{
    use strict;
    use warnings;
    use esmith::ConfigDB;

    my $configDB    = esmith::ConfigDB->open_ro or die("can't open Config DB");
    my $dbKey       = 'ipsec';
    my $systemMode  = $configDB->get("SystemMode")->value;
    my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';

    if ( $systemMode ne 'servergateway' ) {
        $OUT .= "# System not in Server Gateway mode\n";
    }

    elsif ( $ipsecStatus ne 'enabled' ) {
        $OUT .= "# Ipsec not enabled\n";
    }

    else {
        my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
            or die("cant connect to ipsec database");

        my $dbKey = 'ipsec';

        # Generic setup file
        my $debugstatus = $configDB->get_prop( $dbKey, 'debug' )     || 'none';
        my $keepalive   = $configDB->get_prop( $dbKey, 'keepalive' ) || '';

        # A standard config is included in the RPM but we need to generate a new one so we can modify settings

        $OUT .= "config setup\n";
        $OUT .= "    protostack=netkey\n";
        $OUT .= "    plutodebug=$debugstatus\n";
        $OUT .= "    #klipsdebug=none\n";
        $OUT .= "    log=/var/log/pluto/pluto.log\n";
        $OUT .= "    dumpdir=/var/run/pluto/\n";

        if ( $keepalive ne '' ) {
            $OUT .= "    keep-alive=$keepalive\n";
        }

        # This should get all the connections in an array

        my @connections = $ipsecDB->keys;

        my $virtual_private = '';
        my @subnetArr       = ();

        foreach my $ipsecprop (@connections) {

            # Note that L2TPD needs the localsubnet in here
            # Second thoughts I don't think it does
            # Only when you have subnet <-> subnet

            my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) || "disabled";

            my $ipsecrecord = $ipsecDB->get($ipsecprop);
            my $type        = $ipsecrecord->prop('type');

            if ( $ipsecstatus eq 'enabled' && ( $type eq 'ipsec' || $type eq 'xl2tpd' ) ) {

                my $rightsubnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' );

                unless ($rightsubnet) {
                    warn("Warning $ipsecprop has no right subnet");
                }

                # Check if the network is a unique value
                if ( $rightsubnet && !( $rightsubnet ~~ @subnetArr ) ) {
                    push( @subnetArr, $rightsubnet );
                }
            }
        }    # End foreach

        $virtual_private .= "    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,";

        unless ( @subnetArr == 0 ) {

            # For NAT and vhost:%priv seting exclude any right subnets
            foreach my $subnet (@subnetArr) {
                $virtual_private .= "%v4:!$subnet,";
            }

            # Remove last character ','
            chop($virtual_private);
            $OUT .= "$virtual_private\n";
            $OUT .= "\n";

        }    #end unless

        # I think that this is all we really need. as long as we don't have complex subnets etc
        # $OUT .= "    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12";
        $OUT .= "include /etc/ipsec.d/ipsec.conf\n";

    }    # End else
         # End
}

