From ee209ead6d23aa3ca0eeafb1d439fd1060a67431 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Tue, 12 Sep 2023 14:34:27 -0300 Subject: [PATCH] Config blueprints: Add new example for policy-based ipsec site to site tunnel, plus firewall, using new firewall syntax --- .../policy-based-ipsec-and-firewall.png | Bin 0 -> 42987 bytes docs/configexamples/index.rst | 1 + .../policy-based-ipsec-and-firewall.rst | 281 ++++++++++++++++++ 3 files changed, 282 insertions(+) create mode 100644 docs/_static/images/policy-based-ipsec-and-firewall.png create mode 100644 docs/configexamples/policy-based-ipsec-and-firewall.rst
diff --git a/docs/_static/images/policy-based-ipsec-and-firewall.png b/docs/_static/images/policy-based-ipsec-and-firewall.png new file mode 100644 index 0000000000000000000000000000000000000000..6e9d43ac9274f66cebd8bbc34a727b965d61d794 GIT binary patch literal 42987
literal 0 HcmV?d00001 diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst index 80083fe1..a0413bfd 100644 --- a/docs/configexamples/index.rst +++ b/docs/configexamples/index.rst @@ -21,6 +21,7 @@ This chapter contains various configuration examples: qos segment-routing-isis nmp + policy-based-ipsec-and-firewall Configuration Blueprints (autotest) diff --git a/docs/configexamples/policy-based-ipsec-and-firewall.rst b/docs/configexamples/policy-based-ipsec-and-firewall.rst new file mode 100644 index 00000000..1f969453 --- /dev/null +++ b/docs/configexamples/policy-based-ipsec-and-firewall.rst
@@ -0,0 +1,281 @@ +.. _examples-policy-based-ipsec-and-firewall: + + +Policy-Based Site-to-Site VPN and Firewall Configuration +-------------------------------------------------------- + +This guide shows an example policy-based IKEv2 site-to-site VPN between two +VyOS routers, and firewall configiuration. + +For simplicity, configuration and tests are done only using ipv4, and firewall +configuration in done only on one router. + +Network Topology and requirements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This configuration example and the requirments consists on: + +- Two VyOS routers with public IP address. + +- 2 private subnets on each site. + +- Local subnets should be able to reach internet using source nat. + +- Communication between private subnets should be done through ipsec tunnel + without nat. + +- Configuration of basic firewall in one site, in order to: + + - Protect the router on 'WAN' interface, allowing only ipsec connections + and ssh access from trusted ips. + + - Allow access to the router only from trusted networks. + + - Allow dns requests only only for local networks. + + - Allow icmp on all interfaces. + + - Allow all new connections from local subnets. + + - Allow connections from LANs to LANs throught the tunnel. + + +.. image:: /_static/images/policy-based-ipsec-and-firewall.png + + +Configuration +^^^^^^^^^^^^^ + +Interface and routing configuration: + +.. code-block:: none + + # LEFT router: + set interfaces ethernet eth0 address '198.51.100.14/30' + set interfaces ethernet eth1 vif 111 address '10.1.11.1/24' + set interfaces ethernet eth2 vif 112 address '10.1.12.1/24' + set protocols static route 0.0.0.0/0 next-hop 198.51.100.13 + + # RIGHT router: + set interfaces ethernet eth0 address '192.0.2.130/30' + set interfaces ethernet eth1 vif 221 address '10.2.21.1/24' + set interfaces ethernet eth2 vif 222 address '10.2.22.1/24' + + +IPSec configuration: + +.. 
code-block:: none + + # LEFT router: + set vpn ipsec authentication psk RIGHT id '198.51.100.14' + set vpn ipsec authentication psk RIGHT id '192.0.2.130' + set vpn ipsec authentication psk RIGHT secret 'p4ssw0rd' + set vpn ipsec esp-group ESP-GROUP mode 'tunnel' + set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' + set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256' + set vpn ipsec interface 'eth0' + set vpn ipsec site-to-site peer RIGHT authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer RIGHT connection-type 'initiate' + set vpn ipsec site-to-site peer RIGHT default-esp-group 'ESP-GROUP' + set vpn ipsec site-to-site peer RIGHT ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer RIGHT local-address '198.51.100.14' + set vpn ipsec site-to-site peer RIGHT remote-address '192.0.2.130' + set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '10.1.11.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '10.2.21.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix '10.1.11.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix '10.2.22.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 2 local prefix '10.1.12.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 2 remote prefix '10.2.21.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 3 local prefix '10.1.12.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 3 remote prefix '10.2.22.0/24' + + # RIGHT router: + set vpn ipsec authentication psk LEFT id '192.0.2.130' + set vpn ipsec authentication psk LEFT id '198.51.100.14' + set vpn ipsec authentication psk LEFT secret 'p4ssw0rd' + set vpn ipsec esp-group ESP-GROUP mode 'tunnel' + set vpn ipsec esp-group ESP-GROUP proposal 1 
encryption 'aes256' + set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' + set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256' + set vpn ipsec interface 'eth0' + set vpn ipsec site-to-site peer LEFT authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer LEFT connection-type 'respond' + set vpn ipsec site-to-site peer LEFT default-esp-group 'ESP-GROUP' + set vpn ipsec site-to-site peer LEFT ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer LEFT local-address '192.0.2.130' + set vpn ipsec site-to-site peer LEFT remote-address '198.51.100.14' + set vpn ipsec site-to-site peer LEFT tunnel 0 local prefix '10.2.21.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 0 remote prefix '10.1.11.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix '10.2.22.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix '10.1.11.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 2 local prefix '10.2.21.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 2 remote prefix '10.1.12.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 3 local prefix '10.2.22.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 3 remote prefix '10.1.12.0/24' + +Firewall Configuration: + +.. 
code-block:: none + + # Firewall Groups: + set firewall group network-group LOCAL-NETS network '10.1.11.0/24' + set firewall group network-group LOCAL-NETS network '10.1.12.0/24' + set firewall group network-group REMOTE-NETS network '10.2.21.0/24' + set firewall group network-group REMOTE-NETS network '10.2.22.0/24' + set firewall group network-group TRUSTED network '198.51.100.125/32' + set firewall group network-group TRUSTED network '203.0.113.0/24' + set firewall group network-group TRUSTED network '10.1.11.0/24' + set firewall group network-group TRUSTED network '192.168.70.0/24' + + # Forward traffic: default drop and only allow what is needed + set firewall ipv4 forward filter default-action 'drop' + + # Forward traffic: global state policies + set firewall ipv4 forward filter rule 1 action 'accept' + set firewall ipv4 forward filter rule 1 state established 'enable' + set firewall ipv4 forward filter rule 1 state related 'enable' + set firewall ipv4 forward filter rule 2 action 'drop' + set firewall ipv4 forward filter rule 2 state invalid 'enable' + + # Forward traffic: Accept all connections from local networks + set firewall ipv4 forward filter rule 10 action 'accept' + set firewall ipv4 forward filter rule 10 source group network-group 'LOCAL-NETS' + + # Forward traffic: accept connections from remote LANs to local LANs + set firewall ipv4 forward filter rule 20 action 'accept' + set firewall ipv4 forward filter rule 20 destination group network-group 'LOCAL-NETS' + set firewall ipv4 forward filter rule 20 source group network-group 'REMOTE-NETS' + + # Input traffic: default drop and only allow what is needed + set firewall ipv4 input filter default-action 'drop' + + # Input traffic: global state policies + set firewall ipv4 input filter rule 1 action 'accept' + set firewall ipv4 input filter rule 1 state established 'enable' + set firewall ipv4 input filter rule 1 state related 'enable' + set firewall ipv4 input filter rule 2 action 'drop' + set 
firewall ipv4 input filter rule 2 state invalid 'enable' + + # Input traffic: add rules needed for ipsec connection + set firewall ipv4 input filter rule 10 action 'accept' + set firewall ipv4 input filter rule 10 destination port '500,4500' + set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth0' + set firewall ipv4 input filter rule 10 protocol 'udp' + set firewall ipv4 input filter rule 15 action 'accept' + set firewall ipv4 input filter rule 15 inbound-interface interface-name 'eth0' + set firewall ipv4 input filter rule 15 protocol 'esp' + + # Input traffic: accept ssh connection from trusted ips + set firewall ipv4 input filter rule 20 action 'accept' + set firewall ipv4 input filter rule 20 destination port '22' + set firewall ipv4 input filter rule 20 protocol 'tcp' + set firewall ipv4 input filter rule 20 source group network-group 'TRUSTED' + + # Input traffic: accepd dns requests only from local networks. + set firewall ipv4 input filter rule 25 action 'accept' + set firewall ipv4 input filter rule 25 destination port '53' + set firewall ipv4 input filter rule 25 protocol 'udp' + set firewall ipv4 input filter rule 25 source group network-group 'LOCAL-NETS' + + # Input traffic: allow icmp + set firewall ipv4 input filter rule 30 action 'accept' + set firewall ipv4 input filter rule 30 protocol 'icmp' + +And NAT Configuration: + +.. code-block:: none + + set nat source rule 10 destination group network-group 'REMOTE-NETS' + set nat source rule 10 exclude + set nat source rule 10 outbound-interface 'eth0' + set nat source rule 10 source group network-group 'LOCAL-NETS' + set nat source rule 20 outbound-interface 'eth0' + set nat source rule 20 source group network-group 'LOCAL-NETS' + set nat source rule 20 translation address 'masquerade' + +Checking through op-mode commands +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +After some testing, we can check ipsec status, and counter on every tunnel: + +.. 
code-block:: none + + vyos@LEFT:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + -------------- ------- -------- -------------- ---------------- ---------------- ----------- --------------------------------------- + RIGHT-tunnel-0 up 36m24s 840B/840B 10/10 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 + RIGHT-tunnel-1 up 36m33s 588B/588B 7/7 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 + RIGHT-tunnel-2 up 35m50s 1K/1K 15/15 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 + RIGHT-tunnel-3 up 36m54s 2K/2K 32/32 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 + vyos@LEFT:~$ + + +Also, we can check firewall counters: + +.. code-block:: none + + vyos@LEFT:~$ show firewall + Rulesets Information + + --------------------------------- + IPv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------------------------------------ + 1 accept all 681 96545 ct state { established, related } accept + 2 drop all 0 0 ct state invalid + 10 accept all 360 27205 ip saddr @N_LOCAL-NETS accept + 20 accept all 8 648 ip daddr @N_LOCAL-NETS ip saddr @N_REMOTE-NETS accept + default drop all + + --------------------------------- + IPv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------------- + 1 accept all 901 123709 ct state { established, related } accept + 2 drop all 0 0 ct state invalid + 10 accept udp 0 0 udp dport { 500, 4500 } iifname "eth0" accept + 15 accept esp 0 0 meta l4proto esp iifname "eth0" accept + 20 accept tcp 1 60 tcp dport 22 ip saddr @N_TRUSTED accept + 25 accept udp 0 0 udp dport 53 ip saddr @N_LOCAL-NETS accept + 30 accept icmp 0 0 meta l4proto icmp accept + default drop all + + vyos@LEFT:~$ + vyos@LEFT:~$ show firewall statistics + 
Rulesets Statistics + + --------------------------------- + IPv4 Firewall "forward filter" + + Rule Packets Bytes Action Source Destination Inbound-Interface Outbound-interface + ------- --------- ------- -------- ----------- ------------- ------------------- -------------------- + 1 681 96545 accept any any any any + 2 0 0 drop any any any any + 10 360 27205 accept LOCAL-NETS any any any + 20 8 648 accept REMOTE-NETS LOCAL-NETS any any + default N/A N/A drop any any any any + + --------------------------------- + IPv4 Firewall "input filter" + + Rule Packets Bytes Action Source Destination Inbound-Interface Outbound-interface + ------- --------- ------- -------- ---------- ------------- ------------------- -------------------- + 1 905 124213 accept any any any any + 2 0 0 drop any any any any + 10 0 0 accept any any eth0 any + 15 0 0 accept any any eth0 any + 20 1 60 accept TRUSTED any any any + 25 0 0 accept LOCAL-NETS any any any + 30 0 0 accept any any any any + default N/A N/A drop any any any any + + vyos@LEFT:~$
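Review bot: In the "Interface and routing configuration" block of the new .rst file, the RIGHT router gets no default route, while LEFT has `set protocols static route 0.0.0.0/0 next-hop 198.51.100.13`; without a route towards 198.51.100.14 the RIGHT side cannot answer the initiator and the tunnels shown later in `show vpn ipsec sa` would not come up, so add the matching `set protocols static route 0.0.0.0/0 next-hop <RIGHT-upstream-gateway>` line (placeholder, the page does not state RIGHT's gateway) or say explicitly that it was omitted. In the "Firewall Configuration" block, input rules 10 and 15 accept IKE (udp 500/4500) and ESP on eth0 from any source, although the only peer is 192.0.2.130; for a static site-to-site setup, adding `set firewall ipv4 input filter rule 10 source address '192.0.2.130'` and the same `source address` on rule 15 keeps the router's IKE/ESP surface limited to the known peer, which is closer to the stated requirement of "allowing only ipsec connections" on the WAN interface. The same block and the NAT block should state that they apply to the LEFT router (the group definitions use LEFT's subnets, but the introduction only says "one router"), and the TRUSTED group lists 203.0.113.0/24 and 192.168.70.0/24, which appear nowhere in the topology, so either describe them as example management networks or drop them. Spelling and grammar to fix in the prose: "configiuration", "requirments", "consists on" (should be "consists of"), "in done" (should be "is done"), "only only", "throught", and "accepd".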