24` (for testing purposes) +* Responder + +.. code-block:: none + + # PEER1 + set interfaces dummy dum0 address '192.168.0.1/32' + set interfaces ethernet eth0 address '10.0.1.2/30' + set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 + set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' + set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' + set vpn ipsec authentication psk AUTH-PSK secret 'test' + set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' + set vpn ipsec ike-group IKE-GROUP close-action 'start' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1' + set vpn ipsec ike-group IKE-GROUP lifetime '28800' + set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' + set vpn ipsec interface 'eth0' + set vpn ipsec site-to-site peer PEER2 authentication local-id 
'10.0.1.2' + set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2' + set vpn ipsec site-to-site peer PEER2 connection-type 'initiate' + set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP' + set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2' + set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2' + set vpn ipsec site-to-site peer PEER2 tunnel 0 local prefix '192.168.0.0/24' + set vpn ipsec site-to-site peer PEER2 tunnel 0 remote prefix '192.168.1.0/24' + + + # PEER2 + set interfaces dummy dum0 address '192.168.1.1/32' + set interfaces ethernet eth0 address '10.0.2.2/30' + set protocols static route 0.0.0.0/0 next-hop 10.0.2.1 + set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' + set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' + set vpn ipsec authentication psk AUTH-PSK secret 'test' + set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' + set vpn ipsec ike-group IKE-GROUP close-action 'none' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1' + set vpn ipsec ike-group IKE-GROUP lifetime '28800' + set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' + set vpn ipsec interface 'eth0' + set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2' + set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer PEER1 
authentication remote-id '10.0.1.2' + set vpn ipsec site-to-site peer PEER1 connection-type 'respond' + set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP' + set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2' + set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2' + set vpn ipsec site-to-site peer PEER1 tunnel 0 local prefix '192.168.1.0/24' + set vpn ipsec site-to-site peer PEER1 tunnel 0 remote prefix '192.168.0.0/24' + + +Show status of policy-based IPsec VPN setup: + +.. code-block:: none + + vyos@PEER2:~$ show vpn ike sa + Peer ID / IP Local ID / IP + ------------ ------------- + 10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv1 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 1254 25633 + + + vyos@srv-gw0:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + -------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- + PEER1-tunnel-0 up 20m42s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048 + + vyos@PEER2:~$ show vpn ipsec connections + Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal + -------------- ------- ------ ---------------- -------------- -------------- ---------- ----------- ---------------------------------- + PEER1 up IKEv1 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 + PEER1-tunnel-0 up IPsec 10.0.1.2 192.168.1.0/24 192.168.0.0/24 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 + +If there is SNAT rules on eth0, need to add exclude rule + +.. 
code-block:: none + + # PEER1 side + set nat source rule 10 destination address '192.168.1.0/24' + set nat source rule 10 'exclude' + set nat source rule 10 outbound-interface name 'eth0' + set nat source rule 10 source address '192.168.0.0/24' + + # PEER2 side + set nat source rule 10 destination address '192.168.0.0/24' + set nat source rule 10 'exclude' + set nat source rule 10 outbound-interface name 'eth0' + set nat source rule 10 source address '192.168.1.0/24' + + +Route-Based VPN Example +======================= + +**PEER1:** + +* WAN interface on `eth0` +* `eth0` interface IP: `10.0.1.2/30` +* 'vti0' interface IP: `10.100.100.1/30` +* `dum0` interface IP: `192.168.0.1/24` (for testing purposes) +* Role: Initiator + +**PEER2:** + +* WAN interface on `eth0` +* `eth0` interface IP: `10.0.2.2/30` +* 'vti0' interface IP: `10.100.100.2/30` +* `dum0` interface IP: `192.168.1.0/24` (for testing purposes) +* Role: Responder + +.. code-block:: none + + # PEER1 + set interfaces dummy dum0 address '192.168.0.1/32' + set interfaces ethernet eth0 address '10.0.1.2/30' + set interfaces vti vti0 address '10.100.100.1/30' + set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 + set protocols static route 192.168.1.0/24 next-hop 10.100.100.2 + set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' + set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' + set vpn ipsec authentication psk AUTH-PSK secret 'test' + set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' + set vpn ipsec ike-group IKE-GROUP close-action 'start' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' + set vpn ipsec ike-group IKE-GROUP lifetime '28800' + set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' + set vpn ipsec 
ike-group IKE-GROUP proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' + set vpn ipsec interface 'eth0' + set vpn ipsec options disable-route-autoinstall + set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2' + set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2' + set vpn ipsec site-to-site peer PEER2 connection-type 'initiate' + set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP' + set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2' + set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2' + set vpn ipsec site-to-site peer PEER2 vti bind 'vti0' + + + # PEER2 + set interfaces dummy dum0 address '192.168.1.1/32' + set interfaces ethernet eth0 address '10.0.2.2/30' + set interfaces vti vti0 address '10.100.100.2/30' + set protocols static route 0.0.0.0/0 next-hop 10.0.2.1 + set protocols static route 192.168.0.0/24 next-hop 10.100.100.1 + set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' + set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' + set vpn ipsec authentication psk AUTH-PSK secret 'test' + set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' + set vpn ipsec ike-group IKE-GROUP close-action 'none' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' + set vpn ipsec ike-group IKE-GROUP lifetime '28800' + set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' + set vpn ipsec interface 'eth0' + 
set vpn ipsec options disable-route-autoinstall + set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2' + set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2' + set vpn ipsec site-to-site peer PEER1 connection-type 'respond' + set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP' + set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2' + set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2' + set vpn ipsec site-to-site peer PEER1 vti bind 'vti0' + +Show status of route-based IPsec VPN setup: + +.. code-block:: none + + vyos@PEER2:~$ show vpn ike sa + Peer ID / IP Local ID / IP + ------------ ------------- + 10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv2 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 404 27650 + + vyos@PEER2:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + ------------ ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- + PEER1-vti up 3m28s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048 + + vyos@PEER2:~$ show vpn ipsec connections + Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal + ------------ ------- ------ ---------------- ---------- ----------- ---------- ----------- ---------------------------------- + PEER1 up IKEv2 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 + PEER1-vti up IPsec 10.0.1.2 0.0.0.0/0 0.0.0.0/0 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 + ::/0 ::/0 
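Review bot: the address bullets in both example sections of this hunk do not match the configuration that follows them: the PEER1 bullet gives `dum0` as `192.168.0.1/24` and the PEER2 bullet gives `192.168.1.0/24` (a network address, not a host), while the config applies `set interfaces dummy dum0 address '192.168.0.1/32'` and `set interfaces dummy dum0 address '192.168.1.1/32'`; either align the bullets with the /32 host addresses or change the config to what the bullets describe, since the tunnel selectors (`192.168.0.0/24` and `192.168.1.0/24`) are what readers will try to reproduce. Smaller points in the same hunk: the `show vpn ipsec sa` output in the policy-based status block comes from a `vyos@srv-gw0:~$` prompt while the surrounding output is from `vyos@PEER2`; `ESP-GRPOUP` in every esp-group and default-esp-group line reads as a typo for `ESP-GROUP` (harmless because it is used consistently, but confusing in documentation); `scpecific` in the description of `reset vpn ipsec site-to-site peer tunnel`; and the route-based PEER1 DPD block omits the `dead-peer-detection timeout '120'` line that the policy-based example has, so the two examples differ without explanation. It would also help to say in the example intro that `secret 'test'`, `hash 'sha1'` and `key-exchange 'ikev1'` are lab placeholders rather than recommended values, since this page is what operators copy from.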
diff --git a/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst b/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst new file mode 100644 index 00000000..fdeb347d --- /dev/null +++ b/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst 
@@ -0,0 +1,323 @@ +.. _troubleshooting_ipsec: + +###################################### +Troubleshooting Site-to-Site VPN IPsec +###################################### + +************ +Introduction +************ + +This document describes the methodology to monitor and troubleshoot +Site-to-Site VPN IPsec. + +Steps for troubleshooting problems with Site-to-Site VPN IPsec: + 1. Ping the remote site through the tunnel using the source and + destination IPs included in the policy. + 2. Check connectivity between the routers using the ping command + (if ICMP traffic is allowed). + 3. Check the IKE SAs' statuses. + 4. Check the IPsec SAs' statuses. + 5. Check logs to view debug messages. + +********************** +Checking IKE SA Status +********************** + +The next command shows IKE SAs' statuses. + +.. code-block:: none + + vyos@vyos:~$ show vpn ike sa + + Peer ID / IP Local ID / IP + ------------ ------------- + 192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 162 27023 + +This command shows the next information: + - IKE SA status. + - Selected IKE version. + - Selected Encryption, Hash and Diffie-Hellman Group. + - NAT-T. + - ID and IP of both peers. + - A-Time: established time, L-Time: time for next rekeying. + +************************** +IPsec SA (CHILD SA) Status +************************** + +The next commands show IPsec SAs' statuses. + +.. code-block:: none + + vyos@vyos:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + ------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- + PEER-tunnel-1 up 16m30s 168B/168B 2/2 192.168.1.2 192.168.1.2 AES_CBC_128/HMAC_SHA1_96/MODP_2048 + +.. 
code-block:: none + + vyos@vyos:~$ show vpn ipsec sa detail + PEER: #1, ESTABLISHED, IKEv2, 101275ac719d5a1b_i* 68ea4ec3bed3bf0c_r + local '192.168.0.1' @ 192.168.0.1[4500] + remote '192.168.1.2' @ 192.168.1.2[4500] + AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + established 4054s ago, rekeying in 23131s + PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048 + installed 1065s ago, rekeying in 1998s, expires in 2535s + in c5821882, 168 bytes, 2 packets, 81s ago + out c433406a, 168 bytes, 2 packets, 81s ago + local 10.0.0.0/24 + remote 10.0.1.0/24 + +These commands show the next information: + - IPsec SA status. + - Uptime and time for the next rekeing. + - Amount of transferred data. + - Remote and local ID and IP. + - Selected Encryption, Hash and Diffie-Hellman Group. + - Mode (tunnel or transport). + - Remote and local prefixes which are use for policy. + +There is a possibility to view the summarized information of SAs' status + +.. code-block:: none + + vyos@vyos:~$ show vpn ipsec connections + Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal + ------------- ------- ------ ---------------- ----------- ----------- ----------- ----------- ---------------------------------- + PEER up IKEv2 192.168.1.2 - - 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048 + PEER-tunnel-1 up IPsec 192.168.1.2 10.0.0.0/24 10.0.1.0/24 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048 + +************************** +Viewing Logs for Debugging +************************** + +If IKE SAs or IPsec SAs are down, need to debug IPsec connectivity +using logs ``show log ipsec`` + +The next example of the successful IPsec connection initialization. + +.. 
code-block:: none + + vyos@vyos:~$ show log ipsec + Jun 20 14:29:47 charon[2428]: 02[NET] received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) + Jun 20 14:29:47 charon[2428]: 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] + Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) + Jun 20 14:29:47 charon[2428]: 02[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] + Jun 20 14:29:47 charon-systemd[2428]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 20 14:29:47 charon[2428]: 02[IKE] authentication of '192.168.0.1' (myself) with pre-shared key + Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.0.1' (myself) with pre-shared key + Jun 20 14:29:47 charon[2428]: 02[IKE] establishing CHILD_SA PEER-tunnel-1{1} + Jun 20 14:29:47 charon-systemd[2428]: establishing CHILD_SA PEER-tunnel-1{1} + Jun 20 14:29:47 charon[2428]: 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] + Jun 20 14:29:47 charon-systemd[2428]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] + Jun 20 14:29:47 charon[2428]: 02[NET] sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) + Jun 20 14:29:47 charon-systemd[2428]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) + Jun 20 14:29:47 charon[2428]: 13[NET] received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes) + Jun 20 14:29:47 charon[2428]: 13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) 
N(NO_ADD_ADDR) ] + Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes) + Jun 20 14:29:47 charon[2428]: 13[IKE] authentication of '192.168.1.2' with pre-shared key successful + Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ] + Jun 20 14:29:47 charon[2428]: 13[IKE] peer supports MOBIKE + Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.1.2' with pre-shared key successful + Jun 20 14:29:47 charon[2428]: 13[IKE] IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] + Jun 20 14:29:47 charon-systemd[2428]: peer supports MOBIKE + Jun 20 14:29:47 charon[2428]: 13[IKE] scheduling rekeying in 27703s + Jun 20 14:29:47 charon-systemd[2428]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] + Jun 20 14:29:47 charon[2428]: 13[IKE] maximum IKE_SA lifetime 30583s + Jun 20 14:29:47 charon-systemd[2428]: scheduling rekeying in 27703s + Jun 20 14:29:47 charon[2428]: 13[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ + Jun 20 14:29:47 charon-systemd[2428]: maximum IKE_SA lifetime 30583s + Jun 20 14:29:47 charon-systemd[2428]: selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ + Jun 20 14:29:47 charon[2428]: 13[IKE] CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24 + Jun 20 14:29:47 charon-systemd[2428]: CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24 + +************************ +Troubleshooting Examples +************************ + +IKE PROPOSAL are Different +========================== + +In this situation, IKE SAs can be down or not active. + +.. code-block:: none + + vyos@vyos:~$ show vpn ike sa + +The problem is in IKE phase (Phase 1). The next step is checking debug logs. + +Responder Side: + +.. 
code-block:: none + + Jun 23 07:36:33 charon[2440]: 01[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 07:36:33 charon-systemd[2440]: received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 07:36:33 charon[2440]: 01[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 07:36:33 charon-systemd[2440]: configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 07:36:33 charon[2440]: 01[IKE] <1> received proposals unacceptable + Jun 23 07:36:33 charon-systemd[2440]: received proposals unacceptable + Jun 23 07:36:33 charon[2440]: 01[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ] + +Initiator side: + +.. code-block:: none + + Jun 23 07:36:32 charon-systemd[2444]: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ] + Jun 23 07:36:32 charon[2444]: 14[IKE] received NO_PROPOSAL_CHOSEN notify error + Jun 23 07:36:32 charon-systemd[2444]: received NO_PROPOSAL_CHOSEN notify error + +The notification **NO_PROPOSAL_CHOSEN** means that the proposal mismatch. +On the Responder side there is concrete information where is mismatch. +Encryption **AES_CBC_128** is configured in IKE policy on the responder +but **AES_CBC_256** is configured on the initiator side. + +PSK Secret Mismatch +=================== + +In this situation, IKE SAs can be down or not active. + +.. code-block:: none + + vyos@vyos:~$ show vpn ike sa + +The problem is in IKE phase (Phase 1). The next step is checking debug logs. + +Responder: + +.. code-block:: none + + Jun 23 08:07:26 charon-systemd[2440]: tried 1 shared key for '192.168.1.2' - '192.168.0.1', but MAC mismatched + Jun 23 08:07:26 charon[2440]: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] + +Initiator side: + +.. 
code-block:: none + + Jun 23 08:07:24 charon[2436]: 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] + Jun 23 08:07:24 charon-systemd[2436]: parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] + Jun 23 08:07:24 charon[2436]: 12[IKE] received AUTHENTICATION_FAILED notify error + Jun 23 08:07:24 charon-systemd[2436]: received AUTHENTICATION_FAILED notify error + +The notification **AUTHENTICATION_FAILED** means that the authentication +is failed. There is a reason to check PSK on both side. + +ESP Proposal Mismatch +===================== + +The output of **show** commands shows us that IKE SA is established but +IPSec SA is not. + +.. code-block:: none + + vyos@vyos:~$ show vpn ike sa + Peer ID / IP Local ID / IP + ------------ ------------- + 192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 158 26817 + +.. code-block:: none + + vyos@vyos:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + ------------ ------- -------- -------------- ---------------- ---------------- ----------- ---------- + +The next step is checking debug logs. + +Initiator side: + +.. 
code-block:: none + + Jun 23 08:16:10 charon[3789]: 13[NET] received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) + Jun 23 08:16:10 charon[3789]: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] + Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) + Jun 23 08:16:10 charon[3789]: 13[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] + Jun 23 08:16:10 charon-systemd[3789]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 08:16:10 charon[3789]: 13[IKE] authentication of '192.168.0.1' (myself) with pre-shared key + Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.0.1' (myself) with pre-shared key + Jun 23 08:16:10 charon[3789]: 13[IKE] establishing CHILD_SA PEER-tunnel-1{1} + Jun 23 08:16:10 charon-systemd[3789]: establishing CHILD_SA PEER-tunnel-1{1} + Jun 23 08:16:10 charon[3789]: 13[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] + Jun 23 08:16:10 charon-systemd[3789]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] + Jun 23 08:16:10 charon[3789]: 13[NET] sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) + Jun 23 08:16:10 charon-systemd[3789]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) + Jun 23 08:16:10 charon[3789]: 09[NET] received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes) + Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes) + Jun 23 08:16:10 
charon[3789]: 09[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ] + Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ] + Jun 23 08:16:10 charon[3789]: 09[IKE] authentication of '192.168.1.2' with pre-shared key successful + Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.1.2' with pre-shared key successful + Jun 23 08:16:10 charon[3789]: 09[IKE] peer supports MOBIKE + Jun 23 08:16:10 charon-systemd[3789]: peer supports MOBIKE + Jun 23 08:16:10 charon[3789]: 09[IKE] IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] + Jun 23 08:16:10 charon-systemd[3789]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] + Jun 23 08:16:10 charon[3789]: 09[IKE] scheduling rekeying in 26975s + Jun 23 08:16:10 charon-systemd[3789]: scheduling rekeying in 26975s + Jun 23 08:16:10 charon[3789]: 09[IKE] maximum IKE_SA lifetime 29855s + Jun 23 08:16:10 charon-systemd[3789]: maximum IKE_SA lifetime 29855s + Jun 23 08:16:10 charon[3789]: 09[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built + Jun 23 08:16:10 charon-systemd[3789]: received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built + Jun 23 08:16:10 charon[3789]: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA + Jun 23 08:16:10 charon-systemd[3789]: failed to establish CHILD_SA, keeping IKE_SA + +There are messages: **NO_PROPOSAL_CHOSEN** and +**failed to establish CHILD_SA** which refers that the problem is in +the IPsec(ESP) proposal mismatch. + +The reason of this problem is showed on the responder side. + +.. 
code-block:: none + + Jun 23 08:16:12 charon[2440]: 01[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ + Jun 23 08:16:12 charon-systemd[2440]: received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ + Jun 23 08:16:12 charon[2440]: 01[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ + Jun 23 08:16:12 charon-systemd[2440]: configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ + Jun 23 08:16:12 charon[2440]: 01[IKE] no acceptable proposal found + Jun 23 08:16:12 charon-systemd[2440]: no acceptable proposal found + Jun 23 08:16:12 charon[2440]: 01[IKE] failed to establish CHILD_SA, keeping IKE_SA + +Encryption **AES_CBC_128** is configured in IKE policy on the responder but **AES_CBC_256** +is configured on the initiator side. + +Prefixes in Policies Mismatch +============================= + +As in previous situation, IKE SA is in up state but IPsec SA is not up. +According to logs we can see **TS_UNACCEPTABLE** notification. It means +that prefixes (traffic selectors) mismatch on both sides + +Initiator: + +.. code-block:: none + + Jun 23 14:13:17 charon[4996]: 11[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built + Jun 23 14:13:17 charon-systemd[4996]: maximum IKE_SA lifetime 29437s + Jun 23 14:13:17 charon[4996]: 11[IKE] failed to establish CHILD_SA, keeping IKE_SA + Jun 23 14:13:17 charon-systemd[4996]: received TS_UNACCEPTABLE notify, no CHILD_SA built + Jun 23 14:13:17 charon-systemd[4996]: failed to establish CHILD_SA, keeping IKE_SA + +The reason of this problem is showed on the responder side. + +.. 
code-block:: none + + Jun 23 14:13:19 charon[2440]: 01[IKE] traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable + Jun 23 14:13:19 charon-systemd[2440]: traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable + Jun 23 14:13:19 charon[2440]: 01[IKE] failed to establish CHILD_SA, keeping IKE_SA + Jun 23 14:13:19 charon-systemd[2440]: failed to establish CHILD_SA, keeping IKE_SA + Jun 23 14:13:19 charon[2440]: 01[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ] + Jun 23 14:13:19 charon-systemd[2440]: generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ] + +Traffic selectors **10.0.2.0/24 === 10.0.0.0/24** are unacceptable on the +responder side. + + diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst deleted file mode 100644 index 400aff29..00000000 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ /dev/null 
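Review bot: the closing sentence of the ESP Proposal Mismatch section attributes the mismatch to the wrong policy: it states that AES_CBC_128 is configured in the IKE policy on the responder, but the responder log lines it explains are `received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ` and `configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ`, i.e. the ESP group, and the sentence is a verbatim copy of the one from the IKE section. Suggest rewording it to name the esp-group, and also noting that the configured ESP proposal carries `MODP_2048` (PFS) while the received one does not, so a reader learns to compare both the cipher and the PFS group. Two further items in this hunk: in the IKE PROPOSAL and PSK Secret Mismatch sections the `show vpn ike sa` code blocks contain only the command, so they look truncated; adding a line stating that the command returns no IKE SA makes the intended empty output explicit. Spelling and grammar to fix: `rekeing`, `which are use for policy`, `the authentication is failed`, `check PSK on both side`, `is showed on the responder side` (twice), `IPSec SA` vs `IPsec` elsewhere on the page, the missing period after `mismatch on both sides`, and the sentence `The next example of the successful IPsec connection initialization.` has no verb.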
@@ -1,433 +0,0 @@ -.. _size2site_ipsec: - -Site-to-Site -============ - -Site-to-site mode provides a way to add remote peers, which could be configured -to exchange encrypted information between them and VyOS itself or -connected/routed networks. - -To configure site-to-site connection you need to add peers with the -``set vpn ipsec site-to-site peer `` command. - -The peer name must be an alphanumeric and can have hypen or underscore as -special characters. It is purely informational. - -Each site-to-site peer has the next options: - -* ``authentication`` - configure authentication between VyOS and a remote peer. - If pre-shared-secret mode is used, the secret key must be defined in - ``set vpn ipsec authentication`` and suboptions: - - * ``psk`` - Preshared secret key name: - - * ``dhcp-interface`` - ID for authentication generated from DHCP address - dynamically; - * ``id`` - static ID's for authentication. In general local and remote - address ````, ```` or ``%any``; - * ``secret`` - a predefined shared secret used in configured mode - ``pre-shared-secret``. Base64-encoded secrets are allowed if - `secret-type base64` is configured; - * ``secret-type`` - specifies the secret type, either ``plaintext`` or - ``base64``. Default to ``plaintext``; - - - * ``local-id`` - ID for the local VyOS router. If defined, during the - authentication - it will be send to remote peer; - - * ``mode`` - mode for authentication between VyOS and remote peer: - - * ``pre-shared-secret`` - use predefined shared secret phrase; - - * ``rsa`` - use simple shared RSA key. - - * ``x509`` - use certificates infrastructure for authentication. - - * ``remote-id`` - define an ID for remote peer, instead of using peer name or - address. 
Useful in case if the remote peer is behind NAT or if ``mode x509`` - is used; - - * ``rsa`` - options for RSA authentication mode: - - * ``local-key`` - name of PKI key-pair with local private key - - * ``remote-key`` - name of PKI key-pair with remote public key - - * ``passphrase`` - local private key passphrase - - * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when - ``id`` is defined; - - * ``x509`` - options for x509 authentication mode: - - * ``ca-certificate`` - CA certificate in PKI configuration. Using for - authenticating remote peer; - - * ``certificate`` - certificate file in PKI configuration, which will be used - for authenticating local router on remote peer; - - * ``passphrase`` - private key passphrase, if needed. - -* ``connection-type`` - how to handle this connection process. Possible - variants: - - * ``initiate`` - does initial connection to remote peer immediately after - configuring and after boot. In this mode the connection will not be restarted - in case of disconnection, therefore should be used only together with DPD or - another session tracking methods; - - * ``respond`` - does not try to initiate a connection to a remote peer. In this - mode, the IPSec session will be established only after initiation from a - remote peer. Could be useful when there is no direct connectivity to the - peer due to firewall or NAT in the middle of the local and remote side. - - * ``none`` - loads the connection only, which then can be manually initiated or - used as a responder configuration. - -* ``default-esp-group`` - ESP group to use by default for traffic encryption. - Might be overwritten by individual settings for tunnel or VTI interface - binding; - -* ``description`` - description for this peer; - -* ``dhcp-interface`` - use an IP address, received from DHCP for IPSec - connection with this peer, instead of ``local-address``; - -* ``force-udp-encapsulation`` - force encapsulation of ESP into UDP datagrams. 
- Useful in case if between local and remote side is firewall or NAT, which not - allows passing plain ESP packets between them; - -* ``ike-group`` - IKE group to use for key exchanges; - -* ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process. - Can be used only with IKEv2. - Create a new IKE_SA from the scratch and try to recreate all IPsec SAs; - -* ``local-address`` - local IP address for IPSec connection with this peer. - If defined ``any``, then an IP address which configured on interface with - default route will be used; - -* ``remote-address`` - remote IP address or hostname for IPSec connection. - IPv4 or IPv6 address is used when a peer has a public static IP address. - Hostname is a DNS name which could be used when a peer has a public IP - address and DNS name, but an IP address could be changed from time to time. - -* ``replay-window`` - IPsec replay window to configure for this CHILD_SA - (default: 32), a value of 0 disables IPsec replay protection - -* ``tunnel`` - define criteria for traffic to be matched for encrypting and send - it to a peer: - - * ``disable`` - disable this tunnel; - - * ``esp-group`` - define ESP group for encrypt traffic, defined by this tunnel; - - * ``local`` - define a local source for match traffic, which should be - encrypted and send to this peer: - - * ``port`` - define port. Have effect only when used together with ``prefix``; - - * ``prefix`` - IP network at local side. - - * ``priority`` - Add priority for policy-based IPSec VPN tunnels(lowest value - more preferable) - - * ``protocol`` - define the protocol for match traffic, which should be - encrypted and send to this peer; - - * ``remote`` - define the remote destination for match traffic, which should be - encrypted and send to this peer: - - * ``port`` - define port. Have effect only when used together with ``prefix``; - - * ``prefix`` - IP network at remote side. - -* ``vti`` - use a VTI interface for traffic encryption. 
Any traffic, which will - be send to VTI interface will be encrypted and send to this peer. Using VTI - makes IPSec configuration much flexible and easier in complex situation, and - allows to dynamically add/delete remote networks, reachable via a peer, as in - this mode router don't need to create additional SA/policy for each remote - network: - - * ``bind`` - select a VTI interface to bind to this peer; - - * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI - interface. - -* ``virtual-address`` - Defines a virtual IP address which is requested by the - initiator and one or several IPv4 and/or IPv6 addresses are assigned from - multiple pools by the responder. - -Examples: ------------------- - -IKEv1 -^^^^^ - -Example: - -* WAN interface on `eth1` -* left subnet: `192.168.0.0/24` site1, server side (i.e. locality, actually - there is no client or server roles) -* left local_ip: `198.51.100.3` # server side WAN IP -* right subnet: `10.0.0.0/24` site2,remote office side -* right local_ip: `203.0.113.2` # remote office side WAN IP - -.. 
code-block:: none - - # server config - set vpn ipsec authentication psk OFFICE-B id '198.51.100.3' - set vpn ipsec authentication psk OFFICE-B id '203.0.113.2' - set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey' - set vpn ipsec esp-group office-srv-esp lifetime '1800' - set vpn ipsec esp-group office-srv-esp mode 'tunnel' - set vpn ipsec esp-group office-srv-esp pfs 'enable' - set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256' - set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1' - set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1' - set vpn ipsec ike-group office-srv-ike lifetime '3600' - set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' - set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' - set vpn ipsec interface 'eth1' - set vpn ipsec site-to-site peer OFFICE-B authentication local-id '198.51.100.3' - set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2' - set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike' - set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3' - set vpn ipsec site-to-site peer OFFICE-B remote-address '203.0.113.2' - set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'office-srv-esp' - set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '192.168.0.0/24' - set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21' - - # remote office config - set vpn ipsec authentication psk OFFICE-A id '198.51.100.3' - set vpn ipsec authentication psk OFFICE-A id '203.0.113.2' - set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey' - set vpn ipsec esp-group office-srv-esp lifetime '1800' - set vpn ipsec esp-group office-srv-esp mode 'tunnel' - set vpn ipsec esp-group office-srv-esp pfs 'enable' - set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256' - set vpn ipsec 
esp-group office-srv-esp proposal 1 hash 'sha1' - set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1' - set vpn ipsec ike-group office-srv-ike lifetime '3600' - set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' - set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' - set vpn ipsec interface 'eth1' - set vpn ipsec site-to-site peer OFFICE-A authentication local-id '203.0.113.2' - set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3' - set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike' - set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2' - set vpn ipsec site-to-site peer OFFICE-A remote-address '198.51.100.3' - set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'office-srv-esp' - set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '10.0.0.0/21' - set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '192.168.0.0/24' - -Show status of new setup: - -.. code-block:: none - - vyos@srv-gw0:~$ show vpn ike sa - Peer ID / IP Local ID / IP - ------------ ------------- - 203.0.113.2 198.51.100.3 - State Encrypt Hash D-H Grp NAT-T A-Time L-Time - ----- ------- ---- ------- ----- ------ ------ - up aes256 sha1 5 no 734 3600 - - vyos@srv-gw0:~$ show vpn ipsec sa - Peer ID / IP Local ID / IP - ------------ ------------- - 203.0.113.2 198.51.100.3 - Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto - ------ ----- ------------- ------- ---- ----- ------ ------ ----- - 0 up 7.5M/230.6K aes256 sha1 no 567 1800 all - -If there is SNAT rules on eth1, need to add exclude rule - -.. 
code-block:: none - - # server side - set nat source rule 10 destination address '10.0.0.0/24' - set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface name 'eth1' - set nat source rule 10 source address '192.168.0.0/24' - - # remote office side - set nat source rule 10 destination address '192.168.0.0/24' - set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface name 'eth1' - set nat source rule 10 source address '10.0.0.0/24' - -To allow traffic to pass through to clients, you need to add the following -rules. (if you used the default configuration at the top of this page) - -.. code-block:: none - - # server side - set firewall name OUTSIDE-LOCAL rule 32 action 'accept' - set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24' - - # remote office side - set firewall name OUTSIDE-LOCAL rule 32 action 'accept' - set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24' - -IKEv2 -^^^^^ - -Example: - -* left local_ip: 192.168.0.10 # VPN Gateway, behind NAT device -* left public_ip:172.18.201.10 -* right local_ip: 172.18.202.10 # right side WAN IP - -Imagine the following topology - -.. figure:: /_static/images/vpn_s2s_ikev2_c.png - :scale: 50 % - :alt: IPSec IKEv2 site2site VPN - - IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio) - -**LEFT:** -* WAN interface on `eth0.201` -* `eth0.201` interface IP: `172.18.201.10/24` -* `vti10` interface IP: `10.0.0.2/31` -* `dum0` interface IP: `10.0.11.1/24` (for testing purposes) - -**RIGHT:** -* WAN interface on `eth0.202` -* `eth0.201` interface IP: `172.18.202.10/24` -* `vti10` interface IP: `10.0.0.3/31` -* `dum0` interface IP: `10.0.12.1/24` (for testing purposes) - -.. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021` - gives you additional information for using /31 subnets on point-to-point - links. - -**LEFT** - -.. 
code-block:: none - - set interfaces ethernet eth0 vif 201 address '172.18.201.10/24' - set interfaces dummy dum0 address '10.0.11.1/24' - set interfaces vti vti10 address '10.0.0.2/31' - - set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.201.10' - set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.202.10' - set vpn ipsec authentication psk peer_172-18-202-10 secret 'secretkey' - set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' - set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' - set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' - set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike - set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' - set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec interface 'eth0.201' - set vpn ipsec site-to-site peer peer_172-18-202-10 authentication local-id '172.18.201.10' - set vpn ipsec site-to-site peer peer_172-18-202-10 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer peer_172-18-202-10 authentication remote-id '172.18.202.10' - set vpn ipsec site-to-site peer peer_172-18-202-10 connection-type 'initiate' - set vpn ipsec site-to-site peer peer_172-18-202-10 ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer peer_172-18-202-10 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer peer_172-18-202-10 local-address 
'172.18.201.10' - set vpn ipsec site-to-site peer peer_172-18-202-10 remote-address '172.18.202.10' - set vpn ipsec site-to-site peer peer_172-18-202-10 vti bind 'vti10' - set vpn ipsec site-to-site peer peer_172-18-202-10 vti esp-group 'ESP_DEFAULT' - - set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10 - -**RIGHT** - -.. code-block:: none - - set interfaces ethernet eth0 vif 202 address '172.18.202.10/24' - set interfaces dummy dum0 address '10.0.12.1/24' - set interfaces vti vti10 address '10.0.0.3/31' - - set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.202.10' - set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.201.10' - set vpn ipsec authentication psk peer_172-18-201-10 secret 'secretkey' - set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' - set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' - set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' - set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike - set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' - set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec interface 'eth0.202' - set vpn ipsec site-to-site peer peer_172-18-201-10 authentication local-id '172.18.202.10' - set vpn ipsec site-to-site peer peer_172-18-201-10 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer peer_172-18-201-10 
authentication remote-id '172.18.201.10' - set vpn ipsec site-to-site peer peer_172-18-201-10 connection-type 'initiate' - set vpn ipsec site-to-site peer peer_172-18-201-10 ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer peer_172-18-201-10 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer peer_172-18-201-10 local-address '172.18.202.10' - set vpn ipsec site-to-site peer peer_172-18-201-10 remote-address '172.18.201.10' - set vpn ipsec site-to-site peer peer_172-18-201-10 vti bind 'vti10' - set vpn ipsec site-to-site peer peer_172-18-201-10 vti esp-group 'ESP_DEFAULT' - - set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10 - -Key Parameters: - -* ``authentication local-id/remote-id`` - IKE identification is used for - validation of VPN peer devices during IKE negotiation. If you do not configure - local/remote-identity, the device uses the IPv4 or IPv6 address that - corresponds to the local/remote peer by default. - In certain network setups (like ipsec interface with dynamic address, or - behind the NAT ), the IKE ID received from the peer does not match the IKE - gateway configured on the device. This can lead to a Phase 1 validation - failure. - So, make sure to configure the local/remote id explicitly and ensure that the - IKE ID is the same as the remote-identity configured on the peer device. - -* ``disable-route-autoinstall`` - This option when configured disables the - routes installed in the default table 220 for site-to-site ipsec. - It is mostly used with VTI configuration. - -* ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE - notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) - are periodically sent in order to check the liveliness of the IPsec peer. The - values clear, trap, and restart all activate DPD and determine the action to - perform on a timeout. - With ``clear`` the connection is closed with no further actions taken. 
- ``trap`` installs a trap policy, which will catch matching traffic and tries - to re-negotiate the connection on demand. - ``restart`` will immediately trigger an attempt to re-negotiate the - connection. - -* ``close-action = none | clear | trap | start`` - defines the action to take - if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of - values). A closeaction should not be used if the peer uses reauthentication or - uniqueids. - - When the close-action option is set on the peers, the connection-type - of each peer has to considered carefully. For example, if the option is set - on both peers, then both would attempt to initiate and hold open multiple - copies of each child SA. This might lead to instability of the device or - cpu/memory utilization. - - Below flow-chart could be a quick reference for the close-action - combination depending on how the peer is configured. - -.. figure:: /_static/images/IPSec_close_action_settings.jpg - - Similar combinations are applicable for the dead-peer-detection.
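Review bot: Removing this file also drops the `.. _size2site_ipsec:` label at the top of the hunk, so any `:ref:` to that (misspelled) label elsewhere in the docs will fail to resolve unless the page that replaces this one defines the same label or an alias. While the content is being moved, please also make sure the pre-existing inconsistencies visible in this hunk are not carried over: the IKEv1 example describes the remote subnet as `10.0.0.0/24` and uses that in the NAT exclude and firewall rules, but the tunnel itself is configured with `set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21'` (and `local prefix '10.0.0.0/21'` on the OFFICE-A side); and under **RIGHT** the line `eth0.201 interface IP: 172.18.202.10/24` should read `eth0.202`, matching `set vpn ipsec interface 'eth0.202'`. The deleted text also refers to `/_static/images/IPSec_close_action_settings.jpg`, so the replacement figure directive needs to point at whichever image file now exists, or Sphinx will warn about a missing image.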