From 0e7f0b6e099fb0bac9bab9343f7b5d08fee73dab Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Thu, 16 Jan 2025 16:56:57 +0200 Subject: [PATCH] dmvpn: T2326: DMVPN Documentation for FRR NHRP implementation DMVPN Documentation for FRR NHRP implementation. --- docs/_static/images/blueprint-dmvpn.png | Bin 26830 -> 29626 bytes docs/configuration/vpn/dmvpn.rst | 433 ++++++++++++++---------- 2 files changed, 260 insertions(+), 173 deletions(-) diff --git a/docs/_static/images/blueprint-dmvpn.png b/docs/_static/images/blueprint-dmvpn.png index b07c190d769842b3156f428a79423dd829d91dca..85f189c10cdf6288378092cd833cf97fdec355ce 100644 GIT binary patch literal 29626 zcmce8byQSu+b&^(h$tngw4`*G2qP`sA=2H=AR-_jjDmnP0+IsK%}6thbPnAOL)QRv z_V9b(@6GS5b^bZ7#gdu5_w($1=XKxrwF!T%0wTbpz{A4AB9MReQXLBmHv|g{NBRy9 z@C~>jY##Uz+f5zx0;{-}Y907+!%A9N8Vjowf`9SmCh+;L^D8|!EUf#jm>=v;r#y2k zEH_p8m(rTv#@o|(O^KH;(R&E{vf4+EkLUzn{=UJO_Oi%T`^GSyI$^&y-(hA3slnd4 z*0U=E4jfxH@5oUDHO}P+MB#WZpT2zg5a;gFLg-XIYzK`M^$ z5v!lQ_gQrXk;u=$%p4XLX2;2!+_NxX&aORS+x7YwDW?SyCRvdC@o{ zY8fJUnyWK7piks)8a9jTr+89EY%3A=a#?CsMspqCyW#M5`kMtA|9my!U!!`kZKH8nz#2#hqv zg2XUlR;7agpMJ-7WdR>{8TMH)hr<6q9?Iw6Uz@hKxCBNLNcmEmhmO$M6QmX@}~ATs7CZ}WOj*rVB>4Y}z77LC!jhV2iIi>Aws zlSO>5PF%x8{6v%VgJni0T~o&QuShm?wmdgxg#4tQ@rvjtB17T3J9H78W{I} zlbo-Ij%`irKJ#>aZj@S-3f1B4hQWv+j*{;=GyhXzEYF`lZSGrPGJ9ETUVcO^zHT-! za|JtB0*Sg^G9R0J?qv^DSv<=65Dq^i5t!_Nb{%)DQm;Eqq|~D#(1%S2ghN~OV*3|z zxs50h&vn0(To@#MRrhDsReVWtO<=}V-Akx{P*!mz;kLJjiYlx2VWXeQQS1a?CyiOc zAB*xWN~4S2jx*>3O0ARh5bro2A0HTG5=!Jzt&K1tlF5I|;&Jas^!H)zuOgx9ov$|< zJXz|8hcyxNNf#IXU!dl#@l7lP65fLpAUoxl#xFH2jlLmo5k65(87HEl3ZsI=GF?XQ zTA~7ZSMl{;$SN{jl-{x%W04D3J*)t`Z8Lt8Vc;qL&uZ1!jjwDYSH`t3N!RW>`fL5e z3;u4Yk8VbEYS*RN%zel|eo|#0a@iASr^EgT60X5~kC@F;(w@*AhAgUrW~rOR9`4$g zc0A>*vduTKPcftrLLDWgB#K$RKBDAFo$X#<%Y$0@UmOaSTYyL|$(axE;kui$_VS)Y>Q6@M8YLeJ$AJ?c#Hn6I5n05m? z?_M^1BNdk#`O5n|sZG}Hh+ix9fO=^9wy}RlQ?gNJU@y#Qqo2jh zZYOEev2doMs;`{3F@1F>oEY$&OMPyLb}E?Iwq5PZ?x9x#-g&YD^_IrAUCfr-hMJmM zIArHnU%u!{QzzF*{ZX}*arGaUr1I~G<6Bi1n;X**<7Z<6*(>tx_k&j$bR=y!c&Z!& z`CJAU3>yp2^(gAmdEiww)aUn298>e)_U41sfNZG4K>OB>qMX=(@U!+`(ZspU|1rS@9+UUr2sr#M`oDy^Y|mJb zLtKa-oUl=&Y;~{2VMsO5X9RZCs`7K2EY3&yFzAb!G@op)E~CJM5oVE3Y5x_&q*sY%0jAc=O3W%mh_pJc;Wk*{znGfmN*Cni4?{+HTEtE!$9{#Im(8$wW7avUu9K!mr^*ZP8{YvFQX4 zWx}!Bf4O3wZz7^(S$V;6zAGw zBXUW(esdtzf$gP&8w4Q}?78@{PVAz;l&ZvEHel`Xv_*b#02Z!^`;TaSn8Vig8cYIe zEw_5CFldpGi+Ev%?;ER2obti2yl3t2sM$gwLvw$vrk4KCv>A?* zm6b)1pP#?Cw^!D86Zp3fCo3xp^HfBz=RyL7JN$Y-iIj)5c{W-$K7FEIWzcOj%l4Fm zL;2pa7U=bVN#88bIXQdlXC!UQhVAv*t?>U)gDRjwlg%~x$I82`2TY+Y-f9F2;ic3@CFu0lAGkw>Bu2#H&24A2>`0Fy!PV7Y&m*3CeD}i){l zu}#M(P4}DFb<&kxHcZ+h69|ASDn70rSo`#X;@T6-<~3L&PZC!B*(reo)2A@mOY=Jtq2v0Y9# zuVnZ?F3?ZAl&l@50~5)}grYmo;KN9o+G1`n_ER$GLWAP&&AxHgh~ z2R=L)%jGz;v&fQVy&w2`H6rs}+L&FEv;f7z>=9mYe!0Dn?!I=o4jpBW70h5!#;X9h zZdV}fPu5C994DBxq4FZ{hiR(4&}qmquUrRAPKGL|k~Gq8)mrwhzu_Zbk4PUr2+i3G zPX7GEFiGNofTAm{GP~%lA~P6RkyGpLnoqD{L7(X%B#kA3`lrPi2?+W%D!wd_1lZ@@ zx!5<514(C9S38qdno5z_Rne7&cq)@$p)TI29vlJ-4W@?(h*>yoxrUpV5+a;`QTZB_ zYjw*h>TQLL|0TxxQZaqK({kW8?Q2?W^Ya1{{Gh+2!SkyyIftCJx?GhWgkuc_OdtI6 zEB&=P?n9ObA~ZyoW8mF{Bk5&OHO>*UU8Jx)r-)|Slq1IkGi9;MTVX(P)DgG)AO*LY z-^~o++@3BBO!S?m^GnrL&DBbq;h?;q<4eYIw?n0Mb1HRsYa&jmmo;*5`5|y!QmdPf zrtt5Z$7rMe{?0=#4QRcElf%k{4*!|#y(4@|7D_D~+jOc*JvfIjEi4p%ja@kwO97J> zW=WW8c0CQ~vHe02_HIoi_Z5N1&f(I618DOXDeY%Pj5*!!TUI-MwirkTLb#?XjuCcHEZ7&cBiiKqh_OY@aP{?dU&h3@P`Au{Jm(-VG)UqZ~ z0|}e^_;+ZlJGp+<+uQ0RAds(CVuf5`5T)Zt@&YdW<#l}cu^1<1OA_>KP-uKrs=(Z_T#ym_mKl~S4Ks1eTf zYNl;QJKnC>SH`3mZpnX3_Hn%-Yx1%A%G9Eiuo!d+Y6+T+!uy1mB6@$cKGb)a_#5r8@#ae=BPK4(EVMC-b*)qwiyN z4UNUcMT>NNJUqNMw#bNxnC)`m(yH_xe|3SRY+vy371O{$E66d9Agsk>)j-khWz#*1 z^KV-ZgHy(}D=bp%hlk1zvTkW4a4zy%EZQfb8f{nD+S(}RB9{ckX`qrKf{>oV(B zpkRtmajWl2XZKLOd26%e1Q?PlqBELISbLzrWMuahh*kYW-t3U`n=iW=t9h(O>Iz`P z2XfFkx2V)mcvXNl^iRw|sXbqtww`|7X43|j;tWM?raTy%$Q1(}d**A!DAe8d>M8YH zC7hdx@=G@@JRH9}!NeyWKt+}Z%{m28R@DG5RPqwpgz7aC5eAGZ>P_%ci~-^gGdmDi zT6-S|Ima8i|Eg#)Z|qlC29~YxOM_?4m%75HH<(mpdfH8*C!-zX397G)wTe%j`+0%6 z_{%Z%dUyi5a7dS&L%fWWU6lgD`a`qi@bKo?h)Kt*A8Zr)B~(C+IPM8v1@*Z#c{Pe6 zSlPp7;^38u<+JgM%FjIrRCM((N&3r2SEB{GxPFDPfCPZu`>AN)S;vpQOc%#Q?u^b+ zr?RTrmy`a0hZ@`*$LH?41)P%98tkLVdqmEdFxBI`lH08z*(Db@TC<(UnK6O~AOh_Ub2oVbvPcd*%Az8QsJqxXG1k_t$3#1fmQB zwR)B~kOB9iP=ONeV+?!h%)RHwFy{1ockiC9+|rg-g7 z56aXG_C~|4M(>oaC?%?^ ztMfR`G`wjIEi$N9ah!i$9Ea@p+!{I7=P%sCBsPbc7|>0P!|V*OeA#@PrLYArtt4DW z_RG{nueMhan@Jp_>oBYIrBzZU^9H=p?*xp#JdwQ@6%{pI?PPLv81P;DRCL>mNWYD7 zf>Ea8sZj-IWQA-tfGysg1AqhXsf+3jcj~8<#_|mfpATpgqFCQ{Mk^~T7bP~SlJl&s zW&D^>FSi^O6e>z>(y8|f6_CN;kBlU*Wwl@v(^CuN_zN?ON%%)HCS&8^^jcbSa$Vj4 zw3NK`2~KSb%x=Pttun3*ursXNG71U`N=l#XYcuk?B;L}HlI92+skv^L>aI9l{;4h7 zrv90eCVOc@us*C)Md<}TJ?oT-hRZn!#!Vll520NaPgt3mL1Mm>MA`pK)&A}4S7I6( zPL!c(sjj_1GR!>2f$SR_?jNGJIEvMe*_q9+@oD5aXAz&LxLr{0g^Kvd`ZGjcu6p5x zGR$e}w2_saomj@_f7wAqWa4vD5(O(@_=^)xlV+Sg0bZln}9hs;i!313BR z9i_Z0rf=c$TkQ(xiNj&5h`7U%smT_%Jt1e8C1_0v>~Y=n@mU3)g5=-AVd~$}=Efhu z)zWI{^3Y0%;|F^-Rp`QEmBI1~-<^6#qJsYYtDQmWhwBk)7ch?;kOW>k#-*0Vq82Ppr3Z{a~+FR^(3 zP?wXkxYOrtfv0J`SJ?xx=JmpygPi)s9FSq#RCVfX0{vyEZMQC}=YWh|_qpp*mxy5B zZJ;9j29z0i;AZhwE+6rQ{gbHgxaK;AM5;vG3%Gmk3-T5^2h*9;F*!dj4NxcB6Wj9o zgOL-FqLry*vPQYHVu8QkVJ9Xg`X7q}_cBN6qeEQ%Q6#FuUdt~aoH^vPqN^T-`n1q>DCr2^Bp5jT=@Z~?3_#Xsfc*` zgzneL_8T(j)Y(Kps$2kN{O$|qt;?LWF%+l+6>`Y^t#14t_JSh&$DB3d!nRvxyrrer zOP+MKqeeEs$KpdLfG-8_ZHsNRnckzN8sCin{1o!RWM6KH-#`R1J!0W+2}UdXTsA$x z&wM7*&RQBY{%7yLX7JR=kZr)SHXytmLE%dBdNS^1Q6KTowFtqD1ltE#O{idpWr*B4O0_;~4C$@8@=M7fpQ z5wP#B(URJ%B~PN|pKr}0e>-Usx3~$gohJC_n3#u;9?=_cvaqr~guHq4#&?Lsk?PvP zJyURcEDr{MD3Wm+>gwxLP*M3K8&9rwyr8^^O6LXK7_+2e@r`JV(0!KI|Pf z?)l+*mQ(+YXiVGppY|cn>utO#2Le(4CrEN216s!w6@1*9cBJ1*Pa~w=Vk+BY*A1)) z-8Ww8zcmnPE@Wc=U^Xeo2IjV7nDSJo>XrlwqnI1}d38~4Kmn{}SzPG_ z`)os)5S&uCt^LQ{o&288T0U<8B%rk||It?NOH`*ZJ5B7Y!E{p4*S>3&yb~+1-k!>v zoE^?7D!scN`LNPr3{k%N8&MKz(F~p#D)x;ACwgWzeHSB4D&j`?4Ga<89Ml!-Iv#D68W-szwKt+HuzJb|@vr+}$cBCj|r?_M7#1CBrD8|G${+~(-a_K&M0>la+M&sCVbe{E`opFwf= zQl1|@+)Ecs&#$EeZ!2|%DDYUN1*{lBD)t}d{0R_k%W9~B(F3N;rB~KwF906_(vL%k zSb^o-R@~XF7#>(FE?7`M)btlJ$BddT z^AtCfX1R2KnJ#sGxpoo(IU21oWLlh$YtGE~4aeifgzo!q)=z`Vt2gjf3J*gK-KO|t#RdKfu3YRNFm1mDCr?DcoLP$EqfL= zFh1JRm6aFr_am9uQ({1QQ}KA8g`%V9062Z}2_*B`^_`5$(X=D3y$yjID2agcKgohz+}vs=BW6_6|1=>1 zTt(zX5WU=|=QAE-MvjkrZ7V121+oTMCOMrKU!Thg5a+cV=>TgAI8N2zb2T`h>`d$F z=@n`hDX6N_3fO;JOEBQ01^u(_t7X(hzcwu~ZoK!OU7afYDIrZvZ4rT^RkNo>E#kfw zLT0R6VXY=FFaPRQS1X~U|7^g?&0Dv+M|zrx{?(I<>50k7$U0G=dGNwmjb6E>3npm2 zmZp)lo5v_3+4#J!z!oJVa@al3Mm0;`(`^z{p#OWX{^}~rxCJo+u zOR(5PK$jWR^pF-xE!EkR^&w_9wn)sS6WqY1WB(Rsx5GONE z5>wWE8?Q#JAp?Xx(WKw1xjZg!Q8FEq2E#PrhdXhUahO;ZMq~=b{6l*j3Q}5b*oMdQZJ6ry~ zgb3Yr*hT^-ce~vR$iQ=qU0G}W7)SoS2y{v?j_Uo;hxpf9j6+TMhugxe{*zYNtGum<^0`2FxTmS#7N5-|Nm|&EU%4HzyJAv z$>fjzi_K_UJf7nFhshA<75BcD%i0@M>Vh@jgXI3uNcybaZyYCCG@0i9hO)l8`W7hb0>u8#5L>O(5wek=tIL9|fKdr5|rk zGRHHkrZqUvx6Cy9Z5C3r{ag4@`CIhB_F5>%I34Fc%bevkn(cW3Na&^xpwEntVt5sF zm@pv3w$IZ4m(FaK)G|1(b@mnz?PR`W02+9h#2(993ILP?^W2Jjk)e}FGA;lY@Bk+8 zE*gj`-cmpz2lz@^Ss6z0?&eEszu$I5Q=m<9t`VZtZ9uyXWY@dC19rVeh})FF zCD#aX0(go!Ud#<(!pZMW%u`rfb!EL%EszX=n!_HJBiMBSGZwuEgTdzK=gXFHE^mK_ znGYrx1K~d;BxKkuS&lMJa<)m$Dnla-pYhm%j z+Z|p#9VO$Dhtr;p2QtCmgM9i6=K=BHzqi2t2i*~05BX>G=Dy2>8GFx%$VQUJef|33 z!w0d8-PV(7FB7<{IvkHUNS9OCWzp%FG*Y&KwfZ7!tK++fW)SC<^fK+^zw)JzLy(J$ z%aYn(lhxWrsd9urP`C%~Hs8)<77#c_Sfx`7I;J!QiTn!)1tOp<&9X03h7l%7z3T%s zxBUQ9kDWdMEKI`Xz#r>f$rIqq$C&7W1kv1_ki;0^3}8g=cQCl2fz*e1O$wt#@29{e z^B5)WvI0g)j|m@h;($?hVsgT7%Fm#n=;D74BvNej5S%>G0H|s6`!Dn$Ox&}kTvEeQ zKRUbwKr;_7FD7wS5bU$O(+7;R-exGr=U@esS2G+wgRqA!fMTF0sU3)a@2UVp>wk_h z)9cf7oPiscvICYE!p9^jYb{{eYe-Y^5LoRR(#&}leF2U2@{Jpn3dwj{>vt@$Q3ddh zbw`J;`^f=A9uR13Mmt*XN4Sfv!(&?XNr|k<$k3QGMaJm;k;}@6Ur404mfP5<&(kRA z*NMLMiykb0N1 zGgN=!}X%6k={| z%+W{q?bQe5m2tV(+aKeI+o(g|PC3`Sb*E)X{)y7wGr#3bOgdgWreC82cqyAV9cLQ! zmIf|SCy^G(Jvm+?iU6_Xa$!~j;VCUG9Yn5hVfhyXqb`u*{yBr-xuC{?p@#3jMb>59 z#k{6JZV)eyXE*7K^3U|UHU(@{3tox-YW}_@XI>! z$D{~80%s(V(yLdykI?-!A>?YD2>Sq#YMpLHbzqsq&_J&tI{c&CM0>2(=f*y&76{kT znUZ`RXq0Kv^jmFgBFwWvB$t_l?R-W&_gvl~=_*$1UY&h>KvpE}j1Zd4ENkPcJn3*W zH~Njk*IO!s!>W!!TNS0YzpmCE>y@sDbZg_wka^ItgI>RFZ(p`*i)=GlXIKgA|j4d(q{+V;n;d z$$mJc7Ok^U!EsYZ#Tu+W>-M8sw`DAvM1|GtSwdgYip(}e7Tb2-f?16SSFsNTmJ?pJ zoar4glhBt86c>WkJHKh+ejE!}#OsucS@RZaR+}S)2%jhWQ+sr+79xHepL8>(_^Si@ z)qk$(=~)G|!3daZYirF|s#EG7U@P8RjyLI?7Sar3?QfSf`kN(W{SGzjYlq}I1-@iF z9+rRNVb-_tBg>CpJ7X%}mN<9i!$_~)QiNjK>B`W+CNr}Ht4_Ag^3%>jN756TW&lGe zFR5{7Ztfo(9PIC#w^}Nie6xiuhs#P`6GB3k@Nu%f)Aki@@0pANFZC~0h!P**A& z8g*9ZPHARRgj_9hK9BeRWic_0A9u_V45ZzY0D{1tP|wp>)65PV3KGlLYf#`00AQf4E~ zW}DNZ8s?I6M(bx|!C3J{-}FxExgdX1a#P0EQloM6MSp=HE`re}qU9T?C83A=YuVd{ zfz7_H29{JmC(2g5u*4}x{RR&=m_7KYnf_GL&MXNBf=fN=v`Rg5z}-e-+&07j@GtZP z?qQn+RFXmJXZ!F~>hpuyXVJ@{W~z^Fb#x%mu?@`A1NI-L3TlI^LouusF&_BFCC~F2 zfNH`Y9=Wn%S0J(~>Zt5I*KV~{537V17uH6;zkHyw}X=?0!k1m!$6x!^zJ{%p{`YeHH@bG|RL}+Ylxd z{ggs4ElI_<%(Y{^?jO{oFG^z?=KO_#`i?}Uv{N`bjsN)LySWspjSq>0R5~quf$<&} zg9Qlh&NVtw2amdZjh>;1)uYgI%c4Zk(W4$u4``GYD94d*%tM{HJod6)N&>|!?>9)_);ZGg_YMCLgNJ*e+;XkQAl zWjNlNX*3K?Jl|+b4o$8r=mnn$d5Cy}gltB{Ch{s(g=e%8TjhNivkDz|)24xCX(6$T z#3O;mO#jXUzusPYAI-Fnmgf{e1?bh5R(|luAHe=t89<^1x_19cCCr~*QZulapV^l| ze% zJq|_o&!=Q{_7aon=oh(KVNuh_%UQirR*r%|5;!pEe%!w5nqt|E2rJX;0SSDyLifc$ zM=d!LQaON`*1eAuwBslN4G4GUQ@>4{A)L4$KYoON_eb7gy)I&l+hs`N;+LsJ;{z|e zo5N!}RnmpQIlFC%LnLuMy$Nrcn^Rj`>*YRxJhmTBSK9SC8u_~K_#bu=MP~r%7zn%* z6;d%uBrZ1=7Z&`tFY<~qFLwQM1sF-eq9ZBwEk`meAEnz~n*phq+)ymU5Idu_+(!Q@ z{E>nBkg-AiPN~j}xAVGUUqH=5Fjw`*wDhtvNQ&6A7HeJS{@Uq!f=}zh_EPA`+nvVX ztIu|!CQq8qWkHcdoYbx}%d3Qqrl#oTM!%zt0dYFM;aO{TRt|CZrLNvjm+1l3mm~b? zmy1zo@!fO_xFGntrQcui9EH=b@vef3e$<9cB83jNdx`??+{DnK+J?fJLA!2s4f2(Q^dgV{Pm5g%@Xo??~eMMC`$2c zRi^>;Vo)$wv7tEnNDzAFLP+)kTOxwNP1`sXObA z)~c^vc(w<7}&=T|r~pW#e3H(US@PN3o)*;}G9 zl;(ZeLp#X(a)-)my&XShr_Nz3uW3NdfmUV{|1KUyob&u!Xyan9U8e_<*yrL;BAHGx z*rUgaarq+V-YHhhCy{?@ICNdbqksK+-nfp({ney>V0TL|G{zmVY*Y1lyk(|O|FXWe zP-<^2{yV_;Xv-p_k;e3{CNzRpQ{18rT?Z)=D89xg^SZh5x*Y&9r%w|6BAc&PHWugN zvR+nB&TD(B5CrMU_?>1X5=nM(9I8ACo?sg_7IOZrtYd-@7Bie3$JcYH>Z{&9y{O-g z)3$Rqoof&7<2|En2Mngn45ca=X&P{LCi4x$A! zyWBbKjh{ze6U!@a#+Va_(|`N?*%WBMgc(Gexww>`3c@)`ejXk+_g_N!_4myuMRk?M z@llNr2lGqp>oGjIsVT$1@!-bNfHIfjm4xGknoCW_6Y-L{xi49@ovOpah-dFDy&--*I@yDKqbOL!K&pw}1q&WDu`0&io6GD!B% z3|T5v(tb2YRVeYlQ|`d&&P?FyHQydz8L4dh>aTvtm?xnNax_2zZv+qR?(0iXR53)W zy~+Q1!Oez3efrbzh}j|`2Z(bBX4ZnhzPzpRld5yzPifA!&fCG z0RrQ+eLf2Z7Z-1`DhWv{JG+SQhNhZL;?(SSyO*cG(+2heeA9<&W4A;oSLxRl(mAj0 z7XWF&Soev1j$Rwlr^v{IVj$nelQGR&0~23+(bEt@0rFsrR{pAP^}@>oV@7C~Q1DYJ z0g5+l@bdVPi?0N0B6MOdAOO(Bj0H>5jnn%(DH>;R=sQFXH&G5jg{W$jpOV z1hjm+4Ks}|?+jJja1#v=@(^xykEeUiWy~D>c7T$8Q8958jDUB$M$S$}wGK<mzj{Sr|5Lgse%{zu6Gk`<^q!3wAGy|n^2|(A~Ussm016;uG zxRnHEbFmebV1m{3o?#KM#2XFJ4=)p)oZ_Q=Q)WHhaEKc= zp?v~s8M`5ggix*o{+{7gl^)5L0tMt3?}I}nSSbk_H#7CyJ`&>ie)>M9>Bb* z^3!stf=t`LZq?Ki$ib4TwfSx}l#cW`BnzTYk+b@~Y6rnHl%&w*sNLbRTwu_`cDqT~EKdyt`w1cheuj(mVn)QQ-~|#c3ch@F=N-QckvTmYrC+PmahJOwuQa~ zBWnXSBayHhH?=giX~egAo!;R#;K+ASi=}`7P^c*~Jz80NQEx)sj}lnr0(fN0bscA3 zw0ce@X|6`RT4`tUU!PE7>2Ivcgtae*1mAMTj?D#b46k!~zt19%@$6^JBCG4fI}q!w^6*(M_7M}Xr;9lINS581DLF$Gk7B` z=wcmmrBsX7=9p@QhKC4i34r8ATL;CROTD;v92ogi09ch$RKsw;Il-WMj^SFK=ulQvhs!MeN{q9WdJMU}(lv1^$;^(lvs@iZh zYLXWCW)jGly+)58Bb_FGI=!oMc>daV%$=eegRO6twaLRug&qAg^d) zoV0d4yL%`t3l@7T_&aE|7uU?!___1%Wtp%p%xdVO^e9_Vu8#SRc z;1M|g+^T+FykT^oK9dT8)&IG>yIWau%lB}3EFrMz>7{ctY&P&TBd9w1F~8Hf1Nv(5 z4``<$ptnbGTHNKrr_m2a-OnV)Xn2~ux5)X}KMgu?3RFcpWBw9O2sWg{grT7}Q#Drq zotRIQKI{6rQ=142*D?MoBrCcMx?P%>j#tFR6<`^bm)n5_W8`-!xQM&L^iBgcMYOL16 z@*v)*o{T+EblT++Csx!`Sj`s_Cnt_8b@@V zdr}y$rWsp~&7e1bma!OdV&^%S7&i|g8`Ax@yn)b^IHp>Ij8Ep041ARVW6)_8{YdYM z=x+wpE#!1w6zq2*qG5Qk6~-ojREjIa9tOlt4={q4%WzR>PV2R|=Lz|<(`D5HZrdj~ zsDJQ{(F$+M;|*LTVh9qR#h2?%im4?F{Y3qGBOa>U&tyL+03(qSJn>K_l)zGX_(Uifd+WvDLs z#uROHd$PyK8xDyl2^7^*2F_8QJ+=-zjoOf7_w8p)Crl-q4$k4ur{AOpH=_jerI7U!Gp84&PsiLMaHsS!ybO&`G zPvF2sv3V6p(+@N@37`Nw{^G^$uF&8}!OenJ-zrL2#B3wYC`~*8GsFfG@ZF`Jr9#Fs za=FNZ(q3S)>jOT>h|lo2#mkV0)@yI>fR(jKl&9RBtbeCwf2cN#F;RONc)miGuZoW9 ztH(wiUHCwV=$30dd7}&8H-zdXl$XaJd_DeJ^hNa9M=jU8)}WZ7;}mxGh>gLsP&T

DbN#rd!otF0Qv~VS05PvUOa6=^B=3*iy-LX^ zh1>uvF}jq#8OQ8J9KbIJkes=m_)pP5fA5s#+gM0SsHg4yY@(9jL2#MnHL-uqu+>xYOYpB z;AIuFw!FL!Fg$OwZ2~NCAdj$)*>ECRu$E1sm2fSz7a}eeoz+izB(ye@@f`x=Fei$@2@PQQPYGtpE_m@-F`?98D0c;&tmu;z3n(g zXX{e~F`sz>m@6K_S?kV<|gnSQ3WQiIa=D>s){N_}slTMJHbx5L>0W7m(d z(E?b_VC*lhu%bVDl{5JE8$MYkyR{uE{A0%xKP}=@AQo9qtGWjVjZU-z_4Y@*NR;>S zKYmt>s?o3aZ4!W9(Vll!c7kl_EpV;5=w8SK=mls146(!aeHIbL_QirZyoOQ}4}$7fyb~O>`Rp7+j>xF0LwqH_N)Sn94GJ=2C=zd+nLmOeSH` zMi)$juxWR2GrdSuOLG`%b$D4lMKztT)r*B~{KEneuVsu4cKiRsO|Kr&iUN(GAJo&YPXVQC;9 zLzdOhDrDV^UggC0zv5}XL`?v^^-=q{vVl9nfqD63C56yWUlg3?of=)SW<5~j14PZu zKAjLrRCA|QM5F~*!}v|y^RTcR1`bs!^Ya8I3)mTW@*PoP-rz&ARnexp*rFEKHKSU? z&j^oiO>do1gZ>CMl1=36?! zq5;FQt--j;xA*sFW`3zG#7suxC|mM6Gm+m*LMe=h#SESVV?ki)R5!QKpC0gj~NFZ@k{2sm#X0@(W=P zyt-Oe^b_cp%081X8~FUou1P?yV;w$P=C631d|p-#V7~Y%Rf|@xCu+ISi(hl@t%&UcDvU{nd%>P(UtjXd0+_-sR_5WN?CkGM^(jo^^aY` zC`_q!>*fUCHk3B-TtnMaGl4TO&GoJKtB;1*5MPJwy07UcQ9#em;q7vJ)nCK834?vsvQC+*=spzO=Cym*$89~4 zy4aaI^urD4E91{zJ~<)xsy}S_lwwFEcX@HqVVLry9xD%k(|_>y^Kx#c@Qw~2_#$?R za?%8ER9vDs0HUcdvmRzv8EK+8%3w3m8z}LTE(C%{fOmedWRg0Wg(@AgN&~MpMm?Lw zbm6Hd4CQ^!3^oNmhN#^oJ6@ZTN8ZTz$goIP(v|hXdJ28;y`CvNfr8>B+n%ov_$vZ3 znwpyK?iJ0Z-)cu^7-e#D82cVC39aXQO%^>c5be^)UH99fWKv0e{`$hIzyIZ4joY-& z4fWH4kNuzhoSN3lzRR$a#IaQ|aOqwhM>nE=PMwwYgwNhE2AWkDW)G$-;T{PltbW*h zpfGu!q89uaN&WVe>N4j^cZ9Rqowe-8TTX>e5tUQgY77bd!Og?6oOQ)z!`gZ$ZVD}2 z0Yk*%Y63~p9|kt#ZRCNWyF_>V+0Ig1LG{P(>PRL|g;|lwG`_+a$qil6Jj-QZHaZE5 z;`BEiAw;LlkhDBb`|r&<}jIO+}Ma;xP>vp{W1i znu%j7#X}aPVL;ihH6?i$_pxH8z>;r;`%j4EOpFc?#h;Y+dJ_F6OX_7u&x5+J8#}%A zcwZ$|j?#NM8w>7#HfK1Ykw$u>tx2w55g{;4vn)?3ON68^7p^?OtEvOuJSp(H6MWuh zk9hh=S1d5`RCO>aYr6;x@N`w3I1SVScq*EJH}35wevjwO;xzKc9%SwM$ebUh30{sG zbbi_xs67bhwbBken9kyY9uEWc!}0X-)_eNmbZ&7Cb=Sk;b&h&<3xlDT%`AjP*mCI8pz|RWpaN;@@67 zu^a?A!4_lTv&@-US=7u@BaBG-1VsvJ4Yd|aVog?tqtyPU>EgFptk(HzsY4BO)ydOg3w)9H?(ng@G8X+@gpa%;xIKTnY8g_etluVt==oyZ*mws;P}l8x8c)e zQk1P#qvc|G?fyn|M+xE;*y%_Q#|EXsQ`GrS?EJEHtNZwFt*Ax?73zENi=y;eA9O>N zKw-X>8d^t2M zGaW3)`%cNL+~7 zdjCG1(2^uY%%dRt@HCOvGDIUAd`sq~we{G?-L&bt4tFHYbP=4{AO>jVD`8_pX*_y< z$n?fep8cG9+i9YApa%@_-ZV>}T%ND&q<)o{FVCy6hZhg`HBCBJBHF60|Fqv-9#^IMN3G*~S;I}=xB4;M9PsRzBel4RiLhnxf#=b& zt$MvOkJgmmjYkh3-UBG0&T!hHg$1)cr+5S7MDlJ^;fF43eW5XOIeC*QrvaJ2PRipt ziaE(xuB4bH>SP2yMAE8yUcj!*91pj(Xvdy!7cGrjZ5b&0u_5!-vYH>LH065sbjQw@c>2`~1lh zhJIoS^0n1(IVG0)dAgMx%b?EHH}`jjP%C!DfOD5Obyt6lPl%MN^|2~o5i3x%>O@KO zJ(O#Ym$agtX*yX21~#m0Y_h7*JU6h8$1599A5c?UEFs^^-DEc8vwoM}{CWSNDR<`o^mgX) zP`2&=ch~K%Nbbs#gi3|7gpgee5|L!dHkExHyR4%WBBX_oJ$plz$U4?+*|Lin+gN8T zV>jFHyrz1d`|i1)@Avom{qg(DxQy#MuX8!h^E{5@{W<-$d{1ZMyC>s3bBYZ&kA3mB z=^Ivs`8$v!me$W77%>}+HLNL@9uAmZAW;{~UDu%H=k6lLh{~$* zurlhMjfqwXSY}3oU@=Oxh7)w8r7wfj9jgT%|CQI&JcF`xW~eQ%;WVAhSx1xIyLU0D ztAk-$jfq+5%NsrUE|2U;+`$XLC?D*a(0)D#EEhZv&7!k=KxlGA!J`+72G-h?Mxbyn zgstL}_Y4O=B;ARZGh#G0yjivRq@^I55tf`a_k%K?<|8`#{*?_PF2`c}0KTiqgj$IERs zyRX3=aO-OSxvg^IIn92?b;eUI7gUZx`Ba$ZG#Q`*GBJwC6-0}CL)IUWIS$r)3y9R* z0d8ec7V3)}pjN?ER8#ljD-ZKA78vos%tcIh561f0;&8fEsUvWFhus{M5KC2m@Mb|; zE9?DxITK@FFk72tYRx2Fj75;HZbYSZXgRE{a{k$~N~-n?TEp|22I6#UXsZlpR74ir(ms;zp3Y+|%jRyvrEipgaer;(z#%ol$!5^Bk6|6!}pR+JV zAFAusq-8!ewb)|f zcNwwxZu92Q#JS2df=;&do{30ip4LuihomM*UEiWBB_!?2aP|TKQ&n1Xe^})x@f34v ze|U9Dzg=YNkx+#7ZIFx1;HKv&Im4|ee8`rva#&R>LBV@xEj#sosWHiXZFPZ#tskjl zUfSHuoghoU%~7tZvL83lxh}QmCz{~70df>{K^$X9&alx^+N{IKMw;*hJE-4JNGsG2 zhuz%_a768$6>VjaSHqfoHuYg?yh*x}1|_kL-H8>7?rA&?_Q43!_KZtdx_YT2)-ufC z!|mG!XOSKeM(&~JHWzm2kAy!wqw`$gc(XYJ0DdH1>Q9ySV_B_un8vj+ZT5XLr{U= zQ9h8jjrY1BA@N#={d*m+j?yTVilu61Mbb?grLsBV%A{8t$>5HLC5Iu(zfY|oo|i8K zL}()9azbf|k1)Xxm6g8Zbx&4-vXp=TkkIj(ic(#y+CKFF z084{X$I%b>>H(U96F}c$Kdp{XKA;h3Y05@)L|9)=< zU}*dSc{K$Pcf(LQhA~0FfI)!di7P?ATjRkePMo+eEg|6!I9!N{%>%jU)(nT&K*Os* z$=zpWf1`5dFiV9RE8Y@qQq*PfnW(e@E954Jn#<>c7sgzgU(?fBYqPkzjJAl z_j%K<14s+xxmvd6@mekaoDoRtL4RMjjr8vz7aHUww!T^@o|5^$Cdg{fBa6GMzUmqk?nQw z;e-eQ07C%RXdrxYo}BJT;ACY@&$s>UZ>(U})yiqer_|T8*Vo>$Hbop=G(z z`t9nAU5%LWCyeYJNs6d4vxDl|U*JE>5KU|CjM&reR0 zu!}bGfA|MoayS^iJoT)gy*+~D7`C3dI68yG{YZd=z{l7?ia)@K0YL)QAB`X}g=$V_ z7a&N|p$2jL6A&Z|P=i2xasc~1sF5Kg1zrmpB-sq;XCyX3pLjv8VxqZZJj{FUG;}i> z=JEz~p;5P<8|u-5w10#E7v`+Qs1rii3_xl0yEV2Xx!>4Tzm9RWS0{8J;ykGugMiOiz>E)QLY@IGr+sPGWZ^N9oM8W$M7 zSe*Ev(pU@sB`4`0a5<3T5_sil%+8=$B+~HXbwPkz0eFI5ALjS5I%nUnJla1gVvV@) zDgVMhSr%8K^FydpWVK!<`lF`UOiz zra+47UNBa*q5CRvf^p3>CJt4(IJlU%b9jw*eF0b<38+IsSln;4?zYTA;I9E)2byP; zgQ4+F$E^x6cF-qNfOSTMfRRpD2^yA*5o%6|=aXUhx0RxCdwUo9k(|;l@0ydLwjXl< z4CqV_-|XfR2C`I8d7-Zr8@cBtBW6>AB^`zvp!=hPdF7CE|l`H+I{coswhaKbp&dH5e&|6wrVLUN@JpNlL1`*-mev4%@ zM=PzL{@U>d*nR-E^;`QveGmUe;P=%fpPMa%##l8NOc=;|&=vDRXewC1NDIjo<6?Fl##Cda@$2@DsVn-loYTR*0ddJ-=wtx( zc@*j|HGs5p2!#qmV}Bn*pSq3%%9;!MYw|wO+``cNC_&(`5cEEDtbn&p8nQPnG~Wk( zN9oDGXONR2fJajeulSep?8tgfLsAw!Bb&K}#Z#>Fj((3V!9DOK32ApnxjFK{mEC`lWk+8Q}knTbH?Vv z393rm%5Bc{pf@-HT3txHLue5YxAD(ayX{9NAcp-QVAyFR*-4hb{|ahpI>UWlELPCO zKxZvKrG4QEt?q|GJs+XfJ>bl`>1cHih}cv%+9w)eAK(6CuAnOh5H+qJX(Z(`buH== zwBDd|cqTX8t*h0wgh8ReA_Qu&008>qKg}CoqIO+jb{HF7QCk9+{LM{a(#A*}D8#VP(1x^``25(Ko*y?ZG~ zawZ}3l7ygmIcseGUrZffD*zUd-QC^4EGJS^Q_U+5+F2dVGs>`0v$I!kYRmIx3BDB- z9epOqwr!Vg@vVozdd5rG^;i258wg;z$tG+(_&zMU5~airWvKlX#Rq20*w}cX8gapF zg*E7?zF^05GE(gn`sm6Ef@-+d=g;LKJ}_^@_|YS4F{WzAu4GB1dak=0pnSu_9X6+| z+)M06hiMhPmDdl{u=Yzq5tmQ=CReSEc2XOrq_vP-s9v=7#8j3#uG4F@Fej6x(<^18 zwos}FYdC~Dqb4X^(Gm5h9sam!>TEs_mpB_nV7{vu(01~=>*cwLsZVd^NEImFBfPzY zJfsG+Nz_HE8X(J6sryk9J#LeV`>|xj zzV0r^G2D>m%pv6?NcXcko%S1OY@8$>DW_UGX`Hba$b})*?94ldIwV5Z`?5c77OQ5i z_g5^0hTVt}ahW}?s_O1yT#_pD{7h$AN21Ehe*3D-B%Eztxxf$?nE#3j3xPOFJv0E9 zO}Hzl){E5_h=?3bl>=|9+!t^U0rB(g@Wg2?(xt@E;v@@=7(P+B+v7WATn2f{64{d* zu_o=bu^`sZ5OMn`k7AW&x#!vFI#4#%=@U>OpSS**v6^nRHU65c1qCgP!Ku6rWSHphP`^rK6) zFFeC_%WfGTBjJkE?C*FV>KjpD!QXz-z`d?;QTZA{xnHBRP0o11ZT4~5#z4#uLE!m6 zG~di;9e02ohKpTfgf=U5c-`Ct9ybh?O}Y zrW9d=J~&yE0)rk|3)^0+Z=62j8LQY87gK)#U8(T3=9*6VHYpHBcL7YRU&j3`3&y@|RU_uM7NSohv*lGy$=n*`@-xJ%rDmCP zaU0Wk;Pl)mbN9)tWYs}BEC8?yHQZ8=Yu1L!Lz8D;yEt5#3hUjBV!zSHWAwTIFF@5~ z(Q+UB>Ie4jI;rRVNy#(NI)TZeJ_SM7=pM?=|Mu^l z9awO7my|e;mIJ&wbbl*!rvN2x2id;EYsAeZFg++jCYx@TSFuoU*&|9yF!yk=&EcQd z`ub3h{DIa35Kn=`lV%5-(~z`PGF?aOUqULs3Lcf%KCB>n!lfKKH`{m&Mc1ycz8-x) zdNp&%-hccFd!pBL?ANb=SRErSR=}sf#P-cx^~vVIc}*Wyg~i73sB8L9E#$+&dU^r&;F280 zcJ6D7NcDpzyZm)1S1GK4l(tU-?><_jsKe&`(*SZYqjS z=hX+VbHzssPzF9_3;?T>9H&2{9mR-fZ6jhf@L|R5z}F!QnCy_HuFj@OF&~?yu6AxKQgPSfJ=_azMw{lD zcI__G$mk3UHI;qfbVWsl`rGbB`{pVX8Lw+n9>S&mWm?3a;?)`^LfHml;mz&H>PEkf zrlADb9PUU(G@a0xE?yVXnyeXmpv^t%HQPlkfp;ppex91q=Q>@nx#(BvIui*h=c83* znpXML3w4Tu=b|fuG)a#IirU$yGc|Q*I&7l}gzI6A=-NA1N&@+E_!Id{Kqol%YXlUw(as_tT-bOvLn?o+LhWv4n3e|!mK4rD&BBQ)^i>G zde>oD&%v&8Iw)QY6wd8W(XAuaYZVIQ*s0- z*>%E)UbxP`nr*r0?dD}TEYIUt46-b`yh|O#j_glL&+PP~`c)07EnG0<^b7WAq93OJ z&9Hs@HYjPpjW0Gx5CYbkCK{y(toHJD2f^x5BVZ;#Sf4!2%!ziW;mO>gEF) zQ)s7pCU#?|hat~STUdzru7>wnp4(YzQrAo*;bN`OKCA7bW}lmHaOteV$ZI`SJibmd zMsVcd$J{TXMX;uEoy^d-HjA{9S2!Gf5<-|06u?@5d8WJ5e@CFfJjb2;Hq4`Voi4|7 zUixEY@r83jLWpmYljy1{GVuH07Y5(`2Dks_@$SP-TpziPkyjWcx6tr3G?c-wFLq+0 z6h&N&);IOCZja--bI03?@%;^TStrsbd+-#Xo%~icw^O0D>rNFo+#nD=Y49iW!`j+? zF(%RHJ?tafL^{Ksk<6(S1blG0cW0eSBCSHE^RQh%2{Ydp`QCVYj4#Qav~A^=b-!r4 z4Toz&?ab@9Ma!4DV0#t@wEVZRR9~_?dafs;z=W_Pg=szw9$Op&1Yo=GW*ta)ZVy}7Q#_KkyZ4^M;Bm^Ir+y2U}r0mig!{ywAc3GQEkdTkiti3O}WQtNi z^yT;CE}_=f%WahLNS!q)5aU6uzW+>~4XDg_l?4m0&c2ybh-N49dU~ zf=X-<(5VY%?mQoRD=btqzCEHq_X%e>2L}hFqZ%;1>cl+?#4jVu%DiWbGc|I};!I$f zHqv_z7__z}_^drieaVONp^`)4D8CJ~55}Y#E~srg8FSJ{lAn3(?-p{>%aDJMxe;ZhF+BcnwpEc0ID&qzyF-xn1<0ve8y zyCbb`zPQ*A1WztCT#DU`-`AUXi7XWTn}vlk27ywP-u|*OnL2Y#ufHGL<})=_iF&Y7 z6voEHEoXqa0^)&ds*0rZ#6admO!+#WpHe)25M9NL_OjB@_|icp#`v%I!O;&U69-I< zs@&}W@Kdc1#N3|AE*exhjZ-V;b53Mx-ibq0RZhN^?EGA&4K}C|zYi;Y_ySI(F~;76 zlZRQ`E(kf#KYm!4K%VAu(b@CpEZD6GC3b@KgM)?by#CxA>+9Fvr}|bCn!QH%Fv;i| z?kvM71dJ+A6*#8n0`KJ4t}cnTm`H_vdR;V=(nC34_s z_;AV<$z0t$Cvjp+J5YWZE-uBzev7WY7VkPU@oYt%3zcn?5ncRjTafG zzYVk{;O85M^*s|#dwrsFh%nR(dSfVPk; zWi3;7@l*YjTT6G0tOp6x#3M3P?(U-(?U#Xxx{s$0@JJvB?+$)~V`2-%{Az50luiD- z^ik4$u2#OmI7wRz1lE|_V^w8#Z;3^zS}T!jvF63NLMwlQ*1q+Wj2rkWw60S#6v zGVy~JhWD$rF8bJoUW!*bIQb=S-<$Q0h(&gr;-`4fZ7bjEPidRnyE8Q7vr$Q{XC_7* z>+XEba3VoQ2v#**Fc^><#7wogeVfXw+Nz_&xPdRyOSs31i|niIU74NDOCPkS024H~ zR81VKSjxZ+@%l&z9X~!cY?oi|)0`ju}&)QMYjC4qZZwUY9RhctHo@&5V^GME4dGSZ(u zd0pY*S7(5HcvEkimFafXQD@{W-s-N-5C$v1CM&Q(Eqk|T_|sq<9T23T z)lK36RyzT3VC3c~k)9r9I@Ve@py~y)G`DYS9ZpOjJLvUG?KyDD%F;g}w#xaG_5wnfu(O8R;(-&MA&LKF{YrI)NJZ_KS1sRM~k zSl6WW*YL@8OS7C(s1NxEO-)Tfr*F7C9CDt~oRRX(`Q$nISq$4LMUXnm`{>bSjf}B? z03`&KE=~Jt`}JI1bFkESlwNpCGJ)sZxyCeIiC2es0XBp9E!-$9nh`m7-6qGWg(mW5MKOnSIOjE9#;@?z(iM-lxU! z2BM;kIdR%%=%D>`&fu@`Ol+-UD$}n=G>sUIg&gE1;WC*=FFoUriMxUj2n8Uz77II% zf|nSm!Qzn-o&#KmBIm%;OUA1Z>=!1Lm94I;gC$d&Ae*c5lR*RDr^j<(Grc)$hPT(s zPJ=bgW%j`5owGJ1z$6Ooi~5X-Bd(2D zY~grd&>M}IKlT7^%F#mPDKkoXAoq|kXB?C!>_!@n4O)nvYYPOa!_EF}d;-qeJ93YG{k&d_D~S4QmjcQ)iL3#D$l~GnHjuX{!ULiUnjoSM_^5k*)!z zx#}RfdET|6j1HZ3@Ed-Y7Yq3DOZ*;82Pz;FZTk$yANrChn0qhCh}{z2&TvZ8rU~go zD~u*4j*~II&$rO)E1ObVTLPxwtDOWV?gTmCtq(0TJSq5h;7)J>55Anayo`9pqj=$bmwrao6%tA1 z$>X;?NBE<`IWWOYoEe+I_nu5Im!$gSL_q=K(|pcCU7d{2Cic=v(WW>JsmD*&UEXrw zd$W7qh?@^wu}+PcIC!DCQyFF4K4}W-pBh6cgQZub@zIL$`4qm6pfs}eEG6) z`D|)DyxI#CAO_~YT_!4;a8-E!-fMdqjvhWLBO&K&X#Vb67HU6J)pdIgmJ6rOI|a1# z@*P*2YPLpD7gfyI(?ol1nMw_PwuqZ+n@iXwjL7l3N=iz`cgHMhYk99+KJ)m=jqs2+ z+#Ft43;MxN`%!NbgTZ$nJ{&xK zI_CAOXUt4ooJVEOURYy4aYA3FZsG3BY)>U6sWj2SxnY5*03g+z@cj9CAmnQVuhQ+T z1@oke0t*-!$$eW&+{kI*C`wa}gcJhZ`*cw|eff)(s~w<{?o9QPR_!n=3xUgsAOvjXq#n2$ZjG3++UxCQ}6NQ%M=H?n28us?Md)kNi?voPq?lr^vBUB3J1{{U~3dmaD) literal 26830 zcmd43bx>Tv(>4mhU4sX=KyVEnAh=6#PjGh@cL*9FxD(vn7Yzh=cL*+v+alkR{PcTo z)myjjKXDCQ;YtdUXvjp!P*6~4(o*6oP*BjBkhd-(JmfdGy7N_# zAJ9%JlA=%*qa^!~53pt*uNOau+JU+k zG^326SSG)$G37m@*Nh3dGXHxS8>V0Oi+Xu6sq}G> z!u?YWL}1EBZ=T_Q48@V|j{7e$oMmPqI57eL6ax`BZ2$jB4^+DU9-J^(G+`rJ?M^A` zN|a+3Wki#O)1-Yo@@n}1XIc_hRlmGG4!ZaKZ`Pt*2FQI5<9Rj_rCNRXSqy;Kb7R(o zQmpNc42S4!hecs#t2Ym^kran;bL2UBJdDTJp@fu<^kdUir0xnky2J>xvM+SPFezM~ zgccLpZ@heqg7Z3+<_JNXG^2E2Whl1Pg?VJ)h)v0Sz@5M_(X10m<95lDw9=x!z2}8% zjgT{%SbK8p8e^3YWJIvaDe$vEh0n121^yol1?edEPq7`ndZ!yaqImEIhCeZ9YOvD? z4Ho`$c4zdL<-Q_1ktjNz2o)4fTQtMW4lXnXr4852bCF%T4vfq!3eENRo}>Ma6{L0N zh5^a~kP#-yy#|~W7J=?%?&tWu|Cq1XX9V0gdA;m1Tt;&#G^^-afk#ETIEmU4#Ra3h zh;nbpVu*S7z$*%HHFYY_+Ot>!0bjOE3&S5_vc%eMAu`9kq!A7=;#JyiBcfHWAYkq; zH|qt8&Bwsg)bzmZ)j1N2Rdp%|d)7|RBoYSfUmlQLk>~NX0OgE`hvlIA(0#kQ*=0Un zf^df2@O#sqt69*xlLXd%v{!o5I(XIXaFLZm_*J&W>fNU}jEUb>)hAnH|UpB-`KQ= z>Xob(CwNHd-6TL@OF2kqEKILzyzm*Q^ky2KL6aabkPB1uTNaq`Emgs~5p}ZPj$Hx+ ztL0Y56^LZ7?e*D??~&|>`#3m3i@q2AVsK(0D3aJSG@1*q5=frN>Lz;ktHXw`^r*-` zuvHO?oxD=;7R?emAb8{9MLGV;;|%#NgKJt+TJnI z8PnUKOC}75P{9CsHA${t{R+qKX;V#5LEx+XA=@_!h{8xw|5i0792H^+IrBeD^w$Lc zuZgt!Uw-c6@ZpLjjJYthQZ4lQq_&^x1r)LmY84%!;Vut!O$Y7KA=J_n966nGf-tMoz&a6sSWJ_G!*W zLqT5<#WKn|V17NKiwv|vT`g>8zgZ^b7BA173FVIXjIBVnc*-LrB;NH$d^d`DQ?5Bl zsaq>fHnU_Tt1o=j2@BMx2l!6xiMIK(sh|;@2DSOYHSCNh(8t1O3XvxksOTS1B)-Ji z<{<|!8J6X`59)Wngc!*$4f`iG++3c~?BDc+iCZb4K*Pt?D+Qij0GMY!&S zir#JiJM4|y3Rwi!-XRoIKlF*d1~CQ>fmh3DxbjJ5Jr)x@1FB{gvd&}ZqPFj&LVY!S zBg;tGUJgdaZGNq{xokiThO#|)l2=`^ju}k@cO>j^aZnZm6nIMO`L(d4LiPHojhe=nDUuX2||>6^SQ(o5*Hze6ly zDt=|l19S9D>^G9TU@r}O{7Vt4;(KX%z`A~=tC@C86_`gY2krLmD#947ZQ!I4Au?XV zUFRpu*3=g>2V>9Vd*utK3HFW1P8>P566?J*?);bdgctEYE^YPOUsXwS&T$(xan^uu zpcXG?3Io?4M2|O__344J#mF{Ib&xs{Ill7-=Ax6Wb8m=+oGrfJkE1lQM5$hh%TC&VoQMotO=^Uy`KWq~+3;ch z+XR$>ca9JVHGYzL1}RKe@Jz{gh|U}1pk{>ZyRgbPnYmHoYk01%#fx3=ZLCpltVXe2 z->ghB?>kAa@lz=de>P!McZ~ms&*hpWZs`hEv$24k`;GC~Zpr5>fcs%vwo=e5dqE@j zA(xS(PPckU>kut4Sr=BdUSb@}O-D>@0qSFbYpzB`wVw#! z(MYabGnM#Jq1#aQHAGEPtInO(3H**t>RJ=+djXqh>QX&Vq8!xiyr&e`_(X*V;dnnb zzUGEEtu`0dqj#uluDpWWzRF=t&A|8N3IQr9SlyRiBB`4>*Zb9Y)9dvvz4|lEW>?Z| zxky(w!*xC{R%Z=MSx!b@9K$VxVo{9?Qc{kVL8JW5chKCEFJv2cn_M!=96`{p>5WSR>?sF50W_~zDz$^18Rt6n8?UV^_4 zrRGDhYs5P`Qk4tJXf}dw;=zp}FQrp11J!kIx zd9~O>KKGR0P+`mU;BvP>V;KsS{;1X(h(v}r5Z>Qgb?`rCcbQ$SI4@yz6)}V0Q)B>t zu1tShdRZ&19xRsK47ENdYLdw66^*wVOnvNK`Nm7jb6A@EG?(>h9aFNj^of{`6y-nX z6!3RW9PntmdHu>(PJU|woMqEKmHr(nl>o`t=+Isk_)je)l0WjD)Hg6YB?}CzI$OV; zHtPs%of&CfZFYu2DDXnwZxD9TZUO+~B0c#rdflu9x|cYpiw%}kOD^54; z&oEVz35~X&_~(^6#K2voPc;J19_qYO6-U#V?vc=27s3;-;OR)oLeyE%y}}-Y`-%a1 z_AuPLL?pL@b`Z(RjH@|8A9D5#dZkX2EoESCFE=t(p(=3M1|Nhv!+mS#=RRWI!uUl) z#iW58ph?;{PJ0a3 zBNcJD1-Hy+2zXDQ-IK7H(-NZL_864-BUx|rI`ix-V`}?%?KgDZopnX``T0X4>;D2r z$zMa}1%%iV2-r8nWOW61$O%8pL8&`I0T`!8v2rW*J!e0i;4Fd|?FGpK;e}L(h~7DG z^_m#}rx_Ffn(+xD=6>%r41$m_%5xUWD=80Tkw<_7`)-0}@?I%SQw{O@w6$Nlon=RH zXQRaC8_8Qc-!4%e1p(UsFkNo21!TvgtZ-X*^9~dz?+NAGM8qT82?ObMiPYSXK}QQC z*x%bg&0+gVOzc-CzS8Z;Zb#Xc2%G~{hOyX7d+EcEI}@xwF!;rTtn5OD@1kAZu;39< zaoxK#I@;BVu*m7R=el~xrX4J-yWMCJWC+#)*+SS>s z5h-y$#5Zq)yJ^@T-}y|s)7=3d23823?744DBV3vDHEIA?=GlKsE&MCBx+6bOl)T5q z6P3jM@Ev?KiIF=NAq(x6)Ta)0JjvQys;=)4+!?Zd=<%(5h@nh=pqm&FL&Z!un<|z^ zE&UfQgUrVN(6Z9w{Tti>HdK;ZVpPawN1CMGc)hcKYYW7CiV$!+`rW02LL!Eex9m=^ zB@iR@O-d1v91V;z5_|bC)C+|C*|IK?pCi$cyOM#r0sb(OWdyvJSd8%KB=raWR2%{R zTMCW$j+`%kXEws&AAaW)@5S$6O&q@efDmLTM^=4cb#?EE6s^f-zaI9Qg{1O1W-;tF zOuuDreCSlkY!Qno#>>c8#>;>C#)BM8-}9#UJcsBo*nDPaFB>ybD@nHOpQ9h{cJO=o zZ}l!+-qaF+Wz8k_(Wc9DAE^kOnjkSj$cvND6#bWzN0q5GLFx3FC@${A{1xd&zi)Nb zq?=ngBWc|H!4wF;B7oXg=5K4Yz*jw%55nRL0gMUvXIl&keX%>QMCF&)og2crFhLm`VKZxv;iSCw zy$mptVM8>xFddE;vb~USKtdeDdvE;tBlv5^`+x1=0znXK_bCG~dV%hx))T@L9|CF& z6J;ZV6bhIt}!afeb~&ODG%`{_(;M=KZ_zDtB`{l7fbN+tib)}S%zygWeqQ|Ga zi%wb0*CuS5yv(Q8?rt$5K}_8t(pdHjM3LK9vHkj-{m$vcC7)#Z?DvLf`a0Q?x8p{h zp{hWVP`f`J7NbQKlb+YM_g=y$1v^+TL{cFogq!ZaAu7j9h?=VcQo!j{XZvcc53K|S zBGPV&v)=Kr)jZPq1sWIBJo|==oc9~!g6SY{NeIe|5gB}$p78vQ6e&9?s=XIHjXB%2 zBPA}xm0HSz+U-5Zd%x-%=mb|{WRM&miZyqa3DrHXd3)`B5-V1@#%M%<=>NZDML3Xo z3{75M5ea9J|06+?YcPh^Tv;gM3NuIcQTNbgS9I{Oxm(PO@Z{pKawOPe%2d?$(T`yQ zvB<5E?EWV++XAUi82-!gWpA#hHy#QJsoOdr5^I{cXfOyV9EZGikQjIQDCG-HIS8(3QB={(@n*dTO#;? z$?|gkn5Z<95*VChoRNer!nfRfoBka(ywX(kESQM5#_9F27bP^d!B~idutE4zlBwnu zYPe*rvwd;Q!vR`TPF^wAvN2A~YM_tS>;^470S0{bm1F%rM@P7%HOTfDDo?F{V z#$=UfW4G*k6lraLRV0~sY|ej8mgJrg zPHqBw^?4I3i>4#_Rq>Q+e!f7&5MdWxChWH+m4f_k#xY;Xqa?)Q_s)jn8-Mg|?adoD zGhH@-(Tc}5vesr!*fbC+8@Kl%Y zH{SOTTB`yCF#|ucVF0XWVT5w`i_Xcsd`K$Xt=R_F9s5^ovAl0#kQw!q+PLB3;#4V~ zWtcv9q{40`C0YzwQ7(LL=aV4GLtVDT{~?^8VRs%;OL1YI*ANx(?uGQC9@`k_Cjm6wFHVJw|=3x&L!lJXbmhX-IvOuv06#V2c!!qu`#1o<9{O zg=~{6yP6eLbW^tQ5{31LOJY3&xWoH*Bw(gdnx;RcP~a#^+c-WVYE%QRY*Q+{jhCoJQ zIPNr-&#jIyB^{|)3$lMfLSje?D%XJJfd?Pe8Mhl8^A+k_B1V)qB^K9f(feAYMWP2i zr_KE`A++G3kK{7RMS7?W{(lS%@96}se+j~SqF8jv7E2pxt2sl}O$dzkP+F$&%4hfB^KMZn4}KftF6?<(F0Zukb}(Y6r-?09*rmClM~yAk z!}Ls=UbqQWpW8Z%)#zyAPMGE9tb$%?G_}HL2;wkDh#J=(^YUOpy2h z&q6TsWo0nT1orJsSpja#K#%!fH0VhJ904nHr5?RiAyJqQ!j!)?&wQ~ZUhZJ1UU zwP6Z}7>4<{AzK-0De0*DJD#My`F*1_E1S~#=3SzgmSzza9ty9*l1+hWP8WBUhnu_@ zkH_K;vAwTjX_a3u#0*sX%{f<91<9|A9sOmG=4jyAu+v|2&4_3zvo)R0hm2tTIWzuq zck0c`+}?Rb-1KCwIrh&CxV*r@fR<9c>v2DNg)q_on!tyA?PJ@X_tlI>)$yK|yMsQS zm(zjDZIbkbXoDS6M$)cX*Y(!x1Nv*owi)>&^8_az-wrK8F&@@e1p4XeOFv0+Lvmpp*npmGoUU6K$llzx2bq0u zjlR595*^gLd5<_$yp5XoOEE)R4~L8wIXP1|>CJ-Xl;!wuv#Kr-Y%x;ZCy0ZIt9~}L z13#x7J=AiOPzQ=N9cR=d{61UN&J@eUSo)(|-ge?kGx8J+q@P1oDt4;5QOomg_4Y_Qo3ccz2Ryq33K3Jnbn9l-TE zJ{&YiWG8iiHcHnkB7Q5P6y6`BsQLIG%GrHfMOxTM`kj~@5QIlCz2}@W)QB1wA|nuA z;68K(g-icoWG&|nkCSisKV>c41vxb2*4Gkq%bg`k3o8$NiObQobMqB4y83HQNSPr_ zU6B3Pul1Z5i4iJo2KT*iX%x9dpLF+JjhJ(!_j}|^@u_E;*zt>yY^&g(QV->)t0M9| z8q5g7_z3w^R^}}G&2W7|gRH7y>jaB|pU*036BxW_^F4r<0+X@&n9!N~+*(v$INkM? zH6(<{q}}S>!kEoN`tjn?O97?DC1TeA1x`b=G*&E`5gLHM=YDhm5 zbORIxp1cC=m<CUT%4o|xWMZ-{Q;%)e?dnph75ZU z@adK!2U3+wwcme1cFU^0;488yg9yWz_^Xg1y4!k0VAV@m?yLLw7Je5T?ds+2M|(&` z4u|?Fl^k{ z240!JdeN|oG)lPLY%V7mUkQLZy6NUss4GMzSwgm$uS8a>_7NI z{IsFtVSha9tz{Z?_)@6+htBe>0AiW6FXQ)9`(VTME-`hPm+!;@(B^Er?Bo~TF4^aq z%Od}mNxBYbM&@iQecW!~)J6Z^tysoOvt--7yQ85=uyGHmqNa+xM9GlFDARvhfG2Dl zFX6K*Q89o_NkRrR6`1rT?eV6#+5W0eQ2hX9jto*~g`I@($51e}Yp=cLE*;fav4XwB zWg2mgY(#30s}nKZ@kNUZx`$`hWqJ2z}d(ics#W;I>)>Gq; z*&uaY|G$tir3WNCvlba)*Sy>-Ehxv?@!V&-AVC;fZ*~k9@L#f(F6~p$0*RPgH_p?r zDuf{(Xk(J70fV{T;So|uhJa8a2lGo4mAa4`r0V)^@zN*VK?S}sX)cTHJAxI2B`F!J zX2FXp^s8!0E7%Wg&5(@fEC=z}izPYK1l#h7U`Q5=0U$F7Y`=~7EajgySXjr8eXUEX z{pSFGP)>_0_`voSzF9H}w-~!Zn4dByR2cK;bthTmf&D)e`R9FJUg$y+2!U^eJ|Vo= z%~sG07rg;Sh^X*skx6~<$_(LfB1jhEt{^pO(U~5EP~*-Xgz!z6kIhf!A*vW;_u&}N zy{?_1{zQM5{SQ|mGv&PmHt#i|0&35h9Ud20(*a|Zf>ejTN9V@so56of)}0S=SrCG4 zj5D@4%EJrQU7*dWLC)V#=J2JB`DGtx`GMznH8mKYE$8D7#>%&nq>Zwu+vidi6L{D;4I zVNc;|TL2LuV#oCWmbx+IX89^Wie%{*z2{KrrJPg))eZkE$o|Rma>R{Dcm!!7d=^QM zcguW8XL7c(JPZ()o;fiFo4e68qY*Dj5&c;-9NYGh!aDrE$2o)TK`TsGi1lIfZq6l+ z0opYip{*~U|LvPhc`tq1R6J+S50@DJD(8Rc`l)WHYeAubjg6 z*A$Rmg%d&u>I-m#C+*B?Z#9@bL})#VZ-D^t#gQfbgC|M)2k1$tv94~q5UkuzrIqOm zK9&FMZ+^0duukgl$$rFse`8PgIcgx0gQ;d1LcXXB{R#jAw)Ph*vbiiYh_NhQyq63{ z7L%*pI!co_2-sht2a130aI%9U6?l-b*@v(>O4)7(=~yDL!w2NYa0X$G*#64%ImN?_ zoJ*tO(-*Bi2#?BEU2@Eh!7YSfA&8~P+nW>w_5_Y8zooZnB3RvI`Q^99bVm;By1)0v z5xAOQxIIJ2>S|n52$l5VTI&a%?TFq^RBCj`*J^Yr?wWSK{G^qcAYCh-}|QOrC>7E}IsHyhwI{y$pueO|acDo>ZBo*!btTC*3FrfM9N#Wb+&m&>d7Vt% zSS_`B-wQQ{rZmY2+;rSxk4|%bFztHl?tRDY?$uZL!z6eJNJZkd8Gu&hzKg}Hq6Ncq zvaD*hNt1doMkY4H*tX0RNc%KieRgl7eh_(aczhh_L|LudriM1RB4~d&`)03o0%LBu zeVpcU9Aaqy%vIu=wo-7*{55;JkQ4eMKi@_UqHT|!FPPbR@Lr73?nFI*)WU$Dvb^x- zaqJo|N@~r{7UiK1omzj9Y6oY`K zr}=Gx+mGmJH+{Mr4kEszw5;vUw{x$XT;iY5B_gh`PtB5amQT|vfB%AN*|m;%M_hby zi1Q(*?uYL1=Q=`pCo2R_EqQ7R1FNJ0I?CnB@;nq7nW1bTFkB#UBIMlLV1yybC6RYG zY|Ko-(qJ$|m1Xu`=*z?^kd0?+|25dRhK3CI-iBgfZ=;Gwe=sLM?FnrVAA>Xw zys%(JxU}wA`dsW@*AV)ezdZ)Sd<;)EU5EaeH2lKz_LKrQDKW6MP?0t&v0>D2HgdK^ zCp57LbpX*!B;RcGgN|n*AM%J{huu?tX$^2(f#?1{XKHb7(0=cy=vqwv^{J#B4XLiI zw^tuKTe%(-<27DaXA(wsK{*O~f?mM3NB?j7t#E_NSSs{EqyVmIgSIV1uea%PyZ(sU zdzUOsqX99EB;+?2W+toJh>SNGv2$?rxz&R75Bragl_;OdM|kyxDR(tA<`9|6kJv9OO<0!ClGI*7ddF%iN?`^(Rt=*6bjUOBYw(q2|JEzYBCA!O#+|G67E*~{5 zVnhIJ@$TGjnBotM*1X-`;_4Nt=5q>e5`4e1soMGs_io+?QD3VC4#?w_;vArLc++{E z>m)Rqv(%_MWu&+dm;b}xYM|K4_1hB0>?$@DLmQ?g&EjGYx-Vd1yPQ4wsY}Phm=!F#1l?@NwJ3+#YvLawLoC01_>WMoCd-A;}<8E77 zp|5JK*jM*c{0z+laC4xYjx>fZMTsvcC=vdcw< zPVGC8`M^*0B2t=+In4X+e3ZyGrNmuo$?y^|L^VPl)dDm|h=S@z|#=0ICw@Oa8 zF|;NMZ1h!hJ!KE*^NSeKLMeLE!^vYlqmZ$g>&&3f(&Cwf-=suc(3sd4lwoyzpNkTy z%(nGZXgJT-SHF#Z%T^Y_kiMpg2A2-=ZODQK3 zijfsNFfPM-b#tw7eCPT=DH!Fx55|RXTsh1A=p+rJPhYc2pU*(ApX(QsLsxn^-08!E z%jt+k#INJ>5MgZ3-HVl2?}vA~wlfmyeD%k3zd;C@_vT#9cI0WbGXmSuiPwnYtNop2D}>BjzDRV z!_s^1%1F!2P8u0GNg`KnbrRqlChdvuRwaZEE+ngJR}(={!;0HJXU-Vg0i3>2An^Bv^~f zh2NPO=!?ngTglz>tQ_*J6_Y{wgm^i=vE`VULqp88u@~NzY%UBw3LVAT?rvBPD*X(<+#g2s*+0;W@&o3!~TiLct@2}=|Yek9zx8#am z3fMD#IrAteJR)vcH|X&|9XBHlhx{?uQVer{EW6;NR&R|=#VY5kYcUHKDr;r|7>?N; z0H-e>-PG=AgE_>lpi09`RVM6++1WCYV^fcKdZk z@WDOa?azQH+Cs#i`Z#&mB*g^Hlm%nLb-KUAJ)Q5d-=C+p9%r|)-cqq)157?Pcm+vh zCU+Z{AH^!{$BbqYvwG~C7T+Wj1ZM!<;atgBs5)45>|O6K-xrlzvD1*))hJ7g(x9h^ z1MYugNRGI|EVpxqWDz#}e2hXGNDG53xttaaCpTyO?l3p+7LcqR?}{TcJ=e*2vF(G9 z1)eXpsY|rsFz>N99fyVx`pU1AR8x<$@urxGGPh1mrv37dr@fG1X!`s6Q;QR2k3zHx zlr6pYbj;Hpq?)(CAtCG?0`bitSuSDt3o?IPGK?9-jVVmwL_3&L#Ya(C7*cj2coUU3 zf=oqfPx5G}ttiiFDdYg|Zf}H+7m*<)IblJQHAO6>o<&dqTjAB?P47|v;vZIgcx@W%jpLJqTJEJcJuRI8q3w_n zezGeF1Wxs=ZK@dnDanRCj^^Law>~3IPjj0iNh)$vV#N;hrK;I3Cn%<&TPHpSrC@(c zeQhBvB`X3K8r>5fZ=yc(M^^E>JvRlFer}(3yC=Rb7Fn!`)HS$3&FHy zzXYL$!S3GkUh@YXQgt_vTEy3>_rNDYx=eC{eHK$^p%qfk8`XU;_twv&XSL@F*oWK_ z971jbzuH-VLCY#hW_%>fJt$$f3fVg+r1K7KB(%d?j6=`I^>?2OiP6*Q4C8fk5rb6U z;5WM$!z+AG82TLOzv_dhk- z@&c`JwXU0giAo8!1E|6@{el!X z9TU;qxLCbc-D}tD9GkiM9d{-UqZ39KMuWZ`TrS1B6s*@=D^;M5M&_|X(DUBow|%hH zHEH89_|rco2uX|O(R9?p7L*VAzo8o)kTmD~`u1+)>rj=kBG&L~9Y*GpdA-*!@_M_f z>+djwDYV%3<5r zM)j=~oBK#9SvhUdgE>gug}kx%Xuuo-&8upi$>AlB__%S3ILz;Ur?<)U7Z`71QlCuw zD{ywHc6ub9AMY72yzb*?Anft7iBMegz1|w@S-iow75+VSV`eumd+j~Qdj{JjBDegI>T1t3c)}J@& zpo|T+{IE~m+T1clC&A5={ASO0*$+Cj8^z$?=wsNbKxHh(> zZ96hkxAxEMJo!4iGy?Aix6LWo3b9ZrnGB5;b~e4^Zk;SPwvAzN>U<#^*C1)Qcyu8b zsN;s2cLP$2qEFbEqrI$mB*G3v*T;gd>g&eqXYJX$Qj8AeOhbBbYWR9J>DzvdmJ+{0jkoD3_J8on3MOo+ynR1k|{9T>(Xr56f zi(L5rWTwK(zHN^)y+acPpLwQ>Mvjjw%3g~)W3dJATWlLg7A@O_g)JLhy6ZQ4)`fLc zDOqko`}$UdmT~d!t{;J}$J$xRgcCa_U0Nu#)Hd(YamF(EZ{)&%3EZzwA~TIthR&+ zSaUZC7Z6(gB(uTU&-C6KZ`7d3A4Q#VfBl^#^_#{9`*T&d4AuWOPLpcf}Rk@}7?6C!JOk)u*`miyB_iilsq zzx3zyM%kO;x#cROuk*GP%r;HrBhwCNwYc-+@1B_AldtW{5pTFBGBsjmyEP3IeXC&^U$4M{R>fgnCAQ{=LDGH^CxmTdm=Gqv2@1Wqy= zp;1jv;<{WdS^Z@Q5~5wed@Ts`a;-^z_5&;4z!P}#K^~8+;XW^_IEXSnqD!%UOc};| zCM(PH@#a}J2du%l7)pE{du3fG)c{g@7fU+kE-`=E>-1YC?MSK*D?5`qk^@gsl-*U^ zn^>`ClD|BExdvnL!ii^SOJjCI(Vukxy1s@Hl+Ck0Z6S@2G)pv7Px5}q0$;kHcEen{ zE6!Stva3<}`g$d9){K*l_%b<1cj?p8SaMjTG-6CR2cv+{Qxp<>JUSP+YwU7iY~gFf zCjXsK>8QoAe_Nf%1;t3HdhYn6IxT9+Fdt?O_3KOZOPvm%ldCmN8G*KGyqE3aw761j z>tlo#PK@Gi9My-J_fZ++2BE#)YP;y%XAi3^JOI*G5Or;hi3ZSa@@)BMh}{F{u;VE+ zw^(=A7dF8S0-PwG<}fY9MfsJJPWf(utkUDFAZna%GNRflwY1r!DX>@kN2e!z>3S9% zWKQQ@JSn8ioWdz-C1iB-Yx3HbXGTug-;nx#k4>X4yOG`5DF{$cU}qhN-S?_4j4N>K z*J*b4Qpq1C+=sC#ZJs%6mwrN}&eUr~L6w$l&7`s;A5WU)JImm|eow!g6@r|bVzOk27g3VZ4gIlW zX5WV^>=lXu_#o?Quo<41-|%=BT#ypI3s69Sw*yV4+I3@bASre$*S`Mt?(*}NG(+P_ zH&e{Yg~=j!Q+q=t4^|E{X-}$OSuI)mw~hB(sAx$DXRYhQXlNZ6qbFs&<${gD%zamQBFx&XFs?wDTPM~y0ZEO$zc zs;afP&Egai{ z1QA#raHin&vLoWqsb!8`W?7t=eGLc zs=WQhh-*v5Oh}?=$&o^3;2fbmNe-LJ3T2tR2i=sDj$1HsiSNgFrumAM0Rq%-)&^7? zlMyMsf$L7OnF=~$+$E|}z9KRvg`tYf^R+is>2Ggo-=t|p(`_JLNb}BqW`}YE!JD~_ z_g>FZi_?&MU*o8qVj3fYESv26jf!jz!uDYBCUPGsau9)X z$1-~HsLSm8>*uL@lSq6UUeGruXrm{&TFwxUZxC=X>~jN~uOusra5Pppcb~CH zN_7>hwBj4J3rTYp3OVkeN`b&k#+{#k79W@5Ft;l=eR!wiHpj)QUj%<1?aen(zvV^lk0hDewc=vh@Mh*%8k$k?dv6x%ImlWnQy-~_ta-iN z>7R(1yoE`bOw9!NKDFbqmGoXs$8du}cX!GI?K;|%ofDL7hSN|s=pe}((C3qok>D@( z%EQ+7(%oOr9=J&bw)UHPY^qNwd4C)Ydw7f>m?7Pq6#Mz!0B<{3&vN zz*}tK?dFI15%);&%|xBanplrh!Y<9xlOH`9W^Fntujk3Dqxoh7>dYa>@-_6rMoDS| zShLGD!%+ISQ-@Dhaq z;??gXby8yR6EXn{3G(yfv}CT_e8TpEBN%Q8qo*Z6)&55fJTsR;@O^=+3+%Jzm>sV^ zaU@=8B~YT>-=F34`sj!tb-Yq0>qCdraoB^e?JC85h7J@2a@i#%vv%DR;UU*y)1{SB zsN3KJ@8{m1d|AL4&@OTTND;r5z-kRdao|k7L`4AUUAPICq$6l&ArlH(YCI|Fcz{$N z|2%-Xg)4Xjp04scgw#v_mOK9S?B@UT^Oleb=hE2ZSPX|_YdLC-ket6qD8He|cjaEu z$8tuCuf^AB@Uwa0uI+n@0xQk2=K$vUVvOCptGS)-HVY1l##Nr*caUBvj7Q5PtjZ23 zNGHc|dhPi@zhVUgmW?iAZTt+Cs$3$f#ln)&_59~#E!Lo3j&bNajyQ4)fROX8Ma&b* z0xJs>%-5?Z*d7gEnDHjzH>NBjp%Oh6EM<)GS7-O8U@|a~0{|TIacumC%G(F9Hs%Tk z>f^Nx;H!@U;JKs`vH4uyM9#y))oHSBiA^72w7@^M^ z0?fKCP4rzh8DAkuPyYjs$t7nMqht}6Wk;w`Q8Y)f5!iPx|SzYs`uJtV9j=Q!xDD8M_^1r?F!g~LEkCzJ$T;ZwfnDhB+*O?}WPHR5w` zMea7MIcB!Cn`VYp(CdWq%oLX@Nr$B}o9M3tiy$X3ka>OLI8&ql zbhPp~?hBGF9}j6dO@i{y5&!2VA7^|zWW{Y*+ z0G4gBMcBt$ad!_3ifN?EV}?|Wt-dx?t=B6`Ztg+?@wfDHV-+D4C?2O9@%Puc)UZH7o}rjcDo+G^jXP1Rb*m}37^AAF`Cz=JK@$#hBcgh zZbz-?;P_IQ40o9<3_1+qkj?V%MUvf+D`db4-+k;CPkYA_#8HSsaZxTwu@U@TX<-5F zd#OQ4uVkU<&IUVgvr~@UO3NX|%`qG64$}l}##QWNDck9uPTIP-2O)_j^R@S9O<+g%$i9P!vQp%<2U)D;x|L7*qT5xsUmU1j!r~Er@s-XUFc+ zP@)I#?-o+AK{w>@m>+25ygL}IzFPPmf$0wGFNkH<6g{=qR+nxrR-e#UZho@04Dxg( z^!Ig5-xNTe^F);YHtaRFV*OG@;@x6fdQim^WJ4ZJO+Yl6a?B|!fwzP_+y%dW`8Dgq zCQdCyV;j6~D2LIxIh&}y8tREoR4hLe5_YC+=z}AE`Y(mRGv02dJwH;Ct1#vN>S(pe zx{U}{(%cW&tT(0&9OBflqyW!Q6Li$cr5UeT1Rc%A8!j)$JE}#Y*6oN{I(o6xKVEqv zd^UXKZB&7jJJZhGE6z|w`hD28+;xYsQ$Ice8NA3HUj2}h4d&5*Oi8boTUN>&3BeqS zL|8gTAj2QLCMX&S7?55(>T8(}Ip#bj76sGAQ@8*aekgQny|z6JNkzkv-wlNxN?%I37G!gi`RR<&F-SN&YQ*kY;!x3n=mX)wEbu$MP=qm)p7*Lx|8)qF^46qtm zuuZ4SBn?C+Ee06&b|f3@%KE=WX-KmZz??b~ow%!xAJctHQuUfDNJaqAi3wd{edjLa z&J8oFj|WZp9!tfQYtYZ7RVPx-;PohfAwlXG;;w3cDtWpL{5!0K&mtb1ADxsKgb=ih zJCKIHU!Wn zH98RdAme5qUMR$GxJk%QC1!4F)xc7BwFun(Sv4&MWp>R%s& zO?F8FWf4q!=Ccrej|pOj+#nrj+Yt-ASw4Bt#i9767n2m*4%NqVbYin`jqlGygs00g z=t=0`D1;YZ5C5hf(^F+XYs*A@>ETUh`4E|Gf2{8Y1a;JplOzzOlKTR%smD~p3)bLL zSi<(X`KU-$Fvr3RYw8u@RqM9u=gix?s52F?L=wM3o!`p+Dt|p7ws+-*!g0M1Nh1-2 zN59U~(TykDa|>*3g-;aBf(loy?F>e_Ybs!=L+E`Dloxm-XngsYt0AV3lR&h|Ux7t5 zRv?x_Pi7zCB;l*PcXcyeqN1fCJV>ADs}t_x`weyvjN90H=zR}t9#LEK-NeZPR*tB> zy7A6>G06K4qOGYLx(YsMuo+<`BLj!-TrJh&63>$@^C>J+B>$c!Z*Fn0v7CT#3Y}fb zn?2@0R4m*$vv5D^SK^7tm|Wg4;{Zz?bh2KDSe`V-1&7I~1{E`_W-| zi8d5P{(+X%9>v#PVGh$KYYtjHG--f_Fs4DE@B=mJSz)WL&Mcc%Sd-d!xcH8Wq=+Dm zLqW6lr;61!$g%8GW?Aje(4LDUc3)l<7Lm1^50_oDA>3I&U#z9!$(xP~*J#BxH;u2? zHJ6XW0bXlBMN}yUZXkp&6OH%$L^%Zw653j$a_*OhVtkOln{#)V8@K5R&+{M zD)P>%!kfv<1TWv~IQDJ17#a;MN)hf?4hP_h`AKDFqHz(BCtMgQ?N^SymKKw1{fSy| zB1hYH8}>mKL);esb2wJKz7XU&g=rVhF&2HCu@+T%c0XhCc841jEz?4taT_2Lp&jqI zot^~zJ>PGenapVZaf~-tT=w^u7UtHkIq=lW0^f90!w^fhZZ{u%B|==!P`rv-pVbwy z-V2dH#k>+Fj)%`Q=-^F6B@%^!i8Ac8c`xkY*>HnS=OM7=K_4|$$S6P*HjT9%Rj$v} ztLdvVr2VBmM?H)%@0;c|K1K-ed7zs7Qhd#TeRZ5geXYMMpb%C5@=?ApZJXKuUT783 z@EAO8*sbR|SqO5|1QM~-BjxTya(Gd~%9G8!VSAeuq2%yvRweNw_ie!ca2%IIL#uCq(DDSn} z_8gF`pe$t7%|A6C$Tu1-ZTz}s#gt;X$5Dg|n5tdYT@RhV1&&U5n&{-CrVq$|RSSoQ zbmgeqtq+BsHiCAC_|m_-Nq={IT-YexZH4@EfXBZ*Ub(dm-F4!|l4V{7bbA?`4@4bp z%^Ke=A%9i^Ae6QUTxq&%=`j4h&&#mvFic(#mK^9fd@u_Q*H0bMl@AX8So6h|tnf5x-Q0HVRC1 zRhr%ZKh2$IR8!l#?op5;NJNm{1QguTlwPAC1Q9``gLI@L0i;NmDpI5V%%O^(rJA@{6j1;%=2H!{E$?nwe;alONAyT5~sh zLO9!@?yUFfX+&as5J$-O*?^Ra{iSy^LcRV1k&W3jdZ2n2aZ-4iH_V*vV|YU_aiSqY zQBtcq%wM(q;jkgz^>Rpaj;iKE{2Do{kGYbC>fcRNCe3NHx7O1L1|{i{M&*4T9lguO z@RDTYXCAEs6~DnlzsZE^J=do?S|=7k;!f_YT|D-OVcq!>SjnUO8p`C})@e@#3sU;@ z*h<6XEoCEL$GJTh7cYI!^9d=#m4Q+Lvz zV1L&;Yu+~kxFYPKoxui#>dLs~IeLTVrcluriQ@^GMZy}F+8ye`Z!u|zg*N6EwJl`0 z5X?apXS0*vNzbc8Y(9H4c*{!lgSR9b?+pR^7^&*Ru!5~EUa2%iFNgUbi=sxZ0iNauj zxX&Zji?^E4bt-Bb%mLqb(Xe)Yt2wdaLB{EA7=iB{p<>l@$DJkn#EFW7xi+Y2*GT^I z#r)PNpGm>bDM3QU&L;T7f@5SmQvQ-fr89{umOk0Z*Q>T47n(}=DRZx_4z!-0a6;5W zXnuX1u^3oK3x40MDHkpI+ZXyVDVbt$t{~zXiTQ$2GXyg94Z=Hkjmu&O`Fd$jC^<$) zZ;R0z@<20~boiX)^4dt&+Gs!9NW<2G<-IK%tKiOoP3|YlBI=>S^*$%5cdJ^53zwA^ znwVUwyP~hZRuEPSCX%my{>W~5 z${;OZduyNzO154#sCwWyRKrjip47U8;$HL@D=I|>mP+c z$n(XU8`X^4N%T2uUF2=`K`tUAk}L;y)GTfH0Ov z%5_1)gy3N5i<+>PZhAjPmwdAh2vK9sN5~LQFb~Tzij7z zl=Z|`&C}^-L$mt7bmV|CcIKFzF4f!AkzDX;W8Z;=tl*lL>nh23)j*+Cy5eW_2B53O z$>4WBjjlG3+;UWD5@0cJX>6<_Mn4;@i`>Kt3`}!-5J@97(27r*Od&y&{s4D`UiV7| z7`1^sFy12)+z;7$WN5rjImIlv^9gJ60J$@OlCSyS|GZh5IsVPNUWI9dteOZA$;)-K zd@GQ~B5Zy;iA0xkIEj_?>S@T;h40C3;k|g%CtDdYY1lj-YoJ})NESWYAK7t)mbjH# z`r92Ol8E-D?&Jha8S`>~s7+Y=nhb2xJ*St_tm>*(%qzC1n#&EKV$UzK%E)FZ$gR@5QDELX55<#}|KBbzra$-7mRhK{zy&h89kj3TmGyj@N0 zZs-vXSi@F>D&&}MZ4zI&>=U+~vOpzyOU-Nwu zoQVnNx~T_=Fh(YMIX8>hU*>ug91uWYWtF*vFsjH)q#AGm+(cOe5xm1cobP>{xN+?o zQv`k0aXZ7qh0@~L&zb!}ldTa7t5N80fIG={V%+x7jz=hKLFWBYHMkMxHLoa}FV2p^ zwzC%4S_HcENVh`6W&gZZX!f4zpu*#OEwofhS$GoXGC#B6h56j9aO8 zwgP7s6G&L>-*q&68%z6jDOGgp^@|VLuJsz~r3We9@jh!`r~JB{H$rzDJQ;Um0_%M= z(b&qoknjuwcFgUgWZj45P}{0shV`iP-zH+W%UGwYcbBhTa8(?EIh^R za$j*^4b(nf%=zH)vvU)=Dd$cP7>vKDP`%g671#yg{O4FFO)(MYa2Vd5z+FUQTWk^Lwg@@(|r7(>E-5GT z^6CX8$rIN5HxgJaBv(Y5xnUOp4^s-@*TLDRFd{TLO(yh(c^M|IQDgjHu2-t#$siL* z6SHZym(DwTb%>^qOb!pAN#+I{S^JiR%H$p^onE} z{<&VPCek}S%**dmxP{~!?GYqPq;*L$A;$OJ0T)~0PoEX4lkpOK2mx6tVV29ljhBx7 zXvkh!Yr5R-wKQ-_t!mOM8en=VtjP_seB(;_+r2i59Azs>rts$R^8w5~Pq8kUozxCK zKT;*h)tykp#vi{^D0Ab<1b8Q_qqrgK_aFakYQugxpGG{6Mzo;6l=yF_YeewQL~77n z+A6JU;L)NVA5hE9t;NH!=0KR8m%}2yG!IIU$cdA#Q0J1(BOUE8r(C_Ay@50|&jYfh zbuWO?2!W%+$<^)7;-%9uk(sB&;FAMIH^;-jj#j6X+&G;?Jj;Ywgc<*OWm=@0W49Gl z%eKM_L?&2K_NfXwS1|@tm)LNV12gWL*RlY10X&ZPYiIsx6T6TEkn8J{fIB4DfgD+1~a?DECngj(v@jlbTNXCrCWIydE2l0e08d@Bzu#hz}~ z=k{Z{OMMD!V&hoO!zX?09icza{kj63i)f9M^dcD#ku8O_Bp)9+#n%?%ktY`ht&7;_ zr(6G0n-eAs3rWmvyr(`=Q#4*j2S z!ip89+=5pf7To?YHJYY3^>X~%i}*QK>wfsp;*4I-+!mAZoFBclU>UX6)J(s|H{(Fi zKy^+A813LYM)ehS{ByHtu88&3%(0VPa?zL~@dQ=yH z357@0osU>b@>q*OG{ZQHDv|ETTJzv7^Y4eN!{96F(|eaTtwEP0;e12oo>iB=0>l1f z4M#*7k$6!ho^=-d+j_4IZ(WRJsjHqE-htjUn+i^87QB7ZGv>s2m{P+Prv&Aob-VTu z-=8@1bpBJg;{!7fn2xB%G%+wg`YXa=+iZ6h_H+jjDa?E!xQLWL7jk+~S!=>e04dql% z?vxo%H(wD|8zKOwG$v2+((1*!DkX*UVR;ldDyC}>CsJFNdvC3hdbra8Vv@D_2DYRn8q`=we*pNhF7-z zaL>#IQULSvcz?e6XM?e>B&RC<=azK4`tqMQqPXQh3|m+t9crE(kOSVCTXPI16*gz6 z;H_d`i63WRIKe2&ewM*E^bu3Z>F`VK3M9XhPL&3FjS2Ei^U<^m&HI?yIG(z8bnB8J zlJ0Fwm-`WGJ4kpTDv6KE!+4Hx<@>r8R{nRF>}uMkhq zt|>dBMY(B~5Y-KaTL36QWmoYjG_6#Ykjm%9;goOJLy?E|9kXXtd3v>o?HcQY+@CjJ z76a&8+siN|SS}jy%mdvKlUqhC@7;N}-NbUF1EhxLPs`k};@a*RoVa#w6eq6b)A=vr z+BmABRV0%JPFyQ221xvL(9P}jyO01E;M2+EKxfNe~gG!v> zV+>lBuxT{_qDIhE^xk&;hnbEIr}>>biSB4r$1Jy;2S#M$+w{^ zhhw!V-A%8mzbw7~vY>w#ZWm_mX&xKpVdzOxV}gM;x;|^+Opyg_PL|)lQ?NgyQHn2z zTQK07Igo;RN+H0?d8+bA&Ehc{K)L}uG{7;&xvu(3R>TuJ@3Fp%;4--DGV7aUGWi3( z+;!lH{DOKPVY7RFtLxzb;NZ&joPn2ra$=~Ixn1WQMiVA-H94xoQK+gXGpgf~0As!b zt_%J(GEAd}U7&b&5l%>%br9GE|Z}GOi zk&@&07?O4aRE~@IY`I?kmG+suu_D9>e|kXj$N}kbE3KY)^!IGJJyT=mB^jFZ=R#Kb zjtZEUK7g9|Y&ks4?gpm$$6mnvKL*#JGwi{WpWZ_x7u(EDg6`N}7UT znx(>+!$H4GkyTcW9R{Z_LYK=8xu5d!tvzW}0)3U9DhWn4SZ?s8eNg3NMg;?8zt9Rm zRtDTchPBrttH8pIuQitj^v@x5m@mb~-<*z+4j}qG!X-Y51;8tSJV>7ogf{Hs76k_q zIbgm^m&UER!Ja3&)sbZzNFM#6dL$NT0eUN!I?L*T!>hUWEB}sTKzcQ2CWRU~ieV{a zlQ68HM?)!6tc{3p!S0(+GN6g-fhSsP{vA4o4#?y58Q~TtaueGQJZLOfFVA3gF)RM? z&!ckRpIMseNG})0B1vrv<}kdt1Ojk?kM~V*X~0h!3Xl5{S$_5qJd$Z}6|0>Y^WNb0 zyxPXV1@Ka2MnYXMT|5p^=+@1LNOeG6a!&7s4g^ADwjs`zQYh#AI9q2>kJK3cW%}{Z zHyLl1s!sY-(4+#^xC_e(9_Ve!K9)X+5`dH(6~zTgkjsY7vGHRQk(D$|K@Xox1*Uge z*JzhT0tcVMW|)2MAZF=+z3|Olrb8qc6}Hh9Rkqdl^ajfZpI!}8SDs>sJn&xmCj%>B zm44>&TFydj(|)2+OEX3Xr*Dn6fG6r$k`t=Q8_o_*%3^}8O|j`5MacK0-s$b*8Me=3 z!xY9T5_!`V~Vrg3^PNJHgF1z=ER zV90)8#U0UT%Ev0lZ*}bPu%{&HhG$l+c@wQ5VE^U!ZW%yPGrBZ6_db9?;j-}c+VC0k zNa~Ga=c|3e4yFb{+*&NhHP4x)T%{Oww!^0(3F}3tI6!Aq$Q^$VaC?Rj|WyC@gLkS#?;kST-KeQIRl7OEk?MtbYS`c zv^`xs(R>y0ghl7}>Q9i=ea!xDs$r~t-lqBmLS{1GT8%KS=^5Bf!ib#*G1n44?sRTS z;E9Yj+W#9VwX@X~sWAfj-pw5^1!jmy{L8=0PT-oDF?U8vRWUn`l{pvI(e8s-6Oky9sf}v|CSgaOo*>5 zqZPk@cN?HiQ9zY5TLaq6;y;WMSFi0E&y=4WcJbRGtyXAWWW5^i@dIyuqPL+Ls(t_oQVsTeWN1(#xb+Ap($KVBUa+~Q+%F-@l45oKV zL-u4KI=c_;zprK96ab@SO^>EjVf~r@SxN!mDen3wcASy!XF`!eH!0e)7G*xrUV{@m zfynOm1%*T&wb^#^6u*j*h-+Sek??y1EE;&f(yjsr zpRclt9|eb`$FM#tCp{TC42ijuS~7UytBsmbuj`C2>Q-gsne~-0LtVl%P+Qj&_PqY< zY-o2=xDWEUW<3px29Bvsn5kSCT0`h?12le}`I$T>>M~kwbjE6zWpqwy(8n>fEewtT zOU1hpW5)MSXk#!O*R!M1F$Zh3Z!u(oi?S#CA(0&YVpi_Fg7kTRI93txy#%)>tj}_P zw3H6FMj;bR=gW8aoid4;3q|j!hb-5SLFc-^j+k@l@m^^vr-L3kO7|)$2fWh{pXj_o z*`Cj~-Fq{rr{n&-DsWVO-j58g(Bzau^)RL@Qe5il6VAC(Z!#>LDpdgsr$W$PK4+De z#ZEbJH@M0ha}W|aXYt_@kR8)SC(pJCd|d!vY4MpFRi9Ty`#*gC4zoXhOoz%o4pWd^ z)0W44IJ~54zMHa>fiY|Revopmn)ISm8LO9d*_iivv)wRG)}MJyMe?Kh2Y@mv2(qOd zO#3oRwi{_OS*#LNK>FNiz6MSvWW)KUKZQJ-*BGG?&91I8Pr)R8+$y6s|KM`^G%D+y z3ify&zs#vDvv4{d|JkKSkzgs3Xp5`XKaagRTH1t6-rYL?-lo+|LCKT(j&jYThn!T{ z1b49ff#eFf%AFdcV(JeJ)pG5`ei>Z>NJf^wLbU$T7|2P9v;Hi8JVtzt&wkDQn z_tIkUPo`LrtTImmkX8&THmRGLAR$aAmKD^zCWxahNv`j-zWrL6}+3Y2~{3gD!rlT5+Snd%y}PC}TOs?flf!yGH}J7zW}| z7OAyi`zhU3(lMCMOyL%vSSkBMmQA+?^j^2n!l^KsaR*psj~5R2hzlEp7I6YF-_>nm2XVC%8&QEx4+k_w)2PVfev} zp1}^0XZXqT$>BWh)%MA9A^?T8cs_1SWt47ZsH(6)6u|d-S*J#wTu%iaG;;;_c(>OQ ztP~Pb`4~WG!-d&7d4FyWq%qb&h=&01Ioe4*b?GAt$7%W`|s~LfzI@tkqnP z1m0)A@7CY2nj}N+dr7^!`w?QwX!~64EA@XkDUCTuv!Pv+V{3fdXF-5N@%wLIzrbt= zHvjuN*~nGes(br?*?K?Oq8%$GOVT7Hw_)W+kPNolg}I*}c5^J}s`Ooi<1Jy&LeF1) zzI+q(!h81=aZKlTA-R0nlY2R@YIMIa1=bdWtwzuuC%91a`fPvqpEVOQhC(A$P3ST| zmaO+)F=ee{mB?EO$c$CZ%M~C$uh!9lB)212yZ5tXLKa2cRL80Qg2jC85xW6E{#@4Pdyf_#~2AwBS!X?$%;tRss+W3Verx9j;7pXt_ub=Cr zBG@P)ysmcnTYsx3I!}p_6LCC#fz&y<-3aMav?ht70EVi8Dv^(Fu8lHYVLe>tS~nDu z=b1xo?=HXL7g#DApC+DjNxg)hkjRF$1bZ_1L|&=6Re}FpA7=OUgGu-AYXW)RL^iMu zA95#Kpq z#}ACUDVy6#l^iq8>G}s=-(KmGJDtp-d8&^qC~;x^p#iYYyD^Ae=gq;fAA_xrP_i;b zJtUrHX&(ZK;7}yL%eldZ2lMh4BBbR{nQu>agQsz$4`nsO(6^OrQo4-UB)1 K`$aNFe*Xs#A`sF5 diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index 21df8cfd30..e58eecbc01 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -37,142 +37,175 @@ peers. Configuration ************* -* Please refer to the :ref:`tunnel-interface` documentation for the individual - tunnel related options. +Tunnel interface configuration +============================== -* Please refer to the :ref:`ipsec` documentation for the individual IPSec - related options. +NHRP never handles routing of prefixes itself. You need to run some real routing +protocol (e.g. BGP) to advertise routes over the tunnels. What nhrpd does it +establishes ‘shortcut routes’ that optimizes the routing protocol to avoid going +through extra nodes in NBMA GRE mesh. + +NHRP does route NHRP domain addresses individually using per-host prefixes. +This is similar to Cisco FlexVPN, but in contrast to opennhrp which uses +a generic subnet route. -.. cfgcmd:: set protocols nhrp tunnel cisco-authentication +To create NBMA GRE tunnel you might use the following: - Enables Cisco style authentication on NHRP packets. This embeds the secret - plaintext password to the outgoing NHRP packets. Incoming NHRP packets on - this interface are discarded unless the secret password is present. Maximum - length of the secret is 8 characters. +.. code-block:: none -.. cfgcmd:: set protocols nhrp tunnel dynamic-map

- nbma-domain-name + set interfaces tunnel tun100 address '10.0.0.1/32' + set interfaces tunnel tun100 enable-multicast + set interfaces tunnel tun100 encapsulation 'gre' + set interfaces tunnel tun100 ip adjust-mss '1360' + set interfaces tunnel tun100 mtu '1400' + set interfaces tunnel tun100 parameters ip key '42' + set interfaces tunnel tun100 source-interface 'eth0' - Specifies that the :abbr:`NBMA (Non-broadcast multiple-access network)` - addresses of the next hop servers are defined in the domain name - nbma-domain-name. For each A record opennhrp creates a dynamic NHS entry. +* Please refer to the :ref:`tunnel-interface` documentation for the individual + tunnel related options. - Each dynamic NHS will get a peer entry with the configured network address - and the discovered NBMA address. + .. note:: The IP-address is assigned as host prefix to tunnel interface. + NHRP will automatically create additional host routes pointing to tunnel interface + when a connection with these hosts is established. - The first registration request is sent to the protocol broadcast address, and - the server's real protocol address is dynamically detected from the first - registration reply. +The tunnel interface subnet prefix should be announced by routing protocol +from the hub nodes (e.g. BGP ‘network’ announce). This allows the routing +protocol to decide which is the closest hub and determine the relay hub on +prefix basis when direct tunnel is not established. -.. cfgcmd:: set protocols nhrp tunnel holding-time +NHRP protocol configuration +============================== - Specifies the holding time for NHRP Registration Requests and Resolution - Replies sent from this interface or shortcut-target. The holdtime is specified - in seconds and defaults to two hours. +.. cfgcmd:: set protocols nhrp tunnel authentication -.. cfgcmd:: set protocols nhrp tunnel map cisco + Enables Cisco style authentication on NHRP packets. This embeds the + plaintext password to the outgoing NHRP packets. Maximum length of + the password is 8 characters. - If the statically mapped peer is running Cisco IOS, specify the cisco keyword. - It is used to fix statically the Registration Request ID so that a matching - Purge Request can be sent if NBMA address has changed. This is to work around - broken IOS which requires Purge Request ID to match the original Registration - Request ID. +.. cfgcmd:: set protocols nhrp tunnel holdtime -.. cfgcmd:: set protocols nhrp tunnel map nbma-address
+ Holdtime is the number of seconds that have to pass before stopping to + advertise an NHRP NBMA address as valid. It also controls how often NHRP + registration requests are sent. By default registrations are sent every + one third of the holdtime - Creates static peer mapping of protocol-address to :abbr:`NBMA (Non-broadcast - multiple-access network)` address. +.. cfgcmd:: set protocols nhrp tunnel map tunnel-ip + nbma - If the IP prefix mask is present, it directs opennhrp to use this peer as a - next hop server when sending Resolution Requests matching this subnet. + * **tunnel-ip** - Tunnel ip address in format **x.x.x.x**. + * **nbma-ip** - NBMA ip address in format **x.x.x.x** or **local** - This is also known as the HUBs IP address or FQDN. + Map an IP address of a station to the station’s NBMA address. -.. cfgcmd:: set protocols nhrp tunnel map register +.. cfgcmd:: set protocols nhrp tunnel mtu - The optional parameter register specifies that Registration Request should be - sent to this peer on startup. + Configure NHRP advertised MTU. - This option is required when running a DMVPN spoke. +.. cfgcmd:: set protocols nhrp tunnel multicast -.. cfgcmd:: set protocols nhrp tunnel multicast + * **nbma-ip** - NBMA ip address in format **x.x.x.x** or **dynamic** - Determines how opennhrp daemon should soft switch the multicast traffic. - Currently, multicast traffic is captured by opennhrp daemon using a packet - socket, and resent back to proper destinations. This means that multicast - packet sending is CPU intensive. + Sends multicast packets to the specified NBMA address. If dynamic is specified + then destination NBMA address (or addresses) are learnt dynamically. - Specfying nhs makes all multicast packets to be repeated to each statically - configured next hop. +.. cfgcmd:: set protocols nhrp tunnel network-id - Synamic instructs to forward to all peers which we have a direct connection - with. Alternatively, you can specify the directive multiple times for each - protocol-address the multicast traffic should be sent to. + * **network-id** - NHRP network id <1-4294967295> - .. warning:: It is very easy to misconfigure multicast repeating if you have - multiple NHSes. + Enable NHRP on this interface and set the interface’s network ID. The network ID + is used to allow creating multiple nhrp domains on a router when multiple interfaces + are configured on the router. Interfaces configured with the same ID are part of the + same logical NBMA network. The ID is a local only parameter and is not sent to other + NHRP nodes and so IDs on different nodes do not need to match. When NHRP packets are + received on an interface they are assigned to the local NHRP domain for that interface. -.. cfgcmd:: set protocols nhrp tunnel non-caching +.. cfgcmd:: set protocols nhrp tunnel nhs tunnel-ip nbma - Disables caching of peer information from forwarded NHRP Resolution Reply - packets. This can be used to reduce memory consumption on big NBMA subnets. + * **tunnel-ip** - Tunnel ip address in format **x.x.x.x** or **dynamic** + * **nbma-ip** - NBMA ip address in format **x.x.x.x** - .. note:: Currently does not do much as caching is not implemented. + Configure the Next Hop Server address and its NBMA address. If dynamic is specified + then Next Hop Server can have dynamic address which maps to its NBMA address. .. cfgcmd:: set protocols nhrp tunnel redirect - Enable sending of Cisco style NHRP Traffic Indication packets. If this is - enabled and opennhrp detects a forwarded packet, it will send a message to - the original sender of the packet instructing it to create a direct connection - with the destination. This is basically a protocol independent equivalent of - ICMP redirect. + This enable redirect replies on the NHS similar to ICMP redirects except this is + managed by the nhrp protocol. This setting allows spokes to communicate with each + others directly. + +.. cfgcmd:: set protocols nhrp tunnel registration-no-unique + + Allow the client to not set the unique flag in the NHRP packets. This is useful when + a station has a dynamic IP address that could change over time. .. cfgcmd:: set protocols nhrp tunnel shortcut - Enable creation of shortcut routes. + Enable shortcut (spoke-to-spoke) tunnels to allow NHC to talk to each others directly + after establishing a connection without going through the hub. + +IPSEC configuration +============================== + +* Please refer to the :ref:`ipsec` documentation for the individual IPSec + related options. + +.. note:: NHRP daemon based on FRR nhrpd. It controls IPSEC. That's why 'close-action' + parameter in IKE configuration always is set to 'close' and 'dead-peer-detection action' + always is set to 'clear'. + +.. cfgcmd:: set vpn ipsec profile authentication mode pre-shared-secret + + Set preshared secret mode authentication + +.. cfgcmd:: set vpn ipsec profile authentication pre-shared-secret + + Set preshared secret + +.. cfgcmd:: set vpn ipsec profile bind tunnel + + Bind IPSEC profile to the specific tunnel interface. + +.. cfgcmd:: set vpn ipsec profile esp-group 'ESP-HUB' - A received NHRP Traffic Indication will trigger the resolution and - establishment of a shortcut route. + Map ESP group to IPSEC profile -.. cfgcmd:: set protocols nhrp tunnel shortcut-destination +.. cfgcmd:: set vpn ipsec profile ike-group 'IKE-HUB' - This instructs opennhrp to reply with authorative answers on NHRP Resolution - Requests destinied to addresses in this interface (instead of forwarding the - packets). This effectively allows the creation of shortcut routes to subnets - located on the interface. + Map IKE group to IPSEC profile - When specified, this should be the only keyword for the interface. +********** +Monitoring +********** +.. opcmd:: show ip nhrp cache -.. cfgcmd:: set protocols nhrp tunnel shortcut-target
+ Forwarding cache information. - Defines an off-NBMA network prefix for which the GRE interface will act as a - gateway. This an alternative to defining local interfaces with - shortcut-destination flag. +.. opcmd:: show ip nhrp nhs -.. cfgcmd:: set protocols nhrp tunnel shortcut-target
- holding-time + Next hop server information. - Specifies the holding time for NHRP Registration Requests and Resolution - Replies sent from this interface or shortcut-target. The holdtime is specified - in seconds and defaults to two hours. +.. opcmd:: show ip nhrp shortcut + + Shortcut information. ******* Example ******* - -This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) and VyOS as -multiple spoke sites. The lab was built using :abbr:`EVE-NG (Emulated Virtual -Environment NG)`. +This blueprint uses VyOS as the DMVPN Hub and Cisco IOSv 15.5(3)M and VyOS as +multiple spoke sites. .. figure:: /_static/images/blueprint-dmvpn.png - :alt: DMVPN network + :width: 70% + :align: center + :alt: DMVPN Network Topology Diagram + - DMVPN example network + DMVPN Network Topology Diagram -Each node (Hub and Spoke) uses an IP address from the network 172.16.253.128/29. +Each node (Hub and Spoke) uses an IP address from the network 10.0.0.0/24. -The below referenced IP address `192.0.2.1` is used as example address +The below referenced IP address `192.168.0.2` is used as example address representing a global unicast address under which the HUB can be contacted by each and every individual spoke. @@ -183,47 +216,46 @@ Configuration Hub --- +VyOS-HUB-1 +^^^^^^^^^^ .. code-block:: none - set interfaces ethernet eth0 address 192.0.2.1/24 + set interfaces ethernet eth0 address '192.168.0.2/30' - set interfaces tunnel tun100 address '172.16.253.134/29' - set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 source-address '192.0.2.1' + set interfaces tunnel tun100 address '10.0.0.100/32' set interfaces tunnel tun100 enable-multicast - set interfaces tunnel tun100 parameters ip key '1' + set interfaces tunnel tun100 encapsulation 'gre' + set interfaces tunnel tun100 parameters ip key '42' + set interfaces tunnel tun100 source-interface 'eth0' - set protocols nhrp tunnel tun100 cisco-authentication 'secret' - set protocols nhrp tunnel tun100 holding-time '300' + set protocols nhrp tunnel tun100 authentication 'test123' + set protocols nhrp tunnel tun100 holdtime '300' set protocols nhrp tunnel tun100 multicast 'dynamic' + set protocols nhrp tunnel tun100 network-id '1' set protocols nhrp tunnel tun100 redirect - set protocols nhrp tunnel tun100 shortcut + set protocols nhrp tunnel tun100 registration-no-unique + + set protocols static route 0.0.0.0/0 next-hop 192.168.0.1 set vpn ipsec esp-group ESP-HUB lifetime '1800' set vpn ipsec esp-group ESP-HUB mode 'transport' set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' - set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' - set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' set vpn ipsec ike-group IKE-HUB lifetime '3600' set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' - set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' - set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' - set vpn ipsec interface 'eth0' - set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' set vpn ipsec profile NHRPVPN bind tunnel 'tun100' set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' + .. note:: Setting this up on AWS will require a "Custom Protocol Rule" for protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC Network ACL, and secondly on the security group network ACL attached to the @@ -231,105 +263,160 @@ Hub the AWS Marketplace. (Locate the correct VPC and security group by navigating through the details pane below your EC2 instance in the AWS console). -Spoke ------ +Spokes +------ -The individual spoke configurations only differ in the local IP address on the -``tun10`` interface. See the above diagram for the individual IP addresses. + The individual spoke configurations only differ in interface IP addresses. -spoke01-spoke04 -^^^^^^^^^^^^^^^ +VyOS-Spoke-1 and VyOS-Spoke-2 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. code-block:: none + + set interfaces ethernet eth0 address '192.168.1.2/30' + + set interfaces tunnel tun100 address '10.0.0.1/32' + set interfaces tunnel tun100 enable-multicast + set interfaces tunnel tun100 encapsulation 'gre' + set interfaces tunnel tun100 parameters ip key '42' + set interfaces tunnel tun100 source-interface 'eth0' + + set protocols nhrp tunnel tun100 authentication 'test123' + set protocols nhrp tunnel tun100 holdtime '300' + set protocols nhrp tunnel tun100 multicast 'dynamic' + set protocols nhrp tunnel tun100 network-id '1' + set protocols nhrp tunnel tun100 nhs tunnel-ip dynamic nbma '192.168.0.2' + set protocols nhrp tunnel tun100 registration-no-unique + set protocols nhrp tunnel tun100 shortcut + + set protocols static route 0.0.0.0/0 next-hop 192.168.1.1 + set protocols static route 10.0.0.0/24 next-hop 10.0.0.100 + + set vpn ipsec esp-group ESP-HUB lifetime '1800' + set vpn ipsec esp-group ESP-HUB mode 'transport' + set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' + set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' + set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' + set vpn ipsec ike-group IKE-HUB lifetime '3600' + set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' + set vpn ipsec interface 'eth0' + set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' + set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' + set vpn ipsec profile NHRPVPN bind tunnel 'tun100' + set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' + set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' + +Cisco-Spoke-3 +^^^^^^^^^^^^^ .. code-block:: none - crypto keyring DMVPN - pre-shared-key address 192.0.2.1 key secret - ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 - crypto isakmp invalid-spi-recovery - crypto isakmp keepalive 30 30 periodic - crypto isakmp profile DMVPN - keyring DMVPN - match identity address 192.0.2.1 255.255.255.255 + lifetime 3600 + crypto isakmp key secret address 0.0.0.0 + ! ! - crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac + crypto ipsec transform-set DMVPNESP esp-aes 256 esp-sha-hmac mode transport ! - crypto ipsec profile DMVPN - set security-association idle-time 720 - set transform-set DMVPN-AES256 - set isakmp-profile DMVPN + crypto ipsec profile DMVPNPROFILE + set security-association lifetime seconds 1800 + set transform-set DMVPNESP + set pfs group2 + ! ! - interface Tunnel10 - ! individual spoke tunnel IP must change - ip address 172.16.253.129 255.255.255.248 + ! + ! + ! + ! + ! + interface Tunnel100 + ip address 10.0.0.3 255.255.255.0 no ip redirects - ip nhrp authentication secret - ip nhrp map 172.16.253.134 192.0.2.1 - ip nhrp map multicast 192.0.2.1 + ip nhrp authentication test123 + ip nhrp map multicast dynamic ip nhrp network-id 1 - ip nhrp holdtime 600 - ip nhrp nhs 172.16.253.134 - ip nhrp registration timeout 75 - tunnel source FastEthernet0/0 + ip nhrp holdtime 300 + ip nhrp nhs 10.0.0.100 nbma 192.168.0.2 + ip nhrp registration no-unique + ip nhrp redirect + tunnel source GigabitEthernet0/0 tunnel mode gre multipoint - tunnel protection ipsec profile DMVPN - tunnel key 1 + tunnel key 42 + tunnel protection ipsec profile DMVPNPROFILE + ! + interface GigabitEthernet0/0 + ip address 192.168.3.2 255.255.255.252 + duplex auto + speed auto + media-type rj45 ! - interface FastEthernet0/0 - ip address dhcp - duplex half + ip route 0.0.0.0 0.0.0.0 192.168.3.1 -spoke05 -^^^^^^^ +Monitoring DMVPN Network +^^^^^^^^^^^^^^^^^^^^^^^^ -VyOS can also run in DMVPN spoke mode. +Let send ICMP packets from VyOS-SPOKE-1 to Cisco-SPOKE-3 .. code-block:: none - set interfaces ethernet eth0 address 'dhcp' + vyos@vyos:~$ ping 10.0.0.3 + PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data. + 64 bytes from 10.0.0.3: icmp_seq=1 ttl=255 time=3.44 ms + 64 bytes from 10.0.0.3: icmp_seq=2 ttl=255 time=3.07 ms + ^C + --- 10.0.0.3 ping statistics --- + 2 packets transmitted, 2 received, 0% packet loss, time 1002ms + rtt min/avg/max/mdev = 3.072/3.257/3.442/0.185 ms - set interfaces tunnel tun100 address '172.16.253.133/29' - set interfaces tunnel tun100 source-address 0.0.0.0 - set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 enable-multicast - set interfaces tunnel tun100 parameters ip key '1' +Monitoring on HUB +^^^^^^^^^^^^^^^^^ - set protocols nhrp tunnel tun100 cisco-authentication 'secret' - set protocols nhrp tunnel tun100 holding-time '300' - set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '192.0.2.1' - set protocols nhrp tunnel tun100 map 172.16.253.134/29 register - set protocols nhrp tunnel tun100 multicast 'nhs' - set protocols nhrp tunnel tun100 redirect - set protocols nhrp tunnel tun100 shortcut +.. code-block:: none - set vpn ipsec esp-group ESP-HUB lifetime '1800' - set vpn ipsec esp-group ESP-HUB mode 'transport' - set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' - set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' - set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' - set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' - set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' - set vpn ipsec ike-group IKE-HUB close-action 'none' - set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' - set vpn ipsec ike-group IKE-HUB lifetime '3600' - set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' - set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' - set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' - set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' + vyos@vyos:~$ show ip nhrp cache + Iface Type Protocol NBMA Claimed NBMA Flags Identity + tun100 dynamic 10.0.0.1 192.168.1.2 192.168.1.2 T 192.168.1.2 + tun100 dynamic 10.0.0.3 192.168.3.2 192.168.3.2 T 192.168.3.2 + tun100 dynamic 10.0.0.2 192.168.2.2 192.168.2.2 T 192.168.2.2 + tun100 local 10.0.0.100 192.168.0.2 192.168.0.2 - - set vpn ipsec interface 'eth0' + vyos@vyos:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + -------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- + dmvpn-NHRPVPN-tun100-child up 3m46s 230B/270B 2/2 192.168.1.2 192.168.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 + dmvpn-NHRPVPN-tun100-child up 5m48s 460B/540B 4/4 192.168.2.2 192.168.2.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 + dmvpn-NHRPVPN-tun100-child up 16m26s 1K/1K 13/12 192.168.3.2 192.168.3.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 - set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' - set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' - set vpn ipsec profile NHRPVPN bind tunnel 'tun100' - set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' - set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' +Monitoring on Spokes +^^^^^^^^^^^^^^^^^^^^ + +.. code-block:: none + vyos@vyos:~$ show ip nhrp cache + Iface Type Protocol NBMA Claimed NBMA Flags Identity + tun100 local 10.0.0.1 192.168.1.2 192.168.1.2 - + tun100 dynamic 10.0.0.3 192.168.3.2 192.168.3.2 T 192.168.3.2 + tun100 nhs 10.0.0.100 192.168.0.2 192.168.0.2 T 192.168.0.2 + + vyos@vyos:~$ show ip nhrp nhs + Iface FQDN NBMA Protocol + tun100 192.168.0.2 192.168.0.2 10.0.0.100 + + vyos@vyos:~$ show ip nhrp shortcut + Type Prefix Via Identity + dynamic 10.0.0.3/32 10.0.0.3 192.168.3.2 + + vyos@vyos:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + -------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- + dmvpn-NHRPVPN-tun100-child up 6m43s 898B/695B 7/6 192.168.0.2 192.168.0.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 + dmvpn-NHRPVPN-tun100-child up 49s 215B/187B 2/2 192.168.3.2 192.168.3.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024