config setup
	# assumes 192.168.1.0/24 is our L2TP range
	interfaces="%defaultroute"
	protostack=mast
	nat_traversal=yes
	# T-Mobile and Rogers/FIDO now use 25/8 as "private space" too :(
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24

conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv
	also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
	#
	# Configuration for one user with any type of IPsec/L2TP client
	# including the updated Windows 2000/XP (MS KB Q818043), but
	# excluding the non-updated Windows 2000/XP.
	#
	#
	# Use a Preshared Key. Disable Perfect Forward Secrecy.
	#
	# PreSharedSecret needs to be specified in /etc/ipsec.secrets as
	# YourIPAddress	 %any: "sharedsecret"
	authby=secret
	pfs=no
	auto=add
	keyingtries=3
	# we cannot rekey for %any, let client rekey
	rekey=no
	# Apple iOS doesn't send delete notify so we need dead peer detection
	# to detect vanishing clients
	dpddelay=10
	dpdtimeout=90
	dpdaction=clear
	# Set ikelifetime and keylife to same defaults windows has
	ikelifetime=8h
	keylife=1h
	# l2tp-over-ipsec is transport mode
	type=transport
	#
	# MAST parameters - requires
	# ipsec saref = yes in /etc/xl2tpd/xl2tpd.conf
	sareftrack=yes
	overlapip=yes
	#
	left=YourGatewayIP
	#
	# For updated Windows 2000/XP clients,
	# to support old clients as well, use leftprotoport=17/%any
	leftprotoport=17/1701
	#
	# The remote user.
	#
	right=%any
	# Using the magic port of "%any" means "any one single port". This is
	# a work around required for Apple OSX clients that use a randomly
	# high port.
	rightprotoport=17/%any