{
    use strict;
    use warnings;
    use esmith::ConfigDB;

    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
    my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
    my $ipsecDBkey  = "ipsec";
    my $xl2tpdDBkey = "xl2tpd";
    my $ipsecprop   = "L2TPD-PSK";
    my $systemMode  = $configDB->get("SystemMode")->value;

    if ( $systemMode ne 'servergateway' ) {
        $OUT .= "# L2TPD - System not in Server Gateway mode\n";
    }

    elsif ( $configDB->get_prop( $ipsecDBkey, 'status' ) ne 'enabled' ) {
        $OUT .= "# ipsec is disabled\n";
    }

    elsif ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) ne 'enabled' ) {
        $OUT .= "# xl2tpd is disabled\n";
    }

    elsif ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) {
        $OUT .= "# l2tpd connection is disabled\n";
    }

    else {

        # Currently most of these are hard coded but could come from the DB key
        
        # For nat connections you can use "vhost:%no,%priv"
        # See above
        # https://github.com/libreswan/libreswan/blob/master/docs/examples/l2tp-psk.conf
        # see https://libreswan.org/man/ipsec.conf.5.html -> leftsubnet
        
        $OUT .= "conn $ipsecprop-NAT";
        $OUT .= "    rightsubnet=vhost:%priv";
	    $OUT .= "    also=$ipsecprop-noNAT";

        $OUT .= "conn $ipsecprop-noNAT\n";
        $OUT .= "    authby=secret\n";
        $OUT .= "    pfs=no\n";
        $OUT .= "    auto=add\n";
        $OUT .= "    keyingtries=3\n";
        $OUT .= "    rekey=no\n";
        $OUT .= "    type=transport\n";
        $OUT .= "    encapsulation=yes\n";
        $OUT .= "    right=%any\n";
        $OUT .= "    rightprotoport=17/%any\n";
        $OUT .= "    # Using the magic port of \"0\" means \"any one single port\". This is\n";
        $OUT .= "    # a work around required for Apple OSX clients that use a randomly\n";
        $OUT .= "    # high port, but propose \"0\" instead of their port.\n";
        $OUT .= "    left=%defaultroute\n";
        $OUT .= "    leftprotoport=17/1701\n";
        $OUT .= "    # Permit Ike v1 for older xl2tpd connections/clients\n";
        $OUT .= "    ikev2=permit\n";

        $OUT .= "    # Apple iOS doesn't send delete notify so we need dead peer detection\n";
        $OUT .= "    # to detect vanishing clients\n";

        my $dpddelay = $ipsecDB->get_prop( $ipsecprop, 'dpddelay' ) || "10\n";
        $OUT .= "    dpddelay=$dpddelay\n";

        my $dpdtimeout = $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' ) || "90\n";
        $OUT .= "    dpdtimeout=$dpdtimeout\n";

        my $dpdaction = $ipsecDB->get_prop( $ipsecprop, 'dpdaction' ) || "clear\n";
        $OUT .= "    dpdaction=$dpdaction\n";

        # Some additional config entries if required
        # right subnet would not normally be used as it is used above
        
        my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
        if ( $rightsubnet ne '' ) {
            $OUT .= "    rightsubnet=$rightsubnet\n";
        }

        my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' ) || '';
        if ( $leftsourceip ne '' ) {
            $OUT .= "    leftsourceip=$leftsourceip\n";
        }

        my $leftsubnet = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' ) || '';
        if ( $leftsubnet ne '' ) {
            $OUT .= "    leftsubnet=$leftsubnet\n";
        }

    }
}
