From 38c14352d1e67ce038e0984b17370337d91c00b9 Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Fri, 2 Jul 2021 08:58:07 -0400 Subject: [PATCH] vpn s2s: Added additional information related to site-to-site parameters Added information related to dpd, authentication id and disableroute-install --- docs/_include/draw.io/vpn_s2s_ikev2_c.drawio | 1 + docs/_static/images/vpn_s2s_ikev2_c.png | Bin 0 -> 69496 bytes docs/configuration/vpn/site2site_ipsec.rst | 167 ++++++++++++++----- 3 files changed, 129 insertions(+), 39 deletions(-) create mode 100644 docs/_include/draw.io/vpn_s2s_ikev2_c.drawio create mode 100644 docs/_static/images/vpn_s2s_ikev2_c.png diff --git a/docs/_include/draw.io/vpn_s2s_ikev2_c.drawio b/docs/_include/draw.io/vpn_s2s_ikev2_c.drawio new file mode 100644 index 00000000..833dba76 --- /dev/null +++ b/docs/_include/draw.io/vpn_s2s_ikev2_c.drawio @@ -0,0 +1 @@ +7VpLc6M4EP41PpoCSbyOdhLPHjJVmUpVNnuUQbapBeQFObb3168EwjwkPzJrHKcK5xDUEq1W99etVosRfEh2PzK8Xv2kIYlHwAx3I/g4AgDYjsf/Ccq+pFi2bZaUZRaFklYTXqN/iSRWwzZRSPLWQEZpzKJ1mxjQNCUBa9FwltFte9iCxu1Z13hJFMJrgGOV+mcUslVJ9apVCPofJFquqpktU/YkuBosCfkKh3TbIMGnEXzIKGXlU7J7ILHQXqWX8r3Zkd6DYBlJ2SUvPMcQwd02m7w95GM/fv71vsVjyeUDxxu5YCks21cayOgmDYlgYo3gdLuKGHld40D0brnROW3Fklh2q0JVM5CMkV2DJIX8QWhCWLbnQ2TvGNlO+Y7EzBjaksm2tgBCqKStGtqHsLK8tPrywL1WDH+QuvmEnsAd6skyPXh3ioLnFcUdYS0ek91SBA0jiPKAGlx9jGS5/N/WVojzVaFZkzcWURw/0JhmBTdoQsfzXU7PWUb/Jo2eRfE79FTuy1U6FVqOuJM/4zmJX2gesYimvG9OGaNJY8Akjpaig1FhwNrEQpCDQ4tGQJMoqCSkKZvhJIqFXd5IFuIUS7IMcBa4GgZs1MYA8G0FA9DTYMDy/J4wgAYM3BIDCN4fBOwBAreEgItcw26DwLPgV4PAOQ8CEvJsSzZzsky4Dp5q0pSk4UQkcbw3pSlpw4HsIvYudM2XXrb+kpoXz4+7ZmPfsEkDG1M4mzmOiqbQJl6IdGhynCmYzRQ0QTnRC8kirjyB3HLylCuyFLIwdtEuxDT8qllLWrT2zZbKL5xFwgpF6yh0crrJAnJ+m2Y4WxJ23o+FmU4CsQGyKjVuYqyiZSTGLPpo59Y63MkZXmjEV1bj3HOg4cH610l/gNPmWKpBMmmmxgpf/xRf13cNp/Gz27OUSlRm4cDF+8awtRiQn1zckTh+XOzuG8g984ZrWiff4A+l3LXXH6z8+4HAHQJBIxB43h0FAvQ9AwFyQMthzY7L8iO60XHTi4MBdC3DUt29Ym07liZWXDsYAAQ+6dqoKpnc1LU9jWs7Mbf2dM4flqwAZ0kQLtdyeuefDa06xnmREk34AMtb7+rOiovlA24VzzANvswZQBVX3igZtyfj5IYAnWDD0yrWDiFt95YhphkLJAnLRDDgjlakp90MMYnCsIhYugJAO3G8RuKn7AC2qeb+FrJVT6zKUlfP+vxbIcIA9oCCclfvosCpij7NQpB7QxBUsegGKBBTDSAAYx+Y3TMgrElfBgRdhXkIB70iAZl3Fw509fMhHPQJAtCtCh5q/l8GAt3dQD+5ostzRc8AJhiSxebBxr+7ZNHS3RVcAwIfLKojwTzrWjxf4/Q4861cumCf0izBsQZjpjiKGGL9wrEOQCo5K/hqw64DsTOXhRfWm9uFCGt0UQUajZSax8IWf0dxLl6WolsaTJcl8mvA1TK7R2/f0qQzoDr7t+oMsC/A6m42vhNg4QDYvgCr1Gx886vRqruC+Z9bLkA6+GbFaoZttijEKZmX9himKY/2t8/qSvC9ACEmiwEHcv9C3QsqXQreEwze8zeeBrNfP6eTcLcC28dJvNB+7tVztfbUpqZSvjtiFHhoQHSimotQt4TjWuoewhOjG2JGd3TvWKBxOxfEOM/FDq9+7da5O7pIMze6TnL9zs7tmh11Xnx7pLByvA6rI1dEv3Ejo7XX7U/Z1kknv45LZ4SLg+fFAOFueMNoLlPCT3myvHnj09jTkf2oDwzaANKDv9tO198PaGn6O7zOHsGb9efGJdzqr7bh038= \ No newline at end of file diff --git a/docs/_static/images/vpn_s2s_ikev2_c.png b/docs/_static/images/vpn_s2s_ikev2_c.png new file mode 100644 index 0000000000000000000000000000000000000000..2d9e21b5bf4182742c3297360ead6f0f42e80315 GIT binary patch literal 69496 zcmZ^~byyT(*FO#j2oi!yDj}$#)B;QAvUGR%vMjOmQcHs(0t$!vff-%O$&)yM@#Jej9|95m(0OH{0g}Eyze^)@j#@(IQ&d~ z>x#sHOW=1GH#`#Hy3b4QH-A#!V86p2=MarL%|Pv zHug52j{oO1xWynbHmH9K(HDWa^5}}GY0B|9!VP>;+Qy=QS=>E7NKY?EH`jl+@k4n< z0l$BL!1%i(|6R31`Zyv0QGvUH3P6_s5gK^b@jqg+fq9{wkq#>UrpC&?wn9R>M!FjR zUgBy4xcw_`Z6GP0zpoZl5HWODN8A;V({NMJhVpBp-OwmgA!RKn+Erf2#Y11sz{3U0 z?+CZ^G0^i;@r2qrA&o^uQ7C(3xRa=#jT2e}E#xP!>!xPw4i@a`?ylq}h|&>J7jd>x z<`;HEY9i!);ijHCw!R32E=)tt&)!~0+d$g{?Psil@DkSX((qGNHF7qDs@jV=>KW?G zYdY$~kwzLQH>|FUsV2nP!AVyWfk4@4s_LTcG`$cQ4>>=Cmt` zbv5zu&=n0l z%)=kz?WyjIBd;cE>?(hwl#QTH%BJcD#yT1b zYI+W0`Y2%+4X8i3+Za6V?rGwPRufgjntF(O>B;$lOA2yME)K>BHyGMZ8=S(R+C~Uq zPKvrd#z+TSMG-N$lb|Zn(+=(d(N}lW*A~_gazcx_={q<&r~x&Uvo#Pkbu)1A@^wU@ z_3Y$f9`cHgrbaLae}s~gE?fx>*Kss((6@8eP}S2hvU7EnH!{)HQ`KR7**G}( zioi{jbhP9k8ZbFAc^wlkzy(+t46tAWLm6TmeN}7)<#0D^z%VLEc~e(!1&9t(&Q??n zBL`K5D#J{KpcqFZTP;JVi!sbjThYix4I+SYbarw=x`?S5;6$hdvxDl1!TANT?xskL zkFY*)LE2897!ebG0Y5!oQ4<5Ki;cGc#86*I2}jw>)zA%rfw;S9K!j~nRQ=r?kO&1E zs3^+L&tKGC$J5I}&tF5?R#)9i2Li(wd8xwrZ2%cT4^MxbsBILCloZ`u4GgrLTe>h;;NTS9v1oM^V-^|7<}(iXsaVjW!UY*m3w6dmN%jP224ItZLv3qnz% zDyA?4n3sZ&tC%th0i3d&tD7>+&RJRB1R-DqmZhlT8}B=`DhEL1_E?nZgjldMb+k-cWme zZ*4zs4=pcKA!l72J9032b)ca@HgX>NUdD=W6kO2J1)Q14p#ffQytfa8mWw zM;NPWq7-d>p}=w2Ky7r~U47IQ6t%SFOw|-j;VLEwXM`sNqbcCv?x>>%cXLF0Kw%IC zUxcTSGStr41O^me4h!C{=x&R#ljqk(+ZcJf`WPr;AZiLQQ(rkbq>;CvvyGew)D7Gz zW}v2H2hq^+P;`L6{Pa{jbWC(m$_g;7wuz~NqK&h;u@Jb9x{fEx4Qb;eWG{zOw-YqL>6f>Sx-tS{Y!8E*m^gbG3;XKXK)nU@bs-pt zp)pJYt_<}v0B=HK^aPNe{EEV^+Grznw1BU^fQylvqNBWqp$0-%$KTK1ThT<$A8zO> z?*p~*QuCIxRluU52FCpE-nI@p4xV<33W@>_Li{!kP<35E*VoR^77aBrard^-m$O5A zIr_j1?bU5@QWt|ky!EjtIesymTnvW3)QDWXcu6At_pTyCYmrMXE_m3 zL1Sa!0Tf+@V0vPL_E2ME0l22Hm$nna8)|4OhS3qQ2fv~;aN$=F7oz?fxBmulaQ>g1 zNKhe=^|Bxy9xI-TJWSuu^7qtbKc*kAFSdN`I;T8e22^-lGIzjFr7SPKe<%4)yzI5n z8}Ex#3EDSu6G})^6!?TxvUvD}*Vt!If*(cc)Bfo%4sCt7 zZWoZB!qj;vn!XtDI*##W{2+eiKHekzB=(2-o!j@|#BZk{kw?y86EMg=kj z^X+)mwPKv~VEa->QBgyw$A2VyD+*)uAL0>^u!iChJR+g8zLEVM@s~Cgr*^}^StFZ( zviz>suaO@n1knXV!WMl^j6qh<(j2;uJtU9MS`y4W=;xr9W7sCxG-3heFd?59EGN%KD%{>ty%IfBWm1X{STjmKJV0qyF-q+pUy_wI4%}RXU zj@GnL)qhjXM=1o zg0Qap&ebem zmxHfbB2{XJxW&P#a zv-h`g%8*Q>JhQ?s_@S>ado18(Pp02onMDcO%ViMBvgWk*wqWkVShxcPehlHKY9FU7 zLYV!QFLP&$ZxSwrGu&cG)#QkdWIQe-zWJDEmGT|V)JRzS9^ezi8WwNe!D(MuImuz& zjEHzncK<lVaSSbZhHyf>SE3FpM!j`!(Zb zZn9bf$5NM>EOwZ3!WC{^o95vl^JD5>o%gGrSIF0=q-dOCKT#4;P>5iC*WP@-Q`@}u zT=_$B-_FjWR}0097`cq26RHDt;Bjm5(o_V37{cdWhjhU^!k)e^b2@6d$L+1-Ej z1$(+44cdOB6{Shjw{Vxg~ie!zX#FW`62q4cL}%<~w{ zo3{eZ1IMZQwb?t%A22ycrcy!;>G>WK|679t3q@ z)uJ#@jJi2f##W-;6pP8sa&{{EtDLOb*T90F7Y+Q~VJkq2Bf1SuT?Jt>Cy(3zHTp!+ z-=|5_-?fR?q|#MFko%{^kiKPR!x;OgL72jWB6@xARSW5FxdpWWb*I7Y#{_22Mw-6K z&Y$*Qy7U+trCCAW^V{_kFB)aYM{Er-@{&F|aL@}={bt_le(KHh%re^>G|3$W>z|p^8fymT(l#H+*9LR!EX=;RJ~j_*Wlxs>X6l`I&#n0s~EZ*9eRON5K;8-dA}^Tyub~x?4d(HF>_5ObGOSACA4}d6V>H)K|FhQ+aY{P5#39;`*U#8rp znArNB*6a+cz-9lV-p5w43ZI2(KEi$&=qa_QzK?y*#X%ACYTxrtm$9o}_t0N=(pLxQ ztgm%X^>78DvZ85noJAIDDTLIga#$WoSZ~B6Z;|!xJWF~f>JyFA5^Z6iBqjZ&2;dMi z{eX$@i5%TjSg2*Y)>S@QcQLzllH|Jlp_B(ROmvf=oOE}6y6XOiz6RUVhUxN`4qwvg ztnv~@rV2Vmi(XUpjnRv9AvSjVTQ4817R-Hi73YE*snw3`NV=xl5u^y?c8MP3g5Ry< zIjMnC0taa>{-y5^Te8__L7w29Z{xE932>z&_?^OQ5=6uYtF)8l7;S@!A*I3s0m!L1 zNYGB!gDT>6oqh=2dRdoo>UiIG&TaxEXXN3r&b0`>z+t=GV4fMfaxfa#WDxEfMt|( z{fC=>v!Dt*eBweXAkYRmAkaef%XA_R{!i-;54cTNrb-=NN&=Vih(_-ku#&^&cc`|{ zrSFLZ#eSAp{INRd+_~x7{BCk|*#A5^%yTgI3HYZH{D@<2v+Up<%C3k?1+Dbz8_wK* z<1}9YryDVZfiod#QKvOgUllsV{T7VpwP*`IRr>ZnFsbvd*iy9;!DgaAe4Zcv)Pi*E zdl))xxif4sxUl^Mt^qZ|-0ZCQ{i^>gK(&`QEjoDP^5#j+DQ50dc1G)UQw|8yL8i*1 zMc#j=>&eq82_wU|X8yABbsPTErJtQ&qW*@7(R;vKPef^7B_I*KKYLP_e%sM~i-m3A zV{YBt_c*$O-yTais0)vR5k#%3Ak)zXItkyCq& zZ|Mueh^ZY^WcgUCko(Z1zUKEyL@Q5>D%!neELny2C>qaCFl*e1ygWPgiw6u-yZwTD z-t`Z*N=}9M&RQ>Svs|oyD;e6{*7SY@ZS%Y6QsMX%;Iq!krlhdoyuu2vw}=1rhQ)aJ zim{jD2B>9O8E{Denv8-Ev;QdYVk>FUjOv<_qP@NRZqvu8J;S%l3NPF2uJpGSpQ?|BVbGY^0N}a);VA+ zPPw--`F*Yb?#ph^)^OzZ;p*qRE0Yy7(t78M+k$EX`z=!|V~iS&iVqe>D{C};hTok> zcSp+dhJ}bDU8S@s=$5i6hEz&)O&m+QQg z*qD(&x-VwE#79Z$r5hIS-(@(cgnrUHcT1D9m=2kHTk>);#e@#Y^@^!NbvA-dWB8Hv zO{IgvPr&R;m;5hQ{L>>D(7;0R2>7poOtRlv=K%r9cPm_Vhfg*ChTm#L4w0Jktd%HpI5mTZ25wZYwEXho2KE8iu(0= z-}Y0_)>CAO`xNDT*&FG%g_FU1N7;JYiA5`m_p5sp={@B~W=2hXIY}*En8bP0Vv;;UkE9CS15g&J-Oevvkrp^2+7o%aM>Jt&)Sj1OhB`?_+iPQ3+9xuZ}I>OT0sIoK(2B zGOQ7-RMTga6)0bk!!h9iOtz7X0JrhQV6$ha63o0sMy6_IgDdRPwxoiwJ(#22-;M({ zW~h0W)~d$wOOFMIXFen@hvz&+R!bt~XP7T@`FHmCr z$@!i3yTUou@!37q%M-PMg*x^Y-;YAP9GylwRiK9&ZdU`+4_XF(KQa89&#HrnkgWZd z0wJjqf*AGdFWxh-*E?x4?Vp$eo|@Lq|1REsJ(6)(@A01Ccmdbb+H$3l={EBa z_Oia^XV=Wr2RvZJU9QeW#o;c@|tw> z+bm~45|5be_jV=C%c0s}=SH>d*C%v0xiUlIc(@|X;yxeZ%}^R-_7?Jd zagLjokhSdE=EUN9i5Y&q-QmF%mspTnwQ>B-twQgD0P~8R5D79#0T5wEWJC%Frcd`D zm2DSfNZRKkGAcbk1!8-kA2)Q;%`_R;qSz^1#=TfcgfUpGbA{GSy>VUb?7Ly<+NliR zZWBbf3Efict-g(uXB+WAEf?d?dg{H_A8q%m^^%SXjs}~*qW@qz!y5#@(+L(^`BcNK}l|%8^6(bZr zlCWC82a3)lFK@K+M$aqrcI8CdHc!pO=g|&Invd4(>Amueu_zV$$}c&niiQDM#?@vdvi?Y9@q)9-`A1??@2w{(>; z)Je}+*sji;Dy|IacsU(CU-HL(Mg0wFoQc5My`CN8At1Q}$9ZPjb?Zze62V;b)igZuRLkoHb^{x zom^zsYjy2YZYF$W*ufDotbl$jRsQH;+5CQtw4l+ws~b5%*0hRfrRN|cVY^GT$~Bc#7IQ@cY-J-ieNVf+>2FvuhQ>Kzbp)_+!hw?7_Z#iOru$Dq@G5S=4THqBZ-;9M>Uqs*$Y=P9=%BbEv$Jy%Zywc9%`Mb4w zoytcBtKo64D;`r^OnrnudPFm!Hvsa?7ybuQHd-)!-7gK_VL=PAw}Tda)qdA#xb~;1 z9A5vW$-<7az4doJ-{?2}ryC#ozTUuPjl(!E?bT- zUxEKVsoKvQd0b&2)w}a`2{Ch992aH3tB1~<+6r60h`}T90e~1TS6+?l6eg@Fx8ur? z{e`^WD1Pe_mWT{~FKD8AGn0EtpIuG(M@P~{zDSb|S49H|DG~8(BwUfX1Ti0*j@2GV z|El+7k_wh9s9MuG>g-JIun;)mlbdaftAkCuw~z$2XrwPqnSIyu#~~-7q4@X&qL z0E6AY6{!l;RqLH0*s$wLF^}sJ3JO&A53?eB7D(!u`zszdzs%t7K2R7Q*|;hf&6+=I zelxIkX?D(dC}W82!*L;U)!%* z>f|ZSb-bus@t=NweL_bZ2L~8G0FGd#L7Nsh0v_N9&e%N5(jP8!lb8ElSzZ^92xSj4 z>Ch0o*KrtD+d1(1j6w-HzkxNWyGx_ZO%Wc=D2CbfGg-BHe?KhULR^UKLGD#GA{q-W zvkJV=#9D4O&UKPiib*=wF{usSOV1Kd&W}`iPHcL2rs*q=Khl9bBdP{Cf=Q+LV-VN4 zL2g?}lTciJ{-_|Lk=7~L81%a@ z?koq7ep=>TQhqP!sP&hrKXQV3{v^BcC($>d2f1;}e5kk&lmM*rc~FW8a=; zF1d!qHZ>s)d)_;(iXLK9-hwA(HTyBsuKq{EQ_WHdN@g7H?T5FwN3_fpLT#qnw5bS4 zDnUq{>rfulBBX*mpdzLRd5NCqNMa$qOKOWM$DiXtr8eKfnxYR9FK$Wo(|5g9estsG z)ijl?q!9E(ND-!az_XE{nl;aIBa6jGJ1Yh~Uc@AcH8(_0T>olsIaVif_|^7=d8{O9 zU!hGML6xW@K2PPQGM)DxsgysxsZBSu+U}@!B zh#m<=xKW{(mtIQjt7-(n^G{w5{S4Vo?_8**Q)g{ZUd0>aBcv*_1fcKn?QB_ar~?GQ zyG>mi`>-p2tdry%MaJ@q5R z6>ib8^w!H)>&}zzZXaFFfVW@6x3JSf8GkLWnSLJ4+4MG)x9$^+*ep0qamFpBDr?O> zf4rEll3Vo>rTxvtgU-P3Mg`(p=Vuu`PRGLdid&JAxUP;v9-|*&N?@274@?To4zo<5MJ(^;h=y=QAN*H{0 zKJ=uPSFswl`R2LhJOb`go3EDf=3W>MyHKFh!?;Mr?ladc6XZA#B;^v~D|Me+OEDys zOH2#HrGuMaSnF6>$Qz0fkSAH<@6zBCqCv-^2zloNSeETwuq}Tpp0h9$9IhjFv4672 zV&>cWiRDHrd05q8Ynz)i#0=9v5STiBEJPygv=*L;u+T_bZeK}BJ3$^aHXWtAcK4cG z%{hfr^Flr)<${1UM@|{!a@SG9%R$Ef*UT?f;IizdgS6T#M9k$v6W-$I@_{x1R~SL? zk0%BpoU}Oc(uF}9mJjDxItD8&nYz9m_Umyiu-6BcSnT&|Qjrh^AJuU!GA+dl5@b8y zTSikz;k#TB_E}Fd^35IAEOJ3ekxwYT^_OCFdWe%iYr$Dbu6;dv+N)vXo8YIDkj-ji zjE;3$kjL~$2w!W+pW6hn#!p$B*+ONX0~LJ^P1z;FCmh#cWwf3YMP#2IP9+haoKIfr z?O2cFcBv2_O{gJoOA{7P_U_NhKAY~idP{5=-O`eWl{5V{b~Em@Gu8Mid*lVhHzLI* zA(8AgH}p(MTMBc~!hqmH&4?xa(9WEdRILin;4#o&~RY=p;$AhsxR# zW#dQsY}bSGL)vHTH7rDCuSQ`zt)5p4J+oqbM6_|T#I;!M)!kL?;Npf04Eble8zaXH zjX?{&BJ~M-5L1cxSJGN^^g#xjDY}WcJa$^yDpyx;rjOUaS^2QW-zz+5>b&jR(d4C% zH5&Yvax4zVaE-lq1JFaE!}U=5u7q{r!BhLnAk#j>qnTyCrw(NrB6Em0-*|3(z%Mxz^tu$drSZ+fUMi3|zk+xOJy+G(bLTm;v7{>j8|l*?-FcSD{lm z+;8a1_T5_f}K`PXdn z3qL3FN$-9=U9A%O{ORK-XAXv`Lex%tjw#B0_ez~n8y-bTTLVU)O9vTMCOS zMu>ck?*ACB2%uwl$>9E$Ppf~kl!oum?)W;)eXETtH9Eu-zc*RPG5K`SYWjwxXK!PZ z!0fAlQt24H96WVq99sVZ6n8oDMNp7pw$rxJSvzbR1+JtCNK0LxkIaz1S05bgQlhh* z#vdl~hF>>$r_p4ftR$yc*le(mFFi;o*}E9y<>H)f`D)2r+T%ml#fS)M%J*yzv27K{ zTl`ZKb}6sA<3q5)`^Z~A4E!%8mo&Wcc%Qm|D}I6*YZ-jrwffv(%gT!{UaMQxBK(WX z1&m?K?PB6*9SKBLm>e1l_*>behC*c^oXvILUv7N0w>6izSHQ16W8G^BoIpz zpbntdS&q#r_341dhb06nq?04emTc86vbRJm$lxR2qg=HL#_n02bYAmEFTOIysEpY3 zy=FY-7nky4H;+LmZ*CMX!_8uL6#z=|Cw7uQ#KbJMNA5V6=7^>^Iw5;cLw}Kl?fB6N)C0C$bDVCOPW9Y_D># z`%Yf(P|T4M;%-#_KORgoqcc)z;q8|Vpf;J45rYW z#Tr7($wBLUd>!c#?`{g#4z^u<-C+}RmiN}qD|oVR`>mu6{){sc(ht`Ka+2c{-l77irFHxY8yFp+ z;}mY_yMp!k_+ryCAmQuD=}>m;0k0*`jA@a&q3e=i-Y+FiW}cpONy*Bls5;?}sa{(panS~SOEndG0LV6;-Es$5qHdF%K%0m~2Cesm`UblY8 zYvngDw*7Hz@NK~RXE<<@_50y)c+vvs8q+N=BTQ!tZt^A^bidIzjGMZAwKL>&&g3tG z^Eo1I;%;UVKasQB!=#V9ZUFM+vD0voSfy;|xu{SMK9h5#6D#hP06xU!H<~vk4wpdD|En2Z+*)%Rv z#~ee=N{9;HK)FG5>zq}wcK#l`H_3Q3&aRe>Kg1~6nlV@dTonzeP>Q`LVbZ5vZa*eE zi%dPYezVo}l+uq(7%kh7?ugPn(RdZG^a=HE)NJaU}gPrz`ooco4HVt&rDYdRaoNAhe*k z|M&Kb+)e}Cr2JD%e}^^yd{e9DiyK+`Fn*l%JpF&HC;18lGs2_cQis}lF!psxmh02} z{m<0&!|xxTZU-54SZUhicStn3Vw|1Q2d-%Gy^#Fi zm`B&El*vQTbh00x%A0IlqP9l@85aiN(IazGh5ZVUlox;?!osen&;;x#?ucf@Wmax|8 z{)+XSu`uED2M`Z!7GOt&xNg(Rh?MvHm%7}q)I$@7jHu4!@WMoKeM6fUA3)zQ|2n5a zD7DY_Q_vDPcq0Sb-M%)3N!gQ%F>J4mF=_{q#~79HHeBFREIKI9S@c2S#yH*NFP#zI zep$E-$`xQ$*Se~gjeeOKu2w(D2%0r9sc{Z@9vNN7+IPo&zs;#?EBs00=cpQeACkJl z!jlY{Qq%L(xRF>jYHNCqcQ9N9X$_jD;UE22aY?ss<_mnq$|Nvq(H_8;%(_`+9gfNW zKvMU)K7K7fmSY5s5>;g_0UCQ(my%dztJ_xmcXyI7C@+I&B91ke z-kNwcY4iQVgQsJ6+_xMfBF1PL4_AG@7V8Ap`IVibx17M3g;Klf-3Cqu9txa}`4f>q zwy$mB0hVUwa=Lh+9R+xW6)84{L%|<~2Sde)4V_1P~te6I>F|iF4E9 z|J?K!R4DZ;k$kNK*6)3gzoS(XTA#;w5BMzjLX68T%YRFaMyLOI@u7jqE%i1_y{#%* z=NYpMt~n=n1kzjEiOW}%SW`opFACCy6>$&|U7E0{Ut4v`84TCH4`99^f%rYeP0=h~ z2Q^iORDdGr9Fx6ZZy>1xB|kYYm;b?9OJ`LMG2zUx0%HU#Vg-AoM_O?7Y)hNQ;P`~^ z%^jJq=g+g#5uFh%rgi+4c6I>FFjLK@Bpm1dlPjpy@ncZ0QK6UjB`l!&SJ#E~iIaO( zlx5wI>6`e90WqaAIDx*!b#aMtyG=u|NDj$f1fJBqAYIz@m*&mEFUD`DkM$zRDWHbv zrH#AIRg-(6DrQ=c zESm4AjNu`q5ZHxp+JAdxHrthTX1B65&3rSr{_EHKBz(g^hMIHjuP6ZVPD{zd$ZmelFSUODM;`vpa_E988<}%1>KM<~DOYNnHDKP1B^w zMHj*Edc$8g)3>6>^XOrg=h649#-CMlOre;qu_5jf3NTxhHk?5HU*wMxcxh4SCz=)qxPnL#FPwW6NpF+9wb~Q(%lcZMuAk?%iUM2&h75r*8MT_p zr?*`dhd?>IbtypP5iO&oLlm{^NAE!0(w1kpDtue$@fDA(l=OibZGf4(N{Rj5TR^(3 zRFCo4$7_p!7zj8Ixc3VQ+G{Z1v*3~tK090~n@9!II^%omi+q+`*Dvoqk&57T{ZJ}+ zUXG1fes`~07|gycQdNSKJhxA-p0Xkm(TZ%0=4ni!B{Ot=*8NVKkbcpRrWl|svaEMO zi;W8(=Q1D3P7=gA&^_MW;4S5#NHj^*3scN!vy$}|R>b&3#w4Yjx=z2bADONAxoESl zmp)dc$L#N)c)IvfWBaGG(D1N|%@%ExC1Z9eH)dF&a$O2@hsHR6lzYd>HNoZNr|$`h zAl9#5`Xe(w;ZGjfQ0mRC94u(;CCa|J6wCQKlJ27kLsNt{yy>Ys&Kt%IZ^k#T`F8yD zmRNWqG$Fs~m$19uz0JFeJsif=>+VnySa%Ya%< z0w?uTI(#S&2a7AKhEg{VcB<}fKWFVrhMMn|BrY2U%ocH5*28H(Pu$k}JjL6aU*YB< zb)7HL45gJ=XcbiVBv*AhGEzOyXTzC4v#&3_ruRi4{hP@~6ZTKYmQfhY+G7iR!enhQ zVo!-h-KyojBQ#+fv%JWrG6pJKf#0G6b&cq^DJ zmB61P7jajZP?aY$Da^sxqu()Nv4j*3Fe2t|pQ_RV7;V7>bJr;Lo|ISKkkHG#Ac9!W z_EIaL7@aj1Tn)iwMR9ley*YpKTa)@V-O;%P+cqh+ zBPRj770-3~1ras@p(*?Fpf6>w))W@%l)FWu+W4ZEBc!2LGNzM{$?z42bl*o=i3clF z*_p>v3IRWfZuwl{^kaALAv3AijDM~#E|gZxU&H!23BsXPW%P>eKQc&ELjiKOK}Sa@jB`m#z;{VwVG8*YhUeR&Maqsd%WBc5^0FO`tW znq_IvAG*q!&l!g8*4(6L0?*p2u8t7Is&{EJNf3s$++ERzqnsStsHcX1k7v}?w7;75 zGA{_o5dBc`^|X0yyEZub{Ae}p#O}wlT9|fmolnSdN!*a>4Ugjc)q|3^g$b(v{6fw@ zZhLn$u)cb43_M%a+u}We%R>Q(}w>Z`YxwEhcg;Z*KJ(y^g%N*vj%o9U1Y_ghp%q!r`R%JrQ4Mr%_qI6ZKHWEn3 z{s6KS#BRI_okgM0&}IUjZe6g%Z?6gZUz5G&m{ns-dM3|8C-vHGW#Go$2VY)6lG{Xb z*vW61ro2qxQg1()L?`t;Y%+I{+1_Y62%>mO0x>m5z6k_FI)m#v}(Dh zUR;5Gb4Q$D!+f151K zMq^0+bkc>>wD4SJXiPV*aGH^ODBurC;RABy}^R`bQj;=x)M6RE96Qr*S^n6 zU8N&0{lc;)J06dHLOlw77AIX0kC&5d3WfF;$yaoB%6WD-MDK`y=IO0XN(^)T& z*+#D@#grO=Han34DP;VQ?ud|J_TXsK%J1qr#b3EeDa&^`<`y}`&ER}0Ht+_6Fun85 z*kwK}*Fu*DpUc37h>bFJun)4aTlcFpNZPVgQ*lX~4M^G^iEVKbcJRcn>BgaN%VY36 zUTH4p^m5tFb@c(0>_3Zy$(N7OjvMZt=**bIqNNLX@D(vKk9H&Qa>xr$+apdoc6ap; zAVbSP$_DShgx-?iU2|Tw3v#h=XJ~CNJh(hFPxzTUqLue4sRKQKZnbI)F-vWDFXA}k zRD9yuzQ`>XTEpev(KHi@9svkM5iuiM10+=WI*vOo5E)EKTL-BeP+{gA6IB~>*+_ek zg3Kw@?L82vF>QMi@}(Oc*IWL_K@Fz#>m11Cs2SC?p?FXzj&wTBw4CyMm0RKcgB6V3 zdkcNkWmdK)B6Q{+hwI>v}@zfU~`w<@5emf8;s^sI9-;eb{y| z8JLv$@XMp!oOcZLB1OcCM;CFqn&-M9FDbQ7b*+rr|42)D(i#WMx{G&>&fIV!6clw@ zwVMbYuI9X0zW1Jhf(;t)K&$;0Ww7ilI#TYx85V1z_>ol;b<1OIYP(hu7%i$d9oN1l zAh*0k@*U1<6`C*>v;6Z-znZ`}qvZk_q-3fGYPNnP7bQ2m?yy36?}!(6|4zd!@13o~ zkbc{jV5pifOA$gO!{qcZWAEg6=asO9pf%_y^*76>N}~d6Yd7MTtr~7t2|0CH-T%y0 z|7}Meg-21a`s#QxFO|IGQ2f-gT*%^EEwfZV=bE>VHr8Hyw=~!)q{lu3l=wjiIR!AK z@(dhGAT+e*d9>RY>HBMZ?IiHycz?fMD@o`wE8^|S>@-j-Z-$pzFg|ygdbT|O&E&?I zQ~Q1`y79@!;D=$#r9p>v^{N(?WGa#uh!t}1HGr=3mACfp53QC?^8CKE0w6^f)_M-V z7Rd-If8iiLa#>0yDP}Fs)=wM59}%x0*(djHnnTmE^xWvd*Vh^uc^dDkpRikvJn1R2 zjsc7+p0>nBgQmO~uz+?3HSBYAn0XcqQ?8IJhY^;;gmt4$=kgzyzd3ZS;hD0ygB4RO zNXeN~RV({4l(f9a?y|1b6Lc87sdra*xU}tnlIi9A(^HzdWTV$T1uH*3mo9%R ztgZ2RZfT)sC2}TlRytI#CqstP(?^hG$_ zTDWpsAmVvf8Q(agwH+BEWgixr@b$v3dH)0GI+u1{HvJl#X(ZC$TJAG=-I_uoJd>S7 zQj0G6x4h&Vo6?WY$`S-E$Kkc-$N;yqygl17P*m>ekfzp5eYwglw;? zKk5>p;3c+F!d<)c&+hnX#m`;tsbO-}?5S?_WcRT~QG^8o867=56vKIBar|Je2WdP! zAQKG-{^puw2{f(62&} zwdmol5(3cUjy2T^0hnPh1c^#HTxpKvj^?Z|b$^^O`hPlTgt0(e|1UK0!dTYLnJN`= z4PWtz6$KRJ-~V?CK=d|MY9bMbVuU8!Y&o#ziFvI}92{$m16pj8Ij?~+6EHK7&=>a3 zjO05mO^S?AYzJ;T)EV$y@Kp3n0S`YFFpFlSaDp|sfCW^vW=!K?iDCd!Mm0lp?tuIX z_*M3-OKKHVQCYw!$uB>Bj&p7!;5qY~9>)MJ7X~%pD3oz1JahuQ*ELS27EEIi+JcYD zsAFuhl?kboKY$12F28cUO$7(A3q2*{T^x}D@LZ+v&s_jYp~3iQkt6g25q<^O;YsEY zEN-peAgKBVNHl4FeoMEGw(RsW8F0&v0I<@*XBn2GqGjd2CCtdu(6 z1=SQ))FVKeJMszmyn!_fJV?r9T>VIv91yV;b$Ee;)hq9TzWR97AV}sg zPr;S`SHMszCsp+0+o7QzVd-ooX7bNs+HO;?aIgi)zs>tauo5zIb0#l~m=r<|8z2Wt zL?sATmP|pv2pW30k4vrzy}=NNjgkgh$V=a6OJjSI%4Jc;5+`!b0Bc(83@^v+SpZn}Z>F0M;Qx1$ zp`1(}W%J#3p9nv4o$vlCZstps1FT2f%oHc#Z9r+^`p+d`hfZP3+_A=8bzp&eYT^6; zzi;%Q>NBCo8eOYhi~8Yg^)T67?%Lxd8X+7Q^b2s%l{x^hZ&q!bQe^2$f?+7t`&W%rBaMPfpe865W=ykxz#vLP|PE`oCUH}L^{LcUjm{w8) zQ%gqQr23(NsnAd!g89q)uV^YP-Y=qeCEdR8c!E^lhs^|$?h^9JDE@MJVKKM49*MLNjzI*{)!W7Rg zyH$5pb;f2@w-bZt5&EOlW*VDCH65%2j#~^Uaowk?<`?Qh>U7mYMt8o7v=m<*!s+OD z6To>-j?%gcO;kE7-8E%-rtG+p>!&BCvemblNEQUU3}U23Mx?hN(LWldBfg?180~WZ zdz+D0f%H;<>#*t9xx{xrqeJd}Z#!_pZDpuz7m;g5K;5K(bIShD)bynw@n2I}fjG>= z2N+55O@S+#m9oELA9mrfn;qnEOj%JS6h3A;N2)s!A~Z ziMk#esm&566r>^k15$u?gG<A1NCS_6l*ahv#~M;!rgo>|&65B04(a;6 zDcqcO{{P3`TSis6eSO2Q*)#|nq(nLuY3Y4q&zE8UHP zgp_pitnL3k_j`|bJmdZFetO1uj%S=R90#sztu=ejHGlI0mu{b4TeE+A1mA<|TajII zwob^mW#{D6(=Ud5x4p*y$g)Tf^=%p!OkmTn_({?)rW`XjIo2HCG?zh{L167wuLWJJ z?~2UgNpeKb`(S*ETa9}i_`&^3cvOb8pp^#atM*dy$GnwmqEKA#%Kb^FM>X6YU8b&IK&EV+;LZBCVEgyM6Y-4=mQz{`$wlTn zLVA9p8baEEh{j)vy#B*i6eEk4=piu)yBGDG`VD)Lj{=9CQl5YFZdclc_xiezaG=QU z0&fRh0Ok`POp5nd1`ixxr3dYx?6U>vwP42=6O*T}kY+&dy2myqqWhiT&OYZSDu??Z z?;vJ5PxnPvF5i<0AfK3gN_TL!a^Y2uZoSbs4T<_3aC5PkZ1j5C;_8Bcj>(;WQ8o~9 zlK=hh_2nt9+>T^!HTS?DaVMWk??;^|k-P-D{6i|_5X48p>46kY^j4Ohn(H)5GSf-6 z;UN^utBjokc*A}x#et=^}hfoOB2yu1TqZ%D=D~X8EN8D$>;*52NCFDx+n$ ze|iB-j^&?Xz4HfWvIl1}6?40t=?wQ}TME{fjOV_~p7^PV^!zRyq(gWgxfe6kb(@~E zWEqvW)gR8K*M3VA(vUpe;O-%m3V3Qb-&pZPj~3MiOmAF?1hA%6celmlRPeU%ZnyG3# zulC42a!$84Uo2x~-^L*zuOR2eGftsJ--DT5|C8pQhQ4JATx~yNK}${eY3pVYxJCsA zQ#so#G=jb*h2N{ee>e7TTXZz>Un(SO0Bh@eyhR1qhnzto_L6cq4P;;$IS2F>p{`0ZKUGY>t2}f6wrBMzcSWu>&xQB!pU`Zy|175_Upz&J)%84 zQ~*I7R*4*RYLZ!SU$B`8QXEal5XX4twWyA25*fF)w4u#G5qzEF4%*t#M5CnyRhH_g6r`fm3sK5j zAOvEsyC6bYiDHp>godsH01Y=GVROZ+1|BDnv-x=UB(29fKz#%CAXzN{P4M$Qeuui$ zme&IHJV|yvO0Qc$Q1e5;@HvPSdC5RmvJ=NeyY96%oxi4|&-z))@mm0v0x(P*--~Vj zRUgHJ~m?@EKi!zrIAWlB%N~dKC48#Oc#NdJ7O?BoP z;o=j$$%6Ig-#N)wBR!~#3bs0}Y_5XfVTmt3k)qenBxdJsq zM_huPg%r>K!a#|^1<9T+DvaoR0J?+q!xQ3si+r zeEc6N6|)B5BL@oW>Kb%hK1^|wDbLaBLtYkdHL`b%qqwezblq&Z&)e^qjqqsUR|SLN-7GJoNH8#;)ToY z6wooF53t8PqcZI=_CygqSB(1reVpP=-u*crT*XLd69Vt!fcyy{F@b@EfV~W$sfD z#V3NkSdgfVr z4K2%2FxT<1VgJd#Tg$rzp^Q15biAmf?0*V1E_kbvcEf1DikoFu)ThX!(AeI~cWK}T z`a0q-vK`{1kqp$_68>M%bwJMJ56dHEop7girvd zH`(u*i6|JLlVGTQ#n#U)zk)t^aQ!O=PXc7;;I2yxc-NP_w14yA=Sx9Er}g1%Mq~R{ z(FhtRF#|05W)!HDFQC&>=aVZweqfhd)IDmD)w})qu9Fag`MJ}AG(?bN+oPf<2J`o5 zH@#8YVP3sw{q%FOT9k_8Ox*)MVy)o`8S1Y*&*U-(*tcb1Iw^lzQI}iQZp&P-v$tF- zh*c|ZMZ|^N$}oUSy-s5d!=n7rpS;s_e`@kBER~ayLhj_`+j+*LluFO5TcF7y^sZ>1 z=}kd*&@r*nd+Eu(7(TNt`c#qEPl$EXr7VptDJTkKT@KbH*k5%>zlc@D0zIvCSqaCw z*-|JvegrP#F^ftwP=SYV9^;;g3hKio{|!1fGK84CxgiW);gDkYHK;SQ5deXUd`sos zt2|nFG6d6UaSVN++s=>kFw@grZ=@^f8oZ4I6A+h&OgD;}nIeYf!IigLue~xiZfeEn z;5D!Q4mwM$Vg~{q(*R#b7AXxBQ`145=vR2#j(uVV@aJv!YaG$!4=-3!vuYCgBuy=RPk;^zk$?u3uxa_E2oX9Y-rKef`|QM3>N zwCKwjkOTz`N60W0$*_t-$8I|_qsdE{f5i|zph=_6+gJN*&%} zQ=9$Oif#VqJY)ZBi5|en*Y(X9Ttt>fvjIKLfaIMY5kMkU*a!$GDu)8B?CnNPI)Nhq zcwrU14Q0DnMV%S-uYVee`Tr&<^hk&2UW6!lae(0zaw=j(B^B^l>2WaKd2Q|d$AQ|? zcm?B+UqEq~{%u@=E`_Y>wgUA`{c5%AI#Dv~tx~bX3T6KofKS4CezMM(95wmLREb!3 zeO{JNFhldt+Yqu1q^Z2!VG0K?i!?5 z=VOYyXARf#^(~pV6YNdnM!WSlq1w&QbYV3UjXo93)}i9H_vLxM$FDK44Zks^q)h|IvpGrK(BAO$s!r}PKO zKi5kml8&jlwmv2sT2JMqEyM`iv1VpP_K;W~k|C(T#G@;hq_C(c$sM^ox^Dw7n?7ni z{jA`y=X50r@HDsChFYI>KUdlfm%EY#F03sv`b zQDr+UW*6G|R@#Tj%YNSGuN4Y8gZb}w41!@#V)oA}2(c+Er6gw`3jQ7CF$Fq$Ob*tc z0J0^j(CcUA=68zdy{Ca?*dQDTqpW>W{ZzJCm>p>3z^o|?T)`%bI=%nCL9%Yhp_@IX zv$vxXr-R4igWJ<*U04kA_ls~Kk=Gw9d|rS2Ru|CPsqwIMDBD!07hm90kRX&YTwIcx zJ|7nx8Ho!bPPUL#bxEimf5%jSw4~hqZfCrUS_wfJ^ zUf%}y(Z33uTxOo)4x`D^k%qvQfAR-pmeByf9LCm#|E^p1@NIiJnV3w@ZPTAS=kz^8 zab`bvM5iln;_NHL63<(1;=o8To+mVF%m&ij2b8Egtj%#XEbV;B*iDLoq9T$E6NFib z2KMbc>TgZt_iER?!kbS%eMVz~b+3K6SB+v=82jU!lXG=@bPB)dHnA zpu#5B(-S9G!^`>X8+t9aQ@mh4UbX-Fx0p9|64*pS!BnaIA`h2}qt}1_KQ1j z$-&$Q_J;hoQgJ^uJFrv!qA^)O1)UxC;O~ICI$Yvq>A_EHnf9_|6x{Amd#O}qT z6a=2&`%r3=q2WWnD=%W-yJ`}38(tr!<=T^LsOV7>@)B}n3log6AIY(8dDW~B!*DRdzYVHM9fJ#lWKZjs>V&Q!u;hhA}mb+Pii}N0=w5J zmOK*|!xaBUGwI;I<8uir^LCaCB*hZLo;mR|2mnUN+Z)spC^|+9wW1<7RZuujiT^-@Qeanfb;<{H z^nJ2O2J{%k|BSLhhY|p5PWko2J=AYlg5R*GrLmPoa)RIZ_Z|Pz<6rssS6}|MAOG6I ze|-bWoBr!7|BW5~jivsL3;&G^|Fwnx$H#?=W@H%u^aA{w+Zp^{?7wFemkt>BEnsJF z!hBi!xxQqDN;N%^BexVUFA1Bw$9TZF*bZ8!7#IoV-Tpr?LU>!UIfI0B6uNZ!9tzmHp2!g~!}a3Vv$Vos`*kAF2kf`#9PyU{t|>c@sJGOGbD(GVBI* z)+Co@1#ih_C8wOsjNI&+5aBccsM+%I>F9+gu3P{vDC4gkzB|b2|@r%UeBO5o_f7kYry? zhywBOy%peiRK9D$)b|&|bJS>JBv@co^i6H>l)bBBs9ln5@2T~yY#%6y)xGfokY{GC zY?@fb;1(x~R|ChHBec6Y4qi?VYT9HLW$_(iPiDSeYvh~ZOo0walf{%LFo-5R>G~W& zWeh5hZog!HakKvy(Zo=+0?pCKjpirWHNI?Q$3F68=af8qyns$)h2yX0jGIa7+v$ieA!!H%QJvZ zN)zcrmtZjEV=T8FZG+pp$-Xd+B&yWqs$xA%rq}G$2wiz{m6*} zW!Uf$_e+eRn@LpNE3D>KAY#{#LzI;h6P+_UZR2F9u0@Faoc6`H3uDW);N$ufKjzKW zq?;wsgsBT|Jx9(*L?I4jLq@kH;X9)c(vbM$P%t8Zz71j_ zOiM;$e7m~H{o`L%qV#*TQd}Xho6~t*Kjg=}(<<0@!}0Mh+!NLMZI)g{f=#`EmVffpjrxtU6Z7imFfFWlka@nlC6Xz5I5)+!X`XV zg`$D_?n8n4_MOlc_e^&L*`IFzp`CdjEb~S8U_5#EYVzwYLGTWf%WiG&#p2^w;!ogX z4`0gvWZ!|h;@;lx*FHQOZa-J#?gi{tW5|2bv-)5-Sh!k3a*`-VZR8eW@leA60F44Q3o%xVLkp135UgqcN8y?JYwt1RwrT%>UeRKf*&jL6T!g)Kj*5pa z%SM4!<4@Nmw)8IM)HX1mDdtl=o6Xqq&GApIAmn1O*}dW1A_C2xZ}=gN{*AU9h9?oE8PUWB#{AU! z!oPDk+kI`CIm@zXuOdfotainbKiLPQE;E|U$!6oDe6VMqixKlsf`5pkKF7UX2>*x< z$$2}3@fMk7sJ6}mCw{*nQIJ9srpC*)6cHWCT%uR^VB>nQ)NNl!tFg*QjQ?ck;8a9s zCgZH_gxUu5>`hM(nBJl=r0E>d1tH&#Y$)bKF>=vv*h=c4woHW{!7yqeJMhLb%%*-N14wsO9oF zMj76VWS7)6y&p77rCtl~8Rd-qy<<&TlMyPGCOh9(UoBahZl`ue!>o>z@)!-{%UB;w z2uhCzXU9F=3t{NP5ut$)E0IGkB_1a|PGAE+LHEElHg4!om;ispu~rEbBA7`ELDI*$ zK~H@W-B{R6aHIjOfEbB%#$<{HeS=@#YLL3-a2OUVE^?k_hT7}0$9G6!}bH`I_))xAC^5m9-^4>N! z8}_XlK^>C+4KY-fJh-tGv7cIKv3J}?$kL_U^?b1y77i$?gaxruCsMa1@nT7|`=r@* z>G#<9HQ$PQ4C*BG#MI~nQBw^rWGK=w;nesAAvf`v`V``bmF_?sv`mUEdcCxQ7I1RJ$$)r7 ze-BqRgO;F9`SKYol?z>mHM;5(uZq9tX|}ZWm%$I_awC8DF{Fyd(61C27z-Wiiil^# z77$RD!tFsyACNMp7s@$HBP}3K6GDBwv1+)_8|JvaKLT3`i$wNvV>MfS=#!FP$!@sw z!xTqO-B|gFc{tQU=W#@79IID?nmJQwcPjB-0+7C}!woST-1I+>_Y#et#5m4B=e1Fe zYgmIqa(CF;k3Y*|aCw*a!!8fM$;(e2)}C_l8jl3aOIzYt4DIU^*T=`@x0? zLcA9ds2hz)W!z_C}LXP=bxe7SU|2yDTd1c@A~=906x z2S5H6Dg7k#7S_ra zwJN7du-GqyMjRG~hNU2vB8&_9Lu%dVumWT4In^0~{8a_iS)C(MySKuGxY|8o78|pq zr!RCB3)g#VgALh%0s9ck!ucrs8A?qS@fHu>6h7iHMrjf1(ZE1SXn{Hr7a0Q132VJt zS_y2*2*&`n1S}b%&`E#W2e+s&8j8WklxV^uf9vAn1JcchpOybV4};wslfy@i2zSy) zn2kbmZ$T}@HQ0DdLgehE&{LVU5T}SroNB`wzu~gb#{#`rdPvy82>tKp(cnC& zje&1gjU_qFA1tmfQM*Tj zMloj}e~Am6nc}q?)4xX8;OT$V z7PYnliSWhh(q2g5)4>wUn9RQXV2Ssd zY`Jg$n~>{*T`21n2+whH2>ZqeQGH8Jmhk)^!T$6ft?B#beth~eSb~6?emU(CSRzUk z#`4b+#M1S=SoGQ4Kv4bcWX;K8#*8&ZDIZWC@ULQw14d~jC$A8&1;R}{(Qy|Ez!H{Y z;p`}L{~vBOMf0Me`vE?!>rpdShXFpxcQTXx!>3Z#K*#E)7G^79u*4U9rBh2{W5$Ph z>TeKz1pH8YX@az z<(%asdS4Y(-N*j>*5_W<%NZSAoRNrdX%`ol)boq?@88eFWo8;?ArP8rnVD^Z#5kod z+x@RD!4E_j!Dm$4V2F_v(Pc&)(9s2v(5soN6A=;FTvWtv!_q*yh~Ei(5UF`>2a=^YjXent4yzc#|Nf)lbEDO?UE;% zUi4FrS5A)gHaR)%+|*P<_xaIpe8rf%IzpD;Qlhr&X1RQN;uuCMjHEWkOOg-Qhh@P_ zST{B{B(w8WK!FL=^aL}+wugEueyZZE%Vp=}JhHX5{m{~)KT)c~#GzFh*BMFCpDyxh z)AIZK7g8QOb6em~)!5irs)dC`MPv^)W7W&TyI~;XR>FZlVyrS6%#T+4_Eq#tj;^5+P9CxLnq9VarXICNZh*W>b6zDiwO8@pJ9^9CR{pjfEsh-|% z>&Eza62*Q_ohmt-M%2@aHjRmii5e5-1{Wb=Eo_V`2Dr$41-I0DV|bDGf`fzE0M}0D z18%OUZ;7sFx48W5>U}-yu=ce0AqF}aM+-ae&delLK>_*q0iwSr&8bc2YCvrFgN3DK zIXef3&to}5dzT|pYT{NZKv4iALM|+m_;fulcI9j>t0LfhqfiJd z=yN_G^hsFHPsXZ&gj+VZ0il`U4`3qspFZvB=dZ>{98VoG#RxN+U7r34kAk<+FNuPx z$!{f_A!7)?<+nHrL(iORx|>tQh9sZoauXMbBs#3FA;81~YHI4i6k(SiA=QJDVmAO{ zc+BK+{#LpJkc^c;fW}63>1fg@8GOH~eRI2haX?i~EkjFN+oLe-!HBTA45+9wj@<@8ziX6!0@F^I&8%U2yK5G-6Cqc*R?AM%9U zzI|I?M^De^2PTDnocDmpT38cyJO-p!Ixw7vs#rA!LGt88cfn)P&-G%vUg-7jiS6*d zzP|QP+6o^Ig^3_-B$WD3o;bf7ac#f3+D#jfIGH=lkqte+L!2Rt#0TXT?xK+bH7Gf! zF7wIUtHG}3-8Qj&`F?|Bb|xkmmV%aoLRT%dkYmefyb701)8UB9v+-YPcZro)K~bak zxr1wTV&IJQrc=O$-p}tsi|O&1nf@w%eploEoQhEoEeC?6<4JmyR8*SlDl7jy&0pne zJN+@%Awzqa^udhb-iSgyi+rl`2qpxu&9$GiURak)K;X!UkdW|k|9JC|Td10+gYn(0 z>q?+|LobwTGPX^C7$JRDCYwE15Q`tR%FkyRG`D}w>oueMdV zTWi`13c8+w?|#CED;gS3b224-cKjFpPRLYKcs}>ZAZ|k$S&(v+_wEg-SVDH&Z`#uR zj;G(*O_pEPeE6{92Gc=&6YrscNRqBUd;a{;*~Da-_GH1w>9haE_S!39HzN2~m~=f$ zjDW+lV5+n!AYG{_Q@ z;Vu(y%f(K!YX>gd^W@~@8^13hgcObM-s)i~oc#FlBiUoYYi)Q?^1|NV-@i@o&+sj1 zDXKasPo>QG8CqOiyi$}GQ+&QzQel~#n0S|!kqq}1e1|?x6}lf85n(uOk!` zXQL5D*&!|}DvC3U5h>X3=Wf4js;N1A0{a+IZy`hwr77Wk=y`QG zs<9hz@Li~|lbU!^7O4P4S5WI+I*I%eN~k^8b3&6)JAN$pi?!J394<`)qeR&>Aq}zZ zn(O*GSA1Qra6FCTZBSd}<)dHXf`fS{4a-0vwRCsrVX1T)zyI8!G<)^x)ndbP2z65y zIO?CTpKHO57O3ojl58WCxZ!ts^VrS=nSg+R?T-s_bb}F0XnZizv9Yny$uQvRXns)Y z=F+@3Rh(hy9_m<7$PQ`4!GPFm1V?$8UVo>V@z%T4)U$~oBFPlLAK`3GSqz*q$bX8L zzD#?7Vf|EA>6MOv?0sKPd+MdvDIv$iQ~dn=2irEI1r}LuBg)6-@~p&R32056>Vf*V z;J0vUtQ(sMsRdPUBVx_a$x7h7g5cM$6zTjPUZj}Cgy$QT!=;~s0;g)RYeH!#^!jWt zpzmH`daf$Lk!ts#_*O&#gRvNVo{yhj%5w#wSQRUA{BrgcixiHWJlZ@t8JBtpxHG!` z6C2R;u`sh(HOkLS=LK~noEH^K`~nIvoAHi9b37s;Aq9=pgoGk%%z$n0E2&12Ra6N} zn9nD+kl&s*JR&$zJ>S1yZDsoGYz*{8uCNR1C@6y0({K-jNY_Be9!I?zl+ds)lRwK%;ywOtG%j=9XQ~d{~$xKa( zv_FvQwl*Mp*wt&noiA8x8$g}g#n#o%g$8apE8U6{@~s{s$KuzH8|*ExVOp3M08^cqo;I?s$4@s zZJ8#f1_Cd~DJo20=hW8Ky;GSKIfd*Q7-(|0cOV_0~-80*ft*{{SqM@ zaJ|8{D~gI}e0R+p2{$tjy+{>kBru5oSF2OK=KPmTq_AuxKQ3MjQ!j8d|!J)G(cC9S(y#l%1WO zPU$XPRM=Om+yUX7cPJ{(0W-`8B~ILQ#rKdHs~d$`Ng#G;@V2(KjXzloFmh}?($d@p z0akwsubG^~Q*RL1h&eb-eR`A`aP4(;FKesiV8G?5yR%mrxKxqf>J#Bif9))A#(N6D zFjtUFa!5Qv5Jw9H1>j`6LSmFf6uin>&2C@zNYh*_Y)O@NrI48&D zUSEd6n08WyoHEHz9($V@iywUB=X2kD-rayBW$1rqaTK2U?Y)3XdE2?I*U`B4>d#oI zBoK}9{-7sDnc^aZ3pzBHmB)3Zr|;}wEsKLuL*9>E5zS=a)`Pl0Dh_?^#ktF`}F7*i#^Y`R(g` z$3OAiyIz-W8aAiaqof0eddY7B)iQDp9B`!?eJkMj4GkCelMTH;KDk1lTy{2liZ^I> zb$;YJEKkwvcQU``d(rf}JVAx4QSRxpXDpNi5l!`?mqeIYA-D37-zYD^#Sydo7;#ue zpst$7>2hfD3vKNa3dB)m{nvNIpF*S+936KCANOx~Qh##9Qm}rp1H3mEh-tUm!fPze zOLVpGgPf!MNLK3zy|gJB#A$WJ!pm<-ZL_?7 zr8ZOFxpRFx8qUj1jPpRh&R!=wAmHdx60M>(R*0^^9}qtE%zG?y+A_uEt0aqF=-dS% zqU(%JVeiuCAR(0x{6UO|p}DQ!&SZ1CJ$dd$$f>_&bz#uLX;3ph+h65#UP2o4Py)vp zIq#TtOm9pK{|uKl9*$>GfnZ?YddR+YDzp8VKm3Hlk2x=)hNj1cm*PDUY)CcK{kjTyD!D<*&OdQBprqASbX_lQf zXKdwwLCdNMo~?%4)Zx3q{`?FLF+ZD^Fy*#ko=a_%xyW3x>z(&AUGfIi&ym>!VC zT&9Rfah&sF(*zSh*7p_*_r{lUDhC{xE45O8yRih0)fs<(FYpnB7en_e z1_%h;cdOq+wad3oKXUYaeNrE}Rn^Z$NvZo{;@X%*05+o$PrxuF00&8rg^ZBk!-qwR zE}Wa^cmsif?oh14{QRp1+wtNt&#Vb@{M0%QDl7uZCHoLs(J@z#+DA=%4@LQSv?>fa zQ4#!V<67n{fyAFJjk znIG5R!;mc_)+WNmX&nroKrX#zYwk9!vMki1J=&Sqvk|FH*taaB?%DK||Z1J*L3TPU5E(gbFW$jYl*}Or`uFJ>@W>u@zw9@v`cRPBu zjRuRWgM#zg;s=6;BV!1Kk#FUk&u*&+Aa_RAQu)R$(68`Bcjp`bp!jbfBq}FNDKUa~ zpI2^u`f@AA@S>C3f4B*1=qKe%)#B}Ym34DzwFW!crm-ap_SWrvFJLDsz|+)cP}cFJ z#9=%nqZE9EQOosej%Ypvj?g!YvTtT}UJj;k^j(5u?>LpL&fK9C0U5O2+F(}J^y~Jp z^5(tks2GAMuY+H`sEp<8c-Be2ar@@9Tk1nYLxVu}URKE!Pp0p_vSx`&6CZoidE*Jy zXb>k9m@@|xMOrW@6$$idjA>mEl||o1xL4ME79i$Hlm=;%Lg!rLEB?@1FY1ZduC48i zi^gx+2JqEFwC200MMY=6zCxwcY2f40z@h$5Kkt^h9zHWJ_Sjw62X?#<*DZrjL59vY*iOcs%LfeaEM1?;qiZ6>kewWs*7t|Ktg%Mu zvJ}?npX?R(*9!0qWInVRF*5R6edpT_*)ClK$E|BVc|DFwe;=`#hWq{{uv^A4D8;-rJ#c{_H=yV?C}HU+3x#^W+Vfh%#J=GlGeJ356)T}DEL$vxS6|VX6rSKXkHp~fL61A%Lni{V^Co~NY z0b4YA_{W6{YR|maMeWps%a*?9r=v6dTJV>mIO%XrV2vAQY(uI#L2IM~_O z< zj3*%=Vn^2P$%VY%vyM&E2>9@VLnkGr@}Az3OoZWj-B82MdSxLE73KYmy2<;b8WQS9 zAm58W_E*%GmL?@03IUXxHIQq2@d#{BJ1gM&EE#1dsb=J6S>s|@Go0Ga6cSzjd?At& zZdNWaDD#+e>E;?;@5^4_Tr+r$#BC$N!DT0Vs~aO~`ZetP4;wur?&KveUf4Na@&JP| z4jiAWA^RE>d|EW+$_1FsJKjo*L(3(1TMoF|K|10$?usZk4>QM9u+CGfJ@Z}Wm+kEu(?Q57t4@KI4Bm4JEj!k${;NN3wY===^5s;PVyCOSH)-UJlb z&{EdynmLfP35(Zs2O0Ht0iU-E&(YEZUY~TNP$O%?Z46u6Ha2RAHH)SUiA3(%K~okh zD4IBFF=SzCE7(rIwBrcu8M7T_)A=m=VpmsJ^-5Y~u)5+}T3SS2ym&D!$~K#7cMbB- z5}yp3FS&VUL)njFdUIZXcHAX;G|LhLo={KQTu9r?%gZ+styU?RnsMBm$%G@;^F0kw zg_LKm!GO^F2M524OG?HiDI8P77tE0OXH$m`Ld=bPO7u~yxzxK_duPZ;w}iG%BUZ?yGJUSndMcx%GQR%mkkW& z?L~Y=Y>VdWutMn47J-?lNo-z9UhfCeaI&cR6P$agKH!#Sk5Ytkm6f1m0ZwjH2h$${1qokyS zG5wOmp_HW;6KnPd$;6f1hq07w+}jWY>3V8vYNIRof66(lGmZ-j!)Cfn-JpAO3iNSd zF+m{bu%5oY;>AxUvUC>4s+1t^!mqacet(EtmGO=A7HHKnwdw|mMKluRc=rKc{N9GO zIO#dAV4%aMt$@|x9(XTM(oFbpM)IEOJYViH)9;D0v@s9_`WP0GQQ8jj*Zx>Bx;amd zx+^jgGS>Tu6m+n?zx{@Xo>;;7TM92(HF#$(LDVaCk<~;!TCWw@qDNVQ46$>9^k1je zpo2N{2GknWC630LK>6g*6xOI68x{tEl#>WI%lGU2i8^`5q1_kGmdTDPfhWhQOP-lq z?ebeVf(BPku$Uv_0}W1t;?meN4FllK>4k(&+CZh^*Mn8_SJFsU2=EBv!CwpRC*VUF znVe@G>OU6VnKOF!?A2>?ZD(@mH-@-`gja*^lLj6!YPzU0Xgsjw$mvjEi$LKo0qp6y zLiAIOiJyTW?&jf{GgDSU^?w52a$noPeY_Q(o11%5pq3`M9L6-(r;94zOLMZdf}AGZ zpl>`xZxdm=tf+_;B3igz3uu=B%JS+9-oH8jnAW?n%Dn0#L(C{kJM?&TQCYPZ>FPFR zWl+Vx;3Eaz&-(<9O*^#6f6V1l*5txWS|9E0qfeO4X)k_gyjhd3CVC1PVy1EK(l4ovY)+J)8zPy!MzT#Qdl z6o5+}?+I)|S^8Aaq0aoQws-tCgj&%4iAK6D4io|}C@5e(5`J+DT+T5;wEgI-ny@gw zFtt3yhlhb54?OSorGRm&^M!-REIK;+@o4I8!AcphI3*M!fbzx>D_m6=T38aMjjIo>?)69Kt)-HfEBHZkB?`he1w#NJYv}r1{H7*6ae50 zLW_P$5Zz*oqa;&#(4ndZ8!iZS%(z#TU3!*QPsbeph4FP44wOVakc<*nQ9U%ADKJUp zuATQ|2-pN@4}bbF9`uDGESRiGamD}C_OSK8XS(T!A`I=BtWBxHr~heO6=Mp7e?AQi zj0CEp|5o`Ku`>cZ7s+FT2g!hWUST7W*95X$dW8`t_O}NE;nE$Tmy`Lf2n}lt=(zsz za`YJqXa!b!!a99X(^J7k?5uZd@NQha%*n#>w_>Vh$X7ewb@^8@g8XP z#KM8!3Xw%M1g;MdImxUC?zp)GPn# zAtqcHZ2v26T>m!Hr^-rYnVUN@MnVqfnddscPreMem)mTfT5Z0Mh;Dp3GNe%zWHG|; z@a{ulLCv)a{)On}g)y8}EK@~MbP2%kfJUIp6FaaIz?lnC302^)64m;InS;{xW zcWN%1kf~_YRk#x*Jq8GqtI&nn1bf+DsaY&!pZFeJX}0?39k{!%+pXOkJFlP=sQ%J-v@z{QoS#!5)472h zWSJm{YlT9WXaHSzr$(yqp+j~wvT_xTJVps4)OoV0w0`(aB9=JV&=yu80s0k~fIaN-n`) zz84Dquhd-GX05GX>w^a$B8r|KLy=pJ#NUPoVc< zH~FwEYE{rYzVxG!Ow{{3XM7DQ5&EI7_+djG2M`1U*yH#tAwf(UGgA}gRn{QJZ>2@E zJ$Mn!RCrwlsTrAd!5@e1oo@>(gwD`MVt@yt&?A9lzSN(4V!K|;%wDy6FL&|*w=-nq z3sMQqyuAr0LTR?%-WGfPhRcA-h)aj*KwG<}^g~g6zQwqIuyXs~YxZC-zS7m#i7-9) zWCN^|c%xgJEIJ!$Qabsqi)nA6N^H0Q(t{xW=JtaKurZ*ad!ECa)A8*?V;K73d-={o zb}|BjSR`xHbb;}crw~2=j?3|pc*`%QHsNNvz9$DWa-j+V#6$0q$9_JdmR(#y5j3)9 zYmYkhzRnKsCQpRJ^qT=mDJjWOnx5UTE`YkY)+Ldyu+bqmdeed2!)zAH@NciuziyUG zB}*f~U)_8KuGf?Al~E@^^s$sXT9v|$H;xF7xD+&^eizppA#erI9b8qQ|ax7vTsoaSV9#ePf7$r zZm-(W386bGqhSPTn(%^?6GlcFj(%c)Yt9MIU7J7ufR}*a`{vw&UmThH(f%JI4w?i; zH!&qDjq9OO*S87wP`p>wx=v!6zq%ThTk{pwe_2vaX~?!~!r?haYGFMBfPLjTTTKjy zx|31D7!Xlnpbk$kJ8#a695-L%hd$*LFrF_n!|cZ9J*%HFYX!#*RG_IRW# zSSW?(ZDfJ^sojg`BL=7HYs<~mYJ1tDD|zn15)zDcL=WA?1;(qV!KBq-SLlTP}L_Y)thEy>b)uvjcu%!q1=U+9sLmJJ8QMHhcXGod&z;`E!NgAI@@Ls-|aXEeu@%k8lJpS zY12cbxAW)Vx?WEBtp++^D^;{?z2tQ@z($em4vJ)9RSoO4>~NPR1R&W?GGXg4$x&reYZH%b6*k>b;6>WOZzz7TJ-GQpz5ec_#D zkJV}JfWs<$rkR2M$I0P&Si%ZjUmY&`k(pi!U(0;r{^M?b(1Y`#iy!JjZU~me!c@}9?sek8A+7Ih!6^11#c-wrlNXh-R6-sc=7`3$m`Av-I(x{`UpjB3}y}Edj+F^Y!mMKyv_7;y}k8E2!X*)f+a1yvN0Ip!0tHlMflY>7jqS z^D?h+X4X5l^Uzfe ziYf+Xyx{eR>nbMn;b;sKDNSi*F|b$*KdcHav^~Uhmc(c<+3uG_x~hs21>;xe%Y8gU zDJ1GjiR+e&eByqJ13{3D8ENfrF|FTT`y76GaI0AHvBhkxtx!|0W3UKL&Xa4ks`%G4 z=6ohH*k67&`(u#j#L6?T5fdH6=Sjs>OM$gI3dK2ycdKY^UiDtu+oN?o-C*DA5>i;4 zuIZj;RZ<|`{U-U`NoHe<$wIv~^zxS2W=}#kYSj80%*%Z^p^eAJ@ml3_shdJbM-rvbTo{N*bZ+ zs@Bq+C1uht_VfOVjZ3*)F?03k-Ak`E)o%;$Yyzxmk6Xj!%zMs$J6WjMSg<}c{*bFq z^L6X-%hEwro-W=-H9o%ih4v90idVFtuk6F8Y}M$#hyp_KQ&I2f=%7%R-dlvmTK5;` zbN1rLUfEG%KV#bs@@ehOj<-<%f>2ae{P#oXIzjwzsOFeaTNXdjYWN0}rmO!=s8=Zy z6xt~cDeRp^pyzRTQo$m85Kn1*z)oK1p^L#}fC+D=kZ7BaqO z&R@-^3|xp;JMM=Mbt^3{MRE?$rE9cB{Fv-tQ;P|yZo6M6#3EOI9TDUbOK|Kw)ym$k zC=zgr_y>H-wtNo7UJY94YDFeZlMF{7OrX|%0w)Z%QO_o4YIvdbmecFntoYdz`{eH< zr7!jCX0;%J0p1AQ3VsoQo+vWS%VPZf>?ithuGvDNg7xG51CDD73PRrXc*%EF4}@LA z!uRSLWIA`}KNUaxu}VZlgg)S9MWAJDn2Lh_eF8SFaV_;7J9(3aQJRs=M|>uiYFuIN z{F;nO!pg%9k)Se&3SxwNr;~{zG&;kH#`<-a0S|Zh^wnAYqkr+Vxf65?-^FCQ@)l$Q zXgNAR0zXVDD)NaeHxbc+&S2z*Dq^DfWcMq$g*1pmJYna|M!IQx zI#buA_5o*6#97-t)MU&aB7j^to}Ra zGPp8vpCIw6)8{fSqn)Djm#$gbIYx%D>JQUH0=)-taS=TEI`*Z~KrpB%1u*m2f?x{r zSPMPE-H9Vqeb+YO98zmGvcXY7B+%)JqrgBNZ9N_KAcX>BTkUSRdDH{Wf{3N1isavt z8R*n|NuBjpEVby#0d!Re+hrkimT`0Y+t30WdGu$QuZ!mYVXLh<}hhI zdDGVRZza~^=xlIgctc&C==#gd_tSnFAOn~{N#AvlYh&0)f=bgJHGJ*_s_I%>@q(it zr!baGIE{QU_K)OeaO}&{G0%QoGWExS8w%V&6`2UL6mK$g$8-PN@s3@U3R2s~@Y(4p zq~>sId~doBuFpg>X{pX!b!n1_?9Ln6;$Rv?8 z>b$JJ6>>;zQ^UtNz7gd39i~AV-Pa8Qy0G|$vBT%t;;oIBLJNz9|0Zi@DiesGCMPZ)eyLOUk`4?VaJqXxB zl^*fUd$(uRQuOyWOCqgk`Bw#}y*%oJZZ|A5=;~OfcoQRfM6fc78=n`uZ7G-{2?d2~ zJ@l%tmF!yYiYj<&_)RKu)Hih1o{=2Qn$7qc`QlXN4ldlK_J~vkl&t z;V0eYFw)RJY0>`*i*hYIYO6l#H;|Xn$tSrhO^JmoqgMTN`~hTw2H2bqJW>RYokn(I z08Ak3ty7zMEv&4o`NaL7Ma{{nvhngS_2RHf&Wx`eBaxn*lgArth{@U~CuInPeD|%; z%5$5G%+oDS8gtH2+cd_@>W#m!y{}##EY4oLMa8-L0SaOaFN$iRB~j;YB`;~23wT-B zjgMW=LpC2CGuFkF{mYlb!}XIJVHv$oV1~9w>4h-roD9^|(wZZDRS-!q6dIUZS zh2Hk!*W`7*QdQxtNN8Whl@S`(xJaocfM9TL2&Z$>lT-3 z*z8QwK=_9uwY*8yUyOK@PVDVxA=?sS(naM@;TK1Czs5p^C=%UwHulb(y9;w=Y+;pU z&vR;vI{SRpsXYf#O*`#M$;|C^r9U}v{jL@Q@Qv=Je(~{v1=V;a>-)p@iLBr)tAfCQ zNL^sR9)!2iK`C}zq-Ro^Sg!KFRHQNzyR7+SWSLey(45RFQN-5JD2A6^%S1geuhBOi zpIA*!PCu%7!%fOEuI8xk;Y;s;DoCC(`QCAs+_-YTy&k%}K<=TT&sI8ba_rbPGuheD zzM17g4k(@&e+(mzzjf%5G`M)e0$@R5;s_pbPrW29NcO5=261p>%rjo#TIv;S+Bh-Z zi=hXu8_|8cB1PK3WJx2{k7Xlt31~^xD=%C+x>M2DTJd#zy*@l_SqrAZ9l7nQ*r+>q zmEo8Xz#47eZZnM|0VccZm7S1-d+3SbcxPNkWZSUD?YC{q!GPU zo&@G>jI36Ka{I!D9EZs@HL+j!!`o<~zE=mCAa>r$$0fVen?|Gt6G|`%)2O5-E|TWz zAd{2d@`xTj436ul;_h19J)ilW1urnNW(}u4;_R>u4%+9~jP0aq&P_d^Z|xwucS_YFGa>RN4Ot`uW8*V7+wOQ_FFV+Y>G_ z>-wg|-E%x#XW7>$%~%`1iviLI1y;&AFlMs|=ms4o@akP`ozAfxM&WHVP*l@Zl-_=q zmp&c*%XH}n7bIl7R?}xcpYfdfOvh@m^PLc;@n?p^<0@$$-{GxTzS0yu_hvI;!%56W zKfjZjgPhiy-~xhD~k_)NqQMktbmPCp)5OKinI(Ak=CFsa+S$ zAPRQ7-cL%r-fXu&OlAm5RKi0A)b|+0TXCzb~y{eu^R->ji}Xz)@`90CbKE&-`)GF(;6NZov&Yy zJuL1cI&&^_b+QvT@mD2m>Q)i2L$a1zZW45#|vY6m=j8uMNCLU zWF`Ncd7I)@ERb;fCYSQ+01SlH{s5S96)PFG!w_5s3SIvf?{=|;qnYwF!vB4NIPkcv zoOI<+thn+xeO`WfEEZL@uS*DLvhMomr>`* z5xO23*~WSyn;PH}g_>Rt@?ndxd?UwyTEOQ-qqZr^Mnp8LAc-+UwmSv3yEIfiUE@|& zFihdG?HMSx7FiSAA`XsZbTdf4a(~Vr7DHm+_e#O4(Id5W4Bsn4{+f}&YmnqmF#-L4 zzv$kSCSjd;xBxSTPc;F3)#Q`ClTM0xYmOOQ5Du_+9MV$U^x>%IaS-p^L<6kl*dRal z1bM$S(%j0hUf4A5b?u6yjB+rx9sl5j$FoA6o&iw_jy8?Rh0;Jry2TUO845vM;XiEs zWxCOpvtV0YX}1Tr(u~-9vEx|@^`j&o@wvAuugs9|4uiS0YJx~~^P(SKQZ}?Ce-O_b z<^O<$;UIn#w+$37y~_6JC_U=%Q#~+UGBveC%Zo*5`c&a6UHN7pusBPfWoIJe2sO2% zv*D|r)bUjYJ+Lxj=j_k%UdV*1&#;tx@?zLvVcse@F_v@JnYN~a@k)+@u`Qd-c!wREgR^+u3PzV zMyc`Q%*ygsS7D00@n|V|jdPpx-gICE!CH)x$h~jL@$<2FLbV5wtv|p+9cRZK)AQ*$ z;s(qd64|pxF?lxa*ljjLnltAu9}LLe8J+~D^fs{n%>#5efqX5|kl7wLj2d zG3RJ}c!Pz^Pn_EdTYez{NFp(rmy%*{a~x+wq8pyRxYpz?Ado$+CFWmQsn}~W&f?$5 zAzx9yOldKI01s}!QllJ7nQ=}n9L5&9=<;FtS=`y87mIL|{bQDIF;TorRVmBxmr!Wq ze2%>hfr|yupL!lxeNhGqEeZ_4p<|yN>wk_kha0+=rN8#Hy|nKX;(E}fC043x#h3p& zq(rJJLiGr`rt758op1azUfxu?^;$;*(4u*JJd7gN_xK8{Q%^_3qSYxyZ*w^@p3-il zSqrNw!~p@>?NOHvAeZuFfI>aPb7rwgcmDu^U{6IbIs-7EKX7_7P!H~>2XUShp+N3g z3$i_be?O1&5ITkqY6>_m-wxaHBg57Y>5S#HD?p@S0aF=xuW_NLvf+p-pT+UP6tmMk z&W4JmzWT0`7R)0QRwr?yakYz7p0bRnB!B%kPxUw^!%O(t&j#yt608=X1BXp9%svoq z#UHos*Ww+-qdxbTGc|yNIv2siHVxTDKDHa82HjZ?-PcX6Rz*o5O*5{sdjATNl9WfM z#lPPjuvAm)2K%9o&9#VZ zcw!oNwGXK6zGz@u3)?xLwp@vxQc>Xg*{rUOxj~Y_4k@@3v|@aFRq)~3`s5RY;_O5$ zY1}MAQ5S0=siu4BZyii9&F?o9Eop0+)D zm@Yi3hN_6aqaa`KLB+g#i%BBt6(3YlA#nr8r|>{+yu>T5EaJtbY5|wirsk@&=A(){ zBHoI%^<(btBvd~NRDv2=gauu&|JYlO%zXNAvWl6H&s|EneTL#jKwJ%;3AsrkYvfc@ zD*NGQ!z?r`|8&t3n%i7iv(8lNA3{}eE%wy>m~3x1;M@tCgJ4^m@3#mXT-KEsUJta1 zjuEzbCVasG%xg!ik93brYwCMb=`UvvZ3jl%`F5vQD^&JIOFAnXIB>3)A#x-Q_?Bhr z&Zk%L86L#9{?~ZiNJ-Tf`!ZlN5*}Zg6E-a0c1BFUl)SMW|2E8RIu**O1xy~Z^I5wv zxgH&0Wja3(rAPx~A#YC|bJ%E~FSUrPDxK2S{+agBM>K3gwRhaq%>(Ozx%A9WCT_@N z$*)%3{GD7DUcECg@XXtv9g@}c$I4!zK69Kf+T$4S9N=H~%+5QFh$4!(Uo2nH zH;mS=Q#CBl#*P4;wKCK@UXQVxh8vt|-bGl)NbX$FyPlO_3QeD-5d{reoR(z11s<+% zybtzp@sO9qJEn0jH7~4;<9mxBFzT^Zj;kxx^SqyT=kOJbFG@xH%O?w)#os}K7!al)0uRW^-EN* zU$j@h@p|xdlO^>Jq4E3N&hQL4q@ZB5lity-t82MI$Wu#|Q=&NUJLR*=D!7YPFH|j- zBSjza8F_Ay`wgVUcp0c;rJ7aIjMc0p;LSBDs#snirDe$*s2GsFy`x~80>-M+tRk49 zHtJ$_vTUi8+Vxqwn^agdbN?euN4fx={=b_g2TYJq1r#kYn!|tbOf+em! z@nQ9Pq?UX+{Zf0XwEZi>@yR_a*UNW~S>H#Bo$GWBCKTGvxi2voCJfaYxQtlKKea^L z-r*byZ*c1{jbXT36SqcwR>!nfVV&~TXYPs0#E`$YDOhX83@(a5z%^l8Q%E8ODMsYb zi~M@Z$-C^c)#5i=>7k5{s%_l3#IJN;x`%~@uPp~2Ryo`l$Z&BJVm zpX;|)M!vJM@~705W(7*AD^d1UPcm5phK$V`4fN-3&~9>wky&W^Ss8887AP`*A!zURo05 z;eMhMOq`-=^LiStTeCCPK+)yhJ9RhpXgs!#>w~pr<0m62sSMGi-{bOq)^U4#<9OZM zQf{Kl2gP0Ud@0E^xAo6wcxkcL4zZs#u)A^Ccwx6D0M?NmJ zKfFKIpPk;r{gg}hdUov2LE-GK-^jYi;e&r@-^c%a*5S1UQSj%~oXADCzcs*xQ0Vnp z(i~l_=;_QrUC;*190kFGl95!nez(qd2c#BfP3c!Z?55yIbYE2|hl$e_drMMdCqFZm z5H>*-c`TJ%T7`f?pzKiRvuCujE-N<4LY&2ye8YS5X|1RH<@aY@)%&tm`a!wI4>6%^ zuZEW(a{e{qJ+gpM9yiJyT4oe#Vm5dHTW}BYnd346iR`DCeZb42#o|=~inA3dgJieB zULR5}U9afnN)7Qz`}E9q6W?_)(<8~n;M^&X-f5QZESQnyQG9cnD2dZiEjS)|C>Uni zbfIGHbxe0^XTF~xtRLzlW^dfabUO?o5xnCGyEv9b(M%mB*xJo}W=M46n0lfwelfQ)Dh}!x+7*3C@yTBK z0}PFtUF9$uMuqhc;$t$D`zj;Vku*kzxsrXfO$}2X2gyo*u8(^yYc{|19ndSjG$!(C zR|b^BR%HnCA39r8)wo}=U(TQ(2FR0W>fUGf=XV*;9g;6jv-*r3)%Aa)KBwf~o9hn@ z`BpMeADAIIJVQV~L;8lUXJ+?IGr0((77$EbDP9$26c@;CPsN$5tDGM4pUu13#o%Pq zL!l3v1)IZ+&^bIr$fK1fAc6eh%+h>J5 zh{&66W0Q=(`}XX-E+8UmdnZ50%l)5k8R`px@>sxP&r*KAquu3(K_`~LvWtfL;qSno z(ysiOABU_s=S*Y)1!?LrIkl^3(`%=pKkRaFCvwe{=|R)PyKlZ9*Hs138A59xfrv-T z#>8X4hZJhdw*-7X7d7KA1;F-e=A#|LU_p)F!vAD}pu1+>4hO`-@@9^NaxS?mn`I5T zJr=`{;M#fgE~tXiN~Z?ig}|qeId)g&&btVVWKU?90H?gtGk?k0IB?AJyyBJ=I7P)^ z<6iaW^v-sZ!bJnlJpmqdT=YkROCXTnH&dY(*VSe5(gX!JqNS=2+e*jPNR-{go5L6Bzs@KMFH zpmX3zBg!(RT~@DC+V-EWy=O#I{Z*EGWk(&ybZ&^qj)Zl6W)}9#kVvfUH*T=PO+I;| z;QO~a@<{zdy&s~vwptcjCjlT77p#~KR1#A9I+93fO@bm~qNu>LOm(qqZLzGE3@c*$ zB~wCDvmV&#Eq&wGv0rPNR!`5W zgiJew%BVS>ksw9Xs!|^#|905asI%LYT|T{-*%X|qZ!*y4)vUj$$pt}^tDgPp!==FJ zOWsBu9hUQ%qte0xo7Hka-aq7iF)63iEClxN=tb6tT?Yej70AY-!$EvgRY1G0+<}fI zc7+h%3v+!$KeT4<$8_R#zR*`q#p@UH@ainK%F;>45uZuokARc)m~5s<>2cQ3cdtwT zbE{ePctQhkW)TT9@$Bm~Bb^R+oVx9TLo^~YKHB@T3bLoNlT=i-GF^+QGM>3~H*ic5 zRo@p2X8jX%3wuR$L4IRJitKqRH3P;2=`*Liu=4=mK-0MPSWM(TB zyPp#F%|1ShV!E`JGc34B9Gz5sAtQU@m*L5$N>`9SBB97QyI?<2tztKTDcbo&*U?!+ zH6p7lH<&C;_TY(?7eOy9KCCZRMvo!SSnNP(fLgv>VQa!EG%w;#E2gYv|)sRqD zV`i2yuuCk9S7GU}M#WRHx3WhqLG5@R5z{`SdmJUf_(OF=Rc0osZfd;W5m4GHjzKV%U=x%TY4+PRm_+%I$u9%Ozf&47*n0Z#s`t1FWN5B* zJc|njFP#HU>X>(%Z5Ngf#AHvq%&oR?YYx6BFAc=)yNCGp_OShkD;a28U7a-=TFy%{ zJ_b>J?-q-}!{ejqtVW#a#qAppC=X-5mSGR}U5#9K#wqu(0-MxL6 zJZo|%U|%XLX+gOQ#mA*9kB2@+^EtFr=2BR0_prDnnmC|1jU z>A>?n^8Uf*H%q`X6}&$HM~wKI{bBQl?IW#a=%9Bkw|J~Hjz73HU^RIe50$M5^(C-5 z($OVef;Xv)zn>OxF9xv}WHqL7ZhP;DI@zcs+&Ohs8yV?lN5a4j{`s2R`Quxd4EXey-9<|vW$CZ8l}YmOi9%a*f7;-0Lr%;sG_}IWdb=T8 zmI2iHmXN=~ZHRu1>nE?q6Qr6loKk*{PotstckyaGeWVwL6XqeJOq=kjB$Tpv<5M#_ zVRuYlrWun+6{8_sAke4{TLx#UX8S00xAoH}-ddfx<}RI4Uu;ku)$W$zA8c`A9=_5# zd^!wx2u`D~)=LK!KQafk%`+Lbw~nmdftu9l$hOD???*Sml20IPKSrWK3MhAHHY%d4 z8J|5NA&!@0Tl|F*t>_CUMzu}%^8`xcy|F*8z4^iGhleG>48?1oo5ew0hx0X`@I4s? z6v${rN0-ym_FY-08_Ary)<1=Z>mALTmj1}>>f>9bgCvu7ba#E!&`qpwe>GlWkT%q= zsi3glQ@R5vHVVWby)K3;Gf=t{asA_ za`t{viFR$Pv|z$R(E<|3x+H#{ADR0-k zPrEH4a1`WGZ)ao_c`;{@(t*X)`|r`MT0ieP?BN_sRh`#CAeykF)vWTn*yv_T65|!u zuI`#9VKpPhVuid)g!qi%YZ)1S9+XA4J|ShPxz#{Lz~1X4`5p`+eIfBXt_=QwH)9RY zyr=)BaDCXm)nP{;wTTcNC}_YhT`^T-wV0`B@7RU)B;>@~XS%L_3yZB7JDogIbq%pGe{Xo=mmIpqVVHzw`K?m9!?-d}BO0o79kGY1=9}LmSG!_*MYQg1J?-!h zPWbd3WJepWPka4c2*^RrEmR;iccdCRURP(IkEm7Nx3UXbYGLvmg)rm#Q5iGiixOzT z(WwZgAFG1Laf2+_EO)(OL7(5QtQZ=W&qbyr4Y;SAtlr%#V0h9%<^}In-n+V30{PvMuY`oJLDw6te9S{9@Mcq@|1OC;PodjP$6H(Vz&5v#b9vy4<{t=s^Sl>sjY# zvdg9BE!=XytFtPFr7z<_4EyQ%N=OdgcZRW#fBBE_LFC>Uezy1o3$k%YN1+Q)Nd5f) z5VSh_DM3C11Q`Rp9Pv_#Sz{T9V>2;T8faI?N1_l{?w4CB%>%FhCVEuH0Jdc4Dg7aF zNKx3w%f)u}y|zT-^u~5f%p`nt_1fp~9=|XAyu+WNBFn{GHrkIWwM^jk?}@Oaa>%3~ zM3cSZ!eXs=0?w!`KY|BgqKE183e=FXuv1RDf@2tV3DsK|!iH*ID#%HYG)F|8u^Gfc z?+Qp=O2mb68u@kDtKKe${Jc=7+*?aG5m@NiiI%hS@TGJO|E!ID=D1VYSq>dn9=?`p zPfS5|P0n7k?flW-u8#-x9IDZd}}-P9%QyNmJy+|1A#653MW$ zVH+;rGEkf6SduaU9NwS;%zlIwS0-^P$|o(D$k;45fdAr6N~mY8S;Zf{a(NS8J$69L z1eXb2K4cmb(4?CFSbyasLpq194^B^)(fE!6wI5~m>8Fm;u8R9`>7qg-bs20n;Vf>5 zFX4V-yXej%pj5RUV_Xj%i}<;|zXSHk*f7=|z@jJi9tF;_$Z+7iKw6Oi-ssduV9p!_ zVcD|UAT}%Xt*u~lUwc29JrenPn1>*RS8r=Gt)$i>DX3v%Kn=vt!&4r$xtbKAU)a@4 zGYjRTt77l;wEey}^j^_1iNKsR;~jROec6YwcOD<6c4tE0rHK>3-9FFKrvG`POF~4X z%O%H13vxUDKklyz+B(o8cz$8Fn9C_(G*kvfSF|_p=03neEOs%jQ>Y)>nCP zZJihFT@Su~pfxvzc;B6KT86yXqDo4hT>QY9F<{a{>1o0JCq?;&Wxc$Q z>|P{dmktdjHsN#?jyb=S7>954Xu|WBM^tUaRdH9qR@ekM3EQLmm8JjAMHHed^`vM9 z;0Z^LL6|AOQ*v{D7zC=7-|ZHe~Gco{Sjcc$K_&-@0}na3u|f+|~& zpWq~o&#uL1r@|6Zg4=UCw<72n}c?)(MFAHKM!I2lJyRpFNr0E2(ty`1L-G z75_7SFhgn7ra(G!vrJKHm0Fu{hA()Y2y^Dv#w;GY`@wZu8Z8s zF=nRAAEl?ZMf(~Z*U?cfR6&!(%A%h2iBGJ*7xZvZyx-0bj2^kO)N`%^0E|D*c!Nud zhke18%D9jd9OzNC#(fS75rt{Y6TV~|HJ=(@-8wyKk3v_gRkAP49e?)s2@lTTHMeVP z-c20_nx2{tOnmD&TF!%lYi1E(M<^9JMU3W(i_uF-dFa%w?9PCy*!YmOgxcm-{Kx*|!CVm{Hl?|SXt!Ck5 zzlGNQp%+_qze?CKn>bz)5y@n=f-+S1`@D!Ayj2H+|LD!z1WkvuxPIq?iY`GdZj?_` z_VT^bgj8Bx$G6%BEG@p5$I|u`2$I*REM+p_c7hnayfFI>omq5u7`yu0x_3suY6k9t ztDxR|ODY-PL9O~om+Ge+2?=rM72A6vO$uf!qP;qIV;5g(J2@rKQn29q(Wz$=D}q{f zvp3L#cwA{_Y;f5+id+?j9)`^O^~7BmFsq{%esIIGlC&%0&6-mfZCdK^*1ZG`_~Ti> zbZdn@Se!I?!K($ry;9Ch{9uy(sYb<+eS}0}m21VMRFG2!*C_!;MwsqRLR8C*Jg*)|L;t z@)XT=G7vmuWT=%-wK=xtFT8Is9J(hJM3{(L_QDy=NYX7;TiMrCx8&yrNwD2Jbei2P zp344E==NyjXgPQuB~4ve+w#6j*V3yo#07gVGx8sChw z(vz=R=6L>FTbm7qjYeSAb}79sl0ZJs^c5ij@U?5&F}>+~x=64a3z?9Ummnf@#M3lV zl)lbj_%))6dMGG=VZ9A|U?nK{f?Md9hVAY>zPn2bflA+F?b|+dcM-HFe*6=kBZv(pgtm^4N5~b{9u#r%0+vBUnxOO z$7u#RBxHvhLK^n%Gs6%(9pm$E76DeK?d$m>+G;xE?sRHF0i%{0YJq1oUp=ue&{}pt zNAYrz78LKJ-oy`)B6<>a;-H*}p5OU36lG|@TarWuL^427*D-81Zj`#@7XC>` zbM{Bgz#NpmLN}HXp6|*^%c@FF@sXmW7@XKImHNR#Yw@;G|isU=pi>`xeow{+FY0a6GBlCE}R+ zN)EA+vssi<>7T0pJ1<`RAfN-(OkNovVUd^6%9pJvRi2hzk57#X24OI;R}E zCC9d~tQ2oM!U|=jR3p`jRhMOg#?xTBM4_WQ6^|t2<39~TiMpteTOJQL^^D8Q8+uP+ zs&6LT)NPJbRUw1paCv#jw^*3t^MacbBzaQ>DkVZ`C+PHm;i*M13OiYmddQcB~PflJP!}V@gZDz>aiF`gA{4 zVICVXD;<*SO~xXl#ycNGi#N=@_p!~J?9C&nb+P12-`iwJ+Bf^JB?%xT-hcY1A1ewS zyd1LGN+-HgW{1|^6wV~{bx*^Vif#>@ zrFAc?7gMr2S7Ad^TPofna+go0?{F2);rWbWCwjhMYc}*e(*h4(wYMJr>eoV!>#~o+ zj}RM9k8c{U?RnbfrU%%D(-VEX_Fp02>PT3o!uu!mZ}W(aZjuE4sAJcut4pt_6VRzW zXLaF_RdDt%cQ}^awf+`81EZ)v&&;Y*9oFZ*U^a~M9#ZzlhH9usJLxlnxB5P@^nW?Q z)?q@2mXcTKmRUVeV%J%@^Gt$z6#!`B>qgU@Uj=smO{2q9AKdc_Lfgadcu z{r6e88P51@D+C+L%S)m!1>R$>XZw4A2*GGkDErdL0=^Tc`gleV4ls!fN+UDm!$S`R z`!(53pYP;p%&{@S=$KV7b5ckN_{fWx&+E_#wzj6h(NE9CU?;+mWQH#0mHnFFyXJO? zlEhtd!xI;~M~@*y%jl7LdvijRkSKh<*PN{2eKPQ0Y+Qd2C|EFM(kVZ9QG?gOs;i$m z5QA=ZBmSGi!yc-$K=9p(R`ZQWFe&r;$$0;yM~{q@Px=NoKThLJGBj>JFL7>`_Eq_( z&7JoEH)`sy#c14Mq9>;C-yG^6>#lNx@BSM72Z;N#8YnF$u048WlFfJilhW+( z;W9Tcl2hJb%Q|qYv?&NYl&GgiU+V|DagqCP4lyQ#9_TkV-5=Zl;upq2EydbwNOFTx zEX#ij^__nZ9}S~q`hVE6={!GjE&(sq1qDf=(A_*FxS7N5pk*2o4R_dofb9NTd~b#g z{evDE2BzwN3l;lThW0snu&>l^unm66-EqZB#oYYS)^?Q^Ju&wG<^YT5IiLjJ?Uwup zhdUV7XvBJVv16~n89 zHJ4)e9>yQGF5sh=Apwne&6DO6JJYzt!_|~2HSV(;88b|4j%i}xGwToXQr1<~% z>o*MD4fdh*`9;pE4XcD`Iq=4TjML=3y*kh$)Oj+)hUsU^U3rk`ZH$S#A=uZ0BN7Z& z=r_+_zr*+ftYDv^m=2DF)d??qW$TkA%Y6t@BRc7J>xVq z_x_3KiM0Qu#0uJfMEKvY7am?u-P7#7Q26s>^G0O;^7vHUyU_Ez$|w$XipOYC@g%V> z0`CTbLBoS&H_-Fa#h&^Bvv>4P6A{`20d$X-rISL>D&EbUJ0YmV5h<#xJ@QE1kOpB$ z@L11SivT1V7g~sVCUAT8KKP2X%3F67UVNMHYGp&8|6r|Z-p@q#M);ix3#&KeYjzKm zLY*TpTKrwO@Skm zWMBKI&iqFJPuuJrOqmO(%{2sOHyX9#6f6f)fR4Xzv*L!JGBz~DYMgsTqUNdfN2ix) zJ^Pr`obM*nF+QzqC%pnJfC{e2yAW@ln|XsWM)bUgAl5oaSC-~CN$zHA*O9W9$l({u_|y8A8GdkZvC@%vWW40`5~ z5NjAxTDLpzOCqZ>V&K;3yFKo=I_eZw0*taZ-~~uJ$>e{R5F2H0IDIEnjnz_-m1Yz` z__Q+Gs3F?rpBW}V_=jrq7La^gX#PUdwyXM)y2hloa_ASdog)1z88%OUdKSL1FgDbv zkI%PRw*0D+@aYW<4Wsn`vvP!B~x$ZjNF$H$iXASw<;Tz(HpIF~QLAeHc4j2o6uF{Ft9Zc7wJtY{P)U7@!h{OZ?#qZ07C ziA__sOJNmL3=ksa?*U3}9DiMa!tgZyDnUbK_|-dR6yAu>H_W_TIKg~ee;S~sh8kBf z3iUxxpg*u#PB?DwYYBDtmmKH4UQ+a7wBkGUR=thoym7vwbFw2`71#cwa8^-^zk_WS0VLD?9Lg0$R{%zf>QZ`H2|@L}X2S+5-MKMZ zG>r1i1sj3}I8Y0|5l7j@aA)xtnjMe3vUGGs`9fQ0PXYfk0UHND@ZEov9R z%TG%Xe6eQk(^vbn0A7NW0Y<*Sjz4x8l8g_m&LbcmD%GMe*3Y z`vg2uONFUF3fIAd{``p?hjH0!TH#Mc{WSgX+b;eG=;B0OvcdH2wAG{K3vvFxi!4nf zW#iTOeC7AcihU0p(9NLCyQ@Jn@!p}p{R}4cu~Fb!JZ7>1t*AKV-kWfrvqfX&4EeIf z4{_GLurp*5E_#Y`UI;qMY_Ixerf!#nyAg!Js>L@77g5x21D1)0V6`3=R2jYBTJ`O> z$kwqMeRPcYmHf<^T|wbAjCNz&G7Kz}i&E-!r?lNtSY2lkR^K<08Y?lBmw?D02B^vX zK|ci?cS=L-5N%|QL*)PuknY#shdLYO7Cbq|-eg^+?^{T;&z3Y?H-d^v8|u4CJ70l! zoxQ!MAsj2Fol&Mvk=&kBihf6H?~mv7ou5I7P*I;r;yC_xqZQwk;&U{ZQ3Iq96^!!3 zVErxc@uV%KX^b47UoF+PdfVStt`d#D9!vj|B1PsOZ+^C_n>tY+&d7O&5|A45Q2=l6 z986er6fU0JN<@qq0s@0pO-o2HzO`sq!D64{bH7?C@RBI#WDBxRLP)8n=V&6d7Ll@a zv@J3y0U?qd6V4TbOkhLP5(`nAaeDMPnAm?P3>%_j*)jbvB@St5){BFe=qkH&5{_xd zd==6DpBr}Xnr(#M;L2k2G}XFTpvK1MV^Iq@jHk|i=<%}o9N@i~cNf!7u6OcC zvuh9O^!N+SWL9bROlGt>E+)3aosQmD#Px!UT4n>%wNxKAItQHZUhfNLKefv8)HMz zlmmk4M|@?l{UB1gagqXGK>W-k#&XiYxJ5-68|)7Hsj9F#NyD_OL}v>;VPGUC>o!lX zKq%GtnTWX*15@TxneU;_C-2QrZ)Gsxnt~tLP?F(={T&7LFc*=t+tE>U&hn>oI(Uem zcgZB1t$n8cluN!zg9H&GoNiqtF}Z<=WAkv?tnwDAVeFqCL=V`+rNAXQg{Ue0`yfsl zmi(-T$(R;BmM-a!F0 z`d}%lIY=2q<}%r?*z}}^4a*n^$X7OS{Y77({swI*?u<1#k%0JgJu0xJ{~iQii*0vE zHE`({kel=&(QfGm5jmZNJ3*l@%l@HXz0PP8XCz~8{!#L#5M}v$`3=4nGY~?ET0%Tq z^ACcF)px@U)N*&}nDRwgm@KDgPBw!DCl!{MCgn5JYkSS?Ex%$wsBSG*DaKrJPU^`TePIY=!W*WiLz#yq~PQXA$l-v@ilD1k$l6~|>ABO&)N6Q!O5_hNx!5k*zD zF@y-NXFfs+peerJ5}*WJGVSN9p;Q3j3j-4fQOdB3>}i^bkKZk!;ii9}p%TJGokaVK z-at$aYP>7YwN25@GKG7}zNE~jMe#3x?$OV6#U z0#Fo{f&EMr0N~fZ%gZ=N;Z7Fz4}=H-D)x?3LqZUu z(}wKl;U3~IfdPH^gSdsY`3L6s?XP3%wySt)ZO&PgK3?2K`Ttr-X?*dpCrnL~@i|^> z=f3gzf(T~9P6t~1l49QWHsBpxs$EPRlMdsxBg!NFF*Yh*9*haa1I>GUmobbhbtam; zS~p`YG$aWx|ATYuyYY-G`e*bf=W`<4fBkReo#I*zO}uKKsvNwVQ{>QLMR(%1QeSA~ zBdrpeI4WK>uKC@fw{>^n4s)|VMd)-rng#m8B|IiO3MZLAU+phMxvRYnBl&{SlJR9< zr-~cC{y|eKHw_XxjhBGOaDLlX=qt*CuBZuTi$5NZ;x48%U*Q`A*DPz!MLf&`0C6Ez zwg(>gOaJ@0I}KRxtca2@U@taJHs^xDdJAmR3x1N+Z&4XnwOt)!pjULZ`8?AJn(vA~ zGxD<7fLs@WYVsUKh&g9xL{vBxK3(aMDi#m~3fPeT9iKW*yUBowuT0oeEMVNx^8L37 zfi-?0nbjGMwnc6xU{RetR`uTli48a{sUpO-Sf|S@t%T)UgyPVy@2pdP?oZ9&dT@Y0 z&3o~Pny9m!HhIuNhCO%D-79Ts4_b9z5a9J`C|A z{rCbfOazXh=8<3~iv9HW#DOM+PlH`jC}&JT8E`ye8@;)@WN(}uu&?O}t}a&tyi~&& zu8+T2VV%>5Txgw$=W%wDpUHYSs+}}dR4bPL+4)s@ z{`(6|=n)5Lzp6KeR9~%t1=w~a6+jm}-NoIh1bhy8j~CFp`D4J5^jDt{F@Qa=UlDv; z6$lrEL5PaFdJNIdoET{Kpinde9ZZ&kMei@&tR;%akcyEPP(n9p1ey#9>gz{;I}NaO zD5%z0U~lfvpCY0{H~If}|NkoZs#w8iX9yK9w80$30k^|TU(VrSVsBD{eFv40G0r9F z{f=7*?>fUwT4LZVSR#o0fs3+J^C(W3JyUgS+ z=l=Sf?0@l@(LMT(15Ob_#6%sFCJb7d3l^0nRpAZ0M39hE++-zp8khuPzj7*v_d#K24}Or@^16)-s`lTWXd1= zY{w7C8DyIwnA^=iFrw~F|F2D%1%o=t{!aA!J*Ftq3fLFkdp)ep3~0)73JpQBPCvyE z&?~eL_djYIJevz9pu$-RzqgCNn;yLN@L{^v(Z|c6_c#6A_+DHxal(zJZqrPmn;_M z%odHY0B*+omZzE{Lo5O=z%}mr&dG1un`naN39j;91o!q=F#Y6^EeF#hplLyqzkq#* zn*UA$HgUUBEDR{^jn>kxDc!12R=|`wIr=He%W_#46#Hy|5{QDbcfTCAB{>jyg7}uF zcL6k?McNN4&@C=0E>7GlHwD#nR!PC-)+-gnn111bT0a!anVBEks@YJ-JvNV+a^LUa zIbu6;iU2QJ_}e@R5NyVm@LZi#f8izfky^$*vZXijStDa9HRKA|zg<&(8g)q^)&bt$ zodA)0zJ7u+ue`}NDu^HU>gX!mz)@IaTu@X+h5bOU`VF{ylVZ$Z`jXGAKh?zM9N%gT zd|m6Y`jGH&hiBSnKxbBmP>6obO(2M<2?eWI|^Z!oZ>DMw~m0OgoLbJXAjkYviZXF-1zbLP`(P5Il#Qxif1fIPw z%_K?Bs6zfvS?3u@<^MMD&goQ&Yn5tVhy-V%{{iV)e^>rnOzC1oWfSsCZp z>sMB?Id*pT%FM`f9sg&%c)an(ec#`4eXsSsTptUBY*9nYDS8=T2vXRe|Md@;PNLYv>62~4e= ziow$`>@yhNjNF+1%J|a-Gw(j=bO_5x|0AxwEuP_;Y0$!8u{tS7A2XILfnKBzwTL_s zXgSHt?nxO;palUK8i;DYh5QLpwsOC6###k-UeG>Y5ZM6|{DH~ew)X#qiA2Z&e{Z(R zYxfjw-2_*px`4O_1@Y|PMfR~l|EfxvMH4f8t9pzMyez$0*McToO@1J9LHy4|g zl$1iAF*ato_(VlXQ868PZ5ExsYJH;qa33;h+OOOysP}J^|sS>5{qTT z%$%Ip&Wi&qir*U>ZxjJdhv??!cGAs08uP88^}@+Mr)Vpg?;7Z!%XXtRh}pjUi7}uW zI^PvFJBkwLeot}`b6I+-uc0xTpVVcD8oE+LP~9Vp)%9;LR+MBI_KM6cCAB7sv8jD; zYU(eC?`#g2yQnvY#)w~(bS5d(`|jccfQjDd)6=;~PA@9Ux|jR15+*V@+s;TMvY)j9%z@oA?ri zal7NWkR63L#FWaVQJwewgiQ9@d~4v`|2Q7{V!F!@$DO8GiNnHE0c6a~*3IdJiT|BJ zxQCT=+t4LkFQFwP+50kdcK=hKM(!jG?UE(70p_Kq;P?M0AR9{8RAN7IKQ=a&I=D=b ziG5U%+4Ap5XQM~C)Po`uub=%g&($0BDusha8wdLBcf0hN{aonGOZ@KzvKS;TQbvmZZhRrr z>%ht+GAvu82^)NMD&3xq{QgvuL-qcmt@-EW!FK}g>oc>C)2%Hk-=bo~(Gr_Iisa?T z+^Y}43i}G0)N8fHi!MvaOx9Tp{=R`^Jy(+R1RDH5_sVFdDAB}QG3mtmtATL@NrgXV zP7<~KX?h+eVjafghlwKPk zibvp29OGMnC&u9kuFcmDtjsqIe-T99v~<~PiOA8Z%+<)Pq4lE5(PrKOZU?EBBbj9Sz%~xZEcR`2{&j|2nx^Ed?n1Lao#-N<7B^}tk| zIHKmTAyEj&KNdhAI%K|J5FaHy-z)OWeLUerU9bo=V#WP9*y9qH!@_yCySv$*(Fqazi8m;kF zlVrN^_4a59Ua#3}y+fX5cVj;A6p|v2eYDt$iB_TLsUN+0DipF<#XHTDnt+)|quYE8 z83uOrz?cjb%pq z3dfBgiwRBNuRswRe!37<|8am>%=zgzyK#WbMBPo5YpVV`UwszG@J{yW3+UL1GIF22 z^rywvd(8|e71b#(@W#hZojUb*9nfqCgCOsFw`A)5@i|EEa$?7yy8clo|1t^@cf(ZT zMBM|Ej06@${X&0XkKR%>xJd`qkkTrPWfpw&tt*s{_qzzGh0SIvFh=}_qP7KkFZdh| zrT!vD?N(+#3w^tUA8&=^Il`}$gkQKfGbsN` zerstsemDv}$GpVkjZw0?C|}{&GrPZVqbZSZ@Ryv{yvN@eLx%f-ufL>#vu5? zp(*;3FTp^dW+o{yvGOnQi|lmtKO{hhbd&Ja_+TTkY2*;rvZg-<8#!53^- zbJ%JddRQ28DyO*nywmJyaSXe%wfEu9#ef}y$tWu*(5#eq2wkm&dylr03DK`#6H=hR z_YxstT23Vp{Y3){5>Q0 zo&}qbcI=~CzheP+m^f|E1g|S|<~Ge1B*G#ZikOx?$D1J8eD?AUoO-lJ04vDkp`L6a zF;zps#rHBf`Je^XR-H-MLSsC<1BrY`xji-zKyS{eKK{N1xO$!AgFSBcq;38qS$Woy zdn?k6u>Y%sq17YOGOP(eAGJ*a{8EWz?Z6pKX~z*xSNr|_t&w8aS{vaSJAJVn)h<%~ zIcE6`wL}hY0rPGC_EN`bBEt*RF8D=zZ;tD8;IXE@!1gFy0^RRrAj4XJ5^);ES^>@6 zz1J2B+v*9iT{VFhIdHnz3@ax8aU#8T%ba?epS*{1IONI6Tg-R=1OqKbEgSs*>4?0k zJ4eIV=+B?e;p5?XVxFDVQrtPq6-g&vwCfDGLj5?F45O3KP@v{C#Wx3Ncky#cV6{H^?d#(=kqr`7Uyvlm&_2G~^6uh=b|Q zbY;g!^F$+r+{%aH zt|Q}3zi`(T-yy=wYkdHUzO&qE-mIec-LP*8ZfJAyqS*#U_*GxIi|sctF25M*#G$$8 z5&%Qum+-i75GIZc>yB&X7m+*S+lM0B3}3Ev-}s!9m34(C>TCXD3yH#2kDZg3cd-T* zw$o#MW^C5C-3^s+uAQewqt(po*Nee{VBtWH%Gb&C<|b0}*{1|VY=2($+F8GARVt3o z1Qn%VX7;O)mRqI7WM_R=aKorLMx2zldD7@hppSMWJl)-<5OaG!dVpZ16Po-p%NsES zWH|@$RIXEs-l>kf*;!m+cS24jgN=!kykV0~F^|E)ZUdB@I_d)YE@M`uD`Em#ksd`)x_-@j z?QW(|PERwjl2uczq{TIg_RbTPsF6qLh;Hbl&juA~dIF;#o&OzSB6XrD0;p@*IXZQ+ zh`%xitY>3$ND*v{@yb-{_X9dbMcz6Z1&~+etY6+(pbClD)Oo{GZ?TusK=hKW>g?^St+HW#`IX z-D9JK@O>`g_`t{PY?WKjX26Hc2yP^`8xde_0iZXuI?*t)4ZO@W1{OcEc0EecbM@Zk}a62;7Anl?Q( zoh$X>SY_lbqrs9{S#51vp`ES)g6wu^D=g#4GV%&Cj6`zaJ=`qmEGD1?%891Pr$~DSpQuE#^?S9z%d7(oUR>3 z2T6nSxzR3OK?&}^v3OygwOsfGrZ%@lOpQ+(>pB;(~eWUxXGQO0(%U17pbPY*ZO+Fk$~RoKyFQ6ZPSx z9Rc4ISyh7?&^NeozZ4^QkQ50tGY~b@fhquobgw;R;3kj(y$*2~$?1(;>-Bf1VKaRy zTPlcx1+i9()L}LMgoK3rz2?2Q{Sdf1)=pXpldJTJ5*ud)*0_3=BRV)}9$>w)I>0e` z1LT)IW(s0XT{8Nqq?BBnGSS$H04mN==vfvJFHI=zZF94=^s_#j?-#!19tPsZ6>r&gr^Ycx;GsNP9{Y$pI)A zjjheiq2*|287w_46*(ELqQwsXmjd)eg=9&u%UcWmj-gS6gpMQ95ImYwT@ap$h0{ui z!`Ve+^xQXlW!XDo4CpcS!FaSU@IP4gR=%Dw&dtqDGBx!e-o~2yuCK2%(i=YO=!3^( z_n!(SCNhX2l^|aDg+SJ$&Q=l`MV{)`onZ46$RH9)?Ru?t_>?kZ1B1OW$iI31j8T{D zukW+#I|WH>NNro8xYd(9C&6GDYHMmbq+FMOuZ`NnXlQAj(`{BwmP{lh9DHvMQh^MS z06ONQC+|xIdehv`C+k=w6HvTM}@mA|57Yu{B!0 z;3C{-_1+%i1$vcva3kU#Q-&aFkN0H^_%U^Wr0ugF{}%k0l_yo29f3HHTLGJ1kJ1W4 z&#QOo*;oN#_brD*`^;ZZ#Gi*HLCmutqxaSY5Z)Igs0R=0cA&bkCM&P%G6a?$Zra*C zZX5+2ujHT(wi4z3`0-<}9Wt+K7+{m`;Rzjwbul;i+KXbvG~hTy1U(H&mtI9NeBO8L z?CR2KjThx#1I}3Jly-`B1 zQ49#Dw#1kr2ZvA3h3B=LxQLoI7{?n3e8pnK1b-mX&y%;ww-Gtl8VX?7OGUBDTs0aJ zVi*7<^_xUW#5R~e63`}JQlPTWx`I13S+%=#ulNErZIpV>E$T&%_bD~~ux!hcz}s{4 zfT7PN*X1g!q@L54;Jn<-$o~{C>kK;07(OH?_4L07HGK)87`8pSi;fH}y2_ z3ZsBczWE!_WXu2X^Bh&$tI=$A< znDkcgcKPYgolDpq59R+w&6-`c7(p&PfwkbEBpU~t@#BU#{_~EvJ{x3x><_Ax%vdaEqy~hz0XEL1J=&dIj02t_A4#| z;r;E{*FbYg0Df7QKbw8zeDLJV;m9VCgT=NwBLWVt5Tx}0ea|JNah{d!?67=|I#Luk za+w5!dJs=iE@T$GFEE)L)-Vg)#tjm!Aw^~ZPhAId6q`GhO)YRvUQSPM;446LW5@)u zRA9C#f*6YW26G?Itm3MMkr5w2k*(rHto4-OZ;Q&x%1+3pk(y0DEK_W2vFCukJ|ikD ztO8zRQw%2K939=xvrkkocUZ+wSRnYRBuiF~0UlCCO;Pc!^JF8M5St}b<|94`;T&qW zM*>J$zS4oz!>-ebE+19m1a6l(&C{tT_mkxrTk{nOp2KTcyYIjp?P>=WT<_(}m%C4J zTd%IXoVkT8qj=Wb(z2hU*Sx>eTP^7h{K1UPnGWeU`G=Q@M|`<`TjE8VfrF+2B*Qk0 zXwDQXIx5HcNIxSE)zHN$B;@!=TKa1VkdV_h0cqL{Iy{cWWQqay=m?Vf)Kz_=ijn7P z-Sg%*{Oam314Bc@{cP|HzbG?9E#NrqOzhjYZaQ|nqF{p)n)%AFR>k)HXZAu!z%E7r zB>KuT-mN0TT3MQ=V2Jq^h#U@%kdAu+S=W2stD(keMvg7lpMaTKS3%5@t8?+#`NJ5r z;?J*mC!g)FY;zZwn2KSmTh2x4$V>`2L&c4oFBO{6P*>NrT(8*>0Q8yU$bSIfz2Z^= z$H^6l>~<=nK#_a}$+{k1-7oK}^7B`B3knM8WlWQTx^Fz3G{vKD{bUPm41z;O_I5kn z;E>7lRjzj~thGrQ?`$s4zo2X&U+B^VN#o$cr@*r3vKyS1D>~V_9o*m>=zuHaiGIMr zVf?Lws~lun6txrF*kj47V{Gi>$qP}|v|_dQ+(qyI$P)V(o8emz!24Mx7+6})wE|6d z12G>eW184yVyBEp&$S!M9H*zFqqefJxRD32sxLrS?Kyg!N?{&E-VAad>5$axtn%`> z%XWMq*HBDRRn=)AYJyx$T}A&XFYgVAQSi=63&aIYkctH>&07GRx;eS%?rZ1=P3HRB-g*L9l-}7JvN8eZ&YhzYgUsO{$in$U7<6-}DAp=V@~CRg zR7hxOWZo1QT`r!c@Mg_ZG%2hcY%ivQ8XmkkybZ1`c3D1^P~~0=}4nnwpJ*s%nn1vT~M^s_Jm^t5-#ZA3vJi1Iz1d9@s>$Tu H!TJ3c8s=DM literal 0 HcmV?d00001 diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index e0156a6f..1a404fa0 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -3,103 +3,151 @@ Site-to-Site ============ -Site-to-site mode provides a way to add remote peers, which could be configured to exchange encrypted information between them and VyOS itself or connected/routed networks. +Site-to-site mode provides a way to add remote peers, which could be configured +to exchange encrypted information between them and VyOS itself or connected +/routed networks. -To configure site-to-site connection you need to add peers with the ``set vpn ipsec site-to-site`` command. +To configure site-to-site connection you need to add peers with the ``set vpn +ipsec site-to-site`` command. You can identify a remote peer with: -* IPv4 or IPv6 address. This mode is easiest for configuration and mostly used when a peer has a public static IP address; -* Hostname. This mode is similar to IP address, only you define DNS name instead of an IP. Could be used when a peer has a public IP address and DNS name, but an IP address could be changed from time to time; -* Remote ID of the peer. In this mode, there is no predefined remote address nor DNS name of the peer. This mode is useful when a peer doesn't have a publicly available IP address (NAT between it and VyOS), or IP address could be changed. +* IPv4 or IPv6 address. This mode is easiest for configuration and mostly used + when a peer has a public static IP address; +* Hostname. This mode is similar to IP address, only you define DNS name instead + of an IP. Could be used when a peer has a public IP address and DNS name, but + an IP address could be changed from time to time; +* Remote ID of the peer. In this mode, there is no predefined remote address nor + DNS name of the peer. This mode is useful when a peer doesn't have a publicly + available IP address (NAT between it and VyOS), or IP address could be + changed. Each site-to-site peer has the next options: -* ``authentication`` - configure authentication between VyOS and a remote peer. Suboptions: +* ``authentication`` - configure authentication between VyOS and a remote peer. + Suboptions: - * ``id`` - ID for the local VyOS router. If defined, during the authentication it will be send to remote peer; + * ``id`` - ID for the local VyOS router. If defined, during the authentication + it will be send to remote peer; * ``mode`` - mode for authentication between VyOS and remote peer: - * ``pre-shared-secret`` - use predefined shared secret phrase, must be the same for local and remote side; + * ``pre-shared-secret`` - use predefined shared secret phrase, must be the + same for local and remote side; - * ``rsa`` - use simple shared RSA key. The key must be defined in the ``set vpn rsa-keys`` section; + * ``rsa`` - use simple shared RSA key. The key must be defined in the ``set + vpn rsa-keys`` section; * ``x509`` - use certificates infrastructure for authentication. - * ``pre-shared-secret`` - predefined shared secret. Used if configured ``mode pre-shared-secret``; + * ``pre-shared-secret`` - predefined shared secret. Used if configured ``mode + pre-shared-secret``; - * ``remote-id`` - define an ID for remote peer, instead of using peer name or address. Useful in case if the remote peer is behind NAT or if ``mode x509`` is used; + * ``remote-id`` - define an ID for remote peer, instead of using peer name or + address. Useful in case if the remote peer is behind NAT or if ``mode x509`` + is used; - * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined in the ``set vpn rsa-keys`` section; + * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined + in the ``set vpn rsa-keys`` section; - * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when ``id`` is defined; + * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when + ``id`` is defined; * ``x509`` - options for x509 authentication mode: - * ``ca-cert-file`` - CA certificate file. Using for authenticating remote peer; + * ``ca-cert-file`` - CA certificate file. Using for authenticating remote + peer; - * ``cert-file`` - certificate file, which will be used for authenticating local router on remote peer; + * ``cert-file`` - certificate file, which will be used for authenticating + local router on remote peer; - * ``crl-file`` - file with the Certificate Revocation List. Using to check if a certificate for the remote peer is valid or revoked; + * ``crl-file`` - file with the Certificate Revocation List. Using to check if + a certificate for the remote peer is valid or revoked; - * ``key`` - a private key, which will be used for authenticating local router on remote peer: + * ``key`` - a private key, which will be used for authenticating local router + on remote peer: * ``file`` - path to the key file; * ``password`` - passphrase private key, if needed. -* ``connection-type`` - how to handle this connection process. Possible variants: +* ``connection-type`` - how to handle this connection process. Possible + variants: - * ``initiate`` - do initial connection to remote peer immediately after configuring and after boot. In this mode the connection will not be restarted in case of disconnection, therefore should be used only together with DPD or another session tracking methods; + * ``initiate`` - do initial connection to remote peer immediately after + configuring and after boot. In this mode the connection will not be + restarted in case of disconnection, therefore should be used only together + with DPD or another session tracking methods; - * ``respond`` - do not try to initiate a connection to a remote peer. In this mode, the IPSec session will be established only after initiation from a remote peer. Could be useful when there is no direct connectivity to the peer due to firewall or NAT in the middle of the local and remote side. + * ``respond`` - do not try to initiate a connection to a remote peer. In this + mode, the IPSec session will be established only after initiation from a + remote peer. Could be useful when there is no direct connectivity to the + peer due to firewall or NAT in the middle of the local and remote side. -* ``default-esp-group`` - ESP group to use by default for traffic encryption. Might be overwritten by individual settings for tunnel or VTI interface binding; +* ``default-esp-group`` - ESP group to use by default for traffic encryption. + Might be overwritten by individual settings for tunnel or VTI interface + binding; * ``description`` - description for this peer; -* ``dhcp-interface`` - use an IP address, received from DHCP for IPSec connection with this peer, instead of ``local-address``; +* ``dhcp-interface`` - use an IP address, received from DHCP for IPSec + connection with this peer, instead of ``local-address``; -* ``force-encapsulation`` - force encapsulation of ESP into UDP datagrams. Useful in case if between local and remote side is firewall or NAT, which not allows passing plain ESP packets between them; +* ``force-encapsulation`` - force encapsulation of ESP into UDP datagrams. + Useful in case if between local and remote side is firewall or NAT, which + not allows passing plain ESP packets between them; * ``ike-group`` - IKE group to use for key exchanges; -* ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process. Can be used only with IKEv2: +* ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process. + Can be used only with IKEv2: - * ``yes`` - create a new IKE_SA from the scratch and try to recreate all IPsec SAs; + * ``yes`` - create a new IKE_SA from the scratch and try to recreate all + IPsec SAs; * ``no`` - rekey without uninstalling the IPsec SAs; * ``inherit`` - use default behavior for the used IKE group. -* ``local-address`` - local IP address for IPSec connection with this peer. If defined ``any``, then an IP address which configured on interface with default route will be used; +* ``local-address`` - local IP address for IPSec connection with this peer. If + defined ``any``, then an IP address which configured on interface with default + route will be used; -* ``tunnel`` - define criteria for traffic to be matched for encrypting and send it to a peer: +* ``tunnel`` - define criteria for traffic to be matched for encrypting and + send it to a peer: * ``disable`` - disable this tunnel; * ``esp-group`` - define ESP group for encrypt traffic, defined by this tunnel; - * ``local`` - define a local source for match traffic, which should be encrypted and send to this peer: + * ``local`` - define a local source for match traffic, which should be + encrypted and send to this peer: * ``port`` - define port. Have effect only when used together with ``prefix``; * ``prefix`` - IP network at local side. - * ``protocol`` - define the protocol for match traffic, which should be encrypted and send to this peer; + * ``protocol`` - define the protocol for match traffic, which should be + encrypted and send to this peer; - * ``remote`` - define the remote destination for match traffic, which should be encrypted and send to this peer: + * ``remote`` - define the remote destination for match traffic, which should + be encrypted and send to this peer: * ``port`` - define port. Have effect only when used together with ``prefix``; * ``prefix`` - IP network at remote side. -* ``vti`` - use a VTI interface for traffic encryption. Any traffic, which will be send to VTI interface will be encrypted and send to this peer. Using VTI makes IPSec configuration much flexible and easier in complex situation, and allows to dynamically add/delete remote networks, reachable via a peer, as in this mode router don't need to create additional SA/policy for each remote network: +* ``vti`` - use a VTI interface for traffic encryption. Any traffic, which will + be send to VTI interface will be encrypted and send to this peer. Using VTI + makes IPSec configuration much flexible and easier in complex situation, and + allows to dynamically add/delete remote networks, reachable via a peer, as in + this mode router don't need to create additional SA/policy for each remote + network: * ``bind`` - select a VTI interface to bind to this peer; - * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI interface. + * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI + interface. Examples: ------------------ @@ -216,9 +264,15 @@ rules. (if you used the default configuration at the top of this page) IKEv2 ^^^^^ +Example: + +* left local_ip: 192.168.0.10 # VPN Gateway, behind NAT device +* left public_ip:172.18.201.10 +* right local_ip: 172.18.202.10 # right side WAN IP + Imagine the following topology -.. figure:: /_static/images/vpn_s2s_ikev2.png +.. figure:: /_static/images/vpn_s2s_ikev2_c.png :scale: 50 % :alt: IPSec IKEv2 site2site VPN @@ -240,9 +294,6 @@ Imagine the following topology set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' @@ -255,10 +306,10 @@ Imagine the following topology set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 'secretkey' set vpn ipsec site-to-site peer 172.18.202.10 authentication remote-id '172.18.202.10' - set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'initiate' + set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'respond' set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'IKEv2_DEFAULT' set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10' + set vpn ipsec site-to-site peer 172.18.202.10 local-address '192.168.0.10' set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10' set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT' @@ -274,7 +325,7 @@ Imagine the following topology set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' @@ -296,4 +347,42 @@ Imagine the following topology set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10' set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT' + +Key Parameters: + +* ``authentication id/remote-id`` - IKE identification is used for validation + of VPN peer devices during IKE negotiation. If you do not configure local/ + remote-identity, the device uses the IPv4 or IPv6 address that corresponds + to the local/remote peer by default. + In certain network setups (like ipsec interface with dynamic address, or + behind the NAT ), the IKE ID received from the peer does not match the IKE + gateway configured on the device. This can lead to a Phase 1 validation + failure. + So, make sure to configure the local/remote id explicitly and ensure that the + IKE ID is the same as the remote-identity configured on the peer device. + +* ``disable-route-autoinstall`` - This option when configured disables the + routes installed in the default table 220 for site-to-site ipsec. + It is mostly used with VTI configuration. + +* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE + notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) + are periodically sent in order to check the liveliness of theIPsec peer. The + values clear, hold, and restart all activate DPD and determine the action to + perform on a timeout. + With ``clear`` the connection is closed with no further actions taken. + ``hold`` installs a trap policy, which will catch matching traffic and tries + to re-negotiate the connection on demand. + ``restart`` will immediately trigger an attempt to re-negotiate the + connection. + +* ``close-action = none | clear | hold | restart`` - defines the action to take + if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of + values). A closeaction should not be used if the peer uses reauthentication or + uniqueids. + + For a responder, close-action or dead-peer-detection must not be enabled. + For an initiator DPD with `restart` action, and `close-action 'restart'` + is recommended in IKE profile. + .. _RFC3031: https://tools.ietf.org/html/rfc3021