From 8acee7ec39da11b41067e26ea86e83aee3401a31 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 16 Jul 2016 09:25:01 -0500 Subject: [PATCH 0001/1208] Update docs [ci skip] --- README-zh.md | 15 +++++++++++++-- README.md | 13 ++++++++++++- docs/clients-zh.md | 4 +++- docs/clients.md | 4 +++- 4 files changed, 31 insertions(+), 5 deletions(-) diff --git a/README-zh.md b/README-zh.md index 127e951cd4..957a3283e8 100644 --- a/README-zh.md +++ b/README-zh.md @@ -45,7 +45,9 @@ **-或者-** -一个专用服务器,或者任何基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可以使用 Debian 7 (Wheezy),但是必须首先运行另一个脚本。 OpenVZ VPS 用户可尝试 Shadowsocks ( libev | rss ) 或者 OpenVPN。 +一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行另一个脚本。 OpenVZ VPS 不受支持,用户可以尝试使用 ShadowsocksR 或者 OpenVPN。 + +这也包括各种云计算服务中的 Linux 虚拟机,比如 Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean 和 Linode. **» 我想建立并使用自己的 VPN ,但是没有可用的服务器** @@ -85,6 +87,8 @@ VPN_USER='你的VPN用户名' \ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh ``` +如需在 DigitalOcean 上安装,可以参考这个分步指南,由 Tony Tran 编写。 + **注:** 如果无法通过 `wget` 下载,你也可以打开 vpnsetup.sh (或者 vpnsetup_centos.sh),然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl-A` 全选, `Ctrl-C` 复制,然后粘贴到你喜欢的编辑器。 ### CentOS & RHEL @@ -136,7 +140,14 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh ## 另见 -- 在 Docker 上搭建 IPsec VPN +- IPsec VPN Server on Docker +- Streisand +- SoftEther VPN +- ShadowsocksR +- OpenVPN Install +- VPN Deploy Playbook +- Insta VPN +- One Key IKEv2 VPN ## 作者 diff --git a/README.md b/README.md index bca3446cf3..faf20b511d 100644 --- a/README.md +++ b/README.md 
@@ -45,7 +45,9 @@ A newly created Amazon EC2 **-OR-** -A dedicated server or any KVM- or Xen-based Virtual Private Server (VPS), freshly installed with one of the above systems. Besides those, Debian 7 (Wheezy) can also be used with this workaround. OpenVZ VPS users should instead try OpenVPN. +A dedicated server or Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used with this workaround. OpenVZ VPS is not supported, users could instead try OpenVPN. + +This also includes Linux VMs in public clouds such as Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean and Linode. **» I want to run my own VPN but don't have a server for that** @@ -85,6 +87,8 @@ VPN_USER='your_vpn_username' \ VPN_PASSWORD='your_vpn_password' sh vpnsetup.sh ``` +For installation on DigitalOcean, check out this step-by-step guide by Tony Tran. + **Note:** If unable to download via `wget`, you may also open vpnsetup.sh (or vpnsetup_centos.sh) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor. ### CentOS & RHEL @@ -137,6 +141,13 @@ Please refer to Uninstall the VPNIPsec VPN Server on Docker +- Streisand +- SoftEther VPN +- ShadowsocksR +- OpenVPN Install +- VPN Deploy Playbook +- Insta VPN +- One Key IKEv2 VPN ## Author diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 119ef9618e..bccba3a731 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -2,10 +2,12 @@ *其他语言版本: [English](clients.md), [简体中文](clients-zh.md).* -*如需使用 IPsec/XAuth ("Cisco IPsec") 模式连接,请参见: [配置 IPsec/XAuth VPN 客户端](clients-xauth-zh.md)* +*如需使用 IPsec/XAuth 模式连接,请参见: [配置 IPsec/XAuth VPN 客户端](clients-xauth-zh.md)* 在成功搭建自己的 VPN 服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 +你也可以参考另一个带图片的分步指南,由 Tony Tran 编写。 + --- * 平台名称 * [Windows](#windows) 
diff --git a/docs/clients.md b/docs/clients.md index 0fb5baf2f1..03c5deae95 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -2,10 +2,12 @@ *Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).* -*To connect using IPsec/XAuth ("Cisco IPsec") mode, see: [Configure IPsec/XAuth VPN Clients](clients-xauth.md)* +*To connect using IPsec/XAuth mode, see: [Configure IPsec/XAuth VPN Clients](clients-xauth.md)* After setting up your own VPN server, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. +An alternative step-by-step guide with images is available, written by Tony Tran. + --- * Platforms * [Windows](#windows) From 1ec957d3be2becb7084892e5f1913f436685e818 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 20 Jul 2016 13:10:58 -0500 Subject: [PATCH 0002/1208] Minor clean up --- extras/vpnupgrade.sh | 6 +++--- extras/vpnupgrade_centos.sh | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index bbe5f0cd86..f014161247 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -10,10 +10,10 @@ # Attribution required: please include my name in any derivative and let me # know how you have improved it! -# Check for the latest version at https://libreswan.org and update as necessary +# Check https://libreswan.org for the latest version swan_ver=3.17 -### Do not edit below this line +### Do not edit below this line ### export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" 
@@ -42,7 +42,7 @@ if [ "$?" != "0" ]; then exiterr "This script requires Libreswan already installed." fi -/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan $swan_ver" +/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver" if [ "$?" = "0" ]; then echo "You already have Libreswan version $swan_ver installed! " echo "If you continue, the same version will be re-installed." diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 412d4f311a..4ba63371b5 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -10,10 +10,10 @@ # Attribution required: please include my name in any derivative and let me # know how you have improved it! -# Check for the latest version at https://libreswan.org and update as necessary +# Check https://libreswan.org for the latest version swan_ver=3.17 -### Do not edit below this line +### Do not edit below this line ### export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" @@ -45,7 +45,7 @@ if [ "$?" != "0" ]; then exiterr "This script requires Libreswan already installed." fi -/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan $swan_ver" +/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver" if [ "$?" = "0" ]; then echo "You already have Libreswan version $swan_ver installed! " echo "If you continue, the same version will be re-installed." From da8726e24edd092ee6b2d3aac287967bfae048d8 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 20 Jul 2016 13:47:21 -0500 Subject: [PATCH 0003/1208] Update docs [ci skip] --- README-zh.md | 2 +- README.md | 2 +- docs/clients-xauth-zh.md | 35 ++-------------------- docs/clients-xauth.md | 35 ++-------------------- docs/clients-zh.md | 56 ++++++++++++++++++++++++++++++----- docs/clients.md | 64 ++++++++++++++++++++++++++++++++-------- 6 files changed, 108 insertions(+), 86 deletions(-) diff --git a/README-zh.md b/README-zh.md index 957a3283e8..48374ef397 100644 --- a/README-zh.md 
+++ b/README-zh.md @@ -47,7 +47,7 @@ 一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行另一个脚本。 OpenVZ VPS 不受支持,用户可以尝试使用 ShadowsocksR 或者 OpenVPN。 -这也包括各种云计算服务中的 Linux 虚拟机,比如 Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean 和 Linode. +这也包括各种云计算服务中的 Linux 虚拟机,比如 Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean, Vultr 和 Linode。 **» 我想建立并使用自己的 VPN ,但是没有可用的服务器** diff --git a/README.md b/README.md index faf20b511d..b86b92aad3 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,7 @@ A newly created Amazon EC2 A dedicated server or Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used with this workaround. OpenVZ VPS is not supported, users could instead try OpenVPN. -This also includes Linux VMs in public clouds such as Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean and Linode. +This also includes Linux VMs in public clouds such as Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean, Vultr and Linode. **» I want to run my own VPN but don't have a server for that** diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 2630875bf3..54bafe7e2c 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -11,9 +11,9 @@ --- * 平台名称 * [Windows](#windows) - * [OS X](#os-x) + * [OS X (macOS)](#os-x) * [Android](#android) - * [iOS](#ios) + * [iOS (iPhone/iPad)](#ios) ### Windows ### @@ -34,9 +34,6 @@ VPN 连接成功后,会在 VPN Connect 状态窗口中显示 **tunnel enabled** 字样。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 - -如果在连接过程中遇到错误,请参见 故障排除。 - **注:** 在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请参照链接网页中的说明,或者打开提升权限命令提示符并运行以下命令。完成后必须重启计算机。 - 适用于 Windows Vista, 7, 8 和 10 ```console 
@@ -65,7 +62,7 @@ VPN 连接成功后,会在 VPN Connect 状态窗口中显示 **tunnel enabled* 1. 选中 **在菜单栏中显示 VPN 状态** 复选框。 1. 单击 **应用** 保存VPN连接信息。 -要连接到 VPN,你可以使用菜单栏中的 VPN 图标,或者在系统偏好设置的网络部分选择 VPN,并单击 **连接**。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +要连接到 VPN: 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ### Android ### 1. 启动 **设置** 应用程序。 @@ -103,32 +100,6 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 -## 故障排除 - -### Windows 错误 809 - -> 无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。 - -要解决此错误,请按照上面的步骤添加注册表键并重启计算机。 - -### Windows 错误 628 - -> 在连接完成前,连接被远程计算机终止。 - -要解决此错误,请按以下步骤操作: - -1. 右键单击系统托盘中的无线/网络图标,选择 **打开网络与共享中心**。 -1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。 -1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 -1. 单击 **允许使用这些协议**。选中 "质询握手身份验证协议 (CHAP)" 复选框,并且取消选中所有其它项。 -1. 单击 **确定** 保存 VPN 连接的详细信息。 - -![Select only CHAP in VPN connection properties-2](https://cloud.githubusercontent.com/assets/5104323/16026263/cbda945a-3192-11e6-96a6-ff18c5dd9a48.png) - -### 其它错误 - -更多的故障排除信息请参见 这个文档。 - ## 致谢 本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 595d2daec4..38bad1e968 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -11,9 +11,9 @@ After settin --- * Platforms * [Windows](#windows) - * [OS X](#os-x) + * [OS X (macOS)](#os-x) * [Android](#android) - * [iOS](#ios) + * [iOS (iPhone/iPad)](#ios) ### Windows ### 
@@ -34,9 +34,6 @@ After settin Once connected, you will see **tunnel enabled** in the VPN Connect status window. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". - -If you get an error when trying to connect, see Troubleshooting. - **Note:** This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). Refer to the linked web page, or run the following from an elevated command prompt. You must reboot your computer when finished. - For Windows Vista, 7, 8 and 10 ```console @@ -65,7 +62,7 @@ If you get an error when trying to connect, see Troub 1. Check the **Show VPN status in menu bar** checkbox. 1. Click **Apply** to save the VPN connection information. -You can connect to the VPN using the VPN icon in the menu bar, or by selecting the VPN in the Network section of System Preferences and choosing **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ### Android ### 1. Launch the **Settings** application. 
@@ -103,32 +100,6 @@ Once connected, you will see a VPN icon in the notification bar. You can verify Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". -## Troubleshooting - -### Windows Error 809 - -> The network connection between your computer and the VPN server could not be established because the remote server is not responding. - -To fix this error, follow the steps above to add a registry key and reboot your computer. - -### Windows Error 628 - -> The connection was terminated by the remote computer before it could be completed. - -To fix this error, please follow these steps: - -1. Right-click on the wireless/network icon in system tray, select **Open Network and Sharing Center**. -1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**. -1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**. -1. Click **Allow these protocols**. Select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox, and deselect all others. -1. Click **OK** to save the VPN connection details. - -![Select only CHAP in VPN connection properties](https://cloud.githubusercontent.com/assets/5104323/16024310/b113e9b6-3186-11e6-9e03-12f5455487ba.png) - -### Other Errors - -Please refer to this document for more troubleshooting tips. - ## Credits This document was adapted from the Streisand project by Joshua Lund and contributors. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index bccba3a731..398aebff56 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -6,15 +6,16 @@ 在成功搭建自己的 VPN 服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 -你也可以参考另一个带图片的分步指南,由 Tony Tran 编写。 +你也可以参考另一个带图片的安装指南,由 Tony Tran 编写。 --- * 平台名称 * [Windows](#windows) - * [OS X](#os-x) + * [OS X (macOS)](#os-x) * [Android](#android) - * [iOS](#ios) + * [iOS (iPhone/iPad)](#ios) * [Chromebook](#chromebook) + * [Linux](#linux) ### Windows ### @@ -27,8 +28,8 @@ 1. 单击 **使用我的Internet连接 (VPN)**。 1. 在 **Internet地址** 字段中输入`你的 VPN 服务器 IP`。 1. 在 **目标名称** 字段中输入任意内容。单击 **创建**。 -1. 右键单击系统托盘中的无线/网络图标,选择 **打开网络与共享中心**。 -1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。 +1. 返回 **网络与共享中心**。单击左侧的 **更改适配器设置**。 +1. 右键单击新创建的 VPN 连接,并选择 **属性**。 1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 1. 单击 **允许使用这些协议**。选中 "质询握手身份验证协议 (CHAP)" 复选框,并且取消选中所有其它项。 1. 单击 **高级设置** 按钮。 @@ -54,8 +55,8 @@ 1. 在 **密码** 字段中输入`你的 VPN 密码`。 1. 选中 **记住此密码** 复选框。 1. 单击 **创建**,然后单击 **关闭** 按钮。 -1. 重复上面的第 1-3 步,打开 **网络与共享中心**。 -1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。 +1. 返回 **网络与共享中心**。单击左侧的 **更改适配器设置**。 +1. 右键单击新创建的 VPN 连接,并选择 **属性**。 1. 单击 **选项** 选项卡,取消选中 **包含Windows登录域** 复选框。 1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 1. 单击 **允许使用这些协议**。选中 "质询握手身份验证协议 (CHAP)" 复选框,并且取消选中所有其它项。 @@ -98,7 +99,7 @@ 1. 单击 **TCP/IP** 选项卡,并在 **配置IPv6** 部分中选择 **仅本地链接**。 1. 单击 **好** 关闭高级设置,然后单击 **应用** 保存VPN连接信息。 -要连接到 VPN,你可以使用菜单栏中的 VPN 图标,或者在系统偏好设置的网络部分选择 VPN,并单击 **连接**。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +要连接到 VPN: 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ### Android ### 1. 启动 **设置** 应用程序。 
@@ -151,6 +152,45 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +### Linux ### + +**Ubuntu and Debian:** + +按照 这个教程 的步骤操作。需要更正以下项: + +1. 在文件 `xl2tpd.conf` 中,删除这一行 `# your vpn server goes here`。 +1. 在文件 `options.l2tpd.client` 中,将 `require-mschap-v2` 换成 `require-chap`。 +1. 替换最后一个命令 `sudo route add -net default gw ` 为: +``` +sudo route add default dev ppp0 +``` + +如果遇到错误,请检查 `ifconfig` 的输出并将上面的 `ppp0` 换成 `ppp1`,等等。 + +检查 VPN 是否正常工作: +``` +wget -qO- http://whatismyip.akamai.com; echo +``` + +以上命令应该返回 `你的 VPN 服务器 IP`。 + +要停止通过 VPN 服务器发送数据: +``` +sudo route del default dev ppp0 +``` + +**CentOS and Fedora:** + +参照上面的 Ubuntu/Debian 部分,并进行以下改动: + +1. 使用 `yum` 而不是 `apt-get` 命令来安装软件包。 +1. 在这些系统中,`ipsec` 命令已经被重命名为 `strongswan`。 +1. 文件 `ipsec.conf` 和 `ipsec.secrets` 应该保存在 `/etc/strongswan` 目录中。 + +**Other Linux:** + +如果你的系统提供 `strongswan` 软件包,请参见上面的两个部分。 + ## 故障排除 ### Windows 错误 809 diff --git a/docs/clients.md b/docs/clients.md index 03c5deae95..e0790d7f66 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -6,15 +6,16 @@ After setting up your own VPN server, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. -An alternative step-by-step guide with images is available, written by Tony Tran. +You may also refer to this alternative setup guide with images by Tony Tran. --- * Platforms * [Windows](#windows) - * [OS X](#os-x) + * [OS X (macOS)](#os-x) * [Android](#android) - * [iOS](#ios) + * [iOS (iPhone/iPad)](#ios) * [Chromebook](#chromebook) + * [Linux](#linux) ### Windows ### 
@@ -27,10 +28,10 @@ An alternative Troub 1. In the **Machine Authentication** section, select the **Shared Secret** radio button and enter `Your VPN IPsec PSK`. 1. Click **OK**. 1. Check the **Show VPN status in menu bar** checkbox. -1. Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is selected. +1. Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. 1. Click the **TCP/IP** tab, and make sure **Link-local only** is selected in the **Configure IPv6** section. 1. Click **OK** to close the Advanced settings, and then click **Apply** to save the VPN connection information. -You can connect to the VPN using the VPN icon in the menu bar, or by selecting the VPN in the Network section of System Preferences and choosing **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ### Android ### 1. Launch the **Settings** application. 
@@ -151,6 +152,45 @@ Once connected, you will see a VPN icon in the status bar. You can verify that y Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +### Linux ### + +**Ubuntu and Debian:** + +Follow the steps in this tutorial. Some corrections are required: + +1. In `xl2tpd.conf`, remove the line `# your vpn server goes here`. +1. In `options.l2tpd.client`, replace `require-mschap-v2` with `require-chap`. +1. Replace the last command `sudo route add -net default gw ` with: +``` +sudo route add default dev ppp0 +``` + +If there is an error, check the output of `ifconfig` and replace `ppp0` above with `ppp1`, etc. + +Verify that your traffic is being routed properly: +``` +wget -qO- http://whatismyip.akamai.com; echo +``` + +The above command should return `Your VPN Server IP`. + +To stop routing traffic via the VPN server: +``` +sudo route del default dev ppp0 +``` + +**CentOS and Fedora:** + +Refer to the Ubuntu/Debian section above, with these changes: + +1. Use `yum` instead of `apt-get` to install packages. +1. In these systems, the `ipsec` command has been renamed to `strongswan`. +1. The files `ipsec.conf` and `ipsec.secrets` should be saved under `/etc/strongswan`. + +**Other Linux:** + +If your system provides the `strongswan` package, refer to the two sections above. + ## Troubleshooting ### Windows Error 809 
@@ -168,7 +208,7 @@ To fix this error, please follow these steps: 1. Right-click on the wireless/network icon in system tray, select **Open Network and Sharing Center**. 1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**. 1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**. -1. Click **Allow these protocols**. Select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox, and deselect all others. +1. Click **Allow these protocols**. Check "Challenge Handshake Authentication Protocol (CHAP)" and uncheck all others. 1. Click **OK** to save the VPN connection details. ![Select only CHAP in VPN connection properties](https://cloud.githubusercontent.com/assets/5104323/16024310/b113e9b6-3186-11e6-9e03-12f5455487ba.png) From 077b119274ff0e5e8b4a4a7f9fb60105b5af5d34 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 29 Jul 2016 12:55:08 -0500 Subject: [PATCH 0004/1208] New Libreswan version 3.18 --- extras/vpnupgrade.sh | 2 +- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index f014161247..9b81ea1177 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.17 +swan_ver=3.18 ### Do not edit below this line ### diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 4ba63371b5..963223047d 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.17 +swan_ver=3.18 ### Do not edit below this line ### diff --git a/vpnsetup.sh b/vpnsetup.sh index 6ff35ae8f1..0051e80683 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -150,7 +150,7 @@ apt-get -yq install ppp xl2tpd || exiterr2 apt-get -yq install fail2ban || exiterr2 # Compile and install Libreswan -swan_ver=3.17 +swan_ver=3.18 swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://download.libreswan.org/$swan_file" swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index be7ee109e8..3e85a93956 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -147,7 +147,7 @@ elif grep -qs "release 7" /etc/redhat-release; then fi # Compile and install Libreswan -swan_ver=3.17 +swan_ver=3.18 swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://download.libreswan.org/$swan_file" swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" From 335b4035b9007096c8f8469ea3b3704b2872c753 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 7 Aug 2016 14:00:07 -0500 Subject: [PATCH 0005/1208] Minor clean up --- extras/vpnsetup-debian-7-workaround.sh | 6 +++--- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 16 +++++++++------- vpnsetup_centos.sh | 20 +++++++++++--------- 4 files changed, 24 insertions(+), 20 deletions(-) diff --git a/extras/vpnsetup-debian-7-workaround.sh b/extras/vpnsetup-debian-7-workaround.sh index 0b95208de7..6230ce8f83 100644 --- a/extras/vpnsetup-debian-7-workaround.sh +++ b/extras/vpnsetup-debian-7-workaround.sh 
@@ -1,11 +1,11 @@ #!/bin/sh # # Debian 7 (Wheezy) does NOT have the required libnss version (>= 3.16) for Libreswan. -# This script provides a workaround by installing unofficial packages from download.libreswan.org. +# This script provides a workaround by installing newer packages from libreswan.org. # Debian 7 users: Run this script first, before using the VPN setup script. # -# IMPORTANT: These unofficial packages do not receive the latest security updates compared to -# official Debian packages. They could contain unpatched vulnerabilities. Use at your own risk! +# IMPORTANT: These unofficial packages may not receive security updates compared to +# official Debian packages. They could contain vulnerabilities. Use at your own risk! # # Copyright (C) 2015-2016 Lin Song # diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 963223047d..d00d48d59b 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -104,7 +104,7 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \ curl-devel flex bison gcc make \ fipscheck-devel unbound-devel xmlto || exiterr2 -# Install libevent2 and systemd-devel (CentOS 7) +# Install libevent2 and systemd-devel if grep -qs "release 6" /etc/redhat-release; then yum -y remove libevent-devel yum -y install libevent2-devel || exiterr2 diff --git a/vpnsetup.sh b/vpnsetup.sh index 0051e80683..1c92d3af58 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -1,10 +1,10 @@ #!/bin/sh # # Script for automatic setup of an IPsec VPN server on Ubuntu LTS and Debian 8. -# Works on dedicated servers and any KVM- or Xen-based Virtual Private Server (VPS). +# Works on any dedicated server or Virtual Private Server (VPS) except OpenVZ. # # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN -# ON YOUR DEDICATED SERVER OR VPS! +# ON A DEDICATED SERVER OR VPS! # # Copyright (C) 2014-2016 Lin Song # Based on the work of Thomas Sarlandie (Copyright 2012) 
@@ -26,8 +26,8 @@ YOUR_IPSEC_PSK='' YOUR_USERNAME='' YOUR_PASSWORD='' -# Important Notes: https://git.io/vpnnotes -# Setup VPN Clients: https://git.io/vpnclients +# Important notes: https://git.io/vpnnotes +# Setup VPN clients: https://git.io/vpnclients # ===================================================== @@ -55,6 +55,7 @@ cat 1>&2 <<'EOF' Error: Network interface 'eth0' is not available. Please DO NOT run this script on your PC or Mac! + Run 'cat /proc/net/dev' to find the active network interface, then use it to replace ALL 'eth0' and 'eth+' in this script. EOF @@ -146,7 +147,7 @@ apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ apt-get -yq --no-install-recommends install xmlto || exiterr2 apt-get -yq install ppp xl2tpd || exiterr2 -# Install Fail2Ban to protect SSH +# Install Fail2Ban to protect SSH server apt-get -yq install fail2ban || exiterr2 # Compile and install Libreswan @@ -178,6 +179,7 @@ cat > /etc/ipsec.conf < # Based on the work of Thomas Sarlandie (Copyright 2012) @@ -26,8 +26,8 @@ YOUR_IPSEC_PSK='' YOUR_USERNAME='' YOUR_PASSWORD='' -# Important Notes: https://git.io/vpnnotes -# Setup VPN Clients: https://git.io/vpnclients +# Important notes: https://git.io/vpnnotes +# Setup VPN clients: https://git.io/vpnclients # ===================================================== @@ -58,6 +58,7 @@ cat 1>&2 <<'EOF' Error: Network interface 'eth0' is not available. Please DO NOT run this script on your PC or Mac! + Run 'cat /proc/net/dev' to find the active network interface, then use it to replace ALL 'eth0' and 'eth+' in this script. EOF 
@@ -135,10 +136,10 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \ fipscheck-devel unbound-devel xmlto || exiterr2 yum -y install ppp xl2tpd || exiterr2 -# Install Fail2Ban to protect SSH +# Install Fail2Ban to protect SSH server yum -y install fail2ban || exiterr2 -# Install libevent2 and systemd-devel (CentOS 7) +# Install libevent2 and systemd-devel if grep -qs "release 6" /etc/redhat-release; then yum -y remove libevent-devel yum -y install libevent2-devel || exiterr2 @@ -172,6 +173,7 @@ cat > /etc/ipsec.conf < Date: Sun, 7 Aug 2016 15:24:16 -0500 Subject: [PATCH 0006/1208] Update README.md [ci skip] --- README-zh.md | 2 +- README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README-zh.md b/README-zh.md index 48374ef397..13b4a0bf6e 100644 --- a/README-zh.md +++ b/README-zh.md @@ -118,7 +118,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 对于有外部防火墙的服务器(比如 EC2/GCE),请打开 UDP 端口 500 和 4500,以及 TCP 端口 22 (用于 SSH)。 -如果需要打开服务器上的其它端口,请编辑 IPTables 防火墙规则: `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 +如果需要打开服务器上的其它端口,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 在使用 `IPsec/L2TP` 连接时,VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`。 diff --git a/README.md b/README.md index b86b92aad3..02f6bbb887 100644 --- a/README.md +++ b/README.md 
@@ -118,7 +118,7 @@ Clients are set to use EC2/GCE), open UDP ports 500 & 4500, and TCP port 22 (for SSH). -To open additional ports on the server, edit the IPTables rules in `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server. +To open additional ports on the server, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server. When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`. @@ -126,7 +126,7 @@ The scripts will backup existing config files before making changes, with `.old- ## Upgrade Libreswan -The additional scripts vpnupgrade.sh and vpnupgrade_centos.sh can be used to upgrade Libreswan (website | mailing list). Update the `swan_ver` variable as necessary. Check installed version: `ipsec --version` +The additional scripts vpnupgrade.sh and vpnupgrade_centos.sh can be used to upgrade Libreswan (website | mailing list). Edit the `swan_ver` variable as necessary. Check installed version: `ipsec --version` ## Bugs & Questions From 4d7ca74d4abd11d9010d5e3de7b3351eeab74c5f Mon Sep 17 00:00:00 2001 From: Daniel Falkner Date: Wed, 10 Aug 2016 15:29:42 +0200 Subject: [PATCH 0007/1208] Deploy on Azure --- README.md | 6 + azure/azuredeploy.json | 321 ++++++++++++++++++++++++++++++ azure/azuredeploy.parameters.json | 15 ++ azure/install.sh | 13 ++ 4 files changed, 355 insertions(+) create mode 100644 azure/azuredeploy.json create mode 100644 azure/azuredeploy.parameters.json create mode 100644 azure/install.sh diff --git a/README.md b/README.md index 02f6bbb887..7eae8a4fd3 100644 --- a/README.md +++ b/README.md 
@@ -37,6 +37,12 @@ We will use Libreswan as th ## Requirements +Microsoft Azure Subscription + + + + + A newly created Amazon EC2 instance, using these AMIs: (See instructions) - Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise) - Debian 8 (Jessie) EC2 Images diff --git a/azure/azuredeploy.json b/azure/azuredeploy.json new file mode 100644 index 0000000000..bc2d226d25 --- /dev/null +++ b/azure/azuredeploy.json 
@@ -0,0 +1,321 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "username": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "User name for SSH and VPN" + } + }, + "password": { + "type": "securestring", + "metadata": { + "description": "User password for SSH and VPN" + } + }, + "preSharedKey": { + "type": "securestring", + "metadata": { + "description": "Pre-Shared Key for VPN" + } + }, + "image": { + "type": "string", + "allowedValues": [ + "ubuntu", + "debian" + ], + "defaultValue": "debian", + "metadata": { + "description": "OS to use. Debian or Ubuntu" + } + }, + "VMSize": { + "type": "string", + "defaultValue": "Standard_A0", + "allowedValues": [ + "Standard_A0", + "Standard_A1", + "Standard_A2", + "Standard_A3", + "Standard_A4", + "Standard_A5", + "Standard_A6", + "Standard_A7", + "Standard_A8", + "Standard_A9", + "Standard_A10", + "Standard_A11", + "Standard_D1", + "Standard_D2", + "Standard_D3", + "Standard_D4", + "Standard_D11", + "Standard_D12", + "Standard_D13", + "Standard_D14", + "Standard_D1_v2", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_G1", + "Standard_G2", + "Standard_G3", + "Standard_G4", + "Standard_G5", + "Standard_DS1", + "Standard_DS2", + "Standard_DS3", + "Standard_DS4", + "Standard_DS11", + "Standard_DS12", + "Standard_DS13", + "Standard_DS14", + "Standard_GS1", + "Standard_GS2", + "Standard_GS3", + "Standard_GS4", + "Standard_GS5" + ], + "metadata": { + "description": "The size of the Virtual Machine." 
+ } + } + }, + "variables": { + "location": "[resourceGroup().location]", + "vmName": "vpnserver", + "virtualNetworkName": "vpnVnet", + "addressPrefix": "10.0.0.0/16", + "subnetName": "VPNSubnet", + "subnetPrefix": "10.0.1.0/24", + "apiVersion": "2015-06-15", + "storageName": "[concat(uniqueString(resourceGroup().id), 'vpnsa')]", + "vhdStorageType": "Standard_LRS", + "vnetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]", + "SubnetRef": "[concat(variables('vnetId'), '/subnets/', variables('subnetName'))]", + "ubuntu": { + "publisher": "Canonical", + "offer": "UbuntuServer", + "sku": "16.04.0-LTS", + "version": "latest" + }, + "debian": { + "publisher": "credativ", + "offer": "Debian", + "sku": "8", + "version": "latest" + }, + "installScriptURL": "https://raw.githubusercontent.com/derdanu/setup-ipsec-vpn/master/azure/install.sh", + "installCommand": "[concat('sh install.sh ', parameters('preSharedKey'), ' ', parameters('username'), ' ', parameters('password'))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageName')]", + "apiVersion": "[variables('apiVersion')]", + "location": "[variables('location')]", + "tags": { + "displayName": "StorageAccount" + }, + "properties": { + "accountType": "[variables('vhdStorageType')]" + } + }, + { + "apiVersion": "[variables('apiVersion')]", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[variables('location')]", + "tags": { + "displayName": "VirtualNetwork" + }, + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "[variables('subnetPrefix')]" + } + } + ] + } + }, + { + "apiVersion": "[variables('apiVersion')]", + "type": "Microsoft.Network/networkInterfaces", + "name": "[concat(variables('vmName'), 'nic')]", + "location": 
"[resourceGroup().location]", + "tags": { + "displayName": "NetworkInterface" + }, + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', concat(variables('virtualNetworkName')))]", + "[concat('Microsoft.Network/publicIPAddresses/', concat(variables('vmName'), 'pip'))]", + "[concat('Microsoft.Network/networkSecurityGroups/', concat(variables('vmName'), 'nsg'))]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', concat(variables('vmName'), 'pip'))]" + }, + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ], + "networkSecurityGroup": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', concat(variables('vmName'), 'nsg'))]" + } + } + }, + { + "apiVersion": "[variables('apiVersion')]", + "type": "Microsoft.Compute/virtualMachines", + "name": "[variables('vmName')]", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "VirtualMachine" + }, + "dependsOn": [ + "[concat('Microsoft.Network/networkInterfaces/', concat(variables('vmName'), 'nic'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "osProfile": { + "computerName": "[variables('vmName')]", + "adminUsername": "[parameters('username')]", + "adminPassword": "[parameters('password')]" + }, + "storageProfile": { + "imageReference": "[variables(parameters('image'))]", + "osDisk": { + "name": "osdisk", + "vhd": { + "uri": "[concat('http://', variables('storageName'), '.blob.core.windows.net/vmachines/', variables('vmName'), '.vhd')]" + }, + "caching": "ReadWrite", + "createOption": "FromImage" + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('vmName'), 'nic'))]" + } + ] + } + } + }, + { + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": 
"[concat(variables('vmName'),'/installcustomscript')]", + "apiVersion": "[variables('apiVersion')]", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "VirtualMachineCustomScriptExtension" + }, + "dependsOn": [ + "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]" + ], + "properties": { + "publisher": "Microsoft.OSTCExtensions", + "type": "CustomScriptForLinux", + "typeHandlerVersion": "1.3", + "settings": { + "fileUris": [ "[variables('installScriptURL')]" ], + "commandToExecute": "[variables('installCommand')]" + } + } + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "name": "[concat(variables('vmName'), 'nsg')]", + "tags": { + "displayName": "NetworkSecurityGroup" + }, + "apiVersion": "[variables('apiVersion')]", + "location": "[resourceGroup().location]", + "properties": { + "securityRules": [ + { + "name": "default-ssh", + "properties": { + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 1000, + "direction": "Inbound" + } + }, + { + "name": "default-udp-500", + "properties": { + "protocol": "Udp", + "sourcePortRange": "*", + "destinationPortRange": "500", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 2000, + "direction": "Inbound" + } + }, + { + "name": "default-udp-4500", + "properties": { + "protocol": "Udp", + "sourcePortRange": "*", + "destinationPortRange": "4500", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 2001, + "direction": "Inbound" + } + } + ] + } + }, + { + "apiVersion": "[variables('apiVersion')]", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[concat(variables('vmName'), 'pip')]", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "PublicIPAddress" + }, + "properties": { + "publicIPAllocationMethod": "Static" + } + } + 
], + "outputs": { + "Public IP": { + "type": "string", + "value": "[reference(concat(variables('vmName'), 'pip')).ipAddress]" + } + } +} diff --git a/azure/azuredeploy.parameters.json b/azure/azuredeploy.parameters.json new file mode 100644 index 0000000000..1dbe22b64d --- /dev/null +++ b/azure/azuredeploy.parameters.json @@ -0,0 +1,15 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "username": { + "value": "Vpnuser" + }, + "password": { + "value": "Password123#" + }, + "preSharedKey": { + "value": "mypsksupersecure" + } + } +} \ No newline at end of file diff --git a/azure/install.sh b/azure/install.sh new file mode 100644 index 0000000000..6f7ece6cbe --- /dev/null +++ b/azure/install.sh @@ -0,0 +1,13 @@ +#/bin/bash +export VPN_IPSEC_PSK=$1 +export VPN_USER=$2 +export VPN_PASSWORD=$3 + +# Debian on Azure has no lsb_release installed. +if ! [[ -x "/usr/bin/lsb_release" ]] +then + apt-get update + apt-get install -y lsb-release +fi + +wget https://git.io/vpnsetup -O vpnsetup.sh && sh vpnsetup.sh \ No newline at end of file From ab4b154dd6370a2a4b4b66b20a585a41760eeebc Mon Sep 17 00:00:00 2001 From: Daniel Falkner Date: Wed, 10 Aug 2016 15:35:58 +0200 Subject: [PATCH 0008/1208] Readme --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 7eae8a4fd3..c68f38195e 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,8 @@ Microsoft Azure Subscription +**-OR-** + A newly created Amazon EC2 instance, using these AMIs: (See instructions) - Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise) - Debian 8 (Jessie) EC2 Images From b2863816c1c6c077db9495e936663cfd27d05e61 Mon Sep 17 00:00:00 2001 
From: Daniel Falkner Date: Wed, 10 Aug 2016 19:46:17 +0200 Subject: [PATCH 0009/1208] detail information about the azure deployment --- README.md | 15 ++++++++++++++- azure/custom_deployment_screenshot.png | Bin 0 -> 49950 bytes 2 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 azure/custom_deployment_screenshot.png diff --git a/README.md b/README.md index c68f38195e..0be736b1c6 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# IPsec VPN Server Auto Setup Scripts  [![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) +# IPsec VPN Server Auto Setup Scripts  [![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) *Read this in other languages: [English](README.md), [简体中文](README-zh.md).* @@ -39,6 +39,19 @@ We will use Libreswan as th Microsoft Azure Subscription +![Azure Custom Deployment](azure/custom_deployment_screenshot.png) + +The Template will create a fully working VPN server on the Microsoft Azure Cloud. Pricing details + +Customizable with the following options: + + - Username + - Password + - Pre-Shared Key + - Operation System Image (Debian 8 or Ubuntu 16.04 LTS) + - The size of the virtual machine. Default: Standard_A0 + + 
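Review bot: In azure/azuredeploy.json, the `installCommand` variable concatenates the `preSharedKey` and `password` securestring parameters into one command line, and the extension then passes it in the public `settings.commandToExecute`. Both secrets leave the securestring path, are stored in plain text with the extension settings, and appear in the process arguments on the VM. Move `commandToExecute` into `protectedSettings` (leaving `fileUris` in `settings`) and quote each argument, since a password or PSK containing a space or a shell metacharacter is currently split or interpreted by `sh`. In the same file, the `default-ssh` rule allows TCP 22 from `sourceAddressPrefix` `*` while `adminPassword` reuses the VPN password, so a parameter for the allowed SSH source range would help, and `installScriptURL` follows the `master` branch of a personal fork, so pinning it to a commit would make the deployed script reproducible.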
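Review bot: azure/azuredeploy.parameters.json commits usable-looking values for `password` (`Password123#`) and `preSharedKey` (`mypsksupersecure`), so anyone who deploys with this file unchanged gets a VM whose SSH/VPN password and PSK are published in the repository, behind the inbound rules for ports 22, 500 and 4500 that the template opens to any source. Ship the file with empty or clearly invalid placeholder values, or leave the two secrets out of it so the deployer has to supply them. The file also lacks a trailing newline.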
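Review bot: In azure/install.sh the first line `#/bin/bash` is missing the `!`, so it is a comment rather than a shebang, and the template invokes the script as `sh install.sh ...`, where the `[[ -x ... ]]` test is a bash construct that is not available when `sh` is not bash. Use `#!/bin/sh` with `[ -x /usr/bin/lsb_release ]`, or invoke the script with `bash`, and quote `$1`, `$2` and `$3` in the three `export` lines so values with spaces survive. The last line downloads `https://git.io/vpnsetup` and runs it with no pinned revision or checksum; fetching a fixed commit URL and verifying a hash before `sh vpnsetup.sh` would make the install reproducible and tamper-evident.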
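Review bot: The option list added to README.md names "Username" and "Password" without saying that the template uses them for both the SSH admin account and the VPN login (the parameter descriptions in azuredeploy.json read "User name for SSH and VPN" and "User password for SSH and VPN"), and it does not mention that the deployment allows inbound SSH from any source. State both here so users pick the password accordingly. Also, "Operation System Image" should read "Operating System Image".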
diff --git a/azure/custom_deployment_screenshot.png b/azure/custom_deployment_screenshot.png new file mode 100644 index 0000000000000000000000000000000000000000..3dab1f3a8ea1e40016108f937dcbd2f2865ec97c GIT binary patch literal 49950
z?kfX#kV=SbLw_LQN`;GjkktCty-MdfjB1lDx_|vqLf~-kbBQj~^gZ;nK1u${`CrBs z2RTjZa<`!~#?e1t$$j^o*j`wxcfq(V=9GB0-IkuhyJr)%Q=iH)o4g5^+Ww@qySlWs z;*qv^_TVc4qY1KluKg<#b!RDKQGZ>wBtGuc4q5_x!|9tG&!1r}l0o|7MJ_FuIRgUd za7tsf$X{dHO117CKs2RlaxxpR#H}$|kr&OjcYhL|V~=J-73I5m>NEA+Ff^jO4i=-q z1swAI`3n0|5=Ap+UZFnBvKUlU)*kxOb?(l38vB!A zZP)#%eD-h5&?`#{lX(6XwXaWgQD1e%P#oxaQ$V8-TiB9r#PjCLJAJ-`P_)mD?7I`W zP#xxUaoKtcHr0bo36~RO?f73|Xvi1sIg~J3seJtYPXi^RZ6u-;AwolTNs<+n zWR<gPiC2D8?;QY|-rbM46xqClR-}A`pRt(0H-Ve$!jdKa__hqen^|N>2dzxTQ8JICdmCNb) zf32*nluC(75rpTz!G9N({2SIf7SXqY&-5!UmxPLte%0_bvMW4#_-MVeOWa1-yjcOq;SlWL2d)Zy~{TP&ksi zK)RT1K_8G|aSxFwq^p;tAEr!@E@di?X1C&);!gAePn%TxMkA8Td(C8Pbd1OH<5#nq zgxp!~R52DE6#Eti5}o{-3rU4i*3k47Xwb-AGgW2yb>w?e z-qPr&R1M}i`{d;P8nVF$v!E|e81pa3NH2al2~IYCrwpx?kg{l`7KrV8CTXh^|C}HW zQj4oG-i9A*PRLRovL$YU ze(8V9J!4K0NLenJZp<(Y&GpB)d{RfpE!k(Z!Mat6IL|tBGbx?9KitOJ&7^kDLJDzp z7xMc}ly_{I8B!-b)KI^eXRz%JyLs|XSvSjlARBEOxtpaH`;SF~j*+Mvo)O7v=L;Amf2?8?)PN(c77(oBj-Q9DNdtonYq z@iEk4KT=O>;1g?Y;OK;eMC-th+znTc-FTs1IMJ&ALYP}|Yh`-E^&dZln$w*{OONVv zaNHcM>&-OIubCcKdEN0gT+f{b9&5#v=(b_azWZC{^xb9-Zt&1i%B+a0Wu{!V8Echs zVSLr4Xy!nzL()Vw@CD_)T#m2azMU%g26UCrJycRj+$%y4=%V^^C)%I1;xT))Fupi3 z|CrL$pB?e?mzi5mu6^tN!Am7z=o_sXtv5Nu;_S7>snDdgwAXIdgQ?AT^jY`5ie6?W z=8ZPW#&dI7erq>-&heeliSJ+U$)Z55?)jeY7P`Nj_jI3)aoQBr5{51_2!9w7j2YrS z9imZJ$bZUvgd$M+qfntTe=eV`%xLm{;fJW?guFySL2T#_mfBfwerFq9;kEo}JX@+med{ls%c{T?=0(w|7(eXd27bH$L1v&OFWT zZNEN_h0s+!mA%D`$OSaZaql0D(U*dcVn$#5JNpNuQP@8S@byhyS!_=iiY(XCJ9X+5 zawgKKN3yb#LLhLs>*rTK>yn(A$IHu$4Z2>9u=ATztHb>-wNc|7qJRCgva&HG7&8r6 zEhE9aXI*l5NB(bMoN03){_IcU!uFNUmR3oj$|pBX)A|AfPE26#!ZfO* ztBa)x(F_5MeD3<`a1 zQIJec$4tmM5o$xn;W5XF8F6hVbY4XBGmwS%`}d*%f3g^z3B*hkcOpXQ^5Wb$^h%I= z$)X$ty^uMR72HkHkgl2LfB)8xfH4ptUn(R3Rzrvy%#GXa!LM}hjG;e zxatXV(DC9MT@Tnl(rzJv1|R?yv3G`z0Iwh(sX2t0*b_njkIIwV7pu1JlPS*tID3EX(YKMuyeF+H(BHJ3U8c`iPJqb%Q zRPDBiuflf-#245u;tUu`06aiem3y1H@A~@wgswUP_)GJRwSfT_!d;9}4*{Bq(Do3u zk|m*n0nlffi3)?r_;6!b5z;q8P>(mFY?C5d0wKaPfs=l#z@=b>q=-Q6=QETYG+$I) 
ztbuo2YT>sCMtdZ)a2`F%OeT|kCi~M508&V;EZPHB6oIwC?G$NP$Od77`j=pQ0Y8aA z8XQd#Sdxh|0B@sA2>WjYSJ=!?nVVEb`{CvU(&I8PE)g$4LKn;}qB|UK;5g*yL>w2< zB<*g8BRC?2E66qWBh500+XD?5l1h8~9C^$(+G{HzH-fwe1;D^HG?xJdVZYwO%BqOp z2mTvKpO9=4-6D{CWM3cH4A~BW_#v%SdoH)0w79tV5+!obXjW=QMT(lQ{si!nh&U1y z#n5~Lp^a-Euc9fREDbQc7g0_~et3w^>lY88y;J{i-P~7?;@%HQ+vdRGeR;z5_PeJY zZrq56{9k51B?ZtW6oRh4V`RM{#WQEnv#}FlYo9%A!~aH26E%`5Prf0-y%3qz$(K?H zVl2nm9@ibJ4qk2|8AphCXSnu&w`n|~Y}9yt@gS1d;8Q267YQ96k+%bo0~Rwi*c|Coetv~bO=6|l z2~CxeQ)6RTK-RE-1L8Nn4pFE0fH^Yr#eeou5LA8zUUEomZ{xTVIy{6pC?VqpBW-ag8Rqgp~JoD z2hivN8tP((l~%~EY{yZ(OBq(D0g{{En?G`o_=CO6ySz>D(QAmW&dB6?EV-cM{JxKm zk5m+XuVaw-&u9tY4&)F867};qxbKL{XykI?_Cg47Q8{b?s*#8c2b%%UOtEE3?j4wm zi3n@rl1Cd0wkje{W0!rI1Q}#NZGn<3MnV%b-qN%3*Ke3W_$M*jYL7grJ1E#8YF9B0 zI3bzhcYhuVkzzVKJJ}qNaV1D-{}5CKIYE%8rzcyk&nNo222fx`RSdEnY=}>B2DY%> zyYx#x5W+`jWr;8r_^*iI0uZ_JDp4i)Ovh7K44E;9>2Z zq3nikY2Ck_g2w%GU9)4yx(W5PgyOBwo-r{o1$N23)T3A*0QOJN#o-wftH=gU_o#sfT087DF3-j_^*}1KSaQ>w+3~r=;vi6YV_ou z)xIk#Zy9TArP3-IZXjeh&n!uw7dbvsypQF{Dyp5-?FR6pMG7=5iAUAM*;uNRL_SVaU~E ztE!SUj^N#e%7AGDdA>=nXfS@hPnB&L=gD*9P{RRlVPq;_tE}t;s58xisaBc|+n3 z|k4%EcDd^@7MUJ6H20ChwZ(F%UklAoo zwMexGTPuo5{W(l$l(Ftgl7f=xWZUed8QNnz$dB4TX4{NdVPFYc7*=8*s;bwkK#M5F zu6iw0Jf)3{(%+}qG(e2xEzt}YjBg>Y*%%WjWA$75$fAm(3Zne>H@MtZiTVsnYZ&Xi zSjzG!w+VSt5*T~+E@5Hc^;`DUq@6kvPo_|rRzw?@yw@VJNlYqo&arHHyseC4!gnUbBY4p!pNOLVCxRJUw!; z^*jnC)oM%{C_3$X%idq%BjQqaaY1M@$$Ikq%J1nphwr0UcXG_0e7;j(KM{ty}=nBdFo6;~-f=9kUS%XR9{4PX{_dg|`xG)Kkm z^45Q8+I<_}-?{EFCNtq2kU`%G;*r|Hl;AR1(B$Urpw?Eh<*$3FQ`bFuv zq)UZT$u8*&O;L$7iSpAHD@sWoL~vB9^=O}T=ETrLfDr{-iuU=dlo@5hqd4S5-7pmeeY{0q;GdG4NjtWYM z%ekht)_=aP{!8@28!ew7Wf4AEbYH@WkDaESIvi-KDh7uaqysA@z;$rL)8-f*40^@_Wdg| zN>=eWKmS@Lmu9GH`P~TU z5JHIrXGOH7SV1&nSNd7lHr$!O<$bs@BG*zM(3p^Exxm9&nWu1FiU0h5&7Xb^%c09O z%UwQZ9T|rpnkz);s_Q6kIT$fBJnIUk827T9985LCtkQ-cTOEb|m&JP8{)tB4qubMY zrcxf8re8X(s901`AlWgwgN~Yxx*-39EKZ*NJ^-9H?thPV*o7U*-bAM}C|NQ7b|KlG9`=7u5KFa^&x1Lys z5~~8}d4qJ)tvmGa1fQ$Dk|t6mx$Gu?fxE{ap1)N0KY#t*r~mhR;GbLJzx$T?je{B| 
z?uCmfk3JwC^Z3A<(D&AY89he)rYeSF?zGzKn@=yy^c`D)pbe6zZ1d^UzzHanYCb_6 zt81(JTV8P48p>~Sq^!=$x>;V-n?aW8dY)CT{o7`lSf^o-CEW0rq7bzD+r|wYQy6Gp z!0Xn0i+F%#s!U~7^DgK6<8G5{toqhkoxbPvz$M^I_S)(s>ej5IKHbRi#HqxPz>RFf zw5Eyk%NR&-`>Yful<9st zmE4+8a_Dp0n#nR=r^A*E)F<-pXW4YECaPTaK3b1~8AjPet+c%u&|otS!|oP2qNkwq zU&qMUkL6|`2FQPf;b0N$b&H`LBEVOS$2>10?)s7PX8>0?K^y?$oXxVig2m0)`1lq0 zhl2Su{Q-u4pj`?OK?`gGUKe55-ps97m8>gH1jT~hGHd&A2tMXd|AV)vYbQhzv@ecC z9{T>^osqeld=Bm2EeA*QA4yfT?d~up4B$k~7ho2_YXG=`kw4V*(NPeSBvGXXcr;eX zq~90{;Uy6Vy%j5YtalE=i6wDj00v$K^a3Fe`y2|$fh(~@I{}yq^1=*HRZ*1T*&&EgF)`VZ7$mO5HzO1HcLxn$1XPM0PWYaEihuT^1u91EQkGGFLf5^a}73OnQ+x7qBEna^kLS`_I9E zEd<>Kv^L4EA7PO!z+RUi#6Ut3-B8UMz5ccN)`HYNIj~e`1iXS2Zp46^rjkBx_9<)f z?F*)#sBF@ktV}n2k%#(9{P!Et$a3(P@8DrqiIFOYFUM84F|49;F&OACwrpGEok`6YK{TBjV5|F8Sa z7^`@ln_H{=>h&^ zHf2#%hnFT|7A$7is2~ShMLSkL36V+R8bo4Y>vJwQUl^;!-d2hYHZ#;%sds-VyuX!! z?kkiP`o`ON)sGfu_4F7S7UhSNI=2JZ_=ryR`2D*hNfxbH)pan#eKbp_9K=U~cE= zLMiO8g_dk}D`$T&#Ii`|86Q(vS(=AbuKK;P_&fvi@uj_Q=6V}mkm%e;xc8F9c9*8A zGVUbc#;U3eL(S#Zj5Q=Ajni}&)x31xanp4=K_fI8@t?j>Hapyku$ibecV!`fU3Kul zOaq}fXVG`JuXBkJcZ_adiuw8OTCUlQf~%gh`}?K0E{cl#V~ZbfzZ~Cvo%~!{mEPGu z!H2l@L`@Ua(sX?+4Z}H99U=BATlxiV`{Wz1NKBJ(GrDx zDFG&n#fFrn%$RjibG(3Qx64gpHHvTWYt8uNKDZxxAkDH;?^uTQqu52Ppp6?wau;VN zSBD7dDiu)6x*c&`#m+t=aW2z;X>67Kh?g0os<_Y5-RCBD?+Z&B)&D$_TjC0skBe49}MTY$8K`;lZyqV z%Z=*>9f+0x=-9|$Nys!GkE=DyUbhKO?fMk-!bvti`|Gs6Zlepq8rrnSv;nUY>^0C?n zi|I=r9NnLYm{xAuv7;Cu8~HIW)$**Or={(tn8`cEj>D*N)OnB&lW*-St*G;s^)IZ8 z1@nJAbKkN50uSS--2xHny?Kf=y-BT__n@TeYaHLQn0=LI)hZ9G_SESQ&B7^Hy{Ar0 zN#6R{**kC#VrCK+H=W5*2U-1UU!V0eIC;M+>+Ble?E*JZ=?b#jc&L7uv~_<^Vb|_c zVje%O@$n3Xy=os(mz~Pe3>MX(~=LkH5E2HJc+JP zi0im5&Lt^E)(4EWR7+>UZSloJw6qt!JzB3-q?tFGH#Hr@m{74M zJynVC?DMQ8N>MpkxNGt>AwW(vpaK=GpmI7pIit){dsU8vB(MGf%WpFW&aIQqCs)wZ z)2(}|(?ss$RfjM-n6RGUIZTa6hq2a;nD*Rd;>F43K983i*XdJDM}Kqh2W8wpXR`fN zS=c-kjLyLVu7Wkkr5%s1z$Zf(hRgxWa90t#86z1?MO_7S_rbxLzgQGo(pHTRTM6X> zY|z1cu7dPCYE5hU1a$J)WU-1(zBKy9%PUTcUx`inz?rO4wRA;ee>O>ZKa2BTQ`$#| 
zn?43$HMCl2IZe>XqKbr5iCU(^OI2UHpvj8TT%XqesfjZ9@gBYQh5Wz6d+!?4iq%y)T84;>VXBB?EXIK0 zxXdVbvRLQ)qr=ai8w!P27yOJDAg3a4(k)Z--sVCv+uq~xi&jH^&1u%sn}UJ}y!=*n zBOG({J@>%YMKLK#N=h&<|Fm}#UfwX0ov?NHo%~PW1G|F`NBwFtz3l&~KG9J8uyvDS zF~ikKx(_cDws0K^Ie!SQD(IpODPbwtX@X~gW*QI?YYVHE3Iqc!8>4+ z&thyhhMz;!y3XrHfP-np?BuX!hvV<6?J&bPI}FN$xx*3J!`R@u@zHlAA@1rKkj+^d zp?N=2{{kskKYwQVfM(MIh$%i9{tz?^olIlu&OE)o$O1cQZR)+M!V>!%&9d=?| zt2wN#eXbndzn>LWCEO*=Tb~OUcDR>%RJ;PBIv~Za&kos4R(l8+s~vxe8E zw>@FxNP4pW4NuJJL^niC48fLrOA8czH;cPb&N}0a>oA!w5I{4`#`a)a>QxNdGaQEr z68U?Dma>iOr92CIeWhr{^jGJJAWaqdeS`<0z1_Q(fX>g=_Gij>>~pEgEj46=AqqE{ zU|#!xCH80dCT1nOQerorWa4n>HV$Iz_=A6=J_peLSGE8nm-7Fy=)HCN{~x~pqq6_M zW(EG||5ETW*7&2s4{G5IZce4D9in|z|M1ta-Y@SkTfR%yWEJc zn#K3+Dm!w(%}Ft3rxIpI24 zo`4c`kWrqsMk<-Cx0C*Ds~yWE@==cOjL%qLP`eN8)ZqX zP{lb~HA0i8{E4q0!%g$P664#|za`@axe1;u+x|}#M`+`mK`@YFnEIc$B<<1=p5Mr4)DAk>PuqKu>pt$VH-*cp=f;Qei`CH}irqml2 zKRcbHpNVE(w)j^3REBr~c8*jvId_t%)xULgEj;k1XP~{l^*DXQMmK`Li|f37_EgGF z?@G6oK6j5bv0eMS>1h96=!reu338LPFDdH-@3{GE9{uwY#S6?lZYB)7tnT+KOA`9? z@Uz}EJ0eD1R>vJrz_Go%sQqkOe|;G3OZ;jsJ6+j7Coyrx%E<{YNN41F->|cJX+pxE N( Date: Wed, 10 Aug 2016 19:48:47 +0200 Subject: [PATCH 0010/1208] typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0be736b1c6..9c2b90c49a 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,7 @@ Customizable with the following options: - Username - Password - Pre-Shared Key - - Operation System Image (Debian 8 or Ubuntu 16.04 LTS) + - Operating System Image (Debian 8 or Ubuntu 16.04 LTS) - The size of the virtual machine. Default: Standard_A0 From bb367047dc40f8bf569a22a8573533e4e1dd9978 Mon Sep 17 00:00:00 2001 From: Daniel Falkner Date: Wed, 10 Aug 2016 19:50:03 +0200 Subject: [PATCH 0011/1208] installUrl point to upstream repo --- azure/azuredeploy.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure/azuredeploy.json b/azure/azuredeploy.json index bc2d226d25..ef01b23a7b 100644 --- a/azure/azuredeploy.json 
+++ b/azure/azuredeploy.json @@ -113,7 +113,7 @@ "sku": "8", "version": "latest" }, - "installScriptURL": "https://raw.githubusercontent.com/derdanu/setup-ipsec-vpn/master/azure/install.sh", + "installScriptURL": "https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/azure/install.sh", "installCommand": "[concat('sh install.sh ', parameters('preSharedKey'), ' ', parameters('username'), ' ', parameters('password'))]" }, "resources": [ From 05e4d46d41f69109cf37b83fdeabef1ed4cfad66 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 10 Aug 2016 21:23:39 -0500 Subject: [PATCH 0012/1208] Deploy link point to this repo [ci skip] --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9c2b90c49a..f3ffdc7a8e 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# IPsec VPN Server Auto Setup Scripts  [![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) +# IPsec VPN Server Auto Setup Scripts  [![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) *Read this in other languages: [English](README.md), [简体中文](README-zh.md).* @@ -52,7 +52,7 @@ Customizable with the following options: - The size of the virtual machine. Default: Standard_A0 - + From 73688763d23bfb736ef77df88c2f612b46f2d611 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 10 Aug 2016 21:25:44 -0500 Subject: [PATCH 0013/1208] Fix a typo in script [ci skip] --- azure/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure/install.sh b/azure/install.sh index 6f7ece6cbe..e61c90325b 100644 --- a/azure/install.sh +++ b/azure/install.sh @@ -1,4 +1,4 @@ -#/bin/bash +#!/bin/bash export VPN_IPSEC_PSK=$1 export VPN_USER=$2 export VPN_PASSWORD=$3 From 68adddc969448083d5e0aa132aa3677912c64c66 Mon Sep 17 00:00:00 2001 
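Review bot: In azure/azuredeploy.json, the new `installScriptURL` still tracks the `master` branch, so every deployment runs whatever install.sh is on that branch at deploy time, with no integrity check; consider pinning the URL to a tag or commit hash. The unchanged `installCommand` line in the same hunk concatenates `preSharedKey`, `username` and `password` into `sh install.sh ...` without quoting, so a value containing a space or a shell metacharacter is split or interpreted by the shell, and the secrets travel as command-line arguments. Quote each parameter, or hand the values to the script another way.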
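Review bot: In azure/install.sh, the corrected `#!/bin/bash` line is not consulted when the script is started as `sh install.sh ...` (the `installCommand` in azure/azuredeploy.json), so the script still runs under whatever `sh` is on the image; either invoke it with `bash` or keep the script POSIX-sh clean. The context lines `export VPN_IPSEC_PSK=$1`, `export VPN_USER=$2` and `export VPN_PASSWORD=$3` are unquoted and unchecked: write them as `"$1"`, `"$2"`, `"$3"` and exit early when fewer than three arguments are given.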
From: hwdsl2 Date: Wed, 10 Aug 2016 22:15:11 -0500 Subject: [PATCH 0014/1208] Update README.md [ci skip] --- README-zh.md | 8 +++++++- README.md | 29 +++++++---------------------- azure/README-zh.md | 27 +++++++++++++++++++++++++++ azure/README.md | 27 +++++++++++++++++++++++++++ 4 files changed, 68 insertions(+), 23 deletions(-) create mode 100644 azure/README-zh.md create mode 100644 azure/README.md diff --git a/README-zh.md b/README-zh.md index 13b4a0bf6e..a03d3e2499 100644 --- a/README-zh.md +++ b/README-zh.md @@ -37,18 +37,24 @@ ## 系统要求 -一个新创建的 Amazon EC2 实例,使用这些 AMI: (详细步骤 看这里) +一个新创建的 Amazon EC2 实例,使用这些 AMI 之一: - Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise) - Debian 8 (Jessie) EC2 Images - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates +请参见 详细步骤 以及 EC2 定价细节。 + **-或者-** 一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行另一个脚本。 OpenVZ VPS 不受支持,用户可以尝试使用 ShadowsocksR 或者 OpenVPN。 这也包括各种云计算服务中的 Linux 虚拟机,比如 Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean, Vultr 和 Linode。 + + Deploy to Azure + + **» 我想建立并使用自己的 VPN ,但是没有可用的服务器** :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! diff --git a/README.md b/README.md index f3ffdc7a8e..331101efc2 100644 --- a/README.md +++ b/README.md 
@@ -37,39 +37,24 @@ We will use Libreswan as th ## Requirements -Microsoft Azure Subscription - -![Azure Custom Deployment](azure/custom_deployment_screenshot.png) - -The Template will create a fully working VPN server on the Microsoft Azure Cloud. Pricing details - -Customizable with the following options: - - - Username - - Password - - Pre-Shared Key - - Operating System Image (Debian 8 or Ubuntu 16.04 LTS) - - The size of the virtual machine. Default: Standard_A0 - - - - - - -**-OR-** - -A newly created Amazon EC2 instance, using these AMIs: (See instructions) +A newly created Amazon EC2 instance, using one of these AMIs: - Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise) - Debian 8 (Jessie) EC2 Images - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates +Please refer to detailed instructions and EC2 pricing. + **-OR-** A dedicated server or Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used with this workaround. OpenVZ VPS is not supported, users could instead try OpenVPN. This also includes Linux VMs in public clouds such as Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean, Vultr and Linode. + + Deploy to Azure + + **» I want to run my own VPN but don't have a server for that** :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! diff --git a/azure/README-zh.md b/azure/README-zh.md new file mode 100644 index 0000000000..e1eeeea3ca --- /dev/null +++ b/azure/README-zh.md 
@@ -0,0 +1,27 @@ +# 在 Microsoft Azure 上部署 + +*其他语言版本: [English](README.md), [简体中文](README-zh.md).* + +使用这个模板,你可以在 Microsoft Azure Cloud 上快速搭建一个 VPN 服务器 (定价细节)。 + +根据你的偏好设置以下选项: + + - VPN Username (用户名) + - VPN Password (密码) + - IPsec Pre-Shared Key (预共享密钥) + - Operating System Image (操作系统镜像,Debian 8 或 Ubuntu 16.04 LTS) + - Virtual Machine Size (虚拟机大小,默认值: Standard_A0) + +请点击以下按钮开始: + + + Deploy to Azure + + +屏幕截图: + +![Azure Custom Deployment](custom_deployment_screenshot.png) + +## 作者 + +- Daniel Falkner (https://github.com/derdanu) diff --git a/azure/README.md b/azure/README.md new file mode 100644 index 0000000000..736022ce5a --- /dev/null +++ b/azure/README.md @@ -0,0 +1,27 @@ +# Deploy to Microsoft Azure + +*Read this in other languages: [English](README.md), [简体中文](README-zh.md).* + +This template will create a fully working VPN server on the Microsoft Azure Cloud (pricing details). + +Customizable with the following options: + + - VPN Username + - VPN Password + - IPsec Pre-Shared Key + - Operating System Image (Debian 8 or Ubuntu 16.04 LTS) + - Virtual Machine Size (Default: Standard_A0) + +Press this button to start: + + + Deploy to Azure + + +Screenshot: + +![Azure Custom Deployment](custom_deployment_screenshot.png) + +## Author + +- Daniel Falkner (https://github.com/derdanu) From d3651890bdfd097b5baadd2e6e97f19764263d79 Mon Sep 17 00:00:00 2001 From: Kenneth Endfinger Date: Thu, 11 Aug 2016 15:06:50 -0400 Subject: [PATCH 0015/1208] Add support for Raspbian --- vpnsetup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 1c92d3af58..571906734f 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -37,7 +37,7 @@ exiterr() { echo "Error: ${1}" >&2; exit 1; } exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } os_type="$(lsb_release -si 2>/dev/null)" -if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ]; then +if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ] && [ "$os_type" != "Raspbian" ]; then exiterr "This script only supports Ubuntu/Debian." fi From 0c3b2851f5ce369f76bde68fad95d69144f69379 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 11 Aug 2016 15:14:52 -0500 Subject: [PATCH 0016/1208] Add support for Raspbian [ci skip] --- extras/vpnupgrade.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 9b81ea1177..5d995035de 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -21,7 +21,7 @@ exiterr() { echo "Error: ${1}" >&2; exit 1; } exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } os_type="$(lsb_release -si 2>/dev/null)" -if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ]; then +if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ] && [ "$os_type" != "Raspbian" ]; then exiterr "This script only supports Ubuntu/Debian." fi From dc97e46542c55fbb2e4761f05efa6c94be9c0a99 Mon Sep 17 00:00:00 2001 
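Review bot: In vpnsetup.sh, the `os_type` check now accepts `Raspbian`, but the message on the following line still reads "This script only supports Ubuntu/Debian."; update it to name Raspbian so a rejected user sees the real list. The same applies to the identical hunk in extras/vpnupgrade.sh. Because `lsb_release -si 2>/dev/null` yields an empty string when `lsb_release` is not installed, a supported system without it gets the same misleading error; a separate message for the empty case would help.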
From: hwdsl2 Date: Thu, 11 Aug 2016 15:56:00 -0500 Subject: [PATCH 0017/1208] Update docs [ci skip] --- README-zh.md | 4 +++- README.md | 6 ++++-- azure/README-zh.md | 2 +- azure/README.md | 2 +- docs/clients-zh.md | 15 +++++++++++---- docs/clients.md | 15 +++++++++++---- docs/images/azure-deploy-button.png | Bin 0 -> 17108 bytes docs/images/do-install-button.png | Bin 0 -> 2190 bytes docs/images/vpn-properties-zh.png | Bin 0 -> 18475 bytes docs/images/vpn-properties.png | Bin 0 -> 39798 bytes 10 files changed, 31 insertions(+), 13 deletions(-) create mode 100644 docs/images/azure-deploy-button.png create mode 100644 docs/images/do-install-button.png create mode 100644 docs/images/vpn-properties-zh.png create mode 100644 docs/images/vpn-properties.png diff --git a/README-zh.md b/README-zh.md index a03d3e2499..b54dfe370a 100644 --- a/README-zh.md +++ b/README-zh.md @@ -52,7 +52,9 @@ 这也包括各种云计算服务中的 Linux 虚拟机,比如 Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean, Vultr 和 Linode。 - Deploy to Azure + Deploy to Azure + + Install on DigitalOcean **» 我想建立并使用自己的 VPN ,但是没有可用的服务器** diff --git a/README.md b/README.md index 331101efc2..8a500c3d46 100644 --- a/README.md +++ b/README.md @@ -52,7 +52,9 @@ A dedicated server or Virtual Private Server (VPS), freshly installed with one o This also includes Linux VMs in public clouds such as Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean, Vultr and Linode. - Deploy to Azure + Deploy to Azure + + Install on DigitalOcean **» I want to run my own VPN but don't have a server for that** 
@@ -93,7 +95,7 @@ VPN_USER='your_vpn_username' \ VPN_PASSWORD='your_vpn_password' sh vpnsetup.sh ``` -For installation on DigitalOcean, check out this step-by-step guide by Tony Tran. +For install on DigitalOcean, you may refer to this step-by-step guide by Tony Tran. **Note:** If unable to download via `wget`, you may also open vpnsetup.sh (or vpnsetup_centos.sh) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor. diff --git a/azure/README-zh.md b/azure/README-zh.md index e1eeeea3ca..ee177f3dd7 100644 --- a/azure/README-zh.md +++ b/azure/README-zh.md @@ -15,7 +15,7 @@ 请点击以下按钮开始: - Deploy to Azure + Deploy to Azure 屏幕截图: diff --git a/azure/README.md b/azure/README.md index 736022ce5a..616206dd54 100644 --- a/azure/README.md +++ b/azure/README.md @@ -15,7 +15,7 @@ Customizable with the following options: Press this button to start: - Deploy to Azure + Deploy to Azure Screenshot: diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 398aebff56..788525e3b2 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -160,10 +160,17 @@ VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可 1. 在文件 `xl2tpd.conf` 中,删除这一行 `# your vpn server goes here`。 1. 在文件 `options.l2tpd.client` 中,将 `require-mschap-v2` 换成 `require-chap`。 +1. 替换 `sudo echo "c XXX-YOUR-CONNECTION-NAME-XXX " > /var/run/xl2tpd/l2tp-control` 为: + + ``` + echo "c XXX-YOUR-CONNECTION-NAME-XXX " | sudo tee /var/run/xl2tpd/l2tp-control + ``` + 1. 替换最后一个命令 `sudo route add -net default gw ` 为: -``` -sudo route add default dev ppp0 -``` + + ``` + sudo route add default dev ppp0 + ``` 如果遇到错误,请检查 `ifconfig` 的输出并将上面的 `ppp0` 换成 `ppp1`,等等。 
@@ -211,7 +218,7 @@ sudo route del default dev ppp0 1. 单击 **允许使用这些协议**。选中 "质询握手身份验证协议 (CHAP)" 复选框,并且取消选中所有其它项。 1. 单击 **确定** 保存 VPN 连接的详细信息。 -![Select only CHAP in VPN connection properties-2](https://cloud.githubusercontent.com/assets/5104323/16026263/cbda945a-3192-11e6-96a6-ff18c5dd9a48.png) +![Select CHAP in VPN connection properties](images/vpn-properties-zh.png) ### 其它错误 diff --git a/docs/clients.md b/docs/clients.md index e0790d7f66..01b7de0954 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -160,10 +160,17 @@ Follow the steps in " > /var/run/xl2tpd/l2tp-control` with: + + ``` + echo "c XXX-YOUR-CONNECTION-NAME-XXX " | sudo tee /var/run/xl2tpd/l2tp-control + ``` + 1. Replace the last command `sudo route add -net default gw ` with: -``` -sudo route add default dev ppp0 -``` + + ``` + sudo route add default dev ppp0 + ``` If there is an error, check the output of `ifconfig` and replace `ppp0` above with `ppp1`, etc. @@ -211,7 +218,7 @@ To fix this error, please follow these steps: 1. Click **Allow these protocols**. Check "Challenge Handshake Authentication Protocol (CHAP)" and uncheck all others. 1. Click **OK** to save the VPN connection details. -![Select only CHAP in VPN connection properties](https://cloud.githubusercontent.com/assets/5104323/16024310/b113e9b6-3186-11e6-9e03-12f5455487ba.png) +![Select CHAP in VPN connection properties](images/vpn-properties.png) ### Other Errors 
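Review bot: In docs/clients.md and docs/clients-zh.md, the replacement `echo "c XXX-YOUR-CONNECTION-NAME-XXX " | sudo tee /var/run/xl2tpd/l2tp-control` correctly moves the write under sudo, but `tee` also copies the string to the terminal; appending `>/dev/null` keeps the step quiet. The new step does not say why the original `sudo echo ... >` form fails (the redirection is performed by the unprivileged shell, not by sudo), which deserves one sentence so readers do not revert to it.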
diff --git a/docs/images/azure-deploy-button.png b/docs/images/azure-deploy-button.png new file mode 100644 index 0000000000000000000000000000000000000000..e81f2c1c5733192076a5eb63340a2f4a2bda5eed GIT binary patch literal 17108
zW~4P1GiUPVm(L=Px;t*)pTBQ9x-T=!);^&z9hz(B_G$Z}m1{j-vFEYnM)#I;x*B5_ zmyXh-m7F{oTD@-Ta&C!6M18XGLomVRncl`D?>*zCu7`{kAKuvoZJEhPiw^&mLRQt; z>}JX|Y0Z>V7U4|o3$?}IR;HGFq_%rTih13lS;w9j-2d~B>*bN3@y(U4i(^{0oQ-Vu z_?UEYMNB4HFaN<7la3T}X;gmsGF9CZ=a4g))}QRMkG1NJ04lEstqYuG;lJ+3J0UBD zc{b05=hJO=*F{HT<0meBFe-3K(CZUyEym_;h0iWK)!NJ^>HEKbR+RNpxMp?EoO^9^ zzqd*)sw5npS~Ydj){beGPIj&r*x}h>d8H>q8;ca*#X6WBx2$blRjmBf@)lpYm%EVx zzAV;Q98)k_e%mEFIM1eOdh(+{4N1$I=a+ZMJH?UhYd+=g)Hy{ux;&p*A>H}@joqsA z7y;ETM*IBZ1Jnp8w>W@u>Umi*jk#q_yp z1WmyEK-QB5X2n(=CZPZ2ksIa*T@JFbY(M{EZHD4R=W^ZqEB0(=G4Z<1uXAG`h8MXs zYS@FP+^$AsN$V=?EMBWBb!SWyMp`^4V6^M_N#NI7uE>MX9rfS zTpf{P2Ccf}c4R_3SZ)76&)U>NnH6#=Kwz`at}HN}wc2exv5mUjop$)Be$G!9np#ap zM$}&o6*SE@8o5wkGnkNrEjd-!67nMX%CgU=^^{rZ6JME5F9>@mVOS^c!#pk4&$zj2 zd0=q9Bm1u6g?YYbdRVdO(3*UgN2ez%8gwEWEIENPUsGi&N08KLcXxCe=$qD+bJ8dp zdn9SvmbGj5zP)wdC|Q_6OVzTaJ)H@S4Nd;%HbtX6-e`N2kN;aw(z@nP6V|EBi}UyM zT94~2u`Szdtx>p|*ID*M-IaX+nR(^>lg`wP&$Q*5|O8lhYK zm(-8BcUo4A!8Zm<+S6{?JrojkOQts5x|O-<=(VPEk>vO``EBXm`i*IK;v7auymQaV z6ZhQ;UHSKNh%0ZjG-Ez-EQ)(D>tV5q<(W66-%7pZ(7JRHAdopLTBv7Vo+i+<*QD z_vpr*c~`YEqXX9}gj;nrK8zk)aH6c*C`ZX0wWzjBUwD@mm0?!L!D?1{&Y1sZ@6Y$Q zRi2qJVo_kkua7%Fdj77Nug^JaVzO4H{$~>D%^dsd%w3Z*ws-1oHD1UwtDsQFns9ba zENzt8Zz`BJeN4yURJ(1P3cQ)S^1Kg#I>(B_-!(|>n%b%jndgen>MW4Y)t~Hf;lnoU s=-)hR2)cXre&>Ir{_e8+)Q@Sv)L?Dxu3YIw_5VBJPx#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf2qQ^EK~#8N?VNjP zR%IN=pUvGjFWcNjoQayX2uI>d6vRNyQoD#c2?Q$&|A-(Ej6m#yp$S?LL19cS3$jB0 z=whw#Mp`&A2Bu|d>by+drtZGEt>^PQ=XpIld*AKd&THs=K6ubv`0L|a+ecUKou8S)cSo_RaN~Bx5aWdlaUm!UVLPzntflIigVix zT?E9+R~7ZDwEUXWV6k|3xFAKnIWt=gigz0{ApsGp-YBb92P>Ophs6?(yo?0($--Qf z81ML^kd}Ts(`?0K=@rtN(u3FCEmuG-H#*gZeYMhHvGm6FBlW7Lv0c_hKs*0#RQ0VL z(qOSf!#leihvNw7uLjw$Sfb@fRg3%-0iCLClMRcduf(-?bau|!bk5z34M~II)bqtd z)B`z5sxUW6+L&9~@n^l-f7&MM1BIP0j8yS$F`i}4%NV5IdooAOe=s8?9w-`-tX9p) zR?DYlx-FK0K&Xt51$drSGqcsWtVFk^JF~{8iFdLL4C0#GIy#^J^t`(njKxKRqY_7} z_IlqPYfw{1r>e}1 z!xgtBGNxZ_p%13;)05()-`?<_YbY*AQPanyif4w}rVh2|RO5gMg`{uLsJEKDnc9&mG!xW>FSlK!(?AHq$kHqNaV#GB~$&Fc< 
z+_)fDt`iN$CVm3Kj!QDhh1a1!IYxW8XuJ;~M2_MDIR_!U{%Dr0b1vtwj|ERcn;$}7Nl}K{bFwLHs6tE# z+t>(*6|aQH!gFD__jxiPxE|MKzyG@4{Vd$0IiG%6@Q~aK`?(M73`$G{!~-XEcwrQ; z-Cf&F7=BS1DzDz?vj>XAfiunWfa#Bqe5B#N5H4qG(d;?Zq>kxOM?Qsk0Wlz& z25m2P(>JzYlXpMgsn~z^+6_q&Xomv*Ea;m)Ynq&}kKhn%Py!2xo8YB*)r>e^`~FJA z&m)LvTSdLQ<-kMVT#_eAXHbkd{iAf*l4u~jL=x0XX6d0fDFjqV>S&h}t7w^IITEDMW z>?R~)6JCV#cn2Jh_hmnJ9ne21QVcwcl|NR?F(#aH?I2+q0t<*y;va!*f4yXcWa+p| z1EZTZmL(IrCy|J7)r_pr$m%b~9>13xr4v{ltQR~q+t39 zE})_jT}NL~c=^V4_ZKs&%tJC5&)|iT91WaH*w|8%FX4ihPB;jM@m>fv62_K_3#}p& z@5}W<2nIYzQGQZr0j|Tnk}ok}-=CMGmOM0ACF-tg-LK__p1ffY0t+b7=Y3*95K$sP z9%#7a6+tnt<0V|>7!E{3-!FYrrIv2HDBb<5U0sg41{SaA#7Z`t47)oB4N>+vr)y( zElg9t{@WyB%6l#PTRl5la!=Fup>xfl&`IC1jtr3qEFh|ep1_TpxIOp&bhou^hFqXRF}Ky+G}wB)X^zA_i;vcxgPOc3xSZo zAbRh)UW^Su`5sQ(Kwl<*^B>3ao#IwiCu>@}glN1P0>e&9{oQ(y0R3SPgNl9Liqky9 z9XeU>?=KTFXk+p%jGJCQZCKzEoExD8#Y@}@%;Xv2#eiodTrAvrp^NY=y(0o@Ywzfs zw>dT+Qz;`E-KKKr3ydnB-Hr7-dmz4B%r0+sw9W7So#72k}8bk&|>Ke=F^q@y=X#)Y*;MO!h9Qu zfUMlZJ%clEu;!Z_T>-Yak)TBqzkF&lczRs|2^)9pGR} z7v`zljGN!>y8Zt^?Hx+3+go$XCi5(JCODRl=I5%^#IB!4x(Uc)i5{i?128$}1!P(^ Q6#icF~zbnF}-6P zbjD4u?lCbzLz$SC6PcLQ7MPfL`UBM71~V~TP=4|7;p4~dJ}-R&+pgsU-Phm8 z^@W!U6O%4BCq3BQe4HzGs3SNmf8fq9p0HG@J5k$G*9A_STys5pt(U2j#n3CR^qwXg z+X=1rc~K_{^K~oZp5G8Fea5PL{@K`qAU>{?B2y z^Pdq=E}Tg}*;&x``|Kw(T#uK`UR+3c%zL5d-*vv9;dyFQ9Osj0C8zhXpL5gJ&r3Eo z^D%mtV4N`ZM_!HA^ckUgYvco}PW!QdHzhY4O`U*(#+E_x1n} zRrJE&$qQ+1T3fX7OZ3n3Nv3?knD0 zTLpGp*#9FJH?|kMT0=8kVS3h|;89Ovwe62!QbC=(9(>H2y?BF3SPSZj+58deJ{ua( zea;m8E=f*KE~%M6J-Im#LyAqpe{zUo|(<&E>@{i+C!Y7Q>%UB_mc;csQkpM*9_dw zAMhl4&U&8z8O0=gg0uS+XWogIuWsBq_2dhe(n-bIll!lpUAa7Vk}Hn6CyG_}zSIQE zg?nrhXLesddVFf-zL5I~(R<8Fm!zWl{;D*eUyEXXcKTg3@!8q-6O=2b9dF2LzM8*b zp?gs_s{i^~XV#YcpvTuaE^9sXyTW?)LCa6B(sQ@o-paQrWjo|jIb#=9{ovG3b$5=e z*AZ{0JI@)sE~}NTyu{bZGI4%4CVEERm;cjQ;+KOBqvn&<(eSUU8)x=aAk2cV5S{hs z?!}$EWb%-O?d!>=HY*4{0#m% zx1@NDB_?M0tCgdg%*@Br{VE1Bi%i9w0fKT-Je~c|>#Ra6PmEnA#kxE{GjWm}L6#va zldlKyQ@M1$m(BM3t~HRH0^&yeN%p=-7ZA84xvCR5KLPJ>t;wAEB-OJQ%i)B5Y 
z%6F)D*(|mq4vV$@TA4Bz9t`I-KeqaC`$Jgo&0ZzWhokvnChVnJBR-|{5guzEoC`7^ zX^pf%x;g8(pEJx})Y30V`)Twu#(h0QOxn-pn>Er&uP^26%>e%df0#di%Y&9DEvo+O z3(H&HTk%_M3##(~@jQ-g&XXLnoR@DsHU0Rc=+@*dB*#TgW3g$=*J;~nC)38n1)i*! zWm!Bi*?nweFO3AK4!JX@NQXIkw4#N|<1fk#cR#ceb7lEZgW`oRUF!xBsC+dT3& z<&EX@ZK`ZAlkKgru(+_?u!=*WORvv96nau7Q8ft94vO6^f_;Kz7{QF{2OruYtE0WMymQvT>hA;}N}H@lO&db32oE&uF^`U8 zPIx_g@kL(g*_~RBj*&2NpBGcV93Q6Sr#i+s*3Xo(4RmA0hDtk^-qscSz1j4hv!62- z;S$jk*%4tia51p_xR@D~dE`;-(Y%Avw18Dxs9@Z zX$xs+K+fButcOz=*MOe)}v zq{giWt?e<8exoVa3rkPM=f+KNl!mj$Y~JFRm!$zAv!yfLL0-O}e18Qz@>N;f{)YRW zx&CKSjre>HIla&>F}pHjvoyIbGRHOhWO;YOZc2Ty0|)Ku{N|K{4K;2kX(DsBw22Uq_#)5OLQRim#7=iR)`~k6CDl#RFBy7*y3iGY3;P#ef6#JO=HS2 zh>86#;4$aM-Jf^wDAp>*UFF~$;n)_LP;M69zaQrvcc)0zT=uSPgUm~*e)-C~Ue0No zg+49*gvDH^hJz2L?7kt5HeMPxJ+s$w+tHP6WOr%Pk{U*#JA^iq7M-Ry>r z7jh7vh=(d4&>|gX_c-YWJLd!6+P*F1+2yg|@sWEdXY8uywuwAM?$if68_zcrAsv?+ zVU5+QmbZfg)|SFbb{hHeF3Iq5U)Vp>iT7$6_0j5^6V<_vR=Ge8duo2Ywi}5r-7yqCV ztpU`4-t+7lPr7vBlGY^vd;|85|B~9|Z}-uOiJ}qnUo46jvrAxFf^7#$B*mQDF}EA5 z8paCd{x)yy*ZUM=1XO0A1ytcV=e}SYf<=?b-|eoEU@H;6expC|>L=9c8ST<`E#!!U z=QU>QEfPVNMh=ZFVJp0IHrT*E(khe-3f8cq{T%bb5h6NQw26kKY`ar^%!8LzSnQh@ z!bn@-8vOWrWxL!R4%wH%O8z19Qq;Bij-qhsb+7ElQ zZlOEVWPBJcdf!;^U0ql1@rR?|v75A#`H}_pa`vQD*VK}dKPBEETe=r5bcJ%T{2K8& zvN|H4I@{*JAGw@uEiZSJa_m1dK5MyE18cY6Z4Dob+}+HcSEK~I^;sYYLa`y^R1lf| z9kR$wj!l4v0op*Jkzvj6+iN%Y_TEsavx@@X7=-h@udX$Nm0o23cbs6#`gDznN&Tsw z=6&-J`_-w7wRUcSfQ>5AgqPS9mp-Md>EOFaJ1=bRUB_Q{qS&vop5BRO)2>+l zvN-U`Io@g2C*k1%yC63N^ca&VPYqvR_sXenhpx5kNrqFhYgCiz-5L<8BR`TGvk{65 zs0q0r)b)F4fCL2of`-cK03#P$h|V>UbP`e&R>Su)KCZjL3Z!%^IWf+lZlPHMGfS*C z2XeDzKJTk;J#-O`SP!1g73eqOyZf(Z55ZO0ts-JV94I@$H7&=@mc0DgSqk{;)IsELZLprb$(9_% zpOf9UMkDO8ddyJ@BK_~9Ja%T=RsCg;0qZTw8e59Gk@Vo{Owr(*0c^`{@W>;yT3v3V z-)i1xX!ssr@c7i0F(R@jZ=onT7gl-kU_|BC=oYMcA*aBbw5{YGD8ih6J#(rc*c2t@srfl2RJ;yhNfr8JaW3Nx;z zbn4q@!r9pFSBH;UXygbe`TG9+1^RP0a^K7WbQ25v(7zefi}v}W>TX@>*+Wy6kiM{| z>2UbF$yEcgJm4tnM)8j3+mb*Lv3W+iKj5sWWIYA9jehAt6o@ z6?QP}b&$aM_SG9G7OT;ErBp7Ny6cX<^hp}&yx#A(NB`j?t?GhkmxvwUvvh6~geXxL 
zn}Ude>!SACG2hytY|Dy&G99QXef8MOQfQuS^nRxCLi{0nBt0WKU9#=arAFy9OqGHN z{b~`NK9Na6q)#37m=SsfRWj!;9oG+mR3kC`8@b96OU;h-7dQt9IWkZ-^SHl76p23~ zt4ELhkUH)mI!hmL*YqD9$sNl9+92zLWSj=QlKh*o7U+HB4v|}{Tpeywz_Y0b?De9Q zXUXAfhu_7|=X~r&1T2h3r#Jj|d%`73iOr4knKA>_hf76f{}34{#KK%0XwwNaZ-I58 zz#jxCO`0o3d9ACii5au|SdNDAKUHMKXm0#6V*0|%xNjv>T-Ea7a+QRKY{+{d}b&Of$ zP)+Vugv!is=|^Oseum*<#gpoOA9u5l-Nz(Vf{c4;FD8;yGk>0*!0nLwG@8_u(r=~` z>=w}%cu->EHQN}xm}|J$D#xA7Awt0kMaR5pTUR>hG|cW!{sPT8-_hNlC26oI1kF05 zr5BnP=f5Xx5soy0k=XTP zZv{og3}$vknAby%t~9+IpC7vyr4Fks+i6+kzsU#p&E(ry`G>}GLW8cw0;u*uJ-fG~ zlT#Z>M>)7o>|k$h__7?*2TH9YCygIt$-NadJ*b@UprDt(ja{U}zZx%MBO%kR-@(X=8q{I7KDGrQd{ z9eeXW^&ClO+J_Y{{tWWk<7p zhztQ`Sv2NMqw4^p&HW1LPbp5Z5kr5_I%}tbSAanMuhUQ}Qf|DO*Y+Yy|W|i6!7uVo)BXgbp3KSy>l&#u+I|u}-KMr$4hZav0hqN@E zA-ny#?V{s3EpfW6Vws6?+ffYL@V^w7eoLCIOs&)Z=8drWK>w9sy06H3kZtL7(6E zN3I?!Uh??8%IY1FkzYn+V=312=vjSto?(;tZ-fK6?iojzy>SQwukpL8_{Dk!7B)uCBw0ev`Wnd*F1JzH}E+qfggH%6VJ| z?-Xx>(_cW3dG=dEyXWseB!8-S4y=*W(G)4!aYjeb5ATcHp-fj(@AL}Fh;YtD z36l#;rylUFcZ;U|EF`60sHg;;?_4Xp7@n~_944y~vhi%+Sv#EP9Yw|{VqJ^47ykXJ zwmE=V_<2kXKB!N`{{i&s`6>H)bMu*FaBKJ4@S6On)U14ZKU@Iez;V>WEx;2bII%TH zMOdAyb<#O6%^UqC)cPzYQuQ)98eT){PwZ`Ks|&X1f$--#XHX<G0v%+=={S*%zdFJE2T{Xm2cjSL_Q6AX0>}i5%iLHSU+9Q2#W%`29e02WZjN@HTkl z_l4uL%@MSwjlc&}O((EMTZFvJWI0Zt7O&o-4vfF&GQZN5vqiZdgFb=xoM?6NUvkU5 zj+HIWkanNBW4_XhR=o7j zOtd0wMT;FS+Td^E#d|f3i08n zA((Wc)VIck9n>+Gm(Ss(W#|#pp0n1_nKiu5h+=}HeTA$5Z=0M(*!Gfmof8(O6{va{ ziUJsWkNGtO;$6qD-Bcq0Rz*37pT3#Wcukr>ITrd9V2OCI4c-9$>MG3im!Q)VM<(AA zyEKPRoSjU}y?C@K&-u%t>X>O{_TsHsYC)a5giWE|aD?g1=gAwRQi*AHqV{tIe&`yn zf#S5B8n1Ph0_*j;kZTSR)kNq!2E7_j*c#Qb3F~UtYHXe(b)X-Z8+N4^%fOOPLe>~V}(Z?G!rq6%R5VOt-66DnKJjMZ#?}S6yoSWAo!!MEIdVca$-<6 z6(Qh*E!ubH6#yTL)oPE@^Q+M4b`MEc5o*I-erUDJb1Lw-ZA;Phe(;0FpNs5%3C8ni@_77Jjn9)> znyt^D_ozK8HQYKsf#}=SiEsBp$LVGm&<6jA4#-+`32h#VdBDe<0geV!9SL#o^h>5) z9Z&AW-yO~U_T7`cR{aq4Wm3TuEI3vRmDHIVb{*0yYt+&#=fxA`BFT-9tbo9=%yo$) z3|%F12vXV8?losPljHr8+aSmwM|G}1o>8|vg*}6oVRn5c{idC2%)+f3z+YM&28#?J 
zN&1huHz2E1Y<*gk@jHJzqqE|4F<{m8Pvq97ry8a5$GHcZDas1XK|hko7By%Ee6yd^ zv=r*LPyaCFck1g(*$wohsZV#Xs*ww{SRIyP;-L4a1^uy@~j3sOYi| zA*xbP#ic?b&iY97;L!An`r=4nsT@jANhfW?sV6;u zwUv7(V}NZLIe3#&zVS^W@x>b`KrO`gafL`&KWYG_c%CYGAu(|6Okld-yDof$AWtQ0 zU$wD`ZLb(na7=h`Ina^yYPP$qMi3;zTEJSo3*HsCTi}=POqmnn=S~aN^cBD$OmK~#RYkJ;iEx1JIgqlIYgAQ0yAOPY-t$zqgUv)Bio5T0kPP$y@tIY7hwIIorBfr`tr`6*OxYaprcX?JuE_PT1#1q`S+Nc~>N zN?2}=rJDdqN&~%SPg7As-cDI@3irtUq_sg0f_HTyvsfX{*2Tr1);k#c>vCd;T zwohSAtvht@D#&9Vg{S$SrsoO_9YhSsY7rZHcik?@p~y=XtMK0Ui?o#1J zf}U&|*fHFbv(##p^!<=T;2EeA0L!3o)owzscbEJo0<>uMEA|&_;^p(o0>xS{mr@lf zdMJBo812+%S9Zh2fPjF+*I?D)wSL4?)By7{exY(5NSb!P{bm0ki(R3;hBRM3zA~BamQc;1sgZ$j{vx(C7&G*1x4&zF_ z;9S@P(AxOk=gI8XJE2MBVQtPJc;H_A=8;;&C5@Os)oS;eYebsY=J)i;Yk!h zkjEJhX;XhN^5pa!nO_5;lQ?%}S7l@Kj@ansQoQ`Ucxt;8d-xEoi_fQDFl;Hm-Dp?u zn=C^22zVfBZVlz#sIwV%5(}#wp7Wlw@ipX6^nIrunMR-3>FateV7UY7?9WFYiM*TR z4-E7({{5UZR)xb)@1n-0$ zU{)1f@p(c3gz60Y?w{!lf2bN$_N_>ag(NZDY z)fVN&Goq<^c(LWOa*ZK-iyUSrJ)1HoUjqT797RAiak>utAJx;L+d}JoeKb_Qefz-4 ziTPl_7|~M8`NjTb07|+yvqSHn<+T3Y19`sApv<}f9~d|n_N>yUJ}$1?tawX3fQ?65 z_;sTM%(*6Pr?DzBvzDV%krKK8u*oeJUQ?E)nAYzS#;@|hg*0~Q)-Pe2zu?jQt*gpt z0ecZQS630^rTyOo+UNXR+ov993O<^z@{mZL3%}QA&hs!raz%jw-C7xc33;o>49Ac= z`9YaxrpI1^-#OCXuhEWtz#qGKr(ymr;#Tirn=V6}xFB=?$@vGe&QpSPC5h48*8z8y zCx!aNmxwJ&(?bt2RmP`o1|;XI20_rt8}UOifLNamHy#}ftHYin6`c8M2OQ-?3AhsB z6Qnj#=T3oxKe%V7wCE0L5jZpqn9%%_%=>z$l~DsQ$JaZK*h9Z(qzFldy*qqZjPqS^%`!~2v{ql;_SW36- zgg=`|n261oP>=y`0{GD~Fw*XycJvwY?cM8yNpL|E)IO)KGi!H#RXj6s`w!z!*Kz#b z$!)eIiqq!JpYEN*W8f&e8h6Q)Rw#;B8*6pEY+nBcF@91z9`)~z2^xd~h=2InNps`U z5sfQSBW6`eo4k*#>zvI}nyj556e%3tmi*6DGFTU*Z6;xrvw2hL!Q_c#W_+P6thBJd zcCMg~e@OO2S__J`Iwt{nA$ZX z0+DMscv6GT(Qv^bU2yU2#`IS~4owM%z(A~RVL#{c>wmzlVNdBDcja@P9dCN4v%N~Q zF!(``b3+;k2%%UP;&N;o($j1tOkI4E%fs1TTuu2J4Ddd3f|??ZgN|+$uk?vSQY0RQ zp`>{&U2Zp6FV)Dh_D&WyR*gW|l68p$IUQ4{2^G#A$~mtl`ZJP=#?^Aea?sZTZ=%_U zxZ$Co@CMJvBMe6HCSEu|L>1XHw2LeBIYqF4BK1wUPiWCsDq^T~y})*2Q9+-0i4 z9|A@fhSF4mak=HyLb3xY$^DzN<-9L9{(jX8v=vNK2Nag7e*-Jb 
zJvq*N?q!R-9c$5G#7;^y_@jRYM=g|6<}-j-^o3#kah%~Lg5>|rqWj@g{P?o`k z7Pe=kbE?d}i@ueF=m*2*4PXy~Yu(^PNZ1ijGwSxKLpD^u%Kj#br4)ZKk3Df%feNsz zj#ud%heqY}$&#L7U*A5p5(GN%6C5&As5Vqm92!Di`U|plZ3AG1@&`kKzn>TMK#un7 z-u}Hf#7tccAz*w6XkY$Q^mDb0ex|pe)R}vgCW8ROyypffU+EJH{ipZ~Hv+z<4`U0Z z13>VP(Xueq)Y&|N6KdR4vK5T-HG(m`7Vi<_DH7LeHuW^DGudes0=UvB!O^LWR|#|* zbV`=4O3*xw4-=oG;hk0J$ib{v?vjP2ELx_QFMIy%G zciT{AFwZgD2J3h3M%KT6Rv^cHe~!Yxv|>T-G4})v7aGI@GWuduSwAqY6|;b-C(!m>d z+mf~ZgOl|pKYnmKw7X08y4TY_%0{3wR`!UyM3+dM{ZGJKhLw_N^tnYcUj2%sx^QgL zAqHCEb)Es}8l7H2zy=K%Xt)(B$528vF#8?*t=wPHe+ygOD_TXyO1FSD3Dm9ddaz{E z3x488xqZMRJHX#SkE>(zt-DV-8sqPNCAJqEl9}@qr$d}j3?=`*{^UZ214zsT2NO`; z5}LF+tJ>A6q?+qg*jV7FrG$E?QNp={gIYyY3RsR2v79qj6<+ptu}BKtYWMTl-=oz! zmT{yfKGX!Gn~ehF(>qqdKAx-0c{#=m76JVkB#W59OTs~i?kI-hb)VrgVcwJ8Qzq{w ztNzC&`=6Gbk`TB3;}y;cr=zijZhuO|$EX}DTzr;FfQHZzKRDPj-vBh+!dE{jb24m? zW`g05a7O#T`2V{v{a-xnk6F%WFC6lI*++qlTN&|PW0}%GS#L(abPEiMB=IQ6Q9I)I zc=n46F1f=5;7%UZaot6R^c>|r1va_!Iy3AFpBH`G5wReK zE&sR#m^_?}4nO<3M2*xw5dBL}A>YQJ7&QdHT^<0^B5u%Vw>-7rCYtHFZY_VF{4l4D zY6`a$FcaCGzl%Q0ewJTpgi^PNDWB8SY)5|LUZy!1R&M3J=ZC((4ZjdSAy}u-C+@;f z0R;W+vyV$a7VDYRBKtRUX5_5LH{&1TT7kgSpE&11=e~K|%agZl*jLMnrnW(vnpyuj zOG*`Ghp-{yltml4CjA<~XqHb7chdtIqs&TZvX&G!kHIPsEbmSa>b>Pos=M)TLNXY< zaNeB3eSqqD|A}M$_adWVkcI|gDtx_z@me=~$YZwNgQr{?@@p;}XRhl-oK;f^_Rw&z zxtd<{aAeVf=Ty+s@~0xawr-#UWf#x8f%eH#BxhMfPR;-*2wQ@jVvQ7Sn=iOn@998k zReP+>cX+2*Jj5~Mj25&^EPAM@r0Za)np#^M<0Ij;*Np`8J(&uu^?@}86kbbLXVwCX z7k*OxH4>UVong>4cr)NnVC3Q2kQ)&}c}ET%3N;E^`k7Czci6}OkEWL{3mCsdKjZOg z3jAiJZ7zz>y#UkS43FD&!fM`^)PcVDV8*PE6(O6 ztQ1&jA()!dq?J!i?gG{}DjEF;W4%IfwG{9K#4+eF;bADXHITHWyZ6}&$Ew&^Kw zw=0FlnC6mROa4u?W`w0s!BwS0b zzF=Eab3{(ShnbcRks&s{9Lv*;XJP6|**I&roHS7n;Vp}bCkuLzf&NTf%q6}p^uK7J z&byrg(ROG)9{D3k0~R>6ThjF|fpkdukOQZ?^qirC;#|U|KF~w7J&eng`PYg0HM$=5 z7rJnDV$^^M`iJ;k%ew$*;Fxjzpv3dQE#|y8!sxJ_6}9*ps7-oCMvYZw6F^lE;~?1K zzW;h_!LK4<+I66c3uh68$EdEe=d0ZgGxS{+zL> zLu1;eQHF*H5|LXQkf8bQWLj04yyuv6Tk!fI*4Hc3#G#oD9RhARPolj2Gvf4BM#kRGxR 
z`9YxoqGszCbX);_3jLM+sY=r}Ux|Igu`<_e&mcC+xHawOA~t=8AS_2T$Wsf!Y=OkU ztO!Xh&w?D{PS&)}8)9wv-(1rPcp>XvsfatIW(C0D!C!;&PUGg2$ncg`Di&1TBeNt_bZHp@z z&f^^mhYTxVo2Kdy8ZH!7n@nJM=Lua_Wt*shy-*Zku->a}9lnCT{mpOK3Uz=k*bFkd z)$ac8(sNuBF6@zqL0SvYZVbmTioj8ZclCdTog~{bMcaQ$gOV5X7yUh|B zAba5&AL)}jKD;9<2MmBfy5%&5KKA4~T5O5yZvN{QYB4$hjr66oacz-PjX{}!4)uD` z^`7vw{^ah>7u*m~$4ZHvre@5mb@MOl?SBh@S+KXJglg$7?$Zt?8$IhgV_8`l>^cjp z7EORIKagFY3SWFQ50t&!E!VARmk)?yK=1z+7yF;lvbbnCUvWXjKM{bRhJGYGI(_D! zoj-wSZu``Ip8>|gug*3#S^aIKo9Zoi<|C4Mj8#DWNPCfpgI(f$c5cqk!zVvQ~TeY*4 zEa$#>9c4&EBReybr=gcj_Ckg4tqnr5v=|zNt~lfmcRW7;YxardDeKdWY6c}pHZ7#R z?q5HeK|Hz8H-5t-TlgtliVjL-JgQ+$F=B_nrJdTF5;1;M_>+Ut{TBjP-Ay>eNlkaS zj{RyqsR!hBzJI54IxgxIO?ssy^(qx#m6=?fR0GmJm4YW3uejUl4x3#3VJr3x3rM-I zj4>I`US6`*DIb%Ubo8ca@E>BH1{WD^@bHC;diRMJip+d||NWnf-*qxRjcxR6df8ee zlUk*9@ZdkWAbCvYJl>hVQOoOFlZ&;%ziO}JCq!Js`8mhxj`M4EHWrEp@tlnJAgiET zzz`rVu&cmWQ1ySXnwJ?TfAJ!eGR?spHv_k23c^l%a*2}=PYx^Mfu`po~z{{h%?8RUwV%n?-}|1}8bAL}J$Gtz7#i;=W!)JGEx(oR z&;aOPKwsmcYB`5644?yj#ga0Ye%ltghd#!*HPLb5$k?M9(!X>Q3F*R13@{hG`ta7l zhntrN7a+E0XPAMt8I0Evy~ELKM5;)rU6Ig=#`wqzDBH*=JC*+f*_6J z%OJsON4P=dvp%ja8O@@$|BB30k;hHUx2<=3Y5@Ja(79>yzjT!LBSl1uC?L8{Fg3;4 zl!2J`F?v6do<(C$498OC^W;Z^LW-?Rd`3XxSnZubm=>GelP`%<@=M-+99M>VOjifkkBE4=H#`0sO=#vj#+IjXSNBe56^V%$T*Ii6F;+ z41|oce406q@h5^0*sQv2C8>Z&NdW$?u&lN@eE&4>O-T%_CgZD8X(QU|&1E1T}mHe(r5iuf{@I>SN;W)&%s>e(6gO!1r$uhcwn(aH~iDve~{ht^q(I7zvJfi3Ugl5v_B=! 
zd@9hVCF1ebHBhf_Rk68Ujn~uP)T_&_(`dJdBjq704sJCHjhvDw z)qiS-L-+(=8A`TH8Duiq3T7Tm9D7wdRpUfL33%n`M8bgA5O*UkUqwDFnauTkRQEj@Ba$vDuEIvv!fcl3S71f z^=>YFxJ4@T##^~%uS$GVRs-y}awc&n&ukwK^81wCi5DuXd0MB&I$aj7drP6R0A21i z`;9H|nQ3C}&>sHaO<2wju1h%z2``@%lm@aaehe|^L@xbblkO$!_e|FoygxxK17f41gyT}qy3-%WPT!=k z(hk6BPUZ@Zd1Q9o56)3eY$j8)yjrAv5GJ?A_LHp}w4&7Kn#H&T-}p9Kv(<=jR~Xol zr_pc|2sATh@Qfnn|3rKKWqlSgt7P`?A?l%zud*fIQaO0RB|=GJ)p!pOI-FEutJ{8& z4toFuEM8VW3{&dzbU5yMd#?kwR6mJgK?`nD%uI?_CXj*MF#WVXO(#;ns78rbQt_aK z?5YYq_n`K?`e9bHU0aY#FmyKn=Yu(3BY*8+PKorr7=Qf&?dpZ-$J&SmqKqlIl|{m) z!d=bx)9wE#Hq7C3R;r8?5M03Hk#yPK7LvP%#@u9$0U}-`KzK#0(viKD-mCOo*>-3E zy}eN5QtxnVjtY)ET(4(J6)rqS-2_r7*R<{o#ag)C?iEGB@*EVa~62}_VCX6oWYR8 z7996li)i@PW-Rje;6#=kGVq~-2H;qdX@9m(x}Y@aag+1|J}$;?q!e6Bn>yuWKFsSr z7vbkMtM+WK-yb)L!jO5NOJZyL^W2k4lP0i%w1`3lBz0yO3DzQY{~BFxvaW1BFF?54 z;6X2@H9NYxL|9(7M3WbAuTC*<`CqV?WF%08+{ba>*q7nLLjdD-_f5h_7IDx!YO34| z?ktn0#JI(YO{L;RZL(TrXCoLldl)!qqV=-+L-EjU*~&7##mDmbbKtaf0qdNpNCLr) zZ%9dwirLd>^|d@ACn~rxLcY<-FF+>yDkGu8+;u&@>8}Fuf{md;m`EEqn zG~i#z%^`WDo#S1-lgTczmde8g$gpUT!Z!KYCx0k=v}iHoO`Ahtq^a9E!LEeE=^1i0 z=BT1wAb8MPp^9s!Pg@=GOZ}F|nx#~X{grM@vrN=>28dO|6gj$7ZTB>ee>e%|Aa{i6$F(sWCi=P~R^71ksVN)o+s|HL}knd^t0G2cw z_aQSQUs~8}1BrH_X*Efn`nT%xa-b%-t~;yG`U#TqAxHT-gN zv7uU~ke-fXzP)JjDYWe6V5064#m(*$edLUrn@)t1<$j|do5rh4#D0R z#>-NDl|VnL&%2Dj?Hx1J8%UfaTcs!Nx>BuOCj!-An_l4~tnS3g+$rO`1QchLkp8%4 zs`AyB9AkIl`5pLTYZCDxlPhG6j>QBuUmbMVXz#b0qz<-&ONIm}+YnDdq?=4Yn^$0P9-cI$+&0|kA?b&xX> zBI~;4`d3k)Z66PdAn0q2V(k>X%j_|JORM3FN2>RvLlzHkH@WRTGOw_y4evYGyR6Kz zCsX-@7@?{0T9>#LE-Jmb_2U=l)jbl0ziby6*cJ9Mx&wC*aeE9J{^;&>`i*j1^4?rb zvP~?!?cCvkkK1@1rMyz8)B36glU<|7=r?ZD%1mWBjmw>)nR=axC&QmV9_7~eK;JeS z(I(HS7-Fnis{ciak3&f0)PTgIYPUxokh@Lp>brh9D)7E7>L!V!YM=$xzmYJOJhP+1 z5RmYiFpLx0b)l|ZvLwMiMBK3bT1$-jVO*{HD1kGuTJ#fD&bxz=xc#_cEINlki32QQc z&&bT)T;PzfJX#v0>0nX&-1l<0Pj}5~Ij7#U^n(|!H7;!yOgUgmlg6vc-IEkXrYr@X zHpTDIcdm`^BropBX3qV-1xl8SpHnJZXSyBDZIZ2*XD~|fM--OVYn!B$g$+y^nHL_l zB~cD_#w)8xaw~z!9%12bXogcl3%}>5=0C4{G=+HQxN&|N@eyKj=ej%>IfVMnF&kla 
zHy2x=tVLEjJq};=d*_BPJZfzgJ+`9T;|8Ba@~D>dhVZ&Vsn>u?sp&*fRNV*LX2oU1W^-ig2+i- zsV7?zn9G6~6w5-|vk4kF!L7*nAch(OD+ps#%{5`}!gpxv@L6cine8Bh@Rn}@>*Gke z#nn592kTr_CoC9iWm_tfx_%&eA(Q3!wJT2akw}b`b$NX0%A6EmlX(q6X?ukg9N+!x z^ZyI*7aua`G4k$Ak4`L&h)@)u+w2Jb59R-)F_uSlq-ts~uBz#1Gw+EVPK}^J4mGV6 zd^XS;{;GKIcVN5yd`&h+FrwY^UWe=-{RrXNJv{mfVmlA4bj4BWfP7_ri9tQTVIOEL%e7DK` z5-QBN9da_H<3cWGt=(~g&bg|-qOZ5wHu&ilQ6ejq7f?kSe^ube$fqimmPfni=y}Lx zy6G;$*CS`Yj{^=Ot}(L;vdrxrFBu!LcoNri&VKejtbj)XA^madk;l|fewCN*H||XT z`+|t?!*dsUlnhAHA-42V@8Xk8%ivY>@C1aV0=m3-tPI$==O}3A;Wf<5*d-FAk^<%7 zkmn9*GLHjSRT!vd_gHZcr^dG+bUGjqqAGRcPdvrDU9UND!`JdvZSXZlc!UMzy>67y zWvw*_aadVno->6)U5^LIjmXvc8kaXtN<-D)@z(`A6_rld=o%fG%5ausbd6%w>W->m z@M6hU@ZyotADxxKcFA_6Lb{nwsc8&Sg|q6umZwFgk0VRxEsw;*>!U=x)vnH8EA33A zOyRCAf1=ZHdua_>4Ml(_9n#oL!7L6rLfoo!>6gKo9E(~aB8DBTv8Xhm`V8RDGQWLA6Latiu{n(7S4fmY;cp=i>7G}OI zJ;_I;3Tcr_y26%-p{sM>WU~4c+AP&QYpV2bqO9owNcz@5q-%NoaB4Yh-$Fu>Xyv4O@Ij4EHl#;pjBH_WZtSCp$pn3_^G zRRQ4^*GNKdJt;J_(Nioe@imPX#UDRtt-yRIX0BG-0-~l6^Oh0-f?4cNDLz`{WC<4? z6b-1E$B8QMgkMJDH-2B_0w#IIg2*4xH*T_FC2i2 z*l02GL$~Mh+@&-FqE=CarkN$76pwWY&~yQ5hFTDI7qMDa3lS(#=-cJ4vK(P9YxQX= z-_{}(AGQ_^0HRhhVovUV&XG8|lf}Pvd7Dc@(k6j#|?WJd#1y=d}_KAX7vopRO z0?nxHawe5MA33l{BB=qP0Y4M9_s1cOr@1F|mf<7mmlr$vE|p8Te@Nc5P2e!5if@ z%|-UQ8e1%B@z+(?P@G!U`v zC7>s{Qj_&Z31cMtuIvAp`|k}Gw!Y}y6^Sk3 zz`5=2m%uU|I3iJ(>EYtSg*5E|9?C!9GU=yl^!ao30t!l-LKL1We&3p^G(WBJ=g*&S zr1@>FRsgk13js&6zP_7p{r@{?6ljj!EDfbiN8mF7DEnqe7Cqom&lK+Ba_j1^`^NTf zw_FBpVHC`a&IUH{T-5yI{eWw>mC@&qk!O|r)w+6K05^}BLl$vg*!KC{$#u17U$bpZ z+SRsE>w3U^WARLeI^inRbw_WI79CCA`>}MtK}PROsbj0+oPlfE*#11r|Cd&FnAiM? 
zXGU3B*##}&i5ZnfyIwAvy=nXYzi*qb%~+SX=9TFcecn!!6d})yzrVgV2W?#Scvjo% zz~_3^Q9?g0)~DaiUXh}ADbYjDY)#1SQsA1SL;sc@h*Ot#1&&ze+?0B}3@m$$V;ZAp z%iA2~FF!T1;w|UiYFBoKg#!cA!)h@d3T8xgqoNG8>MQGu)>&K3;Vs=<)hcu46x5 zAKq!U%T3-_M3T`iti8YQ?aj^U7cQ*f!W4WK7o&D*~x4On; z$RMV^HR@}`g0WQ(^V1D-OSrm7|r-a()=jL*|Px~tq{mi0G z_IB76(X|&{KHR#glCz%i#z&5x#}XT^_c7MRT@Gvq?#JqQ_Wbt$okEk{MaAQ53hm^M zd#);uy|t&!jPdttiCFDzrH*r7F9L>s18^RCo0xUkn+OY~i#M$Ld|Y&Xe{5LH-;-(l zs_R;Ya)n+DbN$+gXAvyNZy&g^V(-fp&L?A1x)d%}WF+r?pB^vbEh@izKikS|p{Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXfn+r)qK~#8N?VSl= zRmJuHze(8L0TonaF#*A7QL!pmtJW>Sw*0zaSMk?cVzn)ymbNPVyNI@xs!**8ZEdMP zTcsN=Bq~;|O0?Du2`D6hwYF9TL`Bvl?|;sjnfvD6ckj!~O7b|LfLwV#=Dz0;T@9A8{fjCe|-?GqafrU6?`-UWeD;_)2A|35eg))E1+wV zirI1<(51uq0 z`|aN!{RbX|z4qA`1wWd9SL*EzZ{odoH{;$v-GyE~3Q#%yo4DW$pSM|Zfa*Ziw}DLJ zjGK?Y!;&&1eYgQaG_&pYCa6YSed4N-H3MTav6GY}3oXxLbCA>0yqrF=2Bh`Gwq70zDem=s+R`H#0Nc{v~JQjIYOra*L3s>vRMiI6Hu zIwO+T=CO_-+wk|*-ze_~3oFHCs3b0c1MKp?h}x8DuK40H`Mj-3HmQrrZZKg+a-<^y z(kjpArE^}^nX=hK`^$9*(y`wOr!^7caNXHsD#!{`hPa&5e6VYdFDpzIn@QqK8@v5+ zehP8<9HtDWefT)1&`2%~iRj;m{^d$H>{t&&UJeDCAWa&7a1~AG z2&cCmPb)t8@EVx#^Eom{uW?X0wy5;^L;b-OA1T5Gxz|ZQmVRXu)Ao3qX1lhJ5YBZw zbo|hLG2{Gl%=ytzvGvtgP-ME8KwcC|h9>LM5QWNTF`H{NVT$2Ad^72csp&MNr$8e~zr%;&TbIwkb&IO7{>`m8Y(O6@S^Ou=nt27zEdL)A zvT?urkH5zcubPbsXMGGSUfqnhw``{qtPxF(B;+=-KO!k{xzWuDYO2E3utH}a|A|@- z4od?CsJfK5fbw#cIUP4@8bNh5h_cB%Ah06E?XBDZ_1`RNj*s?`@>=O+xi!oee}h}ao!@gZ?v)_qr2T4Qi&2ACrx4dnKby`; zkjObsB}fkQ=ju-)ZED3NPD{9aqm@tg@NwotO~;-4le_SX---+fDINdW61f0_Ek>|K zF_gs!b!VPpF@s8=fx?Z{|In}#jXSB|?bwABNz=|9Xxg;{pgx&mp?DVRpePWR`aDTW zTd)f0u8E@owFqs8q=_WOLfhl*^7b1^ny6k}H$FE~l)jO+(`eh^ovk~t z@?Y=Zl(RoZ_WWurd+ZSuzW&;)GA&d7u}|RDH{O+vJ259JSJb+JxW*-y8<#}vl4)Ur z8{0Ou7zIAT*)T|pO1OXweG$3FFmeAg#=Hj^!X9Mpj1*d9Nbw}%r^H2MIN1oZu?mC@ zvlt>%CW{zy+J+c4O7FyMkJC_DB+l?VorG-}#<)9wdV4)=Ua1GyN#bnXq`q8lQ-9eP z=koqhJo`BvHNAvQIc7UOcpJPwTz~dc`|^JH`({pc63!!H_n+%aF1N2S@acGy-=r~Z z#`|FQh3gUQ2aB|WNz2>g3o{#jIq9eja~$cIvT&aeLr$GdIxD%2bYhUPZ=g6f-fZlp 
zuke{g$Vn;1(4Cs}CpPXZ#<=gIlWHeP<4!X4TxM{gV38tt??vR#S%<)}pJF&%d|E& zAwQ+%@`CtCT1n5Yr04QjsBNt<+}zUSZrd!B$koXS*DWZ+iwUq%M(n->sjRSLH^>h6 znZU4%(IgQYWJE6d+#zgw!7n>-B}V#=^gZfFeD~?f=7<#aS2otWsLzQ}CrPpFqW(uB zE*n)gt|aU>SwqXlxrvOuG585W=R}IdrgwVI$6+p$%L|oHaZb-J*T>Y0&I=N*uhg6O z&0ehj_162C`0-DQT`%Z=;K8Zy{qPzbGvRE!^F9?ODJ4C@4Pjc2e4>$qD(%LNSVSY! zA{4QZ<>G@&*J-w%+_k9T=l}#4iUw(G$wzTKHN*Khe~%tL$Sp%AgkuScaeK{pZ6S_1O{8r8WQX=CD4(xLjLl;|>}MM3 zY}S>u;+M~KTI;c~<}-*)V@4wB2;=9Ijy`!iZlC$gWv_H{a)W&I>CS3`PcF$%F15at z-$e0lT82jsoZp-%oR>==;cc;>+k>|$?ZSRK-rO!6rsFN;(Mie|1HLe@uz_!+PTfE! z6W6gv&tBBGSb9o7DJbe;`wjU`qtkYHtK_rWj}p>xAiayeH$ZgsVUmVZ_}wP(lE+Ua ze*59;IpD%BO*)>^hQj2x0dayj`{~EA>pX;bt%5(rYa2m&gH0RMjvVU?$SBVuc@p9n zKc6Fe8b84OhUzE%hr}9RXVlG1K^n0o)Sn8eFLA%(u;jNpYj;`nyd4g^{%SVkQUE6& z(I1tc_z33w;78cHZnfAit{R=rGT334b(}>mh2-J>#x9q~TaY_ryK{e7{ck++uTA1- zPCa}8K3h5zzhC)JJoe9xR%`V~4Kei+4G+(ZpKC|MCqZ;Jjij^wej|>=jPG5Jd4G8b z&#zCHyKlcC{BUj! zgiU=-nH*xj3A!yYX`jiJE-O^31Z)ahhjclnY~z@Y=GrJI!`0U#xHQyXK!QVd-bBb9yavcXL_QrXWGCg z!F3L>0d|5MUe>r$L>Gz(r!sxX(~`$eA%6Q2(tCku8Iscco3Qf`VVwzOtAn_dAc!L} zx0l8lr!;&Fjqi=6KS^I?m-`so54j^Wqji^#@r^qV z6kVOTx3Vud{-ihk-Skt}k4*yJ9vS$O{+RZ$)5ySIgDrI{gBpodqx{amixKAta@jAL zd3$_PuxsmZ*%S5n<6ZN`&wT3q3Vi6W{qgu~n=|w`o<54Q8pF;8o$GI`CDm8L#+CbV z3OJ+B`n^kz!e!sP0yo|JD4tup!9);Tjbld)>IT1VnU$S-MJK3gttpL8r{+QbOQ zOBs@e(g$^MX-sgnQ0g1B^= zP`zE*Ehh6WHyX8Fz?|PrYBs)nONaw;06xT@Z$p`ik z$3_rTS2qgk2V{FW1}bNLsi(_U=OiA-Ah? 
z<&l58>()3+$egvtrGFl=&Aag?+N zwo2oeKSs7;yn=~0A5Jei`w`@{@gg=p@Vh?~;Qt_=5l8eAlg=wT!+!6uVK#o#RwlIx zTMyyuoSqJ2pm#_-wSD?Ha9ET<;u+j z^oc6ifH*czj+xn@koGZDp45%tWX4Axs)zHkkOgKpG%dq^I+pzPES`UtIe5C-H&A>d zDS71Az@u)STH`p{78?XM)Z)^Gfj+2j7?E;$iiS@t>ZlETa!?27hpc?EaEFoSGdxWr zEW|{cXX~&n<9U3OmPT|of(?YjHLW8ElE;rS>5RsCUAz}1j%mYm zSX}2J*l&XN)5Zl!YoRG5dfQA!8r#^Sw~>At#?SA_P&oy6G{V>(b0=pW z!t=8{6Bp#Af_YHE{mMM!p%~65k**hT{YmdCL2B;ll+2{Ha>5Y@pyG_v=02=DcRA#^{Pjj2(w>e}5(xJn}4_U$>Df z81SJngUG;-7@b=6;tP0e<$p=VRpj!`26;oGksyB*ps9C%j2&Dkb3{9+7Vp!RcaZF& ztv&YiN}PT|3GEw?<~R#AC7tm6?F&9wY~c6VdoM05uaWP?+LlhebPJ9xyTUY~FdKKR z`zl6~&-4raNXMEZARakb9K|JhNdlZoT$?~TtQU5qL$(J<*>B>h>BrzQ+<|*;_z3#D zJmhlcp+jbjun76tXp@r8IWgvek+&|37vF;KvT#kC(nn%H>fSmPl+>-u5(i0Zj9!f}~pq~oj`#0MVd3kau6BY9%w;DI6!Is#-f^v4FCc8Fb5BHJ31SCUD;GieyPBj92<4gc}>DDAir z2jKis2jR!xo{85UxJTN^8Tpes=jP@`op1 z#qCR1V!`4k@PGF_fj>U54AqZ3jh%GMz-4h;bFqBY<6C;Zx|*pLzUJjWatp{Ek3{+% zuErmz@t42yGJZaBCeHubL)gge#PN1|!#sRsH*LTQz0s~b(3a!i#7y&uP(F#{{G86Z zfpEM?5#D~H0^`5=Fy5An@E}Z>M@D|$Svb&^5#*IRu-}D^-x+7KJzK9HtYhJkwK2#X z=Is?wocvgc^4nf7Z6xOd8Gm;BUxvJZiX(V#p|{Io0?<#3uT+mNu0muCm!8ojw7hK19HbQJb=;%A)~cJW;I zX!_7L#BZzY_LrN8n~HVPWG1cC2XQ2Uj{U5Y)Zus*#_3IaI6vz-93xgwAAtm64;SL} zbhK^%puWe)pZgh!dC<=N&73o0!z|&_B5+y8F?~+XPZl=gw2w5%kS~SE9i$QQ^LOH1 zc&DA3VV9>!SnPC-e5KNb$z9s}5Hap^ubV}8rTq0@BOHFN=Rn-wYmiq4i<_!R7FVy} zE1EJeq7fJGn_SG&LQ1|snZ^+V!x3^K(h14JI&MfZ@^XTa@cjGfV~65H$B)5DC!LJa zV@gq6T#SPU4Zi0n9&`8 zmB7e(65L_X9aUO5%!b%VI!&g8%H}jqoX!(2LyR$%85lJdFOSrl#imW?ccWAjC&G6? zZmP?L#czx}i%HM>6ro$0eM#Hw8U}S7vTL+`_>z)}eV(U)--hRZ3{IMJ8%<*So zzw8UgJ69rY8aajd{4xEAh5dnW91Hgg$;A1%44Ys45@QsCJ-_IWPl&+Jt_b&Ydk#>4 zCId!sZd-ik$lIpDuEd-EFLj}GtYiOQ_ZyBE`VPXJAAdJ6?3I^Y75G{IeD8zt;6B4l z`7B(Xl;w%r9=jAa=NSpZUNTZ)*oYk zbu;du+rzP6TS}w)H}J&Q4#2U)`&;=Emhl&pD9^@6zl38iy#;rCo%AF6<2aJ<{OwI! 
zU;*lG8-Q^~IJp&d(%!4^`;vk9{cmo?iR6Ber0k-*f$GnoocwpbT!8xD9EcNty;92H z^mmOq5GRd15aY=`W#LPtF4 z!d}$x`q2QRFAXmG(A^|SVc*^WNkN~!a+l~gz`0kH!Y~x08osQ$5?{$#LXUk4enOrV<^^@%s^kw0=-YD!xceJ)%TtD<9 zm+Q;ti|k5f`xG2<#8IhLFFudQUQT~W-s~-7cU)j!0p4rugAWYuK?k4!JL%3~dqWCa zb^-(UD!{_KAHyfkI?C|I*;mf7u?~ln>rSPrlxABG1z-kJg|J+?z`t!3ekn(PL^nY>Ig(u*yS1!Q; zkNhvr{@=wo>(?*iC#M~Zwb^sh0hmi&MG9PYpAObn!ruKD!>`V-xZPfi{Aij`#6i;4wAfB8y2KRkp6|Vm9 z!E_?5#9c?8il#rmg=3#O2w%n{c<2jb%!$WBCkfdY<2oIkL}DapJLaS|J&2-6Z~T;8 zrdW*eCqJKX#={?U;z>aC0;iRvHjfFUU5ia^NC^1qaBeRY?+p>?ttXm}FJ?Y`x;au5 z<;O}=QaYWVRlM|(j!nn2lTPc}$msb);+@B+JUxH-rAp9Cla2}W*6#?F?Ofvs&hO`8 zBrMHgA~NEw8!F5;AAcR!$8{0cccdp#XES}rg!#@;rekPB=D4I?1Er<(<3{X{^G6?w zIkUcp*B-rJM!sn=4^Io_VXOINcM)adT7#82CqDqM@QxGL0W}{`VVtV`%@L@&JJ026$%&u>N0fV0GQg z_@9rEfv25hqwc;oCpQBWX8&Hj^M4**ZquzFFWrLU{D-XNi}0Wra5DBZ>i!HF;%CX& zBUOvv9dRmB_ie)G$=I9pMu&Sh;hZ< zg!IY9=jwm3Zzaiqbcfz?jpeF9sA`3Bfr^4gBbdd zg4&SJ6h2)@&w2c4=};b_yfN^}9>tuB$wW30BB+g*CT)M%h*+;hf__^2>8A_4wAN`$J+#g>k9gd$|GaLVXg3baO zVRLj3YrEKxi$Ukyl!t8^zZ!(MRaDR@+vYgFZ*@hRZSy~GpM`5@;uxs|X}G3=aVKML zT)yKqMw}nG@|P7P4Hdu_04@hTdSK9mGw|&zX5x;OuizhR!w*@{IO-r296WqX>ZKLW zW9f@;STz@BJuz%;>Wx*aR$`8YSy|HuGPJHZ)6OD1_9U_l$O_)dU z`_XMhzO#!u2P4h+@~!yb#FUJni$$BJ?$-nHc^W8Lq6aV~K+((9)N8TxlyK5B1EnbPCw;qKh|FaTTefS`=O?&)OGzwod<}`pt z;h!F5l$##^3MT#eeEj)(W8l~R_Fx*FKa5Aq|BLT``1d&X(O=+1x`LQnTjR39Zo->* z`a5Is!==EK+y8~~Bdjqe*=3D8kJx!SK#V_$7<`wXT<%wF;JJRLHfdPx;1e#L!k!g` zIPUDQc-agYiZEQZIkB=3iH=Jh=rYn;1=WL3XdemEM`-&J4!l9YrEz7rIODolzF3Mv z!t6JC_8Xs{-`9!Hh0|UeXZ22JKiOp+H?ipGBbt`s^WP_3PC6pcMbmm|oY!e0NiC*d znOc#E@pBfCpbhXg-1M+9v|hnB-GosC@r_fC#<#zJ4c>d1@Upc8IBEwOcsA%f zhqitDc5K_W9XodIkOw%gyz)Wnj#)V{DpO|u#=;{_8jQ{=d5Af@kDnRzr7~_g@xNTJh`iuV_T>9rX zFnJV>#3}rVi^t(tD=Tn-_*3|iHO`D2#?&hO>6kN+TJ$wZ5B-)&lg-+bywnTBB_ zze|j{@r$9S9%*#xivZ{66OrddT^}>!Koc-0sUhw4IKA=6-GsQth;STZvP5+z>@aaAK`4#5<|D1QE^p2T z0-fh)Tp2F27Zv1X*cZ-cJvN66`f0-0V@pnOoVi1=xH{0MY}1yJt{Z*Y&U4yPgYc_w zd>KcKJqAY|atOBkYdsowyiXm!K@7M&XC;?k%E#N`7Xb2*T}JcNAbi*E<|a&Cd7BbU zZ;v657YZ=On~XXYE6=-euc+Y 
zr3dNEdEAR7qwGy1cz-~va|N~L+}+cu7CZa zG4M#efv0DT#pS`810TgT58sLtXvn_liHpfF1E)TCFCLS)^Dz6N`4R^iT_1~C-a=d- zy74(&KH)9=<@j@e-~9`dM!HR}!s2n~;FlD*=y$K;=x2svTB;g%e{Kx0;StO!n}R1K z9WxP^-+L4GUpfNc`I)WwhkuDVGf&0d)DwB+ZXW9Kh~2tu)Wz=^d^>_ChwhxY`v%P* z*mEp^gGOaPBk_zYBZ!Jg6Qd$nn|Xp|Xd=lna~Rx7>{0|%Hb`{EH>=&Ipgd6Hkfv8TJdwdxGqc|_IZMvFL&iJK{`%h{!Lgs zCZ9kazxmTe_-QBw{TofX&BcaAI*h3Ur6eaP!S_@8!TtN;z`hOm@#jB^@=23$)CZ2o zz&^dm;F-aiOwDlVG8;jbR*b=jYFS)A`i~b5|mDXM&6(u6S-*| z^yq~RG>BaF!n0VicrmWH<6gYAqbL6RwwY03coUyEc{mCVIBaBUH5vFtHS0}G1T(Ld zCRNxMefsv1ulj7;z75;9Zl@EN=c@`(zqTHyj~^QtbMxJ6W8}G!*&RM8{oo;AdE@Q( ztj`cNP%daXqYV&#TL)>#!v||q%_aEaJ)g#Je{>p+yrrwz1YQx=@5(iL-*1rlZs!j^ zjNTz53HlJjYz?(D-t6ZQdSJ*!jKL2^^Q_~15;o;<@%(KDx0PUP{^e7a2EkU6zztU4W=KH(XcCN4f5XA)SoY%3jS!Zv90av7!)9Ol%b zCza$Corz@EPs1W1(Q#N5VShAE93IJ87(Daro%jBTt9QxPH9F=;*`z3vWO9 zHGKKLPvRG|*}xk(&gD00ZK>in9v2qJ>20Rar*T|T=}gAJ(;$Y7wK4G4rF%v;+&kqf zes&~pjeKD6DV>|b;WDH=seq}I+fLf!>(WXuI)s-b5!c4aq~qNQDkNl+lQM>o+9u-9 zpctFLPv;C7BR={t8e=dVCeGH5KAZtD`Q046wY_jT+sdJY?<=tXC@A%3G{#B1|euO+>0CLQl7iBKBX&`w8T6VDM=NsjT^Ppf7; zFNO@<8)Ju?c~0&>K{_fbIGz^M2aPu9k2byCN{~O;M&NN|D6$ewz5JDpcx}Ubyd|qi z^SRSTqF_HZ@GF<&caPOub#}IFYeN722VmPa8oh5bqj!PM;`(*JP0xr?Cx6<& z7hufLgG~B7X5H&=OXm;*Cmm)V9}aeXL*>%Ak*go~_EX=$SF1jOn}2W`_NNHG!A_?a zhYJvm=p~IoT%!^XJH{)YL4NCqN8SQSg9SFqVx+CHP8)kN>FlnPM~trc$u-F$hTQ0#-~OBQREqOQ)0?p5U}fNE zaTgE9rS-STm2+h>?DNBn3#RpUno00{;+4H+kB~0P)=zwCT-zkUQJluVt2BLDK1`VY zTj`|)zhmCzHr8o-UvPy15bNYxBhkc#j5$?fVo{@|Msoh<$c~~ zoO*&(ATaXeih-9fSB}HhC1IBvfnBaQyS9qii6lxosT0czMcCY)E-9a%&TUhUIafZa z4?Ya8Z@5?&#kXMM%BMln+JePvmGS_c0+QSOi^3LRbfUKk347bJAI{|ua}){Dn@BFt zjpF$MDZ6aI(+^Y0<*+mS6c)oy!ui;!a~iIT8NGA)R64t6QwFOD!ZEl!&5_E@g#z-1N`uwr6Hjedz4RZpgH?H%W zz0K4c#LqetFosLK#>00O;8#(u-gJ;X)}XUK$YEl9 zmoXQVa2l`Z5WG!ytTU6OdjXf{LVQkfd4a*_eI&=#-<2cbNTHEnK&(C?aZ(uuj!n@B zeiYBalYy^Yjz89{%lSkKL1jrpntwT(~H;WS!|v_?}yoSVU81DS|@mV z#*box{C=AUdD4la`5Z}l#_Sy*PXCU<99|cWY&H!Q99MLlPDqFd)R8`wE&b#Vm7rkY zkWunA$$Osur-_N=kP|ZwPi-2P50@_5Q34`oXhKZ_lHz0c 
z!BYiZ>j|Z%fFF)COpI?R#kC%1*lfUrjaOg;C|K8}ccbd)_QYVahxEqf50j3)PJBHF z*s&^B27Yl}-XMV)bxR)lpg}shY~-z;D#4?6t_vG>_cL%e(s%jTmB&Oj%$UzG8M=rf zE>DuyVK>(zq+ezwGl4TG!R8`K;)+af$9OW*P@!p^JzvDRBrb;l!pIIFe5)>@)6{SkHXx3X|?f~FprRJ1Yy#PH%P}$ zItBT?fS)ExSd|Wi^pSiq#e~TreQX)5jP%u@?omSONTwJjoiqXk2M;?kwQ9u+c;E&5 zJ$RplGUC*-ZTrDa`k)yNhecQ;9asWZXHxnHsJZHg;u90cN5q}{PRFLst462<=Xb`6 z$ta5ytcvP6EGp-U*ZQnZ!p_ehtPz*P)Sb{M1qbTZ>=^$?+=|928F}UO$mX*4pGy)ld=}2xp^^ z`Om;_3h`QnpVp;u1}QF1wB|pE58}uZ)*GMbtTL+OrjlId-+mZfdh~By{GH;z62R|OneNoo#x1rB!}E>CZSszTx6Dt#GU9&f=x-M z_Tv3AvYj_B>{KS4&K=6@^z;$Lv)Du~ZIDjfNm8e=`{onUB=nP*Y*~sq7%uU&B4aVKRDqXhY#p2>!P-Vpaef# zj%TA}Y1!s-hN~b&M~zxDgwjPaICNo9rfULdMZhvR&fP&z{p_9BcooHF{h z$Y?y1sj=9I#P}GRE35sBh!epgcpuWsC7Lk70-#~r>m3Wgs!Hnrk~XYt~{x7#Sg zq5Jp516B88>EE8T8bwhQrK@q)hfl^iVI;32D1DvF{g zT^nP|!?xXuSw)+yx%?W@6aHErzq?ye6h-N}1mkjYec?fRq4UTh$s%UOcJnJmj#Lyy zQMxo@$LYftf($&r@h^qOh6Xb1Y2nd(6EB;uD2k$VUC4fmeUFiXp(Bq@tyumXo?Z8j zC>+HH_ro_XyBxon_XDd@x*GF;d587o7Zn$M-ue_pX^x8T{0MWeosCyFr>E3;3VzI> zo+ubnd{nCT#pm(&H5*NgW#l3I;OpP~E^fbRw$&(I4L0!KzU&ek$`7u+?q)UciqZny z_u&8ec6i36bZ{>e9CpMQG4M6KA~&0T%jm=Q$JeHR2Y1}^BddugUq_MMg?u#dO7}!B z%)5uFY~ZhD18-N?vmAX08Tdm-j83g21OHg9d0nu3an6{-49VK6=pNsJY{4-`F71dU+C`x`H_M3%1thj-@c^NQ$$omYO@VjWlAaG>!n9+Xs z6h~ZKSC{6gMn%aYOs=ze>TbY_@(R*+0DK`CKNt1Rwd&Ro-OoKq9C2}7S(M#}Yk&Uq zg<(rB^X~j|nxeuYk;0-PW8lf3E71ck^58V=x8HtgIrHaO8<(ylW$n*#X2N!(MB_z5 z`*0?HzBVS!ZjxrHUyT(fPsVx0He6hZn$&!h*?@?}${p1bvu{G|_!{b`t(_+*#R;Je_Q3xqbBg9U#q8d>$ra zIxd(SGoB7j-Hb;%361&#y`9pDj>S56doT} zmk9Cu`VU-D5pK(*<0{etZ6CY6cHB;s%rp;T+Hrruq-R}!yc#P%Jq-^^-e}q!r5)<8 zbOGovm|l<;h77zpIgN3r5j?p)NDA$%Cv$-ha`as`KfiV*W?ay>TQe=&yn zx{emt5o6-~&Y9Cb47(Wj-!%qT{_Meww1N2BYqt<%SGCu{(ilc-Gey-{OJoD_(D4I$-_onM)4v=b_C!0DVoLjIL;mx z)`ev4%{XVk01Oa02RHMmn04pejGL!B{Qyi~+FbhSn0^lH$o29Cd3l+C+S%X)^(0C( ze(^J7P#oQd;l&uYa0!-%wr#e*G_@8tUpy1fJTnvHXg}84{gKg8sQ#SR>Js*M?ak)| zx^r$`8?J+u++ZVb^Hd#;>1@dB@57=epTzVMb8#;y;ZgS@+*eI{+<+Ou98MYLr)p4H zVuNw`Q$SIQD=};80xV_=U%eO$rcTOfdMLV|?iikZ=~Y-c$F`?`TtjWkeIs%lmQE+V zZS&MpOb_|Jz7&+gizzQB 
zpLvr;F_y58!P7IDF(%Ts3YL>e!G! zRE6KtUlo_JwhpUkM11z}Y{$nQV>%AwWP1-OE4!C$M?j`%7#_*<@=o#%8aC{# zwsFnT(9nQ)-+ebEjg33-z6+o5JsKgb#oC8w;#k(NxEFtZ<{8X7@jx7SAjyfdXtecb z+*`W?jmOT!g(uj2?^C$h^ygy2K%0KWJe;qMJ3cfAE~Ds^N27%2=1;aGYli323o1};=j`VMS$IBvJmz8)jt(viMBPisd8J;y zs4OT)`HCzf{Rq+hOt;IsIN^K0!p@(}Gi~SEHmPs8S z%avgX9$FXH@eipeC3O&X&&Mz8>QEQRB1}2l##>B`8~J2~ zC49jUMHy%ikCP{#N2TXRbU)MW!r@c#<+3HXY(8IZTpKpumrgzNe5_vkD?GTm3?Dvq z7)GvMi$~V3#>inqBISGA^Yy`Ymg0)lU&a-WWJ#Ng-i1Ah5{=K0Q_sZt&(~pH;x=+P zC!9a2j3m7alPFySzM1lcu}@Lyq~$+3fvufqZSMA6Zq46EV#H9J=AUcLwup3^utbT*XY2!S z_oCIf;-XVc-JV~If7-ZL9;w3fBS&DUlw&@uW9px}2EVlRk4@{Rm;L)Re*H=cr(Q({ zW$bFKBfq5aBp1r&`+5AYNb>x;)3Xt`>X1H#`8ESzEP`@sYRp$6{jWv_ewW{EEBA-1 zj$k`ZL}xxYJoLg#G4igvTGp3NJqshRxdyAtPRG#HsW@xoHMr=SkvQvAip%Bruru}u z$~zPnUV8;rUu64*OXFPD`T9uNf!?L_BuX^?m0y1vB{Tn)*8OcM?&3O0TJs_LAWYKS zIpO@yWu33jq5ewOrO;S%E3JeNvb&lGa>@_z@`4mD8aWapMQ*}~1(#zib&)0-ph{aL6g`-$CV zSh_sb6*NdF$BG+fco&xDiSB1+JMpm|Yjp{IBXk@%&k&5DEHYxJ@F^de3{3tA^&u12 z{PFSpa(uY2O~$X+JAJf{E*vgLODP%S9K4cYX+SDIAiL;)hxc<+H0eQnYX|fG6}`Ji zl(;m>5*_h$zT_)$``UfwF?_$Y6s1nSx*9X4Oo&O>*8bR0(tQ1uu0fm)52k2jzTFqb zxy``0Xx&vDadBB?$QN+??O(u`J9}=w>24md^4BDtxW8QSujt)HqQs@?%95|d?dzT(QR32cMNxJy&Q^!) 
zH;KdyKXR4-z6peiYuoKa-C70P6 zGW8+hKeqCUq9{t2MeH>F^Si@*5uHtv@n_YFq9{ri#*N^`b$RWdMR$S#9@F&fhr#7T0iqi4e`51E9 zu=D7h7hsnWyp17S9{$T~>Q`e0FI{JYKE>xv1{U4t8R>ekeV-h+-khvnuRz6kij!#( zw-g)^nlgz@k2peUIBzv7N~Yt<(6VwKvM%W&+~>-wzmGx*>xsr(D9)P^9o0K{`X^?4 zilQiO#m*|EUjj!4p2DFi8aL42U6he=JbA%lYXt35Z!<;%Pp-h|-?mGQ6s3Jh+itUbB8}tG)JR(Ldvow%*6??EO{nLK&)C=|01KG}};C4%SLBXithsMFIWL0%Kgf}N(hDl$FO0*WhV;phbm z@T3hZilTHVJTkY&n+-ja@sKr;-9{N`5Ra36!+P=xTxI9IOBPK=oqV^k7?m|uK)E*` zUKgF?rZm630V`~pbl&EXX&SQ5vEQD_3GrJ#-65$Iw0G&@sf>`1zi5UFSXZ2fXw1p1q%0`+3&7*S+qw1}q~pAN(PL z@IY4j;b1!Tfh&L9vYBvWcp;b;NnFfl0;+8fnRqh2n8-N!?qbJQ6(+W~_0$OHAA@#I znTw7ZCeuPf-tC4jzx@Qf6=^ss;?ZKg$qYt+d8`lT>qOcP94&TkKi3DUM^UOLwM0~9 zv>cE!$s+cE-U8N3nq6`c`ob!B(4MCM0IB9`LT2^-+o^a~O`{#YIzz=WpRX)?7B#@i zuH+5JIrduYQHXSp=qVg0)IPyP8$?Z7PLHYA0#`F1a(QA`J-v# zij)2ORcdE_^O~X9BA?7%QWq~9E{Q=3IOYxdNL#)vg3^3B5{i($oG+v&asER>5J>|5 z&kb%H&kEc(4C*(aTji?)i8?kX)h18xubZaYLf>F|aG|O28{CBjJC8{coV`2x+u2u- z^EQ%7ng#f{vddyphoIohs8|~yV=E(7O9&aq*~_pQe9PpIH7$R6Q_7buIyk~d@s+A6 z2?+_~JraIpv~+Dc5`YAW2f<-YS_nS_ei?LXY*f5pE0xRZ4o*>ZH8r(a{I0M<7KVZO^XqT*hOkm|X2}S6K2+xP&-jW@(@rS=Ecgi>=km zZGrg>hVFF|;`HR~vRRbf4%Sde=;haS-_{%5Df4HPREek;6;2EDdy&THfK&jms=*BkAn;B$Jq?i2TznL=CU0QHhb-?5R7 zP-n9}^S;jiEXLSt2P?vcR&TmAxm}+1Kdez_?iXR@`KHxhhpiD?J1M=`Yr`pM;;y); zi`Z}RyCFnv)n-Xg@!I|Os?76M1_R%qTabN>J=cly7fVye_wyM*<$XDQgWvwhqjGsn+j2kIme6Wwa5t+x2eb{0CX z^HqB5J}vmkuCAV|8m3OG(P0gQ`!LQxo8Ij)n11E_MVtJ^f2H3z@vPkzEq~*8Q1Jl> z8m^R|Y{#1Z(!olIUe28iY@m2loa(|{n$p*(c$B2+^m*rKdqHL82d)RGtNVnE*}uGb>^qULap?=#PV90kjU+de)^ zD6EL8&U;_SMWL3WL<5O|`~G%M+t-6GbDPbIw&mM; zNDZTO&8hSygWv(uv&(f+mXk{>+pUE-@k+7S&Bt@7@R3x18O=y@(34yd^;|`l%9H3DTa{Wlfi)@XkiQ0+Bm>L0gh7(twlO>zUgDYvM9pB5!wo6&W2> z1MN$o{k)K!@vLRHFp{1kv+MS(R=yGnrdJ4!>??lj+jY??w`43okCqs?d@d008W?y}G&QSG8zF@5hms!L+;6e<03JIUtbbKmVXg%6rNlcWI z7*X*nsI`B%`ec{?@ZESIB|~}PV;%S>2dn@A^6-^Oop1ZHWo^RbT{BkYW`|{~)hd+V zn}`j9S}I5`JbqJbj4XsAGd$6E8BRM#tUoM2y}1gwZ=b55?rdvu{^{iRQP$-oqUz|L z>W2E}+lpqnP~+|QbeGf~wKCP4MT)Sg=>P$rT4$^tO5?ieG;y64J?Q4KfW99__Vu<` 
zdB*WQ@EzNzkB{TFK2E{TgA*KYdbx~_SVZ@B+DxG-QJW1P4aLO6jyI_Jd&?R?LJi+Y zQUWCcHaPd*jMK7mU2RP-CpR6w-G>*IpV2P0Z7N;l!#XxJlztiEQ4C1b93D=oLb~)&Jz;!X3(Mv3Y{@!f~)p2-}6MHW|A_uK( zd$mgOm(i}^ingj%7Jdh)Hdp@3b^iSwi~O5u7Qp>Plf@{ zi)<2r5!i=c%cVqy>!Kt-`wL^stbK3izZtMh zZhUz!Zz>2^*;-5Bqn3TqizALNOWpEvMB-p<(RVi@HDaS;L)+Cu*b6Z}TECsBUZJAv zAy?1gAZfSKF1x%;thu(tvA09Ckb%JnPc3rhxKh_#eVizf!jU4LD*j=r^}d#5H&XBk zay^DYJ2Ei0ey!fVqMADhf_}ew-AkF7bDP`jm5jtB4L`HmRT8vl8an@XU|B*pjxtwf zc{tl~p&W^~j8_-;>7iu?HM}M69xoCo^?Yw#ymdyg@AZ*56rv^t;V_={e3e$hB6A>s z;Qn1P+2vRb6Kxevg41NaOJhD1JQ+rX;);-OL!-0ORZ1?sFOSg7Q@D8G&h^%FEV>u% zC?&p3w=|9p13}~8*6EhdvdoPPUf^`gpLhqghDp3!it%6LvK{p#87+U~w7CAFYBPE% z1UZO9mPjhR&#aLq@h8yZE3Z_^=*u{JGKTj^i$-wnS^;WzHRbqB`?*UiU0M#Lbdkd# z;ik&#$5pJJ*Xysek*_@YJ#&D%ofmb19eCUr12no`eTs$3wYS<2c76G8OkF;ktTgg!#Kw1$4T~9LVH2v%k`p>($-$ z2l!~KROku@B)kMa#KhZv%-n7qm-q^;=%#Vmys$J+3yf}FND}v=N!bk=h04Xo#V%S4wt&Q6}fCT-dc9&87@aRb*_TrP`@2oxma$-FELV)L>i&q zm%5Xxu)AZkdTnq74aE))_OL+hvA~T7WX=7MSb~|5d@iFmoL0*QF4$K6Z6a&Kn2TkM z&?z6(yL$ZI)u>gqPvcKApcE3&8*B=7&x`uK&$~Rq8TS)qJ@($-Styt{lP1gF{sMIf9mpkk>3tOr4yI`M z@-(!8-DbI;=LcppY5ToI5$5XaOj$&N+h3?>Z;@!e{E$d%-cjZrchTFHX;7EnG4ysw+v>^FVt zUGb;gfL)!}Xr=^HqTJcnhY@ujW{a9}HRBBFkq`jKW_|$@zIC3PmeVYh>(vbEx<6){ zM$4@VsCPZPKpQot2R``~gX_v)gx_@z){St6--R`MX~Vh%Xn_uOFxUJOKPZh{rR7k z*JC4UX#g9E`6bLjbun+~mu_*v%?Fm&KXE-`Dch@}slC2ro))1?;h#O^b{F3<>t?`C zD6Lo0R*2tEP>|^kph-fFtQSd|kj{q-s(wg1CuLTIbmqt+ikF|ugN<+Hudwsnj-I?v z*A9_ZOsPPeop2d;h&uE+wsAJm)@1`62$;m3@-yT*N|W%VkB|8~`e+&9NVnp`^bq+I z#w>@?m{LQH(0s$$N(-i1Nnow#%Pkj+owYWwa;s?$5%WbV6bl|p^A%0hDy}Rcmn~uM ze6`l6p$d#ynDium(ovEg4o}%v&^6u{zEe`7SGbAh-w$*3(|-2*wi-XotE1WS55`Si z*A9AOubi}_*yfdKP_03Dh^n?4P|&YVnl|vJBo_b^&@Rm=bH0kLdlb83hU}tQi}6{) zs@f-=;MDRTlQ&&w?dj_811a&K@(>MoUmn@3F=ksC$0-*5;jG))occAdwUnYArX_dX z*zjhL5i{GflO{r;W22Ja`V;w?~ zrD3Zu)29$DVR9!|V$p_G=WNG_tw$KUY0$O8-WX}V&#GV+jSpIWDZ2RY7+YQlQlo2e2Vn9b7> z!EBDe1#PE8nxf#JI0SMgjL9y^8HEawdFqZP%EX59>EVYjf2*lgK9AkqsnKF6JZ}dZ$!;7^6r+2l6n`@3CGJqLYsETW6%Vodu z>%JEtwR0MJp5b9VbJfqvXxHg}G8?U7tW3`(1oG}sXD`qV;1w@o 
z+2_+@s#KeDsv11>GdNqdzr29KpEX}Lg1(ed)z=?4QC2PoL4O0UNDQ~uQ$_6RWgsT0 z?`XDcXcO?dvI+|N@}9>I7NK*rtoGJlH5OIOvJDV(ea)1js@G}aG+X*HS}|S!a8jIo zg0^MQO-WSr`8O%J?y8j^s1N0ONnx175sC3I{z*UpZ!u$ZIoUrK=EDsi{zd+0P2>8T z1jICzYUXU13z22;iwq8GCD`w3l=jvlmy;Ec*(Pq+}2iu=)L$J%iiFYzpi zezOV|hX*iThM`J&O8zTZjV@^)glQRLz45145M{Fa(}91=6skzliW%9W36^xBbi&!- zch`wEACnZkKY~+*JXs4UzuF+XMq~I-EJlRa-`qCOzM1rp!!R$hm(s23W#cy>-8@OG zblUx>(k}oAzw<<1UZvzb74+@C5;AgrW$^J7dQWBQ41HS6I$cuYps|o@RkeWXEnP=& z92mwlyE8v`dvp>%)HXlYEgYgbM_94YLk@_Ky=E81T^4Kt7t~r&Yu0+-cwKkV3OCLr z>FC}|8}Z^*9*7?D3#|nhrs@9}?Tufcp!`s0_RVze%ehU?8qX`%uS$03gEx=y(@9_Yjy-zJiqH41tiU4E&n5bjEc$3*5O zKYy)9@ElB>p%|jW4@QmHMDLGM``^Vz?0sJEl|JuU*L==qy(w*kJy2&Ey1S3D{DG&OA^Ud6 zPE;l*((_6OySFRbONqS)+4@uYH%}}(2f5a9d>Cou9N&;W6(PNIu^RDPNHde5(do>D zB5Ot``QhGstNtp3C8_u6PS3zC=L$s_<73pqHe_R~+>yX8(;qk9sM`uu!3t%lgtB1-47G>q}nR zlW>aR6L5FCPE!O-rH~K_5x~)No$HA>5cy%wip~|m7TCDZ&fYmu*miWH?jkd9Drl2cG^baWAg-Edl_$3s`#~dK zaJ-wlMEerZd-t&Ak&Ikg;9#C(QZ@fJmPH)O${^4X&lg?BPXu1ypo6^gptNwDo2&6Q zCh|SDVG#@v9wCi)oN6;Cw*@Tz9E`)kS&1`EZMf!ywqN7jkg%2y!?Ljzvsr8Y?}Qk} z`O0qf(BInBLGoaT4XjUGr**8MuepgZFA4|*CxEU9@8tJ#$CH!BFXvmd*~*WgDjZAv z6>ReoRXj^|yp;DO0j-eRHMu2b6K-_&O`GMD(mU^`fs~2H4f|R_waYuBRA&}8I@M1O z%r9Bb=<)x&Dx~IzUD(Z{v22}c8r7!LAD(4Cp`y`yc@aHDx&s*#_ioKblTtt(E z;Y?l^E7mQf?ds(}!W!}UkByey_ry`CTa-4U!?&BG9|zt4$)=;4b+u?6W_+>xwc1(i z#crizZB>w(tTSbkkaa`*kN$uXq+{8lon};yx!~~5=bXie%>hS?=9`fRhwyx31;1f9 zfxKEJhYeg-HvatJ8|aa9y`Axx;AQPRJa#A11(T_T`fzEr>VB7i(=mK1NKm9y&#t=$ z5a96c4@8T1zuP&a&YZbDqgg22)iHaeGl4_7DE{yAf3|e7nA+ouO>V z{m2A!YJC6oZq)*V3XQW@LiDHMzvqEv7}K+pw91*E51F)%Ta7Lv&&pCJlFQW`7+)_1 zs#B3-x$pDLv+kaZr0VREGvBa~ejkC2R<(*H2Cg*dXM{w#MSUNuz?DncCRitzF zTe%^fY?vS48=M%f6WTL*>qBe0>SvL)rY!ygkFOdc=^xU?vlWb!B9nEyT#(y?F#yh8Ll{~#s6*dRNBMBhr>pZ$2>Gg^ zICgbv$!3SazG~1hN(6^RF)hF+Eb>)TUa<#^FsxklEGO`wiWeUI#HJ((tCfOi3KXSG?^3F)O_ngZ9H-)y;y$T)G6(&TpG> zP4@b~V$vpt<9?+}aj}k>6CrIiJche=wHPvv0@Q;V9Mg^M(a8joaOEl8jGM3Sd3%F@=V!`F%5 zzM*xKMZ6jq2%m_q8a?P~iLb6+yh5keq&iBMB=$k;|JvMPUrzu&ij!uw4czCS;~)n) 
zC(exa=C>dXmF*83-t;bWgVw=d1Ed9UueO6znyvZtaJ&5vT|Dg2znLW03w>_RcIvXR zxT2ku5J5*lAY)QFe(qTN1sWOlB=TnA1sO(eiyx$4$Nt0UxfD*#O=FG!)C4T(BvyUp zxGq3WE4xoDO=cpiR$c*L9Vc0U5ipYHOu;xeshR8^j{4l8z)4i)Lb=VzIEE-6)3|g_ zgqXNIQt?Q9o+C(|dI&v!bjOPXEk1F4-W}5;>xJjDqygdh^VW!qI>LQbDdeISv3d8( zpC;V97px=QeXL)}QaZ-oHMU(k^P154xk?i4d_8d;o(h0}8r@nsKo7dHFX!g~jB^yB@0htWwSxuy;Rk(9POaJM? zy=L4=oH4^&d~xCDzh!#$NsQSOPgH3YFvK>lryOaaN|WSIHA(0L?X#h4Uh; zmgEgoJtk}mH%27ec6Dz1O0j|>)rB1%svWtRVYXe(*)ta1YSMDRSao#hjB>&rCS3maCZ;C3_`b)+#9y8t zOrL1dTl#G^;>%r?8HP|(D7r}wqI(U!t9~nuQ)Qur<-I$iiNmGKaiz|FFdw{CztkMB zE6hPX#O(>KcTd;)ei&;z!grgo>O=?Y*N4ofbfDrn2}GCcCF0&xjfnfTwptQhM5&2# zTYhc4QJzwu?ACdWiNdKdNAc zC}jyieJ|I2ZT6_zr%s{f2mrhbv29*Dk=zK&c|vKmW8bJ~pm=v^ZKbf#>ZU0-1+kR# zT!|S}PZfYf#An`|ZWT^_I9U&!B7QqLLC`azG&wn>6fW@b)WpLQOb8cRWWZTIg)Rno zdVWYI4Uk6cPR#Rr0E1UbDivNAQpqEUezEWos>8=)tkUg9&5P7IuGUWZNuol<3yTx- zjw}p;JZw#UEmk;i7l)tZH9v>lpQIc&?Mko#ytaJ5>F#=0-TShW`a?}kO`-FmE92zf zzh8`bj`pq7D9x^b9GTFavS!74x@qz4RHb~9cGUoM$&F<@=Q+`1mD~hF?bOyVe08&m zaD~?z`3W7cqR#m_I}Ht;_`kTwsZWhY>5Z>uuivI#1L_p|(KV{5;*;=A02Olk(?6YZz|Q`(z%ua}^5#P_ z|8}1?BLsG)NR*Z5Ko=6b(-pts!SpZh(E-=R8;jZf5)8T>4yc`C&c>R1^Fbu_Ck?Zb zjF|3yU)KA`)#%&;EmLj23W+EI9bKIQosWKF(L>>)1oZDG?9fmb1$NcyXqhu=F+Vb? zw02ig6ln8@D~p0c1_9A*5s>}%JD#W!O{QYGh!ih> z$zy&r*aNlVGt|C*%b3ZSsqGW1B0Luu*PPS%qP5jUgCtDW>ar1SM!!^gcB#il} zeBXViKZwhu?`0U3nD+enb=LUcL6Gv(`zg4|$y-Jq_E<|xsaQs4WfB@F4O(k*RoT;^{M!Mo}J7qc^mtaHC+Y~N~f|4~fUEryT#lZ1P z4^G;Xs$4bdn=Po~Eze@C>sOxLQ~u4WpsJ-E5QqHKaoJE%b>-Po(}#FXR}r-Z3n%rG)fx_YO<=sbepH|r3zbkMknUG3 zj;>SZHCZMnmrmK^9RjEOm6g7cH?;sSF(wp}-+^7F1bR-O?9vZ@vcc#bP^)1DQcYtsWmCh8Yq^H#khl<;1bFlGI+3C}ZrH ziIQ}wbrVi?wPBR%ZCC(U#xYoXZ~5c1V;E!b{v}~s703(3P)W#|l*G(4V6ssQSrAI6Rq zz8rT|(?I%lp+K^gu^i@+MdENyKp5@AXjs=r;znEtiz0T2Ug4;aARbBb<7|6sbsO5> z5t-lGzldmYt4JQi(eK*G)dXzhJQEYTvOAiM79tns!#KSoLIGMGoPQ3x&{;2v5S<>j z&AM`?9h@K62*$Y=g<5+hoB~eO6*F=b;6&bq3Cl+l5|r;>v97-{hmWp}?d#Uwr}25^g0f)Z68JF0lZ z#iBb-S?itf&dyGk=l$)4GqMN|xb0l3=lLv}9~zE~ynJxI_3{-4hi&z28!@#h=FQr! 
From 14767d354fcf313f977d9c0c08b81dbc0cb25e19 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 11 Aug 2016 20:51:48 -0500 Subject: [PATCH 0018/1208] Reduce wget timeout --- vpnsetup.sh | 4 ++-- vpnsetup_centos.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 571906734f..2f8ed07433 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -120,8 +120,8 @@ PUBLIC_IP=${VPN_PUBLIC_IP:-''} PRIVATE_IP=${VPN_PRIVATE_IP:-''} # In Amazon EC2, these two variables will be retrieved from metadata -[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4') -[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(wget -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4') +[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 5 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4') +[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(wget -t 3 -T 5 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4') # Try to find IPs for non-EC2 servers [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 671012028d..08c421ded2 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh
@@ -107,8 +107,8 @@ PUBLIC_IP=${VPN_PUBLIC_IP:-''} PRIVATE_IP=${VPN_PRIVATE_IP:-''} # In Amazon EC2, these two variables will be retrieved from metadata -[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4') -[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(wget -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4') +[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 5 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4') +[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(wget -t 3 -T 5 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4') # Try to find IPs for non-EC2 servers [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) From 28a8d496f0092d96cd141729594ec62b477663f4 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 11 Aug 2016 21:36:12 -0500 Subject: [PATCH 0019/1208] Update docs [ci skip] --- README-zh.md | 2 ++ README.md | 2 ++ docs/images/linode-deploy-button.png | Bin 0 -> 20132 bytes 3 files changed, 4 insertions(+) create mode 100644 docs/images/linode-deploy-button.png diff --git a/README-zh.md b/README-zh.md index b54dfe370a..e835b40794 100644 --- a/README-zh.md +++ b/README-zh.md @@ -55,6 +55,8 @@ Deploy to Azure Install on DigitalOcean + + Deploy to Linode **» 我想建立并使用自己的 VPN ,但是没有可用的服务器** diff --git a/README.md b/README.md index 8a500c3d46..6fb5f53ffd 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,8 @@ This also includes Linux VMs in public clouds such as Google Compute Engine, Ama Deploy to Azure Install on DigitalOcean + + Deploy to Linode **» I want to run my own VPN but don't have a server for that** 
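Review bot: In patch 0018 ("Reduce wget timeout"), both changed lookups in vpnsetup.sh and vpnsetup_centos.sh still pass `-t 3`, so on a host where 169.254.169.254 does not answer, each of the two lookups can still spend three attempts of 5 seconds before the `dig` fallback runs; retries add little for a link-local metadata endpoint, and `-t 1` would match the intent of the change better. The same lines assign whatever the plain-HTTP request returns to PUBLIC_IP and PRIVATE_IP as-is, so a check that the value looks like an IPv4 address before it is used would be worth adding next to the fallback.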
diff --git a/docs/images/linode-deploy-button.png b/docs/images/linode-deploy-button.png new file mode 100644 index 0000000000000000000000000000000000000000..cbdc8192b5698d209d86e3a6cfe4e892f1f98796 GIT binary patch literal 20132
From 2cb4d2f9093f7dfdf7dff83a9a5062f26722c24e Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 12 Aug 2016 16:35:27 -0500 Subject: [PATCH 0020/1208] Improve tests --- .travis.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 096b835045..de395f24d7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,6 @@ language: bash sudo: required -dist: trusty addons: apt: From b27f58f7852dc8dc36062f5e95e0ef60d421a1a1 Mon Sep 17 00:00:00 2001
From: hwdsl2 Date: Sat, 13 Aug 2016 14:54:26 -0500 Subject: [PATCH 0021/1208] Update README.md [ci skip] --- README-zh.md | 15 +++++---------- README.md | 15 +++++---------- docs/images/linode-deploy-button.png | Bin 20132 -> 19741 bytes 3 files changed, 10 insertions(+), 20 deletions(-) diff --git a/README-zh.md b/README-zh.md index e835b40794..7e28b0a7e2 100644 --- a/README-zh.md +++ b/README-zh.md @@ -51,13 +51,7 @@ 这也包括各种云计算服务中的 Linux 虚拟机,比如 Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean, Vultr 和 Linode。 - - Deploy to Azure - - Install on DigitalOcean - - Deploy to Linode - +Deploy to Azure Install on DigitalOcean Deploy to Linode **» 我想建立并使用自己的 VPN ,但是没有可用的服务器** @@ -97,7 +91,7 @@ VPN_USER='你的VPN用户名' \ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh ``` -如需在 DigitalOcean 上安装,可以参考这个分步指南,由 Tony Tran 编写。 +DigitalOcean 用户可以参考这个分步指南,由 Tony Tran 编写。 **注:** 如果无法通过 `wget` 下载,你也可以打开 vpnsetup.sh (或者 vpnsetup_centos.sh),然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl-A` 全选, `Ctrl-C` 复制,然后粘贴到你喜欢的编辑器。 @@ -140,8 +134,8 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh ## 问题和反馈 -- 有问题需要提问?请先搜索已有的留言,在这个 Gist 以及我的博客。 -- Libreswan (IPsec) 的相关问题可在邮件列表提问。也可以参见这些文章:[1] [2] [3] [4] [5]。 +- 有问题需要提问?请先搜索已有的留言,在 这个 Gist 以及 我的博客。 +- VPN 的相关问题可在这些邮件列表提问: [1] [2],或者看相关文章: [1] [2] [3]。 - 如果你发现了一个可重复的程序漏洞,请提交一个 GitHub Issue。 ## 卸载说明 @@ -158,6 +152,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh - VPN Deploy Playbook - Insta VPN - One Key IKEv2 VPN +- Setup Strongswan ## 作者 diff --git a/README.md b/README.md index 6fb5f53ffd..f4fc67095f 100644 --- a/README.md +++ b/README.md 
@@ -47,17 +47,11 @@ Please refer to this workaround. OpenVZ VPS is not supported, users could instead try OpenVPN. +A dedicated server or Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used with this workaround. OpenVZ VPS is NOT supported, users could instead try OpenVPN. This also includes Linux VMs in public clouds such as Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean, Vultr and Linode. - - Deploy to Azure - - Install on DigitalOcean - - Deploy to Linode - +Deploy to Azure Install on DigitalOcean Deploy to Linode **» I want to run my own VPN but don't have a server for that** @@ -97,7 +91,7 @@ VPN_USER='your_vpn_username' \ VPN_PASSWORD='your_vpn_password' sh vpnsetup.sh ``` -For install on DigitalOcean, you may refer to this step-by-step guide by Tony Tran. +DigitalOcean users may refer to this step-by-step guide by Tony Tran. **Note:** If unable to download via `wget`, you may also open vpnsetup.sh (or vpnsetup_centos.sh) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor. @@ -141,7 +135,7 @@ The additional scripts vpnupgrade ## Bugs & Questions - Got a question? Please first search other people's comments in this Gist and on my blog. -- Ask Libreswan (IPsec) related questions on the mailing list, or read these articles: [1] [2] [3] [4] [5]. +- Ask VPN related questions on these mailing lists: [1] [2], or read related articles: [1] [2] [3]. - If you found a reproducible bug, open a GitHub Issue to submit a bug report. ## Uninstallation @@ -158,6 +152,7 @@ Please refer to Uninstall the VPNVPN Deploy Playbook - Insta VPN - One Key IKEv2 VPN +- Setup Strongswan ## Author 
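Review bot: The rewritten support bullet in the README.md hunk at -141,7 +135,7 ("Ask VPN related questions on these mailing lists: [1] [2]") drops the project name the old line gave ("Libreswan (IPsec)"), so a reader can no longer tell which list covers which software without following each numbered link; naming each list in its link text would keep that information. The same applies to the matching bullet in the README-zh.md hunk at -140,8 +134,8. The diffstat also shows docs/images/linode-deploy-button.png changing (20132 -> 19741 bytes) under a subject that only mentions README.md, which is worth a word in the commit message.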
diff --git a/docs/images/linode-deploy-button.png b/docs/images/linode-deploy-button.png index cbdc8192b5698d209d86e3a6cfe4e892f1f98796..5a394a2851b719c24762d4d3a617ba9af377223b 100644 GIT binary patch delta 3305
zPlVh)qR}y@^RQnfbooHqBI@sr%^#93$$$*ce2@mF?8Bsl$A0@-RR}RVuO$^q$4L8wrc>;H0PgMQUjP6A From 963242bf410ac2ebc22803aab34f12e061f1094d Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 15 Aug 2016 11:38:23 -0500 Subject: [PATCH 0022/1208] Update docs - Minor corrections - [ci skip] --- azure/README-zh.md | 6 +++--- azure/README.md | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/azure/README-zh.md b/azure/README-zh.md index ee177f3dd7..62f275e945 100644 --- a/azure/README-zh.md +++ b/azure/README-zh.md @@ -6,9 +6,9 @@ 根据你的偏好设置以下选项: - - VPN Username (用户名) - - VPN Password (密码) - - IPsec Pre-Shared Key (预共享密钥) + - Username for VPN and SSH (VPN 和 SSH 用户名) + - Password for VPN and SSH (VPN 和 SSH 密码) + - IPsec Pre-Shared Key (IPsec 预共享密钥) - Operating System Image (操作系统镜像,Debian 8 或 Ubuntu 16.04 LTS) - Virtual Machine Size (虚拟机大小,默认值: Standard_A0) diff --git a/azure/README.md b/azure/README.md index 616206dd54..af2f2d8f75 100644 --- a/azure/README.md +++ b/azure/README.md @@ -6,8 +6,8 @@ This template will create a fully working VPN server on the Microsoft Azure Clou Customizable with the following options: - - VPN Username - - VPN Password + - Username for VPN and SSH + - Password for VPN and SSH - IPsec Pre-Shared Key - Operating System Image (Debian 8 or Ubuntu 16.04 LTS) - Virtual Machine Size (Default: Standard_A0) From 5064f3a6d68d17f145ca0256dadecc63d43548cb Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 19 Aug 2016 01:38:23 -0500 Subject: [PATCH 0023/1208] Update docs - Improve Android 6 workaround - [ci skip] --- docs/clients-xauth-zh.md | 5 ++++- docs/clients-xauth.md | 5 ++++- docs/clients-zh.md | 5 ++++- docs/clients.md | 5 ++++- 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 54bafe7e2c..3155d3a3d5 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md 
@@ -81,7 +81,10 @@ VPN 连接成功后,会在 VPN Connect 状态窗口中显示 **tunnel enabled* 1. 选中 **保存帐户信息** 复选框。 1. 单击 **连接**。 -**注:** Android 6 (Marshmallow) 用户需要编辑 VPN 服务器上的 `/etc/ipsec.conf`,并在 `ike=` 和 `phase2alg=` 两行结尾添加 `,aes256-sha2_256` 字样。然后在它们下面添加一行 `sha2-truncbug=yes`。每行开头必须空两格。保存修改并运行 `service ipsec restart`。(更多信息) +**注:** 如果你使用 Android 6 (Marshmallow) 并且无法连接,请尝试以下解决方案: + +1. 单击 VPN 连接右边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请跳到下一步。 +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`,并在 `ike=` 和 `phase2alg=` 两行结尾添加 `,aes256-sha2_256` 字样。然后在它们下面添加一行 `sha2-truncbug=yes`。每行开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) VPN 连接成功后,会在通知栏显示图标。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 38bad1e968..db6989e590 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md 
@@ -81,7 +81,10 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy 1. Check the **Save account information** checkbox. 1. Tap **Connect**. -**Note:** Android 6 (Marshmallow) users should edit `/etc/ipsec.conf` on the VPN server and append `,aes256-sha2_256` to both `ike=` and `phase2alg=` lines. Then add a new line `sha2-truncbug=yes` immediately after those. Indent lines with two spaces. When finished, run `service ipsec restart`. (Reference) +**Note:** If you are using Android 6 (Marshmallow) and unable to connect, try these workarounds: + +1. Click the settings icon next to your VPN profile. Select "Show Advanced Options" and scroll down to the bottom. If the option "Backwards-compatible mode" exists, enable it and reconnect the VPN. If not, skip to the next step. +1. Edit `/etc/ipsec.conf` on the VPN server and append `,aes256-sha2_256` to both `ike=` and `phase2alg=` lines. Then add a new line `sha2-truncbug=yes`. Indent lines with two spaces. Save the file and run `service ipsec restart`. (Ref) Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 788525e3b2..551f10d88a 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -117,7 +117,10 @@ 1. 选中 **保存帐户信息** 复选框。 1. 单击 **连接**。 -**注:** Android 6 (Marshmallow) 用户需要编辑 VPN 服务器上的 `/etc/ipsec.conf`,并在 `ike=` 和 `phase2alg=` 两行结尾添加 `,aes256-sha2_256` 字样。然后在它们下面添加一行 `sha2-truncbug=yes`。每行开头必须空两格。保存修改并运行 `service ipsec restart`。(更多信息) +**注:** 如果你使用 Android 6 (Marshmallow) 并且无法连接,请尝试以下解决方案: + +1. 单击 VPN 连接右边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请跳到下一步。 +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`,并在 `ike=` 和 `phase2alg=` 两行结尾添加 `,aes256-sha2_256` 字样。然后在它们下面添加一行 `sha2-truncbug=yes`。每行开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) VPN 连接成功后,会在通知栏显示图标。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 diff --git a/docs/clients.md b/docs/clients.md index 01b7de0954..05ec75b0e8 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -117,7 +117,10 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy 1. Check the **Save account information** checkbox. 1. Tap **Connect**. -**Note:** Android 6 (Marshmallow) users should edit `/etc/ipsec.conf` on the VPN server and append `,aes256-sha2_256` to both `ike=` and `phase2alg=` lines. Then add a new line `sha2-truncbug=yes` immediately after those. Indent lines with two spaces. When finished, run `service ipsec restart`. (Reference) +**Note:** If you are using Android 6 (Marshmallow) and unable to connect, try these workarounds: + +1. Click the settings icon next to your VPN profile. Select "Show Advanced Options" and scroll down to the bottom. If the option "Backwards-compatible mode" exists, enable it and reconnect the VPN. If not, skip to the next step. +1. Edit `/etc/ipsec.conf` on the VPN server and append `,aes256-sha2_256` to both `ike=` and `phase2alg=` lines. Then add a new line `sha2-truncbug=yes`. Indent lines with two spaces. Save the file and run `service ipsec restart`. (Ref) Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". From cd7febb13d45ce275c493b09f864a46a8add8322 Mon Sep 17 00:00:00 2001 From: Daniel Falkner Date: Mon, 22 Aug 2016 15:34:45 +0200 Subject: [PATCH 0024/1208] new Api Version, dynamic Storage Uri to support multi cloud environments e.g. Microsoft Cloud Deutschland. --- azure/azuredeploy.json | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/azure/azuredeploy.json b/azure/azuredeploy.json index ef01b23a7b..10bc522681 100644 --- a/azure/azuredeploy.json +++ b/azure/azuredeploy.json 
@@ -120,14 +120,16 @@ { "type": "Microsoft.Storage/storageAccounts", "name": "[variables('storageName')]", - "apiVersion": "[variables('apiVersion')]", + "apiVersion": "2016-01-01", "location": "[variables('location')]", "tags": { "displayName": "StorageAccount" }, - "properties": { - "accountType": "[variables('vhdStorageType')]" - } + "properties": {}, + "sku": { + "name": "[variables('vhdStorageType')]" + }, + "kind": "Storage" }, { "apiVersion": "[variables('apiVersion')]", @@ -187,9 +189,9 @@ } }, { - "apiVersion": "[variables('apiVersion')]", "type": "Microsoft.Compute/virtualMachines", "name": "[variables('vmName')]", + "apiVersion": "2016-03-30", "location": "[resourceGroup().location]", "tags": { "displayName": "VirtualMachine" @@ -211,7 +213,7 @@ "osDisk": { "name": "osdisk", "vhd": { - "uri": "[concat('http://', variables('storageName'), '.blob.core.windows.net/vmachines/', variables('vmName'), '.vhd')]" + "uri": "[concat(reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageName'))).primaryEndpoints.blob, 'vmachines/', variables('vmName'), '.vhd')]" }, "caching": "ReadWrite", "createOption": "FromImage" From dad10f7ad7e70c4438995477d65747cab0510102 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 25 Aug 2016 23:34:16 -0500 Subject: [PATCH 0025/1208] Update docs - Fix instructions for Shrew Soft client - [ci skip] --- docs/clients-xauth-zh.md | 3 ++- docs/clients-xauth.md | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 3155d3a3d5..c4592cee38 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md 
@@ -26,13 +26,14 @@ 1. 单击 **Authentication** 选项卡,从 **Authentication Method** 下拉菜单中选择 **Mutual PSK + XAuth**。 1. 单击 **Credentials** 子选项卡,并在 **Pre Shared Key** 字段中输入`你的 VPN IPsec PSK`。 1. 单击 **Phase 1** 选项卡,从 **Exchange Type** 下拉菜单中选择 **main**。 +1. 单击 **Phase 2** 选项卡,从 **HMAC Algorithm** 下拉菜单中选择 **sha1**。 1. 单击 **Save** 保存 VPN 连接的详细信息。 1. 选择新添加的 VPN 连接。单击工具栏中的 **Connect** 按钮。 1. 在 **Username** 字段中输入`你的 VPN 用户名`。 1. 在 **Password** 字段中输入`你的 VPN 密码`。 1. 单击 **Connect**。 -VPN 连接成功后,会在 VPN Connect 状态窗口中显示 **tunnel enabled** 字样。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabled** 字样。单击 "Network" 选项卡,并确认 **Established - 1** 显示在 "Security Associations" 下面。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 **注:** 在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请参照链接网页中的说明,或者打开提升权限命令提示符并运行以下命令。完成后必须重启计算机。 - 适用于 Windows Vista, 7, 8 和 10 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index db6989e590..b728203315 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md 
@@ -26,13 +26,14 @@ After settin 1. Click the **Authentication** tab. Select **Mutual PSK + XAuth** from the **Authentication Method** drop-down menu. 1. Click the **Credentials** tab below. Enter `Your VPN IPsec PSK` in the **Pre Shared Key** field. 1. Click the **Phase 1** tab. Select **main** from the **Exchange Type** drop-down menu. +1. Click the **Phase 2** tab. Select **sha1** from the **HMAC Algorithm** drop-down menu. 1. Click **Save** to save the VPN connection details. 1. Select the new VPN connection. Click the **Connect** button on toolbar. 1. Enter `Your VPN Username` in the **Username** field. 1. Enter `Your VPN Password` in the **Password** field. 1. Click **Connect**. -Once connected, you will see **tunnel enabled** in the VPN Connect status window. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see **tunnel enabled** in the VPN Connect status window. Click the "Network" tab, and confirm that **Established - 1** is displayed under "Security Associations". You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". **Note:** This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). Refer to the linked web page, or run the following from an elevated command prompt. You must reboot your computer when finished. - For Windows Vista, 7, 8 and 10 From 96a071ebc5147dde83523ee6e298c6a31e85b60c Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 26 Aug 2016 00:21:10 -0500 Subject: [PATCH 0026/1208] Improve VPN ciphers - Add stronger cipher options - Fix for Android 6.0 VPN clients --- vpnsetup.sh | 5 +++-- vpnsetup_centos.sh | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 2f8ed07433..f962f4770c 100755 
--- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -198,8 +198,9 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear - ike=3des-sha1,aes-sha1 - phase2alg=3des-sha1,aes-sha1 + ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 + phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 + sha2-truncbug=yes conn l2tp-psk auto=add diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 08c421ded2..ddea15ae9c 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -192,8 +192,9 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear - ike=3des-sha1,aes-sha1 - phase2alg=3des-sha1,aes-sha1 + ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 + phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 + sha2-truncbug=yes conn l2tp-psk auto=add From 72d0f7ff521e3f22a7111a73fe0a21b7a336e21e Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 26 Aug 2016 01:52:55 -0500 Subject: [PATCH 0027/1208] Clean up docs [ci skip] --- README-zh.md | 8 +++----- README.md | 8 +++----- docs/clients-xauth-zh.md | 17 +++-------------- docs/clients-xauth.md | 17 +++-------------- docs/clients-zh.md | 36 ++++++++++++++++-------------------- docs/clients.md | 34 +++++++++++++++------------------- 6 files changed, 43 insertions(+), 77 deletions(-) diff --git a/README-zh.md b/README-zh.md index 7e28b0a7e2..91738d6795 100644 --- a/README-zh.md +++ b/README-zh.md @@ -112,7 +112,7 @@ DigitalOcean 用户可以参考这个修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。如果在连接过程中遇到错误,请参见 故障排除。 +**Windows 用户** 如果在连接过程中遇到错误,请参见 故障排除。 **Android 6 (Marshmallow) 用户** 请参考此文档中的注释: 配置 IPsec/L2TP VPN 客户端。 @@ -135,7 +135,7 @@ DigitalOcean 用户可以参考这个这个 Gist 以及 我的博客。 -- VPN 的相关问题可在这些邮件列表提问: [1] [2],或者看相关文章: [1] [2] [3]。 +- VPN 的相关问题可在这些邮件列表提问: [1] [2],或者看相关文章: [1] [2] [3] [4]。 - 如果你发现了一个可重复的程序漏洞,请提交一个 GitHub Issue。 ## 卸载说明 
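Review bot: In the `conn shared` hunks of vpnsetup.sh and vpnsetup_centos.sh (PATCH 0026), `sha2-truncbug=yes` is added ahead of `conn l2tp-psk` with no comment in the script, and the commit message says only "Fix for Android 6.0 VPN clients". In Libreswan this option switches ESP SHA2-256 from the RFC 128-bit truncation to the draft 96-bit truncation, so a standards-compliant peer that negotiates `aes256-sha2_256` for phase 2 will establish the SA and then have its encrypted packets rejected. Add a comment beside the line naming the client it exists for and the side effect, so an operator knows when to turn it off. Separately, both `ike=` and `phase2alg=` still begin with `3des-sha1`, so the change only adds stronger proposals and does nothing to stop a client from settling on 3DES with SHA-1; if the intent is stronger ciphers, list the AES-256/SHA-2 entries first and plan to drop 3DES once the supported clients allow it.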
@@ -145,13 +145,11 @@ DigitalOcean 用户可以参考这个IPsec VPN Server on Docker +- IKEv2 VPN Server on Docker - Streisand - SoftEther VPN - ShadowsocksR - OpenVPN Install -- VPN Deploy Playbook -- Insta VPN -- One Key IKEv2 VPN - Setup Strongswan ## 作者 diff --git a/README.md b/README.md index f4fc67095f..6065216982 100644 --- a/README.md +++ b/README.md @@ -112,7 +112,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: ## Important Notes -For **Windows users**, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). If you get an error when trying to connect, see Troubleshooting. +**Windows users**: If you get an error when trying to connect, see Troubleshooting. **Android 6 (Marshmallow) users**: Please see notes in Configure IPsec/L2TP VPN Clients. @@ -135,7 +135,7 @@ The additional scripts vpnupgrade ## Bugs & Questions - Got a question? Please first search other people's comments in this Gist and on my blog. -- Ask VPN related questions on these mailing lists: [1] [2], or read related articles: [1] [2] [3]. +- Ask VPN related questions on these mailing lists: [1] [2], or read related articles: [1] [2] [3] [4]. - If you found a reproducible bug, open a GitHub Issue to submit a bug report. ## Uninstallation @@ -145,13 +145,11 @@ Please refer to Uninstall the VPNIPsec VPN Server on Docker +- IKEv2 VPN Server on Docker - Streisand - SoftEther VPN - ShadowsocksR - OpenVPN Install -- VPN Deploy Playbook -- Insta VPN -- One Key IKEv2 VPN - Setup Strongswan ## Author diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index c4592cee38..d2ddd30274 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md 
@@ -35,17 +35,6 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabled** 字样。单击 "Network" 选项卡,并确认 **Established - 1** 显示在 "Security Associations" 下面。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 -**注:** 在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请参照链接网页中的说明,或者打开提升权限命令提示符并运行以下命令。完成后必须重启计算机。 -- 适用于 Windows Vista, 7, 8 和 10 - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -- 仅适用于 Windows XP - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - ### OS X ### 1. 打开系统偏好设置并转到网络部分。 1. 在窗口左下角单击 **+** 按钮。 @@ -82,10 +71,10 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabl 1. 选中 **保存帐户信息** 复选框。 1. 单击 **连接**。 -**注:** 如果你使用 Android 6 (Marshmallow) 并且无法连接,请尝试以下解决方案: +**注:** 如果无法使用 Android 6 (Marshmallow) 连接,请尝试以下解决方案: -1. 单击 VPN 连接右边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请跳到下一步。 -1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`,并在 `ike=` 和 `phase2alg=` 两行结尾添加 `,aes256-sha2_256` 字样。然后在它们下面添加一行 `sha2-truncbug=yes`。每行开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) +1. 单击 VPN 连接右边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请跳到第二步。 +1. (注:最新版本的 VPN 脚本已经包含这些更改)编辑 VPN 服务器上的 `/etc/ipsec.conf`,并在 `ike=` 和 `phase2alg=` 两行结尾添加 `,aes256-sha2_256` 字样。然后在它们下面添加一行 `sha2-truncbug=yes`。每行开头必须空两格。保存修改并运行 `service ipsec restart`。(参考链接) VPN 连接成功后,会在通知栏显示图标。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index b728203315..70489cff22 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md 
@@ -35,17 +35,6 @@ After settin Once connected, you will see **tunnel enabled** in the VPN Connect status window. Click the "Network" tab, and confirm that **Established - 1** is displayed under "Security Associations". You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". -**Note:** This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). Refer to the linked web page, or run the following from an elevated command prompt. You must reboot your computer when finished. -- For Windows Vista, 7, 8 and 10 - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -- For Windows XP ONLY - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - ### OS X ### 1. Open System Preferences and go to the Network section. 1. Click the **+** button in the lower-left corner of the window. 
@@ -82,10 +71,10 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy 1. Check the **Save account information** checkbox. 1. Tap **Connect**. -**Note:** If you are using Android 6 (Marshmallow) and unable to connect, try these workarounds: +**Note:** If unable to connect using Android 6 (Marshmallow), try these workarounds: -1. Click the settings icon next to your VPN profile. Select "Show Advanced Options" and scroll down to the bottom. If the option "Backwards-compatible mode" exists, enable it and reconnect the VPN. If not, skip to the next step. -1. Edit `/etc/ipsec.conf` on the VPN server and append `,aes256-sha2_256` to both `ike=` and `phase2alg=` lines. Then add a new line `sha2-truncbug=yes`. Indent lines with two spaces. Save the file and run `service ipsec restart`. (Ref) +1. Tap the settings icon next to your VPN profile. Select "Show Advanced Options" and scroll down to the bottom. If the option "Backwards-compatible mode" exists, enable it and reconnect the VPN. If not, skip to step 2. +1. (Note: Latest version of the VPN scripts already include these changes) Edit `/etc/ipsec.conf` on the VPN server and append `,aes256-sha2_256` to both `ike=` and `phase2alg=` lines. Then add a new line `sha2-truncbug=yes` immediately after those. Indent lines with two spaces. Save the file and run `service ipsec restart`. (Reference) Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 551f10d88a..c171269d55 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -37,8 +37,6 @@ 1. 单击 **确定** 关闭 **高级设置**。 1. 单击 **确定** 保存 VPN 连接的详细信息。 -**注:** 在首次连接之前需要修改一次注册表。请参见下面的说明。 - **Windows 7, Vista and XP:** 1. 单击开始菜单,选择控制面板。 
@@ -57,7 +55,7 @@ 1. 单击 **创建**,然后单击 **关闭** 按钮。 1. 返回 **网络与共享中心**。单击左侧的 **更改适配器设置**。 1. 右键单击新创建的 VPN 连接,并选择 **属性**。 -1. 单击 **选项** 选项卡,取消选中 **包含Windows登录域** 复选框。 +1. 单击 **选项** 选项卡,取消选中 **包括Windows登录域** 复选框。 1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 1. 单击 **允许使用这些协议**。选中 "质询握手身份验证协议 (CHAP)" 复选框,并且取消选中所有其它项。 1. 单击 **高级设置** 按钮。 @@ -67,20 +65,8 @@ 要连接到 VPN: 单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名` 和 `密码` ,并单击 **确定**。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 - 如果在连接过程中遇到错误,请参见 故障排除。 -**注:** 在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请参照链接网页中的说明,或者打开提升权限命令提示符并运行以下命令。完成后必须重启计算机。 -- 适用于 Windows Vista, 7, 8 和 10 - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -- 仅适用于 Windows XP - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - ### OS X ### 1. 打开系统偏好设置并转到网络部分。 1. 在窗口左下角单击 **+** 按钮。 @@ -117,10 +103,10 @@ 1. 选中 **保存帐户信息** 复选框。 1. 单击 **连接**。 -**注:** 如果你使用 Android 6 (Marshmallow) 并且无法连接,请尝试以下解决方案: +**注:** 如果无法使用 Android 6 (Marshmallow) 连接,请尝试以下解决方案: -1. 单击 VPN 连接右边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请跳到下一步。 -1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`,并在 `ike=` 和 `phase2alg=` 两行结尾添加 `,aes256-sha2_256` 字样。然后在它们下面添加一行 `sha2-truncbug=yes`。每行开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) +1. 单击 VPN 连接右边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请跳到第二步。 +1. (注:最新版本的 VPN 脚本已经包含这些更改)编辑 VPN 服务器上的 `/etc/ipsec.conf`,并在 `ike=` 和 `phase2alg=` 两行结尾添加 `,aes256-sha2_256` 字样。然后在它们下面添加一行 `sha2-truncbug=yes`。每行开头必须空两格。保存修改并运行 `service ipsec restart`。(参考链接) VPN 连接成功后,会在通知栏显示图标。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 
@@ -175,7 +161,7 @@ VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可 sudo route add default dev ppp0 ``` -如果遇到错误,请检查 `ifconfig` 的输出并将上面的 `ppp0` 换成 `ppp1`,等等。 + 如果遇到错误,请检查 `ifconfig` 的输出并将上面的 `ppp0` 换成 `ppp1`,等等。 检查 VPN 是否正常工作: ``` @@ -207,7 +193,17 @@ sudo route del default dev ppp0 > 无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。 -要解决此错误,请按照上面的步骤添加注册表键并重启计算机。 +要解决此错误,在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请参照链接网页中的说明,或者打开提升权限命令提示符并运行以下命令。完成后必须重启计算机。 + +- 适用于 Windows Vista, 7, 8 和 10 + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +- 仅适用于 Windows XP + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` ### Windows 错误 628 diff --git a/docs/clients.md b/docs/clients.md index 05ec75b0e8..1fb8d6371e 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -37,8 +37,6 @@ You may also refer to this alternative looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". - If you get an error when trying to connect, see Troubleshooting. -**Note:** This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). Refer to the linked web page, or run the following from an elevated command prompt. You must reboot your computer when finished. -- For Windows Vista, 7, 8 and 10 - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -- For Windows XP ONLY - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - ### OS X ### 1. Open System Preferences and go to the Network section. 1. Click the **+** button in the lower-left corner of the window. 
@@ -117,10 +103,10 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy 1. Check the **Save account information** checkbox. 1. Tap **Connect**. -**Note:** If you are using Android 6 (Marshmallow) and unable to connect, try these workarounds: +**Note:** If unable to connect using Android 6 (Marshmallow), try these workarounds: -1. Click the settings icon next to your VPN profile. Select "Show Advanced Options" and scroll down to the bottom. If the option "Backwards-compatible mode" exists, enable it and reconnect the VPN. If not, skip to the next step. -1. Edit `/etc/ipsec.conf` on the VPN server and append `,aes256-sha2_256` to both `ike=` and `phase2alg=` lines. Then add a new line `sha2-truncbug=yes`. Indent lines with two spaces. Save the file and run `service ipsec restart`. (Ref) +1. Tap the settings icon next to your VPN profile. Select "Show Advanced Options" and scroll down to the bottom. If the option "Backwards-compatible mode" exists, enable it and reconnect the VPN. If not, skip to step 2. +1. (Note: Latest version of the VPN scripts already include these changes) Edit `/etc/ipsec.conf` on the VPN server and append `,aes256-sha2_256` to both `ike=` and `phase2alg=` lines. Then add a new line `sha2-truncbug=yes` immediately after those. Indent lines with two spaces. Save the file and run `service ipsec restart`. (Reference) Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". 
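Review bot: In the docs/clients.md Android hunk above, step 2 now opens with "(Note: Latest version of the VPN scripts already include these changes)" but the instruction that follows still says to append `,aes256-sha2_256` and add `sha2-truncbug=yes` unconditionally. A reader on a current install who follows it ends up with the proposal listed twice and a duplicate `sha2-truncbug=yes` line in `/etc/ipsec.conf`. Suggest telling the reader to inspect the `ike=`, `phase2alg=` and `sha2-truncbug` lines first and to skip the step when they are already present, rather than leaving that to a parenthetical. Wording: "Latest version ... already include" should read "The latest version ... already includes". The same applies to the matching hunk in docs/clients-xauth.md.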
@@ -175,7 +161,7 @@ Follow the steps in the steps above to add a registry key and reboot your computer. +To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Refer to the linked web page, or run the following from an elevated command prompt. When finished, reboot your PC. + +- For Windows Vista, 7, 8 and 10 + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +- For Windows XP ONLY + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` ### Windows Error 628 From 77d0f0bc93d1a1f552c62138157ccf2cf4370433 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 28 Aug 2016 00:41:46 -0500 Subject: [PATCH 0028/1208] Add IKEv2 how to [ci skip] --- README-zh.md | 4 +- README.md | 4 +- docs/ikev2-howto-zh.md | 211 +++++++++++++++++++++++++++++++++++++++++ docs/ikev2-howto.md | 211 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 428 insertions(+), 2 deletions(-) create mode 100644 docs/ikev2-howto-zh.md create mode 100644 docs/ikev2-howto.md diff --git a/README-zh.md b/README-zh.md index 91738d6795..f3f908bb8f 100644 --- a/README-zh.md +++ b/README-zh.md @@ -108,6 +108,8 @@ DigitalOcean 用户可以参考这个配置 IPsec/L2TP VPN 客户端 配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端 +如何配置 IKEv2 VPN: Windows 7 和更新版本 + 开始使用自己的专属 VPN ! :sparkles::tada::rocket::sparkles: ## 重要提示 @@ -150,7 +152,7 @@ DigitalOcean 用户可以参考这个SoftEther VPN - ShadowsocksR - OpenVPN Install -- Setup Strongswan +- Setup strongSwan ## 作者 diff --git a/README.md b/README.md index 6065216982..cf3a25051f 100644 --- a/README.md +++ b/README.md 
@@ -108,6 +108,8 @@ Get your computer or device to use the VPN. Please refer to: Configure IPsec/L2TP VPN Clients Configure IPsec/XAuth ("Cisco IPsec") VPN Clients +How To: IKEv2 VPN for Windows 7 and newer + Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: ## Important Notes @@ -150,7 +152,7 @@ Please refer to Uninstall the VPNSoftEther VPN - ShadowsocksR - OpenVPN Install -- Setup Strongswan +- Setup strongSwan ## Author diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md new file mode 100644 index 0000000000..ad4a74a470 --- /dev/null +++ b/docs/ikev2-howto-zh.md 
@@ -0,0 +1,211 @@ +# 如何配置 IKEv2 VPN: Windows 7 和更新版本 + +*其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* + +**重要提示:** 本指南仅适用于**高级用户**。其他用户请使用 IPsec/L2TP 或者 IPsec/XAuth。 + +Windows 7 和更新版本支持 IKEv2 和 MOBIKE 标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security association,SA)。与 IKEv1 相比较,IKEv2 带来许多功能改进,比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。 + +Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。除了 Windows 之外,它也可用于 strongSwan Android VPN 客户端。下面举例说明如何配置 IKEv2。 + +1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。 + + ```bash + $ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) + $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') + $ echo "$PUBLIC_IP" + (Your public IP is displayed) + $ echo "$PRIVATE_IP" + (Your private IP is displayed) + ``` + +1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接: + + ```bash + $ cat >> /etc/ipsec.conf < + Is this a critical extension [y/N]? + N + + $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP" + + A random seed must be generated that will be used in the + creation of your key. One of the easiest ways to create a + random seed is to use the timing of keystrokes on a keyboard. + + To begin, type keys on the keyboard until this progress meter + is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! + + Continue typing until the progress meter is full: + + |************************************************************| + + Finished. Press enter to continue: + + Generating key. This may take a few moments... 
+ + 0 - Digital Signature + 1 - Non-repudiation + 2 - Key encipherment + 3 - Data encipherment + 4 - Key agreement + 5 - Cert signing key + 6 - CRL signing key + Other to finish + > 0 + 0 - Digital Signature + 1 - Non-repudiation + 2 - Key encipherment + 3 - Data encipherment + 4 - Key agreement + 5 - Cert signing key + 6 - CRL signing key + Other to finish + > 2 + 0 - Digital Signature + 1 - Non-repudiation + 2 - Key encipherment + 3 - Data encipherment + 4 - Key agreement + 5 - Cert signing key + 6 - CRL signing key + Other to finish + > 8 + Is this a critical extension [y/N]? + N + 0 - Server Auth + 1 - Client Auth + 2 - Code Signing + 3 - Email Protection + 4 - Timestamp + 5 - OCSP Responder + 6 - Step-up + 7 - Microsoft Trust List Signing + Other to finish + > 0 + 0 - Server Auth + 1 - Client Auth + 2 - Code Signing + 3 - Email Protection + 4 - Timestamp + 5 - OCSP Responder + 6 - Step-up + 7 - Microsoft Trust List Signing + Other to finish + > 8 + Is this a critical extension [y/N]? + N + ``` + +1. 生成客户端证书,并且导出 p12 文件。该文件包含客户端证书,私钥以及 CA 证书: + + ```bash + $ certutil -S -c "Example CA" -n "winclient" -s "O=Example,CN=winclient" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "winclient" + + -- repeat same extensions as above -- + + $ pk12util -o winclient.p12 -n "winclient" -d sql:/etc/ipsec.d + + Enter password for PKCS12 file: + Re-enter password: + pk12util: PKCS12 EXPORT SUCCESSFUL + ``` + + 可以重复该步骤来为更多的客户端生成证书,但必须把所有的 `winclient` 换成 `winclient2`,等等。 + +1. 证书数据库现在应该包含以下内容: + + ```bash + $ certutil -L -d sql:/etc/ipsec.d + + Certificate Nickname Trust Attributes + SSL,S/MIME,JAR/XPI + + Example CA CTu,u,u + ($PUBLIC_IP) u,u,u + winclient u,u,u + ``` + + 注:如需删除证书,可运行命令 `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"`。 + +1. 重启 IPsec 服务: + + ```bash + $ service ipsec restart + ``` + +1. 
文件 `winclient.p12` 应该被安全的传送到 Windows 客户端计算机,并且导入到 Computer 证书存储。在导入 CA 证书后,它必须被放入(或移动到) "Trusted Root Certification Authorities" 目录的 "Certificates" 子目录中。 + + 详细的操作步骤: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs + +1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。 + + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config + +1. 启用新的 IKEv2 VPN 连接,并且开始使用自己的专属 VPN! + + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect + + 连接成功后,你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 + +## 已知问题 + +Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误 "Error 809",或者可能在连接后无法打开任何网站。如果出现这些问题,请首先尝试 这个解决方案。如果仍然无法解决,请使用 IPsec/L2TP 或者 IPsec/XAuth 协议连接。 + +## 参考链接 + +* https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 +* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan +* https://libreswan.org/man/ipsec.conf.5.html +* https://wiki.strongswan.org/projects/strongswan/wiki/Windows7 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md new file mode 100644 index 0000000000..0f0f5c91d8 --- /dev/null +++ b/docs/ikev2-howto.md 
@@ -0,0 +1,211 @@ +# How To: IKEv2 VPN for Windows 7 and newer + +*Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* + +**IMPORTANT:** This guide is for **advanced users** ONLY. Other users please use IPsec/L2TP or IPsec/XAuth. + +Windows 7 and newer releases support the IKEv2 and MOBIKE standards through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. Compared to IKEv1, IKEv2 has many improvements such as Standard Mobility support through MOBIKE, and improved reliability. + +Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. Besides Windows, it can also be used with strongSwan Android VPN client. The following examples show how to configure IKEv2. + +1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same. + + ```bash + $ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) + $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') + $ echo "$PUBLIC_IP" + (Your public IP is displayed) + $ echo "$PRIVATE_IP" + (Your private IP is displayed) + ``` + +1. Add a new IKEv2 connection to `/etc/ipsec.conf`: + + ```bash + $ cat >> /etc/ipsec.conf < + Is this a critical extension [y/N]? + N + + $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP" + + A random seed must be generated that will be used in the + creation of your key. One of the easiest ways to create a + random seed is to use the timing of keystrokes on a keyboard. + + To begin, type keys on the keyboard until this progress meter + is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! 
+ + Continue typing until the progress meter is full: + + |************************************************************| + + Finished. Press enter to continue: + + Generating key. This may take a few moments... + + 0 - Digital Signature + 1 - Non-repudiation + 2 - Key encipherment + 3 - Data encipherment + 4 - Key agreement + 5 - Cert signing key + 6 - CRL signing key + Other to finish + > 0 + 0 - Digital Signature + 1 - Non-repudiation + 2 - Key encipherment + 3 - Data encipherment + 4 - Key agreement + 5 - Cert signing key + 6 - CRL signing key + Other to finish + > 2 + 0 - Digital Signature + 1 - Non-repudiation + 2 - Key encipherment + 3 - Data encipherment + 4 - Key agreement + 5 - Cert signing key + 6 - CRL signing key + Other to finish + > 8 + Is this a critical extension [y/N]? + N + 0 - Server Auth + 1 - Client Auth + 2 - Code Signing + 3 - Email Protection + 4 - Timestamp + 5 - OCSP Responder + 6 - Step-up + 7 - Microsoft Trust List Signing + Other to finish + > 0 + 0 - Server Auth + 1 - Client Auth + 2 - Code Signing + 3 - Email Protection + 4 - Timestamp + 5 - OCSP Responder + 6 - Step-up + 7 - Microsoft Trust List Signing + Other to finish + > 8 + Is this a critical extension [y/N]? + N + ``` + +1. Generate client certificate(s), and export the p12 file that contains the client certificate, private key, and CA certificate: + + ```bash + $ certutil -S -c "Example CA" -n "winclient" -s "O=Example,CN=winclient" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "winclient" + + -- repeat same extensions as above -- + + $ pk12util -o winclient.p12 -n "winclient" -d sql:/etc/ipsec.d + + Enter password for PKCS12 file: + Re-enter password: + pk12util: PKCS12 EXPORT SUCCESSFUL + ``` + + Repeat this step for additional VPN clients, but replace every `winclient` with `winclient2`, etc. + +1. 
The database should now contain: + + ```bash + $ certutil -L -d sql:/etc/ipsec.d + + Certificate Nickname Trust Attributes + SSL,S/MIME,JAR/XPI + + Example CA CTu,u,u + ($PUBLIC_IP) u,u,u + winclient u,u,u + ``` + + Note: To delete a certificate, use `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"`. + +1. Restart IPsec service: + + ```bash + $ service ipsec restart + ``` + +1. The `winclient.p12` file should then be securely transferred to the Windows client computer and imported to the Computer certificate store. The CA cert once imported must be placed (or moved) into the "Certificates" sub-folder under "Trusted Root Certification Authorities". + + Detailed instructions: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs + +1. On the Windows computer, add a new IKEv2 VPN connection. + + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config + +1. Start the new IKEv2 VPN connection, and enjoy your own VPN! + + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect + + Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". + +## Known Issues + +The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail with "Error 809", or you may be unable to open any website after connecting. If this happens, first try this workaround. If it doesn't work, please connect using IPsec/L2TP or IPsec/XAuth instead. + +## Useful Links + +* https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 +* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan +* https://libreswan.org/man/ipsec.conf.5.html +* https://wiki.strongswan.org/projects/strongswan/wiki/Windows7 From 6d4bad1fd2ebb8ee56ef419567f1913cadb3341f Mon Sep 17 00:00:00 2001 
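Review bot: In the new docs/ikev2-howto.md, every `certutil -S` call uses `-d sql:/etc/ipsec.d` and the listing shows `Example CA` with trust `CTu,u,u`, so the CA private key stays in the NSS database of the internet-facing VPN server, while the import step has Windows clients place that CA under "Trusted Root Certification Authorities" in the Computer store. A compromise of the server then yields a signing key that those machines trust as a root, not just a VPN credential. Suggest a sentence recommending that the CA be created in a separate database, or that its key be removed from the server after the certificates are issued. The guide also says `winclient.p12` "should then be securely transferred" without saying that it contains the client private key; one line asking for a strong export password and deletion of the server-side copy after transfer would close that gap. Finally, the certificates are issued with `-v 12` and the only lifecycle guidance is `certutil -D`, which removes an entry from the database but does not revoke a certificate the CA has already signed; renewal and lost-client handling deserve a short note.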
From: hwdsl2 Date: Tue, 30 Aug 2016 11:35:52 -0500 Subject: [PATCH 0029/1208] Update README.md [ci skip] --- README-zh.md | 13 ++++++++++--- README.md | 11 +++++++++-- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/README-zh.md b/README-zh.md index f3f908bb8f..547dd4d7ba 100644 --- a/README-zh.md +++ b/README-zh.md @@ -1,13 +1,20 @@ -# IPsec VPN 服务器一键安装脚本  [![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) +# IPsec VPN 服务器一键安装脚本 -*其他语言版本: [English](README.md), [简体中文](README-zh.md).* +[![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) +[![Author](https://img.shields.io/badge/author-Lin%20Song-orange.svg?maxAge=2592000)](https://www.linkedin.com/in/linsongui) +[![GitHub stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) +[![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server) + +使用 Linux Shell 脚本一键快速搭建 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu,Debian 和 CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 -使用 Linux Shell 脚本一键快速搭建 IPsec VPN 服务器。同时支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu,Debian 和 CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 +IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时,你和 VPN 服务器之间的任何人对你的数据的未经授权的访问。在使用不安全的网络时,这是特别有用的,例如在咖啡厅,机场或旅馆房间。 我们将使用 Libreswan 作为 IPsec 服务器,以及 xl2tpd 作为 L2TP 提供者。 **» 相关教程: IPsec VPN Server Auto Setup with Libreswan** +*其他语言版本: [English](README.md), [简体中文](README-zh.md).* + #### 目录 - [功能特性](#功能特性) diff --git a/README.md b/README.md index cf3a25051f..fdb8c030bd 100644 --- a/README.md +++ b/README.md 
@@ -1,13 +1,20 @@ -# IPsec VPN Server Auto Setup Scripts  [![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) +# IPsec VPN Server Auto Setup Scripts -*Read this in other languages: [English](README.md), [简体中文](README-zh.md).* +[![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) +[![Author](https://img.shields.io/badge/author-Lin%20Song-orange.svg?maxAge=2592000)](https://www.linkedin.com/in/linsongui) +[![GitHub stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) +[![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server) Set up your own IPsec VPN server in just a few minutes, with both IPsec/L2TP and Cisco IPsec on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials, and let the scripts handle the rest. +An IPsec VPN encrypts your network traffic, so that nobody between you and the VPN server can eavesdrop on your data as it travels via the Internet. This is especially useful when using unsecured networks, e.g. at coffee shops, airports or hotel rooms. + We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider. **» Related tutorial: IPsec VPN Server Auto Setup with Libreswan** +*Read this in other languages: [English](README.md), [简体中文](README-zh.md).* + #### Table of Contents - [Features](#features) From 7937a74469c8b55a70855db6ee856ffed1205e31 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 9 Sep 2016 15:33:12 -0500 Subject: [PATCH 0030/1208] Improve IP detection - Remove unneeded code for Amazon EC2 - Check IPs for correct format after each try --- vpnsetup.sh | 18 ++++++++++-------- vpnsetup_centos.sh | 18 ++++++++++-------- 2 files changed, 20 insertions(+), 16 deletions(-) 
diff --git a/vpnsetup.sh b/vpnsetup.sh index f962f4770c..4599c81f92 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -119,22 +119,24 @@ EOF PUBLIC_IP=${VPN_PUBLIC_IP:-''} PRIVATE_IP=${VPN_PRIVATE_IP:-''} -# In Amazon EC2, these two variables will be retrieved from metadata -[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 5 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4') -[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(wget -t 3 -T 5 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4') - -# Try to find IPs for non-EC2 servers +# Try to auto discover IPs of this server [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) -[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com) -[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) [ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') -[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') # Check IPs for correct format IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" +if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then + PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com) +fi +if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then + PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) +fi if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then exiterr "Cannot find valid public IP. Edit the script and manually enter IPs." fi +if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then + PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') +fi if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then exiterr "Cannot find valid private IP. Edit the script and manually enter IPs." fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index ddea15ae9c..0f8afaaa43 100755 
--- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -106,22 +106,24 @@ EOF PUBLIC_IP=${VPN_PUBLIC_IP:-''} PRIVATE_IP=${VPN_PRIVATE_IP:-''} -# In Amazon EC2, these two variables will be retrieved from metadata -[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 5 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4') -[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(wget -t 3 -T 5 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4') - -# Try to find IPs for non-EC2 servers +# Try to auto discover IPs of this server [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) -[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com) -[ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) [ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') -[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') # Check IPs for correct format IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" +if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then + PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com) +fi +if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then + PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) +fi if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then exiterr "Cannot find valid public IP. Edit the script and manually enter IPs." fi +if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then + PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') +fi if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then exiterr "Cannot find valid private IP. Edit the script and manually enter IPs." fi From 56a96603f916737f1769ed1898fbb66aee21a024 Mon Sep 17 00:00:00 2001 
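Review bot: In the IP detection hunks of vpnsetup.sh and vpnsetup_centos.sh (PATCH 0030), the new `if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"` fallbacks also fire when the operator supplied a malformed `VPN_PUBLIC_IP` or `VPN_PRIVATE_IP`, so a typo is now silently replaced by an auto-detected address, where the previous `[ -z ... ] &&` chain left it alone and the script stopped at `exiterr`. Validate the user-supplied values first and fail on a bad one, then run discovery only when the variable was empty. The two `wget` fallbacks still fetch over plain `http://` and the reply is checked only against `IP_REGEX`, so any well-formed IPv4 address returned on that path is accepted as the server's public IP; printing the detected addresses for the operator to confirm would make a wrong value visible before it is written into the configuration. The private IP fallback also still hard-codes `ifconfig eth0`, which returns nothing on hosts whose interface has a different name; a comment stating that assumption would help.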
From: hwdsl2 Date: Fri, 9 Sep 2016 16:45:39 -0500 Subject: [PATCH 0031/1208] Update docs [ci skip] --- README-zh.md | 4 +-- README.md | 4 +-- azure/README-zh.md | 8 +++--- azure/README.md | 2 +- docs/clients-xauth-zh.md | 32 ++++++++++++--------- docs/clients-xauth.md | 28 ++++++++++-------- docs/clients-zh.md | 61 +++++++++++++++++++++++++--------------- docs/clients.md | 53 +++++++++++++++++++++------------- docs/ikev2-howto-zh.md | 12 ++++++-- docs/ikev2-howto.md | 12 ++++++-- docs/manage-users-zh.md | 2 +- docs/manage-users.md | 2 +- 12 files changed, 133 insertions(+), 87 deletions(-) diff --git a/README-zh.md b/README-zh.md index 547dd4d7ba..46326a9c0c 100644 --- a/README-zh.md +++ b/README-zh.md @@ -121,9 +121,7 @@ DigitalOcean 用户可以参考这个故障排除。 - -**Android 6 (Marshmallow) 用户** 请参考此文档中的注释: 配置 IPsec/L2TP VPN 客户端。 +**Windows 和 Android 6.0/7.0 用户**: 如果在连接过程中遇到错误,请参见 故障排除。 如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 diff --git a/README.md b/README.md index fdb8c030bd..6cbe35d5ba 100644 --- a/README.md +++ b/README.md @@ -121,9 +121,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: ## Important Notes -**Windows users**: If you get an error when trying to connect, see Troubleshooting. - -**Android 6 (Marshmallow) users**: Please see notes in Configure IPsec/L2TP VPN Clients. +**Windows and Android 6.0/7.0 users**: If you get an error when trying to connect, see Troubleshooting. If you wish to add, edit or remove VPN user accounts, refer to Manage VPN Users. diff --git a/azure/README-zh.md b/azure/README-zh.md index 62f275e945..46de68c73b 100644 --- a/azure/README-zh.md +++ b/azure/README-zh.md 
@@ -6,13 +6,13 @@ 根据你的偏好设置以下选项: - - Username for VPN and SSH (VPN 和 SSH 用户名) - - Password for VPN and SSH (VPN 和 SSH 密码) + - Username for VPN and SSH (用户名) + - Password for VPN and SSH (密码) - IPsec Pre-Shared Key (IPsec 预共享密钥) - Operating System Image (操作系统镜像,Debian 8 或 Ubuntu 16.04 LTS) - Virtual Machine Size (虚拟机大小,默认值: Standard_A0) -请点击以下按钮开始: +请单击以下按钮开始: Deploy to Azure @@ -24,4 +24,4 @@ ## 作者 -- Daniel Falkner (https://github.com/derdanu) +版权所有 (C) 2016 [Daniel Falkner](https://github.com/derdanu) diff --git a/azure/README.md b/azure/README.md index af2f2d8f75..4ef9222189 100644 --- a/azure/README.md +++ b/azure/README.md @@ -24,4 +24,4 @@ Screenshot: ## Author -- Daniel Falkner (https://github.com/derdanu) +Copyright (C) 2016 [Daniel Falkner](https://github.com/derdanu) diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index d2ddd30274..2a7c684193 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -1,12 +1,12 @@ -## 配置 IPsec/XAuth VPN 客户端 +# 配置 IPsec/XAuth VPN 客户端 *其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* -*如需使用 IPsec/L2TP 模式连接,请参见: [配置 IPsec/L2TP VPN 客户端](clients-zh.md)* +*注: 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* 在成功搭建自己的 VPN 服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 -`IPsec/XAuth` 模式也称为 "Cisco IPsec"。和 `IPsec/L2TP` 相比较,它通常能够更高效地传输数据。 +IPsec/XAuth 模式也称为 "Cisco IPsec",它通常能够比 IPsec/L2TP 更高效地传输数据。 --- * 平台名称 @@ -15,7 +15,7 @@ * [Android](#android) * [iOS (iPhone/iPad)](#ios) -### Windows ### +## Windows **注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,无需安装额外的软件。 
@@ -33,9 +33,12 @@ 1. 在 **Password** 字段中输入`你的 VPN 密码`。 1. 单击 **Connect**。 -VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabled** 字样。单击 "Network" 选项卡,并确认 **Established - 1** 显示在 "Security Associations" 下面。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabled** 字样。单击 "Network" 选项卡,并确认 **Established - 1** 显示在 "Security Associations" 下面。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 + +如果在连接过程中遇到错误,请参见 故障排除。 + +## OS X -### OS X ### 1. 打开系统偏好设置并转到网络部分。 1. 在窗口左下角单击 **+** 按钮。 1. 从 **接口** 下拉菜单选择 **VPN**。 @@ -52,9 +55,10 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabl 1. 选中 **在菜单栏中显示 VPN 状态** 复选框。 1. 单击 **应用** 保存VPN连接信息。 -要连接到 VPN: 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +要连接到 VPN: 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 + +## Android -### Android ### 1. 启动 **设置** 应用程序。 1. 在 **无线和网络** 部分单击 **更多...**。 1. 单击 **VPN**。 @@ -71,14 +75,12 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabl 1. 选中 **保存帐户信息** 复选框。 1. 单击 **连接**。 -**注:** 如果无法使用 Android 6 (Marshmallow) 连接,请尝试以下解决方案: +VPN 连接成功后,会在通知栏显示图标。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 -1. 单击 VPN 连接右边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请跳到第二步。 -1. (注:最新版本的 VPN 脚本已经包含这些更改)编辑 VPN 服务器上的 `/etc/ipsec.conf`,并在 `ike=` 和 `phase2alg=` 两行结尾添加 `,aes256-sha2_256` 字样。然后在它们下面添加一行 `sha2-truncbug=yes`。每行开头必须空两格。保存修改并运行 `service ipsec restart`。(参考链接) +如果在连接过程中遇到错误,请参见 故障排除。 -VPN 连接成功后,会在通知栏显示图标。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +## iOS -### iOS ### 1. 进入设置 -> 通用 -> VPN。 1. 单击 **添加VPN配置...**。 1. 单击 **类型** 。选择 **IPSec** 并返回。 @@ -91,7 +93,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +VPN 连接成功后,会在通知栏显示图标。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ## 致谢 @@ -99,6 +101,8 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到Joshua Lund 的工作 (版权所有 2014-2016) diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 70489cff22..0a657db3b5 100644 --- a/docs/clients-xauth.md 
+++ b/docs/clients-xauth.md @@ -1,12 +1,12 @@ -## Configure IPsec/XAuth VPN Clients +# Configure IPsec/XAuth VPN Clients *Read this in other languages: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* -*To connect using IPsec/L2TP mode, see: [Configure IPsec/L2TP VPN Clients](clients.md)* +*Note: You may also connect using [IPsec/L2TP mode](clients.md), or set up [IKEv2](ikev2-howto.md).* After setting up your own VPN server, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free Shrew Soft client. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. -`IPsec/XAuth` mode is also called "Cisco IPsec". Compared to `IPsec/L2TP`, it is generally faster with less overhead. +IPsec/XAuth mode is also called "Cisco IPsec". It is generally faster than IPsec/L2TP with less overhead. --- * Platforms @@ -15,9 +15,9 @@ After settin * [Android](#android) * [iOS (iPhone/iPad)](#ios) -### Windows ### +## Windows -**Note:** You can also connect using [IPsec/L2TP mode](clients.md). No additional software is required. +**Note:** You may also connect using [IPsec/L2TP mode](clients.md). No additional software is required. 1. Download and install the free Shrew Soft VPN client. 1. Click Start Menu -> All Programs -> ShrewSoft VPN Client -> VPN Access Manager 
@@ -35,7 +35,10 @@ After settin Once connected, you will see **tunnel enabled** in the VPN Connect status window. Click the "Network" tab, and confirm that **Established - 1** is displayed under "Security Associations". You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". -### OS X ### +If you get an error when trying to connect, see Troubleshooting. + +## OS X + 1. Open System Preferences and go to the Network section. 1. Click the **+** button in the lower-left corner of the window. 1. Select **VPN** from the **Interface** drop-down menu. @@ -54,7 +57,8 @@ Once connected, you will see **tunnel enabled** in the VPN Connect status window To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". -### Android ### +## Android + 1. Launch the **Settings** application. 1. Tap **More...** in the **Wireless & Networks** section. 1. Tap **VPN**. 
@@ -71,14 +75,12 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy 1. Check the **Save account information** checkbox. 1. Tap **Connect**. -**Note:** If unable to connect using Android 6 (Marshmallow), try these workarounds: +Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". -1. Tap the settings icon next to your VPN profile. Select "Show Advanced Options" and scroll down to the bottom. If the option "Backwards-compatible mode" exists, enable it and reconnect the VPN. If not, skip to step 2. -1. (Note: Latest version of the VPN scripts already include these changes) Edit `/etc/ipsec.conf` on the VPN server and append `,aes256-sha2_256` to both `ike=` and `phase2alg=` lines. Then add a new line `sha2-truncbug=yes` immediately after those. Indent lines with two spaces. Save the file and run `service ipsec restart`. (Reference) +If you get an error when trying to connect, see Troubleshooting. -Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +## iOS -### iOS ### 1. Go to Settings -> General -> VPN. 1. Tap **Add VPN Configuration...**. 1. Tap **Type**. Select **IPSec** and go back. @@ -99,6 +101,8 @@ This document was adapted from the the work of Joshua Lund (Copyright 2014-2016) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index c171269d55..6bb09fed70 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -1,12 +1,12 @@ -## 配置 IPsec/L2TP VPN 客户端 +# 配置 IPsec/L2TP VPN 客户端 *其他语言版本: [English](clients.md), [简体中文](clients-zh.md).* -*如需使用 IPsec/XAuth 模式连接,请参见: [配置 IPsec/XAuth VPN 客户端](clients-xauth-zh.md)* +*注: 你也可以使用 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* 在成功搭建自己的 VPN 服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 -你也可以参考另一个带图片的安装指南,由 Tony Tran 编写。 +另一个带图片的安装指南可供参考,它由 Tony Tran 编写。 --- * 平台名称 @@ -15,11 +15,12 @@ * [Android](#android) * [iOS (iPhone/iPad)](#ios) * [Chromebook](#chromebook) + * [Windows Phone](#windows-phone) * [Linux](#linux) -### Windows ### +## Windows -**Windows 10 and 8.x:** +### Windows 10 and 8.x 1. 右键单击系统托盘中的无线/网络图标。 1. 选择 **打开网络与共享中心**。 @@ -37,7 +38,7 @@ 1. 单击 **确定** 关闭 **高级设置**。 1. 单击 **确定** 保存 VPN 连接的详细信息。 -**Windows 7, Vista and XP:** +### Windows 7, Vista and XP 1. 单击开始菜单,选择控制面板。 1. 进入 **网络和Internet** 部分。 @@ -63,11 +64,12 @@ 1. 单击 **确定** 关闭 **高级设置**。 1. 单击 **确定** 保存 VPN 连接的详细信息。 -要连接到 VPN: 单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名` 和 `密码` ,并单击 **确定**。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +要连接到 VPN: 单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名` 和 `密码` ,并单击 **确定**。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 如果在连接过程中遇到错误,请参见 故障排除。 -### OS X ### +## OS X + 1. 打开系统偏好设置并转到网络部分。 1. 在窗口左下角单击 **+** 按钮。 1. 从 **接口** 下拉菜单选择 **VPN**。 @@ -85,9 +87,10 @@ 1. 单击 **TCP/IP** 选项卡,并在 **配置IPv6** 部分中选择 **仅本地链接**。 1. 单击 **好** 关闭高级设置,然后单击 **应用** 保存VPN连接信息。 -要连接到 VPN: 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +要连接到 VPN: 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 + +## Android -### Android ### 1. 启动 **设置** 应用程序。 1. 在 **无线和网络** 部分单击 **更多...**。 1. 单击 **VPN**。 
@@ -103,14 +106,12 @@ 1. 选中 **保存帐户信息** 复选框。 1. 单击 **连接**。 -**注:** 如果无法使用 Android 6 (Marshmallow) 连接,请尝试以下解决方案: +VPN 连接成功后,会在通知栏显示图标。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 -1. 单击 VPN 连接右边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请跳到第二步。 -1. (注:最新版本的 VPN 脚本已经包含这些更改)编辑 VPN 服务器上的 `/etc/ipsec.conf`,并在 `ike=` 和 `phase2alg=` 两行结尾添加 `,aes256-sha2_256` 字样。然后在它们下面添加一行 `sha2-truncbug=yes`。每行开头必须空两格。保存修改并运行 `service ipsec restart`。(参考链接) +如果在连接过程中遇到错误,请参见 故障排除。 -VPN 连接成功后,会在通知栏显示图标。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +## iOS -### iOS ### 1. 进入设置 -> 通用 -> VPN。 1. 单击 **添加VPN配置...**。 1. 单击 **类型** 。选择 **L2TP** 并返回。 @@ -123,9 +124,10 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +VPN 连接成功后,会在通知栏显示图标。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 + +## Chromebook -### Chromebook ### 1. 如果你尚未登录 Chromebook,请先登录。 1. 单击状态区(其中显示你的帐户头像)。 1. 单击 **设置**。 @@ -139,11 +141,15 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 + +## Windows Phone -### Linux ### +Windows Phone 8.1 和更新版本的用户可以尝试这个教程。请注意,该平台的 IPsec/L2TP 支持可能有一些问题。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 -**Ubuntu and Debian:** +## Linux + +### Ubuntu & Debian 按照 这个教程 的步骤操作。需要更正以下项: @@ -163,7 +169,7 @@ VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可 如果遇到错误,请检查 `ifconfig` 的输出并将上面的 `ppp0` 换成 `ppp1`,等等。 -检查 VPN 是否正常工作: +连接成功后,检查 VPN 是否正常工作: ``` wget -qO- http://whatismyip.akamai.com; echo ``` @@ -175,7 +181,7 @@ wget -qO- http://whatismyip.akamai.com; echo sudo route del default dev ppp0 ``` -**CentOS and Fedora:** +### CentOS & Fedora 参照上面的 Ubuntu/Debian 部分,并进行以下改动: @@ -183,7 +189,7 @@ sudo route del default dev ppp0 1. 在这些系统中,`ipsec` 命令已经被重命名为 `strongswan`。 1. 文件 `ipsec.conf` 和 `ipsec.secrets` 应该保存在 `/etc/strongswan` 目录中。 -**Other Linux:** +### Other Linux 如果你的系统提供 `strongswan` 软件包,请参见上面的两个部分。 
@@ -219,6 +225,13 @@ sudo route del default dev ppp0 ![Select CHAP in VPN connection properties](images/vpn-properties-zh.png) +### Android 6.0 and 7.0 + +如果你无法使用 Android 6.0 (Marshmallow) 或者 7.0 (Nougat) 连接,请尝试以下解决方案: + +1. 单击 VPN 连接旁边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请看下一步。 +1. (注: 最新版本的 VPN 脚本已经包含这些更改) 编辑 VPN 服务器上的 `/etc/ipsec.conf`,并在 `ike=` 和 `phase2alg=` 两行结尾添加 `,aes256-sha2_256` 字样。然后在它们下面添加一行 `sha2-truncbug=yes`。每行开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) + ### 其它错误 更多的故障排除信息请参见 这个文档。 @@ -229,6 +242,8 @@ sudo route del default dev ppp0 ## 授权协议 +注: 这个协议仅适用于本文档。 + 版权所有 (C) 2016 Lin Song 基于 Joshua Lund 的工作 (版权所有 2014-2016) diff --git a/docs/clients.md b/docs/clients.md index 1fb8d6371e..37d0dbf541 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -1,12 +1,12 @@ -## Configure IPsec/L2TP VPN Clients +# Configure IPsec/L2TP VPN Clients *Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).* -*To connect using IPsec/XAuth mode, see: [Configure IPsec/XAuth VPN Clients](clients-xauth.md)* +*Note: You may also connect using [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).* After setting up your own VPN server, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. -You may also refer to this alternative setup guide with images by Tony Tran. +An alternative setup guide with images is available, written by Tony Tran. --- * Platforms @@ -15,11 +15,12 @@ You may also refer to this alternative Troubleshooting. -### OS X ### +## OS X + 1. Open System Preferences and go to the Network section. 1. Click the **+** button in the lower-left corner of the window. 1. Select **VPN** from the **Interface** drop-down menu. 
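Review bot: In the `docs/clients-zh.md` hunk that adds the "Android 6.0 and 7.0" troubleshooting section, step 2 tells the reader to append `,aes256-sha2_256` to the `ike=` and `phase2alg=` lines and to add `sha2-truncbug=yes`, without saying what the option changes or whether it affects other clients that use the same settings in `/etc/ipsec.conf`. Add one sentence on the effect and scope of `sha2-truncbug=yes`, and suggest keeping a copy of the file before editing, so an operator can judge the change and revert it. The matching section in `docs/clients.md` should carry the same wording.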
@@ -87,7 +89,8 @@ If you get an error when trying to connect, see Troub To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". -### Android ### +## Android + 1. Launch the **Settings** application. 1. Tap **More...** in the **Wireless & Networks** section. 1. Tap **VPN**. 
@@ -103,14 +106,12 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy 1. Check the **Save account information** checkbox. 1. Tap **Connect**. -**Note:** If unable to connect using Android 6 (Marshmallow), try these workarounds: +Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". -1. Tap the settings icon next to your VPN profile. Select "Show Advanced Options" and scroll down to the bottom. If the option "Backwards-compatible mode" exists, enable it and reconnect the VPN. If not, skip to step 2. -1. (Note: Latest version of the VPN scripts already include these changes) Edit `/etc/ipsec.conf` on the VPN server and append `,aes256-sha2_256` to both `ike=` and `phase2alg=` lines. Then add a new line `sha2-truncbug=yes` immediately after those. Indent lines with two spaces. Save the file and run `service ipsec restart`. (Reference) +If you get an error when trying to connect, see Troubleshooting. -Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +## iOS -### iOS ### 1. Go to Settings -> General -> VPN. 1. Tap **Add VPN Configuration...**. 1. Tap **Type**. Select **L2TP** and go back. @@ -125,7 +126,8 @@ Once connected, you will see a VPN icon in the notification bar. You can verify Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". -### Chromebook ### +## Chromebook + 1. If you haven't already, sign in to your Chromebook. 1. Click the status area, where your account picture appears. 1. Click **Settings**. 
@@ -141,9 +143,13 @@ Once connected, you will see a VPN icon in the status bar. You can verify that y Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". -### Linux ### +## Windows Phone -**Ubuntu and Debian:** +Users with Windows Phone 8.1 and newer, try this tutorial. Please note that IPsec/L2TP support on this platform may have some issues. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". + +## Linux + +### Ubuntu & Debian Follow the steps in this tutorial. Some corrections are required: @@ -163,7 +169,7 @@ Follow the steps in Ref) + ### Other Errors Please refer to this document for more troubleshooting tips. @@ -229,6 +242,8 @@ This document was adapted from the the work of Joshua Lund (Copyright 2014-2016) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index ad4a74a470..529219fc28 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -2,12 +2,18 @@ *其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* +--- + **重要提示:** 本指南仅适用于**高级用户**。其他用户请使用 IPsec/L2TP 或者 IPsec/XAuth。 -Windows 7 和更新版本支持 IKEv2 和 MOBIKE 标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security association,SA)。与 IKEv1 相比较,IKEv2 带来许多功能改进,比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。 +--- + +Windows 7 和更新版本 (包括 Windows Phone 8.1 及以上) 支持 IKEv2 和 MOBIKE 标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security association,SA)。与 IKEv1 相比较,IKEv2 带来许多功能改进,比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。 Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。除了 Windows 之外,它也可用于 strongSwan Android VPN 客户端。下面举例说明如何配置 IKEv2。 +首先,请确保你已经成功地搭建了自己的 VPN 服务器。以下命令必须用 `root` 账户运行。 + 1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。 ```bash @@ -197,11 +203,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect - 连接成功后,你可以到这里检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 + 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ## 已知问题 -Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误 "Error 809",或者可能在连接后无法打开任何网站。如果出现这些问题,请首先尝试 这个解决方案。如果仍然无法解决,请使用 IPsec/L2TP 或者 IPsec/XAuth 协议连接。 +Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误 "Error 809",或者可能在连接后无法打开任何网站。如果出现这些问题,请首先尝试 这个解决方案。如果仍然无法解决,请使用 IPsec/L2TP 或者 IPsec/XAuth 模式连接。 ## 参考链接 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 0f0f5c91d8..117b16208e 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -2,12 +2,18 @@ *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* +--- + **IMPORTANT:** This guide is for **advanced users** ONLY. Other users please use IPsec/L2TP or IPsec/XAuth. -Windows 7 and newer releases support the IKEv2 and MOBIKE standards through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. Compared to IKEv1, IKEv2 has many improvements such as Standard Mobility support through MOBIKE, and improved reliability. +--- + +Windows 7 and newer releases (including Windows Phone 8.1 and newer) support the IKEv2 and MOBIKE standards through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. Compared to IKEv1, IKEv2 has many improvements such as Standard Mobility support through MOBIKE, and improved reliability. Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. Besides Windows, it can also be used with strongSwan Android VPN client. The following examples show how to configure IKEv2. +First, make sure you have successfully set up your VPN server. Commands below must be run as `root`. + 1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same. ```bash 
@@ -201,9 +207,9 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica ## Known Issues -The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail with "Error 809", or you may be unable to open any website after connecting. If this happens, first try this workaround. If it doesn't work, please connect using IPsec/L2TP or IPsec/XAuth instead. +The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail with "Error 809", or you may be unable to open any website after connecting. If this happens, first try this workaround. If it doesn't work, please connect using IPsec/L2TP or IPsec/XAuth modes instead. -## Useful Links +## References * https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 0f80c0554b..3c62ee0e7a 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md @@ -1,4 +1,4 @@ -## 管理 VPN 用户 +# 管理 VPN 用户 *其他语言版本: [English](manage-users.md), [简体中文](manage-users-zh.md).* diff --git a/docs/manage-users.md b/docs/manage-users.md index 55d7fba42f..3a2e2e6d40 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md @@ -1,4 +1,4 @@ -## Manage VPN Users +# Manage VPN Users *Read this in other languages: [English](manage-users.md), [简体中文](manage-users-zh.md).* From b8bc702f2112208c9dcd75c2e29c24fcdc6fe78f Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 18 Sep 2016 17:22:15 -0500 Subject: [PATCH 0032/1208] Update docs [ci skip] --- README-zh.md | 15 +++++++++++---- README.md | 13 ++++++++++--- docs/clients-zh.md | 6 +++++- docs/clients.md | 6 +++++- docs/ikev2-howto.md | 2 +- docs/manage-users-zh.md | 2 +- 6 files changed, 33 insertions(+), 11 deletions(-) 
diff --git a/README-zh.md b/README-zh.md index 46326a9c0c..47f339c878 100644 --- a/README-zh.md +++ b/README-zh.md @@ -1,7 +1,7 @@ # IPsec VPN 服务器一键安装脚本 [![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) -[![Author](https://img.shields.io/badge/author-Lin%20Song-orange.svg?maxAge=2592000)](https://www.linkedin.com/in/linsongui) +[![Author](https://img.shields.io/badge/author-Lin%20Song-blue.svg?maxAge=2592000)](#作者) [![GitHub stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server) @@ -54,7 +54,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 **-或者-** -一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行另一个脚本。 OpenVZ VPS 不受支持,用户可以尝试使用 ShadowsocksR 或者 OpenVPN。 +一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行另一个脚本。 OpenVZ VPS 不受支持,用户可以尝试使用 Shadowsocks/ShadowsocksR 或者 OpenVPN。 这也包括各种云计算服务中的 Linux 虚拟机,比如 Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean, Vultr 和 Linode。 @@ -137,7 +137,14 @@ DigitalOcean 用户可以参考这个vpnupgrade.shvpnupgrade_centos.sh,可用于升级 Libreswan (网站 | 通知列表)。请在运行前根据需要修改 `swan_ver` 变量。检查已安装版本: `ipsec --version` +提供两个额外的脚本 vpnupgrade.shvpnupgrade_centos.sh,可用于升级 Libreswan (网站 | 通知列表)。请在运行前根据需要修改 `swan_ver` 变量。检查已安装版本: `ipsec --version`. + +```bash +# Ubuntu & Debian +wget https://git.io/vpnupgrade -O vpnupgrade.sh +# CentOS & RHEL +wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh +``` ## 问题和反馈 @@ -155,7 +162,7 @@ DigitalOcean 用户可以参考这个IKEv2 VPN Server on Docker - Streisand - SoftEther VPN -- ShadowsocksR +- Shadowsocks/ShadowsocksR - OpenVPN Install - Setup strongSwan diff --git a/README.md b/README.md index 6cbe35d5ba..744630f614 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ # IPsec VPN Server Auto Setup Scripts [![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) -[![Author](https://img.shields.io/badge/author-Lin%20Song-orange.svg?maxAge=2592000)](https://www.linkedin.com/in/linsongui) +[![Author](https://img.shields.io/badge/author-Lin%20Song-blue.svg?maxAge=2592000)](#author) [![GitHub stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server) @@ -137,7 +137,14 @@ The scripts will backup existing config files before making changes, with `.old- ## Upgrade Libreswan -The additional scripts vpnupgrade.sh and vpnupgrade_centos.sh can be used to upgrade Libreswan (website | mailing list). Edit the `swan_ver` variable as necessary. Check installed version: `ipsec --version` +The additional scripts vpnupgrade.sh and vpnupgrade_centos.sh can be used to upgrade Libreswan (website | mailing list). Edit the `swan_ver` variable as necessary. Check installed version: `ipsec --version`. + +```bash +# Ubuntu & Debian +wget https://git.io/vpnupgrade -O vpnupgrade.sh +# CentOS & RHEL +wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh +``` ## Bugs & Questions @@ -155,7 +162,7 @@ Please refer to Uninstall the VPNIKEv2 VPN Server on Docker - Streisand - SoftEther VPN -- ShadowsocksR +- Shadowsocks/ShadowsocksR - OpenVPN Install - Setup strongSwan diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 6bb09fed70..f2a931b339 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
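Review bot: In the README.md "Upgrade Libreswan" hunk, both `wget` commands fetch a script through a `git.io` short link, which hides the final URL from anyone reading the instructions, and the CentOS line saves to `vpnupgrade.sh` although the paragraph above names that script `vpnupgrade_centos.sh`. Use the full repository URL of each script so readers can see what they are downloading before running it, and keep the output filename consistent with the script name. The README-zh.md hunk carries the same block.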
@@ -234,7 +234,11 @@ sudo route del default dev ppp0 ### 其它错误 -更多的故障排除信息请参见 这个文档。 +更多的故障排除信息请参见以下链接: + +https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ +http://www.tp-link.com/en/faq-1029.html ## 致谢 diff --git a/docs/clients.md b/docs/clients.md index 37d0dbf541..e6ed18f495 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -234,7 +234,11 @@ If you are unable to connect using Android 6.0 (Marshmallow) or 7.0 (Nougat), tr ### Other Errors -Please refer to this document for more troubleshooting tips. +Refer to the links below for more troubleshooting tips: + +https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ +http://www.tp-link.com/en/faq-1029.html ## Credits diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 117b16208e..c73d7583b2 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -207,7 +207,7 @@ First, make sure you have successfully this workaround. If it doesn't work, please connect using IPsec/L2TP or IPsec/XAuth modes instead. +The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail with "Error 809", or you may be unable to open any website after connecting. If this happens, first try this workaround. If it doesn't work, please connect using IPsec/L2TP or IPsec/XAuth instead. ## References diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 3c62ee0e7a..57aa64fee6 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md 
@@ -2,7 +2,7 @@ *其他语言版本: [English](manage-users.md), [简体中文](manage-users-zh.md).* -在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,编辑或者删除用户,请阅读本文档。 +在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,修改或者删除用户,请阅读本文档。 首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets`。如果要更换一个新的 PSK,可以编辑此文件。 From 7cdd372a6e2d80066ebd79cb52e77d584f5f873e Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 21 Sep 2016 21:06:22 -0500 Subject: [PATCH 0033/1208] Improve IPTables rules - Fixed an uncommon use case where the setup script is run again after a server IP change. Make sure to update IPTables rules in this case. - Thanks @larryisthere! Ref: #17 --- vpnsetup.sh | 16 +++++++++++++--- vpnsetup_centos.sh | 16 +++++++++++++--- 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 4599c81f92..36777bd257 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -323,10 +323,20 @@ net.ipv4.tcp_wmem = 10240 87380 12582912 EOF fi -# Create basic IPTables rules. First check for existing rules. -# - If IPTables is "empty", simply write out the new rules. -# - If *not* empty, insert new rules and save them with existing ones. +# Check if IPTables rules need updating +ipt_flag=0 if ! grep -qs "hwdsl2 VPN script" /etc/iptables.rules; then + ipt_flag=1 +elif ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then + ipt_flag=1 +elif ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then + ipt_flag=1 +fi + +# Create basic IPTables rules +# - If IPTables is "empty", write out the entire new rule set. +# - If *not* empty, insert only the required rules for the VPN. +if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 iptables-save > "/etc/iptables.rules.old-$sys_dt" sshd_port="$(ss -nlput | grep sshd | awk '{print $5}' | head -n 1 | grep -Eo '[0-9]{1,5}$')" diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 0f8afaaa43..4792f8df87 100755 
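Review bot: In the `vpnsetup.sh` hunk, the two new `iptables -t nat -C POSTROUTING ... --to-source "$PRIVATE_IP"` checks set `ipt_flag=1` when the saved rules point at an old address, but the comment that follows says the block only inserts the required rules, and nothing visible here removes the SNAT rules that carry the previous `PRIVATE_IP`. Please confirm the block deletes the stale entries before inserting; otherwise each run after an IP change leaves another pair of SNAT rules behind. Also, `2>/dev/null` makes any `-C` failure, not only a missing rule, count as "needs updating"; a short comment saying that is intended would help. The `vpnsetup_centos.sh` hunk is identical apart from the rules file path.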
--- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -317,10 +317,20 @@ net.ipv4.tcp_wmem = 10240 87380 12582912 EOF fi -# Create basic IPTables rules. First check for existing rules. -# - If IPTables is "empty", simply write out the new rules. -# - If *not* empty, insert new rules and save them with existing ones. +# Check if IPTables rules need updating +ipt_flag=0 if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/iptables; then + ipt_flag=1 +elif ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then + ipt_flag=1 +elif ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then + ipt_flag=1 +fi + +# Create basic IPTables rules +# - If IPTables is "empty", write out the entire new rule set. +# - If *not* empty, insert only the required rules for the VPN. +if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 iptables-save > "/etc/sysconfig/iptables.old-$sys_dt" sshd_port="$(ss -nlput | grep sshd | awk '{print $5}' | head -n 1 | grep -Eo '[0-9]{1,5}$')" From cce15b7f0880f9713452d1c0c2eda2fa0141d172 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 23 Sep 2016 00:39:36 -0500 Subject: [PATCH 0034/1208] Improve IP checking - Use a function to simplify code for IP checking - Remove new lines before matching with IP regex --- vpnsetup.sh | 25 +++++++++---------------- vpnsetup_centos.sh | 25 +++++++++---------------- 2 files changed, 18 insertions(+), 32 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 36777bd257..5e3b24f884 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -35,6 +35,10 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" exiterr() { echo "Error: ${1}" >&2; exit 1; } exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } +check_ip() { + IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" + printf %s "${1}" | tr -d '\n' | grep -Eq "$IP_REGEX" +} os_type="$(lsb_release -si 2>/dev/null)" if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ] && [ "$os_type" != "Raspbian" ]; then 
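Review bot: `check_ip` matches a copy of its argument with newlines deleted (`tr -d '\n'`), while the callers in this patch (`check_ip "$PUBLIC_IP" || ...`, `check_ip "$PRIVATE_IP" || ...`) keep using the original variable, so a value with an embedded newline can pass the check and still be carried, newline included, into whatever the script writes later. Rejecting any argument that contains a newline, instead of stripping it before the match, keeps the checked value and the used value identical. `IP_REGEX` is also reassigned as a global on every call; defining it once next to the function would be tidier.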
@@ -124,22 +128,11 @@ PRIVATE_IP=${VPN_PRIVATE_IP:-''} [ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') # Check IPs for correct format -IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" -if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then - PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com) -fi -if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then - PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) -fi -if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then - exiterr "Cannot find valid public IP. Edit the script and manually enter IPs." -fi -if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then - PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') -fi -if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then - exiterr "Cannot find valid private IP. Edit the script and manually enter IPs." -fi +check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com) +check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) +check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter IPs." +check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') +check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs." # Install necessary packages apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 4792f8df87..8e97b5f3bf 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -35,6 +35,10 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" exiterr() { echo "Error: ${1}" >&2; exit 1; } exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } +check_ip() { + IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" + printf %s "${1}" | tr -d '\n' | grep -Eq "$IP_REGEX" +} if [ ! -f /etc/redhat-release ]; then exiterr "This script only supports CentOS/RHEL." 
@@ -111,22 +115,11 @@ PRIVATE_IP=${VPN_PRIVATE_IP:-''} [ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') # Check IPs for correct format -IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" -if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then - PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com) -fi -if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then - PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) -fi -if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then - exiterr "Cannot find valid public IP. Edit the script and manually enter IPs." -fi -if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then - PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') -fi -if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then - exiterr "Cannot find valid private IP. Edit the script and manually enter IPs." -fi +check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com) +check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) +check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter IPs." +check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') +check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs." # Add the EPEL repository yum -y install epel-release || exiterr2 From 0e51150d84b79ea73fc9a1a48d814a24f2763599 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 23 Sep 2016 14:31:10 -0500 Subject: [PATCH 0035/1208] Check VPN credentials - If the provided VPN credentials contain \ " or ', exit with error - The above special characters can cause issues with the VPN --- vpnsetup.sh | 6 ++++++ vpnsetup_centos.sh | 6 ++++++ 2 files changed, 12 insertions(+) 
diff --git a/vpnsetup.sh b/vpnsetup.sh index 5e3b24f884..4ae281c7e8 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -82,6 +82,12 @@ if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then exiterr "All VPN credentials must be specified. Edit the script and re-enter them." fi +case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in + *[\\\"\']*) + exiterr "VPN credentials must not contain any of these characters: \\ \" '" + ;; +esac + if [ "$(sed 's/\..*//' /etc/debian_version 2>/dev/null)" = "7" ]; then cat <<'EOF' IMPORTANT: Workaround required for Debian 7 (Wheezy). diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 8e97b5f3bf..e815da0115 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -85,6 +85,12 @@ if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then exiterr "All VPN credentials must be specified. Edit the script and re-enter them." fi +case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in + *[\\\"\']*) + exiterr "VPN credentials must not contain any of these characters: \\ \" '" + ;; +esac + echo "VPN setup in progress... Please be patient." echo From 6d3b7239de48166dfed4d3f3bc1a4d2a9dda92d3 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 26 Sep 2016 01:08:02 -0500 Subject: [PATCH 0036/1208] Update docs [ci skip] --- README-zh.md | 10 ++++++---- README.md | 20 +++++++++++--------- docs/manage-users-zh.md | 2 ++ docs/manage-users.md | 2 ++ 4 files changed, 21 insertions(+), 13 deletions(-) diff --git a/README-zh.md b/README-zh.md index 47f339c878..2fc954747a 100644 --- a/README-zh.md +++ b/README-zh.md 
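Review bot: The `case` added to vpnsetup.sh and vpnsetup_centos.sh by "Check VPN credentials" matches the three values as one space-joined string, so the error cannot say which of `VPN_IPSEC_PSK`, `VPN_USER` or `VPN_PASSWORD` is at fault, and the pattern `*[\\\"\']*` lets whitespace and newlines through. A separate `case` per variable would allow a specific message, and it is worth deciding explicitly whether spaces and control characters are acceptable in these values. The diffstat shows only the two scripts changing, so the restriction is not documented in the README; users who pass credentials as environment variables will learn about it only from the error.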
@@ -1,7 +1,7 @@ # IPsec VPN 服务器一键安装脚本 [![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) -[![Author](https://img.shields.io/badge/author-Lin%20Song-blue.svg?maxAge=2592000)](#作者) +[![Author](https://static.ls20.com/travis-ci/author.svg)](#作者) [![GitHub stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server) @@ -34,7 +34,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 ## 功能特性 - **新:** 增加支持更高效的 `IPsec/XAuth ("Cisco IPsec")` 模式 -- **新:** 现在可以下载 VPN 服务器的预构建 [Docker 镜像](#另见) +- **新:** 现在可以下载 VPN 服务器的预构建 Docker 镜像 - 全自动的 IPsec VPN 服务器配置,无需用户输入 - 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持 - 可直接作为 Amazon EC2 实例创建时的用户数据使用 @@ -54,7 +54,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 **-或者-** -一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行另一个脚本。 OpenVZ VPS 不受支持,用户可以尝试使用 Shadowsocks/ShadowsocksR 或者 OpenVPN。 +一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行另一个脚本。 OpenVZ VPS 不受支持,用户可以尝试使用 Shadowsocks / ShadowsocksR 或者 OpenVPN。 这也包括各种云计算服务中的 Linux 虚拟机,比如 Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean, Vultr 和 Linode。 @@ -125,6 +125,8 @@ DigitalOcean 用户可以参考这个管理 VPN 用户。 +同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 协议的局限性,如果上述设备属于同一个 NAT 网络(比如家用路由器),它们无法同时连接到 VPN 服务器。 + 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 对于有外部防火墙的服务器(比如 EC2/GCE),请打开 UDP 端口 500 和 4500,以及 TCP 端口 22 (用于 SSH)。 @@ -162,7 +164,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh - IKEv2 VPN Server on Docker - Streisand - SoftEther VPN -- Shadowsocks/ShadowsocksR +- Shadowsocks / ShadowsocksR - OpenVPN Install - Setup strongSwan 
diff --git a/README.md b/README.md index 744630f614..ddd036d4ea 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # IPsec VPN Server Auto Setup Scripts [![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) -[![Author](https://img.shields.io/badge/author-Lin%20Song-blue.svg?maxAge=2592000)](#author) +[![Author](https://static.ls20.com/travis-ci/author.svg)](#author) [![GitHub stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server) @@ -22,19 +22,19 @@ We will use Libreswan as th - [Installation](#installation) - [Ubuntu & Debian](#ubuntu--debian) - [CentOS & RHEL](#centos--rhel) -- [Next Steps](#next-steps) -- [Important Notes](#important-notes) +- [Next steps](#next-steps) +- [Important notes](#important-notes) - [Upgrade Libreswan](#upgrade-libreswan) - [Bugs & Questions](#bugs--questions) - [Uninstallation](#uninstallation) -- [See Also](#see-also) +- [See also](#see-also) - [Author](#author) - [License](#license) ## Features - **New:** The faster `IPsec/XAuth ("Cisco IPsec")` mode is supported -- **New:** A pre-built [Docker image](#see-also) of the VPN server is now available +- **New:** A pre-built Docker image of the VPN server is now available - Fully automated IPsec VPN server setup, no user input needed - Encapsulates all VPN traffic in UDP - does not need ESP protocol - Can be directly used as "user-data" for a new Amazon EC2 instance @@ -108,7 +108,7 @@ First, update your system with `yum update` and reboot. This is optional, but re Follow the same steps as above, but replace `https://git.io/vpnsetup` with `https://git.io/vpnsetup-centos`. -## Next Steps +## Next steps Get your computer or device to use the VPN. Please refer to: 
@@ -119,12 +119,14 @@ Get your computer or device to use the VPN. Please refer to: Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: -## Important Notes +## Important notes **Windows and Android 6.0/7.0 users**: If you get an error when trying to connect, see Troubleshooting. If you wish to add, edit or remove VPN user accounts, refer to Manage VPN Users. +The same VPN account can be used by your multiple devices. However, due to a limitation of the IPsec protocol, if these devices are behind the same NAT (e.g. home router), they cannot simultaneously connect to the VPN server. + Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 & 4500, and TCP port 22 (for SSH). @@ -156,13 +158,13 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh Please refer to Uninstall the VPN. -## See Also +## See also - IPsec VPN Server on Docker - IKEv2 VPN Server on Docker - Streisand - SoftEther VPN -- Shadowsocks/ShadowsocksR +- Shadowsocks / ShadowsocksR - OpenVPN Install - Setup strongSwan diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 57aa64fee6..2ebcdd4f10 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md @@ -4,6 +4,8 @@ 在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,修改或者删除用户,请阅读本文档。 +**注:** 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 协议的局限性,如果上述设备属于同一个 NAT 网络(比如家用路由器),它们无法同时连接到 VPN 服务器。即使你创建多个用户也是如此。 + 首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets`。如果要更换一个新的 PSK,可以编辑此文件。 ```bash diff --git a/docs/manage-users.md b/docs/manage-users.md index 3a2e2e6d40..67d159301d 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md 
@@ -4,6 +4,8 @@ By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this document. +**Note:** The same VPN account can be used by your multiple devices. However, due to a limitation of the IPsec protocol, if these devices are behind the same NAT (e.g. home router), they cannot simultaneously connect to the VPN server. This applies even if you create multiple users. + First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. ```bash From 1f7d9f1687dc85f79fb40f6524617c4bf4255f60 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 28 Sep 2016 14:50:49 -0500 Subject: [PATCH 0037/1208] Update IKEv2 howto [ci skip] --- docs/ikev2-howto-zh.md | 23 +++++++++++++---------- docs/ikev2-howto.md | 23 +++++++++++++---------- 2 files changed, 26 insertions(+), 20 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 529219fc28..dfaa7536d6 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -8,7 +8,7 @@ --- -Windows 7 和更新版本 (包括 Windows Phone 8.1 及以上) 支持 IKEv2 和 MOBIKE 标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security association,SA)。与 IKEv1 相比较,IKEv2 带来许多功能改进,比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。 +Windows 7 和更新版本 (包括 Windows Phone 8.1 及以上) 支持 IKEv2 和 MOBIKE 标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较,IKEv2 带来许多功能改进,比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。 Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。除了 Windows 之外,它也可用于 strongSwan Android VPN 客户端。下面举例说明如何配置 IKEv2。 
@@ -17,7 +17,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。 ```bash - $ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) + $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com) $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') $ echo "$PUBLIC_IP" (Your public IP is displayed) @@ -57,10 +57,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 EOF ``` -1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: +1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: + 注: 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。 ```bash - $ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t "CT,," -2 + $ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2 A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a @@ -83,7 +84,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Is this a critical extension [y/N]? N - $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP" + $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP" A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a 
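Review bot: In the `-17,7` hunk of docs/ikev2-howto-zh.md, `PUBLIC_IP` is now taken from a plain-HTTP response (`wget -t 3 -T 15 -qO- http://whatismyip.akamai.com`), and the later hunks feed it directly into the server certificate as `-n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" ... -8 "$PUBLIC_IP"`. The step only asks the reader to make sure the value is not empty; it should ask them to confirm that the address printed by `echo "$PUBLIC_IP"` really is the server's public IP before the certificate is generated, since a wrong value ends up in the certificate name. For the `-v 12` to `-v 36` change, the added note explains the unit of `-v`, but the guide could also say what to do when a certificate expires or a client certificate has to be withdrawn before then.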
@@ -156,18 +157,18 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 生成客户端证书,并且导出 p12 文件。该文件包含客户端证书,私钥以及 CA 证书: ```bash - $ certutil -S -c "Example CA" -n "winclient" -s "O=Example,CN=winclient" -k rsa -g 4096 -v 12 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "winclient" + $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "vpnclient" -- repeat same extensions as above -- - $ pk12util -o winclient.p12 -n "winclient" -d sql:/etc/ipsec.d + $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d Enter password for PKCS12 file: Re-enter password: pk12util: PKCS12 EXPORT SUCCESSFUL ``` - 可以重复该步骤来为更多的客户端生成证书,但必须把所有的 `winclient` 换成 `winclient2`,等等。 + 可以重复该步骤来为更多的客户端生成证书,但必须把所有的 `vpnclient` 换成 `vpnclient2`,等等。 1. 证书数据库现在应该包含以下内容: @@ -179,7 +180,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Example CA CTu,u,u ($PUBLIC_IP) u,u,u - winclient u,u,u + vpnclient u,u,u ``` 注:如需删除证书,可运行命令 `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"`。 @@ -190,11 +191,13 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ service ipsec restart ``` -1. 文件 `winclient.p12` 应该被安全的传送到 Windows 客户端计算机,并且导入到 Computer 证书存储。在导入 CA 证书后,它必须被放入(或移动到) "Trusted Root Certification Authorities" 目录的 "Certificates" 子目录中。 +1. 文件 `vpnclient.p12` 应该被安全的传送到 Windows 客户端计算机,并且导入到 Computer 证书存储。在导入 CA 证书后,它必须被放入(或移动到) "Trusted Root Certification Authorities" 目录的 "Certificates" 子目录中。 详细的操作步骤: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs + Windows Phone 8.1 及以上版本用户: 首先导入 .p12 文件,然后参照 这些说明 配置一个基于证书的 IKEv2 VPN。 + 1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。 https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index c73d7583b2..3b283b72cb 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -8,7 +8,7 @@ --- -Windows 7 and newer releases (including Windows Phone 8.1 and newer) support the IKEv2 and MOBIKE standards through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. Compared to IKEv1, IKEv2 has many improvements such as Standard Mobility support through MOBIKE, and improved reliability. +Windows 7 and newer releases (including Windows Phone 8.1 and newer) support the IKEv2 and MOBIKE standards through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 has many improvements such as Standard Mobility support through MOBIKE, and improved reliability. Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. Besides Windows, it can also be used with strongSwan Android VPN client. The following examples show how to configure IKEv2. @@ -17,7 +17,7 @@ First, make sure you have successfully these instructions to configure a certificate-based IKEv2 VPN. + 1. On the Windows computer, add a new IKEv2 VPN connection. https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config From 65f1bcd726ba3385fd10da258dbfe413459c1edb Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 30 Sep 2016 11:53:33 -0500 Subject: [PATCH 0038/1208] Update docs [ci skip] --- README-zh.md | 10 +++++----- README.md | 10 +++++----- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 20 ++++++++++++++------ docs/clients.md | 22 +++++++++++++++------- docs/ikev2-howto-zh.md | 7 +++++-- docs/ikev2-howto.md | 7 +++++-- docs/manage-users-zh.md | 2 +- docs/manage-users.md | 2 +- 9 files changed, 52 insertions(+), 30 deletions(-) diff --git a/README-zh.md b/README-zh.md index 2fc954747a..0353b43498 100644 --- a/README-zh.md 
+++ b/README-zh.md @@ -20,8 +20,6 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 - [功能特性](#功能特性) - [系统要求](#系统要求) - [安装说明](#安装说明) - - [Ubuntu & Debian](#ubuntu--debian) - - [CentOS & RHEL](#centos--rhel) - [下一步](#下一步) - [重要提示](#重要提示) - [升级Libreswan](#升级libreswan) @@ -117,15 +115,17 @@ DigitalOcean 用户可以参考这个如何配置 IKEv2 VPN: Windows 7 和更新版本 +如果在连接过程中遇到错误,请参见 故障排除。 + 开始使用自己的专属 VPN ! :sparkles::tada::rocket::sparkles: ## 重要提示 -**Windows 和 Android 6.0/7.0 用户**: 如果在连接过程中遇到错误,请参见 故障排除。 +**Windows 和 Android 用户**: 如果在连接过程中遇到错误,请参见 故障排除。 -如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 +同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 协议的局限性,如果这些设备在同一个 NAT 后面(比如家用路由器),它们无法同时连接到 VPN 服务器。 -同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 协议的局限性,如果上述设备属于同一个 NAT 网络(比如家用路由器),它们无法同时连接到 VPN 服务器。 +如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 diff --git a/README.md b/README.md index ddd036d4ea..b4894c1cfa 100644 --- a/README.md +++ b/README.md @@ -20,8 +20,6 @@ We will use Libreswan as th - [Features](#features) - [Requirements](#requirements) - [Installation](#installation) - - [Ubuntu & Debian](#ubuntu--debian) - - [CentOS & RHEL](#centos--rhel) - [Next steps](#next-steps) - [Important notes](#important-notes) - [Upgrade Libreswan](#upgrade-libreswan) 
@@ -117,16 +115,18 @@ Get your computer or device to use the VPN. Please refer to: How To: IKEv2 VPN for Windows 7 and newer +If you get an error when trying to connect, see Troubleshooting. + Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: ## Important notes -**Windows and Android 6.0/7.0 users**: If you get an error when trying to connect, see Troubleshooting. - -If you wish to add, edit or remove VPN user accounts, refer to Manage VPN Users. +**Windows and Android users**: If you get an error when trying to connect, see Troubleshooting. The same VPN account can be used by your multiple devices. However, due to a limitation of the IPsec protocol, if these devices are behind the same NAT (e.g. home router), they cannot simultaneously connect to the VPN server. +If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. + Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 & 4500, and TCP port 22 (for SSH). diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 0a657db3b5..4478d53614 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -97,7 +97,7 @@ Once connected, you will see a VPN icon in the status bar. You can verify that y ## Credits -This document was adapted from the Streisand project by Joshua Lund and contributors. +This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. ## License diff --git a/docs/clients-zh.md b/docs/clients-zh.md index f2a931b339..b1a2474823 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -17,6 +17,11 @@ * [Chromebook](#chromebook) * [Windows Phone](#windows-phone) * [Linux](#linux) +* [故障排除](#故障排除) + * [Windows 错误 809](#windows-错误-809) + * [Windows 错误 628](#windows-错误-628) + * [Android 6.0 and 7.0](#android-60-and-70) + * [其它错误](#其它错误) ## Windows @@ -32,7 +37,7 @@ 1. 返回 **网络与共享中心**。单击左侧的 **更改适配器设置**。 1. 右键单击新创建的 VPN 连接,并选择 **属性**。 1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 -1. 单击 **允许使用这些协议**。选中 "质询握手身份验证协议 (CHAP)" 复选框,并且取消选中所有其它项。 +1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。 1. 单击 **高级设置** 按钮。 1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。 1. 单击 **确定** 关闭 **高级设置**。 @@ -58,7 +63,7 @@ 1. 右键单击新创建的 VPN 连接,并选择 **属性**。 1. 单击 **选项** 选项卡,取消选中 **包括Windows登录域** 复选框。 1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 -1. 单击 **允许使用这些协议**。选中 "质询握手身份验证协议 (CHAP)" 复选框,并且取消选中所有其它项。 +1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。 1. 单击 **高级设置** 按钮。 1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。 1. 单击 **确定** 关闭 **高级设置**。 @@ -220,7 +225,10 @@ sudo route del default dev ppp0 1. 右键单击系统托盘中的无线/网络图标,选择 **打开网络与共享中心**。 1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。 1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 -1. 单击 **允许使用这些协议**。选中 "质询握手身份验证协议 (CHAP)" 复选框,并且取消选中所有其它项。 +1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。 +1. 单击 **高级设置** 按钮。 +1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。 +1. 单击 **确定** 关闭 **高级设置**。 1. 单击 **确定** 保存 VPN 连接的详细信息。 ![Select CHAP in VPN connection properties](images/vpn-properties-zh.png) 
@@ -236,9 +244,9 @@ sudo route del default dev ppp0 更多的故障排除信息请参见以下链接: -https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues -https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ -http://www.tp-link.com/en/faq-1029.html +* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ +* http://www.tp-link.com/en/faq-1029.html ## 致谢 diff --git a/docs/clients.md b/docs/clients.md index e6ed18f495..23fd067c13 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -17,6 +17,11 @@ An alternative Streisand project by Joshua Lund and contributors. +This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. ## License diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index dfaa7536d6..7adf40a6d8 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -154,7 +154,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 N ``` -1. 生成客户端证书,并且导出 p12 文件。该文件包含客户端证书,私钥以及 CA 证书: +1. 生成客户端证书,并且导出 `.p12` 文件。该文件包含客户端证书,私钥以及 CA 证书: ```bash $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "vpnclient" @@ -196,7 +196,10 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 详细的操作步骤: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs - Windows Phone 8.1 及以上版本用户: 首先导入 .p12 文件,然后参照 这些说明 配置一个基于证书的 IKEv2 VPN。 + Windows Phone 8.1 及以上版本用户: 首先导入 `.p12` 文件,然后参照 这些说明 配置一个基于证书的 IKEv2 VPN。 + + Android 4+ 用户请参见: + https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient 1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 3b283b72cb..69ecbafbea 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -154,7 +154,7 @@ First, make sure you have successfully these instructions to configure a certificate-based IKEv2 VPN. + Users with Windows Phone 8.1 and above: First import the `.p12` file, then follow these instructions to configure a certificate-based IKEv2 VPN. + + Android 4+ users please refer to: + https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient 1. On the Windows computer, add a new IKEv2 VPN connection. diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 2ebcdd4f10..256918080e 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md @@ -4,7 +4,7 @@ 在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,修改或者删除用户,请阅读本文档。 -**注:** 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 协议的局限性,如果上述设备属于同一个 NAT 网络(比如家用路由器),它们无法同时连接到 VPN 服务器。即使你创建多个用户也是如此。 +**注:** 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 协议的局限性,如果这些设备在同一个 NAT 后面(比如家用路由器),它们无法同时连接到 VPN 服务器,即使你创建多个用户也是如此。对于上述情形,你可以尝试使用 [Shadowsocks](https://github.com/shadowsocks/shadowsocks-libev) / [ShadowsocksR](https://github.com/breakwa11/shadowsocks-rss) 或者 [OpenVPN](https://github.com/Nyr/openvpn-install)。 首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets`。如果要更换一个新的 PSK,可以编辑此文件。 diff --git a/docs/manage-users.md b/docs/manage-users.md index 67d159301d..2002d7d9dd 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md 
@@ -4,7 +4,7 @@ By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this document. -**Note:** The same VPN account can be used by your multiple devices. However, due to a limitation of the IPsec protocol, if these devices are behind the same NAT (e.g. home router), they cannot simultaneously connect to the VPN server. This applies even if you create multiple users. +**Note:** The same VPN account can be used by your multiple devices. However, due to a limitation of the IPsec protocol, if these devices are behind the same NAT (e.g. home router), they cannot simultaneously connect to the VPN server. This applies even if you create multiple users. For the above use case, try [OpenVPN](https://github.com/Nyr/openvpn-install). First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. From 4c6de2af292f012995e8fc94b0f5ef1cff7dd441 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 10 Oct 2016 02:55:01 -0500 Subject: [PATCH 0039/1208] Improve network interfaces - Better handling of non-eth0 network interfaces - Now easier to use on servers with new interface names --- vpnsetup.sh | 56 ++++++++++++++++++++++++++-------------------- vpnsetup_centos.sh | 56 ++++++++++++++++++++++++++-------------------- 2 files changed, 64 insertions(+), 48 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 4ae281c7e8..034f04192e 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -53,15 +53,23 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -eth0_state=$(cat /sys/class/net/eth0/operstate 2>/dev/null) -if [ -z "$eth0_state" ] || [ "$eth0_state" = "down" ]; then +NET_IF0=${VPN_IFACE:-'eth0'} +NET_IFS=${VPN_IFACE:-'eth+'} + +if_state=$(cat "/sys/class/net/$NET_IF0/operstate" 2>/dev/null) +if [ -z "$if_state" ] || [ "$if_state" = "down" ] || [ "$NET_IF0" = "lo" ]; then + echo "Error: Network interface '$NET_IF0' is not available." >&2 cat 1>&2 <<'EOF' -Error: Network interface 'eth0' is not available. -Please DO NOT run this script on your PC or Mac! +DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! + +If running on a server, you may fix this error by first +finding the active network interface: +route | grep '^default' | grep -o '[^ ]*$' + +Then set this variable and re-run the script: +export VPN_IFACE="YOUR_INTERFACE" -Run 'cat /proc/net/dev' to find the active network interface, -then use it to replace ALL 'eth0' and 'eth+' in this script. EOF exit 1 fi @@ -137,7 +145,7 @@ PRIVATE_IP=${VPN_PRIVATE_IP:-''} check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com) check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter IPs." -check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') +check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs." # Install necessary packages 
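Review bot: `VPN_IFACE` is used without validation in the `-53,15` hunk of vpnsetup.sh: it is interpolated into `/sys/class/net/$NET_IF0/operstate` and later passed to `ifconfig "$NET_IF0"` and `iptables ... -o "$NET_IFS"`, and the only tests are that reading `operstate` returns something other than `down` and that the name is not exactly `lo`. A value containing `/` or `..` makes that `cat` read a different path and can still pass. Restrict the variable to interface-name characters before using it, and apply the same check in vpnsetup_centos.sh, which receives the identical change.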
@@ -290,7 +298,7 @@ EOF # Update sysctl settings if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then /bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$sys_dt" 2>/dev/null -cat >> /etc/sysctl.conf <<'EOF' +cat >> /etc/sysctl.conf </dev/null; then +elif ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then ipt_flag=1 -elif ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then +elif ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then ipt_flag=1 fi @@ -361,11 +369,11 @@ cat > /etc/iptables.rules < /etc/iptables.rules iptables-save >> /etc/iptables.rules fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index e815da0115..773d3dc724 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -56,15 +56,23 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -eth0_state=$(cat /sys/class/net/eth0/operstate 2>/dev/null) -if [ -z "$eth0_state" ] || [ "$eth0_state" = "down" ]; then +NET_IF0=${VPN_IFACE:-'eth0'} +NET_IFS=${VPN_IFACE:-'eth+'} + +if_state=$(cat "/sys/class/net/$NET_IF0/operstate" 2>/dev/null) +if [ -z "$if_state" ] || [ "$if_state" = "down" ] || [ "$NET_IF0" = "lo" ]; then + echo "Error: Network interface '$NET_IF0' is not available." >&2 cat 1>&2 <<'EOF' -Error: Network interface 'eth0' is not available. -Please DO NOT run this script on your PC or Mac! +DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! + +If running on a server, you may fix this error by first +finding the active network interface: +route | grep '^default' | grep -o '[^ ]*$' + +Then set this variable and re-run the script: +export VPN_IFACE="YOUR_INTERFACE" -Run 'cat /proc/net/dev' to find the active network interface, -then use it to replace ALL 'eth0' and 'eth+' in this script. EOF exit 1 fi 
@@ -124,7 +132,7 @@ PRIVATE_IP=${VPN_PRIVATE_IP:-''} check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com) check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter IPs." -check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') +check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs." # Add the EPEL repository @@ -284,7 +292,7 @@ EOF # Update sysctl settings if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then /bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$sys_dt" 2>/dev/null -cat >> /etc/sysctl.conf <<'EOF' +cat >> /etc/sysctl.conf </dev/null; then +elif ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then ipt_flag=1 -elif ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o eth+ -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then +elif ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then ipt_flag=1 fi @@ -355,19 +363,19 @@ cat > /etc/sysconfig/iptables < /etc/sysconfig/iptables iptables-save >> /etc/sysconfig/iptables fi From 6f2818753a1030a5a25fc6266529be560df5b1df Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 10 Oct 2016 22:34:51 -0500 Subject: [PATCH 0040/1208] Minor improvements and clean up --- extras/vpnupgrade.sh | 10 +++--- extras/vpnupgrade_centos.sh | 10 +++--- vpnsetup.sh | 64 ++++++++++++++++++++----------------- vpnsetup_centos.sh | 57 +++++++++++++++++---------------- 4 files changed, 76 insertions(+), 65 deletions(-) 
diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 5d995035de..c3d37c5e9a 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -114,8 +114,9 @@ apt-get -yq --no-install-recommends install xmlto || exiterr2 swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://download.libreswan.org/$swan_file" swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" -wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2" -[ "$?" != "0" ] && exiterr "Cannot download Libreswan source." +if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then + exiterr "Cannot download Libreswan source." +fi /bin/rm -rf "/opt/src/libreswan-$swan_ver" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." @@ -128,8 +129,9 @@ make -s programs && make -s install # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." /bin/rm -rf "/opt/src/libreswan-$swan_ver" -/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver" -[ "$?" != "0" ] && exiterr "Libreswan $swan_ver failed to build." +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then + exiterr "Libreswan $swan_ver failed to build." +fi # Restart IPsec service service ipsec restart diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index d00d48d59b..5fa97837da 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh 
@@ -116,8 +116,9 @@ fi swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://download.libreswan.org/$swan_file" swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" -wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2" -[ "$?" != "0" ] && exiterr "Cannot download Libreswan source." +if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then + exiterr "Cannot download Libreswan source." +fi /bin/rm -rf "/opt/src/libreswan-$swan_ver" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." @@ -127,8 +128,9 @@ make -s programs && make -s install # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." /bin/rm -rf "/opt/src/libreswan-$swan_ver" -/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver" -[ "$?" != "0" ] && exiterr "Libreswan $swan_ver failed to build." +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then + exiterr "Libreswan $swan_ver failed to build." +fi # Restore SELinux contexts restorecon /etc/ipsec.d/*db 2>/dev/null diff --git a/vpnsetup.sh b/vpnsetup.sh index 034f04192e..ff500033da 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -3,8 +3,10 @@ # Script for automatic setup of an IPsec VPN server on Ubuntu LTS and Debian 8. # Works on any dedicated server or Virtual Private Server (VPS) except OpenVZ. # -# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN -# ON A DEDICATED SERVER OR VPS! +# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! +# +# The latest version of this script is available at: +# https://github.com/hwdsl2/setup-ipsec-vpn # # Copyright (C) 2014-2016 Lin Song # Based on the work of Thomas Sarlandie (Copyright 2012) 
@@ -32,9 +34,11 @@ YOUR_PASSWORD='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT exiterr() { echo "Error: ${1}" >&2; exit 1; } exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } +conf_bk() { /bin/cp -f "${1}" "${1}.old-$SYS_DT" 2>/dev/null; } check_ip() { IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" printf %s "${1}" | tr -d '\n' | grep -Eq "$IP_REGEX" @@ -164,8 +168,9 @@ swan_ver=3.18 swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://download.libreswan.org/$swan_file" swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" -wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2" -[ "$?" != "0" ] && exiterr "Cannot download Libreswan source." +if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then + exiterr "Cannot download Libreswan source." +fi /bin/rm -rf "/opt/src/libreswan-$swan_ver" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." 
@@ -178,12 +183,12 @@ make -s programs && make -s install # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." /bin/rm -rf "/opt/src/libreswan-$swan_ver" -/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver" -[ "$?" != "0" ] && exiterr "Libreswan $swan_ver failed to build." +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then + exiterr "Libreswan $swan_ver failed to build." +fi # Create IPsec (Libreswan) config -sys_dt="$(date +%Y-%m-%d-%H:%M:%S)" -/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$sys_dt" 2>/dev/null +conf_bk "/etc/ipsec.conf" cat > /etc/ipsec.conf </dev/null +conf_bk "/etc/ipsec.secrets" cat > /etc/ipsec.secrets </dev/null +conf_bk "/etc/xl2tpd/xl2tpd.conf" cat > /etc/xl2tpd/xl2tpd.conf <<'EOF' [global] port = 1701 @@ -263,7 +268,7 @@ length bit = yes EOF # Set xl2tpd options -/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$sys_dt" 2>/dev/null +conf_bk "/etc/ppp/options.xl2tpd" cat > /etc/ppp/options.xl2tpd <<'EOF' ipcp-accept-local ipcp-accept-remote @@ -282,14 +287,14 @@ connect-delay 5000 EOF # Create VPN credentials -/bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-$sys_dt" 2>/dev/null +conf_bk "/etc/ppp/chap-secrets" cat > /etc/ppp/chap-secrets </dev/null +conf_bk "/etc/ipsec.d/passwd" VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD") cat > /etc/ipsec.d/passwd </dev/null + conf_bk "/etc/sysctl.conf" cat >> /etc/sysctl.conf </dev/null; then ipt_flag=1 
@@ -345,10 +351,10 @@ fi # - If *not* empty, insert only the required rules for the VPN. if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 - iptables-save > "/etc/iptables.rules.old-$sys_dt" + iptables-save > "$IPT_FILE.old-$SYS_DT" sshd_port="$(ss -nlput | grep sshd | awk '{print $5}' | head -n 1 | grep -Eo '[0-9]{1,5}$')" if [ "$(iptables-save | grep -c '^\-')" = "0" ] && [ "$sshd_port" = "22" ]; then -cat > /etc/iptables.rules < "$IPT_FILE" < /etc/iptables.rules - iptables-save >> /etc/iptables.rules + echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" + iptables-save >> "$IPT_FILE" fi # Update rules for iptables-persistent - if [ -f /etc/iptables/rules.v4 ]; then - /bin/cp -f /etc/iptables/rules.v4 "/etc/iptables/rules.v4.old-$sys_dt" - /bin/cp -f /etc/iptables.rules /etc/iptables/rules.v4 + IPT_FILE2="/etc/iptables/rules.v4" + if [ -f "$IPT_FILE2" ]; then + conf_bk "$IPT_FILE2" + /bin/cp -f "$IPT_FILE" "$IPT_FILE2" fi fi @@ -421,7 +428,7 @@ EOF # Start services at boot if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then - /bin/cp -f /etc/rc.local "/etc/rc.local.old-$sys_dt" 2>/dev/null + conf_bk "/etc/rc.local" sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local cat >> /etc/rc.local <<'EOF' @@ -443,15 +450,12 @@ chmod +x /etc/network/if-pre-up.d/iptablesload chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* # Apply new IPTables rules -iptables-restore < /etc/iptables.rules +iptables-restore < "$IPT_FILE" # Restart services -service fail2ban stop >/dev/null 2>&1 -service ipsec stop >/dev/null 2>&1 -service xl2tpd stop >/dev/null 2>&1 -service fail2ban start -service ipsec start -service xl2tpd start +service fail2ban restart +service ipsec restart +service xl2tpd restart cat < # Based on the work of Thomas Sarlandie (Copyright 2012) 
@@ -32,9 +34,11 @@ YOUR_PASSWORD='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT exiterr() { echo "Error: ${1}" >&2; exit 1; } exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } +conf_bk() { /bin/cp -f "${1}" "${1}.old-$SYS_DT" 2>/dev/null; } check_ip() { IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" printf %s "${1}" | tr -d '\n' | grep -Eq "$IP_REGEX" @@ -161,8 +165,9 @@ swan_ver=3.18 swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://download.libreswan.org/$swan_file" swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" -wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2" -[ "$?" != "0" ] && exiterr "Cannot download Libreswan source." +if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then + exiterr "Cannot download Libreswan source." +fi /bin/rm -rf "/opt/src/libreswan-$swan_ver" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." 
@@ -172,12 +177,12 @@ make -s programs && make -s install # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." /bin/rm -rf "/opt/src/libreswan-$swan_ver" -/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver" -[ "$?" != "0" ] && exiterr "Libreswan $swan_ver failed to build." +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then + exiterr "Libreswan $swan_ver failed to build." +fi # Create IPsec (Libreswan) config -sys_dt="$(date +%Y-%m-%d-%H:%M:%S)" -/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$sys_dt" 2>/dev/null +conf_bk "/etc/ipsec.conf" cat > /etc/ipsec.conf </dev/null +conf_bk "/etc/ipsec.secrets" cat > /etc/ipsec.secrets </dev/null +conf_bk "/etc/xl2tpd/xl2tpd.conf" cat > /etc/xl2tpd/xl2tpd.conf <<'EOF' [global] port = 1701 @@ -257,7 +262,7 @@ length bit = yes EOF # Set xl2tpd options -/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$sys_dt" 2>/dev/null +conf_bk "/etc/ppp/options.xl2tpd" cat > /etc/ppp/options.xl2tpd <<'EOF' ipcp-accept-local ipcp-accept-remote @@ -276,14 +281,14 @@ connect-delay 5000 EOF # Create VPN credentials -/bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-$sys_dt" 2>/dev/null +conf_bk "/etc/ppp/chap-secrets" cat > /etc/ppp/chap-secrets </dev/null +conf_bk "/etc/ipsec.d/passwd" VPN_PASSWORD_ENC=$(openssl passwd -1 "$VPN_PASSWORD") cat > /etc/ipsec.d/passwd </dev/null + conf_bk "/etc/sysctl.conf" cat >> /etc/sysctl.conf </dev/null; then ipt_flag=1 
@@ -339,10 +345,10 @@ fi # - If *not* empty, insert only the required rules for the VPN. if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 - iptables-save > "/etc/sysconfig/iptables.old-$sys_dt" + iptables-save > "$IPT_FILE.old-$SYS_DT" sshd_port="$(ss -nlput | grep sshd | awk '{print $5}' | head -n 1 | grep -Eo '[0-9]{1,5}$')" if [ "$(iptables-save | grep -c '^\-')" = "0" ] && [ "$sshd_port" = "22" ]; then -cat > /etc/sysconfig/iptables < "$IPT_FILE" < /etc/sysconfig/iptables - iptables-save >> /etc/sysconfig/iptables + echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" + iptables-save >> "$IPT_FILE" fi fi @@ -419,7 +425,7 @@ fi # Start services at boot if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then - /bin/cp -f /etc/rc.local "/etc/rc.local.old-$sys_dt" 2>/dev/null + conf_bk "/etc/rc.local" cat >> /etc/rc.local <<'EOF' # Added by hwdsl2 VPN script @@ -444,15 +450,12 @@ chmod +x /etc/rc.local chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* # Apply new IPTables rules -iptables-restore < /etc/sysconfig/iptables +iptables-restore < "$IPT_FILE" # Restart services -service fail2ban stop >/dev/null 2>&1 -service ipsec stop >/dev/null 2>&1 -service xl2tpd stop >/dev/null 2>&1 -service fail2ban start -service ipsec start -service xl2tpd start +service fail2ban restart +service ipsec restart +service xl2tpd restart cat < Date: Wed, 12 Oct 2016 15:02:15 -0500 Subject: [PATCH 0041/1208] Update docs [ci skip] --- README.md | 2 +- docs/clients.md | 2 +- docs/ikev2-howto-zh.md | 34 ++++++++++++++++++++++++---------- docs/ikev2-howto.md | 40 +++++++++++++++++++++++++++------------- 4 files changed, 53 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index b4894c1cfa..12332e3483 100644 --- a/README.md +++ b/README.md 
@@ -113,7 +113,7 @@ Get your computer or device to use the VPN. Please refer to: Configure IPsec/L2TP VPN Clients Configure IPsec/XAuth ("Cisco IPsec") VPN Clients -How To: IKEv2 VPN for Windows 7 and newer +How-To: IKEv2 VPN for Windows 7 and newer If you get an error when trying to connect, see Troubleshooting. diff --git a/docs/clients.md b/docs/clients.md index 23fd067c13..549d7c537a 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -206,7 +206,7 @@ If your system provides the `strongswan` package, refer to the two sections abov To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Refer to the linked web page, or run the following from an elevated command prompt. When finished, reboot your PC. -- For Windows Vista, 7, 8 and 10 +- For Windows Vista, 7, 8.x and 10 ```console REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f ``` diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 7adf40a6d8..ec0f57200e 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -8,9 +8,16 @@ --- -Windows 7 和更新版本 (包括 Windows Phone 8.1 及以上) 支持 IKEv2 和 MOBIKE 标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较,IKEv2 带来许多功能改进,比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。 +Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较,IKEv2 带来许多功能改进,比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。 -Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。除了 Windows 之外,它也可用于 strongSwan Android VPN 客户端。下面举例说明如何配置 IKEv2。 +Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于以下系统: + +- Windows 7, 8.x 和 10 +- Windows Phone 8.1 及以上 +- strongSwan Android VPN 客户端 +- iOS (iPhone/iPad) 和 OS X (macOS) <-- 请参见 + +下面举例说明如何在 Libreswan 上配置 IKEv2。 首先,请确保你已经成功地搭建了自己的 VPN 服务器。以下命令必须用 `root` 账户运行。 
@@ -191,24 +198,31 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ service ipsec restart ``` -1. 文件 `vpnclient.p12` 应该被安全的传送到 Windows 客户端计算机,并且导入到 Computer 证书存储。在导入 CA 证书后,它必须被放入(或移动到) "Trusted Root Certification Authorities" 目录的 "Certificates" 子目录中。 +1. 文件 `vpnclient.p12` 应该被安全地传送到 VPN 客户端设备。下一步: - 详细的操作步骤: - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs + #### Windows 7, 8.x 和 10 - Windows Phone 8.1 及以上版本用户: 首先导入 `.p12` 文件,然后参照 这些说明 配置一个基于证书的 IKEv2 VPN。 + 将 `.p12` 文件导入到 Computer 证书存储。在导入 CA 证书后,它必须被放入 "Trusted Root Certification Authorities" 目录的 "Certificates" 子目录中。 - Android 4+ 用户请参见: - https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient + 详细的操作步骤: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs -1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接。 + 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config -1. 启用新的 IKEv2 VPN 连接,并且开始使用自己的专属 VPN! + 启用新的 IKEv2 VPN 连接,并且开始使用自己的专属 VPN! https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect + #### Windows Phone 8.1 及以上 + + 首先导入 `.p12` 文件,然后参照 这些说明 配置一个基于证书的 IKEv2 VPN。 + + #### Android 4.x 和更新版本 + + 请参见: https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient + 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ## 已知问题 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 69ecbafbea..498e0f94b2 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -1,16 +1,23 @@ -# How To: IKEv2 VPN for Windows 7 and newer +# How-To: IKEv2 VPN for Windows 7 and newer *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* --- -**IMPORTANT:** This guide is for **advanced users** ONLY. Other users please use IPsec/L2TP or IPsec/XAuth. +**IMPORTANT:** This guide is for **Advanced Users** ONLY. Other users please use IPsec/L2TP or IPsec/XAuth. --- -Windows 7 and newer releases (including Windows Phone 8.1 and newer) support the IKEv2 and MOBIKE standards through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 has many improvements such as Standard Mobility support through MOBIKE, and improved reliability. +Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 has multiple improvements such as Standard Mobility support through MOBIKE, and improved reliability. -Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. Besides Windows, it can also be used with strongSwan Android VPN client. The following examples show how to configure IKEv2. +Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with: + +- Windows 7, 8.x and 10 +- Windows Phone 8.1 and above +- strongSwan Android VPN client +- iOS (iPhone/iPad) and OS X (macOS) <-- See link + +The following example shows how to configure IKEv2 with Libreswan. First, make sure you have successfully set up your VPN server. Commands below must be run as `root`. 
@@ -191,29 +198,36 @@ First, make sure you have successfully these instructions to configure a certificate-based IKEv2 VPN. + Import the `.p12` file to the Computer certificate store. The CA cert once imported must be placed into the "Certificates" sub-folder under "Trusted Root Certification Authorities". - Android 4+ users please refer to: - https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient + Detailed instructions: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs -1. On the Windows computer, add a new IKEv2 VPN connection. + On the Windows computer, add a new IKEv2 VPN connection: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config -1. Start the new IKEv2 VPN connection, and enjoy your own VPN! + Start the new IKEv2 VPN connection, and enjoy your own VPN! https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect + #### Windows Phone 8.1 and above + + First import the `.p12` file, then follow these instructions to configure a certificate-based IKEv2 VPN. + + #### Android 4.x and newer + + Please refer to: https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient + Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Known Issues -The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail with "Error 809", or you may be unable to open any website after connecting. If this happens, first try this workaround. If it doesn't work, please connect using IPsec/L2TP or IPsec/XAuth instead. +The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail with "Error 809", or you may be unable to open any website after connecting. If this happens, first try this workaround. 
If it doesn't work, please connect using IPsec/L2TP or IPsec/XAuth mode instead. ## References From 5193d199cacf53a6b2e29e2ee03e5806fa166707 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 20 Oct 2016 01:20:17 -0500 Subject: [PATCH 0042/1208] Improve Linux client instructions [ci skip] --- docs/clients-zh.md | 157 ++++++++++++++++++++++++++++++++++++++++----- docs/clients.md | 156 +++++++++++++++++++++++++++++++++++++++----- 2 files changed, 281 insertions(+), 32 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index b1a2474823..4333fb1474 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -150,40 +150,165 @@ VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可 ## Windows Phone -Windows Phone 8.1 和更新版本的用户可以尝试这个教程。请注意,该平台的 IPsec/L2TP 支持可能有一些问题。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +Windows Phone 8.1 及以上版本用户可以尝试按照 这个教程 的步骤操作。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ## Linux ### Ubuntu & Debian -按照 这个教程 的步骤操作。需要更正以下项: +注: 以下步骤是在 [Peter Sanford 的工作](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c) 基础上修改。 +这些命令必须在你的 VPN 客户端电脑上使用 `root` 账户运行。 -1. 在文件 `xl2tpd.conf` 中,删除这一行 `# your vpn server goes here`。 -1. 在文件 `options.l2tpd.client` 中,将 `require-mschap-v2` 换成 `require-chap`。 -1. 替换 `sudo echo "c XXX-YOUR-CONNECTION-NAME-XXX " > /var/run/xl2tpd/l2tp-control` 为: +要配置 VPN 客户端,首先安装以下软件包: - ``` - echo "c XXX-YOUR-CONNECTION-NAME-XXX " | sudo tee /var/run/xl2tpd/l2tp-control - ``` +``` +apt-get update +apt-get install strongswan xl2tpd +``` + +创建 VPN 变量 (替换为你自己的值): + +``` +VPN_SERVER_IP='YOUR_VPN_SERVER_IP' +VPN_IPSEC_PSK='YOUR_IPSEC_PSK' +``` + +配置 strongSwan: +``` +cat > /etc/ipsec.conf < /etc/ipsec.secrets < /etc/xl2tpd/xl2tpd.conf < /etc/ppp/options.l2tpd.client < " > /var/run/xl2tpd/l2tp-control +``` + +运行 `ifconfig` 并且检查输出。现在你应该看到一个新的网络接口 `ppp0`。 + +检查你现有的默认路由: +``` +ip route +``` + +在输出中查找以下行: `default via X.X.X.X ...`。记下这个网关 IP,并且在下面的命令中使用。 -1. 
替换最后一个命令 `sudo route add -net default gw ` 为: +从新的默认路由中排除你的 VPN 服务器 IP (替换为你自己的值): +``` +route add YOUR_VPN_SERVER_IP gw X.X.X.X +``` - ``` - sudo route add default dev ppp0 - ``` +如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP,以避免 SSH 会话被断开 (替换为你自己的值,可以在 https://www.ipchicken.com 获取): +``` +route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X +``` - 如果遇到错误,请检查 `ifconfig` 的输出并将上面的 `ppp0` 换成 `ppp1`,等等。 +添加一个新的默认路由,并且开始通过 VPN 服务器发送数据: +``` +route add default dev ppp0 +``` -连接成功后,检查 VPN 是否正常工作: +至此 VPN 连接已成功完成。检查 VPN 是否正常工作: ``` wget -qO- http://whatismyip.akamai.com; echo ``` 以上命令应该返回 `你的 VPN 服务器 IP`。 + 要停止通过 VPN 服务器发送数据: ``` -sudo route del default dev ppp0 +route del default dev ppp0 +``` + +要断开连接: +``` +echo "d myvpn" > /var/run/xl2tpd/l2tp-control +ipsec down myvpn ``` ### CentOS & Fedora @@ -191,7 +316,7 @@ sudo route del default dev ppp0 参照上面的 Ubuntu/Debian 部分,并进行以下改动: 1. 使用 `yum` 而不是 `apt-get` 命令来安装软件包。 -1. 在这些系统中,`ipsec` 命令已经被重命名为 `strongswan`。 +1. 将 `ipsec up` 和 `ipsec down` 命令分别替换为 `strongswan up` 和 `strongswan down`。 1. 文件 `ipsec.conf` 和 `ipsec.secrets` 应该保存在 `/etc/strongswan` 目录中。 ### Other Linux diff --git a/docs/clients.md b/docs/clients.md index 549d7c537a..44ef7e1a2c 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -150,31 +150,149 @@ Once connected, you will see a VPN icon overlay on the network status icon. You ## Windows Phone -Users with Windows Phone 8.1 and newer, try this tutorial. Please note that IPsec/L2TP support on this platform may have some issues. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Users with Windows Phone 8.1 and above, try this tutorial. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Linux ### Ubuntu & Debian -Follow the steps in this tutorial. Some corrections are required: +Note: Instructions below are adapted from [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c). +Commands must be run as `root` on your VPN client computer. -1. In `xl2tpd.conf`, remove the line `# your vpn server goes here`. -1. In `options.l2tpd.client`, replace `require-mschap-v2` with `require-chap`. -1. 
Replace `sudo echo "c XXX-YOUR-CONNECTION-NAME-XXX " > /var/run/xl2tpd/l2tp-control` with: +To set up the VPN client, first install the following packages: - ``` - echo "c XXX-YOUR-CONNECTION-NAME-XXX " | sudo tee /var/run/xl2tpd/l2tp-control - ``` +``` +apt-get update +apt-get install strongswan xl2tpd +``` + +Create VPN variables (replace with actual values): + +``` +VPN_SERVER_IP='YOUR_VPN_SERVER_IP' +VPN_IPSEC_PSK='YOUR_IPSEC_PSK' +``` + +Configure strongSwan: +``` +cat > /etc/ipsec.conf < /etc/ipsec.secrets < /etc/xl2tpd/xl2tpd.conf < /etc/ppp/options.l2tpd.client <` with: +Create xl2tpd control file: +``` +mkdir -p /var/run/xl2tpd +touch /var/run/xl2tpd/l2tp-control +``` - ``` - sudo route add default dev ppp0 - ``` +Restart services: +``` +service strongswan restart +service xl2tpd restart +``` - If there is an error, check the output of `ifconfig` and replace `ppp0` above with `ppp1`, etc. +Start the IPsec connection: +``` +ipsec up myvpn +``` -Once connected, verify that your traffic is being routed properly: +Start the L2TP connection (replace with your actual VPN username and password): +``` +echo "c myvpn " > /var/run/xl2tpd/l2tp-control +``` + +Run `ifconfig` and check the output. You should now see a new interface `ppp0`. + +Check your existing default route: +``` +ip route +``` + +Find this line in the output: `default via X.X.X.X ...`. Write down this gateway IP for use in the commands below. 
+ +Exclude your VPN server's IP from the new default route (replace with actual value): +``` +route add YOUR_VPN_SERVER_IP gw X.X.X.X +``` + +If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value, found by searching "my ip" on Google): +``` +route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X +``` + +Add a new default route to start routing traffic via the VPN server: +``` +route add default dev ppp0 +``` + +The VPN connection is now complete. Verify that your traffic is being routed properly: ``` wget -qO- http://whatismyip.akamai.com; echo ``` @@ -183,7 +301,13 @@ The above command should return `Your VPN Server IP`. To stop routing traffic via the VPN server: ``` -sudo route del default dev ppp0 +route del default dev ppp0 +``` + +To disconnect: +``` +echo "d myvpn" > /var/run/xl2tpd/l2tp-control +ipsec down myvpn ``` ### CentOS & Fedora @@ -191,7 +315,7 @@ sudo route del default dev ppp0 Refer to the Ubuntu/Debian section above, with these changes: 1. Use `yum` instead of `apt-get` to install packages. -1. In these systems, the `ipsec` command has been renamed to `strongswan`. +1. Replace `ipsec up` and `ipsec down` with `strongswan up` and `strongswan down`, respectively. 1. The files `ipsec.conf` and `ipsec.secrets` should be saved under `/etc/strongswan`. ### Other Linux From 44eb55f9f3801d15b4441ed492ac384d13f95dc7 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 23 Oct 2016 14:32:07 -0500 Subject: [PATCH 0043/1208] Update docs [ci skip] --- README-zh.md | 2 ++ README.md | 2 ++ docs/clients-zh.md | 8 +++++--- docs/clients.md | 8 +++++--- 4 files changed, 14 insertions(+), 6 deletions(-) diff --git a/README-zh.md b/README-zh.md index 0353b43498..4f41c6506f 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -121,6 +121,8 @@ DigitalOcean 用户可以参考这个故障排除。 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 协议的局限性,如果这些设备在同一个 NAT 后面(比如家用路由器),它们无法同时连接到 VPN 服务器。 diff --git a/README.md b/README.md index 12332e3483..2dbe8d3f20 100644 --- a/README.md +++ b/README.md @@ -121,6 +121,8 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: ## Important notes +*Read this in other languages: [English](README.md#important-notes), [简体中文](README-zh.md#重要提示).* + **Windows and Android users**: If you get an error when trying to connect, see Troubleshooting. The same VPN account can be used by your multiple devices. However, due to a limitation of the IPsec protocol, if these devices are behind the same NAT (e.g. home router), they cannot simultaneously connect to the VPN server. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 4333fb1474..b79a71aa0c 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -265,7 +265,7 @@ ipsec up myvpn 开始 L2TP 连接 (替换为你自己的 VPN 用户名和密码): ``` -echo "c myvpn " > /var/run/xl2tpd/l2tp-control +echo "c myvpn YOUR_USERNAME YOUR_PASSWORD" > /var/run/xl2tpd/l2tp-control ``` 运行 `ifconfig` 并且检查输出。现在你应该看到一个新的网络接口 `ppp0`。 @@ -275,14 +275,14 @@ echo "c myvpn " > /var/run/xl2tpd/l2tp-control ip route ``` -在输出中查找以下行: `default via X.X.X.X ...`。记下这个网关 IP,并且在下面的命令中使用。 +在输出中查找以下行: `default via X.X.X.X ...`。记下这个网关 IP,并且在下面的两个命令中使用。 从新的默认路由中排除你的 VPN 服务器 IP (替换为你自己的值): ``` route add YOUR_VPN_SERVER_IP gw X.X.X.X ``` -如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP,以避免 SSH 会话被断开 (替换为你自己的值,可以在 https://www.ipchicken.com 获取): +如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP,以避免 SSH 会话被断开 (替换为你自己的公有 IP,可在 这里 查看): ``` route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X ``` @@ -325,6 +325,8 @@ ipsec down myvpn ## 故障排除 +*其他语言版本: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* + ### Windows 错误 809 > 无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。 diff --git a/docs/clients.md b/docs/clients.md index 44ef7e1a2c..b99193918b 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -265,7 +265,7 @@ ipsec up myvpn Start the L2TP connection (replace with your actual VPN username and password): ``` -echo "c myvpn " > /var/run/xl2tpd/l2tp-control +echo "c myvpn YOUR_USERNAME YOUR_PASSWORD" > /var/run/xl2tpd/l2tp-control ``` Run `ifconfig` and check the output. You should now see a new interface `ppp0`. @@ -275,14 +275,14 @@ Check your existing default route: ip route ``` -Find this line in the output: `default via X.X.X.X ...`. Write down this gateway IP for use in the commands below. +Find this line in the output: `default via X.X.X.X ...`. Write down this gateway IP for use in the two commands below. Exclude your VPN server's IP from the new default route (replace with actual value): ``` route add YOUR_VPN_SERVER_IP gw X.X.X.X ``` -If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value, found by searching "my ip" on Google): +If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with your actual public IP from here): ``` route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X ``` @@ -324,6 +324,8 @@ If your system provides the `strongswan` package, refer to the two sections abov ## Troubleshooting +*Read this in other languages: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* + ### Windows Error 809 > The network connection between your computer and the VPN server could not be established because the remote server is not responding. From 13db1d4a7f99e8aa2db2acc6dca25129565a3436 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Tue, 25 Oct 2016 14:44:45 -0500 Subject: [PATCH 0044/1208] Improve Linux instructions - Add option "noipdefault" to fix Linux clients behind NAT - Specify VPN username and password in the config file - Combine the Ubuntu/Debian and CentOS/Fedora sections - [ci skip] --- docs/clients-zh.md | 62 ++++++++++++++++++++++++++++------------------ docs/clients.md | 62 ++++++++++++++++++++++++++++------------------ 2 files changed, 76 insertions(+), 48 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index b79a71aa0c..0d8eb23954 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -154,23 +154,30 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 /var/run/xl2tpd/l2tp-control +echo "c myvpn" > /var/run/xl2tpd/l2tp-control ``` 运行 `ifconfig` 并且检查输出。现在你应该看到一个新的网络接口 `ppp0`。 @@ -307,21 +328,14 @@ route del default dev ppp0 要断开连接: ``` +# Ubuntu & Debian echo "d myvpn" > /var/run/xl2tpd/l2tp-control ipsec down myvpn -``` -### CentOS & Fedora - -参照上面的 Ubuntu/Debian 部分,并进行以下改动: - -1. 使用 `yum` 而不是 `apt-get` 命令来安装软件包。 -1. 将 `ipsec up` 和 `ipsec down` 命令分别替换为 `strongswan up` 和 `strongswan down`。 -1. 文件 `ipsec.conf` 和 `ipsec.secrets` 应该保存在 `/etc/strongswan` 目录中。 - -### Other Linux - -如果你的系统提供 `strongswan` 软件包,请参见上面的两个部分。 +# CentOS/RHEL & Fedora +echo "d myvpn" > /var/run/xl2tpd/l2tp-control +strongswan down myvpn +``` ## 故障排除 diff --git a/docs/clients.md b/docs/clients.md index b99193918b..cdbb2c3794 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -154,23 +154,30 @@ Users with Windows Phone 8.1 and above, try /var/run/xl2tpd/l2tp-control +echo "c myvpn" > /var/run/xl2tpd/l2tp-control ``` Run `ifconfig` and check the output. You should now see a new interface `ppp0`. 
@@ -306,21 +327,14 @@ route del default dev ppp0 To disconnect: ``` +# Ubuntu & Debian echo "d myvpn" > /var/run/xl2tpd/l2tp-control ipsec down myvpn -``` -### CentOS & Fedora - -Refer to the Ubuntu/Debian section above, with these changes: - -1. Use `yum` instead of `apt-get` to install packages. -1. Replace `ipsec up` and `ipsec down` with `strongswan up` and `strongswan down`, respectively. -1. The files `ipsec.conf` and `ipsec.secrets` should be saved under `/etc/strongswan`. - -### Other Linux - -If your system provides the `strongswan` package, refer to the two sections above. +# CentOS/RHEL & Fedora +echo "d myvpn" > /var/run/xl2tpd/l2tp-control +strongswan down myvpn +``` ## Troubleshooting From 895d46c0c9f349ea4a9bd2ea119ee0e3c92b881b Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 25 Oct 2016 21:32:52 -0500 Subject: [PATCH 0045/1208] Fix for Raspbian - On Raspberry Pis /etc/rc.local can run early during boot - If the network is not ready, IPsec may fail to start - A delay has been added as a workaround. Ref: #76 --- vpnsetup.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/vpnsetup.sh b/vpnsetup.sh index ff500033da..457d4b9770 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -433,6 +433,11 @@ if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then cat >> /etc/rc.local <<'EOF' # Added by hwdsl2 VPN script +EOF + if grep -qs raspbian /etc/os-release; then + echo "sleep 30" >> /etc/rc.local + fi +cat >> /etc/rc.local <<'EOF' service fail2ban restart || /bin/true service ipsec start service xl2tpd start From e3d830dfd41d79329ce3911d19ed218e0d097740 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 28 Oct 2016 11:54:29 -0500 Subject: [PATCH 0046/1208] Improve services on boot - Better handling of starting IPTables & Fail2Ban on boot - Use iptables-services and disable firewalld for CentOS 7 --- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 3 ++- vpnsetup_centos.sh | 19 +++++++++---------- 3 files changed, 12 insertions(+), 12 deletions(-) 
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 5fa97837da..fd1e09789b 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -108,7 +108,7 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \ if grep -qs "release 6" /etc/redhat-release; then yum -y remove libevent-devel yum -y install libevent2-devel || exiterr2 -elif grep -qs "release 7" /etc/redhat-release; then +else yum -y install libevent-devel systemd-devel || exiterr2 fi diff --git a/vpnsetup.sh b/vpnsetup.sh index 457d4b9770..1d5ab817c0 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -162,6 +162,8 @@ apt-get -yq install ppp xl2tpd || exiterr2 # Install Fail2Ban to protect SSH server apt-get -yq install fail2ban || exiterr2 +update-rc.d fail2ban enable +systemctl enable fail2ban 2>/dev/null # Compile and install Libreswan swan_ver=3.18 @@ -438,7 +440,6 @@ EOF echo "sleep 30" >> /etc/rc.local fi cat >> /etc/rc.local <<'EOF' -service fail2ban restart || /bin/true service ipsec start service xl2tpd start echo 1 > /proc/sys/net/ipv4/ip_forward diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 9de96f1487..73026e0852 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -156,7 +156,7 @@ yum -y install fail2ban || exiterr2 if grep -qs "release 6" /etc/redhat-release; then yum -y remove libevent-devel yum -y install libevent2-devel || exiterr2 -elif grep -qs "release 7" /etc/redhat-release; then +else yum -y install libevent-devel systemd-devel || exiterr2 fi @@ -408,13 +408,6 @@ fi # Create basic Fail2Ban rules if [ ! -f /etc/fail2ban/jail.local ] ; then cat > /etc/fail2ban/jail.local <<'EOF' -[DEFAULT] -ignoreip = 127.0.0.1/8 -bantime = 600 -findtime = 600 -maxretry = 5 -backend = auto - [ssh-iptables] enabled = true filter = sshd 
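Review bot: The vpnsetup_centos.sh hunk `@@ -408,13 +408,6 @@` just above drops the whole `[DEFAULT]` block from the generated `/etc/fail2ban/jail.local` (`ignoreip`, `bantime = 600`, `findtime = 600`, `maxretry = 5`, `backend = auto`), and the commit message does not mention it. After this change the `[ssh-iptables]` jail runs with whatever defaults the installed Fail2Ban package provides, so the ban thresholds are no longer pinned by the script. Either keep the explicit values the jail relies on, or state in the commit message that package defaults are intended.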
@@ -424,13 +417,19 @@ EOF fi # Start services at boot +if grep -qs "release 6" /etc/redhat-release; then + chkconfig iptables on + chkconfig fail2ban on +else + systemctl --now mask firewalld + yum -y install iptables-services || exiterr2 + systemctl enable iptables fail2ban +fi if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then conf_bk "/etc/rc.local" cat >> /etc/rc.local <<'EOF' # Added by hwdsl2 VPN script -iptables-restore < /etc/sysconfig/iptables -service fail2ban restart service ipsec start service xl2tpd start echo 1 > /proc/sys/net/ipv4/ip_forward From 9319ce8ae2d7f899106184814f8839af6856f1aa Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 29 Oct 2016 17:32:05 -0500 Subject: [PATCH 0047/1208] Clean up IPTables rules - Only add the necessary IPTables rules for the VPN - Other minor clean ups --- vpnsetup.sh | 100 +++++++++++++-------------------------------- vpnsetup_centos.sh | 95 ++++++++++++------------------------------ 2 files changed, 54 insertions(+), 141 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 1d5ab817c0..42ca10b930 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -146,7 +146,6 @@ PRIVATE_IP=${VPN_PRIVATE_IP:-''} [ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') # Check IPs for correct format -check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com) check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter IPs." check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') 
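Review bot: In the vpnsetup_centos.sh hunk `@@ -424,13 +417,19 @@` (the first hunk above), the `else` branch runs `systemctl --now mask firewalld` before `yum -y install iptables-services || exiterr2`. If the install fails, the script exits with firewalld already stopped and masked and no iptables service in its place. Install `iptables-services` first and mask firewalld only after that has succeeded.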
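Review bot: The vpnsetup.sh hunk `@@ -146,7 +146,6 @@` removes the `whatismyip.akamai.com` lookup and leaves `wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com` as the only fallback shown for `PUBLIC_IP`, and that request is plain HTTP. `check_ip` validates only the format, so a well-formed but wrong address supplied on the path is accepted, and an outage of that one host now ends in "Cannot find valid public IP". Consider an HTTPS endpoint and keeping a second, independent source.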
@@ -340,78 +339,36 @@ fi # Check if IPTables rules need updating ipt_flag=0 IPT_FILE="/etc/iptables.rules" -if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then - ipt_flag=1 -elif ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then - ipt_flag=1 -elif ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then +if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" || \ + ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null || \ + ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then ipt_flag=1 fi -# Create basic IPTables rules -# - If IPTables is "empty", write out the entire new rule set. -# - If *not* empty, insert only the required rules for the VPN. +# Add IPTables rules for VPN if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 iptables-save > "$IPT_FILE.old-$SYS_DT" - sshd_port="$(ss -nlput | grep sshd | awk '{print $5}' | head -n 1 | grep -Eo '[0-9]{1,5}$')" - if [ "$(iptables-save | grep -c '^\-')" = "0" ] && [ "$sshd_port" = "22" ]; then -cat > "$IPT_FILE" < "$IPT_FILE" - iptables-save >> "$IPT_FILE" - fi + iptables -I INPUT 1 -m conntrack --ctstate INVALID -j DROP + iptables -I INPUT 2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I INPUT 3 -p udp -m multiport --dports 500,4500 -j ACCEPT + iptables -I INPUT 4 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT + iptables -I INPUT 5 -p udp --dport 1701 -j DROP + iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP + iptables -I FORWARD 2 -i "$NET_IFS" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 3 -i ppp+ -o "$NET_IFS" -j ACCEPT + iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT + 
iptables -I FORWARD 5 -i "$NET_IFS" -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 6 -s 192.168.43.0/24 -o "$NET_IFS" -j ACCEPT + # Uncomment if you wish to disallow traffic between VPN clients themselves + # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP + # iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP + iptables -A FORWARD -j DROP + iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" + iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" + echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" + iptables-save >> "$IPT_FILE" + # Update rules for iptables-persistent IPT_FILE2="/etc/iptables/rules.v4" if [ -f "$IPT_FILE2" ]; then 
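Review bot: In the `+` block of this vpnsetup.sh hunk the rules are added with fixed-position `iptables -I INPUT 1..5` and `iptables -I FORWARD 1..6` plus `iptables -A FORWARD -j DROP`, guarded only by the marker test on `$IPT_FILE` and the two `-C POSTROUTING` checks. If either SNAT check fails on a re-run, for example because `$PRIVATE_IP` or `$NET_IFS` changed, every INPUT and FORWARD rule is inserted a second time, another catch-all DROP is appended, and the old SNAT rules stay in place. Test each rule with `iptables -C` before inserting it, or keep the VPN rules in a dedicated chain that can be flushed and rebuilt.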
@@ -451,17 +408,16 @@ fi sysctl -e -q -p # Update file attributes -chmod +x /etc/rc.local -chmod +x /etc/network/if-pre-up.d/iptablesload +chmod +x /etc/rc.local /etc/network/if-pre-up.d/iptablesload chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* # Apply new IPTables rules iptables-restore < "$IPT_FILE" # Restart services -service fail2ban restart -service ipsec restart -service xl2tpd restart +service fail2ban restart 2>/dev/null +service ipsec restart 2>/dev/null +service xl2tpd restart 2>/dev/null cat </dev/null; then - ipt_flag=1 -elif ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then +if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" || \ + ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null || \ + ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then ipt_flag=1 fi -# Create basic IPTables rules -# - If IPTables is "empty", write out the entire new rule set. -# - If *not* empty, insert only the required rules for the VPN. 
+# Add IPTables rules for VPN if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 iptables-save > "$IPT_FILE.old-$SYS_DT" - sshd_port="$(ss -nlput | grep sshd | awk '{print $5}' | head -n 1 | grep -Eo '[0-9]{1,5}$')" - if [ "$(iptables-save | grep -c '^\-')" = "0" ] && [ "$sshd_port" = "22" ]; then -cat > "$IPT_FILE" < "$IPT_FILE" - iptables-save >> "$IPT_FILE" - fi + iptables -I INPUT 1 -m conntrack --ctstate INVALID -j DROP + iptables -I INPUT 2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I INPUT 3 -p udp -m multiport --dports 500,4500 -j ACCEPT + iptables -I INPUT 4 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT + iptables -I INPUT 5 -p udp --dport 1701 -j DROP + iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP + iptables -I FORWARD 2 -i "$NET_IFS" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 3 -i ppp+ -o "$NET_IFS" -j ACCEPT + iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT + iptables -I FORWARD 5 -i "$NET_IFS" -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 6 -s 192.168.43.0/24 -o "$NET_IFS" -j ACCEPT + # Uncomment if you wish to disallow traffic between VPN clients themselves + # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP + # iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP + iptables -A FORWARD -j DROP + iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" + iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" + echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" + iptables-save >> "$IPT_FILE" fi # Create basic Fail2Ban rules 
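Review bot: This second copy of the rule block no longer has the branch that the removed comment described as "If IPTables is "empty", write out the entire new rule set". The new rules close FORWARD with `iptables -A FORWARD -j DROP` but add nothing that closes INPUT, so on a host with an empty rule set and the default ACCEPT policy, INPUT still accepts everything except invalid-state packets and non-IPsec UDP 1701. That changes what the installer guarantees on a fresh host; say so in the replacement comment `# Add IPTables rules for VPN` so operators know the INPUT policy is now theirs to supply.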
@@ -452,9 +409,9 @@ chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* iptables-restore < "$IPT_FILE" # Restart services -service fail2ban restart -service ipsec restart -service xl2tpd restart +service fail2ban restart 2>/dev/null +service ipsec restart 2>/dev/null +service xl2tpd restart 2>/dev/null cat < Date: Sat, 29 Oct 2016 18:30:35 -0500 Subject: [PATCH 0048/1208] Update docs [ci skip] --- README-zh.md | 6 +++--- README.md | 6 +++--- docs/clients-zh.md | 2 +- docs/clients.md | 2 +- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/README-zh.md b/README-zh.md index 4f41c6506f..d34636d326 100644 --- a/README-zh.md +++ b/README-zh.md @@ -37,8 +37,8 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 - 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持 - 可直接作为 Amazon EC2 实例创建时的用户数据使用 - 自动确定服务器的公网 IP 以及私有 IP 地址 -- 包括基本的 IPTables 防火墙规则和 `sysctl.conf` 优化设置 -- 测试通过: Ubuntu 16.04/14.04/12.04, Debian 8 和 CentOS 6/7 +- 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能 +- 测试通过: Ubuntu 16.04/14.04/12.04, Debian 8 和 CentOS 7/6 ## 系统要求 @@ -133,7 +133,7 @@ DigitalOcean 用户可以参考这个EC2/GCE),请打开 UDP 端口 500 和 4500,以及 TCP 端口 22 (用于 SSH)。 -如果需要打开服务器上的其它端口,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 +如需更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 在使用 `IPsec/L2TP` 连接时,VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`。 diff --git a/README.md b/README.md index 2dbe8d3f20..788655b877 100644 --- a/README.md +++ b/README.md 
@@ -37,8 +37,8 @@ We will use Libreswan as th - Encapsulates all VPN traffic in UDP - does not need ESP protocol - Can be directly used as "user-data" for a new Amazon EC2 instance - Automatically determines public IP and private IP of server -- Includes basic IPTables rules and `sysctl.conf` settings -- Tested with Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 6 & 7 +- Includes `sysctl.conf` optimizations for improved performance +- Tested with Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 7/6 ## Requirements @@ -133,7 +133,7 @@ Clients are set to use EC2/GCE), open UDP ports 500 & 4500, and TCP port 22 (for SSH). -To open additional ports on the server, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server. +To change the IPTables rules, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server. When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 0d8eb23954..48a76693da 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -315,7 +315,7 @@ route add default dev ppp0 至此 VPN 连接已成功完成。检查 VPN 是否正常工作: ``` -wget -qO- http://whatismyip.akamai.com; echo +wget -qO- http://ipv4.icanhazip.com; echo ``` 以上命令应该返回 `你的 VPN 服务器 IP`。 diff --git a/docs/clients.md b/docs/clients.md index cdbb2c3794..9726e125f1 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -315,7 +315,7 @@ route add default dev ppp0 The VPN connection is now complete. Verify that your traffic is being routed properly: ``` -wget -qO- http://whatismyip.akamai.com; echo +wget -qO- http://ipv4.icanhazip.com; echo ``` The above command should return `Your VPN Server IP`. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index ec0f57200e..2449bdcbe7 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -24,7 +24,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。 ```bash - $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://whatismyip.akamai.com) + $ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') $ echo "$PUBLIC_IP" (Your public IP is displayed) diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 498e0f94b2..3aa9a79d92 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -24,7 +24,7 @@ First, make sure you have successfully Date: Mon, 31 Oct 2016 01:13:20 -0500 Subject: [PATCH 0049/1208] Minor clean up --- extras/vpnupgrade_centos.sh | 4 ---- vpnsetup.sh | 27 ++++++++++++--------------- vpnsetup_centos.sh | 17 ++++++----------- 3 files changed, 18 insertions(+), 30 deletions(-) diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index fd1e09789b..8cdbafc079 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -20,10 +20,6 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" exiterr() { echo "Error: ${1}" >&2; exit 1; } exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } -if [ ! -f /etc/redhat-release ]; then - exiterr "This script only supports CentOS/RHEL." -fi - if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then exiterr "This script only supports CentOS/RHEL 6 and 7." fi diff --git a/vpnsetup.sh b/vpnsetup.sh index 42ca10b930..e3abe028aa 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -50,7 +50,9 @@ if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ] && [ "$os_type" != " fi if [ -f /proc/user_beancounters ]; then - exiterr "This script does not support OpenVZ VPS." + echo "Error: This script does not support OpenVZ VPS." >&2 + echo "Try OpenVPN: https://github.com/Nyr/openvpn-install" >&2 + exit 1 fi if [ "$(id -u)" != 0 ]; then 
@@ -68,12 +70,9 @@ cat 1>&2 <<'EOF' DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! If running on a server, you may fix this error by first -finding the active network interface: -route | grep '^default' | grep -o '[^ ]*$' - -Then set this variable and re-run the script: -export VPN_IFACE="YOUR_INTERFACE" +setting this variable and re-run the script: +export VPN_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" EOF exit 1 fi @@ -161,8 +160,6 @@ apt-get -yq install ppp xl2tpd || exiterr2 # Install Fail2Ban to protect SSH server apt-get -yq install fail2ban || exiterr2 -update-rc.d fail2ban enable -systemctl enable fail2ban 2>/dev/null # Compile and install Libreswan swan_ver=3.18 @@ -377,7 +374,7 @@ if [ "$ipt_flag" = "1" ]; then fi fi -# Load IPTables rules at system boot +# Load IPTables rules at boot mkdir -p /etc/network/if-pre-up.d cat > /etc/network/if-pre-up.d/iptablesload <<'EOF' #!/bin/sh @@ -386,22 +383,22 @@ exit 0 EOF # Start services at boot +update-rc.d fail2ban enable >/dev/null 2>&1 +systemctl enable fail2ban >/dev/null 2>&1 if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then conf_bk "/etc/rc.local" - sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local + sed --follow-symlinks -i '/^exit 0/d' /etc/rc.local cat >> /etc/rc.local <<'EOF' # Added by hwdsl2 VPN script -EOF - if grep -qs raspbian /etc/os-release; then - echo "sleep 30" >> /etc/rc.local - fi -cat >> /etc/rc.local <<'EOF' service ipsec start service xl2tpd start echo 1 > /proc/sys/net/ipv4/ip_forward exit 0 EOF + if grep -qs raspbian /etc/os-release; then + sed --follow-symlinks -i '/hwdsl2 VPN script/a sleep 15' /etc/rc.local + fi fi # Reload sysctl.conf diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index e14feecc50..e1db0bd419 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -44,16 +44,14 @@ check_ip() { printf %s "${1}" | tr -d '\n' | grep -Eq "$IP_REGEX" } -if [ ! -f /etc/redhat-release ]; then - exiterr "This script only supports CentOS/RHEL." -fi - if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then exiterr "This script only supports CentOS/RHEL 6 and 7." fi if [ -f /proc/user_beancounters ]; then - exiterr "This script does not support OpenVZ VPS." + echo "Error: This script does not support OpenVZ VPS." >&2 + echo "Try OpenVPN: https://github.com/Nyr/openvpn-install" >&2 + exit 1 fi if [ "$(id -u)" != 0 ]; then @@ -71,12 +69,9 @@ cat 1>&2 <<'EOF' DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! If running on a server, you may fix this error by first -finding the active network interface: -route | grep '^default' | grep -o '[^ ]*$' - -Then set this variable and re-run the script: -export VPN_IFACE="YOUR_INTERFACE" +setting this variable and re-run the script: +export VPN_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" EOF exit 1 fi @@ -380,7 +375,7 @@ if grep -qs "release 6" /etc/redhat-release; then else systemctl --now mask firewalld yum -y install iptables-services || exiterr2 - systemctl enable iptables fail2ban + systemctl enable iptables fail2ban >/dev/null 2>&1 fi if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then conf_bk "/etc/rc.local" From 6d99a01b0a616792b753ef530fbc6c1f63c0ab14 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 6 Nov 2016 14:35:58 -0600 Subject: [PATCH 0050/1208] Remove SHA2 workaround - Libreswan 3.18 and higher prefers sha2_512 over sha2_256 - The 'sha2-truncbug=yes' workaround is no longer needed - Ref: https://libreswan.org/wiki/FAQ#Configuration_Matters --- docs/clients-zh.md | 10 +++++----- docs/clients.md | 10 +++++----- vpnsetup.sh | 1 - vpnsetup_centos.sh | 1 - 4 files changed, 10 insertions(+), 12 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 48a76693da..4785bd5ab4 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -20,7 +20,7 @@ * [故障排除](#故障排除) * [Windows 错误 809](#windows-错误-809) * [Windows 错误 628](#windows-错误-628) - * [Android 6.0 and 7.0](#android-60-and-70) + * [Android 6 and 7](#android-6-and-7) * [其它错误](#其它错误) ## Windows @@ -374,12 +374,12 @@ strongswan down myvpn ![Select CHAP in VPN connection properties](images/vpn-properties-zh.png) -### Android 6.0 and 7.0 +### Android 6 and 7 -如果你无法使用 Android 6.0 (Marshmallow) 或者 7.0 (Nougat) 连接,请尝试以下解决方案: +如果你无法使用 Android 6 (Marshmallow) 或者 7 (Nougat) 连接: -1. 单击 VPN 连接旁边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请看下一步。 -1. (注: 最新版本的 VPN 脚本已经包含这些更改) 编辑 VPN 服务器上的 `/etc/ipsec.conf`,并在 `ike=` 和 `phase2alg=` 两行结尾添加 `,aes256-sha2_256` 字样。然后在它们下面添加一行 `sha2-truncbug=yes`。每行开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) +1. 单击 VPN 连接旁边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...`,然后在它下面添加一行 `sha2-truncbug=yes`,开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) ### 其它错误 diff --git a/docs/clients.md b/docs/clients.md index 9726e125f1..b9b7d7fc36 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -20,7 +20,7 @@ An alternative Ref) +1. Tap the "Settings" icon next to your VPN profile. Select "Show Advanced Options" and scroll down to the bottom. If the option "Backwards-compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. +1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...`, and add a new line `sha2-truncbug=yes` immediately below it, indented with two spaces. Save the file and run `service ipsec restart`. (Ref) ### Other Errors diff --git a/vpnsetup.sh b/vpnsetup.sh index e3abe028aa..7deed8e7e8 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -212,7 +212,6 @@ conn shared dpdaction=clear ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 - sha2-truncbug=yes conn l2tp-psk auto=add 
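Review bot: The vpnsetup.sh hunk `@@ -212,7 +212,6 @@` removes `sha2-truncbug=yes` from the generated `conn shared` section and the commit message calls the workaround no longer needed, yet the docs hunks in the same patch still tell Android 6 and 7 users to add `sha2-truncbug=yes` below `phase2alg=...` when they cannot connect. State in the docs when that step still applies. The change also touches only the template written by a fresh install (`vpnsetup.sh | 1 -`), so servers set up earlier keep the option; note whether they should remove it by hand.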
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index e1db0bd419..444af4a535 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -202,7 +202,6 @@ conn shared dpdaction=clear ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 - sha2-truncbug=yes conn l2tp-psk auto=add From 61bd1254ed9ddb6800c03c93041e0b4978f8b624 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 6 Nov 2016 19:30:53 -0600 Subject: [PATCH 0051/1208] Minor clean up --- extras/vpnsetup-debian-7-workaround.sh | 2 +- extras/vpnupgrade.sh | 10 ++++------ extras/vpnupgrade_centos.sh | 10 ++++------ vpnsetup.sh | 13 +++++++------ vpnsetup_centos.sh | 13 +++++++------ 5 files changed, 23 insertions(+), 25 deletions(-) diff --git a/extras/vpnsetup-debian-7-workaround.sh b/extras/vpnsetup-debian-7-workaround.sh index 6230ce8f83..21fcae74a8 100644 --- a/extras/vpnsetup-debian-7-workaround.sh +++ b/extras/vpnsetup-debian-7-workaround.sh @@ -22,7 +22,7 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -exiterr() { echo "Error: ${1}" >&2; exit 1; } +exiterr() { echo "Error: $1" >&2; exit 1; } if [ "$(sed 's/\..*//' /etc/debian_version 2>/dev/null)" != "7" ]; then exiterr "This script only supports Debian 7 (Wheezy)." diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index c3d37c5e9a..d73515b617 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -13,11 +13,11 @@ # Check https://libreswan.org for the latest version swan_ver=3.18 -### Do not edit below this line ### +### DO NOT edit below this line ### export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -exiterr() { echo "Error: ${1}" >&2; exit 1; } +exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } os_type="$(lsb_release -si 2>/dev/null)" 
@@ -37,13 +37,11 @@ if [ -z "$swan_ver" ]; then exiterr "Libreswan version 'swan_ver' not specified." fi -/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan" -if [ "$?" != "0" ]; then +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver" -if [ "$?" = "0" ]; then +if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then echo "You already have Libreswan version $swan_ver installed! " echo "If you continue, the same version will be re-installed." echo diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 8cdbafc079..98eabbf2ec 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -13,11 +13,11 @@ # Check https://libreswan.org for the latest version swan_ver=3.18 -### Do not edit below this line ### +### DO NOT edit below this line ### export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -exiterr() { echo "Error: ${1}" >&2; exit 1; } +exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then @@ -36,13 +36,11 @@ if [ -z "$swan_ver" ]; then exiterr "Libreswan version 'swan_ver' not specified." fi -/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan" -if [ "$?" != "0" ]; then +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver" -if [ "$?" = "0" ]; then +if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then echo "You already have Libreswan version $swan_ver installed! " echo "If you continue, the same version will be re-installed." echo diff --git a/vpnsetup.sh b/vpnsetup.sh index 7deed8e7e8..799c5aa094 100755 
--- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -36,12 +36,13 @@ YOUR_PASSWORD='' export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT -exiterr() { echo "Error: ${1}" >&2; exit 1; } +exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } -conf_bk() { /bin/cp -f "${1}" "${1}.old-$SYS_DT" 2>/dev/null; } +conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } + check_ip() { IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" - printf %s "${1}" | tr -d '\n' | grep -Eq "$IP_REGEX" + printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" } os_type="$(lsb_release -si 2>/dev/null)" @@ -335,9 +336,9 @@ fi # Check if IPTables rules need updating ipt_flag=0 IPT_FILE="/etc/iptables.rules" -if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" || \ - ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null || \ - ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then +if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \ + || ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then ipt_flag=1 fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 444af4a535..59a3b55657 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -36,12 +36,13 @@ YOUR_PASSWORD='' export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT -exiterr() { echo "Error: ${1}" >&2; exit 1; } +exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } -conf_bk() { /bin/cp -f "${1}" "${1}.old-$SYS_DT" 2>/dev/null; } +conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } + check_ip() { IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" - printf %s "${1}" | tr -d '\n' | grep -Eq "$IP_REGEX" + printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" } if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then @@ -325,9 +326,9 @@ fi # Check if IPTables rules need updating ipt_flag=0 IPT_FILE="/etc/sysconfig/iptables" -if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" || \ - ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null || \ - ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then +if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \ + || ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then ipt_flag=1 fi From af1af539aad55d960d1f5977ec307e4542f563e2 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Thu, 10 Nov 2016 13:04:47 -0600 Subject: [PATCH 0052/1208] Update docs [ci skip] --- README-zh.md | 9 +++------ README.md | 9 +++------ docs/clients-zh.md | 4 +++- docs/clients.md | 4 +++- docs/ikev2-howto-zh.md | 6 +++--- docs/ikev2-howto.md | 6 +++--- docs/images/vpn-profile-Android.png | Bin 0 -> 83871 bytes docs/images/vpn-properties-zh.png | Bin 18475 -> 85831 bytes docs/images/vpn-properties.png | Bin 39798 -> 95100 bytes docs/manage-users-zh.md | 2 -- docs/manage-users.md | 2 -- 11 files changed, 18 insertions(+), 24 deletions(-) create mode 100644 docs/images/vpn-profile-Android.png diff --git a/README-zh.md b/README-zh.md index d34636d326..53f553ee50 100644 --- a/README-zh.md +++ b/README-zh.md @@ -1,9 +1,6 @@ # IPsec VPN 服务器一键安装脚本 -[![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) -[![Author](https://static.ls20.com/travis-ci/author.svg)](#作者) -[![GitHub stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) -[![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server) +[![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) 使用 Linux Shell 脚本一键快速搭建 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu,Debian 和 CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 
@@ -125,7 +122,7 @@ DigitalOcean 用户可以参考这个故障排除。 -同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 协议的局限性,如果这些设备在同一个 NAT 后面(比如家用路由器),它们无法同时连接到 VPN 服务器。 +同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 的局限性,在同一个 NAT 后面(比如家用路由器)一次只能连接一个设备到 VPN 服务器。即使你创建多个用户也是如此。 如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 @@ -133,7 +130,7 @@ DigitalOcean 用户可以参考这个EC2/GCE),请打开 UDP 端口 500 和 4500,以及 TCP 端口 22 (用于 SSH)。 -如需更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 +如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 在使用 `IPsec/L2TP` 连接时,VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`。 diff --git a/README.md b/README.md index 788655b877..7542a79aca 100644 --- a/README.md +++ b/README.md 
@@ -1,9 +1,6 @@ # IPsec VPN Server Auto Setup Scripts -[![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) -[![Author](https://static.ls20.com/travis-ci/author.svg)](#author) -[![GitHub stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) -[![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server) +[![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) Set up your own IPsec VPN server in just a few minutes, with both IPsec/L2TP and Cisco IPsec on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials, and let the scripts handle the rest. 
@@ -125,7 +122,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: **Windows and Android users**: If you get an error when trying to connect, see Troubleshooting. -The same VPN account can be used by your multiple devices. However, due to a limitation of the IPsec protocol, if these devices are behind the same NAT (e.g. home router), they cannot simultaneously connect to the VPN server. +The same VPN account can be used by your multiple devices. However, due to an IPsec limitation, only one device behind the same NAT (e.g. home router) can connect to the VPN server at a time. This applies even if you create multiple users. If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. @@ -133,7 +130,7 @@ Clients are set to use EC2/GCE), open UDP ports 500 & 4500, and TCP port 22 (for SSH). -To change the IPTables rules, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server. +To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server. When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 4785bd5ab4..8ab0b728cd 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -378,9 +378,11 @@ strongswan down myvpn 如果你无法使用 Android 6 (Marshmallow) 或者 7 (Nougat) 连接: -1. 单击 VPN 连接旁边的设置按钮,选择 "显示高级选项" 并且滚动到底部。如果选项 "兼容模式" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 +1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...`,然后在它下面添加一行 `sha2-truncbug=yes`,开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) +![Android VPN workaround](images/vpn-profile-Android.png) + ### 其它错误 更多的故障排除信息请参见以下链接: 
diff --git a/docs/clients.md b/docs/clients.md index b9b7d7fc36..ce79f82d46 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -377,9 +377,11 @@ To fix this error, please follow these steps: If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat): -1. Tap the "Settings" icon next to your VPN profile. Select "Show Advanced Options" and scroll down to the bottom. If the option "Backwards-compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. +1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. 1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...`, and add a new line `sha2-truncbug=yes` immediately below it, indented with two spaces. Save the file and run `service ipsec restart`. (Ref) +![Android VPN workaround](images/vpn-profile-Android.png) + ### Other Errors Refer to the links below for more troubleshooting tips: diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 2449bdcbe7..a0cbe833bb 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -17,14 +17,14 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 - strongSwan Android VPN 客户端 - iOS (iPhone/iPad) 和 OS X (macOS) <-- 请参见 -下面举例说明如何在 Libreswan 上配置 IKEv2。 +下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 -首先,请确保你已经成功地搭建了自己的 VPN 服务器。以下命令必须用 `root` 账户运行。 +在继续之前,请确保你已经成功地 搭建自己的 VPN 服务器。 1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。 ```bash - $ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) + $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') $ echo "$PUBLIC_IP" (Your public IP is displayed) diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 3aa9a79d92..423730314c 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -17,14 +17,14 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica - strongSwan Android VPN client - iOS (iPhone/iPad) and OS X (macOS) <-- See link -The following example shows how to configure IKEv2 with Libreswan. +The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. -First, make sure you have successfully set up your VPN server. Commands below must be run as `root`. +Before continuing, make sure you have successfully set up your VPN server. 1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same. ```bash - $ PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) + $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') $ echo "$PUBLIC_IP" (Your public IP is displayed) 
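Review bot: In the docs/ikev2-howto.md hunk (and the matching docs/ikev2-howto-zh.md hunk), the new `PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)` line takes the server's address from a third-party service over plain HTTP, yet the step only asks the reader to make sure the value is not empty. A response altered in transit, or a proxy or captive-portal page returned with status 200, would pass that check. Suggest telling the reader to confirm that `$PUBLIC_IP` is a well-formed IPv4 address and is the address they expect, for example with the same regex test that `check_ip` applies in the setup script, and to fetch over HTTPS if the service offers it.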
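Review bot: In the README.md hunk at @@ -125,7 (and its README-zh.md counterpart), the replacement sentence attributes the one-device-per-NAT restriction to "an IPsec limitation" without saying which connection mode it covers, while the README's opening paragraph offers both IPsec/L2TP and Cisco IPsec. Suggest naming the mode or modes affected, so that readers with several devices behind one home router can tell whether the restriction applies to the mode they use.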
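Review bot: In the docs/clients-zh.md hunk at @@ -378,9, step 1 now quotes the Android option names in English ("Show advanced options", "Backward compatible mode") where the removed line had "显示高级选项" and "兼容模式". Readers of the Chinese guide whose devices run a Chinese locale will not see the English labels; suggest giving both forms, with the Chinese label followed by the English one in parentheses to match the added screenshot.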
diff --git a/docs/images/vpn-profile-Android.png b/docs/images/vpn-profile-Android.png new file mode 100644 index 0000000000000000000000000000000000000000..609850000929629f866125a6a21b256b8e65bf1f GIT binary patch literal 83871
z7xJ=4lwgRA9=WIZ7qEwwf>RVfl(pcMm9?$tuTas`P_QjDUpR1$D2;lV^KxHoG%H<- z*%t1Q&(tJ9{kmHp_maWmO2_GnFJMc-E5*ds?!=B?)M{dVDj3PJbv4-c&n(aJCQl)9 zTt|yyk+&Yv$mXSCMd#mL8A}raY&{7qXAL!_?#Zrep&l5E=ThS1{V-A0Um&Lxn_7#t zLa3ZBs01|k44$8r687JK4Kr6{xYZ2m&SAA>-zO!tT(FnF{jy*p6?QYu2U*uml^JJ* z%XiNAy*2e230h-oxW%1TOGvGt1RQ02)Ty7I#u<@?^TJJ;C%lEzO{sCSO#u{h_=mTc z=6cf`31wRGzvQ12J>G(&zw?L{R}Z(Q*xqD-bjF|ReP z+gu4Nzzzmb5Y))CN3BQfQ6ctf=;)XIhBaN2beus?$n&_i#`JCt4#nV|0Bm3AQiW8p z+r)@GcTqC=y2=El|0U9;K3Ovs>(?f&!P6U*wom+N@rxA{tGXmPiIRogY4>((-%xvD{mM(sB#aV3|VrnI8fkE4k^GgSkNXi7Eju zV@xS2z@4i2nkCi2gD4(U2uSm!CDP1iC?}xZuzwZw(2@Whx+xioEP{&5sfM;!@u-uC z?tl}AdR$e8?d$QDLgEy$l#v%rWcp9xW_q)--8)+U3`sGTES%G5vj3!L5xj0S^SF^V zUY*uFtAT&V^Ny+R3eS>)G+VCX=2UW?T+y*z0obyh0Mmt{D*D+!Cn@9>QQWhdW33rI z*aXeAlq0A!2jyOvu?jPf_!rp2nOWuYa#x~g))lk7nA%i{(l($Ex4`CQq&VP(ZF25B zs1s?dOcB0KbdVIt{tI?1tKY#U3_i=hBDVtK3I(Tw$*1_jYQK)8BqPjA$vqoN+*g*^8>+us~qwuDfCs?jB!DxiH!I(UL2 ztj6w3xeJpV%jx;!ymZ3N3&Ol|82PePbIx?IyhwDO1&55}->NcU-2@u4#t6&bXbUQ> z@U&uEQjRTyuFRTUa@4-1}HOUUh3BI4O%|(=lmy+E>rVe!3!Ci{IsCxGTx7#4KSaV}uMC1N2>voyi zMEaurGCYDc&-*9rvecf5wCWOV*m9R#bziH0ULk>z1aVzGslB|Ohn!kYxJ&#g%oXga zgiltClDz&{T9}k0Mmz^MqqRxqkIWgs(h^mFGDtJRjp4Q(i^1g$#IN#1_BGxSMPZ+# zox0T4;MLqzwm*^z({Nkn-5f@uT7OpDhW7%yxmyiHiaaX4@Yn8J|9{EP!MAUZU*CFU z`t!_{I=jVlCedEqXCs%}SknU8!sp?z_8L5o{SHSi|6w~D+XH$YMlU;~~nYGvoVzH5d3OS~dVtO5$NqMb8w>2V=R3JVW{TV+L=`mQ8_Y3!S}xWvdbc zO)`6dbBlaM)U2S5#aF56TR-=(DH~$_Ow?FAdRMt)p2q4|IEwfMZ523t%1b-kLJ=ij4slZ zekTF@f$@@NbZCoEj#u!7r4Sx2CtDI_>{a1vwOx3hloyMg{3(gbX-(J`iWkUbDzY`f zA~TPLAk`$=){uZoGVSO|ViEJ`X+H^K3X%Pdd>eG48a(OvqZ@^S{em4u9(h1_rRu+@ z5hBA%7Q#d~%#IQ*J=4^KmQA?ui6KtG6LatvZxDSEzd8Zq^7`-Jc*ul8;u(kv{**0s z$-?y}wXL+@#liTkUVqw}q@rGx?~!|KRa0WqY>9fxjVo-{iD@Js*{UOuV|Q@A7`}kn zFLN_5{@hW-h+};EGYbd-XV#jX3Bmz& zYIJ8u=G>d}7o!CI&oiweX|z3>gZXaU;FCG}|z5lE82k zS(Bc0)ol0V4nEId#IZ}uA9I(d_M0v(^GAwzedv3)^*Y}Rc&XaY1eA)R=E5CBBhEY+ zP<_{rxX1AN;f#nm*Fsdcf%U9sY^L)2VBHb?`{eCYY5ld#Kk8p~H(<_i&k{Uwo#RJ0 zxrJeK{5yIx8FNd-ZOzUThX$&%bL9mEzVk>U0!@evcaiGCrebA2V$>-2+_0u?F#9>P 
z{w8oteOZO0^(6%!1bP{;S6};Egd>aWmG73Rb0?M~cz=xpB{8Kdy^TI|B#l|(zMv4R zFqIq)0#ku9;9_)G_%4u~?cELY!c5NPP;Z>~9}^iC1L5fRqlBN*>=KrD%P;}bs&255 zIEywmd$wm?%&z7eaVzR})|~7%9d+gdVj@2=9p;d0+#S%ckOE2Q}G! zRi%wG01^3rxKR6r1)s{8ypJ5e)hlSEaDl@pgPl5BdglBVv zY|FoHJn*`*+xLgWJ|rLFou@dBJfmaVGy}t@aoig-F%HL9C!g~FqOq(?l`C_!v}~7UT^!M3 z<3+>Fz_1uG$B1F%p?68})N;K}6Y(-3phf+D6p>XUI$IEaB26EO&`k3=^@XwrQB)Ny zS!0hRx8%kXv>)*k*wfu6x?UuzFDqPDoxd>GnH|~4)F0=t{Bmm(H^j=v;2{yhv|tp} z&CZyXT=u&wk%}h$Lr<^x1Q-#x68l(t5U-KVl8v+7I5(>qHf1OW~g(Raqr@&hfQ0zLe{Fm+9o1ULXh94lpLvl*yL66hLq%T3G^ZBzR|$I{vH~6 z*NTl>y@YGKd(uqUcKNWW_UC?Oz9|RE_pROCA2;i!;H1zIk7?ueB654+PEUO|O)ZnF z=E0qpZzo==364^YZTr;>${9|uC>wXSQP99)nl%KI=>l?Og}7z4(*gPgBahNDWVD+LgKoCZoEqs5%DRH7y`_tpolphG-2&%)A{9)kSw3juB6#F;5R;lMWF@{%1Z*pN4Z(AqCM$6I(t4aT(mfBlKaYl=+D(hzo(g# z#n{X~E#tZ`I#Ndt559|6QTrqC!QLQexwvFOJo^<%gr+ZA)zZ203q?TQ&Dh$ho3o#X z(KB>(5%WYa_Pb2117@{EQ67YVhQMIk^%etD;{t7#Nl?csrJlLGdzU-I(9+Cg^7X5H z63HvV(Z*u?t;e6mhweKD*HyYd7&m4vrisvu_GFE;M)juPVWc9zcGYdSL=;F{~Zc#ov_{{_rB1^mt(*Pxq!>|(P4PBGH@hkn4PvL|%|hhIOE z3=S09kxNm@GK+?5krVd~kXO{~wDuGB6d9WV-{j!AAefQ=Ypr7bANIKafA!Bx8>97* zjQ{V)Ic|!T2|nLu#pMok*)INCfPN?2u+ohW*+Q#JKg*EhQPF>2lKESCwe)2n+cD5- zED-g71V{`(4O{#G_8*BU`@rz#V;AHb0PxTUp#n2QK)Pu~43K!d*1+`5&8#Slyjt$E zLBOs;8kXU*YY7WbkNdy@_z6MV`f0^QL{jWcI_!Q**b)D=e5ET8$CmfP)1pSlkaIoX zGWD`{J0`~Urrno&b9{E5O7#S!^o;g(_2}no zta%8CXgrRNUApF%rn5%R+|w~% zS!v!Mo)$|y1a*cXn9n=q)4oX|le<)wK{RHHZ~O$#WRxYqc8PqGD^i9J}ro5UDg3XFtPqW*(06k2Mrw; zAC~NnSxJp?Y+pA`PO}ey97&*A8;d``@(Yk8jMa`;O|*;vC3SSJ0m=a7_p1j0RY=wK zYWpVxNKE<1?T2V)W(lAM{=GUZECKuwW<)?A3JnB(@)u{HbMQh;HGLby>K#`+s8G~eA{0og; zQjjG5IQL~>yIJrZ!+{Cwml7!MQu{YZNa1b?175H}ZaiyTzEfc#upid6GANe-b<$WL z2tj=Z3yo1p3#pKW$`u@!N?-|ihmC-f-w4_&|6zCE@HB&qmJfLl6_?Gqmt5%srUX9$ zf>5ijeQvI%mfx%5cbU%{7P7>8w(IMgidz-KeTF3JrkM9~VJg7qdvY?qW8skSzq6Z3 zyDztl7NR?-66^edu&Iz=*OEsGii+OpvHf#71U$^fVA5d%^ikK)@!v$-uSmLl(uV+A%ue#k{Cts@SuJdAi8^CLBM?fhz9$`Il!B>{Nf-?{XkrZFp&0vP=&}75p@YQD zLJ1U5#A9!1rRJSkES~@-U~uNrtJhB;Ct@kkatV>!DlW@$Z9`61@JV?gQvMtt#+m}V 
zUPxI#SjkwqR=~ZYwnvq6g_Q|>a-KV-o2(Jx#6=yBR9>LR2#Am*VD$uWRY=;TYs%nO zT*nP%XrSccNw~Md$+%>_)1^cL;W?V+aE0lT&iEvBte*Si%=4O3D z02olU=NoQ>{F6LhKksmdaeXcsFTG`V*ZuWv;X>)8sZE}%h#N9ay>Y?XBD#52PaBH0 z5*^w$Er~JLLzX(K>PwPq6Bd6k5uqp+Sn{O%Ckgki%Tj%{ zn>qS$uwAq`p%Ba#g~{64??;dX+oZ~4yWFn~Wc;v3Xk!Z4dWJeBUGl3HUAdC!H;PC% z_3U!1Z@)t+Hhh21>1%n3n**P(qIrzwFvtGN^F}3*N$jzglX71m`|^GJ5==kglGf~c zP7)QCz!+%41%%@zdNRWGp(O<{PE!#MqW50cWMH3|mPxK(jzm_+4$jNHAcN3tjL0CVCbVidIM?#}Pput_t%U zT%2hlgM#(^22BWd*9FpF9M46LCSSITm>JC=t**f6ii8L zEj(N5rwkK0>>dfg#3I-p%%0`AY!f+|x>NYO9eAx{0FfgqO}xvTy~nzZlJPrCtS>4a zlR4`qluQOQq6DSD*?S2Rwfd0QZ$ywuzK<%iZ4@D_DOX`apj}ar7FsU}?jLypufm;u z526pE@|#bk!LkKZ?n@j#0{-n1?&B3bY+K{j*In*Eo3YjYQ#t0`1j#lc1RDfQu4B=H zpaURC%!5#GF`cCh{_CEmo2l|d8m^r`-+zT#RK=3Pu6k7sFv&Ct%d_=Odqc@yOrLsF zVuuC*TWJL%fhWa^Fm11K%mqOy#}LbK6^yq1$zUahA2zo~tW^V3lQQaO;x?q%Sfl4c zDs)GnqBw=A)3&Kt8FiXLlv5BSi)&gLXV|hn(ZR4_PRHgn{W^k`jY@chsrNI&6}hck`#rVvajM?)vyu78u~n7<`seIaIAGw8CeD4DId(@rO{t3t#I+>DE@-L% zAYsGi;^rn#d;`-ZP1`mM)nPN+<*~%Bcub=#Yxg-d{SDbvh>vi3<6JF`Rg`7hPiAA` z+>*;}mx^7X(KW4M0e`d1Yof&o#-Ctc<*dD6*2AeX|CnhCNK3=`g3oTnOV0qXAIepe zNL##+%-^Yd>vV{;+J>Bc07&dM>`g(SlcQ-`uwQ!9woeud(jG{KtQu~GEBf<_0?Ffc z3l+l#5oo3_`f=fDSz*ZctQ*Xuh~4a#NT*CMW3!$1mdHYTsRu^R*E`}`3B>-XLzM#G& z<;oexGa)izPl{9>cd8Oj=9eTw@fwG5Z<-6{(mL4r?!Bn~fQS1S5mfT1!4T1(76m^| zFxZf+QfgN<_kb+z&TRk^PykLdRj`S;8~tY#4B4U@>4b~b+QrhJQEr!=K#{<<}9yC(zP}F#S2&Tk|2XHWNb(w97*y2%QO!5HJ z3`Ziq;qi9Nv@UqyKHZ4U?nt%EW6EVSa(Ik*cbPyr_jr)cwgW~GViHTjQ}V}UQ7}^0 zZNOTj6x#4BJ^7fYj2Rmx8h@;j+{@X8m` z49G6F8~N7K9c&iU+hQMt0z(x&yj=Ozd+JES8w`21K9@jqG(6Vy+UizOp7V_z|i?9jX$a3!wy zMI7*U-kvuT8o_*eP6*c2u0L@iV47)%aObBiU(tt|I5#-IHP7rOMy*{!O4 z^NI}Z+&N3bhScM>$>wN^su2|T z6+Nzvxp}JA0fVc;5}+iounWSt*158FGE|Dk24-NjjrfHQiZ4cwR7%L52U$V44ipJ@ z0kw_HgAo2^C9d)x+gwiWSroocQ&M%% z4kD{8t%gsq&YakgHYPocXS|8fWMd>=(^$I9knEb1}*o+%+;)smBxnmP?DK z4`}1{C-}0Np4Vi37qtJonngl#-xGdnD^O)JBxm?dzZRR1DcDr!HD+^_EA~aISHx1? 
zEaWD)C`P77eTo)0077n$d^hL*8v8u*vQWK#QNCL(B<}?gx}1sp9cL-J-pFW5cLD=I zw)744f-!`X4s1FyaKucF&7*d-pmfY}qcQ<&es`&|5I2BJB6qL5a9cVXQ0~4er5BI? zDDLvgFLJW5jkLv2XYFZPrU=k3xKp`NKQz>tPe&wOe?aTXS^Jn~i`J}ldV#Z}|1=3* zMqM6D?s1a{xO0KmgfgEjFlO*Bjdlibtt65C3JUd9`%6+`iqmb>N3?9mo9cWEq;BLG z-PyTfuRKl+rur{(p=DCBqE+ljmSMqL!xR(j(6QAhQw!qF%&!2{uucn_Nj`}tn}#l6 zMkIjt>L>+Czuj$V)FQL|Xzr=Qb?&PdZP!zYgRGOUiEg)rBS=rngO?)K!pS^KAykZ- z1puEghwV_V`g6k_to0XNnf+H`Z`Fr^8$YyQ!A!GT8&!v zc&@%kZM4-VNspual+VJrdybm_%@5ooa{+lr+0`XsTu5TS&;S`o?dAR_0yvH1G*4qr z-SrbOC8BosrEM@au%Ym}kCh?fD;d@MVWw^`{(S~xSrPj z@C2fFm1V9~HRro;=-UUogkaTO4URReb_OX*oWR4?BE*eN+yr1hY_AsjVr-qw?D-C+ zaOVpgCcOxMKE>L9G#tWt*qvBmOB99g3J23CkXNA1-L5Dz4U8KFT!3x7Z+~w3Z!hB; zo@9fztL8KaLp7WkMm49EKLyE5z8b$e6%bRiy?3@`4YPiz5BU_1s;PqV373ilt_ z)cpp0+~|ELTUtl^u*%pzC$&u*{*QDTi~cm16rt>hN^?gvY9S>PyZ8jKS<+X8n?4 z4x~%ND7Ku7=u)n9sWN4lV7}Unox_FG>KTcZDbY~$Oscabcx#J+IFwX*l#DQ(InKVo zwpeP7_iex*48f%hfubxHu@>2+r{BvI99V)$U8^{~uyDm$t-5C?ny0)F@?wl_dCGW@ zwP*RKzv(TTb^!peY(9kJI(t!8pu&xFrSiqL%! z#3qOI5-D8Y8#gRxW)0rj-Tsp?@Z?>v4WEbDO1ifGnJ>w4>cl?Nz%%KHvZdyK(Zjwo z7Mbn7%qxe_i2vf$fFYz|w8Kr-%m9+IUV3*sJd4HSfn?xXlpmCqbs@Wo%(u4>w)kY# z&7*{bHs)w$`1Se^jl+}3 z#7-}e5;4B%l~-Yv2VR7uC8WV^2l8+=X`9*DbKPayuz!&1oGTBoxM>ggi%GY4C zB~vz3BcItO2+HNu+nZD2PoXzcZExQYuh)L`M;`bM6qmuc{o`mJjotm_>>Dh`*Nwry zK7*pt9OZlO1K60%+<8@mKYGp;>)IT5W4ptsnn8wbzNTC~?3rdk29E2;7_SS0lZcn<xA zu)_Xd$l1wI+Gqu!#m%wZ)H25TG&27qi9K$5d)sKdXzxx{3DDZsP&f3sCW70}4W#^a z$g=0#Jr))e78WiK$a%^1Ul`eQiM%QBM?&qPkVx=x7|FQYMC9YATq<|-yaRMDRSsXM zEIYnqnu7iJzdkPK5lJFqs@0Z~tIcd~+mgdL_LE_RX)b;|>TmxD)@>7EQE6+htl{1z=(pcl( zeiMZbNZ1kxct{J*5xW5tzcP+NHIfF!1MVwYlWqciG63;c4?ZYxp`HXPVXbNd>J$!n z$?4K=IUAE9&=SakXgp{O9zGw?KUxJ16aCg$MiW5jegFyeJ_5?_Fx2FkcA4mo%1;k6 zO_&~;_tUy@CoAym=*`>M4q}@rOPxe5MwgwpG%E2#}$_EIjO1%`WRq(~6uaV^iftN5-P_ht+=Y3U! 
z=L#yJVo>0L1iUUI6=r6-w&<6_CI#?SP$efJleGA_5r4sV_n8S4Yv8s$`-U$w_iy8Pzy;L$ou9bIiVN*uG&4Z z(s)04UHMs6f`ek^gk7kBYszxZ$J)u$?Wh^+nwhIg{;PyuLs?y~oG`9C%iG=NX~>ja zhg`mw=_yqoUlT>tYzMYUq55~m|EwJ4W-Splp12(Tk5lnv7|($>5Zmalzp1l%&Hu4G zLYRC&EHr_Xh3IU(M7A^_vG`E4kgPlwuYl_vX_fi>%_+AOaM#5!>!7E^%}cxU9TYty zAcb}W+^xVZTQ2ei2qK3-7pM?Q#gj#E&Ssks`|}r4_Q57+0DkmgAfRFKX=4zXAcae+ zH+>IiR&6n|rdb%z4FD00^P>hrkKh)wtN6>*3&3c1-Z4?-(aP7Izd!P6!Z~%0@n1Y< zf-E#Isucfb&|KlvNacI1Z>DaRc(O$Q>}ktXH65imSqci#p;wPeeoyo6O!M+C{j@n8 zaQ+!;kDeCHN;UlXWJZ|&ld|&hk3Y-G@81U{h`-bC&E5IYVb9Im_3lFEYiTMICGcou zEdwBU5?t{z1A`3^Ls=$+QceE!0&p;1T24~)#ewrA3I{|e*Um`Pq&~~d1?@Ng_HTh} zx(&C0J2abhPI1}g#L^w`sEm$`oSV!k1yX9CYw(P(9dT>mQ&x*Hn2g@zS2a0#UnW#) zsPwy{lc^`9La+D>MaQk1e98m4ty^`^LrV-4J%B!LKWn@qePPEB&DSw3^LD1oOV{~u zH`IvB^H-_oUpuODxv4{^_YGl?n6oNFINCFBeFOLH;fq(YWvsXSCTY48Reo+5IC->c zvz7QBC|O=CNvcLsV*XJ5EjT(J3U&!vL-{Vi50B)U0@h{DD$9$C!?)HKEIH=IL&UNU zIQ(24Yu==FEac@2ndYml-s7zO?s<#B$$U$1Lq@A#TtSlr9V_kiQz)9i809tOQNH*b zB5t|=p7Jp{%dLt$9n|(I?GF#FMVpY90e4z*r?71zN6RC?G8_ZYwX$EqL}l#8Ycc2A zEKfsmECwWe+a7~XPV!QTN;tdiSPuVB2#)u#DV*XXxSJgsI%9W+0>M2!E(LhR*^E&X)Utd)1#c7Q@}vV; zfzC(EMe*Ui0;Q(j%k^|L;im0l-OAq7+3%gsjeA3^6sSFY_`qZ&P$pw$qk42{UH#(N zIK?jH0$8{=IHLdM6XD9qy?4sV@5~tBCbl`+4gtc4`=fttE@am4$b-&^@rM5(UA~58 zQQ^|F>Y5+q58I-73wJaUJio)nyA4!4+uGAIfB0~n)yi2bWQL?=*k6Kf<-dl-+G?8H z@jCIQi%YFg$YsBiHxnfLNAv>E1xpsX7dT`GPvm)bi*5;OyK~L^4Du-ltPAt)Ix2^Ft{3@1NrjV9{;Qxx+F%Wz-wT z5*BgtLY%zd`z~=cEY6@X$ID%vTFfC&LLQ!aYDqUd6g2UZ`MA|cLT(s|_YL4>1?TCM z4fAb4Hi&h7#Z6)HNF|B!XAj@9_vqwg$J?Nit~fNnM(I_vkA;rF0?rw&*piPEk)aHB zNEMP9q8HeA>r9V0DYIBZ<0!yA6bPQS7fi(ry%i{h_<;?1H$!W1VT6Si34B7y;Er5L zR{Mj7+T2QW7?$}U@wgjjCe2Is8f4Z6CJ{@T^!9(<;yKbKks9mnIl@nWFWR|`dMHy( zb_q})^VE{oCk)pNLlq|G03$FlU1_XP-C}9A_sgs5ucM0H>YvdQEhl0_^Fnh!GR1CN zn;3yKwB?*F$0H~{U6t;Q$?#h1@ZBLra7m#^i;nvIyXo*@ZdcyEk% zeNjca@CO|Z>wf0VFbGH|kEuMqkQJz$rmKR=7^gicF z?c+g+btlRg3WV1$*MIwVCxF15l`A44T8s$c59D9kI*=rBXQsTqo^m^KS;pP6V>Ts(jmE_~4 zc(&y7+mO$o=B|^^MuD(+|BKT{i9hX4Ayk%#vA?ezgZ`gy|N|m6XBJ<~XO}MFd1jl}V_5WIa1ZHQ6CTUr>opS2MVTfm% 
zWTW0q>TKZ>ix|N5@J%#1NMon8g`yi(wjzxw3wFr$P)hk9vJ4IoW_TM1D zCR>h@t=NdouyC&=%(*3{d@&>b8xNNj2+ zc%@I0&VHh}ZF3^=XSV(E9Ag-pvrbOP2U+0ip*aSv>-_3=uQa}^IXOIe>^FnjsQ171 zX|sL0?Fr{6R0{+S7z(s80^jLk6mJ&Z`3E{XuaAl>STrkqn;f<1Cg!mJ?_k0R9w@ytY>ip;-b%)sx^?S^9EdA|57|_ z6ibpkn;EO~q0_|Pf^Ayj{M8j=0ZbQ)@ydd6QbM=y zYZVCa1y@pSt^5)>^XubR_kFA2wa1$!IGk`R=JB;m%VV#d(#3&vgZVqbBpur8q12VT z25r3bR!xO+WuLR{YyC7bm}8KiB2}r2jlwk4v>VmQafTC7(mPLg#E|Sxl(Bz=qJzBhLr`LV=#5gCY>7I|$!M9zDR#J7S4?H*7qWz365; z$8)XvjfTRSc6mF!tm6Vf>GTA~81qO(cvm1~2z$94c8Urr@$eL9cZ>3~9m|lJjJv|z zYbHt?GW*S`gSv4pLvN+378E|S{&ZBg^!z(tO{bvEX+noJBcL!mk@Sb^3K)dpeziP- z+m*trTAo&ynkRD7_0$~pV1pmWl)RBHzdFGp*G5Z(J=(*-<_y?2MCIVvYt~|FJ(RF8 zjLuiP1g1}Llu5vo*b}GPBu%D7gdMd!Wq68uohHu?@p1O2Gk8_-_somX$fc{&Q*SnP-kp#Ibq#x`(#7V=<#W9aUuZQs78>^-g*wL$%4_FgJ`L z3_ec?)gtk`bsJ8EbIP+xe>JW_?9SFL`9GgFosl~gFf6qtdG@fa&aSowH!Q}kF62qcQIGB z15DB#iUXF|pz!jJMZCGs+p}cdR@G-szPb}_@BKW<7lv=Pm#{L#Jk9NN&wFdv@$7aS zsNLirD>TBJ`+D!E=BDR*fZ8%SCech$UVi;R8dfrZQgJ7PbamS;_^PKlVxs2gM+}Ag z^)VZJI3i|>2S>=V*>7u2lb7jT>{D_d!iykYGzah?y}W3z>mIWyIk8z%_219QeZ?il zvULrHO7t3u@OD5qG)TO5tDHH-;R-v;x74D*OhaYTkbPVySFH8?8sglo{&UHqR6u5o zs?D8=szG$lkjLsAXs+hoK7R9FK$1T&^kL?jDdR&mycd~4=oGe@K#$>&i@I&f^>Dl4 z`ZUEHOL?5OHpg$p-+#dPiM23sizIJ*(!ma-+?-04rZsSKV&d7iXGsDj>1Bp_uaedc z9=Vi9Io}rz1Wekib%L+OvFkahLNWtOuJ_JPc!EPuXO_fVC)KBpGs8v&JZt(1fw%AE zf(Y%uJLg@V#fh|#?j?s(*qd;-D zMykyG0-00${pWDKAkw`o9QyjzpsxkDY$g&y+Bnk{PleDv&+FpszDg!MDv&04YrG$? 
zITLkat^FN$3+Yp;q%T&h&ceL+milpPyRnu(Nx zA6atvnvoB$xBZrc%cuQp-lbEu3El2oc0Gs}s*M>DMN67(`qeim7x3-IY!~)?Ty-OJ zgMs@lo`}BJ_Ku34$%XU|-ouqGQN6Da_07px%s7KGu~uU5cKlk9 zk&qn25Gg$-l#$@~{2J_INi0Q&0!dMWo@uF+zC=r9H3QbVzs+&|!UU$eMz}{$Kb@RT zqx*erz(bctgI&?&qf3x-^6)2wa`+p&1S)Fjl(~kwhH)>#BUi~5rcKl>#-Q-`15Wd> zOmT}=F22Sbo~ECOK@A&%wChQkPFi$9cur~=J%MF|At05@fid?QJTITBC0A|NKH=__ z!%lkP+S9x`cj(W(9^gR|-M9&NCe*)I2ur7TpP-0%;Fqdoul(aKD}0Y7i1wD`q%Z?m zHO#w>kd6-XlvrIWQ`;l7roO7t3G5U#+CHC-ZHRJW*y(-_&$}ZLu^;`vI>Y04a=diz zrPn@AlYE1C6}sy zoO^QYi2jW8pId&(E;6AgvRhMO?UJZMh#=*&KLyQaesl%Ef3*7IJv5Z|4wXYvR)xwM z;$Sy%cK2uQw5?oDx06R%*mc6{Yu`T0%{jxd;Xr(@+sRkM6z%6jc|cOR*`LncQNs1f zzJ8V|r}q}m1Vlsy4uKgqbF9v{=O8Plj?`7ZeneDXq>C+pkDAP=Ea9wUSJr< z6SnQlDI2h@O!;th->u@yC2@t%Aw?A9?h=N z3)iNh8mC*kd~6}@Z7Wa`<`>wI_v-GtTkU4 zW}ckqzVF}lyF#Y^^Jd;$a9hCRoSmRl0X=L#F*Xg>`yg8Rgckdz!iUUhWn-S#(ajSl z3z1G)B6`NqTgpy>m7OA;&slYL*eO;xo@?pP^`=dfz_X4P(2N;h^v&Xlrsi!|`e^Wb zi>>9~GlegUWM39ihLEIIa|t=FfUDm6+YNH|V+#j_(?+a4ihZ(hx#V(EsW7Eq1Wxi*CQ;gS_UX34VIGZ?g&?g2}rr=&XAxH;yK{Tli1{x zmQ^9tF1ivGct4Rqkqnu;*7C^@;D=+pnp(Z5H`1s`w)q;WnK@r;BaaNcg1d%w(F#j8 zKU-Bo8$5)0;F?#&LP!N zpT>4mAPBW@zj%^@YK|${UooEV=nUsMAZ$$;V;5Msg>0(I5|Fd;v!Sh5FI${iWl3IH zdc2HM;dP=2Q6^@>^D3>-_Mfv?rFY~DnQ>In&lNQ$m-Dh&_EIXJ+{E@Q>?=0?tu{9+bNDdW~SE}UW3^YT^>+tO_lk|Bmz%s$DPXkol3v{3Pmh zFT?om8=)*7Hq4YFZ^T*q9#hWeLwgV92S+LYrtEo`+{IxS8+hAsMw#1j_X|6~!@S;i z>trcB&3eIf%b0ao>0G0MQ9@wD=gPd{+qJF~uhAb*-cHWK1Ae#WGda8O0NRQpF#E*QaqH7Jcm8G0dB4RQ6W+#}jzl%v)k8syY^->_e;xD4El{Qqyrj2I1T^5XqyDJ!3DO+qD%f#=Gc{X37i*s$L@s1bY zd=N-gtmR0)4Yp7@$J8w}`4+>d*20ABo({5pK}g?rBw{o6D>9Ki-~0Pn`O*$g=b&8V zh^)TF6|u0mf13UImZJL)*DrjgGU;nX5s;psS}SIztHfjj7ctpC5VB3bEayLwlVh&7 zT_p;!RDDHD6H%seyxmW#(|hHEsuw#ll@`zfoN1jJ$~uIk=6>1IjvtH3YkBqDH!1qQ z940qE5zRYCu4cTg#!sKfSQu$wo{-9jrNbj`jD$a5p|9nQ^3HZet_B19i) zLWnI7*#fR{1taUq)x+fmNpd1ovWqC0x)^C4_SMLY;faMv;dQmFokAmg_IX2^mOKnb zKH$_+{m|HmA+k*3okO$0L5>narzhnyeB{$H;w5Tlh-9M@o}TNQ@WDPjh~A10t&pzb z45fQ88>t+^-J?61-s*%@a0ccrpfoS(b_D#ckUTLYn5K9 
z^|X9c$3PtozIo$SziFq=B6mMXRZiwO8pt!<8hn$Z=X*_I6RB*s;B<7OnP}5;esVH# zJy`0FA4V?Iaq$RFetS%O?s%GZ+?S~p-m!y~eM0ImT6OF;{|#97VFkzTS%xf(h$x~j zMvxTgepA*e-gGp0N;a^(1g4~NPcC;kr20a&-=+;s0GxoWq;cN?^dP0+PBHuAhZA{c z=uMnesY{E6Ae)#q<`06sjR;yu8A@jv+DbPzNhBl;e?)G(6-Z07*3OFZykSKi0n6OO zRn2QLs@|WFak43j@IvrnP+@$3O4?Xae5P$Y#|X7X+9@*Orf7`#jnuwtZBH2IM^@B) z(0>PFFDSWjnPr&lqBI_w`4pZP>USOEsI9lv$ha{~oJJ;rSsGfLYq|{+PFN)?@^%h= zRo#4I0dy5~CDNej8TC0o$9NrVGUC)ZU0ki7ViVzHT5{jZ-k_H!%r)p!x&+l%o+Xv> zt1EUQcnRfsajnlWJK1bc__L|rkm;D=dD$kByQULG=2eAO%`}d7%|tsVHyN#yPEEcE zv&CvhIad*#7%|}&=%YqrY~+qjr zE_E0=N;w}nR{9{zbjr4CbS+9&w5)|HVnkNfTpjZtNXjzbwBl8|M0L7GG0c|-cJs(= zA)IZIA^k<-1}}%rNy}A}|G=gijRlf#B*(yR>z$O@QF9*ThN>Z_I~OW) zY{j>Uc(h1?0O1wmdoA?D>XN-=M&hkw?`f?V7#&jcGV@YTne8q(h4Zcaaqtuw-GTTF z*(jYlsfFJ1PoI^XMsxRWV@Ao;p0CEUUyiUErL>0U%nVGF z+!AQ;a+TFmHT&bF@=nx3X<>RbIqgz0nR&h5Ww3r@S$bXfy*s*ZRW>OdZ3ESx#s2U6$F3oE zQN{V5a7r^>dBR2(=HIZu?A_Cwkbge@`?pLiG^{qs6a3V`D@_3N-#5Vrb-C{4fd`!M z58E3q|6YH>VLU-Z+5Pt}Hu?VlZd9iK*1YxPzn{grm-txgYnb;eg;n75gvIIQ>T$YuH+8rSsNTk+*L2n!1jH#Q_# zSug1Y)I@$7bAj`2umi1yh&ymeS_7T9RT-#9`B_EHtkWp__)Uku4sCway09qwH-P9* zN=0CDyJNNn?$8uCy7b;9cc6o@2XcfVVAqpRkgc%rMc=xYIba}K_)ppHOT6+WEx4b!mVauUp1-u)?vgtql)Z?4?_bH1Vs zOF@;8tC{(E6Wlw=mvY}6q#K)<%RLd?0!cl8O@02lOJFe3`$qv^YtQ>&kIH|}_h2%3 zML_fi1kCLNLV>8`O^CYgtjo<=YWx{Y0f>>T9qve(c|_8i=Sz29v^}QASI^ceH7wwC zooSqrFMuA+2PA<@0;Pz1TC!Z6f8+Y5C4HF)P&qVF%lr%+-;$7!c=c=W^N_wW=qZau z%Yvyws`0Td&nWFXGFFX!G6B{`5Y&*z#0mX}uxkl8F6q@EodQOu+}T0t z=NX-XK(EglNOrbfXW%u}VXWJ$9Jc#WWQANu0e(B{>#lf|+RO$N_Q85?{Np_jo@qh@ zY}qigIoH5XBZfutGiA=yQ}03=o7+M=u&r*{$Y_n1{c46PqCpW3{7w5h%Cl}}XTpIJ|{c`22 z?~f10g}8$Ue;WGP8kvv@;kh|_v;Chjkf|{jH#|E`DCx1k+Q=?gO2r+xYtnFQ@2iN2 z&8EJ0KKx8y-un zfx8Pcdj^C&wGV2G0Ik3fV;QG=E%ywN9M(cLFTNI4Jft+GS#{3HIZV~#K*5%_L@QHEMD*_?8;9kqDmAeuwnCaL0l~zrD z+&b6l?WY3jAf@09{WHArO*Ffp$jPKw^8;It^`eGzhM1U`q2{l8|1WKznRUhD*OzxG>lK8X~ zy1jv{<^bdgKcMTD{hca7MUoGkoH7Xc?zPu~`E-5^r11y^rze{oGG7S*kA#b}PLjI{ z0+fNHe&{F2Z}jX7cb;ka(=9gEqkiH%iCYsHrt;X3ff~ zsKh|&EaXv0wFkX1=CTm!{L6XXL$li>y~{ 
z2{1(`cui)2I#Aw|BuAdm$FFK2*v2g=t%nIugUe~uqq3ql4#+f(y}P@nMj)Zl4JW3V zxRmSmrNLb#NB(73+`V3%X?_u#EH)wVh1AP8cHp2&FBm{eVHln>Z0x=2E+CRFwpwvn zUb!m=w>-p7TJ_OFRAG$1HG}TNqX%AqTFfV;0Ex>xD^hXH{08h7fwNeo=WoHaBc|UxYUBL~F?8SAZ9^epG{qZ6$ zfIjgD;}FG4U-yLP&#QZ6U|V3o^IfK7r1V_;b4dX zi%kEuS;FTW3{YU9qrPFTQdJQeVr=|Qq_y8Az&RrsMjuaRbxnLF$&UmhVYlsneU27| zu^mnJ=s@V9>Re`%f4vNNd}J@j&l_!J=j;!%tHn4*U3n(Eqbj!5KMhQj@5kJM2@RL| z!Ap|o;G%W%KQf2S4eN2I^nRJmqrF>eVJ2+PIE@MSE_=E?8W)SN3iOI8Ydaq zM1G2VhMrEhsXlJd>OvjeK}2m=OVHLMruv&^hS`eD7N63rXaxZF(D(Zk!nejmw!ouJ zFoEVs^cG#9UPS)1QIzO?cigG?8<;*swXuBGWfg6wLhSvn3ZlB2l)LpNRW^3`-G3`p zcUBC?eOlEn7CZQ}C$09}p4LVzxZf26Mfb4Ffz`OxqTNNyFF$s*wULZw&Z=y_+pTiI zgtZzd;5rV*5q6hkiJu}*=LUL%i#n7RyW?-fS=R-^N_!Ba(mBNPaN)w+}+{kwK%aHO`EVcFIlv?k18tL53QbZa7p0cYHYbm zfiZq}C{aR1gB<<7> z!ynu1fXLFY6tC}16gNu5MMV}p=M`F=Gpdi~Dawt%p9}&yOB2m~1pIrbtuBE~2E$0M zXZhqFJYr`-q`KmF@`ML^aUcZ_xtc8Up==|hxuM6EdK5uV&DB5lfVLB7ws5R2nAyo= zF#iMCF4Iq57Ye|0ahMmm6Xq-qDTnb)xx;1#_@F~?L3&M1E1U$B6sO|8yfFqNR>Qnl z=Jd_6Gco!oQ5`FIf`NjbW7!zI(zv8$!@(q@gp+!XwuVgYGLC%KZbgUncn{Cn_R(kC zm5b9dd9x8H1gvLUq?3}rFFgtLeN3&YCr4)2^szNj%zr|3ev_y&uY*MvnXm@4lW{umJTr45Nt}umysH#qO1r4H~{&8(xL0iMfnIs$7}Clu^ci znAu8qW>GsOC#VcglCm$mOj9>V4Iy4RHshE>gw(FM`H=aM+(0Rd7~)q9;iJLOul;=c zUacRteU)fwmkId+`}t;z@u*psv_fpv&EdusBsxx4I#@P#!Pjq+s(&#FBnJN(LU{^N zFI6iyv~d{E(bRIX$U0dkfCC;agP})lRcu{0(!y+_i2EnD;y&itt&Hcb-e>8=Uq!(l zG4#^Zy?0t^J&e>evGa;**F6ENgJOc{{r&!_1O%Jxqx)5P5-*5xFE%l(wki7i4OP0S z=qoO-0yx$fRHTKZQh5-Ezwajhzm z>rdTU{fo=1UF*~7Nw&eH7@I^gDh^d^1j6oDK!k?y*O#vnTd)4+`KomGd|BG%B(g6s ze=HD`!pLM@-3Tw~G|m_A6x<$gl|M!-f+{$TJ?ojFFk*$p+UL_2|50Up2;IeO^W*0< zo;@A=f2>y@d7Aeu+)-cqSrw0#4scELm_7WGS8eJ;1;)vPq(V&9Kc7VJmkJ~f+(~PDvKP30fwI2yp)Bql6 z470nF$LAQXC^*ORcZTIF_;J*EKstmNgd1^L)KMZM;ePp53P7XQyTt$jxF zW}hrgtbA!+kkPl`Za)6P;(iw6GW$R13V2iGe_)e;!H-6GvZhO;$KOAGrLt*0$;3|| z{o}sA$)?$aYj;WOCa#yNytnu2^gtwmiVg3w2+)~#1^)ZxCYPSCu|xaD%R}}U_q~kz zLhnC~;CPgT^V3RPG}(t;{{4ac`}Oy$s?uh~=dQi(5b&(+v)|>h7%iZZUYFUG{9pKF zIR96*bzO0>9>{l&d;@A?Lgq^i+nlMX>4L@T)l}~jxtvN_zx30(L4BFn-X+)l)S-gX 
z$_1Ht3v>dm=iy80e~Bd z{^wpV0IBY@`Old$8?bmj1Y#Yf5x|-0-@o@8 zr;dC2z?LGKF3)73B#n<{6+zrJA-iW@Z+37n3n=Noe*5-qiaO*H)Z$q8+M%Wr6$zep zRMqKeUn+}cR(y{Bvr=X~XA{4PNvBmA{iAMI<0|YAO}P9<)4c!ukA(Xy@NDmjan_93 zotGm$J054q)tCvzv*Lop3176Xd2Tb$!5sx!ly+g2LDI}c$cunScR#_$^9%K7zdSb~ zPc<|LgiT)DLxMyX`0u~Uj`<>H8A+!5P{GCR<4S>H_CBZ=uowH`*UjauJ5!f<{HAO1 z>~J&YstvGUsRJo7^J2f(-J=^nflS6NIpEK{ASqVt-+XG{^^=7~(Z@Y;g)P6vaJB3+ zN5FYG;NeP5JGWDvf+U)3u;_k@R6I0l$Y`b>za6>{_`QYozw5rXAAQ}&T;QLk5VVUR zqWO7;>%qag_SY@ z%AO1nZUE#ZIS_6FUIuzepR{`4oS{Uf`g=?`lsxQM;&0G|mKUEe+a*af`rzGaL22`h z;Q5!<{fkm3+uwe5@bEZyb#luJd$7{I4*0Z)`HB7~vuf0`>Hv^=b&Km+K$)72C`xPy?N&A7p{=jH|{!iP>^i9)C zG%x^~dJ0MVK70NIkPR5igpJN66#89!QkoPyP9@7yH*A&9k_j^U*TD69kbvAx1J-8& zsLr%NO=)^d{YQeOw6L_G^N-|5e7s0~Ym-Ptc^Ur7y;zNj>@&Pdu^Rgv1 z``2CRpLz-}tdXWzj=B5H-i)=++;^A-ZqJ(;fhZJ;e09OVi&q_?!$e_k_d(h^e*2g{ zb9dh9h;^l9_eyU_tqh)9h?d&cu2S;sdXCPw$aV%zZ!M&-W1DPmqPuno4E;m;rH@T4{3Y139vEKgzW=|6W%rY{|zMuX6><|06Smw6xCKW`8X4E-+x<`X&m z|IU5)d!3B#Zc~rw^o!Rq$jen);Aj=l!MqAE20i7|Atb?VUR}BAs15)}SS(VAcmmYf z*+J#36O;jd%yy*F>{c6T9ujcKHlGp}UL~Y=xC!y+_1fVxPs!Y*M=5M7?5wwcV2Isy z)0N-R+DirNmr$pvj}f1~}Q_7-hB2ixW|!)RZ6MD4F81M5`fT<-QZP_KwNnVY87nBZ_Ax#LQ{^&fKXJ=w*bGwKw-%dWB6xnz( zQ(5iyHl5HuoNWmrUU*V*3uU<7I8qq%f=1N+*P~((T3b$8{HM;S8maXDaO|h-%C7c0w3=B$ryax|JVrufXKOK$5^)$lv$MTCTE)TB=YQ`1V8F z^-OPO?k%2y{5tzs*=2;mn_7$VRs^5J769S%fvV-9o}S*&8xT_NJ=8gD4m4qr{YqyJ zeFWnFheLu)qejU7=jqDX^bZPe)Q_ zEUg|uMIHch>f8p=WFMDrI6_|yW-%>;b?|rKWSc`6)a$_00ZSEARby%BZPyh$F$exu zb-?%H!0?qVhNJf(|1eOmG0k4g9knnFl3;i?0F?4slim9^Dn>zo#v{Lk5M<}z)MH?F zZ3W zN-GEQ^3tdN0Ml`@qq}2E7)XxkR78K9N}clXVF42wfaW4I`%E_|BUFhu0UO^?o#!7h z%rTdd%nZ1h)gapDH4ya0gp=tM@G77|1>k6d&BiEM-fpKO;q96cJ7GIGLgV(}P`?^eQc zNW1O`cd??P%ucWPychgwD_`&WzUaVbLuG)gIIyKMU6r3bi6w-nb*Mg?WFXTXO@{50 z)pszMVuC0-sk0ppI)^@shMWQDLK)3$K=R7o9@^7_igh7C8#T=rn??q5ocM>I9SAPY zx)HMnJ`wy1@fIdG-H4@)lGKP9^q``RM4}Z#1kZ>cAV?=;q_XZQEP(|O z@ghqW{cWXYs-4m;FIOX57ZbWV|Bpy4dCAWXV^)RM{tGTE+SUJAQwI z8O<^m(a0xsMD8Lx&=}sOuC*IWeI#&_tjAUAu5i&e1ju{%#^HX}MQ2f8C?Hx^o5{`39pvHwGk2^%IR+ltFwKHuUHVRV>%!N 
zqFIPNMhp|&xmln+p;}XxAyo4?V(5+9fb#{8@?mQ!@>iOnzX_1)xE+^7cf8aYL4+ay zH>ckur7EGFXYh&x{&y2F)$6FZx|Hpfdm+G6`5Z?!blJeE#`nN%GElV0DZfv2v>8lO z3yCkfzCvGd%o9w|%8L?WjA3#Xa?j)% zQ?=Ev4W3lqq3X$e?~Z?YMQz3%vZ#kunK_Sj&+&A`CqJ^7j4E@FHREwlsgm|+9b(2) zSdFf!Trw>RAU8_kuSP~o4G>aSeE65<`@lmzga*ARpIKC$JRhwRmWrDVT;hkz({&_# zLN6&e-k)52aDo`vY6KF#PG7Irt@4jBZ__g1d4CNv@t`C*@2xU}NO@?lRgAgf0AmHhp_!0Sp}^A=bhqbd443u7xwRzDBF< zPMZ_C-KIjz4!a)8CxS*i(Ky2y#nD`4EJqsVQ1ZSPTP8ErILL{#%t>?i$Yq@iLsj5sXFi$__IuWd82`P{}gO-Bx)N68B$k~kYb;R%RUakCPe z?&F$d+uvEDm6sl9arSqoVn5}mDeT^%Ui||kJ+T3kDGhYvh$|&(C9G|R=94kLCwi|0 z;qPiYnTlll6M_}31t66bge-+LtCxX&u2<@%YX`oOGP}FRzKgJDGz=BSkkB$D)vB~u zQPlP`AB#J$_^Vu_N4g;de>?WmQJaRp!npi_?a{_0AlK901&TXcj7LkY(uNne%Km;Q1P>|_vFnC9c#+ zi!Ey?q-iFWqF2US$K9_tWcTM=)4Py0NM+g>KE$2wsUs`qYVRS|Wfc2>KgMSG@{qJN z2b2=rF8OT7H<*21%(zSTl&)mIMi-Np90es+XP7Y~%Ik`^<>IPWlD0~hc=Mr6D%@Beucm{_!v%5t8yze#C`Uoz^sj(?E)j~u2hv@~oqBwo9vPPs0 zBa@6yA~Utz^)=OW(Z@`$N7cl$RhTdmOE&Nzxp=;Gu1-80)^|L-D(d#eTl6f1V~(G= z@`%iElCoSIYwZ|inR72E>{X7ELK7_feFYuL7=~9F!CMV^;&eIBgQ}P$xIVV7CEu67 ziQG44X!Uv8ww)T!0llx#n3a)`EJ0W5o;4EXoREoDXM(C(r}LP$Eo{j2Wx_CWSA%B5 z8v^UZRIHc7g06>%;yLe)-F1BU&P~_vn-Wu;%k)p%Sai86g@;vE8!mA{SAf^LHZM@J zm`v-pU5RAI4`)T!i&!Qx?wLIX)Y)~Hmq)~71$vMxbF_WqR_d(Qh_WAiJv(e986+eB{gTN}^E z?wlc2?vCFVieCEu*Qz&qT&d@wY*Ax*N2t0Iz6S zALSP>?w%)N>ZM^@l=X1@UMQC6ashVAXz2-T zA%53gHlt#?5}1^|2V+RCgTi#C2E~R}ucR{}jaP-d7qwpagGL-yKeR3|*QtLJA-t&~ zv(^F>)E}_vxMic%3LBO7I@if`am!cC+m8(3?@m&#RH9Y9`32MO+D#;iYmpYQ$%Tlz zcZGiTD@qp-w3*Lk!{;f2p}M?|jw3<~$dvSXsmTCQZldPY*bKh^ir!y(-uUtyeaN5M zAk3i?B|~x&On%k0xBDmJ(E2cAJ#tBwcbv`k;m^}Wxpo&0D47lU^&?1#G@RD>b&F;C z9$G(h{boRhxEMvZ*x^STX9eL(d&aXikB3GiLqCQCRY+0(VlvB0mc5Np1?UND{0fuR z17q)xA&&DiJbu6bLVM!yGQX+Th$vHp4eG}z@iv|bcSsWwC5(7o|7Fp<{Vhz=nWH&5 zl9}(Dz}BkcgCXiy^Kr0w$i)FPTLm0a@v6$EJv~b3_vf!n%iMAOBl-56MgsDHBbnJA zIBhOkEoG^4pRIs{UYzXJspy6{x@)(g#m=;a zcXCVJ3l;r{X5LV067pw6UrygZZ20}E5JHjiTa2&R6$G=nZ@Ww-I)T|3=%U0Z10DN} zXlZbPNiLE+q0OpB{S!rG;m8R__}^l*3Kh1+lGaJa>~KMEt{Cx2A*nb66LxmTa(@QH zZXw>QiHUDSb4> 
zOPnwK8Oy}4Ts|wUntn{?G`As*ZkVv`6*~*HqBwS&F3WwhOcR=|R~#cGtW|>oycgZZ zZ?Rtgv^up96D$4cQVB{-C?a-E`~CQ<|A`UXPN?7fI-}6od^fukvinLXOYM{S@Ntu=)DZ)4^&&JTQx$@}5_ndZQjrJboZvv#0g3Y^ah)Zr>}x zwa&nF8+$m9uwT~2ua)D*;}>4|o@a&iaoO8P4jV%McWAQ0J4wp7Ee>LM-3>8B4$4};Q&M?BHW{^ zk!u!N`4)F-O(qKA)kyODNk=CwYVWOg#WRc<{>J^yYdIRqP-a2V1)NX?GrhS?JJWU; z$u$}qE(45Mc+wJUsBND79mxtNl~E?~s9p{Wt8gZ%8F62cT>7;Yt&oN!I&P=YxVCtN~Y&wzlfIO_0S zqYMWTUmn*10J=$^IQyPDCZEC5?q+7giEtOq^MDr~Bqw5OTJN?=t-VfLTM$7s>37mA z7Idk<#h!&HYXc#IO0ufPPf_xg1%Eirx0z&wio1(m<$2T{qQh>*-#jEUWKO@GP)IBL zayN`kFp+YJN6EVk6|4F(g8b z3Njmt7Il_XQdblB+%UG}>C^R|10P5|=E=V(YG+65dOh;TuRshoemyTU9YKoIF-(;K z2V-n)j<$C)=CdM^@?@~6luXu)!sjn+{2WX9{Zhwy7k1JPkU6g}@4fOB#syFRnoQVh zp_f?Gm>IX=eR!-_J`I8CFvnfl)b&MIT@U_*wh|3#ye&M5n(zq`j~6+xj#F0}nZ`ey zwV0Fp*`YrFh-2-+bRl0ehllD*w~W?XHcMgpyLlz!67%sKjy+pi7U~%gw+wN4eFG>M zW_-CgoZguKtY7@7GvC+SN5#aZG5aHqDPS*?DO45E){MAY6L}FdOiwko$!sXEhZBju zXJRl&(}gIk**v@2 z-pv3T5U1HCY8&bn*9qca6AX_}WCLY|!f7@x;Vy8|&{(HL8{&Dr^`-Uuca$zYvY}K~%murDhl-jt zBe>7Y1rbX1rHI}ZwjnJUhzq&B&TWujGAEa(Fs>0=1;W>eZMiceiSX^6aSSW878~@l z5MrX=Y8kb34DTH1$#Qg<&0=VJLtI&O9*otSJ>rJtSk+!_9W>yHW@dz7g3k*pA4>gMMJ_r{_<3v zf})BFOh@G|n2u%oOkWVBF$Fb#;QKXdVgEL$;7hKn^%dRK2xF}DI`3QHVi()#d)d^} zqDxXK^dpC!xV(*OfU55~^SF533LQN(zd@)|2nwBJ(xZR=tiKaG$gkd+mKvV#Ip7*0}qCLvua%k5__ zH!CiOO~+4>a@Ur#P5w%iaEN%xgQk@GkV(7?FS7LB^NM#rVmD3D_W1tF>TS=>Ji9U{ zYf|NqvI8tCdReoGiYg;)-d%vAN}nuy9mJ4}NMY}?Q{xE=+~u#RoWxejyHF1W>X%b5G!;TvyWik%y^(;g8{KV* zX0tD%wQD}^5cz_*@67o+Y3B-@Jc&)!YqAf=pbVG9A-%}N)%mWnea22c9ku2$>$5cE zg|sCedr;m{NA%VP#{>yHDNa~1Gt(t1(()Y&eDUp16JsZonxjewiXbps<>s+i4R61Q+ zo{ipP=tSEkojR@sz8gO*|Aym-no=K|HbgGjtl-Nw^84rWR&!!S4_5HC4#K4)BGWZq zkG5uwnJ4DuC}=#*0{YR*c$p0_oc~LM-RLWRA}ynTfrm{QTol1-gt_SquXq~fM=P&x zu>|bzuxUR2pYHpD(k$770=iPA%-@zLT$rQ>OYqmSOYSl9yGg%j^y)7jU-;Jq+~N+k zg^wr+hx1o0u{|T<6q0Um+|jI!Z(_b$wp($DO18qQ{mNNEsF{91MT*QXY}f2h7*K@- zHHY1Sgpk2)jpHK_Jo`RoAw&5%6|c6k z>fI@^U{O8#085>WDrPIM4Ws6U4i%Mn>9&uWDJT)6iB~kJ9??gi6@@6h$Fo|rdR3B* z7_3+KrY4+JA!r4qMPWCRy9pmWZCg~QOw-3rQl}`4io|U4QpAnwf8r|!GlUws(w6kR 
zrmnga5}$z0K@W?gWe$^7ZBHoYjQM)1N$fK8kFxZbX?OasY}z)z_#f3)i0|22Y^(fr zA&W2nZ!)b(8ZhV46D;GX|C zgW(2oLkHvctSP7HvvK{5W7mNksrngzHJ^ZFjvVa4rA8^Fq8xsME_zVyZ_X=8vYRD5 z)a!*zeNT+nh2+}%_xL#swPtv8cCg7-&{xj#$Ru&q_+>SwYg{%eTBg~lKU?WKNBfQ0 z$$+_$@38w583QB8QvL=mCtlNMX1BtZ&ci*eO2lfLxXn2&&wfd-+}(&q^P+&*nyRP> z72EM(!zFeWk6)IV{zy_ehr^iEtC$2#MjYO@z~oV>Z`ZgQ!YM+!?nHkIQNZs%CR3A5 zmV{5U>9}sx=y9dx2K|Kh<&k?**e?-HrplF@-657Ew%JLPBMYOD|C**k z8`0Qx5$W=@?#Z4uKubK++A^$Mf=i#zc%;o}m);t7KP|FYqWQ2ro@PUNF0k=iuF0~c zNTQ8Jcf>agGk|#?88-s3kcG6!J32^Ms&G{q?-!x8TsxPRb778t(@Ea<+pwqr+oa

)nZE4E={@wfMc-o0^YQBpDheK+oc5A89)<~w8`zzj}&EkM4V!Moug{(@s zAji#yjv6m?wG6||q2spY4sN3SlRQ=X=pk^>NzXZQUBdx}+l=NrrzwhpYINaYM^c7c z_uB|ITUS-};m=}EFm;cc(jNbD%_WGWWS|_48oD)Umo$E8+(X6XPL2RqP5oG?H)m4v zs$MxWH>P@k0kC#t`f)m?bi=X3spZVCOqHy-Q(&f<8-xw?<01epGx-|&*$`yh#1=CD zuR1C%Ies_zKp9B-hyx!#X(tcMY zv$XjOy*JN$9XD5f#dtw|H}a274BK$V*!WH{*IU33EBTKMtSd=7Tx}w~w4yoi`r^~* z_tocS*^L1WHl7U78&;1&#SCnW$E?6y&1?3OEgo}O#5R|?f<|~ zT99=wk9yL>URaz)N0tHKPs;uk*{PqAbuZu&6${y+5H8;yOd7)r`aa<^cWW*!^-R0> z)9%)huZ~XCZxHeeZ9U+8HIE zv&x~m^)x^C6YYS(YGlKVi&EF(<=%SjSB}-B>C3-uH>y9xPP#px-o?FRxiMZoljBVavjwo?->TQHBVH>QOa<|ZD~eN}@F!Yn79iR=F) z8o#42t{U86(|q9fE;YS+JL~QKAk^vYvFcZ;^9c@*4a5tH0z;O%-MmSw>2L1COEv3J zv9$5?*|xv&%5MUm1}K~wm{?_~w&rKW_*W#NP0^W`E<1X6t4ZA;d|VekGzLh2(B!fQ z*8V*eB6r|QnPY%No&&ts%|l3OV*Q~#MH2t19DSm#VF6UkauWR-bITbp&%Y{4OTL=F zT7B@>zEfg?PI2AVWF;@z?kt;s#mrel^}0KL13F=4X#}A= z!qV!{_U#eBx@sdZFV#?O+-{@5GTXtw%G%DgqW#$ZedP2@m!=uFzE{^M_ZQXgJWq~_pEpxrsI+H4Ue=S(&;HO?HnROvxe~ij zHK1R)LEMTvT_xC1-dF{hKYlh7*y!;8`MDG%m`Zx$m}11FJ$Em6En&?;uit#k@cSj; z2bphnp7l7LxL3b+^7iuWP)Dyw%*e{(&cu}5PS%C{6sgc_hA1s_g-r|5Jn@QA!CQq;A|qCP#dk+WRC zUcC;VO?tFUxAG(3n1y1~3dlch!t-2&RxIu3S;pt3c|H=fUq!}#*Nau7fu#P4@|k&- zBM=kn04|>XPMTy6fzx`uo}e3AB}h%B`bIB2{-f6S0q&a#=x59OPI?2T$^q~-)-9{i z@NqbE81|d;TrL|s5umOf$2=;blMkA4j{$KJ(PC z7Q9K11MYc*r!VC4$wyeM)vY^WH7?4*87clZpLBEom7XqZdGT3R^pAV`XTxT8F}<&s zW)J<6_K_+-6Xjr!FT-;k$IIp4{?031kNIzxycFuTww1MDYJu`x{!3$i6Zm4U)VnI* zW@p2+!VX9lU3_jh=>1={eP>itTidPYD2POgB7$`6gf7yg9Y8@T(h^DtARsLekkF(n z{eXZT2~DcBBm^QQp~I1?p$Y_~Ni!fFLJjq9e7}3g9rxG$@qHQm$QWerwf5S3ueF}} zJaf*nRfF`MD1!g*qW~(lEZ2ZdA-x$S`Rmlx>Hs)?AgpFCT{m#G#;L35IznNEKO z{Hpq{zyG*W$9skT%WVz55d+P&aqgL6* zFHFnv{a(eegZC+=I*k?RgyREtCn^dGjy!vec}T>gN^mf2KFrlpK>`aY#=tJ9H`6_Z zpZNs2!YxN(A}&EpmhEboT0mYPq6B-Hbm$qIjEaLnOhxi9{TW%Qv26T>(0_Tx6v{G9 z#+$IvQ#6$uqYM-1(aJbsy%?EBzC%}g*-~=t&_6H@3nmk6#4Ji=&V+Ru7OobF*R%J( z7RyQI93>dDZs#x&r!<0fW;I7NkD5bV6>LN{jvq2{#9DxCEnA+tVhjrUdB*DCu14ZF zhhRvS70yL7)?;Zs3nW^Oh;EONvbE$bB2C%2QkO2_HwvsYjuoci)~A&80XD9I9zE?x 
diff --git a/docs/images/vpn-properties-zh.png b/docs/images/vpn-properties-zh.png index d8e9cda41e4f9f2b071a5752556136e73e0771e9..7b2948ea51e46efabcec6700a0c123c4437b064a 100644 GIT binary patch literal 85831
zSAUoyb?sU0*}KMY{G(j^pkJ}hHdZ+sliyoGtZgsVHuC%?{S`XSu9gEuN%?x=kK*=> zPB#&42en29E(Lop$OZZW>u_!OlaMAfvbV>fZMP(_BCBKbCf)Hk+B>q>c})6<+`SWM z<&W>bfTj5eQ*!)Ppwp&H@EcY6U@*%HqSH`&IjX-*d~s*=djig>_m|PZsQv7@b7hx+ zz10vKnAGty;;!A$Uq~=EdqEh!@;HF1+PS)vT(qB3co_8$D9)(8&Dy%Wth~Jx;%JOU zjvd;etiVLq*k?(mcjO-E+^#Rbx|xP1|6@z9K# zg}w7K`|rad%T}po@;?(@o;JXa>c38YmHQAFn$d1-PVgD#|9B|b*BYlsUr$DOnZ#*H zEwzFDnby+6#RB#g3p8t%ArHrMaZXPy1%S%gLzK%gL8T>ReMgIjalk>!{UBv`>**!& zcg>Bku|N3PAdWBo0guTmoKySfq~}u{?q2uuoczC4|L@YbsJ-nsA4gv4`81<)MY`Rw z@Y&2qLyh%D*nn&0NXW%C*S&>fXG>DLf2p6E?*(}m*PDt{uU~yQS}c`5L!v?@%g8FF z1N;VP=eD#xn)Up?v16~UN-AwkQY-GLJ89g}erTCL9oZ{Ytuf^iQ2lxE8G|ArCU3;g zxi4pWP8zt1ds~{D_tdsA6+k%o6pInH&qy1!<5GB@l-+;vGp_O+Zb(^>rFEEvWoYvW;m_kB!Fj`rN;~J`{86P zG%PkPuwm0HxBsWB1|r% zHwmSqJeE=rw{-PWA2VQs+Fx^ClDWn72!s(2gJ3q|GcMb!J*2UcV(w>6KVE|s43Y6T z%f@2^)u1(Y=yWlozk&=^O18wM6dzvYXtrq7;dRYI^@Fz4Q+tce;=eemPI}GF9_BoU zn@Q@w5AOLOh&aYW``M%Q-isa%_JwB{a&;~i0iVixb&l8zW#k=UV9I~Zwd zOG}HuA69v6(gF6mkanIeC6F{b=s+{9(ZIyvfxax>-z6!;O!-aW5PvdlJmmhVjoINPSbP0C zgHE2j|H6D0&0Bp)b6N9>cZv)O9V@at>_JqoBAjrRyHjt8dXA*k$$-v%h-MmY8cXpD zPaoO!$_7iBUQ#iTHcc(zma}xY-IS# z=}E~uN#uwtGIHlsHsMLR!^1OI%%d6$g4^S|bZm;zagU|+DHRXMPF zSxh;h>>K;df?SI?D{>=or3I034dGu0d7_#c&mLUJ(oA2&sk5VCyHPspP36NA9#8&& zmpW?12JI{{70*W%HZ~C>t@TFLGd06|N~~pMeYS5^&1)wec|)U&)=vFRi>js%FjeLj zNA-a)TN(X?qJ+cEos%Knq?c?)=*1V@nC64hyt{mYm!R<$A2K`1`p0XrjMO$wP_v|M z2AgqL&`Rb_2r=a|+3WwgI4)ek>%em*MO4hr=PIuoz05>EPMedCfNKvJ5ZX7ZVTe>D>5hW5y4o?!aOTGcjO z%^fYz;oai5g1gg--r`O``LRTXti&D3$pkmPs7Ul9I6W@vcKUB#yknU#$|mizqO)(p z$-{dW26``I>o+~U;+53@7jhH}CSLk6ojgc4wDa{Z?u0@L&mQGksHtIvC3T2&Rs%$n(8-xB0Q|RAXDqG2`P}&XoX6)gn)Hf;yDi zEfmP9#^UN_8y5ea*=n#QF%03GPh;9%H}aBVWg1ctj*z6tVXtbt02O}j(##AENk8Qc zH|}Bs)=f)CYiFAiXgS@^Pgm6>sO=Y6i#wDxS|H+)vT0Rh}vUTV70uz$KJ!q{=tH-5R6HM(sML~F<3M) zyFAC$;2P#TwYGUi1qwN`;v){Sn*QKsz<#m(HmZ>qsN9n$)ntgUPydE;i{;}8t^|I| zYS(J-;PT5FN&v@Uw*K`=YIxc$aEO4)Uxd=I#y68N%sulTR+n=476lxZ`IroJ;V)On zn;E4`E97gMI@K3{o#Z7f*Ps1Im@Uzmjg+*7JP>dj?w8VIvr@`Z!zf|66-9S`bal8t 
zk28?8QedOuo#2O8`>defLk%za%z)!7Si)jII)Ry@kI1Pk2A2QbY<=W@)$EP{2+mNP zw*g)S>(5NzkmJ{B*|R9eDzF*9k;XuAgH#WLGgww#rM-wo-fPft_H4H|y&dtq?|zIj$KQ**?;ywWr^n>!pV)>mSMZOH;}M&W zzqbx!Kgn}Z%PLes%ztP!#9wQL1g|#wqZBC8ls^4EWQ!4G@FquH8 zXLr=F@92$5Qo2Ult@~(=0%x}W+>l~*-LGa{Th}I?IRwy`qF_GR*+`8Qi}Vu3ri+`3Y7%u3T(&I(v#^OL4%hR!t9{C<|#a6WD@B>LV5Lg|fyU z$A~p83xS)d?j)@Uv^}&^Xre<^q`)X`P#%?+m~NrsD7x%DVqaW;=*ShM%6#rrP25#k zR1nHCV4<<98)C>Uzg1y?=E~8CB3sFC5^3&zu{B81x3zgn*8@T8?>O>JdO?2 z^|CN!Vj#*rm})aI!9cZ(t~+*XnU5%h^2&?rT&E1sUlm;$N|0%C()8g~>nce))%&t; zmT#(i(q!A-UnYvaZFjbgW+LsSCTIk^!S7axw&xF5h@tO-peQ634H;2X9N*#o1mc67 z>O>?`I0!vvJb7Q+w#K8H7?SzG{+(OD+5St2+I&gzXYI(lW4LC0})hJx;{V4BKU3XiKP_aIBOK@@?Zl+5)L<3d7N2<70L}dTAzVP07wT$po-kegu|Wzs zVD3*buc;PtbaG|uj}0dWR>`9NO5PXn*Dgz?oJ`X@CQp?SKaNdzJ`Z zzb{gL$2w|eaRiU3O1ib%c3}v5YyN!tV}c6DdS#1ovKCkGts;9`Gom2r&j?3x^X}tf z-~7o)TFN)O5vPL@Wf#IZp6PsvX@Z>3(@7kV2$%X#816qL$FV6a;Ee)B(j$$;yQ5;^ zd0dDT^T-s0t_>i218g>93evpeolj<)L^)q-OX=mNcIX)>XvtJ5k<2dbxCF@6;1KXo zuUgdBfUQO&Pl5B70j;NLS#^k1X+o90BCJf9H)<@Wpz&I=%=yd0+qh;8-T;M)JLCw& z8dE{@r6uS{d3CN`5yKE&=PakFNpPl`3rk`!4)2oNU;^d0_AK}g~(1F0NtvoPAz7pVOFd*rpWg7o0cJ#!`P3v$}zpRy1 z(2A*-f?*ywpMGy7(=7G0@e%z*x~GYVOM}u&JWP*%7fpesis&!O%rYPuAdx)){4)2@ z`@RQ8ow&PneQAS=N<%ET#33W~O1-#n;?-yhU#F&b$+4S{--{GTU{ay@Re?>$1&5_E%a*DGw%b;)J{I>vVg)!SJpJ2)byo^E~bmxzwbut0PJ7F zVCjJN>FN$?1eu7zJ06aGlyqsqCY=MnZu*=aJSb~5fh%=?_W-S^h>aYh1A}s;C}3Ikrq9GUK*kVs6bF*O*=}VWPZP-CYx_{KYS3*h6w?Bg5Cr zX%y<$SyYz;oij_RD&y)1x~gXsHk0W{7&{Oz@2fu%>}W7kJg)o{GxR4rhEhZK^ouSm>RAfBF;gsx@z;mx zYKzfKosS+<=7i=r9>PRo!Gu=V?YK&=vUH8Xc&Y&5QHg2tnnoCUX%8ITDVE?F&?%(l zSrbh5!c7`Y%+-g3A>Z@97Smux|2fj-m`1FvLb2Ft@fChGp4m~rjMQ5Zh+UZGRI%p_ z&I%DvwSqApG41-uRZJ5jPPRppcS8BLG&K3Ma`e6vqy;GCq4f=ndd2(q9x+={@!+|K+zSgiJ1%FYf6y09 zTnEh0YCV}mrhnOlZ3c=LmbToe=sqJ>sNMEKGL!kqM7sEyE_ESkyun{g{dRWGw4vSX zIxV69eHV+iMEq|x>FGh;;7p$_VURZR2uwh8bXEHd$98d@eUKm8LG27#LpX5IvK0L3 zMOGajiR^#+i6>KF?zR!IqO0cj05MU2jxUn++CK4YOU~f^36Tmsc9QHFvJO3wl1KF3 zs9W5QOZ=jNlu{q3ZgxjicxnTSw17^S6pGuoBa3Rnr?pr$AJ<=r9q~w^;F7CM44;@S 
zDFCZM+pA6Eu3T=NuV2C0XH2u-owYkdJB*i{=9aK0y>J+Fyw@E%gjVwFeN~}i7T^zGJqQO*Bhl>nwCfhU1cnhJ3jSu0~Ku$ur z0%gnVeZa^?geb9xMztY>DxV7-ser;>ie#rXR0Aq3fd(+nSj4#f{2!^ZL>RFtR)a403}jKL3Yq^V#dZu{%Fdfr z7izK@UajOk9^zsta6cI068QR|$WE@2f}1Q!q^^~n5hY;K+(QXnK)JD8LtOAi;?Jc= z;r{pHTw%{{tP;(hGkT22O&2rF4g%<|kjm4C|6zqeJ7dEY+?e{BqqR8fM67*=HBX*6>I3QgYN1n! z{P2mXV%6h>`e-}Niu$ygQ*}n`DSci|nzqXH)9l%ro|Qm^VN1fK;sPc$AwvaAxA{l( za7^kL(%xqmXodXVRq?_wgeRX&?1Np-FH8iYZ(US2tje9*7Z^(z2-oWOx#$5rCDK58 zgM z(rQ4lI-zgl?BAD$WV(1A#oG8_vx7>x|6St3P`8LezQV=4rmA_Rk1{-->4+;$#S!}| zHdB=3oNZt{@U&qX!pDGZ+Hw0SSXYPOQbV%p`iFAbktllq*ab3D)e3P(@m__~J38zB zx9Q?o-CW&v@*h)*>ygD;V)uv~MG&5+KYW?PE;Giz<<;mHF|3e_^uK?ypGtPKPWlz> z=MhWTIxF+6-*T!05~T^Z>L-5BzQ^|Yq(1p^QRnulq3GWXk%FF2=_4uEg*`52XDqMNr8`IN0VDObdW{O z20&W9#2X?p+ZqaER^7@e8rRle_)d2$^LI5Dph0c1UGXJPBQp4e;IPh=`~#>6$d{-3 zILdu*JX}Ma5X0+JvrbRYJsYo!GCHHIt3HhNByMI<5U4c=tImP`X`<*GtD0uUGiLv^ z&()_tj~Vk;{-NVQyv06mfDkTOnOXO3WAsxHgAMhQfwG6nPhJNXXQxg!2UASF5UCWW z|10?9^&PhW@PVO8va) zv$Nk_v^PyT*2kPmY)?>bzd5`y{`XU#-ub2HnMxlG141`kGo5Z+|Iq%Q%G4m==Kxu3 z{1c)7`Bm9mM^)Hd;@CMFH(SgN?c+BN*O6HMRpE`tcXrl+nu!`ejB<nmmg(tUGxOJaf zs|i!{`FT;%$Tx9x3B4VOnzQlhf8QG7_y`dybbcw=_&;<|09*X5cw~EcL}pTd7-zqi z%cso;`vzgcdyxKS^{n%e$4Ok;ogbyLND zdcD=TKPMi#c5v_FUOrgPdcl@j>^vsHfnHycYg(Xt|DB3qYRBV5vdgE8JM8>NtJ!JP z;cFa{{6$i-n>tf>49F_mq0nY8B-mQA#i?d0Z0PW=amanEg;4Z*t%_)1aN#LVD68X; zpzk_7w-}$y#$=;py6-{$FLKG0&~gwxW_vPx-&&#j-$}Rq@+p5lP4k8O2YV0HI+!a@ zL-q7!J$dxpW;NeyaZ&a@xY`mHrOOHm0eE%O^h99I4OUTlrK$zq3T5i>2}1uPk*4KDr*4P zOuXA8FPVF%*0`GK$vNFNFE?gYFgslDzgM*I$1tkpO={Ptg^ zJ}?Rvv(C>py2Ry3YFb$-b&{g^NaY;}HWq{a73z5Ahw+%vrt)s05k8!)>pc8^?Z42k zc9ck~MO6P~(V%Wy?%)m!iJu2iP3dE~xb_YqW0FdOijM?vB%u1now{01J!3x#u3`yFrw+nC^+Rv@{_r(3C+I)yOZLH{>)f?n6 zrt^aHadgg{Zpc86OSwh&b~666to!8DJDQ$FwY2d>%C-J^5Q_>8@ZyM8Iv_(F%J4)R#vat8F<@~~!|N6@Z9<5}==J;S)^C)!x z33oX5pe&Ilx?{+P#)wfmU`t6#5SadAD2nm?a3Eg`CyS2{O#ZQArpsG>lud75XJfUV zmeob5QX(8qszr9kD5U;Q5L$pPYzKVMhjE8%zb?oji^sQ>%J@QrJ7x}l7yPWt$>Y&; zDcr{*wyW*4%o@P(|=uJxPIBjVK*# 
z(c`p>Tx55LRknRn?-zEG-r~)9n=Y@?P?Gfmzn%Jq4URXu$y8kCy|h#I{`_r0Z}~8+ zrXy@iBuQhUl=dxa(~G(2)DQ>$TPrd|TKotmi`$dbM#==_^W zaFq^gR*zaTG)Woc2{Xuv=cGz5iBkrL@rfR){*mdxIsrPL^j{PMW^azfNIbU1}+ zLD=COo@_%84k43rvkUf;Trz%Nyv!99$}6{SGH9Tn=-*Xl)mN|N!qJ3-8GHL}YP8Do zn>ZO-Lh>kGwhXYYJIm)fj?LiOYC)*y+d=Jd!^IJxH1)xtX+wzo_@xqyxGR!^g;W$5 zNG#J*A#|{E!@Fy`9!tvR&HI;~Q=#jX#P2g*a-Dn0UIrJ{+R4zL`vpzD|8l!Yxx`+k zaLN4OKRL19bZ&pHP$Y$R4-E;OKzIlF^~xArF((&=SQe5 zxV$7o?hE`z6mKpFOuY4Sk^H4i3*Mz&CiS%wSkh}p3lfz~Xn7frcP?(pX@}3ehLZoi zMG6gYom=e-i+XET=ce<2;Kkvm=QqhNiD1;98}>A=`e1)-68d1mM*h_jM+Y23zA& z%qK8E%^7?n29t(?(Jp_k!CalM}%ICy;t#L(qnF! z?wpn^dBrqN!xyS|Oojxt@Qd{4QX8p0=!Hi3zwBo z=0?T)Q{P=~0*1`dj0UF#)ZmQ&kFfU)YV!M{Mx`hy(iKEX2pwqx3WU&GK$?gONK>jP zMOrWr2uPO}2t}k9!AdXE6@w%}=}HHMgkD2{B(xiU|2uc?r}yPkhRozS&#C*Yz4ltP z>R}~C;Sd=pYyiB~PRveeuVn(Thpg1wuKTgI8UBCWq1GLIG@^YxLcH)M9QI+Aw`19G zWyKN^YUdM{@Dgo)#tFtK=F{Vo)Eg6-Pn*xDEgv^EBWVKtA*kp;8Q9cKyzQG03}2^s zMDztEE+*ZhK9_&?whXidO&Mi-b-XXO`fnxc^J945g-Xsw_m8zN-XzdTi|l9rq#2N$ z)J+m5mOy7}sz@xsi_(AXgKn|168 zg%(cLVt%#ba{|9NI>;8I8vp!CJI>)>CZvA|_xI~~-ez=UT|^zNGj}!gTVn*Co=&xK zOZ8O|wMcChRYIe$m+XXN&R*&D7pg59>mGTDBB&xc>=n;-OFha{JePb{1$y5_qR-4F zBc{e(=zAh84V}7s{oId-$zL@z=$kl-?eyv&tY){izTX6Q1+F=VQ&;cLyziV@^*RmP zm|a>w-qIesnhZ?wN$2{ujho28Wv zHBoMkIgCVXud>|fj3nsW(F~>?p=peFGpgUd9rx2&6iOHNE?=`s3K`?1GHGo`L3>mG z9GgY;Dl<>_&(+4#O-${DY5D0E%d|bm(;zx*IJe4N;a*kyS%PQ8q9@MIv*2Fg38}I< zDY>UxFc!?@h7kLMq{RX+U%otMDSuha89@G8#$k}Rn>Cy_ceJ>l@>)Z+ISjhFlhi9; zIIxrppGBu@*n5uDlW9f+bB_~qHCx8yJM`10Cu)QryVeeVpHjm(6gYsv;VdbJ-Ru$4 zEJdHPjlR;O*92Wu?f2WSS>EW;79bip{&0V0ZikTQ$QrRsTH3 zm`SAW+4GAFRxdp_6LR3tb*JhEspky~Np}*a4oMLgbaM^$4t2xQpu}E1-%iS+%Kg*@ zYo71XbbJ2hhK4;ab(W#q%zYM97HZ%z4S74c3B^OftAOIr&drqUX}U-S!}NN7NHWP& zQHSVVU&)HU*GGeRT8?#s2WLAi)~mC>&|ldusGd<1eEiXjs6UIE8+&^|fB7<#DhJ=4 z4e*<_AqT2h7{AH>t-G?aiW5#B!p&jB@X~N)al~T= zN~nC=GaH8C-N(I_%+tYRjvJsm5aOh0;53I_Qi7v4UySdPh5Wz_XQyijBOc(RB#8cA z)|3e#FP*|Ca#%->0rwWl3{4OZW}mJK01~vX-Z?#T{?|L(#@|yf=ZY%T95&S(DV04` zyuQ^~t0NpjZ7|$UjS>{lm2fCA*ZSjbX)oqk39oq=QG2@J#;$pEd!oVL8ur%iQaTv1 
z#~{R-;k+?$`swI%MQQ1LLVWWbB+rZH59bV`A9AqPJ&^MnZeywp{Xs{f{+E_^_Bng`ciYB|n}o9-8MFU7v06tLfH=1UEya}Bd|7`NhCY*uw|n zn^UR^HfkFJd!q>_VVh6Z-pn33tf-o> zt4oU=W_GwAaT9g*pg2B1>JNqN_@!_i<(Y^E6cYxVS02e}%pxersV@w|N5ma{RDHW{(TJjyq-(@HMrq7!k zHczdl9n3yo6eu7bej@S;cDE$&%FayyCWXF$y25+rYuMlyCPn^xw0)vhDXxQ8JAt7M z<1BBY>)csH9ArBZJ2hVH zvMC6&GOpP}=>jf#;n~j$>uzu)hq_hB)v>_dvD=BM6DTb-Op{Js0eM#pe-v* zsi_keGhv63A6wyf288%=%MY!=`xA+*I;lJ2T5m;7Q+f2ZD3X?to1#P3({%_mGX)slh>{8#Dgih6nZDxGO)guNxpwXTci>JKk@YyUfZa!-e&lD>rFRPQnYnT6el3*m0f#=#nWsBL z+Oh!3_Et`a^GOvk9zl*L#PRz|O#ytNzv}aF`fX5IZs2DE!eM_9eAQVBVGKyn2Z2P^GM!clsZOw~&6^%0Y?_)YTeBWpo@~ zWO-cF>FH_yy_u1+tafZzh}VC;RD_6VV~$d<fBKfr6dA4WcoM9h}*=?gJ%@H$V?-x7U^?M`}TZNUl(k0 z1b2WqJ!o$0WIxTBlbH(fQ9!ZUc~mA|nqC!kWo~(Ivovv2I0zk!*6FxZsxOP-9KN3$ zbA|Jo$ek)yaB8~njPYe;t&(u%F`s9CZTt3M^bc7jp?jDWy71dfII=$A*o*rRUSiL` zG~`q1V>KN2@npoc(lWlBwF8e8gC3=BktDU&Gc4~k@t_qr!qkE8{|(2!5Yy2C-m~%u zTZJWVSH<_ym_Xy}%R=%1N|*Knp z+QWZ}iup7&?|P0XZYyg^mq{KQC$9`UwS=m0>np+O>vp2dBX%^KB2#_CS}CYq+JgDJ zjl=1lh7kiz4K%>6y&&hR!|%;B1G)kyi^s!T$6o>2Hti?c*_Nk!bJ=sp(WiFu5d?*7 z_Ha^HPOtV~Ea80G;U+Q7xvNQB$L(F9G1EI?)KRViCQsCup#)|iBIT90wB%TqE_(^X z^9X3CgXBp;zETOwVCT#5H`8{`#6}@Flx!^IsgYVq90f!1&-Y9OGt9#Fs3~YcQ|f}9 zHUL9y%cWv1=J9?mBJd^noyvUe01jp2uI25=;yc-*&mz>ab;9<7#IsLo>Us?}(bMLi z>j#-aCraYkg)3!h-_ydlFoEsfn{5(T?>xbD*xkg%VJC=tU0qH2p_3rO(=kWqD$4Qc zeRH) z$K3rj6x|-hM#b*XeO>Zr10Pu}g0!~nS}ql3*^Ot`4tPRI;28K~u4hwBA8(T$-bv7~ zb0^DUC%yisyxzNnB2&>x9+A>@_yDwpJ#Cl{ zonv6dBFge%I4}35rh>k?R`W8yy`lFd5^X%1tW|*(ZjRlIy`^@f^Z-gd-L@9L3lFR!iq3Hi-^) zqQ_h`lew#$M0e+$QqT*>t_VWdIrzM2n9lto5(=?CtPcRu_$t6BTEpTwvJLoOXRFTg zQS0B{zkBy1YsVYUrEjx&+JC?>9d)1tDm=9HRDgHrh*A_@0{;Yj4%e|b{$195X)brN zCGa38o`d0qjsWxd^RaG?*i>##SY}i)=CP$8Nm%0ck}bG(#Q+C1Spq`9es!2!A)j#r zw=x}Gd(40$-YWJ|H(sG2ARvLi%`*y!2<=b`xj+@lb20RU_jmX3`jGAc z&`96ok?)PA_TUZdNKR~|JiZ#>*2wvR><9Fhy?6KSx-%`hr3Ij(SLRyEfRhs`Z^qWw zc$Y%5tu4SU)4_+I2!~wGuP; z5Rhm6ankfmK@CIyLY|hG5mh%nkV+9f7>Afq7^r{qQ^{3=b9EdZR_qR{P%P_j+FO21 z)p*WFlbWQP!}=BYK%?b)6f!pgr}`*q+SSuR3&8{grBE{4IebqB$2Y={vpFSM6HE~# 
zZ5*Xn$l56wyNhe_EU@)$KW+_}4JrDS!Cb0mgkj;J>6V59t2l&3bk!523|MFyaL-9E z&=`h-=Go9SrHLo;37Ecg6qI=YhT+AgH$L8mz_>IgYrg{Ak%o+;E2uys+>^{Yj1SnDquC>jX`d+IZf?OL zl%LL&tbiW=Sz9gY)Rw~OVVY(moX}UKaG?3z6SQ0F*&vox0IJi8mOJ&=NQhNxElmz_BlaNn zCsFEtM|c4;&N2X#$J$Gp06qO?G+!>y!aV%T4}ERyehbvjIRB}F(B$GPrwwbP_u@pohW-TFp$%vSPrAeCjK-$7WqN2WXRsj^%X9Sn6BON%;5V0Yn4eS2)G zM!4R09gpkK#A>bGo)>gGS!t`00*=(#z1&aBZ_K4>c(fJ5R1i zD7O9zePqLI{8!o%cB^H(o2Bm`))PP>Jlpmgxg1d&ij-$9(H6%kuP1y$5 zZD>hH0DKV$Fv0xkbb@{@2ts_>016K?XKDzm&sDr zp|ayBq*?d|b#HU`#q#2}Cy77Ny2-*UvFdKGKL_zL9FIZ>c4(wpTY3o-QKKl0s?*$x zj%go%5%|Z_IK1({;I=o4h8&0sbD?NTB^v03w3$%P!^+bc%Pij0qk$Y}_?}Fkp*F>u z(A|r$q0!M?aSr-^^58GlWaWW{EbB7Jby+#`Gyb9eE7Md(i`!9U@{@;PrA;}JWaviJOQvWo+ zU;`1=i=I0M7B%0bf}IIKCY>9_tn{c%P$fSM=;|}f1{0N`VuY`45C!zHNQTnYWZU_u)XEv`!5!>FDFM|BKJS?D?~`TEt*{&inMTz$ zNJ@4Nl>tcGITngUDY>z4VTY5u+{1_vmMYz#l=uG-s4&vim$te1Uz?uSQw@+YnI;=o zbTO(vujN>Ff3gL=2bQ*Y^o~zId|n;l-#M1A&>)uXxfDeALgz{XGbmn4GayPZv4yq8_T1GkfU-___AlONO7_P)!YKk+5Y@}nP&|(3wH+pgE@KLe&z6eBc-)_?HNuiT6o$!`c4Q9foj)AZ0mGB=ub0`rmiDyxC1 z7=aN0*Z$NsC?QA~Acj^5=7Qm~p{tx%(Y!4xT*7WmSdn^ir9jjO1J4DOU%gBlb$`UP zFlk$)lou!Tj;S5G_!;OiE9gU+>BloeyQW>^3(6EY`3E2zkDwNIX1uXZUN%ESh9^nY zi2v8ASJ;{I@#zUz*{w|h^CPo>YTr!(q3aZr#pF{e&xYK=V2r2hZcm zR)C)!^7H=b>+QS5pPoCh$m4W#M?yE23wPBKpyK7CDsF`wEf(ngSX zDf&tN(N(3rqg@xd9w-FhVmAgvlYsv5Roefp*toI@q3VqT{BCw1?%y7H&ye=l6VvhyF3`QN>J<@}oN;s21H%ZE&9!W07gOx=xj$mnGnVpZw_7a08? 
z_G49hdfTLv_OJQt-|=X@YO|a6N7z||dcuKw`HAamr=6sPw%7L_mcDy>62d>YcB&QH z6;T)Q?17b)mH(Oa-nHkT>5tx&+OX&nFomG%{UQ+_=C#qI}$%J zf?osiQMWUB7TNgF_J8kNc5Yge9MQhJ*QIAiQ=NYM_N|(jRrA7ssFos|6m~2uiWYdk z+_Cz9ztr>BG3l(j{_p#RGFmR--veSwGvNQ8{3y9G9ZoZD`q$uMeZQf@9c!N_sjqKP z5)KGs-$(cU*Q5Ge!C$(l_l?={|iZMNw)ds8I zGzIq0{;qi=y{A^xbU%2+_E)Byg>nZ6Jv`5~;GqxflPRlRS`V)O+Hux&JWAgD^(Fh& zj-*z7PqRZ?GUNno$#?v39i#>cI85zyoN;+wP~el+hE7ydqHtn={4mSoVAhM$r58MB z5EZk+z({{E8@8n+{Vn`pW^6G*x-LOJrrL~uDY{eGtF=yw2J9e6<`<-ws&x4r%SfVg z7=hqXD<88v{S{Pjr5GZ$pY)lEQ0i9-~!G zv2Ol-rF9R&4SUj4X*2t9-l^DhJb|?}?FRDfysiX>Rhq^pU@j}xU-~+$PrmJA`|*aK z!k9y#IgFOoZZ3Cs7gk{$o;enA+b3SU!s!Vy7xDti;@@iF0mHa?mob434lpkLlWWX{ zAmBZgGh7Qy$;0fc8hSt(ucV_a&m}?U#-9ZY_GQ#GV@h;pJ?@1YZF!nPPjd}1}=(__VY&{?sSk#^IZPM+ii{+XKznVVVU;+M>SrWeMf z=jmPj8&T)I!Z0(TIRf#$M2g*mJ!hulO%U6!t(8O9gc#XQpl4*$29&0dQgpI3CQsOW(HKHYxm z|JBVtH1qnlMY~EzPu!*Kes(bxpNVOzVxnw?MBnsLRo$ZnZ_x1%WgND$@J_$hL4Lq* zkZ1E!TKF`D24@J3F{_pjV}2^^o2b_u8kx;Up~Y%-;(%;mN4HX0v9T*m$O14FojB(v$S}ttD!7uP z;sVjOtJSRudYROgfJS{>`=au=Qi1e=1+>O}3_tuQ=Vzh0H+nw=C$6436T0@v2bS}; z$EZUMvll-j%e;O@b8`4wgkjI$RQ(fw)|fvG-2Az*&j~oCui~g#G01}iPT(84Qs4)l zgqVm8j7Ls_w~Gzma8^80UlwTI%E8gLc@dem@4XWpvB8nmY(Cn<1Z@mV4FWdVi~wFV z+HNPYs+Zaz{67DUyU(V#Im52Ut?aLhamybW;MLkK((057`6y4#e5$a*au`(qP1|^e zR-Si%vt_A}uvS(?O0VqI!#Ptm^|%y{U2QsCL4)SmX@B}-w-QbNHMyj$T|5o$Fr{nk z?)=Dknnn2eb^otu$m@(5N#g!8BM782u{+Jr>Be*cC&nlEEVGg2scUQ>ikF7e z^y|wSOO{^e26(^q zAMv2cnUqn&Pq)MtwL!L2&0WV(3VZJb4fYl8X9S|x+4P(#mF%ms1~U;st{)X9&#lfF zCh#A^#g}aR*@^v>ALqJAd9qzH*Vvdy*@crqpqub;jGwzk6;``I?+y@PaH%xi>Uj$emQq0=|X>f5jup< ze_?y9uMO%{9}r}ouP_~6nwH*9R*{ z^XK+F2oHwk9k6eGyRLqrE5?lmC^2E;)R5<0^gJ-iF}H+}5NNv&PwjIOa*T)be$cSz z*vo_l*O7VM>OdIgCS&aSyr{@s`PlV9jayy&K{87yXzIqRUo!gn>p&BWE=vPij92x-^AJ^wMaq{gvZvR<(T<`#~n_@A==%DL*A(>>S}N zCBtQA;X=)}!uXa2e}VZW?lAbUc7!wolw8g}8EFgA&huU_s+*=2h>-G}0_JZu$I^k; zWDpDBBDl^c2mU7PwK1De3a*-51bLR|{@)rb#8*lj8n8-KC#K3GUqINP^U%@^CDaUF z0wTl*%-~=sJ=t&Wn)xjaxnryh)>caB2DMGbk7vHCWZ{fGqTd*iV7w&}^Y({7bAl5w 
zl`!d9Lbu;~rNX%=YmI4}T@gH1I5#OZ;)xYZbU4B+D`;o!up(8Q#ndU~sdD=ZOfBS; zNbKh|4r}d!GjL&jZDF4=xzHJRwR6YVQsM8D%QAo!$-FDI)y{A$n*2!9kR7d?U32lQ zN4^&(1Gmr$S$S&5FFm*p(%7UH`MD-{{_OvzCGmf5gfCFJJJ-62Jx&$@~SiS z(Uzy-D^*9gRNckjlTael&K5TB$e8cZE7HHBWXfQ?*4^3DlY<;~_#cK1zftnWYxaok z=ncPL?HfLRPZ0x)q5uj;Y3EZMhnfpl1BZ7GlB34eBoeFkJI=ZI;#Z`hQU8Wcy7}b$ zq;~Za_jo})lqe{8au~}7QrFQKFIJ#xzWA%$k)QLbz88Y1p*y1I=}VnCz)hMq@Hn+YQ$!>G8n6F(wL27{r^2 z>8JpuViruT6L{#ZK|+r*MQ;%|uOhuLcVI!|1?ol*i{++(&~oGW04SLOcXWfUAjlvj z0>|4TdixmL?*KsF==wFJP`L9`l;fc@*xikCroV)rA%qTi@{1F0G^wORmkV)s^_nnrl;>3+WVs6jUa(3>E?8kwxf&qCK|nwJ zHM$p%*zK?#dqd(f0l;-+S-u%u%(OXk=_Ha&7EoGXa`YbNd?585AFv9kVKwA zGeOxQ=Wq6Yu{hdk&ogJSI`aGmga3jAPrB>!$D(7{_B(EVi*K*E1prWV5LLN;=(?KLml#r=s5G%F+B#&+y=rxAsD6~5Bc$Q!b`+2hFgi|3!5P%7UwX2w>lXR z&^i&4Ts|RMCg*au$cBCb*S_;t_GzL# zx3}^a+h(O_YP_klwvx57kC6kLZcbu&Scf+%!C-T=T;Uv2YF33 z{!~yxI@lE^iOw$*;saw??FQ+Ojga09pe2s^N(M!}byzChY6?md~=t6YU4oYij z{*75DPex;8^HJ+*V>JY7r>ZL7Gu3K@)dMSk) zByyfJmf0p+B{Fm5Ty4#QgWmHmLQ~#IRD=FYypB+pUb1)0TfJ_Qy>Mxs(-jh53Bl*J z#v&cjd+2OH5(_v8vw#XjsHe%hQzfHztITWbA8%{=<3+o@sAP)4|c?8(ax zznIv|!_UkCgr3irQ^`W5bdUtUKF!ne5*@0x;2-!x8+LZJO4BMiw~`l|qUGZOX4yhb zFOb1PQ3SPw0q-~Y10>tW_%9YNQ;s(R9qHZi_#I940JcQ1qvJ#-`>crpQ@J^{@T{Wx zyycju@#f~IwZNYA#7zylCF#EBYXhlP;{#oiX`kcYWL^L0Yg(Vzu>lUrE`t3I>{IAm z943+wVOA7MQJ5EOvA)R0DF~a?C(e874f~tqbk~VU6R5~>AeIuRJ+&(fZ13c_rDtQ` zU95986iZMscp`!_*J&K64=K;=y}4YSRF}ixDl2^`~fV0t2<{LKJ<~# z9CI^mPz)isy%cA+2?lkpFdtz>GZ>udISUM{q(Z{eyN_WiuFPo!ucy13OCF~6&F@@MX1;)H@HU%x%+&Nv$-gc|L?2LelcfCivc zQPY5;&5UG|A1c~Mm(K7X4aF&FHDrojYzZBljYrxgEHh8kE?l83M>kPRWEo$477+ch zY^v8kiIg<$DoWlK>U5=Yo1WC_TG%HQ&kX}1UFzXw3LB&G25pSXYT7)!%SB49D}Ao~ zO1R}p6k_EmoFQ~Xfly^bk_lwR<5n!;lzcE}FY;CGSt>?*4_*nW(kLqV{M)7c$LA8| zjpbYUOov$k3!h3|F2!ZQ!GrPbl5+(Q59!xBcx_Xbn|;D+G-@_V0>)-ocW#DsrfHsb z2XtdSGbIrN*0@B;oA@qTram6AT^sOiPc?@oOd~@;b2n#iuxpHSy)1ZZ;y%1q7Bgzz z1Q$-sED%ll!r0F^I$O@_f2fq2XsMl%)nHSUm=En=X}qomSq_rwljnkMpVzHnSpU$+ z#;xbkJOi~ity<*(aI^OH6`6B^!h2jbZ&E^i#_8IgFX720?0BT;e5p-G 
ztWLXtDV&QbQ62_o(4utGh0jaLr~ZOe$0o>YnXD5>{CSwV?5dO5K!TH%a&Ed6s1uTS z_?A2~$#z}fX|+Wdc8dr}l@E7I66l!BV2H3K(+;wtr0qGqs*a|rt}9oxsUk*HiL}C( zFK35YALdvqH?g-CXovu^Uu-JIEStYrVXY^`a9c{*r-4eQL%KZc`TMFU?*i8SD>D@$ zR%G0lrs2wuEad-HWAQ7kAZoE_<(>K|J=p*%hou(su7{q4D&HR|q;Rp~#Qn z8ov;Qbkzs*ep7YhjC4i3OLU6qXB&*o9PbxfdI}9rrIVIgNQynrxgBe+j_0|F)@Mrx zUQr)+vC+G}iorV^BE^xFY4Uq;%ej2iFCmUx^_??do4q^mF>RlykB~b&su9Ra(;pK< z+CIAZBwz?1X(y!!*Yon@_^v5}qmqiOFiiKRGPHDGkH3#Gxv=3uxIo;St~Ejh1wa64tS2EKi%LeJ{FT3s||3o5=d&PPGFc{qWLws^A8t za$2#bC$;UuGL@E|!$`bqTdBy)-VpZynm{S|aXqubl=1eX+8>zKN{RF_5bG#=%9+?sEMJyc!vr;g= z%yU(<{>G?kK9(K15JUL=IP!wzR2A5s%l>4v)R2eFzWxBul_Lu$NsVMj2!GJpp<6gR zKChrHbIs^)4G@OviBVg8RYv1?<=?MrpMOv6MI1>I7V|dci^yon$wVTpRJOzHM&RS! z>=XQ}$JyH4STUBrua~7w13u)tLNTx1a{rh}NOkK#CA={zsH-K&KGEXkVia7fp$~oE z!U>Fj;{ZM}loZr8*5OCTk8%ig&x7Zg-@QeR^jf0d6@(IbxLN|0hRk{NbS7;Z$hv?q zWMP z!1#z{9Wir9Zp?UYK@_xcJj4@mrj7Kj&xI){p=>|sdj-|^wC*k4>4N9{1FPDr*(O>H z*Q6g0u-DC@0Pyq$a*lg1uX zk*&s?iQ0|AI`=?*r@%JA$SY&xzH(&~!FZjGKQE9-wa1>siFdiLBmj3V`~~J~KS^caEwx=|o?$2c& zHd6wF12^ntVHz%XOpL$ad5g`ST`%FNIR9Qq`hpWP+MrK4$PLhaVf|Hly$ZD5?m9;} zGvnWwyOgX%3jl&F+_l-dHtE@$%6S3gBhHM4nLQlKZGO`3I3LJdo~gw+iToQ+luztw zdLF|e=i-J5C6xm3b!VhKS?1YKmrbYh<2hDnrgRE4IvI;wPt->hw@CKHqF1;X!yXCy zL?2_d{rtXPYv6)avX0ikpS{?84XAG3`lfg=oP|ziB#upmRN!o9tE(OOqsgBO?3Oje zAY@0!uOn%nc+arsiCVeP*hhoyucIUb(Bk;w{qVzR!tXp^*;CruXmB8tcl)}?wE%hT zBmL8c+(_`$n1tMI-;$*zYMUuH3k7Tb5m{;CHV@mSPmC2n-b4cZ>O4YHZx`gnJaqY> zp9h4?<+f$ecAPXLS4_y0DhNUd9)-|t+ zBxVv5m!qvgAA?iBQw6wRwQ*1Zy{D7y*=0kjyb2EU) zV~M&nS+n9Gpd{b$sE^)6)t=PGmP%o2Y4UQmqFtjsmyU;8CD~pUXmkr@-|wzbXP9Mt z-j_Fbd-f>KSpm?x*o^yS)7jj9=(r`j1@9#g!na@{l!B)bZPIO}4m-04S^w+Cs>qBR})7WI9B zB!$m~9P=9@ESJj%jMYy-_lpdTIy$3z4RtKwU-U}a`Dq?sgQvcrQ?b@41l0rpJ{q#% zcW>FheEGwpc`shg4ln}YX65Y@MdeoyKUNi%COi790N zkGoGF)i&EMzCK?M8(Caz2S&vWn)TBv5@J;Te!=T9OCYCX^e^RNB;KkU7~Iz^9V~=H zqaq{oO@}zUAsUmfM^_smW)A}-oxIgTyt_?}mH(uL4oYZ=(u-Z(QAnfzvdOK;1k9*9 z9ozs19abY!DW9~zXlY}-DiN65UFkB~!))W`g%LHmYw2V!OJ|a#hmO$lT?wQ0HN-qK 
z&!2X7zh-Ybi{zdkBA!ukWL7(7m$Zm*t15+~(gD4X>^KU^CjI?5}HNuR!wJzpF zHK-J0`(n}aH7U94S+q?F;BdTmQ&FC2h=2)c->V}MbGq7no<^sy6~MHbuiH5t$W$v- zpEjO4bOw$&rp%r!eoTM7bTH7loT0y#d-SC3Fn8s|54Qfg{@YWDFL33=ioBUs1}9T* z(_d3nw4X_7{}T5KBf>z;4T>ZY&3{(OzWTwX ziJ?z_JVk9VINHJbLz8m1nT6i%K*GvJm;w^ca5(U=YF&eD1JUwdE1d(bzlu!Z2=1TY z=2g)j1{D1QgnM%`r0hl76ZBC7hjnS4+)4ZFQb_^{$@Ta{c0KsIk&2RV?r9&D8BWI zmCA9!emy?2L6t(`=0bXM>WZx}B{ zc<88DlYYX{Vl*_}RlmxiRAI*)95HNJN%o|>(?5rH2CGEMtB~|HyH+qWIxeO~>c-wW zjy!J~%%=%l9Yk`LCk406PBsR7?%YXn3TNC))Za|d5y+&QL%*_=?%R9+)|RzT%uhJP zdaw}ig+`g!d2g8sH_MIs zp5SAGHPz6M%Fz`ir;hHJ8j~+&pw(z-J?77YLpQ7y-s$(_C}u{vu7d!~-p_8XLCb^U zExzbMO*V3cgZDhjRlT@v{9_!(tB*-Na0B5FDLr$>QpUtU_pb05lR$_o_W*bMuYN5sQy0Q1H()4<4UO13ev-lmF2? z@HgbAD&x%wM7Gznz4H~PbQM^?y4Nv$nUfx0`joF1@GsLs+5;UCRO%_*pd46_Tz#@^ zvArp8C4eqF{8}6u094U&7+HI#xFeLV;T}=gWC)s1|^by zNUd*?)4Jc1KeJH@J6ZXf{tun$o5uTt@c_-q#e9XMv%OrDm&a)(WnX$gR}hvFS2S+C zF3gwX_uzP-zs|3!(52`~G`rzGf^wov4PDe|u4AS6>;RpddCY`SjCwpkKvHCZz?E0$ zJ_a&q0?r8;3+J1ul%MnI%8@vgGT=$9=y<+dX;S6X@*JtpxZ3efU&8J6976FOka0wu zzucUu1J2{@KK}_Y|E{oI}f243zA*}s;b z;S}t2Iy6=@u01X}VSmO)&V8OMD-j#@WZON!ZOH}6CjVfSRf8~zA7^?_6282#vHn{* zabJ>yZH^dKZo6$wLx&ZuXiA|sb9=0`SI%(fShzuixL82Xc{T6`M(ZoOXC!VaT`+sD z^`Y+&55Fftc#y#&ea3E#l`H^@cwC(lu^koe9x(XZ|0twA`{|YWb0^ey3FucFRjmH> z?i3S()%e^FAl7Q<5vq`*>G|7{klko@U?{M%pVVmk+c_xGd$T0Qd9q zS}vBGiy!B`(c*4>`e75^M$=pCv!A2>CZ>k8m$m<8^^?kRj)1`q+Gz9<8z-1MY$R{? 
zu6)~i9g&s_>~IMDd6O0$h0SGTYhBbsnfcyUuNc!&d8U6o0b-Z)nN4i{g`7cd5M0RN z%YD6^D`px=Mo`}lm_3td5 z4lnuXa4=umk&=|515Yw^QHI6M_V-MyIuPGRVf-tJfB55wUjK&umW%;mWhwfIQ*of6jHs#4jJ5 zk5`EwJvBc#1YpGppaGZ#Y*D$$&gp2LH^-)vm__(!lhs1A$(qDY#D1Nf$>obVCjkOi ztgmvIL6J-hW>P1S=eNf3Kgt1T8Br$dYOQrisCYB;$7r+fF}wg2O|CF8@lvVogGsT9 zd5r23&z%hiZIqLCL!-=I7#Miq;LO6P-4OgE&OjSXB4#^mznu5%?9+@AwTi|#MpT=BksY$M7lC4ao#b&9V4}eG-=K@Y3SlSB|pi?-G=LL zOZ<^~>^GL1n12FR0j5Wuf8DtV)!d09>-<)HMRF4k6-IxOHK3LA6m4XSA19cDj*p5_ z?6~D;g<7UK@qOL?O7dItqqLJ>$k>^ik^n9P593?OWu}f}%_P{(ZFfX3;%4&8v^CK& z)xDMKfB;~4=i{W&EISULxF5U5oS_9zKcor;r*di^yEVMA>_;fozDaQnw=NVw$FgnUciiQ49=I5Hq1nZH zwD?z-leAstsXD6Aoy(+0h+b`BeM=kOsmaKIlcm}Vd}9W4TsAFQwU26nq7{=t3vxqi zuW9t|)8&M;|A(maj%Txr|9(|V-DYWx8WA+8Rn#VCjaqH>HfqFHwJMY%s8XZUirH8# zr7flQh*1?J_N+Zhh&^K@)^qj#{hsIfH?LRZ<(%)izUMmU^Lc+9?{q}DjRG>D7=;oK zLDh}y<8ZtRiS)J^WH>h2#}Uo3LuKd3PF0dJ6AkaA`l{#5{K_D&iQ-F7o`A!T$yD|p zEL176l%8ccUdr*CQCE3buQ*7Pc>@!2O~~;xBT-v!!r(4jH9~GD4rHz2&_mU9u&ZwlqJY^^`EKBw) zvY20D&TN+r=5SefSiQ)+5QN~(&sKEc5B?0QqI8IKC%U*#ek}q~oUK)ZbG6Fu3Bk%Q ze#j=PMoUV{R2uArg}J?c+q0AzK~>}U;?@r^5AvtmGx$KHQMgRM{n-XZg;{BK>n%Qw zhne?qqi*_w9LSORLeAFACzJa4m4QBKGuZ{VNmLa@F76vLYI>jAXr)_AibgZVeZ96q znYN!VpUYyP&8$JXm86*i0^CY&oYe4B-Qd%gCEV8Ff0hvTu?$$Rt4Y`UH)O9zueZSn z`0Vx2qu(%|6NDY*advYea@~Kcs%qb^5OD)@I|8SAc+k6DKfHOXgH?ltpXONew**3Q znG${KQ#uE9rqe8V9MV=alA4=>0TiD9o-(@5%jw2ha0$3b@JFn?N$c(B~C3J%kPSD zeDgyOs;28cdk}?^a31l z?U6X+v;_BXDR|fIy#*bc1x>8Br(_q#1x1GuyhcIQmCb*<(^v5~WQ>-WWJP9~(-@k3 zPU+6i9j#LTHnY)TOkT=0y^bGM{YGptDmQ-hpMZ*X;~LDU%z&z+kiYdom?)})T?M>y z#vQuLTQrwv#SuW0ye~`}-^{MbQOl}uxI|7f*RA)QbY)zQIz$Y{Gi(<0RK5!ipM5M8 z<-OJ=5E^akrzxG3cFysIDwD$LQYHcp=xl`O?;=^UP&d{LpxgYYYm=NmCWrN+^z4q3 z{G!`_%D$#|lyXchmZQl=@ggqE()l(R-hh84P{W;bL*bjjLg_I#EPZ*Iffu9^8wKkP zUM)qU9Fl=3CMoriq;522ptyv%i>v;e>!ItOx@)H7WPcxu?-Flfo?GEB0)d$WF>0#W zZc*&;nG_LziQ4%Nw(=sBVPLA8jxi5vSDiZm`h_6T)VIohwPItZ^_aq>r-^cJfV9Qg=d;RkgLMLNy z4t!T0Q=7Z%V|EY913Ey12b@v%vW1?fU+GCeQJ;-aE^IgstYOH@g@KUv; zWYh36C`s|MSbMhbw+jBqO^H!sjPS)H3^;2RkS*d`5?^W;!QG*LhW7$Dmn--SkQc;6 
znXqFwjlooC#mBhDibSt;wW|Bh5LwH-Z20+-Ji+~P(?U-zF*anLvfc``i5>Vz|0$Md zjQ2|1mtn6n0miMmE2Gv%_jmT#+ix}Ztw8EdFfZ&B69Nu21emFO*BhZIeK>X!qS=2Vf3af zclLCxJqLb`wVWToTd%TJ^$$)wF=~;8P(MRuGjQUi)D2b)?ygEE1Q<+Fjeit$Oboef zP5$)$F!Q19ClMD_g{ zKlTq~HxC30md&lgY?><#RaLDl$9l@8%K0fL6^ndAJ7AUyUxwNIfD43m#>DRGh01_L zw4evZOgU>G78F>e593IjV^>NWg{oE3y z+ZX(M+`mt?Vv>U~UMGx^h+DNaW9VuZ1)dDs=2k?J!&LCN6{95fU@~`?&C8bGHcI7e zKw>ORltXs)vq%GOCmR$WX7loNM2B2eX^R_mN}^OiJHGeoBm><5IqRyN0AUNEv_TFmr6Hu_uhhQyjR9=%WpwG{mdNEGmOy#!WsULiw@o zcoL|Ezs$(u8dud)LJXbb0jy5~h#LvUV!g??LlC!%;}A@j*ZIciS7JhUzpm#7x{5`^ z6n;wtEc{by=&R(cKgW$+47E=RS)q)37ixdCgD0D~DuJmbN|5u=SjP>D%u>}-L&w!V z8D3wD@dr0W96r_GVA-s^HP%yDeK7(av!1p2 zKI2=?9H|%QdGPGgBlc5B(_(RH!?(ZK&pX?p7bo3+;Y){d&rkh&sa20#4{M(TN|V~^ z7MK0MC{S)h_}y#BGN(MJyMl5LH(yOp{_}z=7~-U>aZBKv-9Qc$`H)j_Gh$^JMjr1e z74p9OmFZXWCDg)oDTi?DhkYSOSuOVJX%drBC1H&rpScyv{fvH>LX~tpMq)qC+zy^d ziehIJIPPcMT~2ohW})tcUz5Dk{nD7uRNsEPS)GICG7Nzjxt1@SujI*ms;RNx6SW!)875ui_^oS=UFWaH_L=10taI! z=Sl)r^~{p?$h>M!@#BTe~u;|2)hMx)+@X1WI#W!NuUlfosZm#ICTA`8HT4=zq&@Pk7 zW|evfr2MLyXvIUvM^~0kjSX;X)J;$;EjoLOfGaO}Tjd;n${a!7y<%57eNwm$7Uzw{ zU)qhGdLF|Q!1{PMZ;Z-bYyj%m#fJ0l>KtV(WeFI=zRd5>V2Z6?k#nxRt6~2^@`)sm zX}rA`Hu*9xUxp%L4hbW*AtG9-=?ANOii%Z9?f5JqR@(RB|UWi z=CNne0_wZ~MlJ!7OIl8C)-T^~20Qypft@Aud~O^kdjBzhg9)}eb6oksNqq)ylA_jL zm6M1QUd(c5$`$GOYm_-*rYa0Ov}`%BT&fK{sqMC$-Ag;{&3d%jv>og<1x4~vjwmqa znPfVsVJ&WGt1Gd9J14>KnWCf|pYiR2a1pxF^&J#v8<@2F1K!bchdy+tcQcc6r3j}G zf_Y0)n0z7_m95e=anr>P$928z=t)~c+K2yIL>re;U@%bVv%S~RmufGEYenfv&oWO) z@1mQlR{|DLQ0gudXSPjwfAjM1$_*p;{SgM-0zAZT-S(+c=fe7+*IDfC#xDo6@ADCa z_2X8%G9GYnf?J7Kt47&2tu153oa_b5KYP>~*E@H>J0j#?I%L)f?A~@5yv%x5nyx7M zXgf>gC67Z_`x^!_OOS#>vm0ui&fdtza`Cm1)ZX}K6IiOk@ADT?A%fcR*8GH-J-?K= zSz`ty`^?&4MC|&nTUPLaK?CT+S(T`_Hkz!4TNiYJ3G8%r#-ZflC1mcY z-xWc>Ip}aE*ermQx-K79+Zor7FMaqjOu({(`lK0Fj)vJ!^UX3PKYDCk5s-Y+8B+S* z%d0zV&Nq1!6zt1o?_x52{8Q(pJGJlgPUDvwZf!Z8319~)c+Ig+{CCky9I7_=urG=4 zXGHzhtSf={et=vNy7F0?R?xa0iWt_mmxkVoDy=*OhsMlxo$iUuRh60Zk@z_{j(bO* 
z3u;PRO@?{yfTchm$OBlBppfF3U4RcY2nnC{D5CiMzIAo{wRDo<-6g65LQ=G*=fH>Y z4UW1=4q~67fr1Le4DyktAgga&ix>m9H%9n`xFW|>o+J_0bU8QB8C_g8$iwe54Q&qflM-Zl{14(xIn z>SMMQS0z5_xpRlRX|UyD2ilK_v@5^GX`^Z;SJ?0$02k;er>cEqA~E3{(|yFP5$$-O z&ke(GJdK;UC!3<==P_CimW}z&&h8MOs#G*KK4=sG_gJz=*6^AM+Bhb8+ZTZPCXiL1 zEl)7lr2N_~#dlQ~6GC{?p#xWAT*d?kWCOA9u115VGK(hJIq_$v%~@qpO3WrqXgffz z&6sqA?|e&fqsQQg`th}af@FQF)K(Fl0V*d*9L__7-JB}lLFo~oHkhr#d1B_Z1>9XV z87&dJiW}YfzD?J+-&rC@V40lyaOHZD z#(ktUD`pX0?wRt=xkNQq5hfPJ;n0xc^pUp)tHT!n&?Fn7*@#Q61Vw*`k5PQ(qmtzv zi}vvLF$~Kkb24AuTs5*BgPzf=<0dW?V$vWZTyMckkkR+P zs^zIuI4tq1km3kVy-&L|_xM}Cy%uaTS|OW|?Qb&`Y4|cJUvmSa1;eQG*jIBfD@pS5 zQ=b}zZjBJJkB!b_c=H%k{HX1lf_$U!da8!Q2Z2UgzJVq?k1>XKX1%7 zzNn}WkR@6>5v)Q5SEdVSCLCW2cSp#5q${C&Rp4SvQ|h>rB*;=hkGu7%%i!APa0kN! zC8e_zrv>%s1e;9*2IQO2Q*bT~zmBg$q1^fIm_Q7D?QaNOQ(h?KS`!cB&cR=xoCEJ| zaaXU$VTyN22S~09Or&^BsVIPQ*oc(JAqNRec4W}6K~Mu}bvhnq#3taprupRb2Bn9O zK_tk1A50$E%`6Ed2)po~eb!N0I`vb@Z>t_*T+*{Q&~8~#H(gMEr4q+ME7OwFof`XA zaZJ)7`TKZPqR?0<*{8``v!dSF*ZFi0rrLV^#Kn6k(ksTyk!$$7*Tf}^V8~v3Jv8Yi zr(dd5(m-SjYdJl9MpU4!4p|Go|4uwGK_EKmUUaHnbM1+& zZRj6c3p={PMBJ~1E!7=STdFGc6z-%}kHn<@EnLC9ONN&Skm@kcfz0u~&5c#0%TVHA zq?N81Rh<+|rj66aAZG=bb5Ew8Ydt;Y7vpC2OP7J$ z5e6efq?pqwiwK!Nz4JE0AzX|`^ch*)&)1D0$=0;Wq7*+2L@6bYrS&hA*<^>fb{4Id zwKR+Q_Za7eb1#+VudkXfL>&)Ic@Q#;Cu3ADkC-Z;z(ET2(=@`v{!-+nz(~vrUq5KK zP#-qp#8uEFyJsb`sU{A%g0Ypf~(iWaKfovaiaRPS?4I%ZndMAApyf13tzZ&yW?rJKYlfBB8 ziGvp&E<)LEi{yO9kq8g}H&ai;rgZv}wg8nNH?#eV9CeS!>_4K7f}!J|60+3e3r50d z)N?%jjvW$3q<=W*1id7;vMR0Ngyklr^sp5ZoBU|Fnt2z=*?VuFj{GtETthdUM^>FX zboHI;h6tro(tEKA@MEV_ZI4D$HiW*oO9M}gqWLXqGI}pplNCKG<#lmy<)Jx z5h!SF;>wkdqLj~8bZVT67z0nc)b-e_(tE^x!M(oGdg$rHzDT!~I(-{F-nZ*E{tloz z<}1FyuXep;hV2d+FEOEfhmu}J=7sgWj*}f+&k~E!x3QXdS_E$Q0?v}+Xw2IwNiP_pSHXFiFI=MW25$kcS{ z;nDKUWseUY(P&|$$Uf>IBw==YIKBNGFLjMxt@AO}_b`r6FXFheIEj!**)UwL3$_af zrh!8uee#r$Q8pC;S#|?cnS&HvuNhb<7X*VdZ%{O?k@^_mCd*taY7cCsBELwhg9E_= zNsB825`)}Y5+uwe1Gv-Vn=I?Vg&_D@LYX}`^C#mz7uoD6OsWV{$v7x)OaV0`UoSpm z9#eKGOyJ}s?#|5I;_d^V6`CkaV1%K!83wnazC#OVI=42zR)df 
z5LaGY#}k!gg)|@Iao>tm{Wdd5_CG2#**GV%D=6xtCkMZZ@i~js;x{rL`YGncm(o$? znQ%14ua+|bMl0U3Y00K!y<4HmpxX}ReAMnvpM(Ly>!r+TqOV|6R`82bZVRW47;w`X zGwjUp^tA+j#6|F1+(kTce8}HpiTGOQdR~*PZ&JT?;<*m!@)fB`!L+s2YGl7rWzbpH zx{iDD%N#e}n4-ggKGBdoF{Ql%D~ZM7x+@KF^bS#s?h0n5jO287HJ+D)_XQOeC31u6 z81lF?)#yf?2!?4!=Ze$^nQTPYGC=5$JT6dfSltL~l-w0!vKZeAc1HL2`=5`73 z2?aWRFGd(lcM~p*pD2p;6c9GegOyUufL+Jfggdv7`_j&1vvoLjqYMK@U+}u<1eYeb zEmJx+kig=Tbw;JP6#@l1yGAIi5llV8-LA@4ruB!Z8WBi0b zTcpGO{Q&&9eU$hBb#ps)&9Jsrm^iMQmyMLAkFVrdtdt4`ji)n?a(`utvUN&U)tE)f zjsLWj$&>aDIr0y!JrglG|1`3F+P7WR;^cEMYL+fiTKDPf`>oY3kuuRxqE6_D(NCuP z5Nh^mBI-u`%+*93=H5rH@EAi`$}DJv$7RQzTUaLeBke*|3Rt|tJ-K&|uG;*q?)WII z-siy201}DAh+9u8Q7x$foiGOFH@OchRn}rr5w5+olfdxunv|5QrntABI1jmp+B?pe zyb=B&ZMaf$KT@{z4@rZW>k0bIo+T-M%n9j<^3`$SxLt- zaYG%SIJ`X=aNQTX!~JVB6`Ox%0eTv$NdgvRvMq6bPM$S8|I;!1{Rlc8G~0i!u^oT1 zwLWt+PuUc-g|4mjmtuB-9;Y9lP2f8#19k= zPlncI!pq0#P7lq4^BDVv*_Pbg=wDaRCXraLyXLyxD_TZF3gDgSS zdKYY4l!?`ML95F~Uu+~6@q5QvNyk{`KIXZ|*8l5PwPctqHr|NSi_R8rC>Iz@)#J8) z+@VgSuyjQp@5H(z470N5{H8oSIE11iQzoa!-+0okZjjj%lRkyhfxwG`x+hkZ7>I|1 z#Q7WO%l`0jrtonAK-)>?nNjZ>-3>3P**hK;V_cv-8*G&;e}E=>{qTs#aj2^4;2G}? 
zy)pSSK@Bs?XY3>f6f`@5)uJ?|F>Aoj#Kp9=!J6_HC>;qdmV=3!bd`5$`MU3GrL9)^ z>K*=;Ki8C*_XV`3UK--?!&)h{1RrUgtRt3L`L|d;rIpFnutUWIr_#Kwj5?MyW965^ zK~jyRt$@|E@^hOnd~WXZciiMG3p=nrH5i;{1i4lS+x)_NcFMSd6ehnHxI)QAW?U-L z=y}6oIE7JIa|u-Ro6q7c9`q}QJh_sziJRWbpZBS_okZ*csA0VcqP2cOdcLL|ieUqX z^`*LI8TDKIV`j6EAH;XE9{<_i`c8Yzt1@k_`x2(AThng5H1kL63(O29#v%SOvw_Hu zro9N@ibH9reR6@?H*R-@6@Q6m)NT?$S-;xwk<#{LHL+cNZTZV|4c}7f(S~L;Ee)TT z_tXdYOl>RP)w@;Ra;8Ck(|y$)6&P7TzAJu}wV?7bZGy5H7f>HGd0-jY&y;s|j<}yN zui`^fAGB=Z{K<^ZnY^g)>3zMU`Y}AHypa!0yo^H@i1^aPrMOp-|N3k-^UcoAu-f6( zW1HzTFQq3QHEmV6{_T~4_?=iQg@K>y=Tb`aU6xy|c#>GCutrg1UywjI?~ufsawW^1 zsy=Ppg9eWU`VGL({>AVSCVujLd_$2luuMdC-Yq-RJfyTw5csvRQzXsQ_Ho@Ek0QzY zVUk*!8dS`!H>d(>fX;vhnM|&MHA&Ji)oFF*&0u}za@0m$Z8yM<#SSjh-Gr6EBN;1! z8eG0I*A#`+KBavn2&~$JU9NGJMOv6(^qkYiG=y9`Nj_}No-ux6{=V$$o6Y@ryn;eU z%Eo^&m3i`>{CyK zRyJy$d4UR4paK=>x1~$3z5(Z)dIB+*AYWBOxRx?4t6jcrIpDH*dl4;M*~2>dO+;y- z{iOu*uW#Cjm@bQ2mxQjgL=CPPNg%a9q*RC{iaFH61ZU)O-13t2F@EX-6{tW3D$s9E z#yB$nV(&uiW)&9enI6WcN zwDX&O8-XC-G$ls<(#x9dp#fGuFg~DI?bp29_)`vlGs;$=0u`u01^UfN3biJTXo7=C zvz`R#(&}|jtJ@9S6RS0KT`RAJ(;8dUif57e8=1ip0y{4)^w0pLu9*0Wm4L4)jFbq9 zK=YAPW~A3)F8=?(N}x>e(t?*Yef>Bu5=!~|`ksHT!DjQh!t?w)Yx2tH?T7rW@O@?B z*Y?ZjrSj?fe`^_6yfmHlhwlxS>R`n%fAnj`HZ!Yp8@?B=RbSekTlJ>}a4RDX#^<$k zd04cSiPjTo(ui@_2;v*?Tib)=uXvJ)GJ4Se))T%s< z_R8tc2(!GeNNk-w`UfUek1mluSwDtUrTVUW4J-3m9u|@J6lCR9{-39O-jyeP*Ju9w ze*>xBRhWF4RPXvO`lGbL?@BCezU=w-by)Cx9jpzcQ90#TmsyzC@V!8*CbLPRD(v6X zm~p)j=rwg+>x_&7P7oKs3x^}ET;{t5!y})Xyl3!R+n#7uw8(g1C?CwqQN3iA%`*~3 zE})n5KK{-~HJ>Yr7Z7QBq3NRb|JUU63@gg=GV?U~nRoTCSR9>RnGd@n<-?d+>&%w{ zg9cjheZ?;_@$<@u%g3n&u&TuT$bs%FOg`6o9z`;F_>2)K4u#Lh^F#c4QJ?Y052S@c zqIg+M!}ErFBIQ4xv-Gd=ihdl|zoVZUZfzt}Gc2I0?8oK&Z!UM9RPGhauKJJ{bOjdr z!&5%*E0$wz%Kw_AJnsCv`qK1uqPD?iEvl4jM)<2W2%@ysD@X|NSP zGSiTifOdaO^1D!9-?hDK-s%5qC=ZIo5)gq0N0a??S;`D%Q}fb!Kj6Ja{A8{vJK}p< zKJVwWqELIxL?~fiw990Cb|u3yE_3ofv9^N>+o%@_S6=!idS1O=$X#@OnJP=__PYv_T#iv2CZ6Eev7pDi*dLn zjE;!YX8@1&7w2EIk#ewe%6ojz3uy)MQavkDv(2LC6dXXfBuDmZ^Qzy+z$kimRHB^*=v}KASxp-bVmgz8l9a(2PTIiF2 
zo8+@2ClK%hBwa^%XaLuzrC_9;O(DTAHh-Iy*;c$ws&1OPid+_wf`H(uy}`8XUWMfY zzAUSQpq)^Bl!SqemyV_g5rl7F2ohz*c`vn}w{EU5t-<6h@{cEp}(#x=oH5Si* zIUd{aedF)aW@nV9hfatGMV!*Bu$8?Hu36-p)r5`)tjn*&7Tb(RDZ>R6s@la+!bAIv zYi5!b_7|u?1uD?5B~6wwt{W+zc?@sB^!#2|@q$zVFu^M)?cSks&wKj*+dz;GCeTEE zMj9oM;rEfZ@ea+5AbJIdhKJ+nFwG3*;N7*8c|*GtYPL^&0E5=u3Yhu8_6g`o0%gdH z85G#EP-YOB`Ibvbp+ml>)ppvzNqfY&lo&pNma&-%2%Q)4^c_dy#mL7!BN;cJn3MLS zU2y94o8go4FDX1K1Kh8so?q?VTBB+)Ru0pgJ#5feKWhUrX9jMhbCA38U}M?XF0J(N^d+*o|kSBjD8Dp{1DpgS6ZuNND)Cg9-h$-;q@riJw7qMb8QVP zpcZ&D6NE#v6QvM7babFW{9SpMCU2RI&?vz?4LAtGbx?yAZfTNdVCMGgyEaF&rQypq zVfmc$Qq0+^5Bf1KGh2lMMJFjG7^c_Az2H9j0v0fTW@9jvV$vfK4j$EsIhE9mcUhz| z4zF8hZ1mP#%%kLpa!hmE8*%mer{jv3;xP^62=x?TvLbY%l4F&yLA0NU&$ty^JTOwA z0u`u0zlMaBnh`05QJ5pG-fX{3bRp=(VGLsNlItTOZJ7b2?YjIPPtjRD(g79P?^^B< z4FJg163X{4P({iNSk@7|i%+6N6dVL?mdLFr#YbEA zM_=Yfk`!SEBhUFe=3YD=Ix`whjsmF!+Ljg3^BBYQUS@h``jZ5X(k@Ve3RIw9NoEa` z#sLXe+9ysfYKPx7HYksWDAwl%>;y$KN1mSo(BDdvCz=^RcQw67nzO*sj;CshG=nFp zm9)Gw>inCq?Jdt?f*B}y1<&4k1kN4T8{u0Yp!Xy4z2~s->KPby)I{d695)>F6m}`q zfNK{1f?e^@K3CyW`QNo89@7l0QrvX-=~(||#_s1(cEfz^e2kA<%df>YTa3q?=vM4Z zF(Z)yM^=C;rWZyY;Nr38Kc{p|qV$=EVDG;dda$M}f^*3`XP_^If&B4q_ouPXBd4NU z=$Q&uJju?d;jE2M!Nn7`1estSWnt-H2MUT?gX{4pm5mLc(7rwjRGGFF8c)CX z9?tBQG6T47zjN@x2hZV|Ql@F8Xf4oosCW+d`#0dU;Y^Kbb{VoOww|>J3#GZ6t!*_1 zEiIdxIWK0DLMKGeUG_or#N()-K0e`zB=#KHh52SFSf9b>S7JUb99cPG_!ds>Ou<0m zC?Tc&xV5kQ=v!V!@`4*s9%;qjxo7 zk5&XzlYkkq`w_V7#VL5@shPO?^x;^}e{#Fz933l6fe;X!x7Y~l=TgYwNZjjxZ>B5i z1g9{Zjz9Mlj8bek@==ATkG@BOAe^;oVI>Ia@)gN_6bjxW)L@w@rx~E7o#QbNLARZ; zpZ7SPo%|ARi$>v3JqXHt<}i$4*K}A}aD)m|9@vg}DSjT|auciE}#a1h3f^bG{Tf+hIbjH|7(DcbBSjPaS>!wfAM+wtQxmji?fDcC1byuSCjl9G=zH>|*yNVmFxy_oEHpF6 z>@jASap{JHjLxAgP=N|mpjA=ql==VEL}Px$EX{@2Bog7b!FYZoH3N}kK;HOjNOGN+ zEe!~MB28mlUDD}A76DWTBg+>pVPZ24Y5F?;Izp`(^v&^`PCQ9qGA!dCl@MlT8* z0k1o79xfy}>O`SlPaTfZTmHnC*Tac#y-1;8A?c)Gb$o#YoSYHq9=P<@P7O$uUT>h4j z(E9ZP6{tW3`juo;QPkk87P1QD%~+~&KMS>DT-V=7fnJ-x%xs23)PqF?k~1Ui1=yl9 zg@QTmO|bS)P`dTbM{wq;@u@`lCAN9e#yiG6Az4AKI!;RGf5zIZB_FoHGLpaECxG%R 
zfim9JasrOBp2A+y9T=iH@}G{!76(Om@U4^3lX=q0RvoBpTrwsRY1k~GEDt5e1OlZ) z05!Tf1%uo?a`rgNi;m0FacH(i0^)qhu#taWn;&EuXNpe(w>GMKg~A zD_a43(bYHL{8LUa-hlebYDf>&x+cruvEU}cyA@fKq-^-|#6&tmlL{xlpPNqMADcFf z<2UF}P}H`TLLl==5X@`zt4D-b<|i=oCYgq#dGONai(tDh5=nw5L0bnk+m2?f?2g&j zoQt7^K>5f60#3xv*qIEQ#rh{rr1M{{+ zEnb$7gro!x0Y9`fS6`+S(=qog3Xz<#PBd>{?x_M5s6Yk!wIpYNjso?FpPKS5oYA5v zVU5N)MMAq60|iwA^&fy;pp^f<8bmPG3>*3R!%0im>>kyjgq%%5!N?hFfFcSGO9G4e)jI_$P=N~cYssS`DatQo z73RdCF1NAprvc=J`Z_2?TLs9uAJ~87CymI4}*Z|XoYCj zJd;omSPEd{d=VfSkovn>SVeU^mR8iXO_9R5P)1>AD1o-5mNpTKsBKFaBsKGezjZ*a zG;E6%W41tGyaHYgOlY81q(gAEYC!%iPpfnJf=*Dk5}HphVL$=Gdp^S{qdEsy+b9sZ z8J@A389Wj|f_J%ilm=}OhSjKdKtU#T6@fNll55n?>Ap@XHP8)xL;HoVP zm<6NpdS(DvbJ{5+s1*xjU9*ZdXA0v{eHNI?#~p?g4h$VokR;@LH|`jMI18-!RVI1E z!+;mf8_i!&2>k6F!!u5e4KRqvTUUKw}f86eIGr!)gl9uJYc{*jjJ zPcL1<9|^O(KS{6(36Qm!2wQb>f7QTio-(;w6eo(AI026L%_M!sb@Pok;_ENJ!uOeP z(FDy1%5jEeb`T{&Mc+uISmXWmv>eOOHqj0_KZ^v*C#V;j6|9ltp*pNW3u_$;gF56i{nM<@l>lMnMD+X-Tfdg->`F8a+b}O_bJ~_4 z%Cae99@tE@#Hvw+R{ZCg4bEI-5G!Ld|HgJ}3fI`}r(@4FP0aFWIi)Pr`c-Joe`)5YC@5jP6zb$P?H(#YTov%S z+Zs9BLqY@j3lG?XYU<(Z=$q8m;Y?Mq#ndUQii0K_h)P8DaUqAxvY7&7@azG!q^i|Adj+*STC+EkH9~tU;Na-s~iorD;apL3o0@5%M^-> zcu$HeHE7o*pM+_gn{I@+Hes7G1q1T0FIdVSG4p7;pk|2F5#+b*#E!9Avug;71S@q+ zF`({W`S-u0IF-Ww`|gL9ty`IQv9N6Fr_cA9LwMe!;?a#du~B3P^0 zJnf%j6*C{auh~27mWn@Q`Yr*=SR}M$0(Rh}EE59Vs&=xJWhOxxvePCgqy)^8@><*_ zcb=;Gr$}{>W94Waf$TiFo8lQ$MTSR|@1G*&Uu`OIVdhPHm>EZMrCDhP`010yl)h}S zBmu?qsDLE-DOaDioF;E2SQi27FX1JT43c4=XBc*HqeAI5)(d;FXSB=NWz(xHCrWa4~Ewy1Er}pjY&8_>y>o^0lTkB2Sxm@ys}RyK247f*$1e2sD5)S zpG~DhlPe;fz2M4?`mfmVzeZ9T#A8dAEW;y@JVIsD!zrhoW)u+hoYkFO1_HGVhMBPAafvnN!qUjTP|I`8Vz+ zxu3{gma*^%K+LN-2!=qhs_0OwhCOt%O*mYK#2`v>b!IHvIyH)DX-R{b*m z1nWueH!Hy|AWZ>7LCP}t6y(}L zRiLf<*6az5BiRux6#{Fd6MqP*5z?ml4$t6^BuQKAX5*1=OG@uwqk&piB)`8nWCjfk0CNCZQ$4rizRQaUP&yJ{7vw{GDlvV{t29XHR?AYvA1XSjRo!5*HXts{V2!4i^ zR74BL08LoJ6m;04`Xz%oquILhdY+PcYZ{!ykV=xnVKmBcIEPLNW6%u$Ai2Fw;x< z^XvJW3CfkEL41V~mFa(xb4XDsS>Cy8pYS(1~1}A6X!b$h>P&ad64|5AE6OUmVPXwrnrjvrg?hT=!7M-&uNRCF1|r$K2_TmEop 
zNc@+H@)GN*@%7g<_|NEstD+wgWgjxa#Qdgw<9B_^}JMw3>`(yYYq0%n1W7;7~y z%OO~kaeq*FX<1}x;z}zHG-sWXP~ozH25H&VG_{dA5fBN)G^brJ8|KzYD%5^Fn$PT3 z1W$tAkJ9_a7t8KSBQ^)6yU2vq#-AntkUJ@2$IepQ_o=zbq7YyNY)oQq3=S)cbA`+7 ztSPNfARytvayXv0c$P)O4!M$dR=gx2jId>8#M4NnWm02ieaWZ0vUgUzvRX+j)s6tb z8}R%r(@q<0!y^-}?41=aY1Z-|I|+(Grm4;COkUVlYEw@;fHH2g=^OJU{L|{?JRez1 zPeRjYJ!%j>N8w;Llp~OT$${~ zf37+pUx~*B(OTmzCBmWwBR@(Uwo-=pfNZMA)B_}al$>rD*L z>$zMr{8ae@_Frk19u1=$t+tF@dF(r$Cs*t0*WcQHi4S9!m^>5$A=O(0zWxTJG}M{2 z&d6Xm)6rTWZHy?(TVz09z-!zz>J{d9JV>OKMMxGof`%gvLuNUd)21oy`0OYGak8+cc50`aSWA{(E#@bq zv-1-j2%5A52wFBfm&dqQmgXW|RSv9aIpT8PMnwb2qISQN{Eu9p5kbqW$IL4pM zP9}}a*7(3m;#~34T3<00gEMZnC-WUzX=;}2oJ@CR@2q%f+h+OFrS;2?AF-V>0!V(> zGK7`A^Dh_cGQ+H9f_(C_*3^!M*%(G(CqC2r60F*A&VU&CA|fwHAu*j(vTY@K`X!eD zTGnYmzS23tf=VeJ+V?1xlaNX9qF`a(lrL5*%TjCvzexJJuR(We{Ne#AKk7~rw#MR< z#mO@0EC^Ys5@ci=@@gYfC*oHL)*M)0vQ}Ky5&OOo6ihF0XdN&r`OgEtVf==9@TnYW zaN6jAFPP$u{q1r5M%yA&Vc`wf zY1l0&b)+>4*pucE+T3rT$*W_iqlkQVD5Eh`QBSvm-H_ zz(P#?(x0261)n!>)&y-@u4_J*uHqvraXu zC0B7db{InbA`(XBH(+$LmTdE;XxX#{+qXH6p2TXB>w!v*I5S6y=GcP4RSUsYU7qz4 zPHlP;CVzGZ2JLto$^+G#fS&rgS=^Vygi~6eb&FPL$$YgqX&UR7ym>PDvKiZ|c`LMO zu^yU}4_h^FgBGW}j_9+SF`{Wp@?$f!Zq*jenl{G?Q)P9@y(CwbMGL2vr7y+JJ06cI zpWlb!gKowGSqP=qVL02rc?tJY}Mv>i^J9&7i;a$bBLhVpq!UaeZUz|qr+C<@XP zDgts)z|$g;u%e0K*n~K@)SkS;lw7VVyawxE2)$JrAyYLFfgyt$JqBz zj9p#QBoL(|QnwJTn7+uQlz(Vc7?Ku4DHA$GWOYeV5_qw!e%hp~88d;l ze9-it#n)hm!FOOTK}=?`rUnKS2gdE-)iZp|(q<{3?w^{1w!Rw^H^`Mr{NR=lKLYS1%BA!XbZKEcf}!m88O zCCyTxoBQ-?>@?&?EM9ac1`WOuWwQ1NkY-~hmQj!lYQ}QQcsa(cu^r=+lw?ftnf&7v zY)m`7>7{u0`(;?VOQ{qv4GA?VC^Cw3lgH!P-A=<0_9q%B zhNlGN{zjMJ-6eeQyDBW3aRFvuOkQBUh0!GZdE;j>`s1ZcYbh$}k+k=9_H$rR#u6_d8`@~8AuRi|gt_E=DS0hM8Yz6cATab33 zG>S9ZT?(SCtOSLt%QW-wO|_6bN3BKHp|;6&`9PgUW-XgB4)rT259A&}OC3uEZoqo= zZ*x!A^03N;Wmje`uu_y4fd}=FkY+a7oVRIm$}Hz!Y1#7QXN|@Xn0e&#U1x0hsueeT zK$KH#B%9%?%ydW1@0LO+MwB1208$=?T}#`=!$b;j`BH^98I&)~B|n9e|;@R?D~ zGY&kO^o&=Bac4uCt_?n3Z5Lb>ET^^`o30^ymZtX!jHT@;FV%dmX=uK$_caEg`|2FB zCIaTZioi)T*>oJ!|0(2TMrYx5`ZJ!Mv@d#Oq?ySVtGrA2c}5u7jI%Oi{ERT8PAXwW 
z6It<^bXY&^#;i4(^YX6}Eake2I<1fXGd`wf=VN)W#DvSrslxn;8C4bmvg)`hT*|Zv zq124E!=|TgDD<3p(bmdJU+w~<-7z1kYa@`DDn$|FuVnjbC@y2%T*{*ayQbyIpS~pc z-jqE@-jiH2=`&oGdD6_2TDG5-ZinrU!IViSqZ5%O(ll4YQ#NYIAC||oSsxnM6%SZ! zC*?uqsf=okHQ=YTg$CQb>IQE#vW)_w4R4L~yS1y?~Qyt~HT-Ko-HemVZv23WAi`kp*hMhaI zy_iPOWegts{$dOxKN>$TuZY&1&%9*GQ*uAm2Q^?ZOn8SpV+Q{S^Z_l13+6tLXTtB* zpbhOA_Y0eSRpVlsr6pcno3BiU{f4|K%Hv#&b+HnY&cup>`k30zgf)Dwd+~cehZ^wu z|4}Bahwpeu5WvmxsBC32hl$%PxFm_=$y`j8q?sGaoV0jd8ld{Mq>dpn3s)FtUYi%? z<5xjjIE@G(nmIutGf4ZAhAI$~JEdFeUTE941=eZZ3CB+;!lYB$q1_p8AQ8xK?c$wN zyJ5&3Wk{9YiIHt+-nMKa5h z+pv6X(5BVSxb9On3G*O8Md?l0d*tJo|LM)xb(cGF+sUnI)_085xr96qefWUH}mVjSPTAEWce|irHKCMHl9KpHUaGe%fNa zR^#w;#Vr`orZw8NZG(0#&%ztwXL#uN>o9|w|28|{g;Ii7vf?_7SdZms+m?Ab74JGt z2}1IHzlu{@GaqcHwrx7##K{p7UIMKaKa8E*w86TqyP;X@voL{eZl;S8P&M_BHAS9G z!Dr-vZvux@>{PqebJ^} zOPn^Tv9SVlp0R|U#tssbpU2aO?u(ts-|SfgK`9Pu-!yqD!F%MNppEGV0(9Rh#gyk} zp=ZyICT{}8CT=r^O*207D?76RX(|tnTTH9KLy6TA*|M1^-E<@LB=9=~VNa6{rjN&q zyZ;%xgYQ!bamni%Y?T|z@#6ldafoJ%m*A7lyQ4P+X4G{!cDMeDqi$X-PB$uEGjfnD zCTr0h7}mBmT6Jj4dLDw?Dwto^VH5X5oZh-M)@juVt;pMdp2nA07B}pHUi}}YU~WO} ziUNS~Yujy2UG;sfKX52WDG(a4VQsyNii%htZO}??P}YOKw`JdG*|MeiuIIu!k;1R| zUDwYgvcpO#p>5TL6^3HrqBQiG$8`hpyv=_Nna~Xd)_r4}|2DK@fyC6BQdCn@gJsp< zqb3_rL(HPChURG1a@5sUV%hR43^;!-O3UY=qI@wbCY^zKSN|RBj`=GF-1`Wgt7EwO zXYk~Gdt=PL^|<<|hcIf|LM$k+K>4e?;>9tyV|JSQ@_Td8@$$L&wDbaO&A68{?o4eJ zs;g+KSJ&eEx<#0M?a??d8iymdszEKoR8^)?TbV&^bpWD3UB4Z_(+a4HwZ5=gd0x(o zwH4GNU0si5HQ!@do#uiEykCXr-3u^x&?4q}9u~fKDrQ}JG3L~>eD9otxjTK1g`ZWR zY})yld->&js9cWfWy?`nmBI4LZ?HVg&i~Q5 z*s2``WGgb_R*z%n%Z^05>NLC$W}(Ani%`0FKg>VoeDt_$J}sIuOg;Z&?0eG3*yoDV zvC+okFzw;}(Yk6Du07^&=yvl0wo56d{&fxxIPNLb*385;L-&Vw_hOWm>e+3G_8X4B z&zplQ#wdR*bLmHzeEx?xz6beH5NK{(8300$ekAKX~`B-pXhZ&A$!df!pEc zndFz6YNYEjOuq*2&0UDToz`LdrBPX5Pj$DNyhq)8c|CcGJXl$U@9V!rRh5U@r6fO+-`OYX$Q$W8%B}auVe8iG80DbdmXk5!$^+1r^;lW6 z6iX{-;fBj1jM=|6s_JWbub!3?t+JX*RMyf0oN*yGYu6fW*CAkU{seZq@?f-PnB`T? zvHz1(F#M^_s5G=i+t#Boer7f5s^;U`W1qtCN$iUY7ou$HX!7X|_?Y}~<&b@my>l_! 
zcP1*zZbz`+j<{}iCF5Fx^}1||xwB`XYH2n5+fpoF#{5^+vb-#NUAnmeYd$XCu^0OE=!xz-{tX{|^b961rUtRmF4(RU z%^IclJZIWo1TTkwysCW_yd|)+Sm-A zzKZ8(eT2(*>V+;{yQ9aTi!txRmoRyeOD&z|KGR83&^o-V4bQ=$1DOjADAFuWQX9*D z`T{0}=isPq*to<^9g!HYevNORpHk+TNh7fR{%2$2f-;m5z{?lDh(kN2jSIrwXlHEO znVMhOn|Lue7e{Q*_W~as2am=E^UF~o&6Fhzl!wpXz>7E=hwq?S91+@YHyQ)xeNKTk z5tIFMapX2R2Gz5HxN!dCI3k*e7o2l($hK(vt`AJ7of*Mbs)s?u4$a>x}r3d>d$hp7{y11b@K!IE3kHIwl)0 zZdXUXVYWB(E!Ty)N07@>!xoj57DoQbL(L*?D9dSZ;blLb(9MPo{_M0{g zFU-G`d^HI#&76hHcIbnCJ^G;A4i{q92NN-M>Qp>KrQq;^yW)PnyaUr9uWGiKHT_P!GW=NV!18Ll2H}b< zWw}6=KX1S|Oe&*LBtMidd=z6lXb_)u8qm7-JLA}=STAh*`FC~3#i!oMdYXurXUxQ< z!`T$mty9Om+;#3X_(@V!(rRWg(`mE0hgA)fFn94S!T`ZA-^V=KC|Y^g}_|o zSXQIt$*swJ>HFGzsh_D%OG``5_dLKaq%e&6E)FNkdoc3!Ti~nugPAmAa9e3N+}DE! z`XNQ7{Z9anGx}T5it*$NrF%czm(3>-Ovrsh;GxMWAAHW5ic5Byh@sPFW5GOX#Z%72 z03ulsW-xH*o_KQd>v(PILY#g0mNY|U2JeHrO6Owsf?2F^zEkl84r?!$hNfovG#`nA zglYkpe6*rP_w0`yC+><#47VuCA(nJ?`@x@*6 z$`kv6C1slzGnaBN<$+yX$aW_%B8bZ>-?s0v4n5T|+nvH#;~HML0QcP(;OHaU8lk80 z8?wBqFXhP$!Z9vQuhjUD?!=>S8iQb5a+gYAQqTlD4#z&9%)=K_IIsuqSU8v9H5cV& zUaSzE;=CXX3Y@e4#}7 zIQ3hFRs~rEVe=Wu@2$;x*bx%!&}70Kx}tMihP6`&N*CfIznGn=1opsT*!}S_7`tFE zY}c6#)NyN!9Pl_^e$6qn7re6Duy@aM@EVy_AS1A3*Eb!zo@JD;Hkf`6hF{VXw>@+K zx-k#Z^d(%f1VPV>^K0h*O6w#j%I_6=?095WbncFRA1y!yJCFe0tC)+AscHHIAMK5w z)1DpdF#4{BmV^!XJ*!S94V3>f8hGtG6o1W4xg%d|~h z2{glo{F(%7f`-crnAM{*Ixsp7#K{uU z)JNr41N8QwozeeqS75>D?WxTUz>a;d#IcvHk3m}td<5Vr!z&sAAe5Lqsf@WSd5rbz zlV_+ZnsyYPlNF4GqiJRt)gM9903N|tJRnJ_Ej8*jpZl|Wu~)A>ao6Gy123L{GdG=s z1<`gGz2TFX!2GLH!o~Mt@4jbXO2=(5*uD&RzfRr|K)SEtqMm!a#8V?D^~q>y2K zn1xKdwD?Pt4Hn(MJ9=O6DtSv9D*Mu;NqBt2p6JkNd+fgP(|Bb{EI{iQ-hqAkU4UsF zcErf&a@;wcyhh;_g;Q}szrAr^1(}q2E?w|3x^?cs`*Iga2cck7`LxQGJxPLC@vY65 zNPXNW4CJ$UR7lk~gmroMjDCx6^{MN(B(hOMoXX3;3J>v)C>AvgV8F=SP-o)Ruoz=? 
zX~jhIl)tA-)8ouEppP%d$iDs1yI)`Q?%4-@|LWj~v*+Qs4K|=A*A0EgK1CIb%*TrK zqb)Fee_;Jlo1qhXZ4`CI0T15+>zLl?-FJQT8}%ASym&FTPEfmGIkW;&GZ8c>CT7m% zGI(>sQ%wI!9Lw-M`fZ4QefnbG`xjCuXwg19E`@<+LI@lbM~c7IO^MIQW(VQ0ab-BE zSAX>B+Xww`uE53u7S^81;u3Un)QqKtXi?JFVIj$KUPrxwhZinU{+*A|C7d@G!> z{m{2}SM(n?2|G{z8@8p2r7f4ufGJy1vwAFU5MH-5cxo?u9>1 zqGox)K=@s|qWjECv2&jbFg;|LD^F#Zp6Ju3Cw88=GhV)65Yy|5gINC<(-(dF^uva| zjz)0PgE(xRuGs(Yr(yoFz0rUDUKsK6NKE+Kb}S3Eakh=-(EC}P>r0_Su*q5Lpwj@L zOQ-G#b17^;Xg6TLov@wS+=(|I3%hnk-;XcFpL+cbZ%A|#=!u#VnefQN;$tn2%I0c~ zMJ65-$ZNn+ZW0Ybn)L;yld>+^9>v5YXT8I4`PmMx9M%WDdym2k!!E?p?R((hCvQYz zOh41keTPrLPA^@69mBpj{J|SddDri=F*fRR66$Vz3@a)e|@mQU*Eu66P{)sAIBKhXZPNHn9j!7|FN&A=~6(G?_`ll zlo;TU;-D!$EJG2W3#7A}y{6_Qz(?LBoINIq;|}UbVIl2aE~D#C?R?NvxIH=+{d@LBuU^c{u?gJt$PrjCw;uL;{B}6UZea4g@kmh_G)~7&Ul)rD^psOh!NnI}j75tUnQ+=1$|0CKa+Q!- z<&!rKWk*xv_#qvL%q-@PV|xo1tUnFIW}T1i7@ss<%{8(N~?|5S9JXXo=eFN#&4tAsJ9wYk>zlj9Gcg&PNnC@oASx zB%~q9?WCHbR?8Q)3_n3&4ZU#eFLR=Hrz9yP)J>S|+dY3CAsB zVBRBuX^Yl)+X1$ZzBBKdjnd!;FxqR1KRsqfbM>`QDx#JzurnK)(PEP&;JI4uoM!#e zLZpVPPN+Dv@JrJKrE!|$8(D95M2$a+R~buKs`#=F&1@b^3&!L!kus4$f=#CBw4Xn; z2k!3jIQ}}2>9EdOnM_u@VQTJqJ?oogmzBsonH?#OAm+>3NK9GeGfiuj{b$^K(y~Lj z@hGTN7V?T|9}4t%r&obKg`H}Ib;iu|qJR;vGY#gzluE6p_A}F`X`w0&ZC|a8$3iL~ zdQS`WueSyU~ntm1rOdoLPq#L=jDRgOH}1rV>1Si34UfmdQ;xzGZfqhMAG^$H zewz8(@&&8YOABY`V07kFi-^o2A`&S4^d*6%?J|gYPx~WungmQyid(u#~m8~I^*#D4C7{8j8|b4zd%3U z2~eM`e|Gq^znt+%SkMB|KJLtuM%1MNr|nm9<^~&Mzy@1j!;LmX|D)&Oq{DU~52OhY z^0N}$n1<>_ZU6z02Ezmt5)MjJE-1~sF!dooW&P{Z%sFS7m@DQ*bMWHk>Nz3N9iYxtFAGn%A? zU_+fLUNa!AFpR|TnfRM8s@}|Y)#Pl|yYlNZPp0p&oJvFQC@y_U@G2fhYbF?0@lLWHQl5L_6nB=DzL-*N`E+ITK442NFi}ycz2cOKGiH|?I6GwF*XlYKh1f@kV_)&a? 
z>py!n&+LISW}b!-9_=J*?l!FvS)4Q>_&wIX*5<2)yAB1Acuv*~tu#MLi+2bvoOvF0 z%t*mo`FsB>m+;T*hefx|FH<5&} zlzAfs;wd=%wVD9GB1yAZQD7(?EfCP$(e~}zo991yp$ngK;tBF(xD!P8_J1y(Dj(JnzOtt8{J`1!4$$}1XPp~cIJ<9hK(-+h@rlHneQV~=Z zk$6z!!UmiQy!Qj;`>>i?^I6nKS4Kbf$?MnOR^^lD=i7@stkW`SghmYPvK%7(d1(@F zY}#;Wh)6>r1{)Mfo}n_{RV|zw1(110n@l!$h;046F9Z1H9TxP4n+M``SeLBB(r+Wij!yzIfXsp&W6LHuJi zNZPi5SqUl2`Nm)I`zndq(EDcSg5S*^ApD;1H2=+%ucH+|e_U^BCDn!6RNsv-%s(j5 z8YR;NY!_*{RKN`1=bPon?YMRlal#aYpABfD{;6401&T@SEey<8NnTM^bs1jZkGKwh zL>g898I*VH7%xl%#rPdlJiCUM23!U3KRE7%7(WF2WhAr1AsXw`Rl@wPsdx@A-CObd zsxF1of+oF_YWPi?#2nPDdncrG1>nUHa{|j}qHeC63NvJs|K=ZIb1uD=Vlr;WTxc)n?ACtD2SQTlVLPY$|gSuwa7#tU{ zTk-p`D_)6cuDKJKjkk2NjLsJQIrQT}*8&x&Km{t$>XYWb=SeWVGSWE^7C~K$Hl4_U zr|mun`Z|jt@5a%BN-6jRYpoWIPZe<@e$%{c-YZan3RIv1{pV>#?f&2C^hG*Fj{md) zpG$??wYBrDX4<%j_wbMLJ<gKoGIdnpqW803&tnD8fVU%*P8Ke2+!Tm%$FTL5PL4l|xeD0&0A6 z<`(F8Bds28WHmyY<_YYxSugCqZ3n~~CI)b+d9PUi#&`cCTGh4&TD|^{PknT5C57DO zT^$CWWVirhzqas?O`9?-qt-I$dEeGCM?PFP-hbO+MizaaCdfwxkS|by))4&?kk=v!C?-o7Tloo4WTfD?;UPV6!dHq_|JbBGCe7hotj_XjP*B({cZX!w`=>$0X8w=An zY0fazd;L4Uup@V32j;%JO(`IM3HvH2G-v#>ph*py}7(Dg+Buba((Du!D@W}DQ z5IR0vRU7;LgeK3Q7hUtyATR!SXHf=S)+?cq*M2qHYsrS|L>Tim@aBN#f_UvxXq&AA z;4ubm{;%c9K`|VE)l+y1RG z&a_hU&H5O*;RybDSDfziMqu#VW#TRwgt;>rG{<@ss6Yi;D=4z$+9`t01P*Af+fLH> zgae%;%O~+sf}|jctXIohg$=}h?<=R{ICBJB0%+74WR zZq8+38rrnj92LrT&#!#&*$dwA``#I->N_6AxN9@#2c~5!lLplj|t0fj-dPrS`mJY zHog+dMrr80XdO_b!m9ZFktk?gqLx|5gX$9m&y$&CMg^QU^*}#C`O~8DeOQeStXG1vv8~; z#*;SZ>I$fuMJCg~g3wLzbhVP&_ zQNpw+h&-Z=oiuQi2ng6ZfSkXYhmFm_^NEo0%jHB%MdJy{AVEM2(9~>HkKKkofHFQyEVvy*hTn<>RB&}9 zsRW4c`)JJfJqnC4N+o@%i|jHVN}_q#n(+%(DO6cMz7G3gUTxN)PEyn9P<+|A z&V;WLI5GV)FUh|PU6N>Ia9WtH9YA%Ir}4rVM32RU+&4!0#y%a*v87odUNHAfm;x23 zKx--a2?8FK&@6#d$MspECR9)}m3AL~iUqUwz>uqlq3<&<8?eg|PQoBQ?lGVhAW%zD zgRb}Lj7F}L#iRjS4y}JLqz0dcpBCuy1>#x8>}{Sl$4Pn~g#n>hfG^Ein!PY4%u_hnfW0B^CLHi1cWqv>E`BO zj<7+C)yZGkSlbVC1ZIJ&%FMbj$}FuI9p>Rj^|T_GhpuBV;e{j7jrTMgMuV6-ic|;9 z3qb>qacB!kzX*<-H02UbQm(O1vqq5E($G~>)|u+uVqN9IJ+DCj3$5(lFC|$qs&j(1 
z0eRMMd_V~Wit-ErPvrF+VBT1FtkCAOg;g(OOp%XSr zufwP|BXH9q7q6YkaIM;+b*pyh)NUP|JT-x^{AP?EeFyG2bv?9h+YW6Q-=C)ufQUqn z`#Mf-(+X|dw8VO?I^g)JgeGeJ(dXA=6ys^zsukL`*%`N#r=@lxthf%t+OJi`JYb1StnkESu-xd=0oqqf{L3leDqDISbPgc48IOHpV9)YTem=)*6ZMe zsj=1Ke0~Q;w`qnJEn8rnb=F1ekvHNqR&T`}Lm2-$Xw|9>hTrzNIpjxY2`3y0pO^%? zMu4pV_`e0d3eb&$PP{f&f;?#ibsg$$qz=hw^!dbmHhw+>()tTjpaQMk6y!YA)_sqv z+GVKE)L~iGGAysFL1k4M^ImuiJqK-u>Y8=2{`sL zOT&Ke0(`K2ITkPE^C@Ry-sM;0-KrV5cBg$2-cic<7h!JM^@#S}2{(T7E^avLSqy!Z z>6XvM{7FOb%&|9OX7x;5H}+z5zO@u(%um@Jdr?DAqpGHw`Cf*qWlK;~^(?L**A4en ze2$8#7Xag~!qdxV;Tp!bW!uUZ|_W@~T>V%X+G+szN0{YieqY$3%y%|E9{b{PDzU z#pzLq1T-%KODmsQo_r8#@&a~AcbPWEypfnRfG-=YKm{t$T1)K9Ip2q-M%U$P%?vsn z9-hN|OnLqjJT|5ex_9e_VHbUbk6wHoUwl3t&*5AgHCVuq13LA=`qcjAuis+Kxv*cH zhBChb(_U~e?x^jE5e|Zid$4=Y-ssxB3wrKw1!guVh?xOr;+SnSv>7Z!u3R4$QWdY` zh43#pXoz-C)TUZPaB11IIKZBa=RW=zmk#cR?!9`V&+xxv#*Ak$?bX-uOzvzPJ4`N# z9K0?)v0>!#yUU_c`?q-o-Oy#g6F9tQN9;UlTRc&ADTaPA9j|=+5v~~24ZXW{M(-h) zM#;c2q3A8q{j4K;t8(c|@+m{O}L2a95-so(M*`_`|Se@073kZ{+O~EtPxj1$w zIb=L@XuHigEUO#3Zu~fo?%E5xOx_+3lwXAHLQPlA$}wfIRp9Qk4I&-L-r&9w#eY|i zG<+;FgUN(#4ZaHS4URXYU^IED`R255OWBf1$CsFq-&Eohs6Yk!&l3SA3=;-uT!NxU z6J0Y~5{stb`961I-h#O(EnR>G3nt)fJdY_AH2XELo`9rxG6W6B=KBP}WQV~R6+Veq zUw;EHM5D2NdriT74S(I~IgFe_O}1=47EC$={Rw_Pp(WuZ4Xy~-koBoZI?!;WOIWcy z*9_$9=+S@xC=hgT0PdVWA9Lr=!NU3TFt_}19MXwEO6^yN_FIg`Z77!F)I0HvoUS?D@O54zy+Cslu?IJtZn`gT7H(^Wp!vBx~> z66tq-(Dk>(Rhwuoyw2et>L_pB@{S60WdiL4gXic9YgP zhMKa-{;hpYY-*V7=vXjqGF)o7VGx6x7k0)DBLYmQ=!BusCAeoAHBjQhms6g@$9gZM z78-WMPCL7}^r$Nkj@lNTZ4aRnq85G8t7C|4eLbQ@rIoOF7!X>!%jT{9A zP(JkqS_(OWu%;i@o3e!!x8dOK2jZ^JJ#2gat2lF`MX0d0!3f3ons!^KK=|}_S{r9! 
zssU}*3Bg>`8zqD?tfR1WeC7lWa*<1IUz_v_oQa8@2V$gq8Sa|y!O!v1JG7Fl zid(T)&pmPXq5#`m@I1zCJRjwy5^NG++79NQ0!fqy-n=%yx+H(R;>xjojnK=n9Vig> zUBbzPVHuck7FD$#s_N=c$5K|+=dh$+rJ(7unp7DrVMQ@28i*>FDppp6HcHYIsH$+O z$)rZPXNn+}uEoOsOx*91THH_a!{N^`bf$32%u z7%`|Vs`)&KG`yKZ=RqUkT|60`{(dIrAJ-dwd#{g?6KgSms-j1bmR8$-@K9`w9vC^e z1AH%m<++V<(z)e0x^Ex!-*5o>9Q$lTKTc~>A!_}ljG29%!oasQYou|_ACx=*A53haSNiO`=Iaoz0q&@D;P2HLTu!f;PA`O#ey*#pf~d~VzSNr zXc}h?fjNOXkNNL<7%n+8hpUG7MgRVT@ydv+aL{_4aPZ?dqUyLl*s#||=s#=f!p3tnF64*Wkhw6}uu4ezFgDRF?(?dJqh%3%T z`BDAQufO8E1T!gMsygk7@n=W4Vie2YcQ-sg{7M|wjlG@k2T?VuJ>mlEjpC61Y`C(l zC|G@AeXQjFENbw8{Xa?*ceHEp(s~b-bs1uKi0W*H--RyX1qoSN9|EJvGrxyczDm*r zL?g|Ump^LDPBPbi{RU-n>r+?~-1)vsQ;>05%$kK_N>Q0;ah&qd=}O7R#|n@P)fAw} z)^APkR26A)K?aUf#P5=MXq$iSX0efIV3#_3Ie&b zN1xfS-68~j&bT?EgwL*@K+bCb9bpXnhlGG-%Y{@&@MGE3kC->PQnWf(X$N)@^C8U8 zte_-{8Gjx7zR^;hV)ifgGpiP^#k{b522q$#zRofy`G*)$#Gc5yiHNMKEgiBU%SLn9 zHU6k6mZtp7kInE(J7t6+12cb`O6m}=v`Lsltz3QGee+!OnKTr$FC1!IK3Y|z?F9nX zrWRtU&D8ao0XQ!6<%JmIcZBoAt9bL$T^Y`07`B1(-9W!)t6^c~Tjg1nU-+nciq}7A zm%2-`jq&=XjnrZW=lP0EtNg2~AU32bay2Q`LJ5nyt}9cKzxiFhFwN_RCB1O(Y=($GW@+BaQLCyQ>mnJREXV=0d z!dQZ^C&2VF2t7Xgyz(0P8Q58B!M=|S z?@MvAtP%#0JzvYX5-baa3*&RBIU^u=6KGuuqktkIVqOEro1+j2sA&1@tF8c2(2bbC@K~;yYO2J-vZuqSQfJgjzk4n zg(S>N(g}0qXQFl)Rg}#{We615ks(px1*R+wDAjqZ$=w$;W z36L2oV!l?85-5stCGfO5)=!aV2~65pi`XE*ltv$EffCd78K=&r$dUi~5o^Tk$6CN7 zcTtZ0KWnrbbp!=aKJ`QvgoH)N^w_5fP@2juVL;v3%zg=MrcH2&_ukR!TID}y${ERm zU^ppH8gkV9bSYd^2l?5cQ8PpOH2srh(pJ0zaN&wsI7D!c>rcw4ZT#7)Gv!X(LxdD+ zIe#OZ^~r2}Fymv){A30``Q$Df+CHEqq?Nd|*jZ=BrA$!gSLP|jyiu5hI=Lxfa6mI| zlxHb}x~Iiyt4o%~PpJhfexpb#ZZ;4NG}F$ae^G^1SV_?MhmdsjNm{$Z4CKfV4$V4A z;YeUFM$~hfO_C_uLrFeGNpoq!zEx`>I z+P+VK)$~lc9mMa(6t_L?m4L&E!fMsJp3v&csN7E5Cl~R_5tdUr7X%(){#R$V%v;Bb2{wS*@ zVp&~T8A^}&l2<{iXqA>QPh)|)CkZ8-F%}8KX{x17fv5fXSy}_C5v>aO)r|!dXe=&+ z9LuFWePlsIAAx#vq@+W-qttnidB;_O>Ht)#7tuT<4lE>#ZC2L5=a%pC1phb(gLTU8!=}~CJf?&;&EDJ4xc9b!e%J|yM;Fl_w z8ju7)UV5_;Oqmi|38(T(!zciKf&M*7yA-_qxc}v8MW4K8#5uCWP5%n<g&z#1l{QOkE8Ys?0QhyziUanVATyMdB~ 
z&`{j4sThS4@knLMvTQcvGg`h}Ni3;jm&EyKaOvvcBc?#8(VjcfZkfK3JQ98^t3%B2 zwKoszjOnri8;^sY={>W55Bqf@bd2Ch5JdI9Lu*2LG20tBj7v&elthwgdMu~hT8x}v z&pOlW9l4JjP03_jmG$sGoR6_vtb;?g>B;(H{`roS);#^Hhjbs?P7vn>RDNOA`TWEFcRAqKVO{fW{UJV8Id+ zHELo3J77y<{HK~D+F3pk{8*SO$Det}iIrq(5hGlkH zSQeJ$p5-w!uiSUoVOq!`wCepN>t&iUba|bE3DYCPQM|@_ z%X4YAY&X7R}YOyo)MfWOP=@WQ3*qW7Zn}8kF5U9CwYa!zzo@it_yxyax0GbK^r_g>q?Xw z2No@ke*0tYO#%KmK>j7(FCkIf5*VeyTYifp&h3Z^Z(NQZ3RBjIwD2~Ds7L-;P7hE5cvqT#eGjzsHe3XpIMEUxn^0BxZ66o5SkpqBJZl>cpmyJV=Db zrO7g;(Ocq-EdLXwdokLl{B3wlG^a6qaZx-iXZ~-LgNiT>6j~}G0sSC}ux#_XhD*qD z)@T@!o!lmHc^?tFA%t@oJS z_xQXNl$I@~HliHVURXc>HizUDuQ!(RJJTvpfm$(IdRPknm)Ulhbx0efT$!ZAQe3(B zX}D4N83xoCtoFY$f)BfQ)Je%Kp)ln0lLDx~SN!ab%OCw6=Kppa7V=m4c9Eyni(bXZ zGf6HZ%R;3I3#K5*&BJ>%j#c-YP7f1Zz9DB_YdF*D;7gwK&2<$?CC!Y*=cn{Xb(Zhv z_mpw5@G1EaO&pZTS;l|00%b^)4=oWDVx8Bjb9$~KSVe(S@~RvZu9kjMC$W5VaTb(H z|1-Eg!2SsSs6W{xG`d~qEu8;!5Z^^je6C6=Fkbg zUw2uwY-p@IGn%dYM)PhwSE@;k^WPQ17)Kcc}m|PgL zLV2&A_s!seFf4}_t$yoM;h5`cftzWo8vHC4+9a3nRXC1XA-qrNisa+a=+$8+L-C$K!yw}%d~+=dOX=c0 zii6(G=jCoPBcFKQq-hC$uNp`$3@RkOB;F5z~#mA^(#|b;j$TVwEpOR^gZ%oTy=O1C2Te( zFP&yAlq559D&ug%W!K|d-@X(>`>5Hac2bb#tbw_xrqQ*q)$x8sOI@5J0!uRv!O_7m@A z^T*TZfHb`Fky!Yvaah3Skk;vl(aP|!0Jop}7YtfdX?obxiw5DZ=ih;4Y?sF7T#L8+ zGyF_|)coIJ-YwchU^&JeJ`llEij%DBXOSIn7)H)_kexLT-5zCJ%0}X-KTgIJTIpF# z#?z1miCFDSAz% zlFO#>!RU8z+7**24_fuJuEP95Y};gMpO@W%_kJ;!%8V@nzd!yIjK=_}FNGs(O-&F& zO>B#njWp{BO-r_B`Dxq^7CQ=P(`^wnImyfG><4Tbk;u(3NM947Ncve9Sz6ddw1~q- z#k-h4=NmYn8=Es9jl$8gcG;9lbiWC+NV@XcsiQ>3jGAY$#iQ_THKW`l+|nEHD&G<3 z?+|PSEPWAAzy2m}=+TOnIh(EBe}Xx${SD79rdB*+3~o9#4o{OJMEZ4CWjIToz+(a5J%G(`H;(;J`7Zjs^&u9@M|k*cxbb8v zEj8if3i7I%45djeF`i?>jT?zFG`>j5vL?M2Efr?emh2}jhC`A~z+JEe?;UX<_Q7-v?eaGaS{N92M7Des`lglK zIMVUlL?TSXmEE4k*^4u@e6z?d8iT`Sccr;`{sKv=7e1!0zGrUCb%Rher9Nuyp!Fyw7 z(@4@{4?K;fW$UGLf1HyTfl<>bc*gsqNmKB~*L$L~TvO8K`imEvPLmYtw5NC)D^41O z%8>Cjo!Iir^D}bWShQT2(Jab&W64{R-=UyZ{T9GhC^Z^PL`y`y(EAULvAJ>n2 zA7{vNCb>GN@E(n*Vc1zs^QGkzbGqa5SEe8_fW)cZ@a|9Jtn$0ipJb|bfyUBkrk;j8 
zLQ8@=U2)ayXW(s+)v5abX@EVVcSK5V^nj)}R$rWI=13ulpRXcAmn?!96%t<6oDI!eJMBJdq4H#Ncn1YD|JQfaKTcljX1%$LU&MhtA0bYD`*pUJnen>r zY#s`p+)Pvk|06kR5h4;_T>f_lB?(%p>M#{q@l%$zOY780h=@a?)G`OMVzg|5$XcXq z1`jeZ`mMu^1Jyxj{JEJJ!QWa&Ahdww*2s~)Ij4~MzpLNosyVMW83iXLAVm^m7`n#4 z3axifRigHY^ZW%A-T=Hc_GX-BR?GxeJF9qS5wG%n{8!C$aZi~Lx?uFD@MDQ&7zbT9 zAu7&{kE8VQB-0mH3xt1iP3bB5@DoleUibJ+7*})fw^p`P3UtjLE%z{aUF*n4?Q8aE zUdO8JS0#*LWx+MCLJ{7C)n+)M}!V_Lwx*n5VaZl?U5feUx*AM`_>q_TLDc@@(E2&A{mO4mW1t? zu%x-PcY$dA(z~C>qA#_kHJdUdNi%9hTuH%*GObJsGK^9@ z&{k;)RI!Cp;+2r-!y%qpCN=J+%^3MW8o{)$EG#T`NQeT+Va0J5JvuqK@A4CA0IWb$ zzX&FbRj*y0>$+_Mz4MuG&$slPniCKFiu&LyY`dJlGNi_TI#M((l=v=cvIGFT%aM2+V`(fGB)b)*6 zvD-z*t68&!FVsc^@>)BA)`bqRN4xg;BJIJ^_;htrXbo&B10De_d-ZUt<5Iu3vKJ#U;isu|uQd4P{bF-$qtZE9diUM1~@U@PzCQs=;?dz!P+L%CA zw0WNIta4Jc$YUgCtzi?OnsLyitQEm(vz?dDr%B}1W<-qMp%oxKtPZ}S_Kcey=TlCC zu_Kguyso8yzw}o!v*PAnP0mvOX$RM8DzHpEz{+5yQDW6WH8b0x-S1GzQPEKmYnbJi z!3xGhb8oZeoYuYP?ffkzr}TXp#+%{loYoiD zSI>CrdC9{(&ub~BQJ*U_YmBT?Y{lul+S5`BOEOV7ioc#UzttM^coXHBraY^7-&e|C z#!q{6N`B^E-j~WSR=mCfD^0r7Oux2J(|aS?s+G3NTgBg6ufN(nSM8{STPuvRoy2sm zV)_-&YKQS=dX0=E8!#-EnHByD)0))o1Rk5eidT&9Q+l-K|Cc`VkMU5xO3n<~$VG{* z;(Nc!t~T*ptC3v{Bc*gQZhBTS{>o$ivD~fIzN7q<43#hXR64@)70O(3Qry(1r1=us z=2P#FYr^=Y(K@sH2E9JBUAF5xHugOp5li@Muy~>XAx+2Z`Lz!wXUBS3@`PvRNcFT842|L6_Cu+TE4$t46WuC1(aPOl>*F2TWQz@=w*r zPw+R>Cm)HmO?wUVX@I5<Kz(gdH=XnyT-uN5%cJG)R6YfX9s zM>TW5 zFbH3NDll`p1LE5Nvh z`Ls=Af)$kVWH{|&JDbW@>=u#S83tvb=CDSDX?FEaXloXj)7E!sZQd*?@E$1+4WaG8 z95Bm2^U$)_+RR!?s+eJD^h8^Rpp`|n@28nj%}jOEECZ@}SzdQKh3VrxDdw}wG&@YA zF&FsEPR<^DK0tA`=s~Vi1{yu%{tD$~{}OzRQxFp@K1G zg|AdmQ@z-Mj}BfZGs8W>GLd1KH+xkpJ0u&*u~oc{sSj%H8*fFfF6o-tSfqi7p4uF! zTr?>%UIin_VlQ`%tFh%G7ZQ>Rj);oHTfO*poY6Xoz1uk0qje1X?$jFlv`ylM>9kC! 
z08-TqftIvU6fAr!Z|0ncNfvfCBSLXeo#A;_#H@&j?-OaRCNb!KW67}s$$BxCP&IRc z6?d&F17)w>qOx+!Xo+8uE)|Zf$}}xF&!YvOP4RiYU$!_2C(y7ca@ShfJMz`1!VVN; zVUf(zDQR|EMtsg?jY#uTQ^2& zD}I#j zt09=l0_s!oC?C9KV=?H+u~;bC8LK-~v?9qAk`M4ydGQuW*#V+J!5{XSIQ| zmnHG?9!;^xQ2vZMs`x{DlxB=|D@$A!t-gs&X{}NoFJBqQ*V>j~*b8wZ;}jz%1+6^F z25T55!>`un$0|pnXvRY=7AlKsR!(LKtuk7#306$TyOMIuGLBxh%E(=1&QI~+J)uR- zG>|yWz64Bz+>dD$GNz4RX${k|=4UktIYn8SRa2MViqnrAgM};~BH&Dh@nin4&8{^q zzbYCL)m2O#ynQAJzbU5Ec?^gU`ENiBvnPyyQXsAwA znS5XzGMcDJxiAmX$`9pX@HDP#b2*-2aBGsxe_rz_uYmEADdkBR;Dmh zOa+*QQtQB|f~U#sBGm*f$T*+NE**>0jvtLB{H={jw9J6VcZ(=8v`j@>Qal>cRK>U% zONAB3@si9alA~9wSn^5{(?h~$1*1{JIPo5}TN#He$w-|a8OB+g`1*`Pk`|O)Fat6q*Sqi`e74s+nH1qt?=UG5DCfcR9v!h&8E*PKZ=L;3zoc9 z4wUbztQjguhvio!Cq1#t0#j&Ee4j6G!>d+sQ629JHhGr z-P0~Ez5IDL7HM24XZXCxOnIS-rU3}d3{$6fj^L+dm}tK640yKgsi z{r4g)lr_X_mAM_!WkFYGWF^sx%%*9{R+4;@SVMuzhnpthdNRHEj3-~2EGE5c?`!bn z3nQ=(!;t^Inu6DCR!8JOi%)S$Q`5@IXAP!>NDEw*oA;{un~t%lt1>fVDpVQBKWSE0 zC!0i-tj#z{S=J%1ONsfi7L#l#q~$8%{XDPbhSj$q5;JSxGYu6~0o7g+<&dD|EfQtR zLGBr-SVMq0~sRx$hx^C&|i*D9fD5*ELj-SpLrrI^`1sx*0K zeAXVVSILpzkl^ z%`i@K1y-_fRk>1xOe)i|mT6H-N9n9&TB;e(3g(-aC}Db3`S~UWrT&X*mh-AO^N#nV zSSB>eLMq;;tQ@9Q>G#tNM)H%C7PV%jSrUvF7%a)=wq}#X=}wP7+R|V3y+9i_oZ23N5;J9ps2g z$T#UP9gTC^w?U8g33T7-I6Sa8jX2MJ_k_`S`1%BTwQI+tHGcLyTN_M4+ut&tMA%WlJ29pdQCckjRRm3X^om@WC3O}F0a=!R(3_fu*9=x^{2Q zJGH}4o|m;lOLxhgIB%!c=-EDro~@6@qsyq!)Ta{rJATrx1P8R|(b2_?)8=Es(4XL~ zw@2XQ?~KDzmMu3$uw*pOI{s*!`;D9M_M6w>#I~2?AFPx{@iU91l$P9i7<#vD zg`RDTan8LTvT~BnmyW}C`R>xTtNw; zJO<}?Qc=$t=4&U5=Lw(bIa@mS42K z&tY16GEMt^{l|ER@>Xle`|xg@#dF;{B^kf(;Ndb_{3L!SF%7?NTY~O8CvYHTf5Xc( zcF>yji18@917{vLn&tdX%5^OMG%SvuEYm8pH@-;Ao~_k****BK@@MBHy0tqR4=pJ% zhSSnN9EZ|Qj5FVP_PtA~T-7@0j?M@F5zkN2FyKlm4F^Rm8`W%`Ns-Bg#M_Lr+mVkV zl6mi)idlc+EcZM*wC3UBpj}u-+h{Ke8fR4G9(gWF;~?BinsPJ71vTncK$DZaI{$Q- z4oMn{Qev`N)-ur_uT0?MjEhg!vb4N$15Vl5!2vtBVTE^a;5W)~?o-#GXl)tp_~Aqx zJUfFI{*%VbuYDKKTrdu=r_@s)~28rT}$`bsqGLDZb zX_e3l`lyNuhl=4VSuwA_gZ6g@nDM{s@Xke(aOkT(W`3N(%ddYAPhWC3URx8#|0;kF 
zaTgE9rS-STm2+h>?DNBn3#RpUno00{;+4H+kB~0P)=zwCT-zkUQJluVt2BLDK1`VY zTj`|)zhmCzHr8o-UvPy15bNYxBhkc#j5$?fVo{@|Msoh<$c~~ zoO*&(ATaXeih-9fSB}HhC1IBvfnBaQyS9qii6lxosT0czMcCY)E-9a%&TUhUIafZa z4?Ya8Z@5?&#kXMM%BMln+JePvmGS_c0+QSOi^3LRbfUKk347bJAI{|ua}){Dn@BFt zjpF$MDZ6aI(+^Y0<*+mS6c)oy!ui;!a~iIT8NGA)R64t6QwFOD!ZEl!&5_E@g#z-1N`uwr6Hjedz4RZpgH?H%W zz0K4c#LqetFosLK#>00O;8#(u-gJ;X)}XUK$YEl9 zmoXQVa2l`Z5WG!ytTU6OdjXf{LVQkfd4a*_eI&=#-<2cbNTHEnK&(C?aZ(uuj!n@B zeiYBalYy^Yjz89{%lSkKL1jrpntwT(~H;WS!|v_?}yoSVU81DS|@mV z#*box{C=AUdD4la`5Z}l#_Sy*PXCU<99|cWY&H!Q99MLlPDqFd)R8`wE&b#Vm7rkY zkWunA$$Osur-_N=kP|ZwPi-2P50@_5Q34`oXhKZ_lHz0c z!BYiZ>j|Z%fFF)COpI?R#kC%1*lfUrjaOg;C|K8}ccbd)_QYVahxEqf50j3)PJBHF z*s&^B27Yl}-XMV)bxR)lpg}shY~-z;D#4?6t_vG>_cL%e(s%jTmB&Oj%$UzG8M=rf zE>DuyVK>(zq+ezwGl4TG!R8`K;)+af$9OW*P@!p^JzvDRBrb;l!pIIFe5)>@)6{SkHXx3X|?f~FprRJ1Yy#PH%P}$ zItBT?fS)ExSd|Wi^pSiq#e~TreQX)5jP%u@?omSONTwJjoiqXk2M;?kwQ9u+c;E&5 zJ$RplGUC*-ZTrDa`k)yNhecQ;9asWZXHxnHsJZHg;u90cN5q}{PRFLst462<=Xb`6 z$ta5ytcvP6EGp-U*ZQnZ!p_ehtPz*P)Sb{M1qbTZ>=^$?+=|928F}UO$mX*4pGy)ld=}2xp^^ z`Om;_3h`QnpVp;u1}QF1wB|pE58}uZ)*GMbtTL+OrjlId-+mZfdh~By{GH;z62R|OneNoo#x1rB!}E>CZSszTx6Dt#GU9&f=x-M z_Tv3AvYj_B>{KS4&K=6@^z;$Lv)Du~ZIDjfNm8e=`{onUB=nP*Y*~sq7%uU&B4aVKRDqXhY#p2>!P-Vpaef# zj%TA}Y1!s-hN~b&M~zxDgwjPaICNo9rfULdMZhvR&fP&z{p_9BcooHF{h z$Y?y1sj=9I#P}GRE35sBh!epgcpuWsC7Lk70-#~r>m3Wgs!Hnrk~XYt~{x7#Sg zq5Jp516B88>EE8T8bwhQrK@q)hfl^iVI;32D1DvF{g zT^nP|!?xXuSw)+yx%?W@6aHErzq?ye6h-N}1mkjYec?fRq4UTh$s%UOcJnJmj#Lyy zQMxo@$LYftf($&r@h^qOh6Xb1Y2nd(6EB;uD2k$VUC4fmeUFiXp(Bq@tyumXo?Z8j zC>+HH_ro_XyBxon_XDd@x*GF;d587o7Zn$M-ue_pX^x8T{0MWeosCyFr>E3;3VzI> zo+ubnd{nCT#pm(&H5*NgW#l3I;OpP~E^fbRw$&(I4L0!KzU&ek$`7u+?q)UciqZny z_u&8ec6i36bZ{>e9CpMQG4M6KA~&0T%jm=Q$JeHR2Y1}^BddugUq_MMg?u#dO7}!B z%)5uFY~ZhD18-N?vmAX08Tdm-j83g21OHg9d0nu3an6{-49VK6=pNsJY{4-`F71dU+C`x`H_M3%1thj-@c^NQ$$omYO@VjWlAaG>!n9+Xs z6h~ZKSC{6gMn%aYOs=ze>TbY_@(R*+0DK`CKNt1Rwd&Ro-OoKq9C2}7S(M#}Yk&Uq zg<(rB^X~j|nxeuYk;0-PW8lf3E71ck^58V=x8HtgIrHaO8<(ylW$n*#X2N!(MB_z5 
z`*0?HzBVS!ZjxrHUyT(fPsVx0He6hZn$&!h*?@?}${p1bvu{G|_!{b`t(_+*#R;Je_Q3xqbBg9U#q8d>$ra zIxd(SGoB7j-Hb;%361&#y`9pDj>S56doT} zmk9Cu`VU-D5pK(*<0{etZ6CY6cHB;s%rp;T+Hrruq-R}!yc#P%Jq-^^-e}q!r5)<8 zbOGovm|l<;h77zpIgN3r5j?p)NDA$%Cv$-ha`as`KfiV*W?ay>TQe=&yn zx{emt5o6-~&Y9Cb47(Wj-!%qT{_Meww1N2BYqt<%SGCu{(ilc-Gey-{OJoD_(D4I$-_onM)4v=b_C!0DVoLjIL;mx z)`ev4%{XVk01Oa02RHMmn04pejGL!B{Qyi~+FbhSn0^lH$o29Cd3l+C+S%X)^(0C( ze(^J7P#oQd;l&uYa0!-%wr#e*G_@8tUpy1fJTnvHXg}84{gKg8sQ#SR>Js*M?ak)| zx^r$`8?J+u++ZVb^Hd#;>1@dB@57=epTzVMb8#;y;ZgS@+*eI{+<+Ou98MYLr)p4H zVuNw`Q$SIQD=};80xV_=U%eO$rcTOfdMLV|?iikZ=~Y-c$F`?`TtjWkeIs%lmQE+V zZS&MpOb_|Jz7&+gizzQB zpLvr;F_y58!P7IDF(%Ts3YL>e!G! zRE6KtUlo_JwhpUkM11z}Y{$nQV>%AwWP1-OE4!C$M?j`%7#_*<@=o#%8aC{# zwsFnT(9nQ)-+ebEjg33-z6+o5JsKgb#oC8w;#k(NxEFtZ<{8X7@jx7SAjyfdXtecb z+*`W?jmOT!g(uj2?^C$h^ygy2K%0KWJe;qMJ3cfAE~Ds^N27%2=1;aGYli323o1};=j`VMS$IBvJmz8)jt(viMBPisd8J;y zs4OT)`HCzf{Rq+hOt;IsIN^K0!p@(}Gi~SEHmPs8S z%avgX9$FXH@eipeC3O&X&&Mz8>QEQRB1}2l##>B`8~J2~ zC49jUMHy%ikCP{#N2TXRbU)MW!r@c#<+3HXY(8IZTpKpumrgzNe5_vkD?GTm3?Dvq z7)GvMi$~V3#>inqBISGA^Yy`Ymg0)lU&a-WWJ#Ng-i1Ah5{=K0Q_sZt&(~pH;x=+P zC!9a2j3m7alPFySzM1lcu}@Lyq~$+3fvufqZSMA6Zq46EV#H9J=AUcLwup3^utbT*XY2!S z_oCIf;-XVc-JV~If7-ZL9;w3fBS&DUlw&@uW9px}2EVlRk4@{Rm;L)Re*H=cr(Q({ zW$bFKBfq5aBp1r&`+5AYNb>x;)3Xt`>X1H#`8ESzEP`@sYRp$6{jWv_ewW{EEBA-1 zj$k`ZL}xxYJoLg#G4igvTGp3NJqshRxdyAtPRG#HsW@xoHMr=SkvQvAip%Bruru}u z$~zPnUV8;rUu64*OXFPD`T9uNf!?L_BuX^?m0y1vB{Tn)*8OcM?&3O0TJs_LAWYKS zIpO@yWu33jq5ewOrO;S%E3JeNvb&lGa>@_z@`4mD8aWapMQ*}~1(#zib&)0-ph{aL6g`-$CV zSh_sb6*NdF$BG+fco&xDiSB1+JMpm|Yjp{IBXk@%&k&5DEHYxJ@F^de3{3tA^&u12 z{PFSpa(uY2O~$X+JAJf{E*vgLODP%S9K4cYX+SDIAiL;)hxc<+H0eQnYX|fG6}`Ji zl(;m>5*_h$zT_)$``UfwF?_$Y6s1nSx*9X4Oo&O>*8bR0(tQ1uu0fm)52k2jzTFqb zxy``0Xx&vDadBB?$QN+??O(u`J9}=w>24md^4BDtxW8QSujt)HqQs@?%95|d?dzT(QR32cMNxJy&Q^!) 
zH;KdyKXR4-z6peiYuoKa-C70P6 zGW8+hKeqCUq9{t2MeH>F^Si@*5uHtv@n_YFq9{ri#*N^`b$RWdMR$S#9@F&fhr#7T0iqi4e`51E9 zu=D7h7hsnWyp17S9{$T~>Q`e0FI{JYKE>xv1{U4t8R>ekeV-h+-khvnuRz6kij!#( zw-g)^nlgz@k2peUIBzv7N~Yt<(6VwKvM%W&+~>-wzmGx*>xsr(D9)P^9o0K{`X^?4 zilQiO#m*|EUjj!4p2DFi8aL42U6he=JbA%lYXt35Z!<;%Pp-h|-?mGQ6s3Jh+itUbB8}tG)JR(Ldvow%*6??EO{nLK&)C=|01KG}};C4%SLBXithsMFIWL0%Kgf}N(hDl$FO0*WhV;phbm z@T3hZilTHVJTkY&n+-ja@sKr;-9{N`5Ra36!+P=xTxI9IOBPK=oqV^k7?m|uK)E*` zUKgF?rZm630V`~pbl&EXX&SQ5vEQD_3GrJ#-65$Iw0G&@sf>`1zi5UFSXZ2fXw1p1q%0`+3&7*S+qw1}q~pAN(PL z@IY4j;b1!Tfh&L9vYBvWcp;b;NnFfl0;+8fnRqh2n8-N!?qbJQ6(+W~_0$OHAA@#I znTw7ZCeuPf-tC4jzx@Qf6=^ss;?ZKg$qYt+d8`lT>qOcP94&TkKi3DUM^UOLwM0~9 zv>cE!$s+cE-U8N3nq6`c`ob!B(4MCM0IB9`LT2^-+o^a~O`{#YIzz=WpRX)?7B#@i zuH+5JIrduYQHXSp=qVg0)IPyP8$?Z7PLHYA0#`F1a(QA`J-v# zij)2ORcdE_^O~X9BA?7%QWq~9E{Q=3IOYxdNL#)vg3^3B5{i($oG+v&asER>5J>|5 z&kb%H&kEc(4C*(aTji?)i8?kX)h18xubZaYLf>F|aG|O28{CBjJC8{coV`2x+u2u- z^EQ%7ng#f{vddyphoIohs8|~yV=E(7O9&aq*~_pQe9PpIH7$R6Q_7buIyk~d@s+A6 z2?+_~JraIpv~+Dc5`YAW2f<-YS_nS_ei?LXY*f5pE0xRZ4o*>ZH8r(a{I0M<7KVZO^XqT*hOkm|X2}S6K2+xP&-jW@(@rS=Ecgi>=km zZGrg>hVFF|;`HR~vRRbf4%Sde=;haS-_{%5Df4HPREek;6;2EDdy&THfK&jms=*BkAn;B$Jq?i2TznL=CU0QHhb-?5R7 zP-n9}^S;jiEXLSt2P?vcR&TmAxm}+1Kdez_?iXR@`KHxhhpiD?J1M=`Yr`pM;;y); zi`Z}RyCFnv)n-Xg@!I|Os?76M1_R%qTabN>J=cly7fVye_wyM*<$XDQgWvwhqjGsn+j2kIme6Wwa5t+x2eb{0CX z^HqB5J}vmkuCAV|8m3OG(P0gQ`!LQxo8Ij)n11E_MVtJ^f2H3z@vPkzEq~*8Q1Jl> z8m^R|Y{#1Z(!olIUe28iY@m2loa(|{n$p*(c$B2+^m*rKdqHL82d)RGtNVnE*}uGb>^qULap?=#PV90kjU+de)^ zD6EL8&U;_SMWL3WL<5O|`~G%M+t-6GbDPbIw&mM; zNDZTO&8hSygWv(uv&(f+mXk{>+pUE-@k+7S&Bt@7@R3x18O=y@(34yd^;|`l%9H3DTa{Wlfi)@XkiQ0+Bm>L0gh7(twlO>zUgDYvM9pB5!wo6&W2> z1MN$o{k)K!@vLRHFp{1kv+MS(R=yGnrdJ4!>??lj+jY??w`43okCqs?d@d008W?y}G&QSG8zF@5hms!L+;6e<03JIUtbbKmVXg%6rNlcWI z7*X*nsI`B%`ec{?@ZESIB|~}PV;%S>2dn@A^6-^Oop1ZHWo^RbT{BkYW`|{~)hd+V zn}`j9S}I5`JbqJbj4XsAGd$6E8BRM#tUoM2y}1gwZ=b55?rdvu{^{iRQP$-oqUz|L z>W2E}+lpqnP~+|QbeGf~wKCP4MT)Sg=>P$rT4$^tO5?ieG;y64J?Q4KfW99__Vu<` 
zdB*WQ@EzNzkB{TFK2E{TgA*KYdbx~_SVZ@B+DxG-QJW1P4aLO6jyI_Jd&?R?LJi+Y zQUWCcHaPd*jMK7mU2RP-CpR6w-G>*IpV2P0Z7N;l!#XxJlztiEQ4C1b93D=oLb~)&Jz;!X3(Mv3Y{@!f~)p2-}6MHW|A_uK( zd$mgOm(i}^ingj%7Jdh)Hdp@3b^iSwi~O5u7Qp>Plf@{ zi)<2r5!i=c%cVqy>!Kt-`wL^stbK3izZtMh zZhUz!Zz>2^*;-5Bqn3TqizALNOWpEvMB-p<(RVi@HDaS;L)+Cu*b6Z}TECsBUZJAv zAy?1gAZfSKF1x%;thu(tvA09Ckb%JnPc3rhxKh_#eVizf!jU4LD*j=r^}d#5H&XBk zay^DYJ2Ei0ey!fVqMADhf_}ew-AkF7bDP`jm5jtB4L`HmRT8vl8an@XU|B*pjxtwf zc{tl~p&W^~j8_-;>7iu?HM}M69xoCo^?Yw#ymdyg@AZ*56rv^t;V_={e3e$hB6A>s z;Qn1P+2vRb6Kxevg41NaOJhD1JQ+rX;);-OL!-0ORZ1?sFOSg7Q@D8G&h^%FEV>u% zC?&p3w=|9p13}~8*6EhdvdoPPUf^`gpLhqghDp3!it%6LvK{p#87+U~w7CAFYBPE% z1UZO9mPjhR&#aLq@h8yZE3Z_^=*u{JGKTj^i$-wnS^;WzHRbqB`?*UiU0M#Lbdkd# z;ik&#$5pJJ*Xysek*_@YJ#&D%ofmb19eCUr12no`eTs$3wYS<2c76G8OkF;ktTgg!#Kw1$4T~9LVH2v%k`p>($-$ z2l!~KROku@B)kMa#KhZv%-n7qm-q^;=%#Vmys$J+3yf}FND}v=N!bk=h04Xo#V%S4wt&Q6}fCT-dc9&87@aRb*_TrP`@2oxma$-FELV)L>i&q zm%5Xxu)AZkdTnq74aE))_OL+hvA~T7WX=7MSb~|5d@iFmoL0*QF4$K6Z6a&Kn2TkM z&?z6(yL$ZI)u>gqPvcKApcE3&8*B=7&x`uK&$~Rq8TS)qJ@($-Styt{lP1gF{sMIf9mpkk>3tOr4yI`M z@-(!8-DbI;=LcppY5ToI5$5XaOj$&N+h3?>Z;@!e{E$d%-cjZrchTFHX;7EnG4ysw+v>^FVt zUGb;gfL)!}Xr=^HqTJcnhY@ujW{a9}HRBBFkq`jKW_|$@zIC3PmeVYh>(vbEx<6){ zM$4@VsCPZPKpQot2R``~gX_v)gx_@z){St6--R`MX~Vh%Xn_uOFxUJOKPZh{rR7k z*JC4UX#g9E`6bLjbun+~mu_*v%?Fm&KXE-`Dch@}slC2ro))1?;h#O^b{F3<>t?`C zD6Lo0R*2tEP>|^kph-fFtQSd|kj{q-s(wg1CuLTIbmqt+ikF|ugN<+Hudwsnj-I?v z*A9_ZOsPPeop2d;h&uE+wsAJm)@1`62$;m3@-yT*N|W%VkB|8~`e+&9NVnp`^bq+I z#w>@?m{LQH(0s$$N(-i1Nnow#%Pkj+owYWwa;s?$5%WbV6bl|p^A%0hDy}Rcmn~uM ze6`l6p$d#ynDium(ovEg4o}%v&^6u{zEe`7SGbAh-w$*3(|-2*wi-XotE1WS55`Si z*A9AOubi}_*yfdKP_03Dh^n?4P|&YVnl|vJBo_b^&@Rm=bH0kLdlb83hU}tQi}6{) zs@f-=;MDRTlQ&&w?dj_811a&K@(>MoUmn@3F=ksC$0-*5;jG))occAdwUnYArX_dX z*zjhL5i{GflO{r;W22Ja`V;w?~ zrD3Zu)29$DVR9!|V$p_G=WNG_tw$KUY0$O8-WX}V&#GV+jSpIWDZ2RY7+YQlQlo2e2Vn9b7> z!EBDe1#PE8nxf#JI0SMgjL9y^8HEawdFqZP%EX59>EVYjf2*lgK9AkqsnKF6JZ}dZ$!;7^6r+2l6n`@3CGJqLYsETW6%Vodu z>%JEtwR0MJp5b9VbJfqvXxHg}G8?U7tW3`(1oG}sXD`qV;1w@o 
z+2_+@s#KeDsv11>GdNqdzr29KpEX}Lg1(ed)z=?4QC2PoL4O0UNDQ~uQ$_6RWgsT0 z?`XDcXcO?dvI+|N@}9>I7NK*rtoGJlH5OIOvJDV(ea)1js@G}aG+X*HS}|S!a8jIo zg0^MQO-WSr`8O%J?y8j^s1N0ONnx175sC3I{z*UpZ!u$ZIoUrK=EDsi{zd+0P2>8T z1jICzYUXU13z22;iwq8GCD`w3l=jvlmy;Ec*(Pq+}2iu=)L$J%iiFYzpi zezOV|hX*iThM`J&O8zTZjV@^)glQRLz45145M{Fa(}91=6skzliW%9W36^xBbi&!- zch`wEACnZkKY~+*JXs4UzuF+XMq~I-EJlRa-`qCOzM1rp!!R$hm(s23W#cy>-8@OG zblUx>(k}oAzw<<1UZvzb74+@C5;AgrW$^J7dQWBQ41HS6I$cuYps|o@RkeWXEnP=& z92mwlyE8v`dvp>%)HXlYEgYgbM_94YLk@_Ky=E81T^4Kt7t~r&Yu0+-cwKkV3OCLr z>FC}|8}Z^*9*7?D3#|nhrs@9}?Tufcp!`s0_RVze%ehU?8qX`%uS$03gEx=y(@9_Yjy-zJiqH41tiU4E&n5bjEc$3*5O zKYy)9@ElB>p%|jW4@QmHMDLGM``^Vz?0sJEl|JuU*L==qy(w*kJy2&Ey1S3D{DG&OA^Ud6 zPE;l*((_6OySFRbONqS)+4@uYH%}}(2f5a9d>Cou9N&;W6(PNIu^RDPNHde5(do>D zB5Ot``QhGstNtp3C8_u6PS3zC=L$s_<73pqHe_R~+>yX8(;qk9sM`uu!3t%lgtB1-47G>q}nR zlW>aR6L5FCPE!O-rH~K_5x~)No$HA>5cy%wip~|m7TCDZ&fYmu*miWH?jkd9Drl2cG^baWAg-Edl_$3s`#~dK zaJ-wlMEerZd-t&Ak&Ikg;9#C(QZ@fJmPH)O${^4X&lg?BPXu1ypo6^gptNwDo2&6Q zCh|SDVG#@v9wCi)oN6;Cw*@Tz9E`)kS&1`EZMf!ywqN7jkg%2y!?Ljzvsr8Y?}Qk} z`O0qf(BInBLGoaT4XjUGr**8MuepgZFA4|*CxEU9@8tJ#$CH!BFXvmd*~*WgDjZAv z6>ReoRXj^|yp;DO0j-eRHMu2b6K-_&O`GMD(mU^`fs~2H4f|R_waYuBRA&}8I@M1O z%r9Bb=<)x&Dx~IzUD(Z{v22}c8r7!LAD(4Cp`y`yc@aHDx&s*#_ioKblTtt(E z;Y?l^E7mQf?ds(}!W!}UkByey_ry`CTa-4U!?&BG9|zt4$)=;4b+u?6W_+>xwc1(i z#crizZB>w(tTSbkkaa`*kN$uXq+{8lon};yx!~~5=bXie%>hS?=9`fRhwyx31;1f9 zfxKEJhYeg-HvatJ8|aa9y`Axx;AQPRJa#A11(T_T`fzEr>VB7i(=mK1NKm9y&#t=$ z5a96c4@8T1zuP&a&YZbDqgg22)iHaeGl4_7DE{yAf3|e7nA+ouO>V z{m2A!YJC6oZq)*V3XQW@LiDHMzvqEv7}K+pw91*E51F)%Ta7Lv&&pCJlFQW`7+)_1 zs#B3-x$pDLv+kaZr0VREGvBa~ejkC2R<(*H2Cg*dXM{w#MSUNuz?DncCRitzF zTe%^fY?vS48=M%f6WTL*>qBe0>SvL)rY!ygkFOdc=^xU?vlWb!B9nEyT#(y?F#yh8Ll{~#s6*dRNBMBhr>pZ$2>Gg^ zICgbv$!3SazG~1hN(6^RF)hF+Eb>)TUa<#^FsxklEGO`wiWeUI#HJ((tCfOi3KXSG?^3F)O_ngZ9H-)y;y$T)G6(&TpG> zP4@b~V$vpt<9?+}aj}k>6CrIiJche=wHPvv0@Q;V9Mg^M(a8joaOEl8jGM3Sd3%F@=V!`F%5 zzM*xKMZ6jq2%m_q8a?P~iLb6+yh5keq&iBMB=$k;|JvMPUrzu&ij!uw4czCS;~)n) 
zC(exa=C>dXmF*83-t;bWgVw=d1Ed9UueO6znyvZtaJ&5vT|Dg2znLW03w>_RcIvXR zxT2ku5J5*lAY)QFe(qTN1sWOlB=TnA1sO(eiyx$4$Nt0UxfD*#O=FG!)C4T(BvyUp zxGq3WE4xoDO=cpiR$c*L9Vc0U5ipYHOu;xeshR8^j{4l8z)4i)Lb=VzIEE-6)3|g_ zgqXNIQt?Q9o+C(|dI&v!bjOPXEk1F4-W}5;>xJjDqygdh^VW!qI>LQbDdeISv3d8( zpC;V97px=QeXL)}QaZ-oHMU(k^P154xk?i4d_8d;o(h0}8r@nsKo7dHFX!g~jB^yB@0htWwSxuy;Rk(9POaJM? zy=L4=oH4^&d~xCDzh!#$NsQSOPgH3YFvK>lryOaaN|WSIHA(0L?X#h4Uh; zmgEgoJtk}mH%27ec6Dz1O0j|>)rB1%svWtRVYXe(*)ta1YSMDRSao#hjB>&rCS3maCZ;C3_`b)+#9y8t zOrL1dTl#G^;>%r?8HP|(D7r}wqI(U!t9~nuQ)Qur<-I$iiNmGKaiz|FFdw{CztkMB zE6hPX#O(>KcTd;)ei&;z!grgo>O=?Y*N4ofbfDrn2}GCcCF0&xjfnfTwptQhM5&2# zTYhc4QJzwu?ACdWiNdKdNAc zC}jyieJ|I2ZT6_zr%s{f2mrhbv29*Dk=zK&c|vKmW8bJ~pm=v^ZKbf#>ZU0-1+kR# zT!|S}PZfYf#An`|ZWT^_I9U&!B7QqLLC`azG&wn>6fW@b)WpLQOb8cRWWZTIg)Rno zdVWYI4Uk6cPR#Rr0E1UbDivNAQpqEUezEWos>8=)tkUg9&5P7IuGUWZNuol<3yTx- zjw}p;JZw#UEmk;i7l)tZH9v>lpQIc&?Mko#ytaJ5>F#=0-TShW`a?}kO`-FmE92zf zzh8`bj`pq7D9x^b9GTFavS!74x@qz4RHb~9cGUoM$&F<@=Q+`1mD~hF?bOyVe08&m zaD~?z`3W7cqR#m_I}Ht;_`kTwsZWhY>5Z>uuivI#1L_p|(KV{5;*;=A02Olk(?6YZz|Q`(z%ua}^5#P_ z|8}1?BLsG)NR*Z5Ko=6b(-pts!SpZh(E-=R8;jZf5)8T>4yc`C&c>R1^Fbu_Ck?Zb zjF|3yU)KA`)#%&;EmLj23W+EI9bKIQosWKF(L>>)1oZDG?9fmb1$NcyXqhu=F+Vb? zw02ig6ln8@D~p0c1_9A*5s>}%JD#W!O{QYGh!ih> z$zy&r*aNlVGt|C*%b3ZSsqGW1B0Luu*PPS%qP5jUgCtDW>ar1SM!!^gcB#il} zeBXViKZwhu?`0U3nD+enb=LUcL6Gv(`zg4|$y-Jq_E<|xsaQs4WfB@F4O(k*RoT;^{M!Mo}J7qc^mtaHC+Y~N~f|4~fUEryT#lZ1P z4^G;Xs$4bdn=Po~Eze@C>sOxLQ~u4WpsJ-E5QqHKaoJE%b>-Po(}#FXR}r-Z3n%rG)fx_YO<=sbepH|r3zbkMknUG3 zj;>SZHCZMnmrmK^9RjEOm6g7cH?;sSF(wp}-+^7F1bR-O?9vZ@vcc#bP^)1DQcYtsWmCh8Yq^H#khl<;1bFlGI+3C}ZrH ziIQ}wbrVi?wPBR%ZCC(U#xYoXZ~5c1V;E!b{v}~s703(3P)W#|l*G(4V6ssQSrAI6Rq zz8rT|(?I%lp+K^gu^i@+MdENyKp5@AXjs=r;znEtiz0T2Ug4;aARbBb<7|6sbsO5> z5t-lGzldmYt4JQi(eK*G)dXzhJQEYTvOAiM79tns!#KSoLIGMGoPQ3x&{;2v5S<>j z&AM`?9h@K62*$Y=g<5+hoB~eO6*F=b;6&bq3Cl+l5|r;>v97-{hmWp}?d#Uwr}25^g0f)Z68JF0lZ z#iBb-S?itf&dyGk=l$)4GqMN|xb0l3=lLv}9~zE~ynJxI_3{-4hi&z28!@#h=FQr! 
zQ;d(Z{iKqhrK$=DQT1(5rL?-gv%1b_sn&*^A3Xm9U{sXm_hEI4dcduYgQ1>Cqqgsl z1^3E3|F(L2pTfuUX|Zl>jg}KzDhJ7&72bh1m#IL$tyjI8GwX(Pu(rdw8pW`irbB2b z&>r$jQa|x0Dj;&Z`DH$mu{~WzeZJsqzygbH*S_&-f-RGT z1Yy0pWq%s7PS28d6G`X5d@R18G1H&~Gy=~AkknaunbD6DG+BTPtfqiqLq~sOX5+9$ z30Mm2{>Vgk zwm#$d<~9}ozIXJale|P?-lpihxoE-qAFsvw(@~HgNC7d%R;T-l99hKGIGh0gDoNT5 zq30Zuvh3OMcgvT(wYAA(Qkd?ovuPNc5^^c`S!ym}{&;p=8dbbB6LsA|pP0`NS)^c< zxPp(U+Zb+Kd+QkBITn&DCrmTvY^;-iaC8*NQ8t^-Q)nnJ8%gNlR9Ro2!1|~)COdfQ zsP=1POIya?ja-8u7dh5EG}u*FW$To*agykvx#u_$Sfv+v@8pTrnf=$S%nT&9M)b$5 zuoFvEN!@%+XGlZinQ7(UzNRjjnipjKiEJGv`o;c(B~6b__JHI1wAMA<6Ah|^>A^9v zRQH@@UuV%MO@Q=sHJRXbf8xuTtHwk`&KbYrk!zAiWgWpQ6`%U6L){e+7p1-Ldr@iQ ztz%nWnTCcq>$8x!cI5T?X!hw!(J!Wbg+xAteI82e2u5nNQ7vNJpktf-Q_j+n*Caa6 z2M#LfKyP7%O0qp8jVTQuP--)1m4EQA8&Ah9C(PIGXUNvlAXjHuVlnGrKmNewKGtW$ z!6?G~KmHGnuBk$Ys&bQ88X)gu%&RBPYu0emA2=WnDXiuPKllqcW(4#qY7hKROn!mS zgMU+>XnTk=%$Ca!_>TbSF9Y1y!xEdVmoNqs*KoXVXuX`)!e8&1Q}zPBo@o{ygX#s0 zRJy!PcU~P5Sn8@U?p^ifY*zKZEnX8;#>Z(TXSifHR%K6yb1_CQH-bqtCtT#@tFWdhHWzzHIFkg0c zxJ&E~<+k2d4HNOASe!fMpz_|)iVja*>a4e2ql*}KxR&#}(VYlbd44f zyimXSk$QfD(P)gB!oiPyq-kyK%{db-_PyZrko5i@#o+!Arva%4sx;m+@dJ-1&(Y`J z11o?i-A!<)Nd~JV@*r3(t!xqPXvXUWv}z}jTNO6F%9tcvk5JIC>HHS`H(2#MqO)Zc z$&{O9RYkD|6KXD=te$;Vw@P@+rdORa9`=E4zrvexOy=E@T-;Q#LTgL)plY~Kd~Q1PTfHh{)W4%20|o80 zmmJbeV>cd`KSf%qD+o>j6fch)Qvbp zeq@##H_`izwL}!#USaIIGCZc9z7L0!a|(4igQS=DF-PLtKm8ErB8OjEJuf6P7sV<@ z^gYX$7Crm-Ls8JqW#7Kd&RMBu?+kM@X~$`#l-{6lH@e1feBbknd3fgCa_qDS_Z3~& z4Z&{(R&G=MnzZHIk9pSmIyK5NaasfU$Dfq!+??GhG-V@Gp0&M?%?E>R*7=1mJPQpf zpXY*ZSbN@ijd-nUNdRS_YvkLmsU~`4!&CfhQ*@1P>4aTF-7m67JtR&K7Ige?Mep@L&y4Mi zKR3I1;%bicr^l~gGiX3->hY5Z0t77Z}5#NuqctlNT41jl2W1{4Fb&-i1nG0%Ui^pM4G<3q+i)8Uq=)S=<+ zrd+!_zzZ^5Y-Z~fKDK5=K@O#!gN1X|;W3KmN0CXF?gxITSRDw%PA(V3m(eOUgF3I4 z`gMRpQqp;>hA{!P2VmCJ9goz-(ZL@s)?-$mK9~#?MM84(HQ!Cj)JooSr1N z*XP|8)J)y_x7S)FKy*cRN3=H@VfcmYVwfW4V!^Tp__S;Xu zIz*-aUm^V6=SByMUk;4_;`uwl-QucZ&i66UqW=W_zyj_=a8LSwLjQN3orTeQo_|)T z{Hqr(lKp=H2Ck;d80hHbj=TJ>DpkPmlin|&$Chw)VXOzlQNbi>hH>+r)OQ;v` 
z9^Tg2k@cK^I11XY*0A42s*WNmFpVs6-uSnM^1Jy*r|+3=_gzxTNW88C2FndQL2T>M zP1`M_9=w?akh(_lZ%yi(xDRH8lg#`T&Tjn1C!c>b`t6Us{AJJ*D1(gi z>O^JJ+2$Y<)izMN{&tOtcXE~=+HN^Nn0;|=KcICfSqFu(ZYf<`MDIqGTMxF8&@(kEkl{D*sZ zRR^dn!%t0lfUz_=l9MCT_XUc;akg*sKfK%Yf=p5+?R)q|N?~k3k*uLYLpmLeF_KOt z-~Uu}^^WPw_+ay0TwisFhfdJeoo8oeRM|b6WNMwd07iw|L>I*&Y9r1yzr3_sy~ zY^QV3251|&fd1<=g zknRTnb2ZTa7N$4d(pcSlPikcXC($c*KSo*5C2SmV_y zEPW#haGdsojS~R#`Qk+NP`3yyApCp2bU34NDP#=mA41sj)@ml{48-oPU+XozwSuhn z1bE|JZFw(t{Rgj`koRkH>VGd(SFHFdkCu{gU^YKN!a6`D{Xb*wqe1D5m0gLuXH?#X zdkAilmU*$V30EJD;TwxNgH=Y79yP97f(*Tt`a0jbTWj(mGGRpyT zlb79@39B)R`K#^{P_kZ?d(_&WXq$_+oKr2wD!>hl3k`gwb7NHl@xt0)(_yc=zSB{C z#kt4HRPcsx*Tk~-8ea8!{UXm}yOJBCKyPWuqP7|ylBiLCjIL@3lBtd5$o5+Ff3@#l z4dS=?9@fFC%H5t@afShxPpp7&pAE^aEqgj%=iDO3$&D^#)#4UpfYsf5u3=F){FQWB zz0%%WXnI*l8@RgZ-Qp{&Z}Cp;DtD$~gL2~UkBsqebAmgGY*O$X&@rL$stMiuaS}gG z?RY7cc&UYX?YJs>)>NN{HLHriDnKCdv&ZG+CM;Jj&p|} zDbe~YweAVbDJ2np3SUs%T*AOu`)v?OA8J|tb3Tktk;O_CUqGod+v86+CKUT+w*x(i zK~vxup|Obt)~Cq|&$8}$7SM$C%I>Gfv5aJIGoF&FXzD+Ltx}bYy>p7X54r zJ;G2O&R+O0upDe*qlJAaMSG@SK0~6OuQD$XnZt`Krgy|8QG+@DS2vj(X>3d&Ju3!e zSR=G2b&GBo`5E7M-S%4~_&K1@Aou31i|+QUDOB~(TI8L3`g;w>^OPRu6%1{(qyDZQ zh!EG>>0^tIwr*Es9b{0F-cND;3{bCC)^rN}Q6I|+rQvXXyt$W z%}ZHm{0{O&SH}R_YpplRbzy;SAE??ig#y{EY&b=5&F)l|g9dkL^S1hoKn=dx~4pF$zdNe*is(y(#HuvSt5KH~;$AZNO zYviV!0{$r42vt3Jb|4Ivxt$*Liz!_J*qZ=64SPS-d^*OGc0XEWyTrcKd#0(}Ie+Ml zkHeYfSH%$4dAu=54@`vy<;R$R=y@U4qE@ZRjdDneJ0oca;*PPaQ6SOmNqEH}uL1Ub0 zFAEK>6ozBu`B>0dw#ONjr-vRmBmB**MbsurtzAeYaXvHC8y`l(QNPc6lGiViwus}B zIB}3ZF&FC_1Vet2Y@zYFkyFc~rry1=DiT)en~xV3KG*S_otU9~JW=cM0TiE!3N+mx z1c+;@I`=hNTps5svv>cZkDdx0(hLMTPF;IGN~tw+xQd`jte1C6fsAHU!`P^N)aY8= z&dUn{PMXY~MUh*+*xi3MnyEx9K$tv7@$uAza(B*EtZL&|`Qv9}Bbxju_EyBZO!{#C z_1m{o9UV_j4<_+FuTP}_qN97MN;W#&=CMT2Ebq9I#qD_wo7v#z5`8?JdCs+2o)JZ_O6{t5GbcA@?g-3r;f==p;C%kT2LD%2>9 zP49bmsUbmbXlxxSw7mSKm_^PoY72xK4|HI??0UKw>QLf~3I8oWs^iRG8Oqf#3}-YR zC9txN9aCXK`&}&FeQ|5D?egREzmPF^gfTBy@oxstA5!D7qqs6Kn0KbZym37(OI=nkbpDBt`m>+f(C z%p8*8{-nq@BR2{ 
z6c#wM;C-^j?=MTmNBI?hdlPtbq{C*kELc4If03~<2_PTT!erhl4BVN&95|21+Ai!+ zp%BiP#cid)7R@q!qxo>3Lt}LrLljfl)QIg8Pd4?Tf=L1NSsq@+e{*aCRl|&WK6c>g zlsOfL#uh)r+%)md$Yt2k?{HVtjrN%tzFndnjUm9qE8 zqMQ2dj-O>$57go)QtF9Uz8_~&5TJ+1B18$tt7LHq2nmA`apCr^I}918UwOXEr10g^ z`stivK7^-mZ9i8n()~u)O%g#d7H&qlFI&HEZ9t~6T#k}L1G7wx;qEvuTtjHG_2nId zt<{goAW2=vinudIU>v7hYn~u|{!C0d1Ckl3#2ENyNX^8BEHP{|Wv$bkM}btbox!f-5>w6?#^l?HP}bNwW794D7WXueNK^|&Pc zXI@vDy!h_zoMR93cZn~oNL=4VE*pNW27{Z#g{BNRLWVpC12XXud#W>XClgVw5m8tG zd$R6V#H1JEyP6%LD0cFPr{Kyw`y;6g_2=(eRc0%BfRKgHaP$5c+XGptXw4+RkJX>X zx_w`^DXZJi(fWRanybVOZhE>4)66q-JKtd*=ds?K6@2xKmyge|tmWFUozu$)ℜc zg6Q+&X6P5?Z>Qa4Zj*9NntSZvaFzblJJcK?WBS~b!0b2SKmS9<#Eba=B_TARhur9` z;p*NRCu=^M(|Nk{BCfzduI3F%74Wy!iHon-Ho3i+u)rk}Wh6Y;a+u`&1VA0JqwO(D zIlz~VE!Tl!hFv~vsNJ0B_|9mq0mzROpkwryqU8I6@~?Gt9Sm&@IIeay zZQ=BZ%c~*iFM3zX}Iu+mQlc|78gh?vQ~YP{AzQwd8{rd=zXx_HH1@hFs| z%39wrauey&z1hp#8l&8jzTJ5?5igt7E=&-X9VQ4OqC8}&4;XWeFY!O&+`4FjOYNvN zrumrDQZZsLjhOHpV{$f%mEYgF?7o=DTL(oNhwTmo4fgpKI2t=cN+7Z zAVm}~$(ciF_T>t%0-EJ-aP@yeR;vB!Ylj=Ax^)o3#y&QRyK}*iMCQ_5By$muG|@;c z63-<1+cTCt1YY3clZ|(}dd77&gP3)ZS}OcZJk@$l5|Y|#J=Jgj6))9aRGcmUF#EmG`xc#>#^mAa#+V67!rx6()bo8-wnntTpgpN<&17bbd8j$n-N~~unGC!&Z0?6* z0!AEuFfw(wLfbcZ6!eUR7HsIqLRUpu8Mjj7?!tY1$v^ykteb->qddv=Sn9y`Om421 z?JR=EIP28<5{VBVe?J9{njm^7&Y82wj^$xb;qmv4^(?yR(VteX?VoopI}P5eCEx&S>8}W(UAvqOm~_3jgLA&m2}2mI z3r+crRMqAT&n|B~RwBK7 z0y{E+F&wH;ZcZi0=8@UWsPKbqL(PLA2yICb4qd8WEpy^H(T>hKZg;M9X8}$Pl@11t zxjvD~{qORv7roqhSXxgF8)6K&x5S&zmxcttwuuXRdIXbP=1A9F)s}*I3ER}so(*|~ zGMGv3Fv*7+!oHwJOXs0zYb(DNnwX8QUaql*DT&NHtF0oN^0yh#Ezq%_JWz~4CfB>1 zlg*{vzo`HwEm}nK4-0zDN6y>(Q^3Sa7pmCr7Rl^pWj>_jc)lClN!MpuplF&o;hd2H z1$)waZ1J*>nO0K3+GtzC>wI)w(Nxc&$z={S zp`^b)bdoI8vkn=hW0OmN9O*Qq38hO9TTRhQ(!tD7JOpp(Xe(1ROwHn!V%Us@2?N^^ zo0=?=qLz8XmW?JG!xQs&k|{qigI6QMSEivW5TZN%u}3kodAHU3akrkvQF} z;=I#np%8N;SW%2s=^0LkMOi91#!A0?S%`d6a}TXrx8$E=tY_+MWhNyuZAjJAart7 zinJg#AWejTND~MU2t|4a={58Yq4!YUiTA#>-fz9%d+VLQa@LwNlQU;#_MZKH-yT3N z1g!kZ|1MY#Y(9?Z2YX)u1@;nZm>cjBj^bR5?J30MTDN@zSiz1@sx6S|y)A{;hNhSg 
zAA6O&&Il5}EMMk}WPM^sf^1e=4ER#L?0XKv#p-TuNpX&MINrfraT;}i_TGkbI`=yz z{>xURRUpvc`yEkWAIdM+VM=8zQx~#JwC}uk%F!{YVZvKOV(ZvN$8$6%{=lZ_BdFLV zO$v0%7ddX13tfgj3iVU=o|0Ojbnds!bEsGVe-exrSMznE*=I|@`l-c+xx}5D`}=Bg zxU9@xC{`LOQ80(cw15P{v-KPCvy^dyRYS%Pzc|xk>C`CAVkYmA-{+z>k`fBTq6|tx zYZ67{`-UE!osFd01C5RL<;>8uZ<9qEf9~NsbNnz4mjksm7kzAYHO0Qs`vY^8^dM%8 z)2Hs_ApOO(oYhi7s_*f7m~4P=rsj6~{PuWOduyw(o3`(eZY`QFjw^~9=51x4!}+wb zgC@gC9`XUU!N#kX7L%wPUSq;ikMJYnR4ch$ZP!cG*r(8N_%!TlR1N$o-pkpg{f)a5 zU@7cv`&^&?qfg$L3^ymc1>=exl;Hp$#FDIXwTx0ItSzI2+*IvGPm01AwoPH8J7pp) zg!o*nW4k5ySa)yaXICSeh_>yA>B?I-7`?=Hq zV^B5bmmZ|1r0+=zOr_KtzoT0)!DwhniEeQ!U3$e(U&>P(Nq4@%F~y8BHkjG!SE@Mr zU7_G9ezy=|vd4Q#zf4=Y^F%WjUM>{-ID}QG$bw~Sb7K*t>GUTSkm+b89Dw$J2sm1g zs69JOIBq!J?D)M?Arg9#HEG6%ZQ&E=1fh~hLdS25V7|C@za9>=pA7r;zNz&;az=?n zv(Od%da3C-yE(Sr^)&Q9prEOs7EH1u?&;x+N*MJ0>5d5)-opwTKp)!ayh1hzxi>Va zR(}&!C1Z~(W%MXHfGc~*yrZiO8{q3uC7uCL`?}iazFFdoM`pFYVQ%82vVr|L5$QMI zTQT-mKTHg45a#=&+eK`!Z}OBzOtbEoSDAm}I)eH1<7HDvcBnm>8-)o&YKNg%!iLou2SBrdk&=rBw znIal-!%?FkRJd4@%g^^La$ss0?_1@p(_j1U(ZJ;@J!v~X>~&}Mi6olNCAp^W9;_e| zrZ`V)39|@c)}M#m0qdNSsnx7P>+1rn-{ja9rwhq6wWdo6Yp(`IIP%^PPy2x{=x8ZJVuHiH47l#Sn^$UHaTss2p0R0W~{685&f(rD@ zy^6qN)l6?@?|kI{m8MP;W-L-A)#&2CNSm1IFpMQDbFH}IRQBPqT5WNvs>cZ`C|9af zI_+yHO+KO%-7)-Vj85UmZNY>!E5>DcSgjm%O+z$^0zHfBjbaS{ghjcjvLC+?rPXi>ud-00!Mh{%<{Jvr(U*Oby6{;P0ob)5AhI3qW9O(ILS@J8Yvq z_+|6gQBS0i^;lLq4s-MR$@2!;`_qdwQ=kmpMInTLi5e@wm|6u&bcVvXu{&(rH2+mN34~*m& zB;{p%B2M(*6I=3ZiF;j?a~fjZcuQ{|(x_1+;ASQ5%dQ2hxX@GPJ{9WPp(wYWr{ESg zc#!pXNG7|*=-C54iS!==m70kG;Ep`NUCK|6wS@4i?(W{_E^W=Pgcsa0We}!6qGHd` z9o9{em_sM@2;}STQtbu@Us?t8q|?ND+AmBzfM*9%=iN%M9D%C8&}`n)4+;_qy8t=N zELMxaB7qm^a07%HKW#G)BfP}R?B0r%@{8aK3)k?hRdBoelV5bYc$s>amb8@wizi$t zX_@)bCjWo@$)xZ|$tumK<&~vC|)BggEOpyL;(-8obg8j~rf~r#k`&#T^U~ ztvk`if=Y=a?NLt;=Z(4x?-RGs78+Y42D(aD(VE()jBNw42JH8p>%Trgs;sk*!*7jp zARws*(0x2T3mHcc(+MxicbAaQ92iEcDKTq_=84T^li4vET~hvA)_>=i`_^nH>cGcR z6O{2ts^%xOyK(9zWRjw4D0F3xo;Mw|zukJxFsnXDX;9KU+lXqk5ZWUR*cDu2GA86r 
zb%el124}g7el}k~K^0_*?Lt57E2%7bp=phjTmPcyle`o%o0Eq0LsFD|roGEuCjAPK zeZMQ?%O!)50&64qTQQ^l&W^JZLHr|-h&b&cpM(a;fH8o~-pF#Xbhz!FJze`bM)kf@ z2EvJgwV1b=mHo&{${B^#o=_@`9P1LuL(wcHK;^g5VqtK{?C@%-kTJ0sE9%(JTN{Hq%;W2WMn(g2{@?g}*cK8KS+R0nEO*%f zFOu}qn)~W675eR7(&#gKh&IA-y)b{+Ry;Gp*2~^QF_&M#fqpxY`uY1slD*;jw?n;Y z{i2cf`uUoBdt$$6rad+qU9h1Ao&u&m{aO{E|4V_*1G`;U`tx@x8KYrFm(5=Ecs1f6GrMpx|ibgZ$!#3tGi1z6bpRwEY{bG zhs#s?lg-w9cU)P&-t3D1h(@SeufFxRPl%LtO5f>1ngl#w$=!ufZ7p0()ju=4mJr`M z+BT9gc^`o&sPY$~sdOGeIGjEQ;@&?GJ5MhD%H(jmZ(mFKc5Eoc+;aBfMET|8Yoa@> z@BDUYu+w<3PdF@Dd#WqvwMS1KihGh!KOuGsw!1l9@EmnT{v~!`Q43}tVPaNlv$6WI z&_Rq7at|4YK(+W6*Ks(-;uP&TAm?5~JTLHBq;;Sjvx)~`pSN5R(R)+vV1}yJT1Re; z(QeiJ(mIpQkz7%*U3j5z{{;OL4rB-N@?||J4-PjmD;lOT8sLlwIiocsg(FS(tba%yDi7@z# z>v~4QLrcfaj1s!KkZ=9v;|c<;=o{^h|7kJ|HBVyT^fh==)tlM~`~5RjjRa3P(+T_? z#h#-dc?M8XV^{pVnb@nu1ETM|;KKQrure^BbC*Q@^(SwmJP@J7IT2@V{R5BBc8J%z zL%)sN_Z-ce1=%1xx~=JHkqN6{L#b<*Vl9o%bwyl%hs;=aSa*v4WIVayAduA*O>6%A zKKSV%;yo?~D4W19zl%yfS52jZJ7buwlVtaeT*d)`bXP$>b!;S+oQ-o8*E z_5@L28eDq1Cjd2E<=CF6c(Fnt!T%2i%x^Z&zeSHU{(>!vylHO`8jp6ste{eQu^*si&f3|k!ak}whr6*ORTIJ_*Cw}|EjTLSqVy)J?K%r$^!Y^($lI{dKK@3?ig;e*>;Fujqw^m+Acei0DOJoE$3 z)2KT?O@>)ss=8#YeSq{kWYiYujh{~AANrq>=tjz3%U}?1ezQ=uG-BLe>|&k@yF4Xe z#KYXoVvavey|BTBlNCT-Qgg@hWD{RW#*=ZNZ;;s2JttUOer{yj4PyN4AU>ooQzlui z#yAM(I0kRZ_|{Nd=kay8)%|c-AJQ7hI0n1AC;^Tu&3|JM!yJ$(+TX2<^mmNeKWz<|<$5<$zb`v&<#QQ__Ty#tL2#PnB4-}9bPK{7 zQdGe$TKY;{&s8lTBSS+&{6JdAGPfyn&bj0$=8~6-{MnrBPn2Y31MoMt-SIdwRpY1{ zfJS2vdV6yqRBmrw!Z5WF^h_m0nm@s~+2jy`-oL2z*ur-Qjtr_k6_GRwm^(Ol;yU5+9{va=t&oF;7F4)DlSn=w<{mHBNX(b) zm1BHBMb9=agJIgpIy*cxc$T&NACwwDE7|?XyXejSlIyOeEmj!xLbT4Wts}0g0Q9jtvgPhuS38Y^*(!=o*8j`8!>~(jA z1?~vL%K204J|IO0$uEZ#@|Si7wcy;+doR>X)?Jc(Y-l?XMGc=tAE*{Lmy}{xk4(p^ z0vY)){m)~&t}pVdF>-f61}e=a2#~xz$b#Ye{P4X;tUT=K16D+k15*-GwQ2ARvSAc1V_SRncNpKixNIf_1M?^h(!7Q;I zQg6AD?XESBcZxr7%v0$yUx(6KY{7|tx$F|7UCu%a#nQK7SNJ3uKQS|(CEEO#EKMPl zP2I`D$f#HWFf-;RxZawUE?_(fm}HJ4)?3NW{jUnN{7?sP>BZk;2a$z@fmhMkYRd5p z4J31r(besUuOJx4iJuMlL-_^#q${jR)}V}>TMsRRHbn<~&H_YZ-gsQ4+iGTLEBy7b 
z?mr7-I?+Z*za;QYiEF+N^6`jU;&sH^Mc-OZ`roS8SOC^v z)#-AIHEJTUg>R3Nt%}|C=O5_BSk(efHq*G@bXH4ZxfF_X)oLpOU$2f@?yC2{qgfu1 z*tYGzO(|j3281{NN(_lTkvRd8-kopw?zeMXFXtpmu)X>V&3EKJmUYR6lruMhxw_7t z<^FMT^9O8(=z!aCvdfvUorgngb^Z`@QMFtcNir{G^O|zYi>SX;kCep;d%J`(xdTPE zdSz?LcLuV&zPfIXm7wR&HUt!Ab_vQM`X4g37&G+MB|ht2$cgH9)tyjWZl4KY|Eq-^ z+s4z&Ou;PD-U7YShYH;_doRu}-pxR|t&YqF2s?3f3vB$%kfybB` zlIlZwbD;TDEP)T P;8Ic4P$+t8@%}#nIF?W& diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 256918080e..57aa64fee6 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md @@ -4,8 +4,6 @@ 在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,修改或者删除用户,请阅读本文档。 -**注:** 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 协议的局限性,如果这些设备在同一个 NAT 后面(比如家用路由器),它们无法同时连接到 VPN 服务器,即使你创建多个用户也是如此。对于上述情形,你可以尝试使用 [Shadowsocks](https://github.com/shadowsocks/shadowsocks-libev) / [ShadowsocksR](https://github.com/breakwa11/shadowsocks-rss) 或者 [OpenVPN](https://github.com/Nyr/openvpn-install)。 - 首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets`。如果要更换一个新的 PSK,可以编辑此文件。 ```bash diff --git a/docs/manage-users.md b/docs/manage-users.md index 2002d7d9dd..3a2e2e6d40 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md @@ -4,8 +4,6 @@ By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this document. -**Note:** The same VPN account can be used by your multiple devices. However, due to a limitation of the IPsec protocol, if these devices are behind the same NAT (e.g. home router), they cannot simultaneously connect to the VPN server. This applies even if you create multiple users. For the above use case, try [OpenVPN](https://github.com/Nyr/openvpn-install). - First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. ```bash From 6479212c451c86e82be36f7b2a48abc1227ec4f9 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Mon, 28 Nov 2016 13:11:57 -0600 Subject: [PATCH 0053/1208] Improve workaround - Improve workaround for non-eth0 network interfaces - Fixed an issue where it cannot be used with sudo --- vpnsetup.sh | 8 +++++--- vpnsetup_centos.sh | 8 +++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 799c5aa094..eb76ef39e2 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -70,10 +70,12 @@ cat 1>&2 <<'EOF' DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! -If running on a server, you may fix this error by first -setting this variable and re-run the script: +If running on a server, try this workaround: -export VPN_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" +VPN_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" +EOF +cat 1>&2 <&2 <<'EOF' DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! -If running on a server, you may fix this error by first -setting this variable and re-run the script: +If running on a server, try this workaround: -export VPN_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" +VPN_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" +EOF +cat 1>&2 < Date: Tue, 13 Dec 2016 11:42:37 -0600 Subject: [PATCH 0054/1208] Improve tests --- .travis.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.travis.yml b/.travis.yml index de395f24d7..aad1545624 100644 --- a/.travis.yml +++ b/.travis.yml @@ -13,3 +13,6 @@ script: - shellcheck *.sh extras/*.sh - sudo sed -i "/debian unstable/d" /etc/apt/sources.list - sudo sh vpnsetup.sh + - sleep 15 + - sudo netstat -anpu | grep pluto + - sudo netstat -anpu | grep xl2tpd From eba1e4e08e5653bad50de989310350f2ea45b383 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 22 Dec 2016 10:27:56 -0600 Subject: [PATCH 0055/1208] Update docs [ci skip] --- README-zh.md | 30 ++++++++++-------------------- README.md | 28 +++++++++------------------- azure/README-zh.md | 8 ++++---- azure/README.md | 8 ++++---- 4 files changed, 27 insertions(+), 47 deletions(-) 
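Review bot: In the docs/manage-users.md and docs/manage-users-zh.md hunks at @@ -4,8 +4,6 @@, the deleted Note told users that devices behind the same NAT cannot connect to the VPN server at the same time, and the hunk adds nothing in its place. If the limitation still applies, keep a one-sentence version of it here or link to where it now lives; if it no longer applies, state what changed so that readers who relied on the old note know the advice was withdrawn on purpose.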
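Review bot: In PATCH 0053, the workaround text printed by vpnsetup.sh and vpnsetup_centos.sh derives the interface with `route | grep '^default' | grep -o '[^ ]*$'`, which prints one name per default route, so on a server with more than one default route VPN_IFACE ends up holding several lines instead of a single interface name. Suggest limiting the pipeline to the first match, for example by appending `| head -n 1`, and telling the user in the same message to confirm the value before re-running the script.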
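Review bot: In the .travis.yml hunk of PATCH 0054, `sudo netstat -anpu | grep pluto` and `sudo netstat -anpu | grep xl2tpd` succeed as soon as each daemon holds any UDP socket, so a build in which pluto is running but not bound to the expected ports still passes, and the fixed `sleep 15` ties the result to start-up timing on the CI host. Suggest matching the port in the same grep (the README names UDP 500 and 4500 for the firewall) and replacing the single sleep with a short retry loop that fails after a bounded number of attempts.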
diff --git a/README-zh.md b/README-zh.md index 53f553ee50..3f5600ba43 100644 --- a/README-zh.md +++ b/README-zh.md @@ -1,8 +1,8 @@ # IPsec VPN 服务器一键安装脚本 -[![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) +[![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) -使用 Linux Shell 脚本一键快速搭建 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu,Debian 和 CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 +使用 Linux 脚本一键快速搭建自己的 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu/Debian/CentOS 系统。你只需要提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时,你和 VPN 服务器之间的任何人对你的数据的未经授权的访问。在使用不安全的网络时,这是特别有用的,例如在咖啡厅,机场或旅馆房间。 @@ -23,7 +23,6 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 - [问题和反馈](#问题和反馈) - [卸载说明](#卸载说明) - [另见](#另见) -- [作者](#作者) - [授权协议](#授权协议) ## 功能特性 
@@ -49,9 +48,9 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 **-或者-** -一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行另一个脚本。 OpenVZ VPS 不受支持,用户可以尝试使用 Shadowsocks / ShadowsocksR 或者 OpenVPN。 +一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行另一个脚本。 OpenVZ VPS 不受支持,用户可以尝试使用 Shadowsocks 或者 OpenVPN。 -这也包括各种云计算服务中的 Linux 虚拟机,比如 Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean, Vultr 和 Linode。 +这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, RackspaceVMware vCloud AirDeploy to Azure Install on DigitalOcean Deploy to Linode @@ -126,10 +125,10 @@ DigitalOcean 用户可以参考这个管理 VPN 用户。 -在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 - 对于有外部防火墙的服务器(比如 EC2/GCE),请打开 UDP 端口 500 和 4500,以及 TCP 端口 22 (用于 SSH)。 +在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 + 如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 在使用 `IPsec/L2TP` 连接时,VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`。 @@ -138,7 +137,7 @@ DigitalOcean 用户可以参考这个vpnupgrade.shvpnupgrade_centos.sh,可用于升级 Libreswan (网站 | 通知列表)。请在运行前根据需要修改 `swan_ver` 变量。检查已安装版本: `ipsec --version`. +提供两个额外的脚本 vpnupgrade.shvpnupgrade_centos.sh,可用于升级 Libreswan更改日志 | 通知列表)。请在运行前根据需要修改 `swan_ver` 变量。检查已安装版本: `ipsec --version`. ```bash # Ubuntu & Debian @@ -150,7 +149,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## 问题和反馈 - 有问题需要提问?请先搜索已有的留言,在 这个 Gist 以及 我的博客。 -- VPN 的相关问题可在这些邮件列表提问: [1] [2],或者看相关文章: [1] [2] [3] [4]。 +- VPN 的相关问题可在这些邮件列表提问: [1] [2],或者看相关文章: [1] [2] [3] [4] [5]。 - 如果你发现了一个可重复的程序漏洞,请提交一个 GitHub Issue。 ## 卸载说明 
@@ -163,22 +162,13 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh - IKEv2 VPN Server on Docker - Streisand - SoftEther VPN -- Shadowsocks / ShadowsocksR +- Shadowsocks - OpenVPN Install - Setup strongSwan -## 作者 - -**Lin Song** (linsongui@gmail.com) -- 最后一年的美国在读博士生,专业是电子与计算机工程 (ECE) -- 现在正在积极寻找新的工作机会,比如软件或系统工程师 -- 在 LinkedIn 上与我联系: https://www.linkedin.com/in/linsongui - -感谢本项目所有的 贡献者! - ## 授权协议 -版权所有 (C) 2014-2016 Lin Song   View my profile on LinkedIn +版权所有 (C) 2014-2016 Lin Song View my profile on LinkedIn 基于 Thomas Sarlandie 的工作 (版权所有 2012) 这个项目是以 知识共享署名-相同方式共享3.0 许可协议授权。 diff --git a/README.md b/README.md index 7542a79aca..e67e6bba3c 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # IPsec VPN Server Auto Setup Scripts -[![Build Status](https://static.ls20.com/travis-ci/setup-ipsec-vpn.svg)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) +[![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) Set up your own IPsec VPN server in just a few minutes, with both IPsec/L2TP and Cisco IPsec on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials, and let the scripts handle the rest. @@ -23,7 +23,6 @@ We will use Libreswan as th - [Bugs & Questions](#bugs--questions) - [Uninstallation](#uninstallation) - [See also](#see-also) -- [Author](#author) - [License](#license) ## Features 
@@ -49,9 +48,9 @@ Please refer to this workaround. OpenVZ VPS is NOT supported, users could instead try OpenVPN. +A dedicated server or Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can be used with this workaround. OpenVZ VPS is NOT supported, users could instead try OpenVPN. -This also includes Linux VMs in public clouds such as Google Compute Engine, Amazon EC2, Microsoft Azure, IBM SoftLayer, VMware vCloud Air, Rackspace, DigitalOcean, Vultr and Linode. +This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, Rackspace and VMware vCloud Air. Deploy to Azure Install on DigitalOcean Deploy to Linode @@ -126,10 +125,10 @@ The same VPN account can be used by your multiple devices. However, due to an IP If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. -Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. - For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 & 4500, and TCP port 22 (for SSH). +Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. + To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server. When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`. 
@@ -138,7 +137,7 @@ The scripts will backup existing config files before making changes, with `.old- ## Upgrade Libreswan -The additional scripts vpnupgrade.sh and vpnupgrade_centos.sh can be used to upgrade Libreswan (website | mailing list). Edit the `swan_ver` variable as necessary. Check installed version: `ipsec --version`. +The additional scripts vpnupgrade.sh and vpnupgrade_centos.sh can be used to upgrade Libreswan (changelog | announce). Edit the `swan_ver` variable as necessary. Check installed version: `ipsec --version`. ```bash # Ubuntu & Debian @@ -150,7 +149,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## Bugs & Questions - Got a question? Please first search other people's comments in this Gist and on my blog. -- Ask VPN related questions on these mailing lists: [1] [2], or read related articles: [1] [2] [3] [4]. +- Ask VPN related questions on these mailing lists: [1] [2], or read related articles: [1] [2] [3] [4] [5]. - If you found a reproducible bug, open a GitHub Issue to submit a bug report. ## Uninstallation @@ -163,22 +162,13 @@ Please refer to Uninstall the VPNIKEv2 VPN Server on Docker - Streisand - SoftEther VPN -- Shadowsocks / ShadowsocksR +- Shadowsocks - OpenVPN Install - Setup strongSwan -## Author - -**Lin Song** (linsongui@gmail.com) -- Final year U.S. PhD candidate, majoring in Electrical and Computer Engineering (ECE) -- Actively seeking opportunities in areas such as Software or Systems Engineering -- Contact me on LinkedIn: https://www.linkedin.com/in/linsongui - -Thanks to all contributors to this project! - ## License -Copyright (C) 2014-2016 Lin Song   View my profile on LinkedIn +Copyright (C) 2014-2016 Lin Song View my profile on LinkedIn Based on the work of Thomas Sarlandie (Copyright 2012) This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License diff --git a/azure/README-zh.md b/azure/README-zh.md index 46de68c73b..53e3bf5535 100644 --- a/azure/README-zh.md 
+++ b/azure/README-zh.md @@ -18,10 +18,10 @@ Deploy to Azure -屏幕截图: - -![Azure Custom Deployment](custom_deployment_screenshot.png) - ## 作者 版权所有 (C) 2016 [Daniel Falkner](https://github.com/derdanu) + +## 屏幕截图 + +![Azure Custom Deployment](custom_deployment_screenshot.png) diff --git a/azure/README.md b/azure/README.md index 4ef9222189..801f97d70e 100644 --- a/azure/README.md +++ b/azure/README.md @@ -18,10 +18,10 @@ Press this button to start: Deploy to Azure -Screenshot: - -![Azure Custom Deployment](custom_deployment_screenshot.png) - ## Author Copyright (C) 2016 [Daniel Falkner](https://github.com/derdanu) + +## Screenshot + +![Azure Custom Deployment](custom_deployment_screenshot.png) From 8cc1362d1702a2c0756a47581adb696cbd4b980e Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 23 Dec 2016 16:17:36 -0600 Subject: [PATCH 0056/1208] Workaround for xl2tpd bug - Temporary workaround for an xl2tpd bug which affects CentOS 7 - Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1406360 --- vpnsetup_centos.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index ee0c7456f4..80ea1e2853 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -144,7 +144,15 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel \ curl-devel flex bison gcc make \ fipscheck-devel unbound-devel xmlto || exiterr2 -yum -y install ppp xl2tpd || exiterr2 +yum -y install ppp || exiterr2 + +# Temporary workaround for xl2tpd bug +# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1406360 +if grep -qs "release 6" /etc/redhat-release; then + yum -y install xl2tpd || exiterr2 +else + yum -y --enablerepo=epel-testing install xl2tpd || exiterr2 +fi # Install Fail2Ban to protect SSH server yum -y install fail2ban || exiterr2 From 9b3eeed571adee116ef6fd55bd6ce03e001321b2 Mon Sep 17 00:00:00 2001 
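Review bot: The `else` branch in the vpnsetup_centos.sh hunk of commit 8cc1362 installs xl2tpd with `--enablerepo=epel-testing` on every release that does not match "release 6", so a network-facing daemon is taken from a repository whose packages have not yet been promoted to stable EPEL, and any dependency resolved in the same yum transaction can come from there as well. Since the workaround is described as temporary, consider matching "release 7" explicitly instead of using a catch-all `else`, trying the stable package first and enabling epel-testing only when the stable build is still the affected one, and stating in the comment the condition under which the branch should be removed.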
From: hwdsl2 Date: Wed, 28 Dec 2016 13:24:17 -0600 Subject: [PATCH 0057/1208] Improve tests --- .travis.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.travis.yml b/.travis.yml index aad1545624..04ffe5fb73 100644 --- a/.travis.yml +++ b/.travis.yml @@ -16,3 +16,7 @@ script: - sleep 15 - sudo netstat -anpu | grep pluto - sudo netstat -anpu | grep xl2tpd + +notifications: + email: + - linsongui@gmail.com From b59389a03fe16386925fb57385110ed50718a059 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 29 Dec 2016 00:35:37 -0600 Subject: [PATCH 0058/1208] Use L2TP kernel support - Use L2TP kernel support on CentOS 6 - This could improve L2TP performance --- vpnsetup_centos.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 80ea1e2853..35abbd67b2 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -392,6 +392,7 @@ if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then cat >> /etc/rc.local <<'EOF' # Added by hwdsl2 VPN script +modprobe -q pppol2tp service ipsec start service xl2tpd start echo 1 > /proc/sys/net/ipv4/ip_forward @@ -414,6 +415,7 @@ chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* iptables-restore < "$IPT_FILE" # Restart services +modprobe -q pppol2tp service fail2ban restart 2>/dev/null service ipsec restart 2>/dev/null service xl2tpd restart 2>/dev/null From 261e472e3e3ee981e40ae5e0392ffe0d82b287a2 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 29 Dec 2016 21:56:23 -0600 Subject: [PATCH 0059/1208] Bugfix - In xl2tpd version 1.3.8, which was pushed to the EPEL repository in Dec. 2016, the options "crtscts" and "lock" are no longer recognized in "/etc/ppp/options.xl2tpd" and generates an error. - This commit fixes the VPN on CentOS by removing those options. - Ref: https://github.com/xelerance/xl2tpd/issues/108 --- vpnsetup_centos.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 35abbd67b2..9fc8aa9778 100755 
--- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -274,10 +274,8 @@ ms-dns 8.8.8.8 ms-dns 8.8.4.4 noccp auth -crtscts mtu 1280 mru 1280 -lock proxyarp lcp-echo-failure 4 lcp-echo-interval 30 From 69caa6551295c1e1a2f9bffde5c693be744301b3 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 30 Dec 2016 16:16:33 -0600 Subject: [PATCH 0060/1208] Improve options - Remove some xl2tpd (pppd) options for Ubuntu/Debian - They are not recognized in the new xl2tpd version 1.3.8 - Ref: 261e472 --- vpnsetup.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index eb76ef39e2..0b702b9c35 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -276,10 +276,8 @@ ms-dns 8.8.8.8 ms-dns 8.8.4.4 noccp auth -crtscts mtu 1280 mru 1280 -lock proxyarp lcp-echo-failure 4 lcp-echo-interval 30 From e6ebdeaaf8bf197d76e13076c5b9510bf49cfb71 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 30 Dec 2016 16:24:47 -0600 Subject: [PATCH 0061/1208] Update docs [ci skip] --- docs/clients-zh.md | 6 ++---- docs/clients.md | 6 ++---- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 8ab0b728cd..ddb74a9f48 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -176,7 +176,7 @@ yum -y install strongswan xl2tpd ``` VPN_SERVER_IP='your_vpn_server_ip' VPN_IPSEC_PSK='your_ipsec_pre_shared_key' -VPN_USERNAME='your_vpn_username' +VPN_USER='your_vpn_username' VPN_PASSWORD='your_vpn_password' ``` @@ -251,10 +251,8 @@ mru 1280 noipdefault defaultroute usepeerdns -debug -lock connect-delay 5000 -name $VPN_USERNAME +name $VPN_USER password $VPN_PASSWORD EOF diff --git a/docs/clients.md b/docs/clients.md index ce79f82d46..4c2dc8ce26 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -176,7 +176,7 @@ Create VPN variables (replace with actual values): ``` VPN_SERVER_IP='your_vpn_server_ip' VPN_IPSEC_PSK='your_ipsec_pre_shared_key' -VPN_USERNAME='your_vpn_username' +VPN_USER='your_vpn_username' VPN_PASSWORD='your_vpn_password' ``` 
@@ -251,10 +251,8 @@ mru 1280 noipdefault defaultroute usepeerdns -debug -lock connect-delay 5000 -name $VPN_USERNAME +name $VPN_USER password $VPN_PASSWORD EOF From 3dbf3a9c09b446a4be75eae6bff389eeca700e8f Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 31 Dec 2016 16:36:04 -0600 Subject: [PATCH 0062/1208] Remove xl2tpd workaround - Updated xl2tpd package is now available in EPEL - This workaround is no longer needed - Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1406360 - Ref: 8cc1362 --- vpnsetup_centos.sh | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 9fc8aa9778..27c77de6b7 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -144,15 +144,7 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel \ curl-devel flex bison gcc make \ fipscheck-devel unbound-devel xmlto || exiterr2 -yum -y install ppp || exiterr2 - -# Temporary workaround for xl2tpd bug -# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1406360 -if grep -qs "release 6" /etc/redhat-release; then - yum -y install xl2tpd || exiterr2 -else - yum -y --enablerepo=epel-testing install xl2tpd || exiterr2 -fi +yum -y install ppp xl2tpd || exiterr2 # Install Fail2Ban to protect SSH server yum -y install fail2ban || exiterr2 From 9ea2b50daeb024827f2f4edbfb02ce035efdd349 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 2 Jan 2017 01:43:21 -0600 Subject: [PATCH 0063/1208] Improve OS detection - Check /etc/lsb-release if command "lsb_release" is missing --- extras/vpnupgrade.sh | 3 +++ vpnsetup.sh | 3 +++ 2 files changed, 6 insertions(+) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index d73515b617..38255a0d59 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -21,6 +21,9 @@ exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } os_type="$(lsb_release -si 2>/dev/null)" +if [ -z "$os_type" ] && [ -f "/etc/lsb-release" ]; then + os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")" +fi if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ] && [ "$os_type" != "Raspbian" ]; then exiterr "This script only supports Ubuntu/Debian." fi diff --git a/vpnsetup.sh b/vpnsetup.sh index 0b702b9c35..2ea82f97a1 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -46,6 +46,9 @@ check_ip() { } os_type="$(lsb_release -si 2>/dev/null)" +if [ -z "$os_type" ] && [ -f "/etc/lsb-release" ]; then + os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")" +fi if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ] && [ "$os_type" != "Raspbian" ]; then exiterr "This script only supports Ubuntu/Debian." fi From 525f39d141bdb8007e996433994965d33517c0f9 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 2 Jan 2017 09:17:59 -0600 Subject: [PATCH 0064/1208] Fix tests --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 04ffe5fb73..04fb655524 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,6 +10,7 @@ addons: - shellcheck script: + - export SHELLCHECK_OPTS="-e SC1091" - shellcheck *.sh extras/*.sh - sudo sed -i "/debian unstable/d" /etc/apt/sources.list - sudo sh vpnsetup.sh From 89d75f72430a2bd726c2aa13f48a31d95c057696 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 3 Jan 2017 22:40:48 -0600 Subject: [PATCH 0065/1208] Bugfix for Android 6 and 7 - Add "sha2-truncbug=yes" to /etc/ipsec.conf to fix VPN connections on Android 6 (Marshmallow) and 7 (Nougat) - Ref: https://libreswan.org/wiki/FAQ#Configuration_Matters --- vpnsetup.sh | 1 + vpnsetup_centos.sh | 1 + 2 files changed, 2 insertions(+) diff --git a/vpnsetup.sh b/vpnsetup.sh index 2ea82f97a1..e72daf5873 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
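Review bot: The fallback added to vpnsetup.sh and extras/vpnupgrade.sh in commit 9ea2b50 sources the whole of /etc/lsb-release (`. /etc/lsb-release && echo "$DISTRIB_ID"`) in a script that is run with sudo, so every line of that file is executed as shell just to read one key. Reading the value as data, for example by printing only the line that starts with `DISTRIB_ID=` with sed or grep, gives the same result without executing the file. It would also make the blanket `SHELLCHECK_OPTS="-e SC1091"` from the follow-up .travis.yml change unnecessary; if sourcing stays, a `# shellcheck disable=SC1091` directive on that one line keeps the check active for the rest of the scripts.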
@@ -218,6 +218,7 @@ conn shared dpdaction=clear ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 + sha2-truncbug=yes conn l2tp-psk auto=add diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 27c77de6b7..1da1918295 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -205,6 +205,7 @@ conn shared dpdaction=clear ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 + sha2-truncbug=yes conn l2tp-psk auto=add From e41cf78b536819d1599f5f11e02688c04b2152f4 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 3 Jan 2017 23:30:01 -0600 Subject: [PATCH 0066/1208] Update docs [ci skip] --- docs/clients-zh.md | 3 ++- docs/clients.md | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index ddb74a9f48..0e54d9728a 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -377,7 +377,8 @@ strongswan down myvpn 如果你无法使用 Android 6 (Marshmallow) 或者 7 (Nougat) 连接: 1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 -1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...`,然后在它下面添加一行 `sha2-truncbug=yes`,开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) +1. **注:** 最新版本的 VPN 脚本已经包含这些更改。 + 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...`,然后在它下面添加一行 `sha2-truncbug=yes`,开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) ![Android VPN workaround](images/vpn-profile-Android.png) diff --git a/docs/clients.md b/docs/clients.md index 4c2dc8ce26..8dc11782e7 100644 --- a/docs/clients.md +++ b/docs/clients.md 
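Review bot: In commit 89d75f7, `sha2-truncbug=yes` is added under `conn shared` in both vpnsetup.sh and vpnsetup_centos.sh, so it applies to every client that uses these connections and not only to the Android 6 and 7 devices the commit message names. With this option Libreswan truncates the SHA2-256 ESP hash to 96 bits instead of the 128 bits the RFC specifies, so a standards-compliant client that settles on `aes256-sha2_256` from the `phase2alg` list would negotiate successfully and then fail to pass traffic. Please add a comment above the new line stating that trade-off, and consider mentioning it in docs/clients.md next to the Android troubleshooting step.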
@@ -376,7 +376,8 @@ To fix this error, please follow these steps: If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat): 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...`, and add a new line `sha2-truncbug=yes` immediately below it, indented with two spaces. Save the file and run `service ipsec restart`. (Ref) +1. **Note:** The latest versions of VPN scripts already include these changes. + Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...`, and add a new line `sha2-truncbug=yes` immediately below it, indented with two spaces. Save the file and run `service ipsec restart`. (Ref) ![Android VPN workaround](images/vpn-profile-Android.png) From ca84aa7a139c1a33525f4db6a28a99abe45b3405 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 4 Jan 2017 01:50:41 -0600 Subject: [PATCH 0067/1208] Improve services on boot --- vpnsetup.sh | 18 ++++++++++++------ vpnsetup_centos.sh | 17 +++++++++++------ 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index e72daf5873..e8692bc111 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -387,16 +387,22 @@ exit 0 EOF # Start services at boot -update-rc.d fail2ban enable >/dev/null 2>&1 -systemctl enable fail2ban >/dev/null 2>&1 +for svc in fail2ban ipsec xl2tpd; do + update-rc.d "$svc" enable >/dev/null 2>&1 + systemctl enable "$svc" >/dev/null 2>&1 +done if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then - conf_bk "/etc/rc.local" - sed --follow-symlinks -i '/^exit 0/d' /etc/rc.local + if [ -f /etc/rc.local ]; then + conf_bk "/etc/rc.local" + sed --follow-symlinks -i '/^exit 0/d' /etc/rc.local + else + echo '#!/bin/sh' > /etc/rc.local + fi cat >> /etc/rc.local <<'EOF' # Added by hwdsl2 VPN script -service ipsec start -service xl2tpd start +service ipsec restart +service xl2tpd restart echo 1 > /proc/sys/net/ipv4/ip_forward exit 0 EOF diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 1da1918295..dd9fd5780d 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -371,21 +371,26 @@ fi # Start services at boot if grep -qs "release 6" /etc/redhat-release; then - chkconfig iptables on - chkconfig fail2ban on + for svc in iptables fail2ban ipsec xl2tpd; do + chkconfig "$svc" on + done else systemctl --now mask firewalld yum -y install iptables-services || exiterr2 - systemctl enable iptables fail2ban >/dev/null 2>&1 + systemctl enable iptables fail2ban ipsec xl2tpd >/dev/null 2>&1 fi if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then - conf_bk "/etc/rc.local" + if [ -f /etc/rc.local ]; then + conf_bk "/etc/rc.local" + else + echo '#!/bin/sh' > /etc/rc.local + fi cat >> /etc/rc.local <<'EOF' # Added by hwdsl2 VPN script modprobe -q pppol2tp -service ipsec start -service xl2tpd start +service ipsec restart +service xl2tpd restart echo 1 > /proc/sys/net/ipv4/ip_forward EOF fi From 9500da32313cac2c0f69f7dddb2fc74a4e0f9bde Mon Sep 17 00:00:00 2001 
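Review bot: After this change ipsec and xl2tpd are started twice at boot in both scripts: the init system starts them because they are now in the `update-rc.d`/`systemctl enable` loop (and the `chkconfig "$svc" on` loop on CentOS 6), and rc.local then runs `service ipsec restart` and `service xl2tpd restart` on top of that. A restart issued from rc.local while the init system is still bringing the same daemons up can race with it. Pick one mechanism: either leave the two services out of the enable lists and keep the rc.local lines, or keep them enabled and drop the rc.local lines. In the same hunks, `echo '#!/bin/sh' > /etc/rc.local` creates the file when it is missing, but the visible lines do not make it executable.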
From: hwdsl2 Date: Fri, 6 Jan 2017 00:51:59 -0600 Subject: [PATCH 0068/1208] Bugfix - Fix commit ca84aa7 to avoid a possible race condition when starting ipsec and xl2tpd services on boot --- vpnsetup.sh | 4 ++-- vpnsetup_centos.sh | 7 +++---- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index e8692bc111..bc5738cd2f 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -401,8 +401,8 @@ if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then cat >> /etc/rc.local <<'EOF' # Added by hwdsl2 VPN script -service ipsec restart -service xl2tpd restart +service ipsec start +service xl2tpd start echo 1 > /proc/sys/net/ipv4/ip_forward exit 0 EOF diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index dd9fd5780d..dee7c98e19 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -371,13 +371,12 @@ fi # Start services at boot if grep -qs "release 6" /etc/redhat-release; then - for svc in iptables fail2ban ipsec xl2tpd; do - chkconfig "$svc" on - done + chkconfig iptables on + chkconfig fail2ban on else systemctl --now mask firewalld yum -y install iptables-services || exiterr2 - systemctl enable iptables fail2ban ipsec xl2tpd >/dev/null 2>&1 + systemctl enable iptables fail2ban >/dev/null 2>&1 fi if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if [ -f /etc/rc.local ]; then From efeff51f3adc7ba0595c87531ea6c88e83798ad5 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 6 Jan 2017 16:08:17 -0600 Subject: [PATCH 0069/1208] Improve tests --- .travis.yml | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/.travis.yml b/.travis.yml index 04fb655524..49a8473ce9 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -10,13 +10,34 @@ addons: - shellcheck script: - - export SHELLCHECK_OPTS="-e SC1091" - - shellcheck *.sh extras/*.sh - - sudo sed -i "/debian unstable/d" /etc/apt/sources.list - - sudo sh vpnsetup.sh - - sleep 15 - - sudo netstat -anpu | grep pluto - - sudo netstat -anpu | grep xl2tpd + - export SHELLCHECK_OPTS="-e SC1091" + - shellcheck *.sh extras/*.sh + - sudo sed -i "/debian unstable/d" /etc/apt/sources.list + - sudo VPN_IPSEC_PSK='vpn_psk' + VPN_USER='vpn_user' + VPN_PASSWORD='vpn_pass' sh vpnsetup.sh + - sleep 10 + - sudo netstat -anpu | grep pluto + - sudo netstat -anpu | grep xl2tpd + - sudo grep 'vpn_psk' /etc/ipsec.secrets + - sudo grep 'vpn_user' /etc/ppp/chap-secrets + - sudo grep 'vpn_pass' /etc/ppp/chap-secrets + - sudo grep 'vpn_user' /etc/ipsec.d/passwd + - sudo sh vpnsetup.sh + - sleep 10 + - sudo netstat -anpu | grep pluto + - sudo netstat -anpu | grep xl2tpd + - sed -i -e "/^YOUR_IPSEC_PSK/s/''/'vpn_psk'/" + -e "/^YOUR_USERNAME/s/''/'vpn_user'/" + -e "/^YOUR_PASSWORD/s/''/'vpn_pass'/" vpnsetup.sh + - sudo sh vpnsetup.sh + - sleep 10 + - sudo netstat -anpu | grep pluto + - sudo netstat -anpu | grep xl2tpd + - sudo grep 'vpn_psk' /etc/ipsec.secrets + - sudo grep 'vpn_user' /etc/ppp/chap-secrets + - sudo grep 'vpn_pass' /etc/ppp/chap-secrets + - sudo grep 'vpn_user' /etc/ipsec.d/passwd notifications: email: From c23d5c972a7729e4798fc2e6e4572b31be34968f Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 7 Jan 2017 23:32:58 -0600 Subject: [PATCH 0070/1208] Update docs [ci skip] --- README-zh.md | 19 +++++++++++++++++++ README.md | 21 ++++++++++++++++++++- 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/README-zh.md b/README-zh.md index 3f5600ba43..de3dc558ad 100644 --- a/README-zh.md +++ b/README-zh.md @@ -14,6 +14,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 #### 目录 +- [快速开始](#快速开始) - [功能特性](#功能特性) - [系统要求](#系统要求) - [安装说明](#安装说明) 
@@ -25,6 +26,24 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 - [另见](#另见) - [授权协议](#授权协议) +## 快速开始 + +首先,在你的 Linux 服务器* 上全新安装一个 Ubuntu LTS,Debian 8 或者 CentOS 7/6 系统。 + +使用以下命令快速搭建 IPsec VPN 服务器: + +```bash +wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh +``` + +对于 CentOS 系统,将上面的 `https://git.io/vpnsetup` 换成 `https://git.io/vpnsetup-centos`。 + +你的 VPN 登录凭证将会被自动随机生成,并在安装完成后在屏幕上显示。 + +如需了解其它安装选项,以及如何配置 VPN 客户端,请阅读以下部分。 + +\* 一个专用服务器或者虚拟专用服务器 (VPS)。OpenVZ VPS 不受支持。 + ## 功能特性 - **新:** 增加支持更高效的 `IPsec/XAuth ("Cisco IPsec")` 模式 diff --git a/README.md b/README.md index e67e6bba3c..086dafca46 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,7 @@ We will use Libreswan as th #### Table of Contents +- [Quick start](#quick-start) - [Features](#features) - [Requirements](#requirements) - [Installation](#installation) @@ -25,6 +26,24 @@ We will use Libreswan as th - [See also](#see-also) - [License](#license) +## Quick start + +First, prepare your Linux server* with a fresh install of Ubuntu LTS, Debian 8 or CentOS 7/6. + +Use this one-liner to set up an IPsec VPN server: + +```bash +wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh +``` + +If using CentOS, replace `https://git.io/vpnsetup` above with `https://git.io/vpnsetup-centos`. + +Your VPN login details will be randomly generated, and displayed on the screen when finished. + +For other installation options and how to set up VPN clients, read the sections below. + +\* A dedicated server or Virtual Private Server (VPS). OpenVZ VPS is NOT supported. + ## Features - **New:** The faster `IPsec/XAuth ("Cisco IPsec")` mode is supported 
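Review bot: The Quick start one-liner added to README.md, `wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh`, runs whatever the git.io short link currently redirects to as root, and the new section gives no checksum or pinned URL to compare the download against. Suggest pointing the command at a full raw URL for a tagged release or commit, publishing a SHA-256 for the script, and splitting the download from the `sudo sh` step so users can check or read the file before running it. The same applies to the matching README-zh.md hunk.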
@@ -48,7 +67,7 @@ Please refer to this workaround. OpenVZ VPS is NOT supported, users could instead try OpenVPN. +A dedicated server or Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used with this workaround. OpenVZ VPS is NOT supported, users could instead try OpenVPN. This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, Rackspace and VMware vCloud Air. From ba0fbb3860440905d6a8ba2af43dd5cc89f52016 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 9 Jan 2017 02:23:09 -0600 Subject: [PATCH 0071/1208] Improve script outputs --- extras/vpnupgrade.sh | 2 +- vpnsetup.sh | 45 +++++++++++++++++++++++---------------- vpnsetup_centos.sh | 50 ++++++++++++++++++++++++++------------------ 3 files changed, 58 insertions(+), 39 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 38255a0d59..737e4090f2 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -72,7 +72,7 @@ Your existing VPN configuration files will NOT be modified. EOF -if [ "$(sed 's/\..*//' /etc/debian_version 2>/dev/null)" = "7" ]; then +if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then cat <<'EOF' IMPORTANT: Workaround required for Debian 7 (Wheezy). You must first run the script at: https://git.io/vpndeb7 diff --git a/vpnsetup.sh b/vpnsetup.sh index bc5738cd2f..64d05a99e7 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -39,6 +39,7 @@ SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } +print_status() { echo; echo "## $1"; echo; } check_ip() { IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" 
@@ -88,8 +89,7 @@ fi [ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD" if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then - echo "VPN credentials not set by user. Generating random PSK and password..." - echo + print_status "VPN credentials not set by user. Generating random PSK and password..." VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" VPN_USER=vpnuser VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" @@ -105,7 +105,7 @@ case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in ;; esac -if [ "$(sed 's/\..*//' /etc/debian_version 2>/dev/null)" = "7" ]; then +if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then cat <<'EOF' IMPORTANT: Workaround required for Debian 7 (Wheezy). You must first run the script at: https://git.io/vpndeb7 @@ -117,28 +117,27 @@ EOF sleep 30 fi -echo "VPN setup in progress... Please be patient." -echo +print_status "VPN setup in progress... Please be patient." # Create and change to working dir mkdir -p /opt/src cd /opt/src || exiterr "Cannot enter /opt/src." -# Update package index +print_status "Populating apt-get cache..." + export DEBIAN_FRONTEND=noninteractive apt-get -yq update || exiterr "'apt-get update' failed." -# Make sure basic commands exist +print_status "Installing packages required for setup..." + apt-get -yq install wget dnsutils openssl || exiterr2 apt-get -yq install iproute gawk grep sed net-tools || exiterr2 -cat <<'EOF' - -Trying to auto discover IPs of this server... +print_status "Trying to auto discover IPs of this server..." +cat <<'EOF' In case the script hangs here for more than a few minutes, use Ctrl-C to interrupt. Then edit it and manually enter IPs. - EOF # In case auto IP discovery fails, you may manually enter server IPs here. 
@@ -156,7 +155,8 @@ check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script a check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs." -# Install necessary packages +print_status "Installing packages required for the VPN..." + apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \ libcurl4-nss-dev flex bison gcc make \ @@ -164,10 +164,12 @@ apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ apt-get -yq --no-install-recommends install xmlto || exiterr2 apt-get -yq install ppp xl2tpd || exiterr2 -# Install Fail2Ban to protect SSH server +print_status "Installing Fail2Ban to protect SSH..." + apt-get -yq install fail2ban || exiterr2 -# Compile and install Libreswan +print_status "Compiling and installing Libreswan..." + swan_ver=3.18 swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://download.libreswan.org/$swan_file" @@ -191,6 +193,8 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then exiterr "Libreswan $swan_ver failed to build." fi +print_status "Creating VPN configuration..." + # Create IPsec (Libreswan) config conf_bk "/etc/ipsec.conf" cat > /etc/ipsec.conf < /etc/ipsec.d/passwd <> /etc/sysctl.conf < /etc/network/if-pre-up.d/iptablesload <<'EOF' #!/bin/sh @@ -386,10 +394,9 @@ iptables-restore < /etc/iptables.rules exit 0 EOF -# Start services at boot for svc in fail2ban ipsec xl2tpd; do update-rc.d "$svc" enable >/dev/null 2>&1 - systemctl enable "$svc" >/dev/null 2>&1 + systemctl enable "$svc" 2>/dev/null done if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if [ -f /etc/rc.local ]; then @@ -411,6 +418,8 @@ EOF fi fi +print_status "Starting services..." + # Reload sysctl.conf sysctl -e -q -p 
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index dee7c98e19..29f7aedb5b 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -39,6 +39,7 @@ SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } +print_status() { echo; echo "## $1"; echo; } check_ip() { IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" @@ -84,8 +85,7 @@ fi [ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD" if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then - echo "VPN credentials not set by user. Generating random PSK and password..." - echo + print_status "VPN credentials not set by user. Generating random PSK and password..." VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" VPN_USER=vpnuser VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" @@ -101,24 +101,22 @@ case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in ;; esac -echo "VPN setup in progress... Please be patient." -echo +print_status "VPN setup in progress... Please be patient." # Create and change to working dir mkdir -p /opt/src cd /opt/src || exiterr "Cannot enter /opt/src." -# Make sure basic commands exist +print_status "Installing packages required for setup..." + yum -y install wget bind-utils openssl || exiterr2 yum -y install iproute gawk grep sed net-tools || exiterr2 -cat <<'EOF' - -Trying to auto discover IPs of this server... +print_status "Trying to auto discover IPs of this server..." +cat <<'EOF' In case the script hangs here for more than a few minutes, use Ctrl-C to interrupt. Then edit it and manually enter IPs. - EOF # In case auto IP discovery fails, you may manually enter server IPs here. 
@@ -136,20 +134,18 @@ check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script a check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs." -# Add the EPEL repository +print_status "Adding the EPEL repository..." + yum -y install epel-release || exiterr2 -# Install necessary packages +print_status "Installing packages required for the VPN..." + yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel \ curl-devel flex bison gcc make \ fipscheck-devel unbound-devel xmlto || exiterr2 yum -y install ppp xl2tpd || exiterr2 -# Install Fail2Ban to protect SSH server -yum -y install fail2ban || exiterr2 - -# Install libevent2 and systemd-devel if grep -qs "release 6" /etc/redhat-release; then yum -y remove libevent-devel yum -y install libevent2-devel || exiterr2 @@ -157,7 +153,12 @@ else yum -y install libevent-devel systemd-devel || exiterr2 fi -# Compile and install Libreswan +print_status "Installing Fail2Ban to protect SSH..." + +yum -y install fail2ban || exiterr2 + +print_status "Compiling and installing Libreswan..." + swan_ver=3.18 swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://download.libreswan.org/$swan_file" @@ -178,6 +179,8 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then exiterr "Libreswan $swan_ver failed to build." fi +print_status "Creating VPN configuration..." + # Create IPsec (Libreswan) config conf_bk "/etc/ipsec.conf" cat > /etc/ipsec.conf < /etc/ipsec.d/passwd <> /etc/sysctl.conf <> "$IPT_FILE" fi -# Create basic Fail2Ban rules +print_status "Creating basic Fail2Ban rules..." + if [ ! -f /etc/fail2ban/jail.local ] ; then cat > /etc/fail2ban/jail.local <<'EOF' [ssh-iptables] 
@@ -369,14 +376,15 @@ logpath = /var/log/secure EOF fi -# Start services at boot +print_status "Enabling services on boot..." + if grep -qs "release 6" /etc/redhat-release; then chkconfig iptables on chkconfig fail2ban on else systemctl --now mask firewalld yum -y install iptables-services || exiterr2 - systemctl enable iptables fail2ban >/dev/null 2>&1 + systemctl enable iptables fail2ban fi if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if [ -f /etc/rc.local ]; then @@ -394,6 +402,8 @@ echo 1 > /proc/sys/net/ipv4/ip_forward EOF fi +print_status "Starting services..." + # Restore SELinux contexts restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null From ad8295721d8c7a2b0d2ef970bbdb3d4b79bf0f3c Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 9 Jan 2017 10:39:26 -0600 Subject: [PATCH 0072/1208] Minor clean up --- vpnsetup_centos.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 29f7aedb5b..a07c0e0ed8 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -151,6 +151,7 @@ if grep -qs "release 6" /etc/redhat-release; then yum -y install libevent2-devel || exiterr2 else yum -y install libevent-devel systemd-devel || exiterr2 + yum -y install iptables-services || exiterr2 fi print_status "Installing Fail2Ban to protect SSH..." @@ -382,9 +383,8 @@ if grep -qs "release 6" /etc/redhat-release; then chkconfig iptables on chkconfig fail2ban on else - systemctl --now mask firewalld - yum -y install iptables-services || exiterr2 - systemctl enable iptables fail2ban + systemctl --now mask firewalld 2>/dev/null + systemctl enable iptables fail2ban 2>/dev/null fi if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if [ -f /etc/rc.local ]; then From 2dbdee12877f26645c5cf56db8f1bfa20f30bada Mon Sep 17 00:00:00 2001 
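Review bot: In the `@@ -382,9 +383,8` hunk of the "Minor clean up" patch to vpnsetup_centos.sh, `systemctl --now mask firewalld 2>/dev/null` and `systemctl enable iptables fail2ban 2>/dev/null` hide their errors and their exit status is never tested, although the `yum -y install iptables-services` line moved by the same patch ends in `|| exiterr2`. If the mask fails, firewalld can stay active alongside the iptables service; if the enable fails, the saved rules and Fail2Ban do not come back after a reboot, and the script says nothing in either case. Suggest masking only when the firewalld unit exists and letting a failed `systemctl enable` reach `exiterr`.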
From: hwdsl2 Date: Mon, 16 Jan 2017 12:30:37 -0600 Subject: [PATCH 0073/1208] Upgrade to Libreswan 3.19 - Upgrade to new Libreswan version 3.19 - Some changes are required in the VPN config files - Ref: https://lists.libreswan.org/pipermail/swan-announce/2017/000023.html --- extras/vpnupgrade.sh | 26 ++++++++++++++++++++++++-- extras/vpnupgrade_centos.sh | 26 ++++++++++++++++++++++++-- vpnsetup.sh | 7 +++---- vpnsetup_centos.sh | 7 +++---- 4 files changed, 54 insertions(+), 12 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 737e4090f2..33870120de 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.18 +swan_ver=3.19 ### DO NOT edit below this line ### @@ -68,7 +68,26 @@ Welcome! This script will build and install Libreswan $swan_ver on your server. Additional packages required for Libreswan compilation will also be installed. This is intended for use on servers running an older version of Libreswan. -Your existing VPN configuration files will NOT be modified. + +EOF + +cat <<'EOF' +!!! IMPORTANT NOTE !!! + +The new Libreswan version 3.19 requires some configuration changes. +This script will make the following changes to your /etc/ipsec.conf: + +Replace this line: + auth=esp +with the following: + phase2=esp + +Replace this line: + forceencaps=yes +with the following: + encapsulation=yes + +Your other VPN configuration files will not be modified. EOF @@ -134,6 +153,9 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then exiterr "Libreswan $swan_ver failed to build." fi +# Update ipsec.conf options +sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf + # Restart IPsec service service ipsec restart diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 98eabbf2ec..4590dc3939 100644 --- a/extras/vpnupgrade_centos.sh 
+++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.18 +swan_ver=3.19 ### DO NOT edit below this line ### @@ -64,7 +64,26 @@ Welcome! This script will build and install Libreswan $swan_ver on your server. Additional packages required for Libreswan compilation will also be installed. This is intended for use on servers running an older version of Libreswan. -Your existing VPN configuration files will NOT be modified. + +EOF + +cat <<'EOF' +!!! IMPORTANT NOTE !!! + +The new Libreswan version 3.19 requires some configuration changes. +This script will make the following changes to your /etc/ipsec.conf: + +Replace this line: + auth=esp +with the following: + phase2=esp + +Replace this line: + forceencaps=yes +with the following: + encapsulation=yes + +Your other VPN configuration files will not be modified. EOF @@ -131,6 +150,9 @@ restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null +# Update ipsec.conf options +sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf + # Restart IPsec service service ipsec restart diff --git a/vpnsetup.sh b/vpnsetup.sh index 64d05a99e7..2f3c1113f8 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -170,7 +170,7 @@ apt-get -yq install fail2ban || exiterr2 print_status "Compiling and installing Libreswan..." -swan_ver=3.18 +swan_ver=3.19 swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://download.libreswan.org/$swan_file" swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" @@ -201,7 +201,6 @@ cat > /etc/ipsec.conf < /etc/ipsec.conf < Date: Mon, 16 Jan 2017 17:27:08 -0600 Subject: [PATCH 0074/1208] Update docs [ci skip] --- docs/ikev2-howto-zh.md | 11 ++++++++++- docs/ikev2-howto.md | 11 ++++++++++- 2 files changed, 20 insertions(+), 2 deletions(-) 
diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index a0cbe833bb..66f41bff49 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -58,12 +58,21 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ikev2=insist rekey=no fragmentation=yes - forceencaps=yes ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 EOF ``` + 还需要在该文件中添加一行,根据 Libreswan 的版本而不同。请运行以下命令: + + ```bash + $ if /usr/local/sbin/ipsec --version | grep -qs -F "3.19"; then + echo " encapsulation=yes" >> /etc/ipsec.conf + else + echo " forceencaps=yes" >> /etc/ipsec.conf + fi + ``` + 1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: 注: 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 423730314c..e68a65bca9 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -58,12 +58,21 @@ Before continuing, make sure you have successfully > /etc/ipsec.conf + else + echo " forceencaps=yes" >> /etc/ipsec.conf + fi + ``` + 1. Generate Certificate Authority (CA) and VPN server certificates: Note: Specify the certificate validity period (in months) using "-v". e.g. "-v 36". From 85ac19fc70df3bfacb51a5d777b7ef6c67a20b3e Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 16 Jan 2017 17:31:38 -0600 Subject: [PATCH 0075/1208] Minor fix - Use the "fixed strings" option in "grep" commands for "swan_ver", so that the "." in this variable is treated literally. --- extras/vpnupgrade.sh | 4 ++-- extras/vpnupgrade_centos.sh | 4 ++-- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 33870120de..e3f355edb7 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -44,7 +44,7 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then +if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then echo "You already have Libreswan version $swan_ver installed! " echo "If you continue, the same version will be re-installed." echo @@ -149,7 +149,7 @@ make -s programs && make -s install # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." /bin/rm -rf "/opt/src/libreswan-$swan_ver" -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then exiterr "Libreswan $swan_ver failed to build." fi diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 4590dc3939..f5d79bcc84 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -40,7 +40,7 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then +if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then echo "You already have Libreswan version $swan_ver installed! " echo "If you continue, the same version will be re-installed." echo @@ -141,7 +141,7 @@ make -s programs && make -s install # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." /bin/rm -rf "/opt/src/libreswan-$swan_ver" -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then exiterr "Libreswan $swan_ver failed to build." fi diff --git a/vpnsetup.sh b/vpnsetup.sh index 2f3c1113f8..8d46ad547d 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
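Review bot: `grep -qs -F "$swan_ver"` in the vpnupgrade.sh and vpnupgrade_centos.sh hunks is still a substring match against the whole `ipsec --version` output, so `-F` fixes the `.` wildcard but not the false positives: a `swan_ver` of 3.1 matches 3.19, and any other dotted number in that output (a kernel release, for example) can satisfy the check. This matters most in the "Verify the install and clean up" hunks, where a match is the only evidence that the build succeeded. Suggest matching the product name and version together as a whole word, e.g. `grep -qsw -F "Libreswan $swan_ver"`, after confirming that the output has that form.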
@@ -189,7 +189,7 @@ make -s programs && make -s install # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." /bin/rm -rf "/opt/src/libreswan-$swan_ver" -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then exiterr "Libreswan $swan_ver failed to build." fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 80b83aa2d7..f00c453656 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -176,7 +176,7 @@ make -s programs && make -s install # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." /bin/rm -rf "/opt/src/libreswan-$swan_ver" -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then exiterr "Libreswan $swan_ver failed to build." fi From 2727f1a1a0f9a75ccebd162126f0888146f3ae24 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 16 Jan 2017 22:13:13 -0600 Subject: [PATCH 0076/1208] Update year --- LICENSE.md | 2 +- README-zh.md | 2 +- README.md | 2 +- docs/clients-xauth-zh.md | 2 +- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 2 +- docs/clients.md | 2 +- extras/vpnsetup-debian-7-workaround.sh | 2 +- extras/vpnupgrade.sh | 2 +- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/LICENSE.md b/LICENSE.md index e001b5d186..bcb0c6261b 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,7 +1,7 @@ ### Creative Commons Attribution-ShareAlike 3.0 Unported License Link to license summary: https://creativecommons.org/licenses/by-sa/3.0/ -Copyright (C) 2014-2016 Lin Song +Copyright (C) 2014-2017 Lin Song Based on the work of Thomas Sarlandie (Copyright 2012)

THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS diff --git a/README-zh.md b/README-zh.md index de3dc558ad..16c5c4178b 100644 --- a/README-zh.md +++ b/README-zh.md @@ -187,7 +187,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## 授权协议 -版权所有 (C) 2014-2016 Lin Song View my profile on LinkedIn +版权所有 (C) 2014-2017 Lin Song View my profile on LinkedIn 基于 Thomas Sarlandie 的工作 (版权所有 2012) 这个项目是以 知识共享署名-相同方式共享3.0 许可协议授权。 diff --git a/README.md b/README.md index 086dafca46..6aac510e75 100644 --- a/README.md +++ b/README.md @@ -187,7 +187,7 @@ Please refer to Uninstall the VPNLin Song View my profile on LinkedIn +Copyright (C) 2014-2017 Lin Song View my profile on LinkedIn Based on the work of Thomas Sarlandie (Copyright 2012) This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 2a7c684193..e568bdd99b 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -103,7 +103,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 Joshua Lund 的工作 (版权所有 2014-2016) 本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 4478d53614..127f9d4ef0 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -103,7 +103,7 @@ This document was adapted from the the work of Joshua Lund (Copyright 2014-2016) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 0e54d9728a..7bf3dfcc19 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -398,7 +398,7 @@ strongswan down myvpn 注: 这个协议仅适用于本文档。 -版权所有 (C) 2016 Lin Song +版权所有 (C) 2016-2017 Lin Song 基于 Joshua Lund 的工作 (版权所有 2014-2016) 本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。 diff --git a/docs/clients.md b/docs/clients.md index 8dc11782e7..68d2c7792f 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -397,7 +397,7 @@ This document was adapted from the the work of Joshua Lund (Copyright 2014-2016) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. diff --git a/extras/vpnsetup-debian-7-workaround.sh b/extras/vpnsetup-debian-7-workaround.sh index 21fcae74a8..c767c255dd 100644 --- a/extras/vpnsetup-debian-7-workaround.sh +++ b/extras/vpnsetup-debian-7-workaround.sh @@ -7,7 +7,7 @@ # IMPORTANT: These unofficial packages may not receive security updates compared to # official Debian packages. They could contain vulnerabilities. Use at your own risk! # -# Copyright (C) 2015-2016 Lin Song +# Copyright (C) 2015-2017 Lin Song # # This program is free software: you can redistribute it and/or modify it under # the terms of the GNU General Public License as published by the Free Software diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index e3f355edb7..74e5eb0fcf 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -2,7 +2,7 @@ # # Script to upgrade Libreswan on Ubuntu and Debian # -# Copyright (C) 2016 Lin Song +# Copyright (C) 2016-2017 Lin Song # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index f5d79bcc84..2816a44c7b 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh 
@@ -2,7 +2,7 @@ # # Script to upgrade Libreswan on CentOS and RHEL # -# Copyright (C) 2016 Lin Song +# Copyright (C) 2016-2017 Lin Song # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ diff --git a/vpnsetup.sh b/vpnsetup.sh index 8d46ad547d..3522e86622 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -8,7 +8,7 @@ # The latest version of this script is available at: # https://github.com/hwdsl2/setup-ipsec-vpn # -# Copyright (C) 2014-2016 Lin Song +# Copyright (C) 2014-2017 Lin Song # Based on the work of Thomas Sarlandie (Copyright 2012) # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index f00c453656..943777ccab 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -8,7 +8,7 @@ # The latest version of this script is available at: # https://github.com/hwdsl2/setup-ipsec-vpn # -# Copyright (C) 2015-2016 Lin Song +# Copyright (C) 2015-2017 Lin Song # Based on the work of Thomas Sarlandie (Copyright 2012) # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 From 9455b19119fed1fffaca04f8ebf53a3c12557e35 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 17 Jan 2017 02:14:42 -0600 Subject: [PATCH 0077/1208] Fix docs - Libreswan 3.19 requires configuration changes in ipsec.conf for IKEv2, so that Windows 7/8/10 clients can connect --- docs/ikev2-howto-zh.md | 4 ++-- docs/ikev2-howto.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 66f41bff49..4fb5dd161a 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -58,8 +58,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ikev2=insist rekey=no fragmentation=yes - ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 - phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 + ike=3des-sha1;modp1024,aes-sha1;modp1024,aes256-sha2_256;modp1024 + phase2alg=3des-sha1,aes-sha1,aes256-sha2_256 EOF ``` diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index e68a65bca9..666eeaabac 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -58,8 +58,8 @@ Before continuing, make sure you have successfully Date: Wed, 18 Jan 2017 00:54:53 -0600 Subject: [PATCH 0079/1208] Update docs [ci skip] --- README-zh.md | 4 ++-- README.md | 4 ++-- docs/clients-zh.md | 4 ++++ docs/clients.md | 4 ++++ docs/ikev2-howto-zh.md | 4 +++- docs/ikev2-howto.md | 4 +++- 6 files changed, 18 insertions(+), 6 deletions(-) diff --git a/README-zh.md b/README-zh.md index 16c5c4178b..328fe7b918 100644 --- a/README-zh.md +++ b/README-zh.md @@ -138,9 +138,9 @@ DigitalOcean 用户可以参考这个故障排除。 +**Windows 用户** 在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。 -同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec 的局限性,在同一个 NAT 后面(比如家用路由器)一次只能连接一个设备到 VPN 服务器。即使你创建多个用户也是如此。 +同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果你需要同时连接在同一个 NAT 后面(比如家用路由器)的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。 如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 diff --git a/README.md b/README.md index 6aac510e75..57228c2537 100644 --- a/README.md +++ b/README.md 
@@ -138,9 +138,9 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: *Read this in other languages: [English](README.md#important-notes), [简体中文](README-zh.md#重要提示).* -**Windows and Android users**: If you get an error when trying to connect, see Troubleshooting. +For **Windows users**, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -The same VPN account can be used by your multiple devices. However, due to an IPsec limitation, only one device behind the same NAT (e.g. home router) can connect to the VPN server at a time. This applies even if you create multiple users. +The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, you must use only IPsec/XAuth mode if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router). If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 7bf3dfcc19..6b7eebd76d 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -43,6 +43,8 @@ 1. 单击 **确定** 关闭 **高级设置**。 1. 单击 **确定** 保存 VPN 连接的详细信息。 +注: 在首次连接之前需要修改一次注册表。请参见下面的说明。 + ### Windows 7, Vista and XP 1. 单击开始菜单,选择控制面板。 @@ -69,6 +71,8 @@ 1. 单击 **确定** 关闭 **高级设置**。 1. 单击 **确定** 保存 VPN 连接的详细信息。 +注: 在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。 + 要连接到 VPN: 单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名` 和 `密码` ,并单击 **确定**。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 如果在连接过程中遇到错误,请参见 故障排除。 diff --git a/docs/clients.md b/docs/clients.md index 68d2c7792f..aa020a2180 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -43,6 +43,8 @@ An alternative one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). + To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index dbb8865f02..481fb7a715 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -15,7 +15,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 - Windows 7, 8.x 和 10 - Windows Phone 8.1 及以上 - strongSwan Android VPN 客户端 -- iOS (iPhone/iPad) 和 OS X (macOS) <-- 请参见 +- iOS (iPhone/iPad) 和 OS X (macOS) <-- 请参见 下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 @@ -224,6 +224,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect + (可选步骤) 如需启用更安全的加密方式,可以添加 这个注册表键 并重启。 + #### Windows Phone 8.1 及以上 首先导入 `.p12` 文件,然后参照 这些说明 配置一个基于证书的 IKEv2 VPN。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index d65e5f7fdf..b2d9a15ea4 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -15,7 +15,7 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica - Windows 7, 8.x and 10 - Windows Phone 8.1 and above - strongSwan Android VPN client -- iOS (iPhone/iPad) and OS X (macOS) <-- See link +- iOS (iPhone/iPad) and OS X (macOS) <-- See link The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. 
@@ -224,6 +224,8 @@ Before continuing, make sure you have successfully this registry key and reboot. + #### Windows Phone 8.1 and above First import the `.p12` file, then follow these instructions to configure a certificate-based IKEv2 VPN. From 5cbadb643b1672cbebdd69801e74990c535cbcf6 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 18 Jan 2017 16:10:34 -0600 Subject: [PATCH 0080/1208] Update docs [ci skip] --- README-zh.md | 6 +++--- docs/clients-xauth-zh.md | 4 ++-- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 8 ++++---- docs/clients.md | 8 ++++---- docs/ikev2-howto-zh.md | 10 +++++----- docs/ikev2-howto.md | 8 ++++---- 7 files changed, 23 insertions(+), 23 deletions(-) diff --git a/README-zh.md b/README-zh.md index 328fe7b918..4cf0326eeb 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -1,6 +1,6 @@ # IPsec VPN 服务器一键安装脚本 -[![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) +[![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) 使用 Linux 脚本一键快速搭建自己的 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu/Debian/CentOS 系统。你只需要提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 @@ -47,7 +47,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh ## 功能特性 - **新:** 增加支持更高效的 `IPsec/XAuth ("Cisco IPsec")` 模式 -- **新:** 现在可以下载 VPN 服务器的预构建 Docker 镜像 +- **新:** 现在可以下载 VPN 服务器的预构建 Docker 镜像 - 全自动的 IPsec VPN 服务器配置,无需用户输入 - 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持 - 可直接作为 Amazon EC2 实例创建时的用户数据使用 @@ -177,7 +177,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## 另见 -- IPsec VPN Server on Docker +- IPsec VPN Server on Docker - IKEv2 VPN Server on Docker - Streisand - SoftEther VPN diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index e568bdd99b..2e9720613f 100644 
--- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -4,9 +4,9 @@ *注: 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* -在成功搭建自己的 VPN 服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 +在成功搭建自己的 VPN 服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 -IPsec/XAuth 模式也称为 "Cisco IPsec",它通常能够比 IPsec/L2TP 更高效地传输数据。 +IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP 更高效地传输数据。 --- * 平台名称 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 127f9d4ef0..98539fe63f 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -6,7 +6,7 @@ After setting up your own VPN server, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free Shrew Soft client. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. -IPsec/XAuth mode is also called "Cisco IPsec". It is generally faster than IPsec/L2TP with less overhead. +IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally faster than IPsec/L2TP with less overhead. --- * Platforms diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 6b7eebd76d..eeabd826ca 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -4,7 +4,7 @@ *注: 你也可以使用 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* -在成功搭建自己的 VPN 服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 +在成功搭建自己的 VPN 服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 另一个带图片的安装指南可供参考,它由 Tony Tran 编写。 
@@ -390,9 +390,9 @@ strongswan down myvpn 更多的故障排除信息请参见以下链接: -* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues -* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ -* http://www.tp-link.com/en/faq-1029.html +https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ +http://www.tp-link.com/en/faq-1029.html ## 致谢 diff --git a/docs/clients.md b/docs/clients.md index aa020a2180..3c97df495d 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -387,11 +387,11 @@ If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat): ### Other Errors -Refer to the links below for more troubleshooting tips: +For additional troubleshooting tips, refer to the links below: -* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues -* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ -* http://www.tp-link.com/en/faq-1029.html +https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ +http://www.tp-link.com/en/faq-1029.html ## Credits diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 481fb7a715..86dbf4f371 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -19,7 +19,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 -在继续之前,请确保你已经成功地 搭建自己的 VPN 服务器。 +在继续之前,请确保你已经成功地 搭建自己的 VPN 服务器。 1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。 
@@ -27,9 +27,9 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') $ echo "$PUBLIC_IP" - (Your public IP is displayed) + (检查显示的 public IP) $ echo "$PRIVATE_IP" - (Your private IP is displayed) + (检查显示的 private IP) ``` 1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接: @@ -175,7 +175,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ```bash $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "vpnclient" - -- repeat same extensions as above -- + -- 重复与上面相同的 extensions -- $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d @@ -238,7 +238,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ## 已知问题 -Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误 "Error 809",或者可能在连接后无法打开任何网站。如果出现这些问题,请首先尝试 这个解决方案。如果仍然无法解决,请使用 IPsec/L2TP 或者 IPsec/XAuth 模式连接。 +Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误,或者可能在连接后无法打开任何网站。如果出现这些问题,请首先尝试 这个解决方案。如果仍然无法解决,请使用 IPsec/L2TP 或者 IPsec/XAuth 模式连接。 ## 参考链接 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index b2d9a15ea4..9031087386 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -27,9 +27,9 @@ Before continuing, make sure you have successfully this registry key and reboot. + (Optional) You may enable stronger ciphers by adding this registry key and reboot. #### Windows Phone 8.1 and above 
@@ -238,7 +238,7 @@ Before continuing, make sure you have successfully this workaround. If it doesn't work, please connect using IPsec/L2TP or IPsec/XAuth mode instead. +The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail, or you may be unable to open any website after connecting. If this happens, first try this workaround. If it doesn't work, please connect using IPsec/L2TP or IPsec/XAuth mode instead. ## References From e40dd6219bc14f41fcf7fd55ac2c1b85fd0e9ac0 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 18 Jan 2017 20:10:43 -0600 Subject: [PATCH 0081/1208] Bugfix - Libreswan 3.19 removed MODP1024 from the ike= default list, which breaks compatibility with Android 5.x and others - This commit explicitly adds MODP1024 back to the ike= list - Fixes #101. Thanks @keijodputt! --- docs/ikev2-howto-zh.md | 4 ++-- docs/ikev2-howto.md | 4 ++-- extras/vpnupgrade.sh | 8 +++++++- extras/vpnupgrade_centos.sh | 8 +++++++- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 6 files changed, 20 insertions(+), 8 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 86dbf4f371..2848062f93 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -58,8 +58,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ikev2=insist rekey=no fragmentation=yes - ike=3des-sha1,aes-sha1,aes256-sha2_256;modp1024,aes256-sha2_256;modp2048 - phase2alg=3des-sha1,aes-sha1,aes256-sha2_256 + ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024 + phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 EOF ``` diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 9031087386..0b99e688a6 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
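Review bot: The new `ike=` line in the `@@ -58,8 +58,8` hunk of docs/ikev2-howto-zh.md adds a `;modp1024` variant of every proposal, including `aes256-sha2_512` and `aes256-sha2_256`, and keeps `3des-sha1`, yet the howto itself gives the reader no reason for it. The commit message explains that MODP1024 is restored for Android 5.x and other clients; that sentence belongs next to the config block, together with a note on which entries can be removed when no such client connects, so that readers do not copy the weakest proposals by default.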
@@ -58,8 +58,8 @@ Before continuing, make sure you have successfully Date: Wed, 18 Jan 2017 21:13:00 -0600 Subject: [PATCH 0082/1208] Improve VPN ciphers - Consolidate VPN ciphers for "ike=" and "phase2alg=" in ipsec.conf. --- docs/ikev2-howto-zh.md | 4 ++-- docs/ikev2-howto.md | 4 ++-- extras/vpnupgrade.sh | 12 +++++++----- extras/vpnupgrade_centos.sh | 12 +++++++----- vpnsetup.sh | 4 ++-- vpnsetup_centos.sh | 4 ++-- 6 files changed, 22 insertions(+), 18 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 2848062f93..c898221464 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -58,8 +58,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ikev2=insist rekey=no fragmentation=yes - ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024 - phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256 + ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 + phase2alg=3des-sha1,aes-sha1,aes-sha2 EOF ``` diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 0b99e688a6..eba32acbb4 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -58,8 +58,8 @@ Before continuing, make sure you have successfully Date: Fri, 20 Jan 2017 11:25:12 -0600 Subject: [PATCH 0083/1208] Minor fix - Improve sed command in VPN upgrade scripts --- extras/vpnupgrade.sh | 13 ++++++++----- extras/vpnupgrade_centos.sh | 13 ++++++++----- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index e298a097bf..bde38a1d9d 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -158,11 +158,14 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then fi # Update ipsec.conf options -sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" \ - -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \ - -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \ - -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" \ - -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" /etc/ipsec.conf +IKE_NEW=" ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" +PHASE2_NEW=" phase2alg=3des-sha1,aes-sha1,aes-sha2" +sed -i.old -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ + -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ + -e "s/^[[:space:]]\+ike=3des-sha1,aes-sha1\$/$IKE_NEW/" \ + -e "s/^[[:space:]]\+ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256\$/$IKE_NEW/" \ + -e "s/^[[:space:]]\+phase2alg=3des-sha1,aes-sha1\$/$PHASE2_NEW/" \ + -e "s/^[[:space:]]\+phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256\$/$PHASE2_NEW/" /etc/ipsec.conf # Restart IPsec service service ipsec restart diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 45e95fca02..59fa2e1d29 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh 
@@ -155,11 +155,14 @@ restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null # Update ipsec.conf options -sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" \ - -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \ - -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \ - -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" \ - -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" /etc/ipsec.conf +IKE_NEW=" ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" +PHASE2_NEW=" phase2alg=3des-sha1,aes-sha1,aes-sha2" +sed -i.old -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ + -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ + -e "s/^[[:space:]]\+ike=3des-sha1,aes-sha1\$/$IKE_NEW/" \ + -e "s/^[[:space:]]\+ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256\$/$IKE_NEW/" \ + -e "s/^[[:space:]]\+phase2alg=3des-sha1,aes-sha1\$/$PHASE2_NEW/" \ + -e "s/^[[:space:]]\+phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256\$/$PHASE2_NEW/" /etc/ipsec.conf # Restart IPsec service service ipsec restart From 0c8f117fd9b3a93f651a768a525a22569fd3e186 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 21 Jan 2017 12:13:27 -0600 Subject: [PATCH 0084/1208] Update docs [ci skip] --- README-zh.md | 1 + README.md | 1 + docs/clients-xauth-zh.md | 3 ++- docs/clients-xauth.md | 3 ++- docs/manage-users-zh.md | 7 +------ docs/manage-users.md | 7 +------ 6 files changed, 8 insertions(+), 14 deletions(-) diff --git a/README-zh.md b/README-zh.md index 4cf0326eeb..810788e9ad 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -180,6 +180,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh - IPsec VPN Server on Docker - IKEv2 VPN Server on Docker - Streisand +- Algo VPN - SoftEther VPN - Shadowsocks - OpenVPN Install diff --git a/README.md b/README.md index 57228c2537..fe01b20989 100644 --- a/README.md +++ b/README.md @@ -180,6 +180,7 @@ Please refer to Uninstall the VPNIPsec VPN Server on Docker - IKEv2 VPN Server on Docker - Streisand +- Algo VPN - SoftEther VPN - Shadowsocks - OpenVPN Install diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 2e9720613f..b7f78183c7 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -19,7 +19,8 @@ IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP **注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,无需安装额外的软件。 -1. 下载并安装免费的 Shrew Soft VPN 客户端。 +1. 下载并安装免费的 Shrew Soft VPN 客户端。 + **注:** 该客户端**不支持** Windows 10。 1. 单击开始菜单 -> 所有程序 -> ShrewSoft VPN Client -> VPN Access Manager 1. 单击工具栏中的 **Add (+)** 按钮。 1. 在 **Host Name or IP Address** 字段中输入`你的 VPN 服务器 IP`。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 98539fe63f..4198b782de 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -19,7 +19,8 @@ IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally faster tha **Note:** You may also connect using [IPsec/L2TP mode](clients.md). No additional software is required. -1. Download and install the free Shrew Soft VPN client. +1. Download and install the free Shrew Soft VPN client. + **Note:** This VPN client does NOT support Windows 10. 1. Click Start Menu -> All Programs -> ShrewSoft VPN Client -> VPN Access Manager 1. Click the **Add (+)** button on toolbar. 1. Enter `Your VPN Server IP` in the **Host Name or IP Address** field. diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 57aa64fee6..dc879c434d 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md 
@@ -35,9 +35,4 @@ openssl passwd -1 "" ``` -在完成修改之后,运行以下命令或者重启服务器。 - -```bash -service ipsec restart -service xl2tpd restart -``` +在完成修改之后,重启你的服务器。 diff --git a/docs/manage-users.md b/docs/manage-users.md index 3a2e2e6d40..58840947f4 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md @@ -35,9 +35,4 @@ Passwords in this file are salted and hashed. This step can be done using e.g. t openssl passwd -1 "" ``` -When finished making changes, run these commands or reboot your server. - -```bash -service ipsec restart -service xl2tpd restart -``` +When finished making changes, reboot your server. From a156a1f5f3937a4c4b320d5fc1e4355df3c0218b Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 25 Jan 2017 12:37:31 -0600 Subject: [PATCH 0085/1208] Update docs [ci skip] --- README-zh.md | 8 ++++---- README.md | 8 ++++---- docs/clients-zh.md | 8 ++++++++ docs/clients.md | 8 ++++++++ 4 files changed, 24 insertions(+), 8 deletions(-) diff --git a/README-zh.md b/README-zh.md index 810788e9ad..dcafb0ff62 100644 --- a/README-zh.md +++ b/README-zh.md @@ -140,11 +140,11 @@ DigitalOcean 用户可以参考这个修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。 -同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果你需要同时连接在同一个 NAT 后面(比如家用路由器)的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。 +同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。 -如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 +对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 -对于有外部防火墙的服务器(比如 EC2/GCE),请打开 UDP 端口 500 和 4500,以及 TCP 端口 22 (用于 SSH)。 +如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 
@@ -168,7 +168,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## 问题和反馈 - 有问题需要提问?请先搜索已有的留言,在 这个 Gist 以及 我的博客。 -- VPN 的相关问题可在这些邮件列表提问: [1] [2],或者看相关文章: [1] [2] [3] [4] [5]。 +- VPN 的相关问题可在 LibreswanstrongSwan 邮件列表提问,或者参考这些网站: [1] [2] [3] [4] [5]。 - 如果你发现了一个可重复的程序漏洞,请提交一个 GitHub Issue。 ## 卸载说明 diff --git a/README.md b/README.md index fe01b20989..3f993361a0 100644 --- a/README.md +++ b/README.md @@ -140,11 +140,11 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: For **Windows users**, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, you must use only IPsec/XAuth mode if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router). +The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. -If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. +For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. -For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 & 4500, and TCP port 22 (for SSH). +If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. 
@@ -168,7 +168,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## Bugs & Questions - Got a question? Please first search other people's comments in this Gist and on my blog. -- Ask VPN related questions on these mailing lists: [1] [2], or read related articles: [1] [2] [3] [4] [5]. +- Ask VPN related questions on the Libreswan or strongSwan mailing list, or read these wikis: [1] [2] [3] [4] [5]. - If you found a reproducible bug, open a GitHub Issue to submit a bug report. ## Uninstallation diff --git a/docs/clients-zh.md b/docs/clients-zh.md index eeabd826ca..b0f4ca40d5 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -388,6 +388,14 @@ strongswan down myvpn ### 其它错误 +首先,你可以尝试重启 VPN 服务器上的相关服务: +``` +service ipsec restart +service xl2tpd restart +``` + +如果你使用 Docker,请运行 `docker restart ipsec-vpn-server`。 + 更多的故障排除信息请参见以下链接: https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues diff --git a/docs/clients.md b/docs/clients.md index 3c97df495d..e89cd33883 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -387,6 +387,14 @@ If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat): ### Other Errors +First, you may try restarting services on the VPN server: +``` +service ipsec restart +service xl2tpd restart +``` + +If using Docker, run `docker restart ipsec-vpn-server`. + For additional troubleshooting tips, refer to the links below: https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues From 758f0e141814f88c2d018271e9bb98fb12fd1245 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Thu, 26 Jan 2017 17:15:43 -0600 Subject: [PATCH 0086/1208] Fix IKEv2 docs - Windows 8.x and 10 require the IKEv2 machine certificate to have "Client Auth" EKU in addition to "Server Auth". Otherwise it gives "Error 13806: IKE failed to find valid machine certificate..." - The IKEv2 documentation has been updated to fix this issue - Also, this Libreswan wiki page may need to be updated. @letoams https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 - Ref: #106. Thanks @evil-shrike! --- docs/ikev2-howto-zh.md | 79 ++++++++++++++++++++++++++++++++++++++++-- docs/ikev2-howto.md | 79 ++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 154 insertions(+), 4 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index c898221464..af9b55e03b 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -175,7 +175,82 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ```bash $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "vpnclient" - -- 重复与上面相同的 extensions -- + A random seed must be generated that will be used in the + creation of your key. One of the easiest ways to create a + random seed is to use the timing of keystrokes on a keyboard. + + To begin, type keys on the keyboard until this progress meter + is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! + + Continue typing until the progress meter is full: + + |************************************************************| + + Finished. Press enter to continue: + + Generating key. This may take a few moments... + + 0 - Digital Signature + 1 - Non-repudiation + 2 - Key encipherment + 3 - Data encipherment + 4 - Key agreement + 5 - Cert signing key + 6 - CRL signing key + Other to finish + > 0 + 0 - Digital Signature + 1 - Non-repudiation + 2 - Key encipherment + 3 - Data encipherment + 4 - Key agreement + 5 - Cert signing key + 6 - CRL signing key + Other to finish + > 2 + 0 - Digital Signature + 1 - Non-repudiation + 2 - Key encipherment + 3 - Data encipherment + 4 - Key agreement + 5 - Cert signing key + 6 - CRL signing key + Other to finish + > 8 + Is this a critical extension [y/N]? + N + 0 - Server Auth + 1 - Client Auth + 2 - Code Signing + 3 - Email Protection + 4 - Timestamp + 5 - OCSP Responder + 6 - Step-up + 7 - Microsoft Trust List Signing + Other to finish + > 0 + 0 - Server Auth + 1 - Client Auth + 2 - Code Signing + 3 - Email Protection + 4 - Timestamp + 5 - OCSP Responder + 6 - Step-up + 7 - Microsoft Trust List Signing + Other to finish + > 1 + 0 - Server Auth + 1 - Client Auth + 2 - Code Signing + 3 - Email Protection + 4 - Timestamp + 5 - OCSP Responder + 6 - Step-up + 7 - Microsoft Trust List Signing + Other to finish + > 8 + Is this a critical extension [y/N]? 
+ N $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d @@ -211,7 +286,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 #### Windows 7, 8.x 和 10 - 将 `.p12` 文件导入到 Computer 证书存储。在导入 CA 证书后,它必须被放入 "Trusted Root Certification Authorities" 目录的 "Certificates" 子目录中。 + 将 `.p12` 文件导入到 "Computer account" 证书存储。在导入证书后,你必须确保将客户端证书放在 "Personal -> Certificates" 目录中,并且将 CA 证书放在 "Trusted Root Certification Authorities -> Certificates" 目录中。 详细的操作步骤: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index eba32acbb4..7788113bcc 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -175,7 +175,82 @@ Before continuing, make sure you have successfully 0 + 0 - Digital Signature + 1 - Non-repudiation + 2 - Key encipherment + 3 - Data encipherment + 4 - Key agreement + 5 - Cert signing key + 6 - CRL signing key + Other to finish + > 2 + 0 - Digital Signature + 1 - Non-repudiation + 2 - Key encipherment + 3 - Data encipherment + 4 - Key agreement + 5 - Cert signing key + 6 - CRL signing key + Other to finish + > 8 + Is this a critical extension [y/N]? + N + 0 - Server Auth + 1 - Client Auth + 2 - Code Signing + 3 - Email Protection + 4 - Timestamp + 5 - OCSP Responder + 6 - Step-up + 7 - Microsoft Trust List Signing + Other to finish + > 0 + 0 - Server Auth + 1 - Client Auth + 2 - Code Signing + 3 - Email Protection + 4 - Timestamp + 5 - OCSP Responder + 6 - Step-up + 7 - Microsoft Trust List Signing + Other to finish + > 1 + 0 - Server Auth + 1 - Client Auth + 2 - Code Signing + 3 - Email Protection + 4 - Timestamp + 5 - OCSP Responder + 6 - Step-up + 7 - Microsoft Trust List Signing + Other to finish + > 8 + Is this a critical extension [y/N]? + N $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d 
@@ -211,7 +286,7 @@ Before continuing, make sure you have successfully Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". Detailed instructions: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs From c8d8730fd003d0ba5cb062b0ce6a04bd82d54005 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 26 Jan 2017 17:42:13 -0600 Subject: [PATCH 0087/1208] Minor fix [ci skip] --- docs/ikev2-howto-zh.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index af9b55e03b..9fdac8ebc5 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -286,7 +286,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 #### Windows 7, 8.x 和 10 - 将 `.p12` 文件导入到 "Computer account" 证书存储。在导入证书后,你必须确保将客户端证书放在 "Personal -> Certificates" 目录中,并且将 CA 证书放在 "Trusted Root Certification Authorities -> Certificates" 目录中。 + 将 `.p12` 文件导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 详细的操作步骤: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs From 8c0940f63b9d23191d014eee4a894dc8077093bb Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 5 Feb 2017 14:48:11 -0600 Subject: [PATCH 0088/1208] Update docs - Improve IKEv2 docs. The strongSwan Android VPN client requires an "IP address" in the VPN server certificate's subjectAltName field in addition to "DNS name", when connecting using the server's IP. The certutil commands have been updated to add this field. - Other improvements to docs --- README-zh.md | 16 ++-- README.md | 10 +-- docs/clients-zh.md | 66 ++++++++++----- docs/clients.md | 70 ++++++++++----- docs/ikev2-howto-zh.md | 183 +++++++++------------------------------- docs/ikev2-howto.md | 183 +++++++++------------------------------- docs/manage-users-zh.md | 7 +- docs/manage-users.md | 7 +- docs/uninstall-zh.md | 4 +- docs/uninstall.md | 4 +- 10 files changed, 203 insertions(+), 347 deletions(-) 
diff --git a/README-zh.md b/README-zh.md index dcafb0ff62..039ff83a89 100644 --- a/README-zh.md +++ b/README-zh.md @@ -2,7 +2,7 @@ [![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) -使用 Linux 脚本一键快速搭建自己的 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu/Debian/CentOS 系统。你只需要提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 +使用 Linux 脚本一键快速搭建自己的 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu/Debian/CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时,你和 VPN 服务器之间的任何人对你的数据的未经授权的访问。在使用不安全的网络时,这是特别有用的,例如在咖啡厅,机场或旅馆房间。 @@ -28,7 +28,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 ## 快速开始 -首先,在你的 Linux 服务器* 上全新安装一个 Ubuntu LTS,Debian 8 或者 CentOS 7/6 系统。 +首先,在你的 Linux 服务器* 上全新安装一个 Ubuntu LTS, Debian 8 或者 CentOS 7/6 系统。 使用以下命令快速搭建 IPsec VPN 服务器: @@ -36,11 +36,11 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh ``` -对于 CentOS 系统,将上面的 `https://git.io/vpnsetup` 换成 `https://git.io/vpnsetup-centos`。 +如果使用 CentOS,请将上面的地址换成 `https://git.io/vpnsetup-centos`。 -你的 VPN 登录凭证将会被自动随机生成,并在安装完成后在屏幕上显示。 +你的 VPN 登录凭证将会被自动随机生成,并在安装完成后显示在屏幕上。 -如需了解其它安装选项,以及如何配置 VPN 客户端,请阅读以下部分。 +如需了解其它安装选项,以及如何配置 VPN 客户端,请继续阅读以下部分。 \* 一个专用服务器或者虚拟专用服务器 (VPS)。OpenVZ VPS 不受支持。 
@@ -69,7 +69,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行另一个脚本。 OpenVZ VPS 不受支持,用户可以尝试使用 Shadowsocks 或者 OpenVPN。 -这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, RackspaceVMware vCloud Air。 +这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayerRackspaceDeploy to Azure Install on DigitalOcean Deploy to Linode @@ -111,8 +111,6 @@ VPN_USER='你的VPN用户名' \ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh ``` -DigitalOcean 用户可以参考这个分步指南,由 Tony Tran 编写。 - **注:** 如果无法通过 `wget` 下载,你也可以打开 vpnsetup.sh (或者 vpnsetup_centos.sh),然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl-A` 全选, `Ctrl-C` 复制,然后粘贴到你喜欢的编辑器。 ### CentOS & RHEL @@ -128,7 +126,7 @@ DigitalOcean 用户可以参考这个配置 IPsec/L2TP VPN 客户端 配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端 -如何配置 IKEv2 VPN: Windows 7 和更新版本 +如何配置 IKEv2 VPN: Windows 和 Android 如果在连接过程中遇到错误,请参见 故障排除。 diff --git a/README.md b/README.md index 3f993361a0..9ce42e2980 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ Use this one-liner to set up an IPsec VPN server: wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh ``` -If using CentOS, replace `https://git.io/vpnsetup` above with `https://git.io/vpnsetup-centos`. +If using CentOS, replace the link above with `https://git.io/vpnsetup-centos`. Your VPN login details will be randomly generated, and displayed on the screen when finished. 
@@ -63,13 +63,13 @@ A newly created Amazon EC2 - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates -Please refer to detailed instructions and EC2 pricing. +Please see detailed instructions and EC2 pricing. **-OR-** A dedicated server or Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used with this workaround. OpenVZ VPS is NOT supported, users could instead try OpenVPN. -This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, Rackspace and VMware vCloud Air. +These also include Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer and Rackspace. Deploy to Azure Install on DigitalOcean Deploy to Linode @@ -111,8 +111,6 @@ VPN_USER='your_vpn_username' \ VPN_PASSWORD='your_vpn_password' sh vpnsetup.sh ``` -DigitalOcean users may refer to this step-by-step guide by Tony Tran. - **Note:** If unable to download via `wget`, you may also open vpnsetup.sh (or vpnsetup_centos.sh) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor. ### CentOS & RHEL @@ -128,7 +126,7 @@ Get your computer or device to use the VPN. Please refer to: Configure IPsec/L2TP VPN Clients Configure IPsec/XAuth ("Cisco IPsec") VPN Clients -How-To: IKEv2 VPN for Windows 7 and newer +How-To: IKEv2 VPN for Windows and Android If you get an error when trying to connect, see Troubleshooting. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index b0f4ca40d5..af1efcdeec 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -22,6 +22,7 @@ * [Windows 错误 628](#windows-错误-628) * [Android 6 and 7](#android-6-and-7) * [其它错误](#其它错误) + * [额外的步骤](#额外的步骤) ## Windows 
@@ -162,7 +163,7 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 /var/run/xl2tpd/l2tp-control ``` 运行 `ifconfig` 并且检查输出。现在你应该看到一个新的网络接口 `ppp0`。 检查你现有的默认路由: -``` +```bash ip route ``` 在输出中查找以下行: `default via X.X.X.X ...`。记下这个网关 IP,并且在下面的两个命令中使用。 从新的默认路由中排除你的 VPN 服务器 IP (替换为你自己的值): -``` +```bash route add YOUR_VPN_SERVER_IP gw X.X.X.X ``` 如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP,以避免 SSH 会话被断开 (替换为你自己的公有 IP,可在 这里 查看): -``` +```bash route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X ``` 添加一个新的默认路由,并且开始通过 VPN 服务器发送数据: -``` +```bash route add default dev ppp0 ``` 至此 VPN 连接已成功完成。检查 VPN 是否正常工作: -``` +```bash wget -qO- http://ipv4.icanhazip.com; echo ``` @@ -324,12 +325,12 @@ wget -qO- http://ipv4.icanhazip.com; echo 要停止通过 VPN 服务器发送数据: -``` +```bash route del default dev ppp0 ``` 要断开连接: -``` +```bash # Ubuntu & Debian echo "d myvpn" > /var/run/xl2tpd/l2tp-control ipsec down myvpn @@ -388,19 +389,42 @@ strongswan down myvpn ### 其它错误 -首先,你可以尝试重启 VPN 服务器上的相关服务: -``` +更多的相关信息请参见以下链接: + +* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ +* http://www.tp-link.com/en/faq-1029.html + +### 额外的步骤 + +首先,重启 VPN 服务器上的相关服务: +```bash service ipsec restart service xl2tpd restart ``` 如果你使用 Docker,请运行 `docker restart ipsec-vpn-server`。 -更多的故障排除信息请参见以下链接: +然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。 -https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues -https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ -http://www.tp-link.com/en/faq-1029.html +检查 Libreswan (IPsec) 日志是否有错误: +```bash +# Ubuntu & Debian +grep pluto /var/log/auth.log +# CentOS & RHEL +grep pluto /var/log/secure +``` + +查看 IPsec VPN 服务器状态: +```bash +ipsec status +ipsec verify +``` + +显示当前已建立的 VPN 连接: +```bash +ipsec whack --trafficstatus +``` ## 致谢 
diff --git a/docs/clients.md b/docs/clients.md index e89cd33883..8fb47cc237 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -21,7 +21,8 @@ An alternative /etc/ipsec.conf < /etc/xl2tpd/xl2tpd.conf < /var/run/xl2tpd/l2tp-control ``` Run `ifconfig` and check the output. You should now see a new interface `ppp0`. Check your existing default route: -``` +```bash ip route ``` Find this line in the output: `default via X.X.X.X ...`. Write down this gateway IP for use in the two commands below. Exclude your VPN server's IP from the new default route (replace with actual value): -``` +```bash route add YOUR_VPN_SERVER_IP gw X.X.X.X ``` If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with your actual public IP from here): -``` +```bash route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X ``` Add a new default route to start routing traffic via the VPN server: -``` +```bash route add default dev ppp0 ``` The VPN connection is now complete. Verify that your traffic is being routed properly: -``` +```bash wget -qO- http://ipv4.icanhazip.com; echo ``` The above command should return `Your VPN Server IP`. To stop routing traffic via the VPN server: -``` +```bash route del default dev ppp0 ``` To disconnect: -``` +```bash # Ubuntu & Debian echo "d myvpn" > /var/run/xl2tpd/l2tp-control ipsec down myvpn 
@@ -385,21 +386,44 @@ If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat): ![Android VPN workaround](images/vpn-profile-Android.png) -### Other Errors +### Other errors -First, you may try restarting services on the VPN server: -``` +For additional information, refer to the links below: + +* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ +* http://www.tp-link.com/en/faq-1029.html + +### Additional steps + +First, restart services on the VPN server: +```bash service ipsec restart service xl2tpd restart ``` If using Docker, run `docker restart ipsec-vpn-server`. -For additional troubleshooting tips, refer to the links below: +Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly. -https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues -https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ -http://www.tp-link.com/en/faq-1029.html +Check the Libreswan (IPsec) log for errors: +```bash +# Ubuntu & Debian +grep pluto /var/log/auth.log +# CentOS & RHEL +grep pluto /var/log/secure +``` + +Check status of the IPsec VPN server: +```bash +ipsec status +ipsec verify +``` + +Show current established VPN connections: +```bash +ipsec whack --trafficstatus +``` ## Credits diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 9fdac8ebc5..1972c07d84 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -1,4 +1,4 @@ -# 如何配置 IKEv2 VPN: Windows 7 和更新版本 +# 如何配置 IKEv2 VPN: Windows 和 Android *其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* 
@@ -15,11 +15,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 - Windows 7, 8.x 和 10 - Windows Phone 8.1 及以上 - strongSwan Android VPN 客户端 -- iOS (iPhone/iPad) 和 OS X (macOS) <-- 请参见 +- iOS (iPhone/iPad) 和 macOS <-- 另见 下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 -在继续之前,请确保你已经成功地 搭建自己的 VPN 服务器。 +在继续之前,请确保你已经成功 搭建自己的 VPN 服务器。 1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。 @@ -63,14 +63,22 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 EOF ``` - 还需要在该文件中添加一行,根据 Libreswan 的版本而不同。请运行以下命令: + 还需要在该文件中添加一行,首先查看你的 Libreswan 版本: ```bash - $ if /usr/local/sbin/ipsec --version | grep -qs -F "3.19"; then - echo " encapsulation=yes" >> /etc/ipsec.conf - else - echo " forceencaps=yes" >> /etc/ipsec.conf - fi + $ ipsec --version + ``` + + 对于 Libreswan 3.19 或以上版本,请运行: + + ```bash + $ echo " encapsulation=yes" >> /etc/ipsec.conf + ``` + + 对于 Libreswan 3.18 或以下版本,请运行: + + ```bash + $ echo " forceencaps=yes" >> /etc/ipsec.conf ``` 1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: @@ -100,7 +108,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Is this a critical extension [y/N]? N - $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "$PUBLIC_IP" + $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \ + --keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth --extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP" A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a 
@@ -116,64 +125,13 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Finished. Press enter to continue: Generating key. This may take a few moments... - - 0 - Digital Signature - 1 - Non-repudiation - 2 - Key encipherment - 3 - Data encipherment - 4 - Key agreement - 5 - Cert signing key - 6 - CRL signing key - Other to finish - > 0 - 0 - Digital Signature - 1 - Non-repudiation - 2 - Key encipherment - 3 - Data encipherment - 4 - Key agreement - 5 - Cert signing key - 6 - CRL signing key - Other to finish - > 2 - 0 - Digital Signature - 1 - Non-repudiation - 2 - Key encipherment - 3 - Data encipherment - 4 - Key agreement - 5 - Cert signing key - 6 - CRL signing key - Other to finish - > 8 - Is this a critical extension [y/N]? - N - 0 - Server Auth - 1 - Client Auth - 2 - Code Signing - 3 - Email Protection - 4 - Timestamp - 5 - OCSP Responder - 6 - Step-up - 7 - Microsoft Trust List Signing - Other to finish - > 0 - 0 - Server Auth - 1 - Client Auth - 2 - Code Signing - 3 - Email Protection - 4 - Timestamp - 5 - OCSP Responder - 6 - Step-up - 7 - Microsoft Trust List Signing - Other to finish - > 8 - Is this a critical extension [y/N]? - N ``` 1. 生成客户端证书,并且导出 `.p12` 文件。该文件包含客户端证书,私钥以及 CA 证书: ```bash - $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," -1 -6 -8 "vpnclient" + $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \ + --keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth,clientAuth -8 "vpnclient" A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a 
@@ -190,68 +148,6 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Generating key. This may take a few moments... - 0 - Digital Signature - 1 - Non-repudiation - 2 - Key encipherment - 3 - Data encipherment - 4 - Key agreement - 5 - Cert signing key - 6 - CRL signing key - Other to finish - > 0 - 0 - Digital Signature - 1 - Non-repudiation - 2 - Key encipherment - 3 - Data encipherment - 4 - Key agreement - 5 - Cert signing key - 6 - CRL signing key - Other to finish - > 2 - 0 - Digital Signature - 1 - Non-repudiation - 2 - Key encipherment - 3 - Data encipherment - 4 - Key agreement - 5 - Cert signing key - 6 - CRL signing key - Other to finish - > 8 - Is this a critical extension [y/N]? - N - 0 - Server Auth - 1 - Client Auth - 2 - Code Signing - 3 - Email Protection - 4 - Timestamp - 5 - OCSP Responder - 6 - Step-up - 7 - Microsoft Trust List Signing - Other to finish - > 0 - 0 - Server Auth - 1 - Client Auth - 2 - Code Signing - 3 - Email Protection - 4 - Timestamp - 5 - OCSP Responder - 6 - Step-up - 7 - Microsoft Trust List Signing - Other to finish - > 1 - 0 - Server Auth - 1 - Client Auth - 2 - Code Signing - 3 - Email Protection - 4 - Timestamp - 5 - OCSP Responder - 6 - Step-up - 7 - Microsoft Trust List Signing - Other to finish - > 8 - Is this a critical extension [y/N]? - N - $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d Enter password for PKCS12 file: @@ -259,7 +155,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 pk12util: PKCS12 EXPORT SUCCESSFUL ``` - 可以重复该步骤来为更多的客户端生成证书,但必须把所有的 `vpnclient` 换成 `vpnclient2`,等等。 + 重复这个步骤来为更多的客户端生成证书,但必须把所有的 `vpnclient` 换成 `vpnclient2`,等等。请注意,如果你需要同时连接多个客户端,则必须为每个客户端生成唯一的证书。 1. 证书数据库现在应该包含以下内容: 
@@ -274,7 +170,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 vpnclient u,u,u ``` - 注:如需删除证书,可运行命令 `certutil -D -d sql:/etc/ipsec.d -n "Certificate Nickname"`。 + 注:如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 1. 重启 IPsec 服务: 
@@ -286,34 +182,38 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 #### Windows 7, 8.x 和 10 - 将 `.p12` 文件导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 + 1. 将 `.p12` 文件导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 - 详细的操作步骤: - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs + 请按照以下链接的步骤操作: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs - 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接: + 1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config + 1. 启用新的 IKEv2 VPN 连接,并且开始使用 VPN! + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect - 启用新的 IKEv2 VPN 连接,并且开始使用自己的专属 VPN! + 1. (可选步骤) 如需启用更安全的加密方式,可以添加 这个注册表键 并重启。 - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect + #### Android 4.x 和更新版本 - (可选步骤) 如需启用更安全的加密方式,可以添加 这个注册表键 并重启。 + 1. 从 **Google Play** 安装 strongSwan VPN Client。 + 1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 + 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP`。 + 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 + 1. 单击添加一个 **User certificate**,然后单击 **Install**。 + 1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 + 1. 保存新的 VPN 连接,然后单击它开始连接。 #### Windows Phone 8.1 及以上 首先导入 `.p12` 文件,然后参照 这些说明 配置一个基于证书的 IKEv2 VPN。 - #### Android 4.x 和更新版本 - - 请参见: https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient - - 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +1. 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ## 已知问题 -Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误,或者可能在连接后无法打开任何网站。如果出现这些问题,请首先尝试 这个解决方案。如果仍然无法解决,请使用 IPsec/L2TP 或者 IPsec/XAuth 模式连接。 +Windows 自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试 修改注册表,或者换用 IPsec/L2TPIPsec/XAuth 模式连接。 ## 参考链接 
@@ -321,3 +221,4 @@ Windows 7 和更新版本自带的 VPN 客户端不支持 IKEv2 fragmentation。 * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan * https://libreswan.org/man/ipsec.conf.5.html * https://wiki.strongswan.org/projects/strongswan/wiki/Windows7 +* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 7788113bcc..ff85764b72 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -1,10 +1,10 @@ -# How-To: IKEv2 VPN for Windows 7 and newer +# How-To: IKEv2 VPN for Windows and Android *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* --- -**IMPORTANT:** This guide is for **Advanced Users** ONLY. Other users please use IPsec/L2TP or IPsec/XAuth. +**IMPORTANT:** This guide is for **advanced users** only. Other users please use IPsec/L2TP or IPsec/XAuth. --- @@ -15,7 +15,7 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica - Windows 7, 8.x and 10 - Windows Phone 8.1 and above - strongSwan Android VPN client -- iOS (iPhone/iPad) and OS X (macOS) <-- See link +- iOS (iPhone/iPad) and macOS <-- See also The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. @@ -63,14 +63,22 @@ Before continuing, make sure you have successfully > /etc/ipsec.conf - else - echo " forceencaps=yes" >> /etc/ipsec.conf - fi + $ ipsec --version + ``` + + For Libreswan 3.19 and newer, run command: + + ```bash + $ echo " encapsulation=yes" >> /etc/ipsec.conf + ``` + + For Libreswan 3.18 and older, run command: + + ```bash + $ echo " forceencaps=yes" >> /etc/ipsec.conf ``` 1. Generate Certificate Authority (CA) and VPN server certificates: @@ -100,7 +108,8 @@ Before continuing, make sure you have successfully this page. 1. Restart IPsec service: 
@@ -286,34 +182,38 @@ Before continuing, make sure you have successfully Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". + 1. Import the `.p12` file to the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". - Detailed instructions: - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs + Follow the instructions at this link: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs - On the Windows computer, add a new IKEv2 VPN connection: + 1. On the Windows computer, add a new IKEv2 VPN connection: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config + 1. Start the new IKEv2 VPN connection, and enjoy your VPN! + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect - Start the new IKEv2 VPN connection, and enjoy your own VPN! + 1. (Optional) You may enable stronger ciphers by adding this registry key and reboot. - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect + #### Android 4.x and newer - (Optional) You may enable stronger ciphers by adding this registry key and reboot. + 1. Install strongSwan VPN Client from **Google Play**. + 1. Launch the VPN client and tap **Add VPN Profile**. + 1. Enter `Your VPN Server IP` in the **Server** field. + 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. + 1. Tap to add a **User certificate**, then tap **Install**. + 1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. + 1. Save the new VPN connection, then tap to connect. #### Windows Phone 8.1 and above First import the `.p12` file, then follow these instructions to configure a certificate-based IKEv2 VPN. 
- #### Android 4.x and newer - - Please refer to: https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient - - Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Known Issues -The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail, or you may be unable to open any website after connecting. If this happens, first try this workaround. If it doesn't work, please connect using IPsec/L2TP or IPsec/XAuth mode instead. +The built-in VPN client in Windows does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may try this registry fix, or connect using IPsec/L2TP or IPsec/XAuth mode instead. ## References @@ -321,3 +221,4 @@ The built-in VPN client in Windows 7 and newer does not support IKEv2 fragmentat * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan * https://libreswan.org/man/ipsec.conf.5.html * https://wiki.strongswan.org/projects/strongswan/wiki/Windows7 +* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index dc879c434d..315a36c4b7 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md @@ -35,4 +35,9 @@ openssl passwd -1 "" ``` -在完成修改之后,重启你的服务器。 +在完成后,需要重启服务: + +```bash +service ipsec restart +service xl2tpd restart +``` diff --git a/docs/manage-users.md b/docs/manage-users.md index 58840947f4..fdb7dc1669 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md 
@@ -35,4 +35,9 @@ Passwords in this file are salted and hashed. This step can be done using e.g. t openssl passwd -1 "" ``` -When finished making changes, reboot your server. +When finished, restart services: + +```bash +service ipsec restart +service xl2tpd restart +``` diff --git a/docs/uninstall-zh.md b/docs/uninstall-zh.md index 05788c5aa8..3164b82cd5 100644 --- a/docs/uninstall-zh.md +++ b/docs/uninstall-zh.md @@ -15,7 +15,7 @@ ## 第一步 -``` +```bash service ipsec stop service xl2tpd stop rm -rf /usr/local/sbin/ipsec /usr/local/libexec/ipsec @@ -69,7 +69,7 @@ rm -f /etc/init/ipsec.conf /lib/systemd/system/ipsec.service \ 要快速删除,可以复制并粘贴以下命令: -``` +```bash rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* \ /etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto rm -rf /etc/ipsec.d /etc/xl2tpd diff --git a/docs/uninstall.md b/docs/uninstall.md index 9da7f2990f..ec09d9700e 100644 --- a/docs/uninstall.md +++ b/docs/uninstall.md @@ -15,7 +15,7 @@ Follow these steps to remove the VPN. Commands must be run as `root`, or with `s ## First step -``` +```bash service ipsec stop service xl2tpd stop rm -rf /usr/local/sbin/ipsec /usr/local/libexec/ipsec @@ -69,7 +69,7 @@ Remove these config files: Copy and paste for fast removal: -``` +```bash rm -f /etc/ipsec.conf* /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ppp/options.xl2tpd* \ /etc/pam.d/pluto /etc/sysconfig/pluto /etc/default/pluto rm -rf /etc/ipsec.d /etc/xl2tpd From e31c378b442bf5e584040bb7364a71737605cf62 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 7 Feb 2017 20:59:47 -0600 Subject: [PATCH 0089/1208] Improve upgrade scripts - Better handling of updating ipsec.conf for Libreswan >= 3.19 - Other minor changes --- extras/vpnupgrade.sh | 17 ++++++++--------- extras/vpnupgrade_centos.sh | 17 ++++++++--------- 2 files changed, 16 insertions(+), 18 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index bde38a1d9d..26e6bbcb99 100644 
--- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -72,9 +72,9 @@ This is intended for use on servers running an older version of Libreswan. EOF cat <<'EOF' -!!! IMPORTANT NOTE !!! +IMPORTANT NOTES: -The new Libreswan version 3.19 requires some configuration changes. +Libreswan versions 3.19 and newer require some configuration changes. This script will make the following changes to your /etc/ipsec.conf: Replace this line: @@ -89,7 +89,7 @@ with the following: Consolidate VPN ciphers for "ike=" and "phase2alg=". Re-add "MODP1024" to the list of allowed "ike=" ciphers, -which was removed from defaults in Libreswan 3.19. +which was removed from the defaults in Libreswan 3.19. Your other VPN configuration files will not be modified. @@ -157,15 +157,14 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then exiterr "Libreswan $swan_ver failed to build." fi -# Update ipsec.conf options +# Update ipsec.conf for Libreswan 3.19 and newer IKE_NEW=" ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" PHASE2_NEW=" phase2alg=3des-sha1,aes-sha1,aes-sha2" -sed -i.old -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ +sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ + -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ - -e "s/^[[:space:]]\+ike=3des-sha1,aes-sha1\$/$IKE_NEW/" \ - -e "s/^[[:space:]]\+ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256\$/$IKE_NEW/" \ - -e "s/^[[:space:]]\+phase2alg=3des-sha1,aes-sha1\$/$PHASE2_NEW/" \ - -e "s/^[[:space:]]\+phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256\$/$PHASE2_NEW/" /etc/ipsec.conf + -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \ + -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf # Restart IPsec service service ipsec restart diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 59fa2e1d29..3e87990054 100644 --- a/extras/vpnupgrade_centos.sh 
+++ b/extras/vpnupgrade_centos.sh @@ -68,9 +68,9 @@ This is intended for use on servers running an older version of Libreswan. EOF cat <<'EOF' -!!! IMPORTANT NOTE !!! +IMPORTANT NOTES: -The new Libreswan version 3.19 requires some configuration changes. +Libreswan versions 3.19 and newer require some configuration changes. This script will make the following changes to your /etc/ipsec.conf: Replace this line: @@ -85,7 +85,7 @@ with the following: Consolidate VPN ciphers for "ike=" and "phase2alg=". Re-add "MODP1024" to the list of allowed "ike=" ciphers, -which was removed from defaults in Libreswan 3.19. +which was removed from the defaults in Libreswan 3.19. Your other VPN configuration files will not be modified. @@ -154,15 +154,14 @@ restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null -# Update ipsec.conf options +# Update ipsec.conf for Libreswan 3.19 and newer IKE_NEW=" ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" PHASE2_NEW=" phase2alg=3des-sha1,aes-sha1,aes-sha2" -sed -i.old -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ +sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ + -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ - -e "s/^[[:space:]]\+ike=3des-sha1,aes-sha1\$/$IKE_NEW/" \ - -e "s/^[[:space:]]\+ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256\$/$IKE_NEW/" \ - -e "s/^[[:space:]]\+phase2alg=3des-sha1,aes-sha1\$/$PHASE2_NEW/" \ - -e "s/^[[:space:]]\+phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256\$/$PHASE2_NEW/" /etc/ipsec.conf + -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \ + -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf # Restart IPsec service service ipsec restart From e6b9208eeb0ecf7835c8f0c5fe63be1f39ad122d Mon Sep 17 00:00:00 2001 
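Review bot: The new `sed` expressions `s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/` and `s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/` (same change in vpnupgrade.sh and vpnupgrade_centos.sh) match every indented `ike=` and `phase2alg=` line in /etc/ipsec.conf, where the removed expressions matched only two known stock values each. An administrator who tightened those lists, or who added a separate conn section with its own proposals, will have them replaced by `$IKE_NEW` and `$PHASE2_NEW`, which include 3des-sha1 and modp1024. The notice printed before the upgrade says ciphers are consolidated but does not say that custom values are overwritten. Suggest either keeping the match limited to values the setup script itself wrote, or stating the overwrite in the IMPORTANT NOTES text and naming the `.old-<timestamp>` backup that `sed -i` now leaves so the previous lines can be restored.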
From: hwdsl2 Date: Tue, 7 Feb 2017 21:12:31 -0600 Subject: [PATCH 0090/1208] Update docs --- README-zh.md | 2 +- README.md | 2 +- docs/clients-zh.md | 4 ++-- docs/clients.md | 4 ++-- docs/ikev2-howto-zh.md | 4 ++-- docs/ikev2-howto.md | 4 ++-- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/README-zh.md b/README-zh.md index 039ff83a89..3a235a645a 100644 --- a/README-zh.md +++ b/README-zh.md @@ -138,7 +138,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh **Windows 用户** 在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。 -同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。 +同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。另外,你的服务器必须运行 [Libreswan 3.19](#升级libreswan) 或更新版本。 对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 diff --git a/README.md b/README.md index 9ce42e2980..3e7a026951 100644 --- a/README.md +++ b/README.md @@ -138,7 +138,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: For **Windows users**, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. +The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. Also, your server must run [Libreswan 3.19](#upgrade-libreswan) or newer. For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index af1efcdeec..cf0a8d111c 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -44,7 +44,7 @@ 1. 单击 **确定** 关闭 **高级设置**。 1. 单击 **确定** 保存 VPN 连接的详细信息。 -注: 在首次连接之前需要修改一次注册表。请参见下面的说明。 +**注:** 在首次连接之前需要修改一次注册表。请参见下面的说明。 ### Windows 7, Vista and XP @@ -72,7 +72,7 @@ 1. 单击 **确定** 关闭 **高级设置**。 1. 单击 **确定** 保存 VPN 连接的详细信息。 -注: 在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。 +**注:** 在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。 要连接到 VPN: 单击系统托盘中的无线/网络图标,选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名` 和 `密码` ,并单击 **确定**。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 diff --git a/docs/clients.md b/docs/clients.md index 8fb47cc237..c733ddb371 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -44,7 +44,7 @@ An alternative one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). +**Note:** This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 1972c07d84..79237b0afb 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -82,7 +82,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ``` 1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: - 注: 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。 + **注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。 ```bash $ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2 
@@ -170,7 +170,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 vpnclient u,u,u ``` - 注:如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 + **注:** 如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 1. 重启 IPsec 服务: diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index ff85764b72..9b9614d788 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -82,7 +82,7 @@ Before continuing, make sure you have successfully this page. + **Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete it, replace `-L` with `-D`. For other `certutil` usage, read this page. 1. Restart IPsec service: From 4a1c0e34c7f3a4c3b402a0909ad7a35bac9b8d95 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 7 Feb 2017 23:40:39 -0600 Subject: [PATCH 0091/1208] Update docs - Add link to Justin's blog post (IPsec VPN server on Raspberry Pi 3) - Closes #112 --- README-zh.md | 2 ++ README.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/README-zh.md b/README-zh.md index 3a235a645a..bfb1bb7200 100644 --- a/README-zh.md +++ b/README-zh.md @@ -75,6 +75,8 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh **» 我想建立并使用自己的 VPN ,但是没有可用的服务器** +高级用户可以尝试在 树莓派 3 上搭建 VPN 服务器。更多信息请见 Justin 的博客。 + :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! ## 安装说明 diff --git a/README.md b/README.md index 3e7a026951..2e8f4e10dd 100644 --- a/README.md +++ b/README.md @@ -75,6 +75,8 @@ These also include Linux VMs in public clouds, such as **» I want to run my own VPN but don't have a server for that** +Advanced users can set up the VPN server on a $35 Raspberry Pi 3. Read more at Justin's blog. + :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! ## Installation From f7961242e400b48651e8ea473ecba98c8f9f0a29 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Fri, 10 Feb 2017 10:32:24 -0600 Subject: [PATCH 0092/1208] Update docs --- README-zh.md | 6 +++--- README.md | 6 +++--- docs/clients-xauth-zh.md | 2 +- docs/clients-xauth.md | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/README-zh.md b/README-zh.md index bfb1bb7200..4f81c500e8 100644 --- a/README-zh.md +++ b/README-zh.md @@ -57,7 +57,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh ## 系统要求 -一个新创建的 Amazon EC2 实例,使用这些 AMI 之一: +一个新创建的 Amazon EC2 实例,使用这些映像 (AMI): - Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise) - Debian 8 (Jessie) EC2 Images - CentOS 7 (x86_64) with Updates @@ -75,7 +75,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh **» 我想建立并使用自己的 VPN ,但是没有可用的服务器** -高级用户可以尝试在 树莓派 3 上搭建 VPN 服务器。更多信息请见 Justin 的博客。 +高级用户可以在 $35 Raspberry Pi 3 上搭建 VPN 服务器。 :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! @@ -156,7 +156,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh ## 升级Libreswan -提供两个额外的脚本 vpnupgrade.shvpnupgrade_centos.sh,可用于升级 Libreswan更改日志 | 通知列表)。请在运行前根据需要修改 `swan_ver` 变量。检查已安装版本: `ipsec --version`. +提供两个额外的脚本 vpnupgrade.shvpnupgrade_centos.sh,可用于升级 Libreswan更新日志 | 通知列表)。请在运行前根据需要修改 `swan_ver` 变量。检查已安装版本: `ipsec --version`. ```bash # Ubuntu & Debian diff --git a/README.md b/README.md index 2e8f4e10dd..3b32d3b476 100644 --- a/README.md +++ b/README.md @@ -57,7 +57,7 @@ For other installation options and how to set up VPN clients, read the sections ## Requirements -A newly created Amazon EC2 instance, using one of these AMIs: +A newly created Amazon EC2 instance, from these images (AMI): - Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise) - Debian 8 (Jessie) EC2 Images - CentOS 7 (x86_64) with Updates 
@@ -69,13 +69,13 @@ Please see this workaround. OpenVZ VPS is NOT supported, users could instead try OpenVPN. -These also include Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer and Rackspace. +This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer and Rackspace. Deploy to Azure Install on DigitalOcean Deploy to Linode **» I want to run my own VPN but don't have a server for that** -Advanced users can set up the VPN server on a $35 Raspberry Pi 3. Read more at Justin's blog. +Advanced users can set up the VPN server on a $35 Raspberry Pi 3. :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index b7f78183c7..7a98904639 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -20,7 +20,7 @@ IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP **注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,无需安装额外的软件。 1. 下载并安装免费的 Shrew Soft VPN 客户端。 - **注:** 该客户端**不支持** Windows 10。 + **注:** 该 VPN 客户端支持 Windows 2K/XP/Vista/7/8 系统。 1. 单击开始菜单 -> 所有程序 -> ShrewSoft VPN Client -> VPN Access Manager 1. 单击工具栏中的 **Add (+)** 按钮。 1. 在 **Host Name or IP Address** 字段中输入`你的 VPN 服务器 IP`。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 4198b782de..874f4f3b17 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md 
@@ -20,7 +20,7 @@ IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally faster tha **Note:** You may also connect using [IPsec/L2TP mode](clients.md). No additional software is required. 1. Download and install the free Shrew Soft VPN client. - **Note:** This VPN client does NOT support Windows 10. + **Note:** This VPN client supports Windows 2K/XP/Vista/7/8. 1. Click Start Menu -> All Programs -> ShrewSoft VPN Client -> VPN Access Manager 1. Click the **Add (+)** button on toolbar. 1. Enter `Your VPN Server IP` in the **Host Name or IP Address** field. From 03007079e69d257814240db40d9fc29e409ab3a4 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 10 Feb 2017 18:00:29 -0600 Subject: [PATCH 0093/1208] Improve VPN IPs - Use %defaultroute and iptables MASQUERADE, no need to detect private IP - Use %any for the first field of ipsec.secrets, instead of public IP - As a result, the VPN server should now better adapt to IP changes. --- README-zh.md | 1 - README.md | 1 - docs/ikev2-howto-zh.md | 7 ++----- docs/ikev2-howto.md | 7 ++----- docs/manage-users-zh.md | 2 +- docs/manage-users.md | 2 +- vpnsetup.sh | 31 ++++++++++++------------------- vpnsetup_centos.sh | 31 ++++++++++++------------------- 8 files changed, 30 insertions(+), 52 deletions(-) diff --git a/README-zh.md b/README-zh.md index 4f81c500e8..406794d5e4 100644 --- a/README-zh.md +++ b/README-zh.md @@ -51,7 +51,6 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh - 全自动的 IPsec VPN 服务器配置,无需用户输入 - 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持 - 可直接作为 Amazon EC2 实例创建时的用户数据使用 -- 自动确定服务器的公网 IP 以及私有 IP 地址 - 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能 - 测试通过: Ubuntu 16.04/14.04/12.04, Debian 8 和 CentOS 7/6 diff --git a/README.md b/README.md index 3b32d3b476..aac9934f8e 100644 --- a/README.md +++ b/README.md 
@@ -51,7 +51,6 @@ For other installation options and how to set up VPN clients, read the sections - Fully automated IPsec VPN server setup, no user input needed - Encapsulates all VPN traffic in UDP - does not need ESP protocol - Can be directly used as "user-data" for a new Amazon EC2 instance -- Automatically determines public IP and private IP of server - Includes `sysctl.conf` optimizations for improved performance - Tested with Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 7/6 diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 79237b0afb..a1e16c35c3 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -21,15 +21,12 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 在继续之前,请确保你已经成功 搭建自己的 VPN 服务器。 -1. 获取服务器的公共和私有 IP 地址,并确保它们的值非空。注意,这两个 IP 地址可以相同。 +1. 获取服务器的公共 IP 地址,并检查它是否正确。 ```bash $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) - $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') $ echo "$PUBLIC_IP" (检查显示的 public IP) - $ echo "$PRIVATE_IP" - (检查显示的 private IP) ``` 1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接: @@ -38,7 +35,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ cat >> /etc/ipsec.conf <set up your VPN server. -1. Find the public and private IP of your server, and make sure they are not empty. It is OK if they are the same. +1. Find the public IP of your server, and make sure it is correct. ```bash $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) - $ PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') $ echo "$PUBLIC_IP" (Check the displayed public IP) - $ echo "$PRIVATE_IP" - (Check the displayed private IP) ``` 1. Add a new IKEv2 connection to `/etc/ipsec.conf`: @@ -38,7 +35,7 @@ Before continuing, make sure you have successfully " +%any %any : PSK "" ``` 对于 `IPsec/L2TP`,VPN 用户账户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下: diff --git a/docs/manage-users.md b/docs/manage-users.md index fdb7dc1669..daf279353d 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md 
@@ -7,7 +7,7 @@ By default, a single user account for VPN login is created. If you wish to add, First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. ```bash - %any : PSK "" +%any %any : PSK "" ``` For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format of this file is: diff --git a/vpnsetup.sh b/vpnsetup.sh index 8d10555f76..0189234935 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -133,27 +133,22 @@ print_status "Installing packages required for setup..." apt-get -yq install wget dnsutils openssl || exiterr2 apt-get -yq install iproute gawk grep sed net-tools || exiterr2 -print_status "Trying to auto discover IPs of this server..." +print_status "Trying to auto discover IP of this server..." cat <<'EOF' In case the script hangs here for more than a few minutes, -use Ctrl-C to interrupt. Then edit it and manually enter IPs. +use Ctrl-C to interrupt. Then edit it and manually enter IP. EOF -# In case auto IP discovery fails, you may manually enter server IPs here. -# If your server only has a public IP, put that public IP on both lines. +# In case auto IP discovery fails, enter this server's public IP here. PUBLIC_IP=${VPN_PUBLIC_IP:-''} -PRIVATE_IP=${VPN_PRIVATE_IP:-''} -# Try to auto discover IPs of this server +# Try to auto discover IP of this server [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) -[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') -# Check IPs for correct format +# Check IP for correct format check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) -check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter IPs." -check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') -check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs." +check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it." print_status "Installing packages required for the VPN..." @@ -208,7 +203,7 @@ config setup uniqueids=no conn shared - left=$PRIVATE_IP + left=%defaultroute leftid=$PUBLIC_IP right=%any encapsulation=yes 
@@ -225,8 +220,6 @@ conn shared conn l2tp-psk auto=add - leftsubnet=$PRIVATE_IP/32 - leftnexthop=%defaultroute leftprotoport=17/1701 rightprotoport=17/%any type=transport @@ -254,7 +247,7 @@ EOF # Specify IPsec PSK conf_bk "/etc/ipsec.secrets" cat > /etc/ipsec.secrets </dev/null \ - || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then + || ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then ipt_flag=1 fi @@ -371,8 +364,8 @@ if [ "$ipt_flag" = "1" ]; then # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP # iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP iptables -A FORWARD -j DROP - iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" - iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" + iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE + iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" iptables-save >> "$IPT_FILE" diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 020bbc6223..692de3657f 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -112,27 +112,22 @@ print_status "Installing packages required for setup..." yum -y install wget bind-utils openssl || exiterr2 yum -y install iproute gawk grep sed net-tools || exiterr2 -print_status "Trying to auto discover IPs of this server..." +print_status "Trying to auto discover IP of this server..." cat <<'EOF' In case the script hangs here for more than a few minutes, -use Ctrl-C to interrupt. Then edit it and manually enter IPs. +use Ctrl-C to interrupt. Then edit it and manually enter IP. EOF -# In case auto IP discovery fails, you may manually enter server IPs here. -# If your server only has a public IP, put that public IP on both lines. +# In case auto IP discovery fails, enter this server's public IP here. PUBLIC_IP=${VPN_PUBLIC_IP:-''} -PRIVATE_IP=${VPN_PRIVATE_IP:-''} -# Try to auto discover IPs of this server +# Try to auto discover IP of this server [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) -[ -z "$PRIVATE_IP" ] && PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') -# Check IPs for correct format +# Check IP for correct format check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) -check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter IPs." -check_ip "$PRIVATE_IP" || PRIVATE_IP=$(ifconfig "$NET_IF0" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') -check_ip "$PRIVATE_IP" || exiterr "Cannot find valid private IP. Edit the script and manually enter IPs." +check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it." print_status "Adding the EPEL repository..." @@ -195,7 +190,7 @@ config setup uniqueids=no conn shared - left=$PRIVATE_IP + left=%defaultroute leftid=$PUBLIC_IP right=%any encapsulation=yes 
@@ -212,8 +207,6 @@ conn shared conn l2tp-psk auto=add - leftsubnet=$PRIVATE_IP/32 - leftnexthop=%defaultroute leftprotoport=17/1701 rightprotoport=17/%any type=transport @@ -241,7 +234,7 @@ EOF # Specify IPsec PSK conf_bk "/etc/ipsec.secrets" cat > /etc/ipsec.secrets </dev/null \ - || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" 2>/dev/null; then + || ! iptables -t nat -C POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then ipt_flag=1 fi @@ -358,8 +351,8 @@ if [ "$ipt_flag" = "1" ]; then # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP # iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP iptables -A FORWARD -j DROP - iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j SNAT --to-source "$PRIVATE_IP" - iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j SNAT --to-source "$PRIVATE_IP" + iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE + iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" iptables-save >> "$IPT_FILE" fi From 08e08c69245d035a9508086754a3bb0e9a1e7dd8 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 11 Feb 2017 21:36:37 -0600 Subject: [PATCH 0094/1208] Improve customization - Use variables for easier customization of VPN subnets and DNS - Other minor improvements --- vpnsetup.sh | 77 ++++++++++++++++++++++++-------------------- vpnsetup_centos.sh | 79 +++++++++++++++++++++++++--------------------- 2 files changed, 85 insertions(+), 71 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 0189234935..49f7e5e81f 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -39,7 +39,7 @@ SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } -print_status() { echo; echo "## $1"; echo; } +bigecho() { echo; echo "## $1"; echo; } check_ip() { IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" @@ -66,7 +66,6 @@ fi NET_IF0=${VPN_IFACE:-'eth0'} NET_IFS=${VPN_IFACE:-'eth+'} - if_state=$(cat "/sys/class/net/$NET_IF0/operstate" 2>/dev/null) if [ -z "$if_state" ] || [ "$if_state" = "down" ] || [ "$NET_IF0" = "lo" ]; then echo "Error: Network interface '$NET_IF0' is not available." >&2 @@ -89,7 +88,7 @@ fi [ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD" if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then - print_status "VPN credentials not set by user. Generating random PSK and password..." + bigecho "VPN credentials not set by user. Generating random PSK and password..." VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" VPN_USER=vpnuser VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" 
@@ -117,30 +116,30 @@ EOF sleep 30 fi -print_status "VPN setup in progress... Please be patient." +bigecho "VPN setup in progress... Please be patient." # Create and change to working dir mkdir -p /opt/src cd /opt/src || exiterr "Cannot enter /opt/src." -print_status "Populating apt-get cache..." +bigecho "Populating apt-get cache..." export DEBIAN_FRONTEND=noninteractive apt-get -yq update || exiterr "'apt-get update' failed." -print_status "Installing packages required for setup..." +bigecho "Installing packages required for setup..." apt-get -yq install wget dnsutils openssl || exiterr2 apt-get -yq install iproute gawk grep sed net-tools || exiterr2 -print_status "Trying to auto discover IP of this server..." +bigecho "Trying to auto discover IP of this server..." cat <<'EOF' In case the script hangs here for more than a few minutes, use Ctrl-C to interrupt. Then edit it and manually enter IP. EOF -# In case auto IP discovery fails, enter this server's public IP here. +# In case auto IP discovery fails, enter server's public IP here. PUBLIC_IP=${VPN_PUBLIC_IP:-''} # Try to auto discover IP of this server @@ -150,7 +149,7 @@ PUBLIC_IP=${VPN_PUBLIC_IP:-''} check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it." -print_status "Installing packages required for the VPN..." +bigecho "Installing packages required for the VPN..." apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \ 
@@ -159,11 +158,11 @@ apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ apt-get -yq --no-install-recommends install xmlto || exiterr2 apt-get -yq install ppp xl2tpd || exiterr2 -print_status "Installing Fail2Ban to protect SSH..." +bigecho "Installing Fail2Ban to protect SSH..." apt-get -yq install fail2ban || exiterr2 -print_status "Compiling and installing Libreswan..." +bigecho "Compiling and installing Libreswan..." swan_ver=3.19 swan_file="libreswan-$swan_ver.tar.gz" @@ -188,7 +187,15 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then exiterr "Libreswan $swan_ver failed to build." fi -print_status "Creating VPN configuration..." +bigecho "Creating VPN configuration..." + +L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'} +L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'} +L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'} +XAUTH_NET=${VPN_XAUTH_NET:-'192.168.43.0/24'} +XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'} +DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'} +DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} # Create IPsec (Libreswan) config conf_bk "/etc/ipsec.conf" @@ -196,7 +203,7 @@ cat > /etc/ipsec.conf < /etc/xl2tpd/xl2tpd.conf <<'EOF' +cat > /etc/xl2tpd/xl2tpd.conf < /etc/ppp/options.xl2tpd <<'EOF' +cat > /etc/ppp/options.xl2tpd < /etc/ipsec.d/passwd </dev/null \ - || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then + || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFS" -j MASQUERADE 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then ipt_flag=1 fi 
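Review bot: The new `L2TP_NET`, `L2TP_LOCAL`, `L2TP_POOL`, `XAUTH_NET`, `XAUTH_POOL`, `DNS_SRV1` and `DNS_SRV2` assignments under "Creating VPN configuration" take their values straight from the environment, and those values are then written into the config files and passed to iptables without any format check. The script already has `check_ip`; running `L2TP_LOCAL`, `DNS_SRV1` and `DNS_SRV2` through it, and rejecting a `*_NET` or `*_POOL` value that is not a CIDR or an address range, would stop a typo from producing a half-configured server. It is also worth checking that `L2TP_LOCAL` and `L2TP_POOL` fall inside `L2TP_NET`, since the FORWARD and MASQUERADE rules only cover `L2TP_NET`. The heredocs for /etc/xl2tpd/xl2tpd.conf and /etc/ppp/options.xl2tpd lose their quoted `<<'EOF'` delimiter in this hunk, so any `$` or backtick in those templates is now expanded by the shell; please confirm the bodies contain none besides the new variables. The same points apply to the vpnsetup_centos.sh copy.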
@@ -357,15 +364,15 @@ if [ "$ipt_flag" = "1" ]; then iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP iptables -I FORWARD 2 -i "$NET_IFS" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD 3 -i ppp+ -o "$NET_IFS" -j ACCEPT - iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT - iptables -I FORWARD 5 -i "$NET_IFS" -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 6 -s 192.168.43.0/24 -o "$NET_IFS" -j ACCEPT + iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT + iptables -I FORWARD 5 -i "$NET_IFS" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFS" -j ACCEPT # Uncomment if you wish to disallow traffic between VPN clients themselves - # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP - # iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP + # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP + # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP iptables -A FORWARD -j DROP - iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE - iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFS" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" iptables-save >> "$IPT_FILE" @@ -377,7 +384,7 @@ if [ "$ipt_flag" = "1" ]; then fi fi -print_status "Enabling services on boot..." +bigecho "Enabling services on boot..." mkdir -p /etc/network/if-pre-up.d cat > /etc/network/if-pre-up.d/iptablesload <<'EOF' 
@@ -410,7 +417,7 @@ EOF fi fi -print_status "Starting services..." +bigecho "Starting services..." # Reload sysctl.conf sysctl -e -q -p diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 692de3657f..ec50a49cb2 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -39,7 +39,7 @@ SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } -print_status() { echo; echo "## $1"; echo; } +bigecho() { echo; echo "## $1"; echo; } check_ip() { IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" @@ -62,7 +62,6 @@ fi NET_IF0=${VPN_IFACE:-'eth0'} NET_IFS=${VPN_IFACE:-'eth+'} - if_state=$(cat "/sys/class/net/$NET_IF0/operstate" 2>/dev/null) if [ -z "$if_state" ] || [ "$if_state" = "down" ] || [ "$NET_IF0" = "lo" ]; then echo "Error: Network interface '$NET_IF0' is not available." >&2 @@ -85,7 +84,7 @@ fi [ -n "$YOUR_PASSWORD" ] && VPN_PASSWORD="$YOUR_PASSWORD" if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then - print_status "VPN credentials not set by user. Generating random PSK and password..." + bigecho "VPN credentials not set by user. Generating random PSK and password..." VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" VPN_USER=vpnuser VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" 
@@ -101,25 +100,25 @@ case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in ;; esac -print_status "VPN setup in progress... Please be patient." +bigecho "VPN setup in progress... Please be patient." # Create and change to working dir mkdir -p /opt/src cd /opt/src || exiterr "Cannot enter /opt/src." -print_status "Installing packages required for setup..." +bigecho "Installing packages required for setup..." yum -y install wget bind-utils openssl || exiterr2 yum -y install iproute gawk grep sed net-tools || exiterr2 -print_status "Trying to auto discover IP of this server..." +bigecho "Trying to auto discover IP of this server..." cat <<'EOF' In case the script hangs here for more than a few minutes, use Ctrl-C to interrupt. Then edit it and manually enter IP. EOF -# In case auto IP discovery fails, enter this server's public IP here. +# In case auto IP discovery fails, enter server's public IP here. PUBLIC_IP=${VPN_PUBLIC_IP:-''} # Try to auto discover IP of this server @@ -129,11 +128,11 @@ PUBLIC_IP=${VPN_PUBLIC_IP:-''} check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it." -print_status "Adding the EPEL repository..." +bigecho "Adding the EPEL repository..." yum -y install epel-release || exiterr2 -print_status "Installing packages required for the VPN..." +bigecho "Installing packages required for the VPN..." yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel \ @@ -149,11 +148,11 @@ else yum -y install iptables-services || exiterr2 fi -print_status "Installing Fail2Ban to protect SSH..." +bigecho "Installing Fail2Ban to protect SSH..." yum -y install fail2ban || exiterr2 -print_status "Compiling and installing Libreswan..." +bigecho "Compiling and installing Libreswan..." swan_ver=3.19 swan_file="libreswan-$swan_ver.tar.gz" 
@@ -175,7 +174,15 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then exiterr "Libreswan $swan_ver failed to build." fi -print_status "Creating VPN configuration..." +bigecho "Creating VPN configuration..." + +L2TP_NET=${VPN_L2TP_NET:-'192.168.42.0/24'} +L2TP_LOCAL=${VPN_L2TP_LOCAL:-'192.168.42.1'} +L2TP_POOL=${VPN_L2TP_POOL:-'192.168.42.10-192.168.42.250'} +XAUTH_NET=${VPN_XAUTH_NET:-'192.168.43.0/24'} +XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'} +DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'} +DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} # Create IPsec (Libreswan) config conf_bk "/etc/ipsec.conf" @@ -183,7 +190,7 @@ cat > /etc/ipsec.conf < /etc/xl2tpd/xl2tpd.conf <<'EOF' +cat > /etc/xl2tpd/xl2tpd.conf < /etc/ppp/options.xl2tpd <<'EOF' +cat > /etc/ppp/options.xl2tpd < /etc/ipsec.d/passwd </dev/null \ - || ! iptables -t nat -C POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then + || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFS" -j MASQUERADE 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then ipt_flag=1 fi 
@@ -344,20 +351,20 @@ if [ "$ipt_flag" = "1" ]; then iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP iptables -I FORWARD 2 -i "$NET_IFS" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD 3 -i ppp+ -o "$NET_IFS" -j ACCEPT - iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT - iptables -I FORWARD 5 -i "$NET_IFS" -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 6 -s 192.168.43.0/24 -o "$NET_IFS" -j ACCEPT + iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT + iptables -I FORWARD 5 -i "$NET_IFS" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFS" -j ACCEPT # Uncomment if you wish to disallow traffic between VPN clients themselves - # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP - # iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP + # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP + # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP iptables -A FORWARD -j DROP - iptables -t nat -I POSTROUTING -s 192.168.43.0/24 -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE - iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$NET_IFS" -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFS" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" iptables-save >> "$IPT_FILE" fi -print_status "Creating basic Fail2Ban rules..." +bigecho "Creating basic Fail2Ban rules..." if [ ! -f /etc/fail2ban/jail.local ] ; then cat > /etc/fail2ban/jail.local <<'EOF' 
@@ -369,7 +376,7 @@ logpath = /var/log/secure EOF fi -print_status "Enabling services on boot..." +bigecho "Enabling services on boot..." if grep -qs "release 6" /etc/redhat-release; then chkconfig iptables on @@ -394,7 +401,7 @@ echo 1 > /proc/sys/net/ipv4/ip_forward EOF fi -print_status "Starting services..." +bigecho "Starting services..." # Restore SELinux contexts restorecon /etc/ipsec.d/*db 2>/dev/null From 320e17a61d4c95a4cd97f595c8863ba5140f7fe5 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 16 Feb 2017 12:14:13 -0600 Subject: [PATCH 0095/1208] Workaround for fail2ban bug - Temporary workaround for fail2ban bug on CentOS 7 - Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1422500 --- vpnsetup_centos.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index ec50a49cb2..b343380406 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -420,6 +420,7 @@ iptables-restore < "$IPT_FILE" # Restart services modprobe -q pppol2tp +mkdir -p /var/run/fail2ban service fail2ban restart 2>/dev/null service ipsec restart 2>/dev/null service xl2tpd restart 2>/dev/null From 43d11fe35a6f22a0a5bfa8a140e044bdff5b9f49 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 16 Feb 2017 12:28:57 -0600 Subject: [PATCH 0096/1208] Fix xl2tpd on CentOS 7 for Linode - Fix xl2tpd on CentOS 7 for providers such as Linode, where kernel module "l2tp_ppp" is unavailable - Closes: #114 --- vpnsetup_centos.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index b343380406..460909364f 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -418,6 +418,15 @@ chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* # Apply new IPTables rules iptables-restore < "$IPT_FILE" +# Fix xl2tpd on CentOS 7 for providers such as Linode, +# where kernel module "l2tp_ppp" is unavailable +if grep -qs "release 7" /etc/redhat-release; then + if ! modprobe -q l2tp_ppp; then + sed -i '/ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service + systemctl daemon-reload + fi +fi + # Restart services modprobe -q pppol2tp mkdir -p /var/run/fail2ban From 347f3fdbfef64d5f48264abd2131f041ca297d55 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 18 Feb 2017 08:53:00 -0600 Subject: [PATCH 0097/1208] Improve IPTables rules - Improve blocking of unencrypted L2TP without IPsec - Closes #116. Thanks @ryt51V! --- vpnsetup.sh | 11 ++++++----- vpnsetup_centos.sh | 11 ++++++----- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 49f7e5e81f..dca0e84f58 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
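Review bot: The `sed -i '/ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service` line edits the packaged unit file in place, so the change is lost the next time the xl2tpd package is updated and the unit file is replaced. A drop-in under /etc/systemd/system/xl2tpd.service.d/ that clears the setting with an empty `ExecStartPre=` in its `[Service]` section survives package updates and is simple to remove later. The `sed` expression also comments every line containing `ExecStartPre` and adds another `#` on each re-run, which is harmless but makes the file harder to read. A short comment noting that `modprobe -q l2tp_ppp` is used here as an availability test would help the next reader.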
@@ -356,11 +356,12 @@ fi if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 iptables-save > "$IPT_FILE.old-$SYS_DT" - iptables -I INPUT 1 -m conntrack --ctstate INVALID -j DROP - iptables -I INPUT 2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I INPUT 3 -p udp -m multiport --dports 500,4500 -j ACCEPT - iptables -I INPUT 4 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT - iptables -I INPUT 5 -p udp --dport 1701 -j DROP + iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP + iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP + iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I INPUT 4 -p udp -m multiport --dports 500,4500 -j ACCEPT + iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT + iptables -I INPUT 6 -p udp --dport 1701 -j DROP iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP iptables -I FORWARD 2 -i "$NET_IFS" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD 3 -i ppp+ -o "$NET_IFS" -j ACCEPT diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 460909364f..98fbc3c611 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
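Review bot: The new first rule, `iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP`, has no comment explaining why it must sit ahead of the `RELATED,ESTABLISHED` accept that is now at position 3. In the old order that accept came before both 1701 rules, so a tracked UDP 1701 flow was accepted regardless of IPsec policy; that ordering dependency is the substance of the fix and should be stated next to the rule so a later edit does not move it back. With rule 1 dropping `--pol none` and rule 5 accepting `--pol ipsec`, rule 6 (`-p udp --dport 1701 -j DROP`) is now only a backstop; keeping it is reasonable, but say so in a comment. This patch changes only the insert block, so please also confirm that the `ipt_flag` probe causes hosts configured with the old five-rule layout to pick up the new ordering on a re-run.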
@@ -343,11 +343,12 @@ fi if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 iptables-save > "$IPT_FILE.old-$SYS_DT" - iptables -I INPUT 1 -m conntrack --ctstate INVALID -j DROP - iptables -I INPUT 2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I INPUT 3 -p udp -m multiport --dports 500,4500 -j ACCEPT - iptables -I INPUT 4 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT - iptables -I INPUT 5 -p udp --dport 1701 -j DROP + iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP + iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP + iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I INPUT 4 -p udp -m multiport --dports 500,4500 -j ACCEPT + iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT + iptables -I INPUT 6 -p udp --dport 1701 -j DROP iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP iptables -I FORWARD 2 -i "$NET_IFS" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD 3 -i ppp+ -o "$NET_IFS" -j ACCEPT From 6f1dc6db1c3853643611ef6905cb95c4ff2e7ee9 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 6 Mar 2017 11:03:33 -0600 Subject: [PATCH 0098/1208] Remove fail2ban workaround - The fail2ban bug on CentOS 7 has been fixed. Remove workaround. - Ref: 320e17a, https://bugzilla.redhat.com/show_bug.cgi?id=1422500 --- vpnsetup_centos.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 98fbc3c611..214830e90d 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -430,7 +430,6 @@ fi # Restart services modprobe -q pppol2tp -mkdir -p /var/run/fail2ban service fail2ban restart 2>/dev/null service ipsec restart 2>/dev/null service xl2tpd restart 2>/dev/null From fec47196d660b4b6975114147cb6f3426f78b622 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Sun, 19 Mar 2017 22:10:49 -0500 Subject: [PATCH 0099/1208] Update docs --- README-zh.md | 2 +- README.md | 4 ++-- azure/README-zh.md | 2 +- azure/README.md | 2 +- docs/clients-xauth-zh.md | 2 +- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 2 +- docs/clients.md | 2 +- docs/ikev2-howto-zh.md | 12 +++++++----- docs/ikev2-howto.md | 10 ++++++---- docs/manage-users-zh.md | 2 +- docs/manage-users.md | 2 +- docs/uninstall-zh.md | 2 +- docs/uninstall.md | 2 +- 14 files changed, 26 insertions(+), 22 deletions(-) diff --git a/README-zh.md b/README-zh.md index 406794d5e4..1b304b02ec 100644 --- a/README-zh.md +++ b/README-zh.md @@ -1,4 +1,4 @@ -# IPsec VPN 服务器一键安装脚本 +# IPsec VPN 服务器一键安装脚本 [![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) diff --git a/README.md b/README.md index aac9934f8e..441841ec25 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -# IPsec VPN Server Auto Setup Scripts +# IPsec VPN Server Auto Setup Scripts [![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) @@ -139,7 +139,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: For **Windows users**, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. Also, your server must run [Libreswan 3.19](#upgrade-libreswan) or newer. +The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. Also, your server must run [Libreswan 3.19](#upgrade-libreswan) or newer versions. For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. diff --git a/azure/README-zh.md b/azure/README-zh.md index 53e3bf5535..a1cf55f374 100644 --- a/azure/README-zh.md +++ b/azure/README-zh.md @@ -1,4 +1,4 @@ -# 在 Microsoft Azure 上部署 +# 在 Microsoft Azure 上部署 *其他语言版本: [English](README.md), [简体中文](README-zh.md).* diff --git a/azure/README.md b/azure/README.md index 801f97d70e..697f219100 100644 --- a/azure/README.md +++ b/azure/README.md 
@@ -1,4 +1,4 @@ -# Deploy to Microsoft Azure +# Deploy to Microsoft Azure *Read this in other languages: [English](README.md), [简体中文](README-zh.md).* diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 7a98904639..1a59fabc62 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -1,4 +1,4 @@ -# 配置 IPsec/XAuth VPN 客户端 +# 配置 IPsec/XAuth VPN 客户端 *其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 874f4f3b17..601a8b8c3d 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -1,4 +1,4 @@ -# Configure IPsec/XAuth VPN Clients +# Configure IPsec/XAuth VPN Clients *Read this in other languages: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* diff --git a/docs/clients-zh.md b/docs/clients-zh.md index cf0a8d111c..20d07aa2e8 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -1,4 +1,4 @@ -# 配置 IPsec/L2TP VPN 客户端 +# 配置 IPsec/L2TP VPN 客户端 *其他语言版本: [English](clients.md), [简体中文](clients-zh.md).* diff --git a/docs/clients.md b/docs/clients.md index c733ddb371..ff2f74d010 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -1,4 +1,4 @@ -# Configure IPsec/L2TP VPN Clients +# Configure IPsec/L2TP VPN Clients *Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).* diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index a1e16c35c3..d17f5957dc 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -1,4 +1,4 @@ -# 如何配置 IKEv2 VPN: Windows 和 Android +# 如何配置 IKEv2 VPN: Windows 和 Android *其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* @@ -152,7 +152,9 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 pk12util: PKCS12 EXPORT SUCCESSFUL ``` - 重复这个步骤来为更多的客户端生成证书,但必须把所有的 `vpnclient` 换成 `vpnclient2`,等等。请注意,如果你需要同时连接多个客户端,则必须为每个客户端生成唯一的证书。 + 重复这个步骤来为更多的客户端生成证书,但必须把所有的 `vpnclient` 换成 `vpnclient2`,等等。 + + **注:** 如果你需要同时连接多个客户端,则必须为每一个客户端生成唯一的证书。 1. 证书数据库现在应该包含以下内容: 
@@ -167,7 +169,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 vpnclient u,u,u ``` - **注:** 如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 + **注:** 如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 1. 重启 IPsec 服务: @@ -181,7 +183,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 将 `.p12` 文件导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 - 请按照以下链接的步骤操作: + 详细的操作步骤: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs 1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接: @@ -200,7 +202,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 1. 单击添加一个 **User certificate**,然后单击 **Install**。 1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 - 1. 保存新的 VPN 连接,然后单击它开始连接。 + 1. 保存新的 VPN 连接,然后单击它以开始连接。 #### Windows Phone 8.1 及以上 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index cf2bff14d8..4e49b7af79 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -1,4 +1,4 @@ -# How-To: IKEv2 VPN for Windows and Android +# How-To: IKEv2 VPN for Windows and Android *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* @@ -152,7 +152,9 @@ Before continuing, make sure you have successfully this page. + **Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete a certificate, replace `-L` with `-D`. For other `certutil` usage, read this page. 1. Restart IPsec service: @@ -181,7 +183,7 @@ Before continuing, make sure you have successfully Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". - Follow the instructions at this link: + Detailed instructions: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs 1. On the Windows computer, add a new IKEv2 VPN connection: 
diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index b71ab347f5..6a19db099d 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md @@ -1,4 +1,4 @@ -# 管理 VPN 用户 +# 管理 VPN 用户 *其他语言版本: [English](manage-users.md), [简体中文](manage-users-zh.md).* diff --git a/docs/manage-users.md b/docs/manage-users.md index daf279353d..787a78987f 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md @@ -1,4 +1,4 @@ -# Manage VPN Users +# Manage VPN Users *Read this in other languages: [English](manage-users.md), [简体中文](manage-users-zh.md).* diff --git a/docs/uninstall-zh.md b/docs/uninstall-zh.md index 3164b82cd5..6c85d8f881 100644 --- a/docs/uninstall-zh.md +++ b/docs/uninstall-zh.md @@ -1,4 +1,4 @@ -# 卸载 VPN +# 卸载 VPN *其他语言版本: [English](uninstall.md), [简体中文](uninstall-zh.md).* diff --git a/docs/uninstall.md b/docs/uninstall.md index ec09d9700e..6037292326 100644 --- a/docs/uninstall.md +++ b/docs/uninstall.md @@ -1,4 +1,4 @@ -# Uninstall the VPN +# Uninstall the VPN *Read this in other languages: [English](uninstall.md), [简体中文](uninstall-zh.md).* From 6d9eb9a2fadd4b620d5483c2b7d3b4d7b1da6019 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 23 Mar 2017 12:39:01 -0500 Subject: [PATCH 0100/1208] Improve OS detection - Fix OS detection on Debian when lsb_release is not available - Closes #123 --- extras/vpnupgrade.sh | 7 +++++-- vpnsetup.sh | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 26e6bbcb99..dfc0c557d4 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -21,8 +21,11 @@ exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } os_type="$(lsb_release -si 2>/dev/null)" -if [ -z "$os_type" ] && [ -f "/etc/lsb-release" ]; then - os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")" +if [ -z "$os_type" ]; then + [ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")" + [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")" + [ "$os_type" = "debian" ] && os_type=Debian + [ "$os_type" = "ubuntu" ] && os_type=Ubuntu fi if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ] && [ "$os_type" != "Raspbian" ]; then exiterr "This script only supports Ubuntu/Debian." diff --git a/vpnsetup.sh b/vpnsetup.sh index dca0e84f58..e44f766088 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -47,8 +47,11 @@ check_ip() { } os_type="$(lsb_release -si 2>/dev/null)" -if [ -z "$os_type" ] && [ -f "/etc/lsb-release" ]; then - os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")" +if [ -z "$os_type" ]; then + [ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")" + [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")" + [ "$os_type" = "debian" ] && os_type=Debian + [ "$os_type" = "ubuntu" ] && os_type=Ubuntu fi if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ] && [ "$os_type" != "Raspbian" ]; then exiterr "This script only supports Ubuntu/Debian." From 222acbf5aeae8887401f0f955f330cc5d3ed3f5e Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 23 Mar 2017 13:55:51 -0500 Subject: [PATCH 0101/1208] New Libreswan version - New Libreswan version 3.20 - Use GitHub as primary download source --- extras/vpnupgrade.sh | 6 +++--- extras/vpnupgrade_centos.sh | 6 +++--- vpnsetup.sh | 6 +++--- vpnsetup_centos.sh | 6 +++--- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index dfc0c557d4..ac1b9d3924 100644 --- a/extras/vpnupgrade.sh 
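Review bot: In the new fallback block the `/etc/lsb-release` line runs unconditionally after the `/etc/os-release` line, so on a system that has both files but no `DISTRIB_ID` in lsb-release, `os_type` is overwritten with an empty string and the script stops with "This script only supports Ubuntu/Debian." Guard the second assignment, for example `[ -z "$os_type" ] && [ -f /etc/lsb-release ] && ...`, or read lsb-release first and os-release only if the result is still empty. The lowercase mapping covers `debian` and `ubuntu` but not `raspbian`, although the check that follows accepts `Raspbian`; add that mapping so the os-release path behaves the same as `lsb_release -si`. Both copies of the block (extras/vpnupgrade.sh and vpnsetup.sh) need the same change.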
+++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.19 +swan_ver=3.20 ### DO NOT edit below this line ### @@ -139,8 +139,8 @@ apt-get -yq --no-install-recommends install xmlto || exiterr2 # Compile and install Libreswan swan_file="libreswan-$swan_ver.tar.gz" -swan_url1="https://download.libreswan.org/$swan_file" -swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" +swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" +swan_url2="https://download.libreswan.org/$swan_file" if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then exiterr "Cannot download Libreswan source." fi diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 3e87990054..f906bbe73b 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.19 +swan_ver=3.20 ### DO NOT edit below this line ### @@ -131,8 +131,8 @@ fi # Compile and install Libreswan swan_file="libreswan-$swan_ver.tar.gz" -swan_url1="https://download.libreswan.org/$swan_file" -swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" +swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" +swan_url2="https://download.libreswan.org/$swan_file" if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then exiterr "Cannot download Libreswan source." fi diff --git a/vpnsetup.sh b/vpnsetup.sh index e44f766088..3caf615d81 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
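Review bot: `swan_url1` now points at the GitHub auto-generated archive for `v$swan_ver`, and nothing in these hunks checks the downloaded `$swan_file` against a known digest before it is compiled and installed. Because the `wget ... || wget ...` fallback means either source can supply the file, the check should not depend on which URL succeeded: pin a SHA-256 next to `swan_ver` and verify it with `sha256sum -c` right after the download, failing through `exiterr` on mismatch. That also gives the version bump from 3.19 to 3.20 a second value that has to be updated deliberately. The same applies to all four scripts touched by this patch.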
@@ -167,10 +167,10 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -swan_ver=3.19 +swan_ver=3.20 swan_file="libreswan-$swan_ver.tar.gz" -swan_url1="https://download.libreswan.org/$swan_file" -swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" +swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" +swan_url2="https://download.libreswan.org/$swan_file" if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then exiterr "Cannot download Libreswan source." fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 214830e90d..fb29eeedf2 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -154,10 +154,10 @@ yum -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -swan_ver=3.19 +swan_ver=3.20 swan_file="libreswan-$swan_ver.tar.gz" -swan_url1="https://download.libreswan.org/$swan_file" -swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" +swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" +swan_url2="https://download.libreswan.org/$swan_file" if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then exiterr "Cannot download Libreswan source." fi From 67474fddc9e0c4c10b597fb4b850afc6603d3d63 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 7 Apr 2017 13:55:46 -0500 Subject: [PATCH 0102/1208] Improve VPN variables - Check VPN credentials for non-ASCII characters - Ref: #130 --- vpnsetup.sh | 6 +++++- vpnsetup_centos.sh | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 3caf615d81..e5d60cbc6f 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -101,9 +101,13 @@ if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then exiterr "All VPN credentials must be specified. Edit the script and re-enter them." fi +if printf %s "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -qs '[^ -~]\+'; then + exiterr "VPN credentials must not contain non-ASCII characters." +fi + case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in *[\\\"\']*) - exiterr "VPN credentials must not contain any of these characters: \\ \" '" + exiterr "VPN credentials must not contain the following characters: \\ \" '" ;; esac diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index fb29eeedf2..2e6ee3c9be 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -94,9 +94,13 @@ if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then exiterr "All VPN credentials must be specified. Edit the script and re-enter them." fi +if printf %s "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" | LC_ALL=C grep -qs '[^ -~]\+'; then + exiterr "VPN credentials must not contain non-ASCII characters." +fi + case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in *[\\\"\']*) - exiterr "VPN credentials must not contain any of these characters: \\ \" '" + exiterr "VPN credentials must not contain the following characters: \\ \" '" ;; esac From f58afbc84ba421216ca2615d3e3654902e9a1852 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 12 Apr 2017 10:17:08 -0500 Subject: [PATCH 0103/1208] Update VPN ciphers - Add aes256-sha2_512 to the list of allowed ciphers - Required for Android 7.1.x and (possibly) Chromebook --- docs/ikev2-howto-zh.md | 4 ++-- docs/ikev2-howto.md | 4 ++-- extras/vpnupgrade.sh | 4 ++-- extras/vpnupgrade_centos.sh | 4 ++-- vpnsetup.sh | 4 ++-- vpnsetup_centos.sh | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index d17f5957dc..9f2c93aae3 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -55,8 +55,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ikev2=insist rekey=no fragmentation=yes - ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,aes-sha1,aes-sha2 + ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 + phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512 EOF ``` diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 4e49b7af79..17ca30a0ca 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -55,8 +55,8 @@ Before continuing, make sure you have successfully /dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null # Update ipsec.conf for Libreswan 3.19 and newer -IKE_NEW=" ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" -PHASE2_NEW=" phase2alg=3des-sha1,aes-sha1,aes-sha2" +IKE_NEW=" ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" +PHASE2_NEW=" phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512" sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index e5d60cbc6f..426515887b 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -228,8 +228,8 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear - ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,aes-sha1,aes-sha2 + ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 + phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512 sha2-truncbug=yes conn l2tp-psk diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 2e6ee3c9be..bf6eaad123 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -212,8 +212,8 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear - ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,aes-sha1,aes-sha2 + ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 + phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512 sha2-truncbug=yes conn l2tp-psk From cebf9f4361958c5d38ff66ddc8ca766756159bfe Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 12 Apr 2017 10:30:26 -0500 Subject: [PATCH 0104/1208] Minor clean up --- vpnsetup.sh | 10 ++++------ vpnsetup_centos.sh | 10 ++++------ 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 426515887b..7cfcffa4e7 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -71,17 +71,15 @@ NET_IF0=${VPN_IFACE:-'eth0'} NET_IFS=${VPN_IFACE:-'eth+'} if_state=$(cat "/sys/class/net/$NET_IF0/operstate" 2>/dev/null) if [ -z "$if_state" ] || [ "$if_state" = "down" ] || [ "$NET_IF0" = "lo" ]; then - echo "Error: Network interface '$NET_IF0' is not available." >&2 + printf "Error: Network interface '%s' is not available.\n" "$NET_IF0" >&2 + printf '\n%s\n' "DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!" >&2 + printf '\n%s\n\n' "If running on a server, try this workaround:" >&2 cat 1>&2 <<'EOF' - -DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! - -If running on a server, try this workaround: - VPN_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" EOF cat 1>&2 </dev/null) if [ -z "$if_state" ] || [ "$if_state" = "down" ] || [ "$NET_IF0" = "lo" ]; then - echo "Error: Network interface '$NET_IF0' is not available." >&2 + printf "Error: Network interface '%s' is not available.\n" "$NET_IF0" >&2 + printf '\n%s\n' "DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!" >&2 + printf '\n%s\n\n' "If running on a server, try this workaround:" >&2 cat 1>&2 <<'EOF' - -DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! - -If running on a server, try this workaround: - VPN_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" EOF cat 1>&2 < Date: Sun, 30 Apr 2017 17:16:33 -0500 Subject: [PATCH 0105/1208] Improve network interfaces - Use eth0 instead of eth+ throughout for consistency - Improve error messages when eth0 is unavailable --- vpnsetup.sh | 41 +++++++++++++++++++++-------------------- vpnsetup_centos.sh | 41 +++++++++++++++++++++-------------------- 2 files changed, 42 insertions(+), 40 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 7cfcffa4e7..c95b7d7d18 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -67,19 +67,20 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -NET_IF0=${VPN_IFACE:-'eth0'} -NET_IFS=${VPN_IFACE:-'eth+'} -if_state=$(cat "/sys/class/net/$NET_IF0/operstate" 2>/dev/null) -if [ -z "$if_state" ] || [ "$if_state" = "down" ] || [ "$NET_IF0" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n" "$NET_IF0" >&2 - printf '\n%s\n' "DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!" >&2 - printf '\n%s\n\n' "If running on a server, try this workaround:" >&2 +NET_IFACE=${VPN_NET_IFACE:-'eth0'} + +if_state=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null) +if [ -z "$if_state" ] || [ "$if_state" = "down" ] || [ "$NET_IFACE" = "lo" ]; then + printf "Error: Network interface '%s' is not available.\n\n" "$NET_IFACE" >&2 cat 1>&2 <<'EOF' -VPN_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" +DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! + +If running on a server, please re-run the script using +the following commands: + VPN_NET_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" EOF cat 1>&2 </dev/null \ - || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then + || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then ipt_flag=1 fi 
@@ -368,17 +369,17 @@ if [ "$ipt_flag" = "1" ]; then iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT iptables -I INPUT 6 -p udp --dport 1701 -j DROP iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP - iptables -I FORWARD 2 -i "$NET_IFS" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 3 -i ppp+ -o "$NET_IFS" -j ACCEPT + iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT - iptables -I FORWARD 5 -i "$NET_IFS" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFS" -j ACCEPT + iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT # Uncomment if you wish to disallow traffic between VPN clients themselves # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP iptables -A FORWARD -j DROP - iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE - iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFS" -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" iptables-save >> "$IPT_FILE" diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 16019e095b..273336f3af 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -60,19 +60,20 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -NET_IF0=${VPN_IFACE:-'eth0'} -NET_IFS=${VPN_IFACE:-'eth+'} -if_state=$(cat "/sys/class/net/$NET_IF0/operstate" 2>/dev/null) -if [ -z "$if_state" ] || [ "$if_state" = "down" ] || [ "$NET_IF0" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n" "$NET_IF0" >&2 - printf '\n%s\n' "DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!" >&2 - printf '\n%s\n\n' "If running on a server, try this workaround:" >&2 +NET_IFACE=${VPN_NET_IFACE:-'eth0'} + +if_state=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null) +if [ -z "$if_state" ] || [ "$if_state" = "down" ] || [ "$NET_IFACE" = "lo" ]; then + printf "Error: Network interface '%s' is not available.\n\n" "$NET_IFACE" >&2 cat 1>&2 <<'EOF' -VPN_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" +DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! + +If running on a server, please re-run the script using +the following commands: + VPN_NET_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" EOF cat 1>&2 </dev/null \ - || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then + || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then ipt_flag=1 fi 
@@ -352,17 +353,17 @@ if [ "$ipt_flag" = "1" ]; then iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT iptables -I INPUT 6 -p udp --dport 1701 -j DROP iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP - iptables -I FORWARD 2 -i "$NET_IFS" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 3 -i ppp+ -o "$NET_IFS" -j ACCEPT + iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT - iptables -I FORWARD 5 -i "$NET_IFS" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFS" -j ACCEPT + iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT # Uncomment if you wish to disallow traffic between VPN clients themselves # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP iptables -A FORWARD -j DROP - iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFS" -m policy --dir out --pol none -j MASQUERADE - iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFS" -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" iptables-save >> "$IPT_FILE" fi From db834c146ffd26dd9ebedde097ebd41d3917332d Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Mon, 1 May 2017 20:08:02 -0500 Subject: [PATCH 0106/1208] Update Azure template --- azure/azuredeploy.json | 44 ++++--------------------- azure/custom_deployment_screenshot.png | Bin 49950 -> 24430 bytes 2 files changed, 7 insertions(+), 37 deletions(-) diff --git a/azure/azuredeploy.json b/azure/azuredeploy.json index 10bc522681..9e08549116 100644 --- a/azure/azuredeploy.json +++ b/azure/azuredeploy.json @@ -44,45 +44,15 @@ "Standard_A5", "Standard_A6", "Standard_A7", - "Standard_A8", - "Standard_A9", - "Standard_A10", - "Standard_A11", + "Basic_A0", + "Basic_A1", + "Basic_A2", + "Basic_A3", + "Basic_A4", "Standard_D1", "Standard_D2", "Standard_D3", - "Standard_D4", - "Standard_D11", - "Standard_D12", - "Standard_D13", - "Standard_D14", - "Standard_D1_v2", - "Standard_D2_v2", - "Standard_D3_v2", - "Standard_D4_v2", - "Standard_D5_v2", - "Standard_D11_v2", - "Standard_D12_v2", - "Standard_D13_v2", - "Standard_D14_v2", - "Standard_G1", - "Standard_G2", - "Standard_G3", - "Standard_G4", - "Standard_G5", - "Standard_DS1", - "Standard_DS2", - "Standard_DS3", - "Standard_DS4", - "Standard_DS11", - "Standard_DS12", - "Standard_DS13", - "Standard_DS14", - "Standard_GS1", - "Standard_GS2", - "Standard_GS3", - "Standard_GS4", - "Standard_GS5" + "Standard_D4" ], "metadata": { "description": "The size of the Virtual Machine." @@ -104,7 +74,7 @@ "ubuntu": { "publisher": "Canonical", "offer": "UbuntuServer", - "sku": "16.04.0-LTS", + "sku": "16.04-LTS", "version": "latest" }, "debian": { 
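Review bot: In the `os_type` fallback hunks that precede PATCH 0101 (the one in `vpnsetup.sh` and the one before it), the `/etc/lsb-release` line runs unconditionally after the `/etc/os-release` line, so a host whose `lsb-release` exists but does not set `DISTRIB_ID` overwrites a valid `$ID` with an empty string and then fails the "only supports Ubuntu/Debian" check. Only `debian` and `ubuntu` are mapped to their capitalised forms, so an os-release `ID` of `raspbian` never matches the `Raspbian` comparison that follows. Suggest guarding the second probe with `[ -z "$os_type" ]` and adding the `raspbian` mapping.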
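Review bot: In PATCH 0101, the `swan_url1`/`swan_url2` swap in all four scripts makes the GitHub tag archive the first source for code that is compiled and installed as root, and no checksum or signature check on `$swan_file` is visible in these hunks. The two URLs also point at different artifacts (a tag archive of `v$swan_ver` versus the release tarball `libreswan-$swan_ver.tar.gz`), so a single pinned hash cannot cover both. Suggest recording an expected SHA-256 per source next to `swan_ver` and comparing it before extraction, and stating in the commit message why GitHub is preferred.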
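Review bot: In PATCH 0102, the new `LC_ALL=C grep -qs '[^ -~]\+'` check in `vpnsetup.sh` and `vpnsetup_centos.sh` does not catch a newline inside a credential, because grep matches line by line and each resulting line can be fully printable; the `case` below it only rejects backslash and the two quote characters. The check also rejects ASCII control characters such as tab while the message says "non-ASCII". Suggest an explicit newline test (for example a `case` pattern containing a literal newline), rewording the message to "printable ASCII only", and dropping the `\+`, which is a GNU extension and adds nothing with `-q`.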
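Review bot: In PATCH 0103, the `ike=` and `phase2alg=` lines gain `aes256-sha2_512` but the reason (Android 7.1.x, possibly Chromebook) is recorded only in the commit message, and the lists still carry the `3des-sha1` and `modp1024` proposals ahead of it. Suggest a short comment above these lines in `vpnsetup.sh`, `vpnsetup_centos.sh` and the upgrade scripts naming which clients need which proposal, so the weaker entries can be retired deliberately later. The comment "Update ipsec.conf for Libreswan 3.19 and newer" in the upgrade scripts could also mention the new suite.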
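Review bot: In PATCH 0105, the first hunk of `vpnsetup.sh` and `vpnsetup_centos.sh` renames the user-facing variable from `VPN_IFACE` to `VPN_NET_IFACE` with no fallback, so anyone still exporting `VPN_IFACE` (the name the previous error message told them to use) is silently put back on `eth0`. Suggest honouring the old name for a transition period, for example `NET_IFACE=${VPN_NET_IFACE:-${VPN_IFACE:-eth0}}`, and mentioning the rename in the commit message. The suggested workaround also pipes `route` through two greps; on a host with more than one default route this yields a multi-line value, so taking only the first match would be safer.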
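Review bot: In PATCH 0105, the `iptables -C` checks and the `@@ -368` / `@@ -352` rule blocks now match on the exact `"$NET_IFACE"` instead of the `eth+` wildcard, so on a server configured by an earlier version of the script the checks will not find the saved `eth+` rules, `ipt_flag` becomes 1, and a second rule set is inserted on top of the old one, including another `iptables -A FORWARD -j DROP`. Suggest also checking for the legacy `eth+` rules (or removing them) before inserting. It is also worth documenting that forwarding and MASQUERADE now cover only one interface, which changes behaviour on hosts with several `eth*` interfaces.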
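Review bot: In PATCH 0106, the `azure/azuredeploy.json` hunk at `@@ -44,45 +44,15` drops every `_v2`, `DS`, `G` and `GS` size from the allowed values without any explanation in the commit message ("Update Azure template"), so an existing parameter file that names one of the removed sizes will no longer validate. Suggest stating the reason for the reduced list and the `16.04.0-LTS` to `16.04-LTS` SKU change in the commit message or the template's `metadata` description. The image reference also keeps `"version": "latest"`, so deployments are not reproducible; pinning a version is worth considering.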
diff --git a/azure/custom_deployment_screenshot.png b/azure/custom_deployment_screenshot.png index 3dab1f3a8ea1e40016108f937dcbd2f2865ec97c..beb5911e8eb2152de3a6386dfd6cdab6ed4e3dbb 100644 GIT binary patch
z@@4$Eif*f7G*VJh^3Jxp*LdXXqjcBDJ0tBv@XMF7=`hqK`E&^vml_7F33srn-TDxmx(EUdK|4=b(p>pi@OiVfThEYS2<19x_RVbl)Q>x)k6 z(=RU^7`Nvo4|GZ^Dl5~6;7vhImngm^>Ro$63vQHNKWdfrlZ~o%L1z@uILEvfe)<%( z4cxi1wUyX1^0Z}tx;_kp%H98W1R1--C7Z=WQTvG6(n!eje>eV-bdNWGM&Rk@NVOv! zA&aKNXqDNJgfjPZxltpCI&40_CcB^AixYYED&Af%G8aT&vtMghK_9?;KABd|ERxnc zZm}$q!x#<@4q!eS^&OpBGuOGg=3oHQ_&pN{YnQs4;8+x!+^q}85=CHnvK_(ih$FgR zXrbGf&&KH~2rde_n1LBk?QZF}4TVDa-Ttys%+)&9`E7gcN>D$aD4elvLz-?eq66MM zh1|XahlM>x!H11{KSW zG^>_&S8*8VJ@(`~%KkpXa=X1td(CRA11|smoSQ5k%XLrL^s@*COvH?^ITBz^95{~- z$>TJ0-@1)*yI+WD;ydEMuKQJg%be+Tqu3;q>H7DX@ z7P!a;*X=>ugZ1>DW4b;N}`s(a6oGjq_`*g?Z+t)^BX8mV2K2 zRL(@@Tm`}Gdw61f)7dJPv8k! zAf5tLRJQ0MORc^8i(^%ffJ221Giz~eeHQ!L!uEnUWcRn^9&77e_oDYT32bLT=qeMV zuebLP1R^_FukNzHXhcP8+|@sEBjifC)=E6Eo%gz;q9TdS9CM=|&R=v0M;>OoflPt$ z^HrX-$?xH$J}Tdmvf<2=1t$q#7(0DFJt7b*Qm+m&%Ov|#Hl=IYH71_+Ej&9dlS?L4Md~%*z8Uqnt%vvk>+0In)Rc4yN&M487abojp3EU4 zul5;JsoH`KF*_bT3W;N->aBMyhZ!7-t#_NfUiMy;6eD468vLU5`Ia{KE=0B-c!y^y zfpwRc?}F`5&dzAq+A@JbE+-tx#T=^5Q!P;UQ_jsQQ)iMtU09e0xd07|$RfKEFXD z*x?%SR=m0CSL%nxg0GWz;|vypNcraKRQBNS^hPL*&e<6x?_A$AVhl1r6~yIsmLHuk zh)YWs4C&YZy1BjeJLQGx;2~1I5~mjVUf;E~3GEsh%)+n}%%clB9-hgc_l03$SgH(a zw49s)m80x|lWS;?3Y3xu2aDd>4nB)n)i~OqX-5+rwfd({DaXoNt}lm`3LRWElh8T}}=`ayPIsm%XF!wsOsk`5uVWBP@5237pQ@ z%#6shX>vU-&JfKXZ6R5Uyu93A9K8bXe81CwiAd*|EX~2eVei(*apT_p#}}1591ac+ z)_RtPG!vO$e9nq*dAT);KV3gflim?qm-6Npvw0^$;HMob@Uwb*v>3~E;r{nXMXb!fZJ~U(q*_ZWYhdXTDpZ{H!3pHU?e(`--GK{ z+c7?Z$vun11mRZ!thT?eZ)IfVCBtU`i0Xf7t2{uUoL@f>APszJQC9G&W+S1Gj|rd+hP+;IuupBpNao4w7#>f_RW=TLXC|tbLthSa zCSqZ6=wNBol=(gbEv82y~6M4WCR*T|z(atjp0*?r|nm`t5$IJ$)4_U<$uzR5-j&%dofQ+PM>|w+GOK(*5$S zl9CefJw#08@{;pTyM8AnZMV{Nn4W{WIqtML+qo1>Y!>vMpfBI|);1=E;k)Z!kbFH{ z4mDT39ROXDHsT^phZX<0XAH~%Z|R*D;HN4dy>--EPHmQ;omp-BVK>l{!ux}Ad;22o z<^;`Zi_ts-)X2HB=1{|_{Qu055kFlA~C&HxfkFkbBe73uYl7vi1 z12BY#YxV^n;^G>vuID2{W(HLTqiRi!S{qcY8tdF!3hO-0Y6jX^d|zMRyUR6&or%H# z-+G54_4*WNG9H2TLgxWOt~{!sJ}bkE17VOnbd)<&Q-5)Bt@`N&fAjtO_n9VlEJzBs z$w}NH8)-xn_nxW<1vla0SkAWhy>NDRc63tGpP9;0K!M_aFvKI!p{nJij*Aa)kF-Kf 
z1SKUULg#<7WUpY2@1lARggx^=6*D|~^oU%@?b~m;)aaOu_Sz-6T!2MfmnLFk=@jsR z$%N)+UBVOf`UX$Aib3XBU#X0NjgH#aM=yKrgYJDjAJu2P8WT)qymA;O_2EPI`)k3Y zBfG7^E}DNo7;hM zhYgDwn_#6+O=oJ*NK)HK)`_^OvQw6se3 zhT?;!Ph}FB&3Z}}ghsAK0H&jsInL(=jG+RzlIaNh@?OS8o@&1J%9Knrr=Pk`KlR%Yvteaxsp*OfbB@T zCsf>vK7&uy#%&UikVtKh<>YJUzfdhi=QJ3ry{R{R1+i^~WY7u-1SuNz;JcsD)N)y` zmU#tYZkUh!5P3=`w^CS2r$kr91Kfk*z@+tfF`365)%)fKtHzJWDC*WczkM!*XZZQO zL`>6~PvoSeOy(2ypm}e-Woe(TwcMo4IBt&RD`Q-<$|)$|(aNWET%D8s9l66by*U%z zysi0S3O_+BGg}gA$>2-Y+k$M>XxZ9dq0P}Y5sZ$qhf`joL0dBwKa)&6DwcC{!Uj3Z z5I{#7)uznA)E#eyssakW7rM?1l!s5nnw>x22PdEHyAlag2IEqg4*Ircd+AeCQc{MK za^jNlSg4euryX`y8*W%gM34kW)$&%qv*5GZwQ|CarB&EyG#7nLysQx4AD?s#WkQ5n zJl^P@u!FV8nw6rZvKYi@XxBTa6n%V)n2a|!H+()XD%vE;^$Hzt0fq%PiCiLLe*Rp< z&tyPtq|N{p4CAH8s_{@7|NC1HXYvI4JQ3!igXW}A0!B9Xey*DRY4gkkUn;Bt8G2S$ z!n>9vD&LeYW=Kkf66wMci2KF)D+)*&cUjtrq=C!&K;J>lqHusiNtihra2>5I*f1G>1QqHB-xcchT zCzx_ZcZhACGze9J}<_8wy?aGvuSaxJ=7?8CbGCF zd%r^0?Qq}kq5g^ooKVJt-Zgn z(YZ9}mIVRK!$D=3 zh6=+8i;9ZMnQBX3orAqU+j*QcuZV8Pv%&|lJ-alTJ-7jZkbk3(^r8jpl*9v$%qvA zMMVLW$y3UyXjU2?95lYd6Gd1t;YL@Jtpj28;!lI7P=Wzln+%6*OA1kZjlaibvn)aj zecemD!m7ZlODe>+1e04=FHRG34~1ye zAeQU=!aTXZVGLOpNaoC4CCLu<#{IZ=CymOp*S6GPDH*$9+RXbdEfi@~4&A+H<>2^! 
zdFkeJYmE$!6Q7>LiZtS_^DRpg0T80%Q{DV+8x z3py%@=ky_cE4dn#QXgdhKs!4ZqodV6ek1?}MQT5VJ0x64Djqm(FdKl)qHR*e0*$%3 z_1$>g#Y%n2?*oZ85#O8@3_ndR-#%5{r;!bvV9|gyXM!&Ed3^ zlWe%WlH$j!?lLt*n#plO^ORQZIXivG`ns`vhENwkwFXj^W!^pVJa^TP_fgSnoeGP-&&*b(E4VlitDAI&I?-EZondgX)_MkUhmM$SDwI*{e4K4?N zeh_86gnaMrSR$HZyjkrZ99-{>$vX4AdL*C8QWtm_wc$Hf{@&BZd@`I9CPbhEA1yWMt&?=gaBafmYza7%sU2- zi(Bw6>Oe=THrsLU@{!@%s*`^|x5?|}X1`N!IUFMYPcQY+=ilw}@;ftgm~)W!4fVB~ zR<0Pbv8@&xgp&$_{^0_d9hT0}L>F2rB#3*sbQ3J~vD)EV;1dtNXDrx&lNx$?!aA)u z2xj^dMdjWO)Fnee^iXjk%bP3<(!n`jMZJ(4K!x<}?8_6K7uOWY0W8lki?RuaA0`4$ z_AW}pU}M#kCpIRRJBM$B&Ve4Jw#eV$!J1)U?ez{0I^|`RY}D(HT@{pFRsCqVP#Rje zxmF+BC^cSKGh|y{-O*eYaIhtwYc?xYPQ;GwTeq9XoEt8Z$%A6{E8ksR8N!23y$v9= zPXS(2MY?~7<#P)$*W?#%eNx=n({rmzP4J=qNP6g0grE$G5z*cE>x&>_ zt=zIup2lyOe7++yU{Yw-+VrLA`7~#LIWu&p4_Q?yfJ2{E$x0w6HlL_jsl8|ghH{<0 zbU;uH1i%i&8XrOLYD92*-u`wHqy z1|vRZ-YGi|14eQ6?wd9;3j+$sfARlaWPvHI`u|OX3mziUVX=P|S-gI&ijOF^_~x(l zuX74s{8Jx;mhN6IETOwaqjEah>8q+w4DFPH?E%y zePfyA!<=aLbS3ad^zLmZ;?gmNl8J}^ z?n*?@{ioaiDN6YdsX&yN{CBS+p60(t0P)d(PD{~S{d!E}Bd91TfoQPaAGc;>8t)61 zd5g&xTgEhX4TdrbbZbY?=R0=Vzf6md z@9K|dOa~zxA+TcS)=xo?(*JRWDuqHMX0wm$f_NU_DKIVh$mI*p`n7-DQ!UbMPAP4@ zO94^p+To$X{oO6SYQZx+p(CXIx!SEZKU6VE$H+@$>U1$4lq8pLkYUFLaVBb~@1ce)ALhUP}KI3tD;uFcDwGwFoI5?}Cf^H$;YDeSsV z1-CoJhW@RrrP0;db~u%2#<1vp8iQ&;a$X>O+Z_A__vq9go49zGStaJurL6iYX*+;f@bK?W! 
zI8`ezCe5|_u=+85#1QKj(RC zy14MjBryF116bGCIG204(3m(qtqy$8eif_PaE8f10<+Wp>_kS*4bucG z*LqF6)ll=?465lcS-P%0RYTKyZTfS&^>P&}*W7V)aAiDS8AJ@HCj+dNj$85|4B&S= zqV|OCA?t%iSk2eP0E6=6>C=5)w+s>Q6i}l1Jt?WTM5mFM!}#GqB5UpN^-f{wC0L;3 zHMP#WpC*em*4V6Xug+zY*xK_8p#`dimzQf%{N7hp$}PEasojZsKHJft7dLBt?|nX% z>gs%cW!08bF1_z}CyU*WyNJO0$E#g%A#1(A6T}m}VFM+Y-QaZm zmlDgXzc9>0kc42p0cX3S55FAf9NwtyH{K8GNom#l$Kk(6e$9PjBwcOkE43@&arT;o zgan(M?{Qncc(q2QDOkFl=JjCYu3-CEZ<;;M)$8n@g9(KC1ITsce0E=enSIR`)$y`-X^xWjN?Diqh65=$iri%JW@*BZ!GRMa2Z+|ViMyWXJL0uA3m+5| zTfj`~d4xmC|(S3`8kX2XK*q8>WUFE~W`-%6x zFQcY+{{Z!PtXPY;g&sahd{?A@9m9w`3M)+bgsslhK>$eVIq^^ zu|tmphOi5K!cH2ozP|pLnD_(m1Aiw9i2yQKF0Ng4z?81Fn%g|$=cR@S>b=eHl_QTM ztTkk&kL^=2M$#B5-O+XrnDG}0`-TFY$Cvcd^`VfZeIn|%b;E@>{G@bXYASI`&o^B` z1pZaPdFKeMBV|BXuWy!ot|KDIcu}^r6t$`?(B8<(VuKsMpr;Q>7jzYgnyUWh}R+CcQX7w_CWWYPhL18_JTpNwpmt=LLqDU9;)*Jc<94Kbob@A$YaCsp2ld(GB-;O6N$7eI>ypi#_A z$)nTLN(IhT$l1X{Y7eDnIF;`WyTTil1W-xr@9%#EgSk8`IcT}I5xF^fpTMHC^SF2O z?Py?D<=* zcK5*zps*Z0YX-g-3Kk8mT*{xXkDg*O*UqopV}5s~A#`kIgpExjAdmt|Jw0cW zl9Hb2oP#xdcDR&TZq!3~`C%Q*Q~YPo{*2|w>_ZcnG&;O57J5MFWZ?@0#sDVWJ+JwL z<_q2KC@O_?0q3Lh<|@L@@Wl6vlP4!@nhb?QlnLa2(wc2+V zt@qBFzR=%t01IPQnhmoYndX~ixCi;%ULkJDDmD4-hR)S(AWZ9gJ|A<~wU1vhwnB5CJV!d9UTlCcmq; znD`8=yPZ$8FDol+ut*k9Do$9}s+0Sz6414lH#WLXhee08qD1<^eCYsY!F{j1hehB^ zOK-&L=dY)H9UCW3j~H;Ns4mp}RH!#P82N{9s zQ#e6T#>fJLgC+gm=C)26>Ig}-Clzd zkL9gQUs_=Lz_3&RW6hveQuIY-ondst6TdzZWh|H=TKXqKOge17D7kVe`o!3JbAmNG zItpyU@pf+J>~%^|VBq!}kjpi50eB6^B7&BCYk@QP9brs&8~r*?4`X)wT2L`SeEr*} zx#6lN6h$e<_f6ra;#*w2D4h7y3dPr(@_G(c!OFyt!ufuKn#I# zclw~TStw~JU4ZX~p=CNt)S4&tmfi8bs!Jvz=KJ?gdq2)JH&w-u!JdknLjSR+F?8nh zdB~u|vQnXtR69p~VCc$#VWa;y7QoH{c_O7z9_w?H~yXS}k{P}2emsRg#!{OzI z>H|=;NrL%79F$w&NF#%iI@wqW9ISLIA|i!+r40G>WmFV$3?&iwoip*;rxXw)6qS0kSj7zmBDyHzmS{M(algTt#|ON3ef9 zM^~b5*Th6`XwE4Gx|q*)yunSq0}kkRpx2#(WbHyog{Ju6=$OTb9N`_DjWv$*lP6c{EF0b^=wP#*@p@Z7Qg?S21Js;}=)SJ&w( z)~)-xsCPPy8H9uew#|_C_mUq#bvam~;aPj zjV{6=AzPXAD?2+KoC?B`5Yx5zsbJ+&T?$(7Q#6SzMk;Rs(zfm7Q5zc@EA3MZ*M$q} 
z_rcgqM<=&inO<#bOR}4T$(&7`t2juJRHE&cw&Cl$tP;>{`}c@)Ku{%@?Kvg5&-?>X zYpMx$kC<%x*CbwNcXQ(fBpoT$yCi30 zmh+CT3Qf}S4!uzj(=5P;y>8kC0f1j5KW1rVzD(b`zGz%;3jKDs{q37il`fvmw7qmC zt56mnCuc0E%0$AY;_nAg-TkVs=e5o(79Jj6hR5nCW5a?w7U3v$5eq1}AQyS!S9<{; z*l&dGRp)Nc)<0cb%mLZyFY(j4N7xUk0Rcxkcxc-NqiF2ybxgh;lBdX5<$Unv6LacQ zP#&>6Y3p={X23P}Q%4KH&r3@vVYtLgG9H_TBJf<_zG;JJN*Lo=DR%qocTMqIJe^-A z@WfB$HPz?LPv!62zc5a65EBq|m9Nne!w)cE=Ae4Q9%hBDP25sqF`*yq4nStLFYd!5 zIsh|3ulBv3c(m900i%&<4-8x2r0zid=Q*jh85$j0YC?1=i;moKy0M6zG?75>9z z#u$rq7e4+n8p6+v)^B|TD$W+ZoNjnx5Tzz6)H`hC0rCB5&;3Q{hTzFMy-j0I{_QD% z>~6oMjB=eEH}8T*Kd(<^`aaOV3Qr~%^tqveATHZGVb`hKGTh()LRfg=4ivex1EG9p z0>`A^RWv##=B<|(3a3ws^XNHZC&0HgI?PPHpF%xRlCz?dfXbQ7 zdw(%7o2YSr4GNsH5Ltasa;21Tg^%g{cBYOw$f zEHS4&4Yyf}@JJnx(Tf$j>3YjylYN;vo|QBB@S4+}1JROfN{1O$ zYZRzU&2{oVXblFM)@b>zj?k5gZ?L`Qeg3}&83*BnSRNFj59uxPqL{WpOe@nH@Ll>% zEAfHVdGp1${OY@@scB4nx;VYU@H;4|Ame)w3gRxHxTSXsGw07gFG%4w2a$aF<#i$> z2iU!I9LKzS9kr#pZkp)Xvny(^c5?$ib-rl+rVYJX0lr3kf8*vxy6XSnYt|rcY#@&F z^F!{Ex8+Ff6WB{2bB1iJ?q7bsb0_~)rbE=i6!X=3yp=3 z!K3v2P+>-Y@rzm>pw8`TS5Gqv90aKJrC<0-;yb{J%k@V>eB$WD47d zbUVF>b#fC%T$&obw;(0|!Fpa^+)qe6jFsW+w-g=5bP3FRrZK044{ z6iE5kldvjGD0b4P6TeRw4R1Hi>i3e67TWPl37>J%-PwLv7 zdK7$Ze|Qu%bG!AT0?G_?Pd3j-V~LH859AhX>~%sS$)|^1)TEJDaE_&qO&5L2br!Q) z_z?7}y4MM9qtCSZJ0VpV#1vYqj2J!clGFqxD;|bhwv4=G593D9kK4he{IdlV#Mt62 z7Osi`>+xw4Ry}-&@1@F2V6S#tHqtrzxNuKqNLyyU-}r6sts_mKG*8$ zA1DJh5D+|s*^Jf8;z|c+w)8M!L)u0U^?S?o9WR)ik_W3)#-6NBR~kNAyhD!5S0^d6 zzyCJOR_|Hn(rp}RqoJUFU4oP*h~JKScu%Aj8*-^khbiX@J3^+U5GKi*84NcVu3Wp& ztH0kLH8#uU+|S81A6xT5;<*zFXgQ4PY_8(v&A}U9tbWx>OiM%qDXwG?}MFlS3-t-_saXa;0ac? 
zTYxM;ZrKC&f`J@ldH>c`^lER<3giUu8eR77Ko+8I10dVpbUA8lpV;TmuMG?gkN^s( zFolo;ybTs72S{~{K@|S=>(|GRAM5M+fHeMVVBpH`uI17sNHDhN>p6q4BGBh*ZMTkA zI_v7{9upEu0K!dP z{;6sl{?y6ul|HWkEPMryV9ALB-VSPQIsx@}1Nl{wfOCQOBA`CWfMGMLl{l%Jf;b02 zK0mKQZqJ(^$(_lNq&9CFF>pYcJUm89D5d83J@s398ZXddH@r1zuL|PTlmnH z0Sp~XJ35WL%-Dh1UQd#|g=!A0Jhnr=G#dTkA7DuCtv^K^HjFu1k#{#EIc zVL2NBp6~vfCu$2J{qHzYp+u{jjQ{ka=@_4KQ3Myd*>q3(vv}6=`WDa8aO#uci^%CM zcQ~AYQRm>5HdolbaDacvAh>41KAaH!7la{ptp>DDxo&{^AQQ?E=fxJvwBX+o`=muR8&;J{kwro^e=#s zpwfy-qv9**{|dKb!-J+%dCw~}EW)FeU@E12rB}h{2u=^c&Pd}0yyS!Hf-?~kf?tZ> zo;?LA6Pi9iRY2vg1WXpt7xPR2W;u~SvKX#DXWwj}=ory3o9%&$P8mlr_MoIy^ zJc?2n$!)i|R=v^`2e3*MYHI4X7U3@d`JawTQXNBhm-wpCQPTvRLjgQLK7;zYI>W;y zg#N1*0BrL7v#>w`aN9K(sPO4B{HcMtgCfp3zfH4Pu_2%Yq54bTX z%4BiUsW*xB%>d8E!V5R?YyLofGtGK-!gEb%*-}`xSP}2BUJh3-R6CiQ}fn)Q#>5 z9pBSbj0JKr>DiH&q*d$I`iR(wwZDlvYA$`O&u30MdNr5Gdgpr3^k2HwpK5zYAY9>e zHMO%}oVWt!22y2EwDNti*)tXh8pg)i!a5uM@fuBT<86Bbinv&)GCWes*!Q0viYF3$Yez z5rE{$la9$^t@O=eAeI3tHH%tj&>3_LXeJbBc|5j@Rtl$pU2u9`+KF8KeR(a?-PLtG zYgx*!--e{?bu13B`cOCtCn%Cg@V@0V8#3+=CxNxy#wv&)*jYF!Hzr5{|Bhz4-@&&? 
z1f24k<12o6g;NTrfSM{cAW=y~kctC=1-4#biy*TY4iyrluEbUN}L51)!Es$HL2NGJ_JFTQwag7qA^$QF8bAcUx1 zm)N!--Tvaor?8qqQW4^S_BU^;H520xevLMbeyGg2;JnSrrB|yK07cfCFmG}NJy8oD zJhT09`n1``up`L~dM+IwOWzb}r$5gJDJkQMRRSGIm85MPRxZv>PId#3KaU>_`A)QG zL7D4R3jBu$wysC%e2#|T=9Gc1TGCQd&%v|I4|Ii&%3+a#rwT&t*0l@hZ?=ZgLn0%81L!#KJf$-a)-cF?f#wE0lhsm7I?y!A ztmk;H&aXv1T`3pEszvN>Qn{pvq!XXbYQBzFg5@xwF;Q38`oEwSH^Ki{rCahXPjy-M zjmn#kpXh%Ph>PQ2KKk|!OXW?%fW?f7z@13LqvR zuK>DZU4Kpc`t>)NM3$MHOkq#3w=T7yy&NpZwH_i@cd+;3b!Z1rZKRx>xPVRax;>w= znyCoXZT4U{8zKh^VOt!%^2ledX9NW0-~)#Ngygw7oEcSG$_hkeghdD3_t_UfHh~W& z0wRTlS|pIXl$4c0sP_X*WYB3RCno@V8jb!E$BnWCUX&ORH-KhMfd*Cec@#xlQN78H z9T2OY;bA~LE}jw)Pc6Fxy7M{5hjW$^O~$gNF5z&% zinXePIKWK$_U$1qg}~R$Oe(N_5ok2e=;-J`0<4@XZ!(-Ai~zEL-pi%if`tbJ#dz>n zJ9NFzRT16~RM!JNPak|s=%@`9TofP(X?1mC!02A_@+Janxw^joRX(@VqS~-reJ`a# zSy|cI;=RmC1~A7!Cup80Oa4(uFT}<+!g33ItAz(3(i#9~XL`d(fHD8&u+hJ_)Jj!3 zGpMHLjRv+3V~UH5I~^{j1AoEparU|TlbUZatFQaccz)L6Sv9a!fS?0XW^q(+HcUy% zYh$GrSs`@N`w|xlQYh=$XRgNx>abZbAs zjLRdD%#Ac+(cuK&b<_P=cm8#ASfShxxY=oZBWk)6kDuuyx&UPB{HL}W@I85X8v+_? 
zf(sM<2KVjn*R}Nbv~rmu>3y+u(0WHRASLkuzz&QgpvgWr$CAK^hPCULncoGj(jEiR zE*ktbk36|kq`SMja57$8KrDf%jPfRoka@b+mI}}Kk0-XBKz+iw<6FOd_3<3Z z=dYQVvVmFOsQ}wOq(HPwp3sR8d}gq>whYWf>c_$As{h99Uq%pY@|*$*E%jt`bF)B) zU)pjqTdIC3iwrT(m7afn@cT*9;`h2bJ`k2ks;Iq*o{Na+;=Bp)_wViP)dw-P1!-IK^Y=-jz9K{{+8@E*=S4Xs zr6=B3XXT8xVB&n9F8euaTgfG^$me~<^^{IN8>sGJzs3ZM0^q}Zj+@v>Gcz-Mf`U-c z?rPd9&?M~!rx2jFkNkLx>K_mQ=+V2w^_ z5c!N7RD+cwku_?-FOBkdZ|{Fm_8#C|{{7!DN@<{>B(otxlvINGnr-YtsCC=LSxJhbw13L*Lz%NZTa0Y-N|tSdo4lWHR>k>_&$cN$ymmQU)^#pe zIF)x5#0#+sV+U%F$-slbiU?164c7NlAs69ud-42v5jMTL5nJNNKu7dVPS%z_rZs7J zM+x3@lvg9oxCmO?c~y*z zS+Cf!*PE6g*)DaQ69>(lrf~wnE`)r>hsn9THy3(CSmZBK{=^EY47mbs+!IF8{ozV- z=gw^|en5EyCk@oeIG#*{r}fxazZfAF0;2kD^B5hU@h%i%W#F)BbzFC2pTt60+0l(F zGXSBy^B~_tucm<==;{OWll6eM6X36p^*cy+y#J+d&eLy2E|jJG?_b}RN}xJPQsetpb17ka%CS-|xw8~f zN*V`GS@;b-e;8**)({c6zH<8)wse}L1fyCPLk~j(13iJz>4k+aSr_tglb$@;36J2( z13NPe2-Y>j;JN|mpWNwh^cTZ~b_0HdqzAOIeY>GR=y7)T!p_c4Jz@N1_CTw$s;aoD zsmYMeprX3ERQF_yEjfDvgSWT0ae5p5!kfI^k4xV&C6$-Ut9{Zu@9ZoxnLA5`0hmEA zt?)23@YOBJN@Z5&$Qv3D;^HpQJlip#>0%J<9Jym))3K;sCv{wod(OA%D6CfsUZ*%T zp@)qPa@QQsD&3PkV`DDu_vERm{R{Y5y!#}g;58Z`bTyYOhO*t;ZAHS1J=0>snzvd3 z0T$f%Oxh~-&%E1}Dh|1k{I?!nZ`uEVryWh!!SZiA+PKXVYtl*EUzfJYmx{~0p7h@3 z@Fd0byf=FtN^ZMr?^mU;41>J=YMNf3X{Aqy1fr-`S-m#LN>dynjo;-F|Kd%KSEi19 zUcoMDGEDkidtR=Ge+p9?_};sTdCrwj2KZ{!Ndw64Rn|jT$>G6S)0;5YbnH4n?4&g3N?OvN>@P6m^`FYKdCr@rl5Vf{HG4jHm}(|3 z*Q{^ii@~zsqS+Y@-ajvQNefx?P%1j;Y>s`j)jhUsmS?wW!Snu|zS3%@+xPiN#AxNq zyW3M;z1>7!SY3Rj+A#f^{F2iqvlZD6$5{MOMCwx)-M&k^rEfxU=2(bV2G3avy)W6Xg}MDm0p$&K-?kge!Gk9~azeB$&}> zrjmH;T}+Q!-KM<9kHb!snAPc*6b#78Q5+h0J3m3CU{hZ&FYa-7>zI#7SpHbq)e^V$ zZ6ZcSzT3AO|BT%#MR_o)X++44{qAI!N3h_29{t6(ro?q)0ku@`EFN*WJT< zRU8%F+&5VYxHf_k8&x$sIH&%srpBwLA0(0VNPVTBvms~hEMjQ0+uxr-F+AuasiQ?< zzpbMoMY}q8S!xQivVUmF2dC5L^DLh}8Q@gip7`x_KU+f4u*)WS~iJ-0Yd|P@H>W}9~p1zM4--?T^OS>Yt^3*ByyBQ~^ zWZ|gOX;SYw&S2rdWPiZ|ZK=L>x5SOZTm00{RxZzqt=6o1@tJWOQDRU@%U^o!IHj)1 zk@@-es)4CS|I_g4ZSN~TcZx1`zYg3PBIZ{pGB2FJ>ftJ}PAMXJL+sOyzV*%b==n*b zoEFQd&iSkr>KLsPu$X09O`9@e5)XT;=8x^Mfyhn 
zxq+%o7y70@-sI%xYP1WRY>Zyb_MOasEf&G1L;raCE(h1a#e>67nFfot_#Nk9?@7og zYZ!}FY21FhqV!5x$YRp)2%qDtVlz&j0wV*R7gWc3`X-e8cW?BCY~-Gmo!OTkDSp3h zM?p!a@lnwe`+{%RmhZ=G@XDOLUmvr!ZRslYH%-;|@3K@a%S=B{HGEwbJ2lErHrBY6 zCFcAAW4_Hk`?tO&2D?ezCjnCPP9Ke6MiS3?Hl%F`*L%C&5X~Qre-Jyet5NGhp@vqg-I~?&Gc)@ud7Yh74F_8 zMvDd;TSuPnZDmm^h7Uh04{B;&dfCTjQ_8b^?=?`N!7;g+)&^52nuMm_FM+|5Jf{OV zjg)4`2TV5q{Is=jFeZRqjZ-+pB$M7xm2aio!*AE$$$o;7-QHzFW>li_+cCG=Y-Y>F znZBYe1%hL7Y&xn`J{1~LdgL>x}8Lt{Ls}f`S;VK7v z_4x}&2LCvH&>6dOy{$D`&dmHMSw~+&LVbdIuLtNNAOr&Q6YB94ut< z856-17FdZdA^o*h7Y91wSG1wFQTMRD6$F7 zUu$ye59WGTu3G+{JaSX1o64r!%~F%&eJ4Ho?r#1dcxPtyOI+M@=aIuw^9QYZODyo9 z=}x(ED>aKhrtA6o`G`P!koEeVtmVCnY?o3^c7*b=t-Dkg^>1)4f zONGZ%;>npO&!g(Be+5^o#$TtWb#UMf zNSaz3A8}k=y;2vq2ao1W`K`k&F<-KC@89T)Z{-?qOIb`AX-}dsSN+3aBuDHJ3YNbn ziyZ2UHh=JHEa@5j@bel|`DV*{;4XIh?l@0v6aTg-<=-=5MFc@Y-RrbZ=5_&Dp$&o*!STFEX#tXa~BPH03a3 zw%l0>5EyB>9$ve2hJ>y{-O!(+Hp zgGHB%Z?jHxmsMsl_g&B84SIW6W8VEm+X;<|f0NE!)bIY{LEqb#_?z#kG3t_p?UTux zQr~w=(RX>_#6`vnX)}uArRAE}9yZ6dMvyq9w3 z6X%+B&IUiBTyl8AoDI~RE>4wV+CPGMPXKpY?A4j9bo$rg;#zM#HCcw+ICC0THCdQX zl6reCw_PAjY+k=Sqwb*0r0BQBzcODiT+8UBXOV8O`$WbO)v39X_JYifc)8e0s^Ml4 z;ZEB#+p)m9-w<3}(Or>kSJPe}6CRm&TwboCBbL=&9>+h9-?RS2@@dS21M`&P(E34< zR&s;e9r;(R6r+i6cs+}ni@dq>{b5n5zazwgrF!x2OaC5x{;gj7{(fW6OB6oDH>BeK z^FmeP719*j6ukd_<8LK}ZzA#H#CAce$^e+`k(W;ADXZ z_XEcr>)DUmsX=)K>k1kgBC^qf)ez`?j_4eW)c9j^`3i3MhUa)i|M`(=ilEN+*RkYC<`d}3FRjVEsypsfUZcfv4;4az-1u*`u#32mqzB$sZ-DK zqx!rdV4{owc|bJ1DcPWEKNW+JZt4Uil_{V*Lem&U?UOBgr3p+nARqtPexl>NhQ>ia z#bO(OW^to~Zba0NAhc181MpVK&~5?&TQ8`d7vfJ>Im$6 z9H(o?o$3<14=CftkeHZ^;Ge{IW|U8?^Ti+EC;ial%wTLnd3)}oux&}CmwF2t-v4-` zpEZlKDy_1zGA!GU5U7ESB`JgsH7>$=yC=@=vkl6Ub#KmY%`sucy&37s69pW%H411i zbZ~$o2(a{~zWzvCdO~#?P(J7RQSw5M^;zaG=AD)O{*u~;P7JY=t*JioSK?*>U?-%1 zC1FzvV>x#00lw3=`4#KxyK`sGkU&~K3~EOVB0xe35A7V`EBKjbJ*WUFYz%kp-+;KM zb;jqS>)tQV%+A)0%~Rda$9WT@>xZeur%!S3-&6R>MsssQC<2do+dx)61MsdpUAZAR zH0BHlr{nUR@2y zRvJzgNKPaCBKE&EoacV&?Je(2getuzQnD5ze?{oKfhBXMw%$l;ZYRGXc!Z1V2|Nw} 
zpyj}QlE^D58Nzq+XIOIM&E;5y!5WK`2k>BYD_*b?B1J;CD{M0)^nDd#ywm#Mc9H;O ztqc>kK^R4tsKZlW8qw^;A+ztto3qfLJjdOfzefN+1dj#`4AN``pt}j`NwRSb@lqSW zX(0y|TbpaZDg8O*mhQ`gw77t?823()p5tEsns&&UIwZtRIU!4%e04I>8q`ZaK zBFccf2()_#5d^}MzjU}W+wO?4a0t}@KXM!_a4Jt&Xxh94>a8WqCa&6f-Z^i@3G7bV z?Pe-J*|Qi!U?vA4=e!a(*`DE_n=1x53)sqAv-U58L2+DCQc^&~&aa6<%?T#Kw4pnF zF71UzS+lkaB~VIS-?tQls-<7i{=a^_*`%$lP4$VAX8VpEgnNeYVL)u{DaYglWQdGr zQKlLiYfM9OUATH}N9xJ_WQzg8zY;KmuC%f6=I0JoMH74=z~ypD&8I!qT?u>;2&XWZ zG^`$=s~bNtC@Cp@f6f0GR-g}xOTe1O+tMEcvF(R_x%JMM)qFxA59llvl1hX@fFC(Q zV6QNyxWX)fg?Xqt)F`7HVD)XKJLtMjB%_#1cbwR|q%pl7a91~->0GDZMoo=pgAf{m9f#}*c=Lx< z5kbLbJz)kcI!}wax3R8f0NEqqGydU;<)1Ve?wqzSW(gA;1TBU4w#!G#6&4WXYu8>? z&peTxwBDo~U3X*sb7|i0mxjtr%J!A}P72+B`>bAHTy>$?V1&bmbObbfNlFS zy4{OQOJh5tXjoWT2fqZb8j1#mRvStz5A03n`SI_;Y+Q_#=+v{x@%N`z7MtGeFR{YT zlQ*}A@*rOnw9RLx8JA=4H`c>6L?>v@0DqVfVUrrEAJnkaOACn`IL7XIe=9XigGiuZ zIdn*h(jDd-85p}rfLy*+PtwNz&uiAkhh40Rqt`@Ob{R6jr!p&oG>4tIFP zXY!(Y8R<+vdh>B_sPOa+>`mTZdP4@Pcyt&Z43z}66ZsqKE-7n}XbQMKRoj0^z$P2Ld4<-y>QpC9Rya%X(o;x`Ow_U~_7+Z&`A z7%cJpC1ChM)AY93;o;$gYIS=l>_*OHB#l&~tPIsgxO>Vxs~l-_kFHQ0Vjw?+HS>Ff zc>Aa0iz_z970VUa2$81ey?vj#DI*Fq*dP3n{yjfG*Py(Yp8j@l2Ckm(PRlda3qc)o z0^st1Rfh;!9fnCK7Op6P29R{Vsi`(0Qf(it9UL;YWg{;U2}B2@W&Nb1>nx}HWH9Mu zu%N)Y_y$HE0HuKG!EuHOSxNuCsmmL3iN^aMq#v$v-2K0_0RQ0qcFOx#zgAQ{!V-X8 z=7Y98tPau5V~jy(G5iHWtHi$u5@qF0>?~k9FcIkm?j(n}qbT&DrShL2SCaSZ_G#eg zgkJy1HR$yvf7isn%kfs)z_S~Ik^~t^&mK^kg)ZuV=RT$s_Wr4&Ac*O=Z{Irh+}%oY zE#=lWQHP0vuiiUs$6KCb<436wBId+P63nAB6dSC4n2YPX-qr=&jKJ2_eS#-U1{vqye^$D&luqPHH>$lBbJ$M$f#Ap@zBaquOIIj96*X>1fmE z$lX*`Y4pE6(VOlo-N__&z!RS{UGyx(9Cv4ASGB|oAlUALvv1Bn+dgd4CWa;ol{ukU?XZA za+4#xYFHhsQHB2)u}w2=g8Y%fXAtKJu|HGAL}4PpU!K7M&L4}w9y+>5Y6-0P0wvn~ z+o;4S8r{Znc^pCioZxHLZo6Idfyt7bgG}O#=L~Jiz#vDwiaw2vg73|m@2Z!hzp)49 zcJR)kZj_@FvW%L6f`S9LO|?M>w`CCJ%IL7i+L%ryJS~B5-yV*|eo%?Qu}?s;FaQl~%Ds1j07_ehdu^E;Xw-=Y#rShl^7|O6u-gcHb1e;w=WSAdm7!I`(Zt z{`Cd?rjS$m4^qrKMPw+fR@b1?s02}IsdFcx;?`x*h;LtAe7Cxu$t>xvNvw5^wOG>> zF#omkF`iDf?u^E97ppDmtNnKD 
zoQKvIu1%Rs#)B1$B&?zEyKQ05Z%>))A5w@QxxD9E5YthiBS$vD&jl?H)E(d8V#C2N z6>ilz=e%O7@k{PyGxZK$L7M}cyIGy{h@(a4^^nNOq#B)-%>z&@HmG045j~O?31OfL zCmx%D{v||%u-+2`RSwA8K-hePJfe%||2#K38_cil#Mnr=<^J5@ZXiS@Zs(cU zZ0Vhxo%ih8#UhH^f0i{pMVg|we68i?5vdWgMkw> z+)`~3&oA+ldoBEULkR8Kw(G5}f6@ek!1A`|PrwZD`Pbtl2BoU3Q9}G;l}gwwDal9 z!DfPCleI5b)z$*bln6l2L87x$wS_xe^rTT28TQG)!2+h~DW}{|pV~3ptIszxQZ~E3 zU@hapaKA#e+@G`HY(f)0fReVG8`lkib+6Ra)64wjc z*23?bAJn#G#yXj+XIXrcv>V4~rLZ!}OfXe&dqQNr>t5NBHQBtT`T=nrEB7IEn*PKT7jEt`2*ej;B^>wz24(=A{k5SXB5vtB0-g?=yNPLu*paZ9pB2NGTh6HT^u<<{7Co*gX&hnZ z^_cKkT3tQ0+_~7AZp2Kjwqu|&@K&gScD5^BscG!{_YZmUHNXA}-jKO;iDfc(Q9|<5 z<0Ef%BCV?$(R=1w?y09QU-B_|ByOb~Yc8&>rS(*o^E-OvNWeQqX{TIuYLd&BuN>#% zP#s1_*-@SXA@+6SA~u}6y=(W^43B5cx}LnvjgUgk9fx(JEYm=>m1mY zZaP!+J?moVsnCkOWx`zj=t%_ z*>)r6=C|HoYQAvf8a;j7Pj+pKg%0CmN)d1KQ<9oKXna(QU|#3S&kv-Vy2Y%-8i8=U zcD*c*KgWYSWF(XWIY`sY8hodMs$0_x60)C?uC3PRUcUlcUz7ex*A`vV&FXP-8QfwW z+50|^2?m917(VUvt7MsA@T2FywUk^$^Xek*&I6ucuJmp4J1!o3KuymD)r2%f4|n46 zkJswL-zlD5HfX1MB5T3qSlF$1A|xkAbnnLOeqwZ?pqleYp+37s!mfDGW4_t}Wvg<` zyI9goIX|oC;}W$vy{EWdD)}GTPR1Zk{cIOTDk{7A?-hcHl&rF*Fc=RA4=~by~tPhB8!O<12iN z6;)Nk39J{KGVO!_vSpY_>gY_^o3&5Pzla?e9=@WgTC%ilvSstPr(El!^wzU8LM!d3 zzWhn?^J(|$w#+kN%#qZ=%3z4lx}vp>%}7U{pq8^(5!{rof{{%HLHNOx0KEll*FmrjOebVBG#$ z^vXN8GZ~lNZpy8#vVJPC8o; zkQm9RaR0eVj^$8C*(9!C#ogb9caYh-npf0U#SOtK$iCQ+>2DJ^>;h{ ze%hQSHL2j;sPt@9$-2O#X_;y((rG4c?-8?8x+7jv3u?>KKsiAWh)7>Ofc3g*5h-D*RbT+&h2ns+GC*;KH~}Hf2Q7ZSoL8suhR*#Z z&^4ShAWPQ8`57AuHHl`fJ5TQJlI*tp_U|amvC$q4wG=v<^$3g5EMjp20R}AdD=xg&Gqv?`nn|YO~VKv?PrP_ znwktm2u>9}%u-jB#bxf?NmN_`dWAgxn?$%5j=MlJh!8cG;J#~CnB z%YagvT%m9dlk|wdsXr8HTgWhr6Zq@_n+benz0}Q@f|iztBLQq|A(8WEGJxpln~cz=DX6tLj~;bz)4+#L1dGVh(Np&VnWUW)`ML0KdNwu zPEQ+t2O>?1OeBn+rBk7tDk7^y1Yu((;cmov7EcutP@M8^DyTJ zqxzNCStnnAua$UyG zxpmw2?PR{8>-zfoV2TWI14jRxKYyM`l0({Cs%{Zkjy1clG*sjWgC`*vPY`8OfVonD z^rIRI;lI5fLQ*101xISqWLPY^TxS)5Ss7(~2Ml=1yhDhv{s4+^&9Y%5*-FiH6z$hQ zW!(d*(?0J{xqW*dhP;3YtKtHyLi03s;pFYa&mlq&2XKF z(_I;118P8oY%nf7+5_7j|Lu^I%i`a~=kRIYJ?NU}i|2AMAU6k=wU 
zaqD0#LV=G|Rtm(j37B^fc`y|f+x{BDNWo7%3kxHlpXK${$)@E^WMl_U-P{aI8bKo4 zS1IH6*VZbpG3?*}4Kimb4CL%Pa(`Cl-va{GdgGB)@QGtN^XvWrnvfvO&z*`t5 zHoafT2@X?qGWUqwtiZF-tzJt;b`u>T#MpWE3_6!6U@`&?)J$RzF<+4wi%6d5fU*Em zwIDeP%M3y70wE%SMd1Ks+K6HLa{U2LoLJ4GvESm*(;oOn+Izczo201SXi3SVz00sT z9uT&Uaklw6U%6fWLeO>RHP#|CQ&SF%)6um5VjJ!ZksGU-(vZoS^JzhXVv_a0k__6} zA3B@}FczY5ph6-=dA;;~SSyzhpookT8|efS6|a&4~8VimK~yJYp*{=PX`RQv+55Kn_9f5t9TUGmvPkT>lTC{|N}h4{l*K5#m)K z!be(D+29g2g3aT5xG1eB{7W}W{y5@-m8Xh;Xm0!_>(}`MQ$rENNY#`@j6#@|< zLeKym9hzP4t7dq6=e&r!o3`#bc+gaR9m8@LBcmd8{ScHBE=eGpDxYu4T53H88Iar;3grW&BNkDfd^m(a9_iAhOT_FH-+d8r6Lcb$Ha7jZsUX~^5UN8)IC`^fN4^3%B^Z%EOMTp=K$sBf z4!pP&(gbk(EaKwf@RfzY!`hLY3!@q=PoJ^eA)EabufcXOLSUc{Vsyeo0euZ&vrDt+ zjzGQ=ufv39PL!$&4dUOvW42GjI)>m-AdSMBwUNgyl$5A24sK!JL%}@@#)8-*>Wo!q zg|eNZY;`$^JMQ8JBO6us>e5on6H?p=CD4+9m* zo1fWUy7mI~30!ug+dxJsViN{uN}$s>KNE^7)1QeIc+|_|skNET^BmZyvHCv5_7BLB z#4{s95T7MI>q5F1D_avm#_ZW64F;A33I%Bu8bXx z;pr0G2bLCEpMFbmk9WBue+htiNiqyn1ah|@^Y0L2Dak|3(Hb>1g!0fMYTbAXh5d@fP+=|nREx+#Hf`*j@=mS8f=&z zw_pX#1)~n+{xW_kD1a?Ag146m<>qBp;hLNElQ>;C{syd7^Fi7eF-a&9G^p4oRyDGN zXnZZGt`(fh|GsvD7$+WC`HyRLW{%i?Ouvm7Do4P$bae4w*efU#r8{&c9E#5axrY1iV=};{ZY5-8J{l9k! 
z(uRh|0D~ASbT%ciZ~vD|&>FMp??Em>D>df`K-<7TZ>*(?&J`(DXypNK9w5d0U{K*J zx<27-9-GVR(9NTh-_h$wE&cE&t02kzc9UN<64p)Qu3Ta4)&!rIcPKu0{!iVE zNVdv932fxCCIbi07jGg!k|PztUPyN#@@j^;R%@Mfhm^VDwPS}$*2diLe10A^$Na9& z82PN_Ixf%bMCOY~r74!{c1xGbjD^c{`e^?>t^KzcHBbxkR~+H~``lK^{r6nBYa>l` zVPe&5$95~W#PRGH%Xdo^A)D#mlx{kh-Pl;4=_~uRi`jOtavu>B0gYKx*$cErMb0M0 z_U%ycY}J>^|1T|ovi*x)4)2Y8N>ka}xWRuvL-Xr%f>wJc3z!+FO<4 zm6X#&!PZqy>++pTc=PeBC(;%;iQ@Mi zS-n$E(fLi>&h5idru;oI-rvbyWzZLL-5p`3kOy^m0VKIdxRTq&c+5^vy#rvt7{r}v z&X8R>G_ea9VB+|lTn4dIHPB!L2MJT1 z#Z}Ky>Mgw^y;6F;ll)Ou^nFen_ghsdDGIy0gWosHCXoJGzwZ;W-pc?vZ%xgX{og~q z>wZe#>vnV*FO5bo`^YN-sLZlAZ?%0&2){B)w(jS z8#ClOaCIS|?dY=UcHg(U_fnNxddti)(p9Y$>TW1D+ICoBmH=^hoEf zmlN4BQ4TA46!cohWy(Hbkv&#Fd3Q9nO8tP?9J%|oR3dQ` zJ+`h-uYG90`~`H~JEcgcW~N`L+9BJvZdguGjhB{{eXz3JdHnSFjO+4z2A1vxi_WJX zu9Cs5+oi}HM^D^^B)e@?pOnBykN}mvXECTiGTs_YRJTQ6YhTT*`@o5MPv?ud`ta|j zRM9Q>nIL5xR${#KE^umLrZ1X2@}%iS8f;$-l2(_)f1D|Ta+zsh$Dvq*P% z4L_hd2I$#Tcct=`V3Q{w{tbLOc|3-=i`DiS>EHl-KI&y6&75^ z=}M)$)3?mmxO#3Vx%z;Y-dmTX95RNbS2~(BPn-ITq1yfkCMJ8xt!%7p>|_#}w0GEl zPkh{77@Fk&r2^sI{zXx8aSffx--=bb6E`d-^NT}2Fr9qr5g^cMn<{l{dkT4JN^rUC zb@E%$@>Xxkskd@K5U}0%(k%{-6xAObQR9B&eivH}Z2fInm)BGdiq>B~^Xx0~6jqOB z^>^4Po7ZOyKOL}>Xel@jkU&SL+qHIbYz#i|ulyg696!D-Rrq+>)uOEQ>G?E$h;Z4j zr<@B~$YI!hUe{AnHu_ZA>PxrvoyeA<;dq%^9sTw#;Fiykw>f8Ye4jk|THIN^-gfh| zu9Cu6-ILE=gk97Q-h|4S|L)$J(Q5B=|}%)1Zt)IKUuPU%@~74BktTzWH7ay-KTzxY8*rsGZho6}Qs zJpt6+#ogWhi1MBObKwXq;5b<*(D2CKU!fKiQ_&hwi{G#m?_v~vT3*f$7-dPnlmlMs z&#iYFUEXtBy=$ux2e-_ zH-X#p$zs@Dv=A;z_hWJ!e|CAnfr}2m+lsR(L*Fy2D&I|u@~-DyAIWgzJ-EJ2=E(kt zp=jgTeu(jB3;FrpNS4m)dd-Ww(Uaq@EMwyMN zF-T4ePCjKUJ8Q>W*wAo)vCAo-K2{;csM}p4@_@o)L&c?qgpsu0je*`auqx;eo8Q#$ zUs^89Ldu}?0#ms@WBcx&$w>V?x?w{Ez-oLMDd~|~o1U9Xj-(zM9;?EWy1r7jT|=_| zUd5XR5+Mf(hR3Cq@2WlOKUGKHX`5lgs+alc%l!O2&chF@BO{VF*ZbNqj z615Gf?MQSyR`ZGlYSw+~R754}qUqhXidA>5ZCx^{#WhckXhG-YsHrsK9Sl_{{0tEwwm+a;RC#`;X=BG_IhJ!4@3HrdopG&K~ zZVnED*_#)SaZB9&aFt`YB{EdNyxhTNsLtaO#WC8wO$j6B^oKXT@JOt_BA4WTcVk$| 
z^vS*b3d|hlJ?CO5+4P+~-q#uTINl_ol#tkV2D-cH83pQa0hXp0`8z!W>K-*Vz7(sn z_!)DGoBJ3FHZVZBffT~gg+j;Uv=2t4)vu}DJ_c)F=BV+J#)o;{ zy^HxoV36WQps4lXt}qt#_y!liOpnAJO?Gv`vGF+$%(iz07iOb-<1 zUyNMlCkf5CGq`rjLQB1UWp&jCZWdRcdO#b!k;iq7G_O6+T5L2-ziF$`{V58~AzP-@ z5403e+cCWlG@>_>xOynb-qog2UYl`VAofCFj8>?eP2*>&HJ1EWVu2;+PXBI`@C^uP zxSElmcb{c7eluQIiguMwxmR3%TC|kR*6t)FIxP%Uzy8%OWxnHV#6kIjF7)82KRcSR z;Zh;-QQhC%c5+4N(Idm$ydAA&9t$HrXI4fOjvueME@4C0Kr&Rl?Ay|k$yH?-xwR+2 zzpI)4kaakX{0?Jwv#WLGz6B>rj;`5UVCUgc=1@y~rmy{YADMVVFllDeW%6$x3*H!@biyE6a5ZNEmFt1=lc=&#ydM^flgGr?r&L$wbUgE&z`frrlz34 zyV$K0vO?XQ%A+$=SxV6=EFxI-!mwiAHTjqyeTvoWex!(0`sjD-{m!NwZ_5h?804!n zteEt8ALlomTcG8RgAU56h8`#aoE!uW?>{>`Z?I8xRyFChd)+hiR0C^Db3*fg=Qd`K zLUa{fvi(Zi_~GjPU~R`^%>p$RqG;9xSo8@1gkop=JKYaVuO>`YJ0M>5_u}^u@%|6L zdj{ugT@W~dP_09F`d(h=G*5p7z%A8HW!-LRORcgRoSAC#^ioJsX{p!a$H!|^Y;LHX z8&J#n_$fc>YW!xiKQ^5a9o-*eA`jJn0bt0i;lz%MMH7hPQ_IXgy zmNT=4ibAeS?ED|p2k*A=BlSCKDzMmaS!MD~c9?|C16~7#*)zXiqum9m$HttFx@lX? zA+&(Q`)uP;RtAx-{44mh`7g^9$j)$<7{=+<%g1M!PM#3GVS1%9yL7*c?pyA3Sk#d6_qnm2PF2l^$JsQ?K!t1KncLfxiB|*FKvn zKFyXrCwuwRcwR35=)Nbio7j{iYo;XzeG(q;pccCnfK8E%g+t^u2#k?-1bYtb&;HGA ztFYnyE>ZIIYpbX6O+oJE5-8wPO zVp4mj%ksXV@8SLxt&jlwIa#04$+mZT;$NnGYbenIy&g1zx*p1D@by1(S3YHYh8gYB z%c&)~hn@@gTOp;oXJVqpDAM)W6e_-@L!tSgY z;-(hKEP*<}*TAlsnJn%oD<_8;&kFz5ah11TZe2Th@}{_s=(s%I?{8mN)=m$P-nabK z{j$-!Q(G@CYNOLm%4S&1#DtS|BFw_B<1+}~DKj~3bY*^>Lp9!&IqA{GILAT1JxJZUVw*CU$nvP{5guq0t7YhlCj?g11 zbzuJ~AxCqTysb@^tZ5>fxIGi94MklNIKGS}`gQwXTb|9Wc5jcvPB{GR%Ln7{v+7}Z zvd>jisCYywx%)r-L?^c$h;yd$(BN4WehyRslURFx*L8DLbpqg5^{cSFcjU+%ZF`0oPG=8k zx68ATJ}lrZF>sC`d3E;|3%Ps_Zwm?M1_Mn-k(uj-_ZqB}jT}yH;#araKcsV)#_~WA zAQS7gkHh0q!?Ke+ubY>31);E<q?M}Xy=(^e|R^#JyC13Npp<*aZlL-f9%|ASexQ?D; z?E6T2p6^$5ijld(@72L8V#{;*MWBk}zb0Y-`et4FaO`gjG4FpJ#n`Xz#V>#OP&%IY zoBid7ZSc1sJn>&sZiS|Q&B-qPO|9J?iz~qY@HWK%d0*!L*I(>!_-(mX?XrEmJRB)q zl)Edgf{|$=!faz#qK_P2iMx94oH-L?KJCBP5r6MC!mG>%YyH~fnT z&+Eg?#x?xFbYZB{&a}Ks^hrU=7755Sh*~$Hi_;*VfBykZy7m1J@Y2f=I+nO-#9ny;YiCv?O_6Q3$*PR9-4_-yfk_8-A%yh!7@ 
zmSYb@^v-AH3-a=o*M`sfP<=+{Ce2MI_%#UD$}+dX(0;F(HDi|%0vMT7Es@CXp^EcZ zkYV>oymtQ9EgF*N&sF|>zR4Qtw)+F4(%(nOU{d#%9NO#}UUQ(>Vsk&v0x{i0Kn8%% z!we#T*sZUxTC5_DnwbrzH{|IPxb$hb4j>Gkuyli_A_gK~q}e=zeQX-7g7o>`ZP2~H zk@3mR8FnpeE{oLGSHd>OP^zc-UrcZ}oqW>t?&lfm$L=55bGlaCiXe z0THts3k{s9@bZnr<44>jcu-QT`egx*KYIMQ7`aTiJVqTI9RjHYdTwQJ4}6{&p6Ky) z0S+^EmA9Lbbq_M5ZHz40ZMcSO-fg0E_jPTH?yM_5(=z5ZqsRB{UiOD4@*Z$iQi4_{ z99{&gO!%pd0Rp3zBd>R%Cn#o&^xw09L#E+-n<3&kL8#iGiJn+<7Tny#MZjHuOs*y3{bN2AzO}?HkfM` z9&jHp{g;rtMl``#6^?C%sQWbGqNHYy&=&{vt_yPqJTEQ1hZev>wz#MvnvUomXHl>w zfaJVVbVP49OVrG=4q~eQ&g42J1@pk>Gr*>Wp_>pFG77r~GsEltukYX@K|E{-S3eGa zGk3-k6lt-z?S7u4_WZC6@!*I!LL%PN`ON9fn>Q2F2jPQ-xahwY;-Ep8uoovfN4g6n zyFE7Yik*%rM|{`!7neox!ssR70gjA`_=AvPn~RH6Q{~nZ!=V=W=K)v}pgYta)i(4t z0agmqvP)^#xX@h#U0YH&Pma@S<0Bhg-yfy)j>%B&lYrJa8gzP`FeS1AVWb2VMEqKx zS@`a}@z8(}-HX)u$y9(*wuh0?%)<>80o2*nFF#|bf^ke*4W8v?=FNa)6e*z)s1UKC zAY?atB7XP83BR9LGLw}PUF^e_s$Rib&9)WSfb8giev5GITDG;W% z0--86Aixfu!XgC$M^cU=82VDEh_0m>?*<{<`0+-wyRT=pq0IpWQf)_pbBo9K9WUHT z6+tgQDaEh3?PHDSjvllVs_9DfMMSjLqQ}%>Yona2-PCl8lqZb4WiURmE`rWySa`91 z1Ei%4$e-V|r{Ey(9USzoxK+sug_88s;<4rbE&O$zc9~b9%N?Dcz%X#mxsZ_syQ*zlbb5eY=35NkWBiM)Bl#(D3&^TsY$Jq z2LS)%#^0rh!m5ju-wt=juG(52ITmtrp=aih24Q1(4h;n%rNMavi|kQWR&Ut2v=@1# zAC>=B^g;j1qdK^FM`&p*R-ADFg=N^8q zaxGcnrT=5=|4#+5ZX*(>dTv1Snbqp?-Mi%`zO~=tz;^%3|LMbDk!s$T^N0%cuywoF z<$1!E{;(s@_D#UQO5$H4{=Z;+qPiI1W@QcR4q7jYIo@!6ssAR_JRVnm+6??UrOmXw zLK)nEmVgl%XC5*YrL9nV9#Fi!6(QyQ#34X5E$ z^Kx6IPSI~>LS?Y5+p*+frv;`=^XbFfUTbdcY_BH6Y8!|TzTdDYs9mZ(W^J>s~ewey! 
z?kfX#kV=SbLw_LQN`;GjkktCty-MdfjB1lDx_|vqLf~-kbBQj~^gZ;nK1u${`CrBs z2RTjZa<`!~#?e1t$$j^o*j`wxcfq(V=9GB0-IkuhyJr)%Q=iH)o4g5^+Ww@qySlWs z;*qv^_TVc4qY1KluKg<#b!RDKQGZ>wBtGuc4q5_x!|9tG&!1r}l0o|7MJ_FuIRgUd za7tsf$X{dHO117CKs2RlaxxpR#H}$|kr&OjcYhL|V~=J-73I5m>NEA+Ff^jO4i=-q z1swAI`3n0|5=Ap+UZFnBvKUlU)*kxOb?(l38vB!A zZP)#%eD-h5&?`#{lX(6XwXaWgQD1e%P#oxaQ$V8-TiB9r#PjCLJAJ-`P_)mD?7I`W zP#xxUaoKtcHr0bo36~RO?f73|Xvi1sIg~J3seJtYPXi^RZ6u-;AwolTNs<+n zWR<gPiC2D8?;QY|-rbM46xqClR-}A`pRt(0H-Ve$!jdKa__hqen^|N>2dzxTQ8JICdmCNb) zf32*nluC(75rpTz!G9N({2SIf7SXqY&-5!UmxPLte%0_bvMW4#_-MVeOWa1-yjcOq;SlWL2d)Zy~{TP&ksi zK)RT1K_8G|aSxFwq^p;tAEr!@E@di?X1C&);!gAePn%TxMkA8Td(C8Pbd1OH<5#nq zgxp!~R52DE6#Eti5}o{-3rU4i*3k47Xwb-AGgW2yb>w?e z-qPr&R1M}i`{d;P8nVF$v!E|e81pa3NH2al2~IYCrwpx?kg{l`7KrV8CTXh^|C}HW zQj4oG-i9A*PRLRovL$YU ze(8V9J!4K0NLenJZp<(Y&GpB)d{RfpE!k(Z!Mat6IL|tBGbx?9KitOJ&7^kDLJDzp z7xMc}ly_{I8B!-b)KI^eXRz%JyLs|XSvSjlARBEOxtpaH`;SF~j*+Mvo)O7v=L;Amf2?8?)PN(c77(oBj-Q9DNdtonYq z@iEk4KT=O>;1g?Y;OK;eMC-th+znTc-FTs1IMJ&ALYP}|Yh`-E^&dZln$w*{OONVv zaNHcM>&-OIubCcKdEN0gT+f{b9&5#v=(b_azWZC{^xb9-Zt&1i%B+a0Wu{!V8Echs zVSLr4Xy!nzL()Vw@CD_)T#m2azMU%g26UCrJycRj+$%y4=%V^^C)%I1;xT))Fupi3 z|CrL$pB?e?mzi5mu6^tN!Am7z=o_sXtv5Nu;_S7>snDdgwAXIdgQ?AT^jY`5ie6?W z=8ZPW#&dI7erq>-&heeliSJ+U$)Z55?)jeY7P`Nj_jI3)aoQBr5{51_2!9w7j2YrS z9imZJ$bZUvgd$M+qfntTe=eV`%xLm{;fJW?guFySL2T#_mfBfwerFq9;kEo}JX@+med{ls%c{T?=0(w|7(eXd27bH$L1v&OFWT zZNEN_h0s+!mA%D`$OSaZaql0D(U*dcVn$#5JNpNuQP@8S@byhyS!_=iiY(XCJ9X+5 zawgKKN3yb#LLhLs>*rTK>yn(A$IHu$4Z2>9u=ATztHb>-wNc|7qJRCgva&HG7&8r6 zEhE9aXI*l5NB(bMoN03){_IcU!uFNUmR3oj$|pBX)A|AfPE26#!ZfO* ztBa)x(F_5MeD3<`a1 zQIJec$4tmM5o$xn;W5XF8F6hVbY4XBGmwS%`}d*%f3g^z3B*hkcOpXQ^5Wb$^h%I= z$)X$ty^uMR72HkHkgl2LfB)8xfH4ptUn(R3Rzrvy%#GXa!LM}hjG;e zxatXV(DC9MT@Tnl(rzJv1|R?yv3G`z0Iwh(sX2t0*b_njkIIwV7pu1JlPS*tID3EX(YKMuyeF+H(BHJ3U8c`iPJqb%Q zRPDBiuflf-#245u;tUu`06aiem3y1H@A~@wgswUP_)GJRwSfT_!d;9}4*{Bq(Do3u zk|m*n0nlffi3)?r_;6!b5z;q8P>(mFY?C5d0wKaPfs=l#z@=b>q=-Q6=QETYG+$I) 
Date: Tue, 2 May 2017 13:37:58 -0500 Subject: [PATCH 0107/1208] Update docs --- docs/clients-zh.md | 24 ++++++++++++++++++++++-- docs/clients.md | 24 ++++++++++++++++++++++-- 2 files changed, 44 insertions(+), 4 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 20d07aa2e8..4de4b6f92b 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -186,6 +186,7 @@ VPN_PASSWORD='your_vpn_password' ``` 配置 strongSwan: + ```bash cat > /etc/ipsec.conf < /etc/xl2tpd/xl2tpd.conf < /var/run/xl2tpd/l2tp-control ``` @@ -295,6 +301,7 @@ echo "c myvpn" > /var/run/xl2tpd/l2tp-control 运行 `ifconfig` 并且检查输出。现在你应该看到一个新的网络接口 `ppp0`。 检查你现有的默认路由: + ```bash ip route ``` 
@@ -302,21 +309,25 @@ ip route 在输出中查找以下行: `default via X.X.X.X ...`。记下这个网关 IP,并且在下面的两个命令中使用。 从新的默认路由中排除你的 VPN 服务器 IP (替换为你自己的值): + ```bash route add YOUR_VPN_SERVER_IP gw X.X.X.X ``` 如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP,以避免 SSH 会话被断开 (替换为你自己的公有 IP,可在 这里 查看): + ```bash route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X ``` 添加一个新的默认路由,并且开始通过 VPN 服务器发送数据: + ```bash route add default dev ppp0 ``` 至此 VPN 连接已成功完成。检查 VPN 是否正常工作: + ```bash wget -qO- http://ipv4.icanhazip.com; echo ``` @@ -325,11 +336,13 @@ wget -qO- http://ipv4.icanhazip.com; echo 要停止通过 VPN 服务器发送数据: + ```bash route del default dev ppp0 ``` 要断开连接: + ```bash # Ubuntu & Debian echo "d myvpn" > /var/run/xl2tpd/l2tp-control @@ -383,13 +396,14 @@ strongswan down myvpn 1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 1. **注:** 最新版本的 VPN 脚本已经包含这些更改。 - 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...`,然后在它下面添加一行 `sha2-truncbug=yes`,开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) + 1. (适用于 Android 7.1.2 及以上版本)编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `ike=` 和 `phase2alg=` 两行的末尾添加 `,aes256-sha2_512` 字样。保存修改并运行 `service ipsec restart`。(参见) + 1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `phase2alg=...` 并在它下面紧接着添加一行 `sha2-truncbug=yes`,开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) ![Android VPN workaround](images/vpn-profile-Android.png) ### 其它错误 -更多的相关信息请参见以下链接: +如果你遇到其它错误,请参见以下链接: * https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues * https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ @@ -397,7 +411,10 @@ strongswan down myvpn ### 额外的步骤 +请尝试下面这些额外的故障排除步骤: + 首先,重启 VPN 服务器上的相关服务: + ```bash service ipsec restart service xl2tpd restart @@ -408,6 +425,7 @@ service xl2tpd restart 然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。 检查 Libreswan (IPsec) 日志是否有错误: + ```bash # Ubuntu & Debian grep pluto /var/log/auth.log 
@@ -416,12 +434,14 @@ grep pluto /var/log/secure ``` 查看 IPsec VPN 服务器状态: + ```bash ipsec status ipsec verify ``` 显示当前已建立的 VPN 连接: + ```bash ipsec whack --trafficstatus ``` diff --git a/docs/clients.md b/docs/clients.md index ff2f74d010..4b0ae33bd3 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -186,6 +186,7 @@ VPN_PASSWORD='your_vpn_password' ``` Configure strongSwan: + ```bash cat > /etc/ipsec.conf < /etc/xl2tpd/xl2tpd.conf < /var/run/xl2tpd/l2tp-control ``` @@ -295,6 +301,7 @@ echo "c myvpn" > /var/run/xl2tpd/l2tp-control Run `ifconfig` and check the output. You should now see a new interface `ppp0`. Check your existing default route: + ```bash ip route ``` @@ -302,21 +309,25 @@ ip route Find this line in the output: `default via X.X.X.X ...`. Write down this gateway IP for use in the two commands below. Exclude your VPN server's IP from the new default route (replace with actual value): + ```bash route add YOUR_VPN_SERVER_IP gw X.X.X.X ``` If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with your actual public IP from here): + ```bash route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X ``` Add a new default route to start routing traffic via the VPN server: + ```bash route add default dev ppp0 ``` The VPN connection is now complete. Verify that your traffic is being routed properly: + ```bash wget -qO- http://ipv4.icanhazip.com; echo ``` @@ -324,11 +335,13 @@ wget -qO- http://ipv4.icanhazip.com; echo The above command should return `Your VPN Server IP`. To stop routing traffic via the VPN server: + ```bash route del default dev ppp0 ``` To disconnect: + ```bash # Ubuntu & Debian echo "d myvpn" > /var/run/xl2tpd/l2tp-control 
@@ -382,13 +395,14 @@ If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat): 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. 1. **Note:** The latest versions of VPN scripts already include these changes. - Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...`, and add a new line `sha2-truncbug=yes` immediately below it, indented with two spaces. Save the file and run `service ipsec restart`. (Ref) + 1. (For Android 7.1.2 and above) Edit `/etc/ipsec.conf` on the VPN server. Append `,aes256-sha2_512` to the end of both `ike=` and `phase2alg=` lines. Save the file and run `service ipsec restart`. (Ref) + 1. Edit `/etc/ipsec.conf` on the VPN server. Find `phase2alg=...` and add a new line `sha2-truncbug=yes` immediately below it, indented with two spaces. Save the file and run `service ipsec restart`. (Ref) ![Android VPN workaround](images/vpn-profile-Android.png) ### Other errors -For additional information, refer to the links below: +If you encounter other errors, refer to the links below: * https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues * https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ @@ -396,7 +410,10 @@ For additional information, refer to the links below: ### Additional steps +Please try these additional troubleshooting steps: + First, restart services on the VPN server: + ```bash service ipsec restart service xl2tpd restart 
@@ -407,6 +424,7 @@ If using Docker, run `docker restart ipsec-vpn-server`. Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly. Check the Libreswan (IPsec) log for errors: + ```bash # Ubuntu & Debian grep pluto /var/log/auth.log @@ -415,12 +433,14 @@ grep pluto /var/log/secure ``` Check status of the IPsec VPN server: + ```bash ipsec status ipsec verify ``` Show current established VPN connections: + ```bash ipsec whack --trafficstatus ``` From 7aeae4c8b81cf96f61b56516dff62476de3ab2cd Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 5 May 2017 10:37:45 -0500 Subject: [PATCH 0108/1208] Update docs --- README-zh.md | 2 +- README.md | 2 +- docs/clients-zh.md | 6 +++--- docs/clients.md | 6 +++--- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/README-zh.md b/README-zh.md index 1b304b02ec..307db3f33d 100644 --- a/README-zh.md +++ b/README-zh.md @@ -139,7 +139,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh **Windows 用户** 在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。 -同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。另外,你的服务器必须运行 [Libreswan 3.19](#升级libreswan) 或更新版本。 +同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。另外,你的服务器必须运行 [Libreswan 3.19](#升级libreswan) 或以上版本。 对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 diff --git a/README.md b/README.md index 441841ec25..83dadcc145 100644 --- a/README.md +++ b/README.md 
@@ -139,7 +139,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: For **Windows users**, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. Also, your server must run [Libreswan 3.19](#upgrade-libreswan) or newer versions. +The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. Also, your server must be running [Libreswan 3.19](#upgrade-libreswan) or above. For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 4de4b6f92b..2aa7dfc78f 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -395,9 +395,9 @@ strongswan down myvpn 如果你无法使用 Android 6 (Marshmallow) 或者 7 (Nougat) 连接: 1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 -1. **注:** 最新版本的 VPN 脚本已经包含这些更改。 - 1. (适用于 Android 7.1.2 及以上版本)编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `ike=` 和 `phase2alg=` 两行的末尾添加 `,aes256-sha2_512` 字样。保存修改并运行 `service ipsec restart`。(参见) - 1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `phase2alg=...` 并在它下面紧接着添加一行 `sha2-truncbug=yes`,开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) +1. **注:** 最新版本的 VPN 脚本已经包含这个更改。 + (适用于 Android 7.1.2 及以上版本) 编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `ike=` 和 `phase2alg=` 两行的末尾添加 `,aes256-sha2_512` 字样。保存修改并运行 `service ipsec restart`。(参见) +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`,开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) ![Android VPN workaround](images/vpn-profile-Android.png) 
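Review bot: step 3 of the Android 6 and 7 list in docs/clients-zh.md now tells readers to replace `sha2-truncbug=yes` with `sha2-truncbug=no`, which reverses the previous revision's step of adding `sha2-truncbug=yes` below `phase2alg=...`, and neither the text nor the commit message ("Update docs") says why. State which Android versions need which value, so that readers who applied the earlier instruction know whether to undo it. The note that the latest scripts already include "this change" is now attached to step 2 only; say explicitly which value the current scripts ship for `sha2-truncbug`.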
diff --git a/docs/clients.md b/docs/clients.md index 4b0ae33bd3..be7091ceee 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -394,9 +394,9 @@ To fix this error, please follow these steps: If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat): 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. -1. **Note:** The latest versions of VPN scripts already include these changes. - 1. (For Android 7.1.2 and above) Edit `/etc/ipsec.conf` on the VPN server. Append `,aes256-sha2_512` to the end of both `ike=` and `phase2alg=` lines. Save the file and run `service ipsec restart`. (Ref) - 1. Edit `/etc/ipsec.conf` on the VPN server. Find `phase2alg=...` and add a new line `sha2-truncbug=yes` immediately below it, indented with two spaces. Save the file and run `service ipsec restart`. (Ref) +1. **Note:** The latest version of VPN scripts already includes this change. + (For Android 7.1.2 and newer) Edit `/etc/ipsec.conf` on the VPN server. Append `,aes256-sha2_512` to the end of both `ike=` and `phase2alg=` lines. Save the file and run `service ipsec restart`. (Ref) +1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`, indented with two spaces. Save the file and run `service ipsec restart`. (Ref) ![Android VPN workaround](images/vpn-profile-Android.png) From d437f7044d55b4dde583b8baf7af02f9e01009b9 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 16 May 2017 16:05:25 -0500 Subject: [PATCH 0109/1208] Update docs - Add troubleshooting notes for Chromebook users - Closes #147 --- docs/clients-zh.md | 5 +++++ docs/clients.md | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 2aa7dfc78f..4363d8ef70 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -21,6 +21,7 @@ * [Windows 错误 809](#windows-错误-809) * [Windows 错误 628](#windows-错误-628) * [Android 6 and 7](#android-6-and-7) + * [Chromebook](#chromebook) * [其它错误](#其它错误) * [额外的步骤](#额外的步骤) @@ -401,6 +402,10 @@ strongswan down myvpn ![Android VPN workaround](images/vpn-profile-Android.png) +### Chromebook + +Chromebook 用户: 如果你无法连接,请尝试 这个解决方案。或者你也可以尝试编辑 VPN 服务器上的 `/etc/ipsec.conf`,找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。 + ### 其它错误 如果你遇到其它错误,请参见以下链接: diff --git a/docs/clients.md b/docs/clients.md index be7091ceee..89601917fc 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -21,6 +21,7 @@ An alternative this workaround. Alternatively, edit `/etc/ipsec.conf` on the VPN server, find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. + ### Other errors If you encounter other errors, refer to the links below: From d711e2aee6e608449d90b196515f731b994d398d Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 17 May 2017 17:24:19 -0500 Subject: [PATCH 0110/1208] Improve network interfaces - Try to auto detect server's default network interface - Display a warning if the default interface is wlan* --- vpnsetup.sh | 32 ++++++++++++++++++++++++-------- vpnsetup_centos.sh | 32 ++++++++++++++++++++++++-------- 2 files changed, 48 insertions(+), 16 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index c95b7d7d18..51a74356fb 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -68,20 +68,36 @@ if [ "$(id -u)" != 0 ]; then fi NET_IFACE=${VPN_NET_IFACE:-'eth0'} +DEF_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" -if_state=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null) -if [ -z "$if_state" ] || [ "$if_state" = "down" ] || [ "$NET_IFACE" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n\n" "$NET_IFACE" >&2 -cat 1>&2 <<'EOF' +if_state1=$(cat "/sys/class/net/$DEF_IFACE/operstate" 2>/dev/null) +if [ -z "$VPN_NET_IFACE" ] && [ -n "$if_state1" ] && [ "$if_state1" != "down" ]; then + case "$DEF_IFACE" in + wlan*) + printf "Error: Default network interface '%s' detected.\n\n" "$DEF_IFACE" >&2 +cat 1>&2 </dev/null) +if [ -z "$if_state2" ] || [ "$if_state2" = "down" ] || [ "$NET_IFACE" = "lo" ]; then + printf "Error: Network interface '%s' is not available.\n\n" "$NET_IFACE" >&2 + if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 </dev/null) -if [ -z "$if_state" ] || [ "$if_state" = "down" ] || [ "$NET_IFACE" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n\n" "$NET_IFACE" >&2 -cat 1>&2 <<'EOF' +if_state1=$(cat "/sys/class/net/$DEF_IFACE/operstate" 2>/dev/null) +if [ -z "$VPN_NET_IFACE" ] && [ -n "$if_state1" ] && [ "$if_state1" != "down" ]; then + case "$DEF_IFACE" in + wlan*) + printf "Error: Default network interface '%s' detected.\n\n" "$DEF_IFACE" >&2 +cat 1>&2 </dev/null) +if [ -z "$if_state2" ] || [ "$if_state2" = "down" ] || [ "$NET_IFACE" = "lo" ]; then + printf "Error: Network interface '%s' is not available.\n\n" "$NET_IFACE" >&2 + if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 < Date: Wed, 17 May 2017 17:44:19 -0500 Subject: [PATCH 0111/1208] Improve tests --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 49a8473ce9..5133fce918 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,7 @@ language: bash sudo: required +dist: trusty addons: apt: From 8fb4bf7897c32652608e09bd8bc461c620809ea0 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Mon, 22 May 2017 11:46:28 -0500 Subject: [PATCH 0112/1208] Minor clean up --- extras/vpnupgrade.sh | 10 ++++------ extras/vpnupgrade_centos.sh | 6 +++--- vpnsetup.sh | 25 +++++++++++++------------ vpnsetup_centos.sh | 21 ++++++++++++--------- 4 files changed, 32 insertions(+), 30 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 8f97409a1c..37337b5242 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -24,10 +24,8 @@ os_type="$(lsb_release -si 2>/dev/null)" if [ -z "$os_type" ]; then [ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")" [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")" - [ "$os_type" = "debian" ] && os_type=Debian - [ "$os_type" = "ubuntu" ] && os_type=Ubuntu fi -if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ] && [ "$os_type" != "Raspbian" ]; then +if ! printf %s "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then exiterr "This script only supports Ubuntu/Debian." fi @@ -43,11 +41,11 @@ if [ -z "$swan_ver" ]; then exiterr "Libreswan version 'swan_ver' not specified." fi -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan"; then +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then +if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then echo "You already have Libreswan version $swan_ver installed! " echo "If you continue, the same version will be re-installed." echo 
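Review bot: in the two version checks of extras/vpnupgrade.sh, `grep -qF "$swan_ver"` is still a substring match against the `ipsec --version` output, so a `swan_ver` of `3.2` would be reported as already installed on a host running `3.20`, and the post-build verification further down could pass for the wrong version in the same way. Dropping `-s` is harmless because grep reads from the pipe here, but consider adding `-w` (`grep -qFw "$swan_ver"`) so only a whole version token matches.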
@@ -156,7 +154,7 @@ make -s programs && make -s install # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." /bin/rm -rf "/opt/src/libreswan-$swan_ver" -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then exiterr "Libreswan $swan_ver failed to build." fi diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 3986942526..5f33485c02 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -36,11 +36,11 @@ if [ -z "$swan_ver" ]; then exiterr "Libreswan version 'swan_ver' not specified." fi -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan"; then +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then +if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then echo "You already have Libreswan version $swan_ver installed! " echo "If you continue, the same version will be re-installed." echo @@ -145,7 +145,7 @@ make -s programs && make -s install # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." /bin/rm -rf "/opt/src/libreswan-$swan_ver" -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then exiterr "Libreswan $swan_ver failed to build." fi diff --git a/vpnsetup.sh b/vpnsetup.sh index 51a74356fb..71996d6b59 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -50,10 +50,8 @@ os_type="$(lsb_release -si 2>/dev/null)" if [ -z "$os_type" ]; then [ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")" [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")" - [ "$os_type" = "debian" ] && os_type=Debian - [ "$os_type" = "ubuntu" ] && os_type=Ubuntu fi -if [ "$os_type" != "Ubuntu" ] && [ "$os_type" != "Debian" ] && [ "$os_type" != "Raspbian" ]; then +if ! printf %s "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then exiterr "This script only supports Ubuntu/Debian." fi @@ -72,19 +70,22 @@ DEF_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" if_state1=$(cat "/sys/class/net/$DEF_IFACE/operstate" 2>/dev/null) if [ -z "$VPN_NET_IFACE" ] && [ -n "$if_state1" ] && [ "$if_state1" != "down" ]; then - case "$DEF_IFACE" in - wlan*) - printf "Error: Default network interface '%s' detected.\n\n" "$DEF_IFACE" >&2 + if ! grep -qs raspbian /etc/os-release; then + case "$DEF_IFACE" in + wlan*) cat 1>&2 </dev/null | grep -qs -F "$swan_ver"; then +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then exiterr "Libreswan $swan_ver failed to build." fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index d5f410f72d..86516ad6e1 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -65,19 +65,22 @@ DEF_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" if_state1=$(cat "/sys/class/net/$DEF_IFACE/operstate" 2>/dev/null) if [ -z "$VPN_NET_IFACE" ] && [ -n "$if_state1" ] && [ "$if_state1" != "down" ]; then - case "$DEF_IFACE" in - wlan*) - printf "Error: Default network interface '%s' detected.\n\n" "$DEF_IFACE" >&2 + if ! grep -qs raspbian /etc/os-release; then + case "$DEF_IFACE" in + wlan*) cat 1>&2 </dev/null | grep -qs -F "$swan_ver"; then +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then exiterr "Libreswan $swan_ver failed to build." fi From f403dbeaf78eb6a64a13a2f0a14390c1e08e9875 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Sun, 28 May 2017 21:47:17 -0500 Subject: [PATCH 0113/1208] Improve tests --- .travis.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.travis.yml b/.travis.yml index 5133fce918..e03cca1d21 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,6 @@ language: bash sudo: required -dist: trusty addons: apt: @@ -21,8 +20,7 @@ script: - sudo netstat -anpu | grep pluto - sudo netstat -anpu | grep xl2tpd - sudo grep 'vpn_psk' /etc/ipsec.secrets - - sudo grep 'vpn_user' /etc/ppp/chap-secrets - - sudo grep 'vpn_pass' /etc/ppp/chap-secrets + - sudo grep '"vpn_user" l2tpd "vpn_pass"' /etc/ppp/chap-secrets - sudo grep 'vpn_user' /etc/ipsec.d/passwd - sudo sh vpnsetup.sh - sleep 10 @@ -36,8 +34,7 @@ script: - sudo netstat -anpu | grep pluto - sudo netstat -anpu | grep xl2tpd - sudo grep 'vpn_psk' /etc/ipsec.secrets - - sudo grep 'vpn_user' /etc/ppp/chap-secrets - - sudo grep 'vpn_pass' /etc/ppp/chap-secrets + - sudo grep '"vpn_user" l2tpd "vpn_pass"' /etc/ppp/chap-secrets - sudo grep 'vpn_user' /etc/ipsec.d/passwd notifications: From 654ddcdfa42adde12d438c33f83b15cf4698c1c3 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 30 May 2017 15:01:26 -0500 Subject: [PATCH 0114/1208] Update docs --- README-zh.md | 4 ++-- README.md | 6 +++--- docs/clients-zh.md | 6 +++++- docs/clients.md | 6 +++++- docs/manage-users-zh.md | 18 +++++++++--------- docs/manage-users.md | 16 ++++++++-------- 6 files changed, 32 insertions(+), 24 deletions(-) diff --git a/README-zh.md b/README-zh.md index 307db3f33d..e8b58f7baf 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -68,7 +68,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行另一个脚本。 OpenVZ VPS 不受支持,用户可以尝试使用 Shadowsocks 或者 OpenVPN。 -这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayerRackspace。 +这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, OVHRackspaceDeploy to Azure Install on DigitalOcean Deploy to Linode @@ -141,7 +141,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。另外,你的服务器必须运行 [Libreswan 3.19](#升级libreswan) 或以上版本。 -对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 +对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 diff --git a/README.md b/README.md index 83dadcc145..a212fd74d3 100644 --- a/README.md +++ b/README.md @@ -68,7 +68,7 @@ Please see this workaround. OpenVZ VPS is NOT supported, users could instead try OpenVPN. -This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer and Rackspace. +This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, OVH and Rackspace. Deploy to Azure Install on DigitalOcean Deploy to Linode 
@@ -139,9 +139,9 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: For **Windows users**, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. Also, your server must be running [Libreswan 3.19](#upgrade-libreswan) or above. +The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. Also, your server must run [Libreswan 3.19](#upgrade-libreswan) or a newer version. -For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. +For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 4363d8ef70..be2d84fc2a 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -154,13 +154,15 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +如果在连接过程中遇到错误,请参见 故障排除。 + ## Windows Phone Windows Phone 8.1 及以上版本用户可以尝试按照 这个教程 的步骤操作。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ## Linux -注: 以下步骤是在 [Peter Sanford 的工作](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c) 基础上修改。这些命令必须在你的 VPN 客户端上使用 `root` 账户运行。 +以下步骤是基于 [Peter Sanford 的工作](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c)。这些命令必须在你的 VPN 客户端上使用 `root` 账户运行。 要配置 VPN 客户端,首先安装以下软件包: @@ -269,6 +271,8 @@ chmod 600 /etc/ppp/options.l2tpd.client 至此 VPN 客户端配置已完成。按照下面的步骤进行连接。 +**注:** 当你每次尝试连接到 VPN 时,必须重复下面的所有步骤。 + 创建 xl2tpd 控制文件: ```bash 
diff --git a/docs/clients.md b/docs/clients.md index 89601917fc..657ed2e7a4 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -154,13 +154,15 @@ Once connected, you will see a VPN icon in the status bar. You can verify that y Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +If you get an error when trying to connect, see Troubleshooting. + ## Windows Phone Users with Windows Phone 8.1 and above, try this tutorial. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Linux -Note: Instructions below are adapted from [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c). Commands must be run as `root` on your VPN client. +Instructions below are based on [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c). Commands must be run as `root` on your VPN client. To set up the VPN client, first install the following packages: @@ -269,6 +271,8 @@ chmod 600 /etc/ppp/options.l2tpd.client The VPN client setup is now complete. Follow the steps below to connect. +**Note:** You must repeat all steps below every time you try to connect to the VPN. + Create xl2tpd control file: ```bash diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 6a19db099d..1cb139fdba 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md 
@@ -4,17 +4,17 @@ 在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,修改或者删除用户,请阅读本文档。 -首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets`。如果要更换一个新的 PSK,可以编辑此文件。 +首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets` 中。如果要更换一个新的 PSK,可以编辑此文件。所有的 VPN 用户将共享同一个 IPsec PSK。 ```bash -%any %any : PSK "" +%any %any : PSK "your_ipsec_pre_shared_key" ``` 对于 `IPsec/L2TP`,VPN 用户账户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下: ```bash -"" l2tpd "" * -"" l2tpd "" * +"your_vpn_username_1" l2tpd "your_vpn_password_1" * +"your_vpn_username_2" l2tpd "your_vpn_password_2" * ... ... ``` @@ -23,19 +23,19 @@ 对于 `IPsec/XAuth ("Cisco IPsec")`, VPN 用户账户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下: ```bash -::xauth-psk -::xauth-psk +your_vpn_username_1:your_vpn_password_1_hashed:xauth-psk +your_vpn_username_2:your_vpn_password_2_hashed:xauth-psk ... ... ``` 这个文件中的密码以 salted and hashed 的形式保存。该步骤可以借助比如 `openssl` 工具来完成: ```bash -# 以下命令的输出为 -openssl passwd -1 "" +# 以下命令的输出为 your_vpn_password_1_hashed +openssl passwd -1 'your_vpn_password_1' ``` -在完成后,需要重启服务: +在完成后重启服务: ```bash service ipsec restart diff --git a/docs/manage-users.md b/docs/manage-users.md index 787a78987f..cfd7bf4519 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md @@ -4,17 +4,17 @@ By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this document. -First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. +First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. All VPN users will share the same IPsec PSK. ```bash -%any %any : PSK "" +%any %any : PSK "your_ipsec_pre_shared_key" ``` For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format of this file is: ```bash -"" l2tpd "" * -"" l2tpd "" * +"your_vpn_username_1" l2tpd "your_vpn_password_1" * +"your_vpn_username_2" l2tpd "your_vpn_password_2" * ... ... ``` 
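Review bot: the sentence added to the first paragraph of docs/manage-users.md, "All VPN users will share the same IPsec PSK.", stops short of the consequence: editing `/etc/ipsec.secrets` invalidates the key on every configured device at once. Add a line saying that after changing the PSK each client must be updated with the new value, and keep the same wording in the manage-users-zh.md counterpart.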
@@ -23,16 +23,16 @@ You can add more users, use one line for each user. DO NOT use these characters For `IPsec/XAuth ("Cisco IPsec")`, VPN users are specified in `/etc/ipsec.d/passwd`. The format of this file is: ```bash -::xauth-psk -::xauth-psk +your_vpn_username_1:your_vpn_password_1_hashed:xauth-psk +your_vpn_username_2:your_vpn_password_2_hashed:xauth-psk ... ... ``` Passwords in this file are salted and hashed. This step can be done using e.g. the `openssl` utility: ```bash -# The output will be -openssl passwd -1 "" +# The output will be your_vpn_password_1_hashed +openssl passwd -1 'your_vpn_password_1' ``` When finished, restart services: From 0316b0f755a6103d31b932fd738d709356ccde19 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 31 May 2017 14:13:54 -0500 Subject: [PATCH 0115/1208] Fix Azure template - Switch to version 2 of the Azure Custom Script Extension - Use default VM size "Basic_A0" for deployments (configurable) - Clean up install.sh, and other minor improvements --- azure/README-zh.md | 5 ++-- azure/README.md | 7 +++-- azure/azuredeploy.json | 37 +++++++++++++------------ azure/custom_deployment_screenshot.png | Bin 24430 -> 28674 bytes azure/install.sh | 12 ++------ 5 files changed, 29 insertions(+), 32 deletions(-) diff --git a/azure/README-zh.md b/azure/README-zh.md index a1cf55f374..03b83d09bd 100644 --- a/azure/README-zh.md +++ b/azure/README-zh.md @@ -8,9 +8,9 @@ - Username for VPN and SSH (用户名) - Password for VPN and SSH (密码) - - IPsec Pre-Shared Key (IPsec 预共享密钥) + - IPsec Pre-Shared Key for VPN (IPsec 预共享密钥) - Operating System Image (操作系统镜像,Debian 8 或 Ubuntu 16.04 LTS) - - Virtual Machine Size (虚拟机大小,默认值: Standard_A0) + - Virtual Machine Size (虚拟机大小,默认值: Basic_A0) 请单击以下按钮开始: @@ -20,6 +20,7 @@ ## 作者 +版权所有 (C) 2017 Lin Song 版权所有 (C) 2016 [Daniel Falkner](https://github.com/derdanu) ## 屏幕截图 diff --git a/azure/README.md b/azure/README.md index 697f219100..ed63b5a8d7 100644 --- a/azure/README.md +++ b/azure/README.md 
@@ -8,9 +8,9 @@ Customizable with the following options: - Username for VPN and SSH - Password for VPN and SSH - - IPsec Pre-Shared Key + - IPsec Pre-Shared Key for VPN - Operating System Image (Debian 8 or Ubuntu 16.04 LTS) - - Virtual Machine Size (Default: Standard_A0) + - Virtual Machine Size (Default: Basic_A0) Press this button to start: @@ -18,8 +18,9 @@ Press this button to start: Deploy to Azure -## Author +## Authors +Copyright (C) 2017 Lin Song Copyright (C) 2016 [Daniel Falkner](https://github.com/derdanu) ## Screenshot diff --git a/azure/azuredeploy.json b/azure/azuredeploy.json index 9e08549116..b330df6f18 100644 --- a/azure/azuredeploy.json +++ b/azure/azuredeploy.json @@ -6,36 +6,41 @@ "type": "string", "minLength": 1, "metadata": { - "description": "User name for SSH and VPN" + "description": "Username for VPN and SSH" } }, "password": { "type": "securestring", "metadata": { - "description": "User password for SSH and VPN" + "description": "Password for VPN and SSH" } }, "preSharedKey": { "type": "securestring", "metadata": { - "description": "Pre-Shared Key for VPN" + "description": "IPsec Pre-Shared Key for VPN" } }, "image": { "type": "string", "allowedValues": [ - "ubuntu", - "debian" + "ubuntu1604", + "debian8" ], - "defaultValue": "debian", + "defaultValue": "debian8", "metadata": { - "description": "OS to use. Debian or Ubuntu" + "description": "OS to use. Debian 8 or Ubuntu 16.04 LTS" } }, "VMSize": { "type": "string", - "defaultValue": "Standard_A0", + "defaultValue": "Basic_A0", "allowedValues": [ + "Basic_A0", + "Basic_A1", + "Basic_A2", + "Basic_A3", + "Basic_A4", "Standard_A0", "Standard_A1", "Standard_A2", @@ -44,11 +49,6 @@ "Standard_A5", "Standard_A6", "Standard_A7", - "Basic_A0", - "Basic_A1", - "Basic_A2", - "Basic_A3", - "Basic_A4", "Standard_D1", "Standard_D2", "Standard_D3", 
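Review bot: `password` and `preSharedKey` in the `@@ -6,36 +6,41 @@` hunk of azure/azuredeploy.json carry no `minLength`, while `username` directly above them has `"minLength": 1`, so the template puts no lower bound on the length of either secret. The reworded description confirms that one password serves both VPN and SSH logins, which makes its strength matter more; suggest adding a `minLength` to both `securestring` parameters. Separately, renaming the allowed `image` values from `ubuntu`/`debian` to `ubuntu1604`/`debian8` breaks any saved parameter file that still passes the old values, and the commit message does not mention it.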
@@ -71,13 +71,13 @@ "vhdStorageType": "Standard_LRS", "vnetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]", "SubnetRef": "[concat(variables('vnetId'), '/subnets/', variables('subnetName'))]", - "ubuntu": { + "ubuntu1604": { "publisher": "Canonical", "offer": "UbuntuServer", "sku": "16.04-LTS", "version": "latest" }, - "debian": { + "debian8": { "publisher": "credativ", "offer": "Debian", "sku": "8", @@ -210,9 +210,10 @@ "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]" ], "properties": { - "publisher": "Microsoft.OSTCExtensions", - "type": "CustomScriptForLinux", - "typeHandlerVersion": "1.3", + "publisher": "Microsoft.Azure.Extensions", + "type": "CustomScript", + "typeHandlerVersion": "2.0", + "autoUpgradeMinorVersion": true, "settings": { "fileUris": [ "[variables('installScriptURL')]" ], "commandToExecute": "[variables('installCommand')]" 
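Review bot: In the `@@ -210,9 +210,10 @@` hunk, `commandToExecute` stays under `settings` after the switch to `Microsoft.Azure.Extensions` `CustomScript` 2.0, and `settings` is the unencrypted part of the extension configuration. The definition of `installCommand` is outside this hunk, but if it passes the `password` or `preSharedKey` parameters to the install script, `commandToExecute` should move to `protectedSettings`, which version 2.0 of the extension accepts, so those values are not kept in clear text with the extension settings.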
diff --git a/azure/custom_deployment_screenshot.png b/azure/custom_deployment_screenshot.png index beb5911e8eb2152de3a6386dfd6cdab6ed4e3dbb..70d62f247eab04a909ca7204a22c8c92b4493420 100644 GIT binary patch
zXj9VuD7_)@hAZ$1bV@y307Fo!J=Ttb6o_IwN)<$mD#uA)1 z(p(5^jZk6|X^@ZFGAoeN289~B`wMJCf>cBgM_!1(eM&X>=;H0Y;)+iJv}gmRPJU8H zQ72+Qtvo8bn#*>XOSaix${}~bnkpboq5Y^5#2+tTJ6uSeaf%wL?F5~XlhpxxApUZ^ zMDU_?f>>N)MGZ}=;wiyK0PH6Z3Q59K6ciL0f1HLBfXdGDt_mE9%N_@%4vek<9(3Lb zk{O|DkdU&CiLboj^N?G{KD#^13F$QNfraDyNo)hjeQ*Tc$h5tI$w-mDF%e?51}{?M z`r!gmXDOBQUw=$vN3`aeuXLlGKgt5?)~?-ZS!oWLrA7cZ_F{{)KT|Hj4tufG0&-Sha(u>L&4_w;KW$ko*r zEB#3$Ha>rtlr=sRg4GCj{uMg>JBRlF`F{DJ1IYWtnSadaw()tma~ASCDM8z;?vW@y z^y1k2adO>Sw|tU4Cx;hy7+<-r74`QL zmZ+4}fcbCOM!GV@z8$l;fCSq4P~^h`CIwMkDhx|v7V?t`miZqVDo^t4)Y_ZYccInd-{ zRq?bM^+)Oe=V`43%dIT&_w=f9C@RMoHoIm%lk`2=56S}hR4gtO)DS#(Vz?a=MVRfz zww}lSjt94CZv&z?6fI7m(_O2N=;-N>|;-Dx?v8;C3{I7T(>;ZKRTTHu&2gDafsX#R7P`P-q+SMo})szOfoetwvdcEud(~;eEt%KFS&oSD4RU(7S z8lta;m;3i?F#W5BBu+;axG|_^@7<-Ix_PI*CeOWv#YMAcGGMZWT-H=gtE_41D?-R? zq{6iq!5+SWTX4z4$IB|u{-!9a+*YEhn3$P?`yB7)=CT~*WP$}t0AMeJdHZPj@`ql4 zP8|nMiO}Ev<5%6bVfBiQBRCfN@p6((HZ)od%Q~K<`yT2Fpi|vZp0JC(j0u1JI(uIr zC76kTpTTjsmAO0Yp}$O)We;al&a?5}tOM^}-Nk=;Oj_*`rMFfXcS#wtt-l#7RS1Kpw{IKZ@3c}SB|_N8t6JY zTAtO^-5qVdb|rL1YyK|+CT%$okD`38hgP(ze%@WOSzvu;*Hw*RNX3(HXWWn zP!_(zu6L4ZXR1u;xE}mz`Vlo*oxaMWCClggL3M(^dc(u6YeJV2E9O{}zI@3QmNxxM z0LCf4fFVy&#+bG;^gvO=WF5bdUNeDjh^ogV+Q?WmT3C(13$%2HBUe21Gyz zO9-0^1hA1ELnd+`@rfPo7RL%Wyin^8J z-gE9b&-=X3yMVMp$maW>`yCNUtzsY=ASNazBGS^{o`xj68KC~;sd$rj<^ht;a>l9G zqNFMb-8V#s(AldKjTibXp5cq_YoMJgIuYPwH{@d}37)aQC zEjPaMsF(y6?jP`zo8q)B4#?dI7Uj9d$Et+)yeSm2QW1lzIinjg{4S)$JXR@7ET|K74;(rvA6~Yin6qS!$Qw zkmsUSM?n9FD&|JPpu{~0MB8zXU$ZrQGb`#;)aXG$!@*8XXG5spquEDgScH}uLrR0a zjI%P!*y?_fCBD|?c+Y@9QDu{@-g=0Ph_6%E%+SCG4*Bh`Abe_u#mWQKdW*J&f&y4r z+L-U<=H?cb&;p;h2w*|5Z>QI{%lSu6UM!LFop2~fMy<#6M0(vY7c;eWW|vh?Ywk0n zn0;{BD>*MoljFDAC@Ym;4d9SB8r-fJ{UH{ICT`dRN62dMB7wH=vqJSF&d)FJ@Adi- z7Qq6f?JplV;f%n9`Js3k^AtNpuhF&Kj8nAq``Q%@?K8&}a?q5Q!p50EzL7?=9pg6T zkM~vzOsb5D2}Xr>^xTt5FXQ8zv4Bb{5a${|Dp-m29)H`DPaZuvD>K+NpT#&T_$%OG zJqot*Y&Zn%t0S23-2ZLlZgSD8hvdomzr&d~6yFMc&Ynkg2_M z@!zclS5Y$M$|8NR;vH!X#(V!uFQ#mhB2?<#itN}PwAu`Dqh2%`v|BZ0c4D0qX6v~v 
zq>dQ?xKb2aU8KMCW7;mwwTkC41Wqj)WWeEJ7R@AoAKouB5-*PD;*hoYDd?42sb7LO z-Mxo#Z*wT9+yv5@iO9>nt>uF;4!>Wb^+=lLG@mjG#kn#GY@`QNVZR`Tkx)~wA6J#( z`u+r*ht!8%Dn)R_kc+uL7j2l1U; zY2loGAgRgRzfxg}(_80Vh3R^h_o66cjan;=xTm4S>=K(ux|+4qB9q zrvXKAxmsFUF!3-9LFrP8CT5#hvk#{0SuyNfT6$dG%s%CK-&(%#RL+qdO4(c&dV~B0 zHL4)p*C~Nan6E0SI|T7=uJqnIeE2X0TPcS?7}|mNs_@#FtFEpF_sPgov?`!4U){nQ zi!u;NGjB{I;&-TCb-83RIVk2u0z(;`+1Sk?gw2+6RL63Mqac7Sj7N*Tv$L2treYXd z^ziAAdlFx+4|S!n@}C~spqpg|@M-ESQPOL_whLC~FM+xVUk0Jk^+&xeaW6!XPPbLI z-2E8ez034=m=or@c0c=9&Q3PPpin5du9~b0D7Z^aO$EJ<3<=H#`=0l~x~DkxND*N82s~^m7Zh1fpBCijoZ7q5hP6xedc{dt=&Jb1|JXIM z4&6i(kwgShH|0zciBxVNlr!f!p-SDkm2sK#96+gN0hM~Rl9h~WAo;$k)6QqZoSq&- z660#_*7(Q$)n-7t;!;s9i#09o{hQO2755swhg>A^Ok24~gEY#j@H2?zPbt8+N1;es zX}o98B7x`a+$f{l9Wp`t2F-v-OF2m5bTuuiV~)b4b0&4PXas`Rsr^)-i9w_tV8Gdd1OZd_vMlD=sq6sAHm-o=IYAIki&}k^*h|x3b zWQ0JeI7v$wL*j&j$MZ%7&yWgR2ZDC-gEtmF!8?b#vpz?3Aen_({1!R7dyyW=({B@G z7B=mn_Dkoh3_iYNY)9+_MR=Hxku9M7e!W=g#3>&Ri98nkQE+{;|3?n+`Q^cUAr|N?Qav1JWQQvz^;K-f;T0qf|RXCqG|Fr*PeGl}9lwy2uz1NDmKT$dCblL&mUV5ugmfS5uaKW&n+& zgzPi7sxF>8XN<*;%q7*z$DVgAf|(rF8zj^;`J=9t<=+?ld9#xdXpCoMvRSs1Z>8fr z=vUFm7e)P!9WdpU%P(6#m}Nm#!J%H|uUlM`P4j?X^xYmCpo0{uZ_FQi?Ot~lU@=dg z<*-k%dSGZi{G1XSqJ}H9!5j*18k8i=1KOj46j3x#GO znct#ABXV^l1U{vR#VdLDihG`(3^NKWDLz!N$^=T!&50YIXwhCshR;~uC#2o{lBfPd zIU9|U)Uxlp^W4^Rn&dBUa#HAKgV<#uIW|a~q=bY7K+sMk0)dc_(2d*S(zmWyLDR3^ zLBf~9Q(Kgr{WReB9JVf)-WX!}X`Eu*CPPG(A3~Ew{Wsat^ng>FGdW-un!d`{Fy?YL zP{=Zd=Ye>miz)$n1t9kIn<&)Ky{;g`&qh1C9oE&nuab}F;Y5(mQ0={@Yf6Z}LbQAS6Z1`yUFmc>3;eHL zb6Fm#6l%+t(9)lhY)gE4Kd<8wXSv#fO4r-Gic0$MgQqV?T-7DLtnEsOT{B!AEJ_Ls zM^<*+wcYFxwB1_7`+3jfkM2ce>=~9@Q1a@2QQgX4p-i&?&MUhW`MUvFp~UG%drobZ zf$z11kM$Z>9P7J19ocLcQfQLZy;ZnC9< z?9&p~T+S{U=;tig6NJ&OR#$X9Q|N#JyCC)6ebjrc`deUJk}5T!GiD?-Bfa*ML7R%H zZTI16D}}xOb`w)m<;ixID#cvC4BY`|Z?wPPIOIk(L$-WWl$vWJVR_MB!jpe1cm5gi znq+0kb=Iz8B$%?{MuuKV_kNJH>1tU3R^$F7FE6mWGZDpP+#$$mpqTYD7;d}kvrnEp zVUV%tcl8|rSvyNG0P{K0|{q5Aq%mfjWuYb6Q#i12APV$!jL!Jm4tTG zCzj+}E3p9#%oPh+Vn&A61(R=6Jmxvtp!|ekm{-KQ2<)ehDDe!>j8F#`=}!jmnMWJ? 
diff --git a/azure/install.sh b/azure/install.sh index e61c90325b..4174f5f299 100644 --- a/azure/install.sh +++ b/azure/install.sh @@ -1,13 +1,7 @@ -#!/bin/bash +#!/bin/sh + export VPN_IPSEC_PSK=$1 export VPN_USER=$2 export VPN_PASSWORD=$3 -# Debian on Azure has no lsb_release installed. -if ! [[ -x "/usr/bin/lsb_release" ]] -then - apt-get update - apt-get install -y lsb-release -fi - -wget https://git.io/vpnsetup -O vpnsetup.sh && sh vpnsetup.sh \ No newline at end of file +wget https://git.io/vpnsetup -O vpnsetup.sh && sh vpnsetup.sh From 748d89bb4b92824933ebc9b593ffcf810388a786 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Fri, 2 Jun 2017 18:20:23 +0200 Subject: [PATCH 0116/1208] Add 3des-sha2 to both ike= and phase2alg= lines. Fixes #154 --- vpnsetup.sh | 4 ++-- vpnsetup_centos.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 71996d6b59..fd57a1b8bf 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -244,8 +244,8 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear - ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 - phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512 + ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512,3des-sha2 + phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512,3des-sha2 sha2-truncbug=yes conn l2tp-psk diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 86516ad6e1..cee3ce3213 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -230,8 +230,8 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear - ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 - phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512 + ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512,3des-sha2 + phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512,3des-sha2 sha2-truncbug=yes conn l2tp-psk From 47a901513504d8b6734983d61afe45b7533deae5 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 2 Jun 2017 14:24:55 -0500 Subject: [PATCH 0117/1208] Improve VPN ciphers - Add 3des-sha2 to allowed VPN ciphers, and clean up --- docs/ikev2-howto-zh.md | 4 ++-- docs/ikev2-howto.md | 4 ++-- extras/vpnupgrade.sh | 4 ++-- extras/vpnupgrade_centos.sh | 4 ++-- vpnsetup.sh | 4 ++-- vpnsetup_centos.sh | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 9f2c93aae3..9f53b3cdb2 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -55,8 +55,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ikev2=insist rekey=no fragmentation=yes - ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 - phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512 + ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 + phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 EOF ``` diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 17ca30a0ca..7c93dc6b24 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -55,8 +55,8 @@ Before continuing, make sure you have successfully /dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null # Update ipsec.conf for Libreswan 3.19 and newer -IKE_NEW=" ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" -PHASE2_NEW=" phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512" +IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" +PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index fd57a1b8bf..cdc0f8a400 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -244,8 +244,8 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear - ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512,3des-sha2 - phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512,3des-sha2 + ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 + phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 sha2-truncbug=yes conn l2tp-psk diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index cee3ce3213..4c307df53d 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -230,8 +230,8 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear - ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512,3des-sha2 - phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512,3des-sha2 + ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 + phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 sha2-truncbug=yes conn l2tp-psk From bc0324f9570b8843b5968c078328e4663acf6d6d Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 3 Jun 2017 14:53:45 -0500 Subject: [PATCH 0118/1208] Improve IKEv2 docs - Make it clear how to use the VPN server's DNS name to connect --- docs/ikev2-howto-zh.md | 11 +++++++---- docs/ikev2-howto.md | 9 ++++++--- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 9f53b3cdb2..894ee5aa91 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -21,14 +21,16 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 在继续之前,请确保你已经成功 搭建自己的 VPN 服务器。 -1. 获取服务器的公共 IP 地址,并检查它是否正确。 +1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。 ```bash $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) $ echo "$PUBLIC_IP" - (检查显示的 public IP) + (检查显示的公共 IP) ``` + **注:** 另外,在这里你也可以指定 VPN 服务器的域名。例如: `PUBLIC_IP=myvpn.example.com`。 + 1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接: ```bash @@ -78,8 +80,9 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ echo " forceencaps=yes" >> /etc/ipsec.conf ``` -1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: - **注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。 +1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: + + **注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。另外,如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则需要将以下命令中的 `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` 换成 `--extSAN "dns:$PUBLIC_IP"`。 ```bash $ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2 
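Review bot: The note added to the certificate step in docs/ikev2-howto-zh.md leaves the subject alternative name to a manual edit: the reader must change `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` to `--extSAN "dns:$PUBLIC_IP"` when step 1 was given a DNS name, and a reader who skips that passes a host name in the `ip:` entry. Since `PUBLIC_IP` may now hold a name (`PUBLIC_IP=myvpn.example.com`), consider a separate variable for the DNS case, or show both complete commands, so the SAN that clients validate does not depend on a hand substitution.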
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 7c93dc6b24..973b024d1f 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -21,7 +21,7 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo Before continuing, make sure you have successfully set up your VPN server. -1. Find the public IP of your server, and make sure it is correct. +1. Find the VPN server's public IP, save it to a variable and check. ```bash $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) @@ -29,6 +29,8 @@ Before continuing, make sure you have successfully > /etc/ipsec.conf ``` -1. Generate Certificate Authority (CA) and VPN server certificates: - **Note:** Specify the certificate validity period (in months) using "-v". e.g. "-v 36". +1. Generate Certificate Authority (CA) and VPN server certificates: + + **Note:** Specify the certificate validity period (in months) using "-v". e.g. "-v 36". In addition, if you specified the server's DNS name (instead of its IP address) in step 1 above, replace `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` with `--extSAN "dns:$PUBLIC_IP"` in the command below. ```bash $ certutil -S -x -n "Example CA" -s "O=Example,CN=Example CA" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t "CT,," -2 From c01fb796507b3571b6ea5fb55b568c4c157a283d Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 12 Jun 2017 02:29:53 -0500 Subject: [PATCH 0119/1208] Update docs --- README-zh.md | 2 +- README.md | 2 +- azure/README-zh.md | 10 ++++++---- azure/README.md | 8 +++++--- 4 files changed, 13 insertions(+), 9 deletions(-) diff --git a/README-zh.md b/README-zh.md index e8b58f7baf..7c9858cfc7 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -139,7 +139,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh **Windows 用户** 在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。 -同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。另外,你的服务器必须运行 [Libreswan 3.19](#升级libreswan) 或以上版本。 +同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。另外,你的服务器必须运行 [Libreswan 3.19 或更新版本](#升级libreswan)。 对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 diff --git a/README.md b/README.md index a212fd74d3..3fabc705a1 100644 --- a/README.md +++ b/README.md @@ -139,7 +139,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: For **Windows users**, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. Also, your server must run [Libreswan 3.19](#upgrade-libreswan) or a newer version. +The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. Also, your server must run [Libreswan 3.19 or newer](#upgrade-libreswan). For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. diff --git a/azure/README-zh.md b/azure/README-zh.md index 03b83d09bd..dd23efe5de 100644 --- a/azure/README-zh.md +++ b/azure/README-zh.md @@ -4,7 +4,7 @@ 使用这个模板,你可以在 Microsoft Azure Cloud 上快速搭建一个 VPN 服务器 (定价细节)。 -根据你的偏好设置以下选项: +可根据偏好设置以下选项: - Username for VPN and SSH (用户名) - Password for VPN and SSH (密码) @@ -16,12 +16,14 @@ Deploy to Azure - +

+ +在完成部署之后,Azure 会有提示。下一步: [配置 VPN 客户端](../docs/clients-zh.md)。 ## 作者 -版权所有 (C) 2017 Lin Song -版权所有 (C) 2016 [Daniel Falkner](https://github.com/derdanu) +版权所有 (C) 2016 [Daniel Falkner](https://github.com/derdanu) +版权所有 (C) 2017 Lin Song ## 屏幕截图 diff --git a/azure/README.md b/azure/README.md index ed63b5a8d7..f9efc7e285 100644 --- a/azure/README.md +++ b/azure/README.md @@ -16,12 +16,14 @@ Press this button to start: Deploy to Azure - +

+ +When the deployment finishes, Azure displays a notification. Next steps: [Configure VPN Clients](../docs/clients.md). ## Authors -Copyright (C) 2017 Lin Song -Copyright (C) 2016 [Daniel Falkner](https://github.com/derdanu) +Copyright (C) 2016 [Daniel Falkner](https://github.com/derdanu) +Copyright (C) 2017 Lin Song ## Screenshot From 5e3689198f089462765893389f6cf853ec53d97c Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 20 Jun 2017 23:59:13 -0500 Subject: [PATCH 0120/1208] Improve network interfaces - Better detection of default network interface when the 'route' command is not available --- vpnsetup.sh | 7 ++++--- vpnsetup_centos.sh | 5 +++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index cdc0f8a400..ea5bb35c92 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Script for automatic setup of an IPsec VPN server on Ubuntu LTS and Debian 8. +# Script for automatic setup of an IPsec VPN server on Ubuntu LTS and Debian. # Works on any dedicated server or Virtual Private Server (VPS) except OpenVZ. # # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! 
@@ -66,13 +66,14 @@ if [ "$(id -u)" != 0 ]; then fi NET_IFACE=${VPN_NET_IFACE:-'eth0'} -DEF_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')" +DEF_IFACE="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" +[ -z "$DEF_IFACE" ] && DEF_IFACE="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" if_state1=$(cat "/sys/class/net/$DEF_IFACE/operstate" 2>/dev/null) if [ -z "$VPN_NET_IFACE" ] && [ -n "$if_state1" ] && [ "$if_state1" != "down" ]; then if ! grep -qs raspbian /etc/os-release; then case "$DEF_IFACE" in - wlan*) + wl*) cat 1>&2 </dev/null) if [ -z "$VPN_NET_IFACE" ] && [ -n "$if_state1" ] && [ "$if_state1" != "down" ]; then if ! grep -qs raspbian /etc/os-release; then case "$DEF_IFACE" in - wlan*) + wl*) cat 1>&2 < Date: Wed, 21 Jun 2017 00:02:03 -0500 Subject: [PATCH 0121/1208] Improve services on boot - Systemd may run rc.local early during system boot - Insert delay so that services can start correctly --- vpnsetup.sh | 6 ++---- vpnsetup_centos.sh | 3 ++- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index ea5bb35c92..180f47d56b 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -432,14 +432,12 @@ if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then cat >> /etc/rc.local <<'EOF' # Added by hwdsl2 VPN script +(sleep 15 service ipsec start service xl2tpd start -echo 1 > /proc/sys/net/ipv4/ip_forward +echo 1 > /proc/sys/net/ipv4/ip_forward)& exit 0 EOF - if grep -qs raspbian /etc/os-release; then - sed --follow-symlinks -i '/hwdsl2 VPN script/a sleep 15' /etc/rc.local - fi fi bigecho "Starting services..." diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 97a151a9d1..15134a5a7e 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -418,10 +418,11 @@ if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then cat >> /etc/rc.local <<'EOF' # Added by hwdsl2 VPN script +(sleep 15 modprobe -q pppol2tp service ipsec restart service xl2tpd restart -echo 1 > /proc/sys/net/ipv4/ip_forward +echo 1 > /proc/sys/net/ipv4/ip_forward)& EOF fi From 6255c43e93facdd41d72783fa61dc76b2d0cb60c Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 21 Jun 2017 11:24:02 -0500 Subject: [PATCH 0122/1208] Update docs --- README-zh.md | 8 ++++---- README.md | 12 ++++++------ 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/README-zh.md b/README-zh.md index 7c9858cfc7..d1545ac05c 100644 --- a/README-zh.md +++ b/README-zh.md @@ -28,7 +28,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 ## 快速开始 -首先,在你的 Linux 服务器* 上全新安装一个 Ubuntu LTS, Debian 8 或者 CentOS 7/6 系统。 +首先,在你的 Linux 服务器* 上全新安装一个 Ubuntu LTS, Debian 或者 CentOS 系统。 使用以下命令快速搭建 IPsec VPN 服务器: @@ -52,13 +52,13 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh - 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持 - 可直接作为 Amazon EC2 实例创建时的用户数据使用 - 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能 -- 测试通过: Ubuntu 16.04/14.04/12.04, Debian 8 和 CentOS 7/6 +- 已测试: Ubuntu 16.04/14.04/12.04, Debian 9/8 和 CentOS 7/6 ## 系统要求 -一个新创建的 Amazon EC2 实例,使用这些映像 (AMI): +一个新创建的 Amazon EC2 实例,使用这些映像 (AMIs): - Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise) -- Debian 8 (Jessie) EC2 Images +- Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates diff --git a/README.md b/README.md index 3fabc705a1..3d06f531dc 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ We will use Libreswan as th ## Quick start -First, prepare your Linux server* with a fresh install of Ubuntu LTS, Debian 8 or CentOS 7/6. +First, prepare your Linux server* with a fresh install of Ubuntu LTS, Debian or CentOS. Use this one-liner to set up an IPsec VPN server: 
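Review bot: The reworded Quick start sentence in README.md, `fresh install of Ubuntu LTS, Debian or CentOS`, drops the release numbers, while the Requirements paragraph edited in this same commit still says Debian 7 (Wheezy) can only be used with a workaround. Keep the supported releases in this sentence, or point it at Requirements, so the one-liner is not run as root on a release the script does not handle directly.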
@@ -42,7 +42,7 @@ Your VPN login details will be randomly generated, and displayed on the screen w For other installation options and how to set up VPN clients, read the sections below. -\* A dedicated server or Virtual Private Server (VPS). OpenVZ VPS is NOT supported. +\* A dedicated server or virtual private server (VPS). OpenVZ VPS is not supported. ## Features @@ -52,13 +52,13 @@ For other installation options and how to set up VPN clients, read the sections - Encapsulates all VPN traffic in UDP - does not need ESP protocol - Can be directly used as "user-data" for a new Amazon EC2 instance - Includes `sysctl.conf` optimizations for improved performance -- Tested with Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 7/6 +- Tested with Ubuntu 16.04/14.04/12.04, Debian 9/8 and CentOS 7/6 ## Requirements -A newly created Amazon EC2 instance, from these images (AMI): +A newly created Amazon EC2 instance, from these images (AMIs): - Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise) -- Debian 8 (Jessie) EC2 Images +- Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates @@ -66,7 +66,7 @@ Please see this workaround. OpenVZ VPS is NOT supported, users could instead try OpenVPN. +A dedicated server or virtual private server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used with this workaround. OpenVZ VPS is NOT supported, users could instead try OpenVPN. This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, OVH and Rackspace. From 8ac15731060952f63d6de0db55e416e390e8f1e9 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 21 Jun 2017 11:59:07 -0500 Subject: [PATCH 0123/1208] Minor clean up --- vpnsetup.sh | 19 ++++++++----------- vpnsetup_centos.sh | 19 ++++++++----------- 2 files changed, 16 insertions(+), 22 deletions(-) 
diff --git a/vpnsetup.sh b/vpnsetup.sh index 180f47d56b..33bee0a294 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -1,7 +1,7 @@ #!/bin/sh # # Script for automatic setup of an IPsec VPN server on Ubuntu LTS and Debian. -# Works on any dedicated server or Virtual Private Server (VPS) except OpenVZ. +# Works on any dedicated server or virtual private server (VPS) except OpenVZ. # # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! # @@ -76,12 +76,9 @@ if [ -z "$VPN_NET_IFACE" ] && [ -n "$if_state1" ] && [ "$if_state1" != "down" ]; wl*) cat 1>&2 <> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! << +If you are certain that this script is running on a server, re-run it with: + sudo VPN_NET_IFACE="$DEF_IFACE" sh "$0" EOF exit 1 ;; @@ -92,12 +89,12 @@ fi if_state2=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null) if [ -z "$if_state2" ] || [ "$if_state2" = "down" ] || [ "$NET_IFACE" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n\n" "$NET_IFACE" >&2 + printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 <&2 <> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! << +If you are certain that this script is running on a server, re-run it with: + sudo VPN_NET_IFACE="$DEF_IFACE" sh "$0" EOF exit 1 ;; @@ -87,12 +84,12 @@ fi if_state2=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null) if [ -z "$if_state2" ] || [ "$if_state2" = "down" ] || [ "$NET_IFACE" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n\n" "$NET_IFACE" >&2 + printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 < Date: Thu, 22 Jun 2017 00:50:50 -0500 Subject: [PATCH 0124/1208] Update docs - Remove Ubuntu 12.04 from README (EOL as of April 2017) --- README-zh.md | 4 ++-- README.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README-zh.md b/README-zh.md index d1545ac05c..ca713987f1 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -52,12 +52,12 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh - 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持 - 可直接作为 Amazon EC2 实例创建时的用户数据使用 - 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能 -- 已测试: Ubuntu 16.04/14.04/12.04, Debian 9/8 和 CentOS 7/6 +- 已测试: Ubuntu 16.04/14.04, Debian 9/8 和 CentOS 7/6 ## 系统要求 一个新创建的 Amazon EC2 实例,使用这些映像 (AMIs): -- Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise) +- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates diff --git a/README.md b/README.md index 3d06f531dc..3b2b78c2ae 100644 --- a/README.md +++ b/README.md @@ -52,12 +52,12 @@ For other installation options and how to set up VPN clients, read the sections - Encapsulates all VPN traffic in UDP - does not need ESP protocol - Can be directly used as "user-data" for a new Amazon EC2 instance - Includes `sysctl.conf` optimizations for improved performance -- Tested with Ubuntu 16.04/14.04/12.04, Debian 9/8 and CentOS 7/6 +- Tested with Ubuntu 16.04/14.04, Debian 9/8 and CentOS 7/6 ## Requirements A newly created Amazon EC2 instance, from these images (AMIs): -- Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise) +- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates From caf9293b8a4316a404aebf243841fd6e29123850 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 20 Aug 2017 10:52:28 -0500 Subject: [PATCH 0125/1208] New Libreswan version 3.21 --- extras/vpnupgrade.sh | 7 +++++-- extras/vpnupgrade_centos.sh | 7 +++++-- vpnsetup.sh | 7 +++++-- vpnsetup_centos.sh | 7 +++++-- 4 files changed, 20 insertions(+), 8 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index de6cc2430a..32e4cd4ad8 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.20 +swan_ver=3.21 ### DO NOT edit below this line ### @@ -145,7 +145,10 @@ fi /bin/rm -rf "/opt/src/libreswan-$swan_ver" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." -echo "WERROR_CFLAGS =" > Makefile.inc.local +cat > Makefile.inc.local <<'EOF' +WERROR_CFLAGS = +USE_DNSSEC = false +EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 fi diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 14f8be98be..e44887fef0 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.20 +swan_ver=3.21 ### DO NOT edit below this line ### @@ -139,7 +139,10 @@ fi /bin/rm -rf "/opt/src/libreswan-$swan_ver" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." -echo "WERROR_CFLAGS =" > Makefile.inc.local +cat > Makefile.inc.local <<'EOF' +WERROR_CFLAGS = +USE_DNSSEC = false +EOF make -s programs && make -s install # Verify the install and clean up diff --git a/vpnsetup.sh b/vpnsetup.sh index 33bee0a294..bd84466401 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -185,7 +185,7 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -swan_ver=3.20 +swan_ver=3.21 swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" 
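Review bot: The bump to `swan_ver=3.21` in vpnsetup.sh changes which tarball is fetched from `swan_url1` and `swan_url2`, and nothing in the lines shown verifies that tarball before `tar xzf "$swan_file"` and a build that the script installs as root. A version bump is the natural place to pin it: add the expected SHA-256 next to `swan_ver`, check it before extracting, and update both values together in all four scripts this commit touches.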
@@ -195,7 +195,10 @@ fi /bin/rm -rf "/opt/src/libreswan-$swan_ver" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." -echo "WERROR_CFLAGS =" > Makefile.inc.local +cat > Makefile.inc.local <<'EOF' +WERROR_CFLAGS = +USE_DNSSEC = false +EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index c4351e657f..66ac0ec78d 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -174,7 +174,7 @@ yum -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -swan_ver=3.20 +swan_ver=3.21 swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -184,7 +184,10 @@ fi /bin/rm -rf "/opt/src/libreswan-$swan_ver" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." -echo "WERROR_CFLAGS =" > Makefile.inc.local +cat > Makefile.inc.local <<'EOF' +WERROR_CFLAGS = +USE_DNSSEC = false +EOF make -s programs && make -s install # Verify the install and clean up From 3f2b2cbc0bcf17cde7ec72eb148b8a1c68f82cf0 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 20 Aug 2017 11:50:46 -0500 Subject: [PATCH 0126/1208] Remove Debian 7 - Remove support for Debian 7 (Wheezy) - Libreswan 3.21 no longer compiles on Debian 7 or Ubuntu 12.04 - Fix tests by switching to Ubuntu 14.04 --- .travis.yml | 1 + README-zh.md | 5 +- README.md | 5 +- extras/vpnsetup-debian-7-workaround.sh | 73 -------------------------- extras/vpnupgrade.sh | 13 ++--- vpnsetup.sh | 16 ++---- 6 files changed, 11 insertions(+), 102 deletions(-) delete mode 100644 extras/vpnsetup-debian-7-workaround.sh diff --git a/.travis.yml b/.travis.yml index e03cca1d21..3eb710a651 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -1,6 +1,7 @@ language: bash sudo: required +dist: trusty addons: apt: diff --git a/README-zh.md b/README-zh.md index ca713987f1..ab4e44feb5 100644 --- a/README-zh.md +++ b/README-zh.md @@ -66,7 +66,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh **-或者-** -一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。另外也可使用 Debian 7 (Wheezy),但是必须首先运行另一个脚本。 OpenVZ VPS 不受支持,用户可以尝试使用 Shadowsocks 或者 OpenVPN。 +一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以尝试使用比如 Shadowsocks 或者 OpenVPN。 这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, OVHRackspace。 @@ -180,10 +180,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh - IKEv2 VPN Server on Docker - Streisand - Algo VPN -- SoftEther VPN -- Shadowsocks - OpenVPN Install -- Setup strongSwan ## 授权协议 diff --git a/README.md b/README.md index 3b2b78c2ae..b3f43190ee 100644 --- a/README.md +++ b/README.md @@ -66,7 +66,7 @@ Please see this workaround. OpenVZ VPS is NOT supported, users could instead try OpenVPN. +A dedicated server or KVM/Xen-based virtual private server (VPS), freshly installed with one of the above OS. OpenVZ VPS is not supported, users could instead try OpenVPN or Shadowsocks. This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, OVH and Rackspace. @@ -180,10 +180,7 @@ Please refer to Uninstall the VPNIKEv2 VPN Server on Docker - Streisand - Algo VPN -- SoftEther VPN -- Shadowsocks - OpenVPN Install -- Setup strongSwan ## License diff --git a/extras/vpnsetup-debian-7-workaround.sh b/extras/vpnsetup-debian-7-workaround.sh deleted file mode 100644 index c767c255dd..0000000000 --- a/extras/vpnsetup-debian-7-workaround.sh +++ /dev/null 
@@ -1,73 +0,0 @@ -#!/bin/sh -# -# Debian 7 (Wheezy) does NOT have the required libnss version (>= 3.16) for Libreswan. -# This script provides a workaround by installing newer packages from libreswan.org. -# Debian 7 users: Run this script first, before using the VPN setup script. -# -# IMPORTANT: These unofficial packages may not receive security updates compared to -# official Debian packages. They could contain vulnerabilities. Use at your own risk! -# -# Copyright (C) 2015-2017 Lin Song -# -# This program is free software: you can redistribute it and/or modify it under -# the terms of the GNU General Public License as published by the Free Software -# Foundation, either version 3 of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but WITHOUT ANY -# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along with -# this program. If not, see http://www.gnu.org/licenses/. - -export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" - -exiterr() { echo "Error: $1" >&2; exit 1; } - -if [ "$(sed 's/\..*//' /etc/debian_version 2>/dev/null)" != "7" ]; then - exiterr "This script only supports Debian 7 (Wheezy)." -fi - -if [ "$(uname -m)" != "x86_64" ]; then - exiterr "This script only supports 64-bit Debian 7." -fi - -if [ "$(id -u)" != 0 ]; then - exiterr "Script must be run as root. Try 'sudo sh $0'" -fi - -# Create and change to working dir -mkdir -p /opt/src -cd /opt/src || exiterr "Cannot enter /opt/src." - -# Update package index and install wget -export DEBIAN_FRONTEND=noninteractive -apt-get -yq update || exiterr "'apt-get update' failed." -apt-get -yq install wget || exiterr "Failed to install 'wget'." - -# Install libnss/libnspr packages from download.libreswan.org. 
-# Ref: https://libreswan.org/wiki/3.14_on_Debian_Wheezy -base_url=https://download.libreswan.org/binaries/debian/wheezy - -deb1=libnspr4_4.10.7-1_amd64.deb -deb2=libnspr4-dev_4.10.7-1_amd64.deb -deb3=libnss3_3.17.2-1.1_amd64.deb -deb4=libnss3-dev_3.17.2-1.1_amd64.deb -deb5=libnss3-tools_3.17.2-1.1_amd64.deb - -wget -t 3 -T 30 -nv -O "$deb1" "$base_url/$deb1" -wget -t 3 -T 30 -nv -O "$deb2" "$base_url/$deb2" -wget -t 3 -T 30 -nv -O "$deb3" "$base_url/$deb3" -wget -t 3 -T 30 -nv -O "$deb4" "$base_url/$deb4" -wget -t 3 -T 30 -nv -O "$deb5" "$base_url/$deb5" - -if [ -s "$deb1" ] && [ -s "$deb2" ] && [ -s "$deb3" ] && [ -s "$deb4" ] && [ -s "$deb5" ]; then - dpkg -i "$deb1" "$deb2" "$deb3" "$deb4" "$deb5" && /bin/rm -f "$deb1" "$deb2" "$deb3" "$deb4" "$deb5" - apt-get install -f - echo - echo 'Completed! If no error, you may now proceed to run the VPN setup script.' - exit 0 -else - /bin/rm -f "$deb1" "$deb2" "$deb3" "$deb4" "$deb5" - exiterr 'Could not download libnss/libnspr package(s).' -fi diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 32e4cd4ad8..bb9aaeceee 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -29,6 +29,10 @@ if ! printf %s "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbia exiterr "This script only supports Ubuntu/Debian." fi +if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then + exiterr "This script does not support Debian 7 (Wheezy)." +fi + if [ -f /proc/user_beancounters ]; then exiterr "This script does not support OpenVZ VPS." fi @@ -96,15 +100,6 @@ Your other VPN configuration files will not be modified. EOF -if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then -cat <<'EOF' -IMPORTANT: Workaround required for Debian 7 (Wheezy). -You must first run the script at: https://git.io/vpndeb7 -Continue only after completing this workaround. - -EOF -fi - printf "Do you wish to continue? [y/N] " read -r response case $response in 
diff --git a/vpnsetup.sh b/vpnsetup.sh index bd84466401..fc4932a205 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -55,6 +55,10 @@ if ! printf %s "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbia exiterr "This script only supports Ubuntu/Debian." fi +if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then + exiterr "This script does not support Debian 7 (Wheezy)." +fi + if [ -f /proc/user_beancounters ]; then echo "Error: This script does not support OpenVZ VPS." >&2 echo "Try OpenVPN: https://github.com/Nyr/openvpn-install" >&2 @@ -125,18 +129,6 @@ case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in ;; esac -if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then -cat <<'EOF' -IMPORTANT: Workaround required for Debian 7 (Wheezy). -You must first run the script at: https://git.io/vpndeb7 -If not already done so, press Ctrl-C to interrupt now. - -Continuing in 30 seconds ... - -EOF - sleep 30 -fi - bigecho "VPN setup in progress... Please be patient." # Create and change to working dir From dc71db34515fe870b82bd219cc8bfc63adb27bfc Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 21 Sep 2017 01:23:03 -0500 Subject: [PATCH 0127/1208] Fixes for Raspberry Pi - Change "start" to "restart", so that the 15-second delay actually works (wait for network interfaces to initialize) - Workaround for Raspbian 9 (requires left=$PRIVATE_IP in ipsec.conf) --- vpnsetup.sh | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index fc4932a205..d4e5fcf8cd 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -425,8 +425,8 @@ cat >> /etc/rc.local <<'EOF' # Added by hwdsl2 VPN script (sleep 15 -service ipsec start -service xl2tpd start +service ipsec restart +service xl2tpd restart echo 1 > /proc/sys/net/ipv4/ip_forward)& exit 0 EOF 
@@ -449,6 +449,15 @@ service fail2ban restart 2>/dev/null service ipsec restart 2>/dev/null service xl2tpd restart 2>/dev/null +# Workaround for Raspbian 9 +if grep -qs raspbian /etc/os-release; then + if [ "$(sed 's/\..*//' /etc/debian_version)" = "9" ]; then + PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') + check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf + service ipsec restart + fi +fi + cat < Date: Sat, 23 Sep 2017 14:19:30 -0500 Subject: [PATCH 0128/1208] Improve RPi fix - Minor improvement to Raspberry Pi fix --- vpnsetup.sh | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index d4e5fcf8cd..2d4b1f4d95 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -267,6 +267,12 @@ conn xauth-psk also=shared EOF +# Workaround for Raspbian 9 +if grep -qs 'Raspbian GNU/Linux 9' /etc/os-release; then + PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') + check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf +fi + # Specify IPsec PSK conf_bk "/etc/ipsec.secrets" cat > /etc/ipsec.secrets </dev/null service ipsec restart 2>/dev/null service xl2tpd restart 2>/dev/null -# Workaround for Raspbian 9 -if grep -qs raspbian /etc/os-release; then - if [ "$(sed 's/\..*//' /etc/debian_version)" = "9" ]; then - PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') - check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf - service ipsec restart - fi -fi - cat < Date: Mon, 25 Sep 2017 00:28:10 -0500 Subject: [PATCH 0129/1208] Enable MS-CHAP v2 - Allow MS-CHAP v2 for better compatibility with the built-in Windows 10 VPN client. Thanks @remini1998! --- vpnsetup.sh | 1 + vpnsetup_centos.sh | 1 + 2 files changed, 2 insertions(+) diff --git a/vpnsetup.sh b/vpnsetup.sh index 2d4b1f4d95..aebc7ce3d2 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -299,6 +299,7 @@ EOF # Set xl2tpd options conf_bk "/etc/ppp/options.xl2tpd" cat > /etc/ppp/options.xl2tpd < /etc/ppp/options.xl2tpd < Date: Mon, 25 Sep 2017 18:55:27 -0500 Subject: [PATCH 0130/1208] Update images - Update VPN properties screenshots for MS-CHAP v2 --- docs/images/vpn-properties-zh.png | Bin 85831 -> 85508 bytes docs/images/vpn-properties.png | Bin 95100 -> 95097 bytes 2 files changed, 0 insertions(+), 0 deletions(-) 
diff --git a/docs/images/vpn-properties-zh.png b/docs/images/vpn-properties-zh.png index 7b2948ea51e46efabcec6700a0c123c4437b064a..40d9f4fdbea5a12c960b6782e2b9ce433e0da7b1 100644 GIT binary patch
z;2F{nHwo!ZT}>idu5SYk>E41-N2rEDbD%Acf-#%N`8f+BmJpVe1)2e@3Wi23B*n|`Vvq6?cSNn`<6O4hzR!#Cl4+kH3NM6X&tMt9iW z#3o=S2zy;!O$A|-DtNCk2d66X@##I8&>w49-fBcRc_sHaQQrS38NYf;nZwQjk$bHH zi*J{*t55M`cKn7SG_f}8oX5&6b@ZO0!ZE3=yzJl4(87$1K-@gv3Rpxq{(HR;tzOCv zbIoJoy&}G2`aEB^fs8ype+JHLiw+oPE&m>sImOa9EzBa1~9jcwbO%f;EY z<5{(X9&jQw4zZZ$(G=Iu)uaR99QpM-ce2fPGU|WG@E>udOGR?R6vtgOpO_gqRkv-n z=1lXi>1yRFu4{V-b9MfgF1})gPsNXmj)?0C@=9Irzi&PE{UKJ-FRe6l-%RtcouG93 z#Am`&ta&evKv#T{Pat<4-dEYeoHk5{%~3O9fU<&6tf$*jQ(=GGHh@$tB^(IWw;AZs zi&WbzTF?-*W#HKpc|x)jR%w-TA?vhhWVU?UgI0`$3yYDU>PAOL3_5e%L!oKq0n5Zl zN@_iHERhv#i$7wd!jgUcZ?$wzVp6C=Pju*uXR>w`Qm8Cx<%41zx+3x6w1|13aIJgA zL=><-q6<<9cBTd(k2OX_a-|w@zb;f=;GxvNxp(Kz2d0kK9!pPqNs?l z)>A&N;UjW!L>bwv*gFR*hWE z55wde1Vn~)$cJ2{2;@8KdmskB^m6$S?}B=ezQ?2A8cXe<8<^4D_$V1%HORG*?LEm4 z;xBdg&Yg9qGf;R2+l091TFM}k6VG3dt*>z{h2&V7L0hJS4?p4$yAHy!7EC>|$Fy3T=Gbk6Qy~LyCW8(wFKOpcz>~1nn?L z6)RX!TQx~skJ0c-%Tr=Z51P8Lc{XfKe&TUr61qPF1*abbLeX59jK)XXuuyjO$=c5# zH>5tz&lOZ40pUUCSsXZ^^3n0ci#iFV);956$PF5BQj^h3Ri})^r+APcE`*)I+JL5P zm5Q%l9)8BLOkpki#7>@-$+I%z5m=q9g4rJC@%5&U|J&uZaWPyu^!PVtI94p;fCH;k zeV7OYY|NcHkjFGnWU)855HRu&CvtW`FYm0424!kX_Vh4ay%B-$FP1$}f9j#KTkFvv zoL#6=rxiI7A$WU_o;L423su52MvvK|IAk`|NBz8>_vECyE}EYFh+}&u&|PKT(wy@x zM24dCz!N4aT&b}%Im`jLX65czrdPFPCAYANl3ib8YNi z3*6SQz)MzOa`A=ZhLu5LfvkgV%LQ$fh*c@}fIVXU>n`xvsc-68+1zJFr7-ry(ka)l<+mz2#YFvXOt~y!B0rlF#`4&CY(h`q!y@d>wisG`t?;s4-L*t#q zG%5Cp4(hr~rNx~@s2jLa*A9~gs72^}({jHKPp;P3?Tw+@$xdI5;&Y(P?&W=4ew{9$ zA-={QdDd58A2ogOI#ee|?mXrem23SK_RyN%@UMh<=&hFRFO2IFeEwc*1)FC*S6@OFV_Apdj)Q=D(QDM*&E1&g#jlT(fAnalf*IpgU0;3* z;-WtO3B%j=AeGxPO6Uk`#px8S=GLCL_VJj&KjwxJjsL(|U-Vg{D*|Rm@nXPgJqzhG zVIGH-r!(f+T&G8aK&}&FPqJTMlWc|m(g#?pP~Ny;?R8aQpvFcKF0EVe2728?R-{X- z?s{5>Cwu9wDz$V;EohrrdFm5ZZo<4IVXVq{{0N+WX+hT;#*B7_r627Ym{1B`n#O~x zm{h`khU(W(xi`kWz^v4B_jI}_M)Awfx?_C{{Ho}9FfD+-=*f_Dt|c>;V~sfKaTUG^ z7MLtg|5y9J{i_olVl0ry*D(q$^V${TY2A3mbRLzZQpp<% zaq$^p4i%E5puyKR2zSR7YN=elT!(s%jTxng=*Qi@3bcI*X z{Z;urE14Wc-^e&2WbZ>NNpm=v^z;JWo0uiAq}7ir-=iHMCp>5@;mX?SSJ7Pm&?r>N 
zBp*~I<8zPtwC>Z65$`@pigtzZILJ7lJBeN;QCvMBT8fVzBXkvhZWu=nfHx#vZx!~*$XBE3wT1@KV|G5v z@sz*z!#1W|n$z)p1;QfLkPCEzB8gGEoGe}0A1~OBchA2zKUxSmDmO+fd-MsuN|mLU znjzTQpS~;es9`|}Ng7}$Ua@JWxJDjmv>N=fJ}aB4y7LF9<_QI=Db(787YAJdE+Yve zwYAA-dSnt%?Yn6&i1M5?1@4!0X<4U5Sfo0r?m4O9cG8*ljsi^v{5Rut_K#L%Tv;Qu zoDdbdn!9Z$1C9LuHCS>2lrFKZ8=qODljC2s_9!5vx$iYa)(pC@!KmRbZH2hmVL$I5 zzTUn|ycu~Di=2)(cSPe0&ar9d@|7y3TY=N5Mq~)<1~7WLPUS6NRo@I5rdLd5cB)+_3%k?O`Ge+3o|Rz;^y|RR3D66^1qK!~Z&a;H&8rf8bVr z;_}jQCnc%v<=qFRZ@o@Jc!$mr}rx3IAAKbO(B_Ecs1gEzT0JhlW%#w&Tp zBtwEUK72U4U+H{QS^wWX;6ElxzxQD(^)14lgzt z7Us;Uclb))2%ovY!k^n^t92gjA42xKwZmIvV=hv6UAAaI~a_#A#Xu8RQ&E@vflfx;# zCZDOMpr6euZ$b|DH;iFznwNNJPLC@z(T&O8M+u3b$WK3h^$v(1&nN@JW?G5_!cTp_ zBc5NtZI}jSeo4IMO5x0>;PjA<$;P0DCI9R1I!ouD^!`C?4XoS+ja^bydohQCnHUa% z)S^xE6&qFN$7>$y+NEDNIgzp_{K!|@YC(QHS3BMs?Dalk8W@)>ob?pYkN+uhSSuv)=xY}UxTjc5ZCx4gx(Y{j)N`@aIa{Dt~?n1e}y$+7^ zTJZ3DmdWREKg>`eE)8e&q}Wot$m)KRxdhkg_`F4!EE@Jyu?=^;$UWMF-f8>NhYq^ zgm)>n6YSYqCw|t+14Pq{5=&LuJPu_r7 z_;U0L%lSKIW_fK1(5?1*X&0}o$YV2L6xaaQTA39;4ZZYLqvzY36OX?tyWbV;iiOH% z#KGKN^^9m3va#n&Kg;aO>_fnsc}qz_7ZGbI*<_YIT z3aiKJ2q?1KNUZQ@&TGH-D`S4!_JvNXn8YJ8L+wLYbrG{$8KrvAy9LGY_i?{cO3(f7 z*<`VzaYrDZXe>3JCS|p>VMH@*heKoj(Dh6o)A~nNm(WQZtiSsU*O*o z_j~%47mLqza-2Qh3~453TRYm$5-XIl`(@fbv>$Ky$&T3vnug9D&Ni33xq%gFMrMu$ zUH1u>xY;~lrUIT2DclxrW!3xC!86REZE(SsFGM-~!pi3QLSyj`4NP4Cm zWqT~~J2n0&q_!)gq#KfBv+5bgeg|iy>uhocD81@JtWbJcTCE1e(i4ae@BHWDsE1n^ zy2K+h0c{-5b;~x=85h#;bV4AkT6eXot=SG<%e4>RcqsiyEpcFzs|3u3)1gIP2VcXqz*lwK1B8?L*jieVk^z|@;ArO~ zlOB%_6ULp&g1L;io9=k>I6v^u+)T*a%pyClSiuvWa5^0i@9N(`o%ag$%!K+V%=a=e zesems#Zo()kYmx2a8D3Li7bIaO42z<-}^d-;EMwF}F-zHQd7*wLGC zIcI=HSkY%Bc_}?&ntaxq3yje# zm5-o*$nF~fsx^lOCiBrf!nIln5N4=@YpIm*T1Ko(56(X!EQN`jHF^R56(ZWi_I3$x zXb~z<8`Tt4^AO^1W>BR*BJdidGBt5+Az!0utXabPTT>t*X&;9&_g&Lz?WRkS;AwI$ zHVx$zme@hnUzi+Xp!9E{ZGuSn7cv^Q;NG%upP$mhER&;s8cw*XXeeXYPfzm$@bG9^ zWKDbN{O!2VpYgj{dB!zOg@~m>(hW5m)SU&%3nA0~ee$Tdg-7g*N?o>Q>U%%$g_nul6vVWZm9=g25;A??dnYz>gEhO^^k**}yfH8>2-0Ld3W{m8*-l|nEwu*x 
zKK)I&$E>qC!=l5X;IEB#Ef^i-(%3E5=oAn6AVbOW0%TVh4}cT$)oY-p2C%fmznZ{Tvt0WHxz{>)mPnhN zh?yn4R7=d!8zgh3ymd6WsPAsjP=C>WW?;`cvyKzFl4Vs&ZzeLx<%8@b?dptv67L~G zWXWcLg)l(=PTNJym+F$d#!N@dDVhvYxrqQG(0*=eRT#}e9ZLvE?{aB|$zv4Mb)Apx zP5%P3#9(9g#7#lErHQ*(YD#weoz@<{Lhs2uK{;2t35$1YnGl`K#7}K;((yGb&o_P% zca4A*t)a$1)=!$baqdw@+3Cc(YXB~I6LfkC@Bn;lJ#aa85h#cc&yB9R#G4?E} z!DVz_yE-rweUm1BeO^fLj!gV|AfR@uYd=VG2?bBvc=1b8w_qJ&)ML&foMwA2O2+L~ zanSat|2!==THW7yl%Kr~toVv$MXyEmT5pz{8(bwKs9jHOee z;B05%ul%RxM4ikkw4B9|8pkgQ6UYqEa~*jPqZz>GtsDMG+gYz4bd+JV1u$$3g@&IZ|AqS7{*IG**kl94U`=={d0D9tU=xHsSZ>607@ zY4}Nx5~}@H?h2>k>@~V=7CGox(cGl?s0W5W+5QN@Xn}orG1%B#ruWZ+hhY<9l#@iTY!gLG!`MPByFoj?1(&t|4SHX;@%9Gz=l2&6uT+h(eNdji&n z`?9ReR9gTOrIgP*eFD~szAvQnm3*(&EBvT}KRhsFW*Aoq<3sXG$6Z3A}zPThrmKl##%$+c`3`ujrE18O2^+~~> zxm4-;&$g-l3nd5FH0{OTlW+pv&K4&B$dKpZ3!=3{@LlpyqQ;%s)02Z-7Q`Rw4ZokH zjh8Hu+p!ydzuGr^{Jem{MIjIwEx+?I0p+)1Of&m*;W?^vMGP?Pn>0KD!;<#hWW#L_ z?QRYNC%aQ~@BL4nS+|$AFYC)b2I?1I%SL#%5J!yr-#hNTBcyt$m9;P4thODgk=Nl2 z{YsMz7S&5M5!O5FirE)gpBJ7&BlGLf+{5H7r}S^FxUBffLltm3(fXgqJ#m3Ucy`HBT)e z83>*35w-J1ij-A1&qaoN`TfH#Y1u}R=y1Z})kEit33qgw&{X87Rqv%Z3i)D~B%&59 z&}r-qFmMpW4|k0!<{^tMrekkdL^1%fjw~xMK>)(W%~?w)Q6v(d`~sbW_Xt~z5RA*x zUWwbc*_!^4%1q+^Z)8>uuiDTaHxcN1)z2X)K zMAibT^89+f{6~riQFXjN{(0R@9T!4COXHmD@^Jw*`Fa7X7>JSUIb6oHIJf}$aX$%2 z(eU9HY8}_NL0{|X?F_@cm%_uhF}oyM(l_%S1_Vt{pTK;%(BMY>IZR`He;U)Vd;TC= zV^&2`}?&?CZUM??w1P7+{}oK*g57j_%cK=FkH}1VYgRIM{cu2~R=4I1YL3 zm*`9Z;RO5fJJqS6fYynS)ba_TGHK^K#n$I1(7px5II?(cVHjM{JpBS%E_7*9$i6&J zKUHJtmCyY7nF|bOOf$kI-+_{?vP9jr{DdzlK1`z80KOG-@4V$w;@~APz!)npS0=VE z=I9XxnZlN=Nu}63~cfA*0G9FS);VIH4FASPrC)CypgB|-Dfy0fi9g?@3=QQ zUx;?#(tJm5B2Nk4=cU>r6~TM>LO=>5Gzh(b3ItTsWdJvdSoCg{X>I+ZZFPT~P{gEo zNagw3j;jq^vKuQX`@YS+{+L_UpUO4_VvggemouS*3ChrN6sRp zb0>c~@b3;f%GwVcx-4e*o0M|qIv1Z2D&|Ooc!#Y}Sm;#StYhRZp})Vn3$N6V-wFpp z`@(@Lalf`Bbvz+t@AL?yL(j@AZX62FL34*DklIoVaBNms!CZ$YhLi$lHdlC2Nw(CQgRzZ9D$}7WUxRqUO8zH@P1t|NVIu`>o#+qa<~!baNZ4v+fi2yU`~cQ zI80=*%o^#@m77wEF373Qn~!-IZf<^D3+&BE-c+MnlIVZBHkf8HKG-Fe{weWw_Vo|G 
z#`XCf8_cUy~lzmQ?16q`jGOhz8mZ+{-YWp=ZLC<`u^Tx zw{k9p2fZNDQ@uqo4wIY2bwtMYqK~EM;iUBnKdq1?VHy{YG|~!#5j3YK+Em5vD9sPM zOt>_y6hAR+z>`PHwITG+(6#~InSp#j<8#pD+rXj)wet(HozXVNX9VGC1D$`0#$M32 z+fapzPw)8C+c~NPY~lNU(z#;}x(%{E47>N-$#sHSl|9@CEN2pmpgZx>6&=f9!YBLa z_lon$m*GhHowY$f`-GAs-xWksc$h2%tTpyeBkK^WqkyBvY5ZxmI&kvcqwBWsrkr2^*SCMA{}T z(@)ecaFdr~nsKZ8O@m1DD$v`F?cEub)E`YN2Az##9 zprAGP5S6ehwc?Ubzn#m!e=1SfSiV(2cbFZp@UhhSazZ8ofDR?Li_H~2I6S}B!DaJ& zx!EVYMy+O}Bw%cYY3F80XS(|7mw+!Ak1R1@&i z4@Yy(28-G_`?JC~Ms6c(WpO`En-JjStU{rbZkhp_pR?sm{)h5u$>y4w*$vjk$p!F% zmB#DJu;rjLIid`E=r)6P4fXo_er66G_vRV6opIGFD}`%ubFz4+7p} zuX+7E%x9dc?dcMZRKkKo3eA^Vcf@P8^BE)9>5^qa5!4#wPO6A`ahbGVu=L5W|&B8HT1X!9(glh_4$7CjTqz&n; ztQDth&*@ZkG*xwRb8Aur4Je}NMbDnijxasQwNhweX)RO}1m(nR%Ec|4#;h>a%p+EzuS%|LQ7*vSWXHGx=Arnk@d4o_ zFL-bom4x_0N<0JGcD$)7j`L=ZE^`KiTXo#oTIc#I8fSlq6hT&|%j_Y{=L%521X%M_ zcg{hr_bd@(nm*AVV3wRpk;qEp?-RhVrjK?35fZ{f+<9J%?S1xPeAgIYt)w6;^fSCE zG_EW4pECbKr-UIOuO#P1QmMP{ih+DsbyllDngk}tlN!^` zQfF!ITZ9ep;K-0R?P=$i*{bW3Y#o}5$KCr5_@=2XZ}iDecRJv)?Ye1>0x+mtaWt`X z+Mf4h6fXu4#O!ot8h9p%)~(a~FYkz^2XZ(PF7UdEespQUJeC(Umb0Lx7Zi4_Tk?m! z;-kv@FbSc1g7|Ig(b(b|L!IevmshNrBg9@_VqcZo1u<`(a8K;=?h$j125Z^Tl&4SB zz7txo0j*rjOJ<6(thVPl4~#60r}1x)E2rgZdeho2E>q4XK4{UmZ7UV|IU6GG5F

+5>@a4~Qu-BbgI%*jO=u`?50iZ<_ADpE643#DxWJ{?OpnAicWeu7YI$vU zJaR$F)dh}yw#w{IMh--1$n$I09*l<*zA^9xLCGDx(}+|4(DEQ)(?!6_-CZe1^LTv; zyW&w~ud&z)V%g`P1vLnazsn345y(U7^vA!65Ku);7J(PEeKjF}G%=$x=V zh@hLOsLDxP(0PJ@(GaX!asA~_-0}!BY0;k0_tEsRe3C{$z)Amvz5qP@C}gU*E#3Y} zu!?)W#zw;y`!29jS=@>Ekd|(Et=7Vw&h(pe4j;qR>&Gxzz2?pk28$81R3b#~PPK^> zsrW*a#vbJ(2v^Sfj`V1BMx+l|ItpeYqkZY;s%HHSQPn(*JJKQgh0|C%6}nax^(G!i;}kE=w2(yf1KpqhGq_ z{V@_1|DpvK^+qeAu9hJCg91n9wo@*n% z?RTaNN-EnA`c^^lJ*|5~b-Lg&f8V0^YL1ZxKz&W((I89R914V}|F)3t&~}xO?+Kq^ zN}lsS*uaxzpPJdOZ%FyIubbkl!nYnLMKr1H(G}aMy`HGuD5`S{)O8GO1C72gH0&=| zFyc?t+V~TLL@Gb>AWXc?dm#$4y!aQAi^gW4_PrsXrc9LfMb{`_4fMuUE0(lu&;Cwe zpNM)c4N7>ofKqc!d4n#SV^%5Ei*nOjMj$X!69Zj8Y-F-*33aFTz>SP zwMLv77?F)VeeV?)lt3MEIUI4PLUTnyJz1R}vO~HUq=P7TvRm^0)=bL0Fe+!uO09}1 zPY35MezsRUpgtyyXXN{nz`5SkKoSke20!ZL4V6$~?(xWep z?V^g02t6j$PXXXIFF>u@r=>J1616IL~sr zY&>0%$hraxqsX2Kh!|aaqdzFRMzJIpzrfDu_lnvj`xq+k7xe#HgBGrmv@{0)?8O(T z!L{?(H${RGj8u}N3CxNBvCzrZMq4xRdy_vq)HQpUTELcyS4+$;`L2HNW94#zu@8FN zpMMhdR2IhPJkmXF$cutbjfqO%_AOajqO=)v zFp@E*ACQ$suJfV0=ab|4kT;PKzdHAjwA+RGaSxo|>!yWvrkVib9?5E4=I~d^_<2!NkF?r`#O! 
zy`edY5ZkUyin`zN>AWU2Wd*{B>$wZ9eIUtL7Fg?&UquwsTUW&_B&w|pK)1YuQy3rh z(K^}l`agtK`2bb0S0;9?q<3>c+pz*}!!y4iRqF}e zSNuaM^g2g4bWOe=3z6Q@0!SZNr0$+C8r>FqYl3R=N7qePy@ zw96>%Tw&sapGz6(7YtOKT&RCSbW}y+bd*k)tym`GyrqPx+J-%Atz`8eSY49W(ZeWq6E-bWP?%kfX&=uT^OU7%$x zUel6kQQhZDk^NM}I=>;vc%^*MQ1wLRUa`JGM`v`OzLpuHTc@O**Q<4T=+sx`RJb)7 zpcsLmN5f{kZY}#)uDpLZ@5!b9KBV{VmaNijka3>;@)9RDVFkdP@eP$(V;%b=gdC;L zPIag8U#xaHamjB3dhc52I6cL`$KLnjW-_A=9$u5yuAV5YBJ6DZ+2p?`2vpxD_&u%z zQfAgdMW>Jh-|u)mtZlYge92HBI=Z;n4v9_}G8s4%X2&W1?Z#=-iz27vbT8+jMc=6E z>D^N=9V$Y=qk*WX0^?z}FEF*qmp@kX-78w zeD@}Y933RH>U3xW8gy6(>rc57&&Ju3n9?XC<-%@O8t)1t_lytNFHr@0eR%w0=h z`HrZ;`Wi4#&-tgF#jn|$$}F|_yP!vO0*T3%-Z?!o0@-H{(YMxx9VvR1!pz-fy`NK3yPm{amw*n(`!?ld=!Ws=koLVg0wK4n-N!37W34b$ zqxrh6v4gWIau7hhk4jtolJTXrRLCm z)#zma{^zKI<#XjJeUVS_QA~q}Ih0~GC@|*$i|7yb$Zv<;KXMZrGgIN0Fz$*v=>exR zVA|X#hkDKCU)gtQsk?gLz4IaAjOJ)7@4Wh%4(7Kfnf4>j2foo!#4u#Co&fN{f2iMq z--I5U)*n~L<$rH`Y1CK(VMNKfJ}iA{l4pa4S^6bbrXoTD;>*j%T=jp`Uyyh)jfByz z>fV@;z&46(yWE zd+*-ZF!c-jfkUi@ia_0G!hlUL2&tv84f_?!$~-@PJB*O*?(qvKXrxh8w_D^obc&32 zkha|`J{IKQ_$GV_^78f{Wz@3|MunK7r*G0{P3*yA7gY8#W`v5ES_y`6?M6SENv|TB z9k9B>uN+(C!_Kkk-!n^?Mc&5ku{5m7SPt~Y3GAfu#ih2TM8R?3rut7SVuGoDEek_A z1sdVg<@}njmm75f59l%8ilXmFVeN{RR_*DS8j~rdKGU6RJmSqqz&EU9-|7xv$tDJQ zE<+&n-j6TrL*@ssws>NP)R{>Y_TKX-7u8p7;~x^xp8a&Hfg6B7tn}PDb4epT?K|Kx zI=&DW*l*?NWeZNAEzI)wUZb-bH`GDd+_q|TGo$0`{w{D@ifFQdMC5>R!h2WKFtv_bXg4ntNOwr z^rY%xo0rqd zbZmU7ANPU_F>RQe>~+C4)qk1n7Y4e04FbA_5+E(^;Hy2*d~F}=D*;&^PhO&F>*ZsI z&ozOEJcm%2ZcSvaB^8y=`Sq>b&s0=`z;Sv>S$D4rH((ygt#;#OQGqnCJL`SjbzUXe zE;$#1$qlzrlp}d+_>x+49TVAS2jb|&X#z&k=x{02eNG*!IKHox`L2YTr2`2;Uc&{4ldJ3d5o}Dym)3e zug{NnYU!7ABeC_j`!Sa$iC>}>T>}d1mX(*9?Z2}RKHC|#dnq%+#^339XsB#hdt7qD z@`Q(!_cTvRG(P(Awp)Pfk~0!umbt&mq=uiwjnh3Pg0F0Btp8R>-WOwKo+Ct;+iY8% z@vU+e9H5AsdA$~zE9W?J&0Jvu?2IZ;xzuoa2J0)@=R|MHUo?5D@xK2Mhqx<>zn{q{ zan5#(iNqHg`KbDNPl=J(uC|DNvlSTM>dM>|`o=Y6(y3yih zb^3l2(MDN)-)}cZ`AtX*X)kO4%j74X>l7IpdeC+zQLuIlbqgKMpS>f~wq8d#8-I1! 
z2mZKuhC0IMGIKO8>7W1;-`lDcV_J$&bgw7DY;!*`3$MpW>*WO@1nj%->Ev>osHGUd zZG!TaMP+#EMBAV|ebGjIG3Wbm%L}}5ZvsCqU$J7WfL$2C^cU8@HFrF`?5D*_e|bk- zOp*#ZN!>*r5i!}{Gp_1bK&Quaj-=D?`bKb3qKWKcVHg#G_+xay%3!Ej=%PZgt>e)=SFUv@Asc@|_NjKua%svWW+MLc>`Wd{9IdDdv|@dg)dY^D zqc#ygiDK9q$K?jmP;mg?;%%hc-I4w8qHBpY54ULj};ZVqd zy%QsiW<&7z1U*eCk&x|#$XFIB8wkGSA5E}8e=!4+q$B%wN<$8rTbtSYD`B8-tCQh2yUrf)dp*u~d(?fjoNpzh6NoPY!tr|34|n z>lqPuRyrd0kSK#gfE!wT4{6k#W7N>ac1n7jnYWG5-4^{L{>X1EFS+0ZstC!5VtCoP z2v^^UCTabadqH#shk<)OO6i>)c_`k<5jjpWRXIL-g<`=1%TJ0ljIkp7+5?rOH>OAF zC%=&KGdIOR?0W8ow^GZD9mbl8p*OePfIi@6>a+AUp)sYsmFj>1NJQtOl%LtQtUd|f z6;9eZu?ivR5$oF1TD6Pzac5)A-PrX5T-zf6Fz}5sH_d4wFE+vdA9@ks{}zmxHw5ga z9DBq%ESE)tV!r!QtBA-1&|HaovtAloHOuGW!5<0_@ZP3NZmi2fJwI;Hy@4IS>rPNs znjjAzjBjqfoKM6U&sG^9z6z&%6_J}t_fYM{c;5ET*Yc(C`7D2z0P2X<0dd9t0KOhc;*e+-wR52N}AU(YH@=R@ex}22mdhJ`H z*RL~uNwUfZA2H4KLQ*VFolK7J1euOa4)7%LY|{b{;oP(zvSyM3`e@%8xwAhtdDTJn z=KCvQmzv3J?(b*~D6)!)V>C_P^_>~EHu{GQNSA%RCz4*=^)(C8Kxx9{#6+-ea>TgE z=lBoEX|#)P_pTFKl9!m_5Q&{(b7SvYYL|ap+9z;0&=`##722HKu~wggFv!opK2!9% zj8*0e(NPHtl&Ip<6wJJO2W?O$>#f2aXsbb;bq)O#V>IqO_EIx1yxWB5CK%T*Q0=;1hd$igU-k6RCU%>g`ckq>fFw|f%)ZS zEXITS`KN;SbKadvW8Cu4fP%H+yw_xY1648R9V&5pm(FatUr(MvH_LmixlWC7P_T^8 zcIc~htHNipZV~A042TymKo@Xi7;zN*f!_gg5sz?AVMhC1$Y2{>S7b|C`|7lWD_jE( zeme;qA|6tc3OkXgwUEt*hTVr1h|4`9aTv}0y&qdGqZ?Phaq4ggF_3hB%OX@4soRbM ztLDxs%25T3Cp;PDbTL~Oi^fq5hcUUSJgN@4%cGTAc`ue3PqhHvB;Or&u|Okx$$iax zqU8U=+d3v>4nqCA8w0-Ced!5G$kpriH8H>IaLf=*!=a^z*3}n~V2oBSTFA469CJD&laHyrh4_=yTjKNDUB;Bosrc`E_$h(^WjgVJ})L{~NbDWcipM*a270y|U*CWysu>U`*@e*5zsD zRN2QD+d?!6w78Cao!)eSL<=^X{Ma0fpiYNN7VugXE2XI}53?S!(=M8NhmD{;I zM8KH>M4ah5ilZR^@~Vl(mQX(ZByY{+s8OQP!-EWX(${XqC?;2V*X;L742Ah%#CgR_ zL9M2j1Kuvt1-KWVou!Eo&rQB;7X)Sx9+>#)sN%2=)>9=ap_qx%a`Gi)ZL=v8RXpN4 zrtx*LkD+(=jy2TH`KrDK4lC2aKDR7X34*YP^=N4pdL?oP%w$RC3SXpxQXS_$xJV@f z{PWW6iIdww@5OqT!`O|5tJfc0YDc;zX<2$8jYOj`?$>#rXmS3138wAJDr5jNL*>C7 z4!*s+pT%m5vy!z~;(~Ap6W*qIRF{mN?3?BVNIw8Ky%DytSSM8ee~S9+xF*~Gj~f?J z(2EoUa#j1NhT!7g`T)+4X3DAe2QtTNbpM2sCw{RSl%ix+vj3M 
zF_n($3b52yONd4+QrBC9w!4QuF?^2Zo8Z3^^JUcQT!?8P@k3Tj4H&jE+$)kNNJlp} z{Vql)bXV`8N#1a$Gf0p$Kj#;_Mu3@s)co^ZF8j&1Y&J9(N`{0 zE=WDCTTs7+e8XQz*0Oi>fRAc)`9+&0< zR~|44d%6Yi;DvVM-#BSGEpn=MkI@Fh(85+QU7By2591m`UEkgbkgUx#TTQ%XDYLPD z*l2B4VDS6?kG5lb4$H7vAt6DL{5~N+&pqxfg3@pG=5K42`k$K+qD-1yy2y5*;K`0E zvb%k3pxrwiinjcvIxeYol1 z;M1`6`c?4hKr{5C-wZx{x8aBCg?IlBDV(*pTo+_&tc1fJxkSWELyqbyyxZKT8of<3 zvR#GOMmE#lFw+~?hq`~}kD=fAX*bw@J&I#dIE7~{lix>%rY>!ff$ApEjiowt7c)Q` zs$VBuJz-TFmN04ZMcmGhcE=JyErMmnme+WyR^p@RoerS`Qh^S6A>G~Hq+1C1t#2`K z=F6J`6AbH7z<$YQZjh_Qd#KWHslcUwP)2?#&kYuMk;{NXB4V97<^$kxwUaNKfRk#k zB}kF-(A`d3R2e7;3NUiQ4ao5$(_zcGGBvEM71P6o%`+~}`?7S){Oh~Z>yi&|iaCC+ z|Ce>Ul53)`sG2+mp0Js>{XXYc&Jv*?<9Ybv(qoP@;ilzpsD`ibb#2g{U4VSr`wqC5x4So`1&Z6G}(u`?R~d|`B(F$%%vMLj$t;B1`x+tEe@KgQqz&8p^b<_ zUZrxF@o$v6imu04^ryL7AybKw985wdgG~FYX^tVRv|T>er0?|lo6wsXIP5$_zFY6} zx22OYzTD-i0-zA*KHo9LWdyXRU)h6}gQ}}tY`6AHIT)6mji9Ms+us*v z{Rg?^v!mmeSuIO9%Wg{r4M$Helm_AqpwA?m2qXBf=1pH!mpKP-mj(8_rQRceEoeT4 zx{YwXpxJz>pNYNp(1($4c~30tnK3{U0Q3E(dAhZy2Hg4FW(-=t*P8Ij5#b{J=0uv& zhfa#`2^&w%2}{y4tz|R=P>q>0>^6y6U;KvXFlq2f(*V7t#rHTExL4b^fdm%V&$-!2 z{Vo^#1}HBQ&SC&49|Aeo?_gz~n;A^6*VYAI`8DvY(^y0Iy`rOz+s%c3 zXg3HA?Bo-WHv~PzuWe+99emg?m%)Gpb}=rWUB-3q(&)o3mngK-S0vCV?)=J=xqTx8 zo3-^as!?B3WYAde&O+Wwyk_=wDG~NubLwp3kDWf*LHC)8tE3l~F|w}R6&Mlu&Z|wr zrP&aPjQ+KYr_42|Wt z65YS3gv)q&-iOxS9*eG34;;O{&uqF~rHK$Ozp5c#@yO}%m6bCSL(B$kle+bNdIze& zE3f!l6&!!c9SeVW&7pGkv}hMB$sdiq1nfu8yo}-tWP7roH$medF{JL)!;bOp=^AH3 zu?9|b`{xg)Ge=jiD?G2ftL5-f`l&RZS)7AcchZmeaw$oB;lAcKnh}lk#&`J{YQ|YO zf0)Xp%Z3`d-z{kriAksEgtG^`y(GfYZSlekO>YdRjEvbAWD`@|kcb#+Y|LxieZZE= zp$JNE=y@*l7_9P)?tUD28{IzOrOYfJDE%Z?vHVkkK4<_g}k8lk+(&ce^0 z>l2w5Cw}gS^%QZ^i^MSbtwYpEgOSt>>IXMZJQJ5PFAAWfQV^-M<;->yxO}S_{5(Jg z{9HQE_urEQ?>`oA+e56+oz{PF)1Lb@$O%+yf*EBemIa0>yg}^=t z6Rsy)-$`}8)t>rb$ooB@aO6vWb~ht2S7z-@c+H|EF;p=DoSCiGGaTCU^tG? 
zW4SFf-0d3#elz%dTx8-IglA284+or-%{CYWfTX<<6qrKpY--W0aU`p+&-=}GXsE)?}~^NsRUnP-q_f< zxWt~Cdrr(18wCE)_0UPx*IDB$rS1#{&il^bqoIEKr}8G08-#kQI2B5T$;4Th!bkyz}QAO}7!MJdgV8h-y7+;qSUHfIAk z(oHTFTU%}O13rEMj#St&1Dx1pI}^*Z$Eh}DibLPUw{cejmon99drY6RZz~2^lz&%k z7<&)^H{=!KBYf?3NRhb^H2}TI;^;8(AI^RtuqJ8{gX>9u$jJ?EC0wl$CBE189Qru9#aTDaNfpRm?Ex=6csHJ5EYpvW`D40b*X_95zzP|k zoseZgbM}~#w40tS6!Ku*Pe;cg*XDdIp7~t^q3zHK&E%uS0uw|l7L zm_WDwTaqraW_q0+`;lVd8|Q{NL?jU6FWP&Ld9~g<9UAaLv0Kk#rtSgq$tp09@p7N4_S^!@TaK{ zU5#>?5E+sW>i%%`J!mGQc$$M7dv4a8RTinjV#)+}OrymRGU3ke!* zV$7_{qX6Pt+Sofo+$fm>ama>iH)2vMLGQo&Oi+~w(8%*o0Pj7#eT_nMN!%<~w{gZ+ z6YA#-nwY6eYiEL9t&WkB6VR4PSu;YU2_bQq$wz<5ON7bq0mSOeISiU`^|taDMsq+1 zm3#7a(BVFG`n^*2T6Tc#OoWktV!rlP`+aD;CZ9t!CyRN+z@l90>ga_mi z1?7`03qjvQ;H+3`A}dB7Ypw0WmK2jINOit;!>G^QH1h=J-M))0E-s?z=4_nTtO1er z*@Ej+PH#ke!xcW!m(ss3aIw3Na@tE2VXa`maJ}v^ytX~s$@ox3!(ztaIrrj6va^cTbRBn4-mfA#K*J;9R6iMIr86_X2sw4a{+OYPxn7y)uW0F%b{GfIQj zL|p{W3w2di&R}Z!ZPjB;EBX$GIxXv(W=pEC)nYj5HM!Mr?#V_#hb+FZ4d~-uo2&=Gs$vJK&F^EE=!MC#yDnQb=0wX1lutfg5ZpwA=^2;*Hr zSwQujt0n(R)Qkh*98Va`$Y!OF=w8FCV9NI z*tUiw#n#zfNk{rTTb;kaYsKb~*E`v(_$s?Sh4BhT>M$zPEn#2cs8ia8WRR1ktOW8o z{w#j+a@T?$v)5XFu^*c2Fmn|k#y}5AH&ys@pBsK%W>O0j;#!Em!t;9~(P*ICv!OlY;t7x)X>1aN-zPmIwd=<%)Cu9O(o9B@iJVO}bn@u<%J8l`P6%7hYd%xCV*glc}TMVC1g6g@DSlU>< z=hB}nCLi_Nz8j1?jGzbb|ZChW?ty6UAU3(0tUSYBEE0Ws4-INN5ByCy9u)#YQ z(+Bz(wof|Ke%9YF^EqFugpu^p$_;dki?4nl55*QY2wsiySGbyj<>sieW9H=d2@|94 zutRdc;7srd`!7RZ%N8|zNk@oAgqOwPRgR{|6OJG6jYHHYKLhbunsEhVq1QEYJYgq} z31YH89Cd^JNv&)u8yHcADH;9lim7cuw2y{G5AnG-{(zqJDf>c8FN{xKlNZ2!fNY6T zJ153URDhp2pCL!zSyU&!L7jZ_a^+sIVPA{7i6$tgjft3{s%JU!dh3-#0*pby8&g-V zbQUKUTGMNA1Iq1&p7tr5(N|^hgaZ-$z<9m-*`t97xAi&$TP)VE=N9%3MII~gjf}psE} zzIiIhNZX3QEc>CEjA5#tH;k;*OCli||57z=5C<52Ojmi+bwnlp@Q#lrc;26KTo{d4=M&bl!>rH*K&$ z&yCLBNMXlZM83w5fP8(hbj z$D5%+Kjyq|_AnGs@d7?bBF%!SP3kpuXPUd2 zPOXbhtdr8|#H7%zEaMu6vjho?7-luc7wy_T8A!c|&erAJk2DGrf5q>j8-j{= zTcvhtAc7^Q>x@yil!Ao1dd8@1;LN^5fOikaSdmI|mHDpX#Cx*3h<=MEPgQ=d33f`T 
zEyD5OK_GV0AyRUPwz-40W>m*IR1#Co&rZxTz*cfDSIPhYXflmyoVSEI(#|;vqBW0H znEYucmnZ9uI1T`6&&5nHK9B954eVC6IQt%so2QAP>OP-;=fd@fm5BocU0}@kC-Vbg zT8>#l=D%@sR}(Pp_dfB2MH$IcXQ_vKTz1;y>Sp$NtW%Vk43?~LPwHQwueNxnH#rWi z_dSFe3P%8#c1fFQ6`BvSEd~P>&UE}Oc`|?3KwXDPw zxtNj8&z#;KjF?{X{^;PwT*daEc?v=*vq=gXY`QCTaY33lzxdNR|NU5fHh6yULTfk9 z@N{Q$?s$>9DR>86TkA0s(&Ta6TYLCdM=&%A+c^bo zHLc$&Tc3N?b>1X(G3VbjNZwWmg1%Hd>xH751A3cOf=y0wYlmj@nBybz_ko^HklMX+ zw*W?%+7SKF%AAe{P3cD%hoxF;J+F^!_p~p%aP@M{b%EXO%UzypnLzaDju5X)?X9W) zH#Gy9RC76_qH^rP^?f_NCTUgjke$iIm*8BA;q`_H0jgKZx**&mIBrJ(GFS zWh71Z;Qi2M!r)H4HLwJBEmKu@*3~nHPMQq>T}y&%w3agNdQnJ@DPC%_4flkVievAg z2opS?b&PfxQ*-g7Z6fBz#hW8SBDKdlSeGyBTiU_kWN3`&dZ(QHNe{3#eM`q(IhET~ zqxSX2x4Jq;*KbBBwTzRGO8K!q`=b$3K1ZXHj-rTmudW^pzzK<~j+Kg3Y0vM^1n&e* z)?f-3?I_z)|AbX?C(vt9GhTVzq={TqlJ71sj7y;AH~}NJv)9^M3~5AnS!pxw!iRoe z64s4u{brqU@E2?G-H2MbeW(1fr)h{;-ax@s=M5vC3WA`sDk~5PxIH zW%*F-wOmzTkJEm*4SJVYK+w##xO6Hkm3g-4<`8pRmRM~nto!I}$YuYLG0kMcWORrO z7_ItzNIm4Ly2@|eXg0LoGkCRsf3gzeRA+?uXIoC_`r`pMm1$>joD^qxSqO>yev40Y zf;TFp^HxaDi4+@YlS^?8tvEuxk)pCj2cfDzs5Ai92?c5#X&Y7X@tg+m#rWio2nIa- zKdE8dv=AfV%Y;J3v`U;&*AmKji%1PG)KzV8#)6f&od{?ZP`r>|m+7l^WMiw{-RGA% zN`*_Pz8KEg$?VB?Gj!A2B?#Ug{7;t3P^)ViX8$vDPgo+se&)?8dz1Tq+hU5#NZ`yb z#xX!z3E#8sBvOCfNsDqq$>OTbu7XcU!DzMkB5>T<6sm{kj5*p0b`o_)EMQQ{up@o$ z^Y$y(1@r{2pt2Zzewtrsz~9a)?M?8~oLcgvj8a{Dle?%q0@@SvpBB8Vp5$#9*-jzx zHMYk|I>#O6#>b74C)aWvVab)qy0;exfI=6E8>HP%5R3O3@GWjdsjAoUF$cp3ES92! 
zR-A|eN^D+1GV)8gM@u=IWpNZ!MXcI3e}(4K=fOFI2xC+W!k?YvF5g%&)0T3PHZV>N zl9{KzSocER$gs{8yuoRTnVFLNh>O(c;oH;}wh7R{PPS9aBy!Urb<~m)*USJlR*k0X zS(@3ceA)FJGRei1*$R_f?h zo;c7dtvbd{;rK)-Y)*^ZFo4Y{>!6yt-0Dy29HwQr8^} z=3}8lDeq8#hRfNT$y>6MWJ0###BVz_C!PXEhvH4&iK9RN?8`v0f8O++VmRDkKS>?8jim9>t$?x6#V|jKUTMF(R?Rg%9$*k~8>veZ8>b@tHMjZIb8tfR${4x5ox{6bf zpaHD_lXu1191dW1k^GV+sUBW+aF*uT{xB!zewi=&4n;m+*d<6W)CUSu1$0;8sa0SD zT{f|8ieDf)v}WmZ4%uBFe&C4?$iO(8duo303?iCRFxm3yfW957m7*O8Zxn$@R=DYW zzW$Y8@N2@qzp8w7?7))=B|Kwmj2a;X0sV#>&TRDC|D5gA&U%!>^v2TC!tYS&UFBW1 z%uG!izC-o&VFfaD`8zkopBbn67G@Y1n*gzRRD}_^J)yo9CvnYZyL%K&VWO7CNM@)Q zZ#Xz74UYT(dDoTRoiEUQ0{ha<`ANV~5ws;jc)CbFLf z+8S|e^|pQtP%z?s+5EnuU8_=0lR&K3u4{s|HNwIA_tSa3VPEtZTV0nu*s&{x&OvfsKQ-QsMTwHXcMI74yiB`hl6TdH}^})|7DfSM{|}ndqpa zp6tjmV&34i4hV8+l;OxM7?gcr1Ul*Pj2qphFwlU**4YgQpNgp|6FFyO(`qVut*znK zeD0oV75Q|7@&>T|vGehe;jmoDE3QB!8`w`X;M)@`PPA8)qe3$baE8~6JnybMQpf66Xn+J@H|Qep~7sCUGQAuGBtR9s1f z_PGb$tnz4|pz4h0&?@^wFZ*&sIpNsaB z$6oeXs0cL3m>U8LaJ!}&$KJS$PJ~F{E3rTF4zEO*=KlM?`;&GPNVSA(!G&W8&v7ep zUo^?9An+<@oDwO$=DhBQX{09l$&UqnzSgzJ{fo4&^DRfEEkz$+e#HTg4EgFyQ@4&h zUMcjs-(EQBROmTYB?k9o2h2_3p=s}r*}makV45wj2-N|i#DmoikKiICuS{?p#qvU zIk)sT6ktKIt?vFIKv~A+=RyCJ(1$mS+sl+ z-?ADJ_zMF3Kpjaz5B`tg2#$LAe=!V-_*9em%-#Q&P5A$R8!k;J9ND;M`u}4!{(mSz zV$zdSB(*_{EHYQXLdWYk_iZoey+u062l|MDD|}oIeG}$g4Q1Sum2M8h9%Ij8@ZJdn zDDd{lPA#_Ap^QQ~4_k=i3QyY%7&s)~u5Mw()+UP1*12k*-kkPc+(c8J4COa&8{1G) zRV4pF*P5ShQ1G*i1Gl#*^!siE$DdPa-U3hd-N8DHqhDK0i_m}n`&vjsvDll%bH=8Y zTK9t{vnrv5TgRH8Ykg~d_+Pgp&Vc={+D`n$(O(Yaog=0_sn5Dw@{z>a1%& z@^8Yye~{M?PQZaZ+v}VMqZt=@1Z}2WcU}vVJ9OxmUrQ);{7kzdy0&D#G4MdFkE?LhcL;9ssdlxRaS3UvTO!vOE-p|PJ zyzts!&rBsB3bsIZ8rGUCO4KXlOc?b%Q-E`Ic}|HRKSYvI2E2>A@3l-B%O0kaS^!z+QQ%^iX1T_`NzH~ZgKRJzak zJhe>Eb<4fZ>$|nT4M3L{#&27b(C2?^^yVpt1V~};xO{t2O>)rmh6winivq!mcW2?qE@Q5$oRVSje+6=SoiAgiKiGP{d8@)+`?O12 z6?xpb{0xRi^0n|&6tOAx^H4Tii%Qu5kuVlml5$WxRw3S+nQYa8nQQ=U;3sgjTY zAU0Gg@S%Cl(b0;N9DEeynS`eEji+n^$T6^_2TqZQMW*GdfOfjYHb@fc-LvIbj*^+` z=yC@6U+hqC)`e<2kH4Hy>3@Z@q>9oL^f34PzgPJ>1t^L@hxR+WD16Lm-||PROy<3b 
z)m;qgz1q*aXSHtIK4I$!-l;G45Cn1p7D57){)DqmGqKTb^LmQX@ha-BzK2@#oT_}! z=@1MKP+rPH>x8$kZE51A&HlHZND$7y{vp}W`2M@a#3syZ#p1@EfU(EA)mL&a1U`}v|(z$A+^5MKgr^+*w6_fu)U4h{aN@y|4Oncld)yocg2^; zs{-pQiT&7}w0>DCE=R>;=E?{CajZ&Htu6}jV~I~-*?MZ|r_zGHr`xr)*odkG^ql(J zCklV>8N+%-GO7?^uq0@FZN5%G#CC2_H7l|k{XWi)DGBtOLRxij<`)rKRgw{qRmv7D zJyKhJF2FaC_V6B+2=FI$L|2+cs{G$D4RLYUl8EqtL|)tt_4mcQ($&O-NNH9|T!0$- zxLK_1j>7C~gN%<;V>|cd4byz4OGHv8DEsFt6$<1vomPj_d;%+8=W&^+ckqu%tZ5U8 z%Dp3z?%PyBG<*gBOLL>$OqnHbfla9#sln5}lLipetdiL2+C3lhk0Mag z(l!X($V4iXI8J_wYSBLBxb3BGa=Oaaty?-1A#f7qWnurNjQI~;e$@=A+JkYn5b)Lsn zTB&8(H}VHM3SW_;oc@QLErX<>C%@Qxf+--%l|e}NT4Mi8A#z=p8mbZ70f7p$3ujt= zulPp(*?gX1u0N}E`!hvx4Ig05 z{rwHdWLnkZ)VkGeum?{sW-Iz+-{^xR42#Ntw+B7{22^)NeqVAloK#JqTI(4PyV~Y> z&w1z}@s{jc8~Pjys#lfe{hfF|{Cn`->!!`M*Y!t$jgsP;`*szY9!oU*>J9W1*Aw z-my?sGkYQeM%1SZyk1+nsqVMdYK{;XwwLeHkD~g4Q$ENw$>Uq17~ON!)L%2)X*H*W zDCqI4SR&QY!-hY%7?0)EF81TS^l8fZIaKb253DM!WsUBn8^O_PuVNGv*#S!g814iv z9+gbtQ42fzojKwXO`9uJlPy^M*jmf;ZbaPie`k}rlWaV>iK?s8@vfM7uWlRnkchVg z;%8&--D0b!#Qbb)0he;2;`6(ioBG3IxLQ@|8@d;_7|;H}Fh#rRg)naqa$VtKbhD-m z9WsVz%(?*zsqieq-{2Gp;5zsc_HEr?HzftwT3=|yH|I1j5KsVga=KI%L|5oHo`3$u}D8MxAiddekV`x}|SI#OQgzZEDkf_Dqo!$`7vm%ocS@!77Ps2R*w zLnR6dVg$U;4<~B9%AL~GJhjxjJEd8Y1w}7bd6Kl#7KQw~@2R|2KI}4nHdlw?jcE?< z451tb*MzWhlYptUVi|8^Rn098?f?keXX^=764!GtHPI_M%}n3SbKYt2)we3bhSe6D z{-r>nOSy#`^w-*C3*0K+>R%h^()XM82&#JfV)obnattzDdIxSG=ag8q2-oON-qaMBc`lPmZ0w~#gkWN_ircUQ&%ySJk%emu2vAG1Nr9wZ`*n{UO7G z*8rxp3MDE5K5nnZ^6J>Wt)oQd&-iW~t1g$^5ZI~3uQmTC zc(@MOwx``}w%rm=biYBKo@oB9F2L#)U~u}Yg3VEJm4r5?mvc%j42-M1N@W~5BT zXVXS8@S{zSuTji%IA+nywCLa5o^_w#=bKQk>)R9`mf0!K$JvFm{)MU)y$uSO)~B9A zCwT^mr2PB}!GUs)*YsLaxrr2&)&tEHO$RQY?6&%lhIwvlc3MUhyK~c@t85T1SO1~&tr}3&#@!t0W zPG`2uDdHyGsqZeuUbSCU4+jz>0_Q2u_&U{xP#X{P+~&#@8)b60B9nbd+7ep*<)-yQ z_k)FbVfA4NOKdY~yeti&Ld6aQ0LKB_#t3M;3G|koY3{8qLKpi*V!!~`rfv%S2U-s-ax+iYZ>$wXPKWCnCSfj;i&YD638{?kl2E%Zx4{Lo zk6*(|d3_!og^Q?uI$LDAutU?OoT&882eG1I*%Vjs2w6j|MLPma*}#7@{D-4emp1Uq zx3a{knfnSd>`d{VlXeDuTlhKL$@ANI7lpEdjjq4m^rN_##*-<`X~`P^Z*rlZ8SE!d 
zsgn^q>&YaZZ@$|n9U}3_lLux%`wIyRgtaVv7G+Us!3n;FWHy8&e@oQ4tP3wGM%j`m zv4^v;rA$H(Wvm9Is)g3Yc5`lKp20O=bYHr`@1u{FLhMI-kiNB$zOAfbV1L@&Q6l?B zTFUi~moC20UPKJBh^Z@?6~%T@Sj}1LL!7+JLiZ7W-m%w&9Ip2+b^oU1=mM%?9jY{-iirf~CW_`es(528#{fFu^FJ(ASd!a@JmfJMa8*yP~(`t{)lX&a? zT9O>Ha2&ENInSGTvVTB}SfrhP_o%d;DTAajgR=Eu=*D$XM$NQlH7btlxB%=y4%~rW zENwxJiXVWG4t8E97c1|M%aNKt`Xj5f zkD2S@Z}4WM5LrTZ9Uj$DR#+zKd!DELpzw&7AK0!^6>@-^dF)MP}yd8xMzncpwYh3`&JXNJ$NEM1m*HpeWtz<55Xp$;Bs91kCUDk|hBr>#&G&@XfiIO1Fvkv9NiPApS=<{3< z>WiY5cfZ_3RXBDnq6wWdC+*P77{J5NDrEO0*!m5}&-(!sseVSsCFyrRCw2aX|6v8* z@agmNE(wD;G0ALIpH^>jy~1Kto!V29*M^7Y1_Q zrmS)Y-8Lr&t>nMAu#T?CwfMOPZcCA$)vp}w-V2dYk70v}v;U-AY%-z-8`*$(<^#Zm{xN{`)b|YYy7zXj&5b z4jPDIU@rER*3f|*`$8sC%dS+wMlVP=-h=SZgv$#bc-)GaA!kIiF$%GL#3A4LFgrNf z2abQU9q$~s@CjH(wcEr?%d1IS+4{O__cv;JHn*~;w zo3ht#leh9rR1T{EpG}Y28uUqfEaSFrhs*4Rf~^!UFNYsdDg<{lRo*e+BEv?BJ9*KI z%7vTGB%Ez>C6UK{W&(C@AJCl}bv&(no$U|H#b&C@*Z%V!eXjKsng`4)Oy4>=8YIgh zx?6Lv^00qzmL92laeB{~YiSgm5^?CN=9)gBefzNMY`z%CD8c#6N_YK5+F9^TH|O(I z9emJl^yW;5gZqm+}ZajtFz;7cH|Q- z_BKDhhpyIDqlFnvDxjb`_m6XvNwZA>3!^ORpM9HOe$3&KVi+afE~4yvyhSohvt0yE4j*fbhRRIxd?XSjk1H?AH&qCo7!~it?vnDm9SVB1{zSQ^-z{z4~_%3Gvr%t3M0v)%{01V>5dr z7!deYre@;Yr|;VwnVAR0v=n1W`?RV%&?#Vt&#AwTGzzS|WJntH?RXBIPyXtDIsRwn z&34fCj$Gg%=maJSeb_VYw89}$f5;)iFj}8;&(Ot4*HA{kQ@@KRz}@o2jwfiE_$tuu zG|c%_Tcu~L&o3h@=MK}(zI}_we#6gEvgo^Z65`wNGb_+ThB`ECPIHk|pTFqnVF& z;#F(h3SM_)E4inokM?ES)dB(Kl=^V`HtOY%mp(S<%^S+M-Hg9Or2Zr3@5L6 zaEW%&A^Xb@q(@|?cAUA2eANI~`#wskYKt;#js}hVt+Ac~U$4<4UX>mcktl=qc2s(~ z`CHydzV?sG+G&IhRy zM)2n!73EY;ggvGk>v_GHcDKm#3E6N!VPP-;q_FQgbTRho)UYdWn_ceT76P4je>wg^ z>_LV!~x-mfO%gpSF>T5 zH79h#{gHwv?(CoEDtz1z-QG8$qa&lp2McPo#~0tq07>X+C!~hG&rO-Kk>#ayTv|C( zwllxi?{)7Vu6sQ*3LaeI_sAcKa|InTHhjbhXoE$G>f&N(I3gx2szZ&sVOM&ot+kM; z=a`LeJT?q7-+a2McuM=Nt4v`jnl1mAiuCaL-e#hOD_j@hfIXW!&pEkk!-`yP5@}XA zDBE-cyu1&gS_EZmPsk=fT@$U_L-B1D6=mLN94nfEeLvqo#D1C)ZqUJTuCyGC`}vi5 z4W$IAevy52@oF@bP73Zoya1g*dl?jF#}MUiGv~*t`I%Q2laVHOqz;_F00**C>o!N3 zEtZ~5%W)OB+bsnX7KXY4PL;I?fjdyr@4zMlzDWDEVe0TZ$V3|QqH9l 
zlHp`c&$OWYV-l))3^LmVD)ZvsMLlPUdv`uh_Lg=yi+Kh3w4ZDlkE93-mRd|~0*>&) zAg`A15goSVV*|6wCa&M3p6Odlzew^*VahUO^CQQx6KK79!%Eu|5VE%m-3xR47a+f= zd`2IM+j6kCKi(ZI4Id{AdhS==tfia+)K)?A|FlgZO_V>)22a>fvPIzzfftpzHp25h z#M591J|FT--hJNMvvGwoI`;m4ewZz3m6@WE-_K178=~ey2d>LedwFAyOF}JWCQIO~ zk{qR=o8gZwBrdsWdi6;i7>aiQPGoz3Hm=P4u1!QG5~{5DqCDu0&Nf!}&}(=TY``JU z78$#%wgQ`A0`-QF(f+|bYIx(%!91s8`yVM_W9JJIiV_Og(;sXg%WDTU{HNN%IkbgZC^+!Z-1D@j6hhn)4GoYQz2rUao*>kV`GegIjx*dJB8A2Ie5Y)JTr%- zA76=%6q|g}%S{GMA?a<4%gkMK2RkPmzY+hMae;c3bz;b<@70sM$@?Eyg7R8$m9yw| zCF7iBerK`q?-Apq0?BPbg>)uv5T@1pxRGu}b~L)f#gR$9u8G`APL){6QP~w=%MOMS z$3!j)c&fc?4ApVh*^?pelNXfqdP=S(uE1w-E^vRVC5Rzy>36A@^DlEC70KgrBAtUC}mj+oHhi;cA)Nx?Fo}@}^3uXW^J(v075a zx}~UQ8erfvD`8cV+jHJIXxQe6c$hyyaGj|+?H%so`ERG`cn1%;SZC@9fDrX_};W!q5NaZ1V-zdHyc z8aCH)>klmu`+(FR?#s)0mUoV1bq>7_Phx)oU%GDQ{~(`2B+cTXf-C| zxZ^*LfhQ+35-N=$aS~%T^p%iOo4c>o-;YmgmDM&gAtE;|rXp|b$i2p%nDni5Tj$)X z8@hM3w_=+(;yt8h%aFgsp{nKST8?u_MtPohPT`Jj&YyzdKhDn!>g%(eVb8ywZEQjT ztDMtaatJXBbeb4Z8%)l1T!1AUY{N8PpYbiQigY71L>7yFqDcP4C)xA9RX7q0b3)4=A(h|2!B z5PMt(+&6l1Bfv@^a4=<9P2Zu=jyCL2mh~I0_tOM6njN9v(S_A7cgq(buWg#hoY>&l z{on5|m>%+uaom8!vzoVl`KD5*!x*<~zuseL{9PTQLxk)IKolVpZz(Fv5VTui9erg> zY$OFg)n7@eDyC$|IHejM-?Q?S vE(A8R2boJ~_xW>mO)iu0uEO=@*E6!I{h#i{ 
diff --git a/docs/images/vpn-properties.png b/docs/images/vpn-properties.png index c7dd884f72ad5dc463f27a149455d7b1ffff6207..e2bc9172cecb4cab4e66b5c0143b4f7b288eca5a 100644 GIT binary patch
zoo`#SG}|A7TLgc8`LD@-Vrrgu73B3Bqdi9G($G;&ATyst`5-9ioxb=mBo!;AY8$*@=dSoB8lbZ91sV(v*BVBc)Cj^48)9Ce=`5mwSH{Bir=0d|NK>sFA4nDUp^88k&LQFyA5Z>U$WyKYM zI-b$aq6_oxc4%e$W5?i0Y(Vj4fd0OR?K~HAHoo3}=SU6~z6%vv=$N)=Kc?*%$z3NK z(LYeje;|x-dz0QN=kg!KTo#_~w6Ak?;A?ew<0hD!`#WI&G5Vu{DN$xNR*zPzkmfFh zB>=;c(CB=!U&x7%A6@*BmTfggD{$)QCQe)%!n}PzV$7iI?&%Xq0-lY_8@{J*&C>u<8WMYHKtogyj%tCu#iN75tX>cJ|eK$ zf`6D}JB?Az+tW;A{lo-i4!z#^(FY`{n=p}39v@p7D_5C7X`IDXP1izI^=cl<%!XL;(sYYSzDp!@vRXM(f3)W?Ei+Y6Z&m!Vw zXW=ds_3x=zd?pNCxMBUB=^>@K;Cx)eJdMk*;xaC%ltMczOFwf3&`1=Sc5rEZFZLfA^xVavp(ZMTmVI}P{)2eNLuPnxZ6&$J+`k>RsVPbMz2 z;KucLS+D9_&UFb)dG>M9+7X$CVV66?Ob!gd@I)n)7(x3dE0jwEA8pbA(GMil^}dzv z??PXD9J2FNTXUgJh+S$yP1t)p@)z=Z$UHDkE>J(jmQ#r&>aT$vY2pq*;J|X zyo+(^K=mcUb1i3{L+y~Ue%zHYgG|BZl%2fDnxRP{>VngBR3k*hsCOk12lglIT1 zB~r~T?s!B|YmjvtE)2V^0$1EjuH;^Yjrf=wDgRkJ4AAB(Cpfjg9KexSC12of|GwXP zj;GT2Gl)y!a;0AVv(-&u3#C9Ts3b0E9Mfh*dk8ojYx5240?ktR`C8RAL z&Lgu8!p(}@3cQV|jM#Ni54$Zzu_SFr4kXvcZk?pEcLCs93FEya>43~OM!#$zAJ5YO zr4TEb?BJGam=I)od&VCH$*W_0LS7 zLI~;mAtf_qywCgDLR%c#PX?8mDA#9cBF@p}bYvs+!KFN_S1T()gQhkumxH-0y?mB_ zZb`?o{H3mIcu;tkjQO^fMG!R{CpA8Z{SD#BhB_{+P3xwo8qjDNdl6960t}t)AUS<| zhHw{jLagwMH0Yxi3j@7Gst@CV=w7;9!px{p;K$hoONoWZ_J%lKyii*qd9WABW6ANp zv1UVEtUGIwoxrf0_17|0Br8dpf0#lB+@8ULvP-h1395fzV}kHkfyRdcEX>r6G$HeZhp>A-8;j$>>C)0lNbK_EM`^4U1$VK%1{wxB_2mpJHN2yhZ|*X zpXY{Zk36>^^vHqgSZ#?-a5!86KO731HFPn9B+Cg(cs?5<{57-|bRM1~CwDln7-?^b z8mn2do_ku?SOa0eL$uq4M5Ak)o=kn;&=^DN(Fu*i1ssIF2aaA^T?__OyVPwpM!+At zY-q{VLZd`MSzuAuRp%rDD7Bms&!2bMBK2T<0UMi%kaZJ z!9XZJF9{q_vhdsV8K9M4A99#+PEq*pdau{@<)$X>xYEkx6ZJZXuG!^g4i6=4IG+)} zUSWKKX*?L!#$X^dc6awn^JKv?L?%)_F{(x62!2C5U@}U(sZLy117R{mxZ}x33)Pn9 zbn)u0VW;DPwe)^3DN?kSxx-}2*rh})wVwf?Wk!jKbLeQr8K~y7b$8o|1o*tCM~oJ4 z)wvZf>#iVGGS__#4Xv0N9wTY0K(Z&gx)7+r|w?xx27{_Ck8 z{HLpJUU>jT;Yh!O7XZph>0s?e5nHzRHN3Cu;u06y&nGJf*jylUf&KfQy20-YTw&@5 z0)zT^a-dOdgT<@u$E9qw^&BQIoNw90lSpCxg=>`fukv70AL|lRuxE1`XF9Q6>Tqs zmwDAG4$$Pv6lr@&4r_ob;Hsh3u@Go*%QmJJp7+=AW9cJ;yFKHEvaj$e+dFq}nKGO= 
ze{Gdj-V_%b{$D8BxoOdDxoi~Brvep^^tZ_CpYmLk69z>A0I~0WP*q!p5EkfqP5<;; z_J$<)haCjvXvH2<%?Inhjv;Z^U>LqM2?Kt4TV1H}-ULA7fK!GVeM=9n_8iCRix5spk-?wmWCF?gPI8XD^wD+xO9asDS7` zlX+to$+RqKEXuSTQ7n=)O(`rwnZ?I|k7fe+f;(e#wCvgSo$mWJU3E?;I(|t6|8eK1 z;*+%Rxn=P*oy8dZ-&6?n=o_KBdmb&{t~-s}7>gU*7^h;wEsf3?ixsvQbU^*+h#%bp zscUpbYwC;7M7F)+H~)gi@QO!S;9c4$2P8C}hr`?OKNG})1Vt}BW4jDweq`V4jm_wF z*R^jpk%Q4|w^G)iAnBpWP~R(3<7;+KzyCS7_=`3yysi~BW&0}eL0b54)wR7N&2U4s zAwnd8&v;i4<^llm-H*qw53Ct*KL1}Ltlh2!hx6TL&)D$eahmqXrt+(uFahXbHIrVI za(`muquOS-$c?YJ4^Krh!|A#9lj2Xz|K~W6Cp;{{M-;+P73WTckZy>M_Iszc0_N{z z$oUZfx_m|Jv(Z6?^L1$1^*_Nhp&O~ZatW)C9NZ|hd9j<@dIDPgruI^fFy_H*CBP!M z?M4;M^r#lznEwB)a2zSB)HGO!-4nC(1a$`D9YL|0p7AGZ&oLEBh)eDtCXaYs?9yd; z1iR1YiCvP5vvbowu|Uvlzx}Cj4jB`@k>3WKjsGi(i)3V=!g1XnU}z{eEE~qZtz|O= z->`KYj*#;S;<4{kdWHsb`{-7v8+7|R9*bI;@%F~ducs6h6%-Y;wk{OTp0Tq@?$Ka!8SX@(Ai_ zzS?L`kEc4J(*#%O)zZ;{SqJ3_RuN1y0`v^^22x)YS?og1W{K-_8-R#yhdor~)~T8M zd*4EWGb1t{e%mT4k>dFHwdtWZD0GUgwsvA7e3Eup+m1aGN$sBuQj6IK(Jy~a5{Cm8=^;Xq-^Z?*$9XcA4w>Os}V z5d$Bag*NS#V{*W>iA!fxBptR4{38Fxc}@sPvndVBcR@9oCTbF6Qy(=j^{2>RF)V5W z@!YjToX)$ExaPmUg+zbMUnK#>`|&qSvZN`yiMuOj=OfgZq}yq+65HQjCr-Yu-61Av zeI+8(vS}KMFw=z%P=|&S<~7vRu;c2rzn~8yez?BsDy}R0DSvNgWJQwEsLS4=TJTB^ z)p7=)ps3i>JhK*0mJrzD(eY@` z!^jfzJZ>x99U$uA(6_5McJ_htV4+bUwcXafYRh&W!6-I#PCCpi-N8@SX?)G17)KM8 z>3##-8)osGbx9o7dL%EX9JxBmK~HZcAZ0oMWkv}`+Q7|tUtC<_N`PGi z$yn{lw;C#}3;%VRhKB5(9An7Zxw)FEp=$hw8?cwsxR<`L zf5xC@Wx_d3b9yVB2;7v!i%-7=0=_by_=^5p^h-iyOKVRd=U*H7vk6~Xrjy7%CprE0 zb@u$|^`wU&x%H+=iywiK%=p97$Z3vX^eq>%Jak6U4H1>De)OT)C}I|QYSB|5T2Hq+ zcxxk7X)`cCcD8dgb3bxS-8hT=k8UnF z`uCeuffOE`oa1@$HrHru9z%}EzV;&xt`YCw1FsWU8&+OMncHeogT%;TAv?u1 zkADOSamq%8WJM;w&SM#=IVnln;&5-wZ-X1-FaCUFC_bNg4eH~Rn+#=jcIweGA^YI= zzS@As=L&HWO1YH`<{v-W^v=bpc$GquVki6qKza0;B2L{sT7T>rCm%ur6K3?NpY6W* zBa6ls16&jAuQa${vVD-rPEqsDo^9+DbbgsM?HK>@pAqZ zq@^z8>njmgQzvcKJ2nHBMpkW0|u-*40nq?&q}g{xX} z3E?~alJ@i1xVa)gTy65(Nk=ZJxD<3MRdzb2ul<({c&i`9~zMHT;R40ZWyYN5n%-b!hPXA5$A5wj|KRlb6QfOdQfk-?zR( 
z;=!~1HWndKJW>zzQm{P&%t1l{pBq)BRzxZnxlGoHX9p7q!}PxEf*8|$xp5V=Z8yiI z@YGJ(me;tL9DB8eBVv-KNaBX>&J7p6MJD-8ZbzZvKh&fM*gxb+%sMHfis1Bqm?+K* z>0r8*8&7QgkQ0_p(-YkF&%Qn60_6$T<+vIPL;P}Trl=61m#Z$WoLwTrrh!(v{-9gK z6r&hz=8tcMu<9Bv>OpSi(JeY*C=evc|$g1H0!+UF`%_rY0{m}OSN|4zkYoR;jBI!oN>>G*|m?eGXroZ zF4>VJVy*-v+6o|6`89c~X8PL{izAs_Y z7nC{@IV#b=9nli}w~pg4jEpZD{?7EAv_BV^QA*s0IvJS5)z*DWXd0vu1?owD7U5tJ zJjJ8r`Ly`&Qvxy-&V+8wUbbr`IXa-1GHaqszE>um+M{rb{m5w{*eb6i#rJaJ5-AyE zl-vN@-YScl`goeE(f^@3E#KQhGrTC{@Nkea;*I2SY{b_e@1@^qCx9l7{X8f;p;LKR zqo)Se7G3=N-i7epYY;tYhc-3#%HsnMi8A>x=9DOC0OiiIa<3HD@Fp&AUVYj4#}toM zjubRCnEEz)@bf3iUo3WHxfM={T}OI+^7P{{i`kcfhm&+|hjsWqdkw&0@G}S;rf}FB#7ZB5CDT8X5 zxoaHeC^N9awC!m*mq9^(K6UwZhqXFO*5@{>v_|q0!xJjbGS1qYavtr8QZ7}6<#PS? z(Z-p7R$8f)vQF8Je4nyPw&2W^bJaN6;gxgUM+-Tla;>4{IhE{JKh?#^QsdYwCma+M z6p#r+Hw;C&a?f+Z!T(1qg~y>xC@x z>iD}U%B2RaM0kE+(AVr-CZTm*50vytCuUsGs^Vf5T51XV|VacZ{93x`|F_bj&GqNzjXN);TSwJd;n=nnk z(iofC{LeSkbvMv!(^x_E-KLI=z0zL#2XovR zVux4k?zQPZo5tY=@b?$&7>jw3>FNbVgTtZdWC-lmhz)$T#SCpA35c{2g5|-mU)Aoo{`O zh>HG&qjYro24labj^YoPuiFSo?18@V=`vWHVp!={%R=N~^d>+OXg1aIM-oa)zT&h2 z;Im4|y9Lz+y!MM9X>VF+ zhT5ozfAu4;*%G#?nQ(=SKlwdbVLCT7qb`|ML~I z&Vh3E%=OvUZIpQtF+ zw~#xJ_rYSn7kxv!HbXGEXB2)$jt(@_*V#oeLaGink*R`OT^jO#5}!tHvTcrsyDH;z z(4!##5sU7w?SvwTMLtEh3+ScmAgIIa#`@=&jUTkLpV(x1*kNSa@qqPbrh_fuA}1=z z;hvBJ77{zcTIr}kmE5OHr@@EPug1P;CT_wsQ+G+6r1|wX;0em5qDooiX98BYX+m*1 znH*?U16{Eh{FW5C}m;7nOcJ9e2+@R3Dgl@&O^c8 zpW789v(7)#qGWJ(2o(#JejDfIyGpnU+jnc03pfrU@|NCZp*h9yOvGzPUcVIB)BBvy zuUiLSH~o`<0VM^A$=4D8*vmSMs_0x||D4nEw%9*CM& z0=Py-Mo{&JKql!#@qTMX6ok$xd>8iNLE)`(ZlumBq|JerQ~chChAiVlT#+e^(`YFOQ~bA zSU>*yWD!L8p8!yFWOsoVVht&>8e{QrGrOI2I7_l+B3|+xKiTN6!$p~vi8ywkNjoL7966$qY6gfsBc#C0wp8T? 
zLd6lkC7}?n)9ZEI(BGIzdZW|2KI}wo`9twDjn_>y`Cb9$Id%HyF830DC9KP|32QLfA6i5PAqmxj4%0V(ZXizs2{LgQr$=tJ$RaArIX}Fyeb=!d&ael zNU_a5MHJbRlC%;p^Ry_eis1a8{>ZES@=~uoa?{&9M|?J2t{sM*hWB}MKSP_IiQX8o zsRE~0|1qocA`aIgI~>HiqM?K6Hz0iz^$t66X5EBI%D9V~%Oac5?0u|QSfoq7_g-X` zf+|DKANZdp;$hXgB$h6Yx}=m!pSZNiKn@D2%sg3c#`+9i>KG&$tvtKm~okF&5@8HXB@H&)MU0-#x%rV2O(aVyf^7{pihcJp4Q^^ek{>Aif9L>zCUK|&4;s@-W6Jyz^?<>`+sD?R zo#_Ynqac0e(tOdNva+_x~Y6Sl@x}6VZ?BwO%_v!lmrS~TbAa@Y-a;; z{@i*U(-`FhBU{Ab&BjsNj03w|Qq^2RL-uK+s@`&|-twi^rLX34C$x&1nC`9#*A2@I ao9y=EI+io(hutTSrlO!BUnOf9`u_l!2!FBw From 536ac8f54b3cc8682f56a0ade828429284d5beb6 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 27 Sep 2017 21:41:24 -0500 Subject: [PATCH 0131/1208] Update ipsec.conf - Replace obsolete keyword "virtual_private" with "virtual-private" --- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index aebc7ce3d2..773fcc7711 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -219,7 +219,7 @@ cat > /etc/ipsec.conf < /etc/ipsec.conf < Date: Thu, 28 Sep 2017 00:15:08 -0500 Subject: [PATCH 0132/1208] Skip building manpages - Skip building manpages for Libreswan - No longer need/install "xmlto" package - Reduce Libreswan compilation time by ~30% --- extras/vpnupgrade.sh | 3 +-- extras/vpnupgrade_centos.sh | 4 ++-- vpnsetup.sh | 3 +-- vpnsetup_centos.sh | 4 ++-- 4 files changed, 6 insertions(+), 8 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index bb9aaeceee..e3b1137b0b 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -128,7 +128,6 @@ apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \ libcurl4-nss-dev flex bison gcc make \ libunbound-dev libnss3-tools libevent-dev || exiterr2 -apt-get -yq --no-install-recommends install xmlto || exiterr2 # Compile and install Libreswan swan_file="libreswan-$swan_ver.tar.gz" 
@@ -147,7 +146,7 @@ EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 fi -make -s programs && make -s install +make -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index e44887fef0..7030d17323 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -119,7 +119,7 @@ yum -y install epel-release || exiterr2 yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel \ curl-devel flex bison gcc make \ - fipscheck-devel unbound-devel xmlto || exiterr2 + fipscheck-devel unbound-devel || exiterr2 # Install libevent2 and systemd-devel if grep -qs "release 6" /etc/redhat-release; then @@ -143,7 +143,7 @@ cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false EOF -make -s programs && make -s install +make -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." diff --git a/vpnsetup.sh b/vpnsetup.sh index 773fcc7711..bb89b3febb 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -168,7 +168,6 @@ apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \ libcurl4-nss-dev flex bison gcc make \ libunbound-dev libnss3-tools libevent-dev || exiterr2 -apt-get -yq --no-install-recommends install xmlto || exiterr2 apt-get -yq install ppp xl2tpd || exiterr2 bigecho "Installing Fail2Ban to protect SSH..." @@ -194,7 +193,7 @@ EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 fi -make -s programs && make -s install +make -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 2bee99d2aa..e29434156a 100755 --- a/vpnsetup_centos.sh 
+++ b/vpnsetup_centos.sh @@ -157,7 +157,7 @@ bigecho "Installing packages required for the VPN..." yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel \ curl-devel flex bison gcc make \ - fipscheck-devel unbound-devel xmlto || exiterr2 + fipscheck-devel unbound-devel || exiterr2 yum -y install ppp xl2tpd || exiterr2 if grep -qs "release 6" /etc/redhat-release; then @@ -188,7 +188,7 @@ cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false EOF -make -s programs && make -s install +make -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." From 23c4a287d3dc074432d2d6bcf1bcc764efdf2d8d Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 28 Sep 2017 01:02:15 -0500 Subject: [PATCH 0133/1208] Use parallel make - Speed up Libreswan compilation using parallel make ("-j" option) --- extras/vpnupgrade.sh | 4 +++- extras/vpnupgrade_centos.sh | 4 +++- vpnsetup.sh | 4 +++- vpnsetup_centos.sh | 4 +++- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index e3b1137b0b..a79864b333 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -146,7 +146,9 @@ EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 fi -make -s base && make -s install-base +NPROCS="$(grep -c ^processor /proc/cpuinfo)" +[ -z "$NPROCS" ] && NPROCS=1 +make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 7030d17323..1b04fc6944 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh 
@@ -143,7 +143,9 @@ cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false EOF -make -s base && make -s install-base +NPROCS="$(grep -c ^processor /proc/cpuinfo)" +[ -z "$NPROCS" ] && NPROCS=1 +make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." diff --git a/vpnsetup.sh b/vpnsetup.sh index bb89b3febb..ca280da49f 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -193,7 +193,9 @@ EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 fi -make -s base && make -s install-base +NPROCS="$(grep -c ^processor /proc/cpuinfo)" +[ -z "$NPROCS" ] && NPROCS=1 +make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index e29434156a..290ef445f5 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -188,7 +188,9 @@ cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false EOF -make -s base && make -s install-base +NPROCS="$(grep -c ^processor /proc/cpuinfo)" +[ -z "$NPROCS" ] && NPROCS=1 +make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." From 9cd6cb50b7c67c4683fb0eb8da2d7499e8d67b34 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 2 Oct 2017 20:33:24 -0500 Subject: [PATCH 0134/1208] Clean up packages - Remove libunbound-dev / unbound-devel (these packages are not needed because we are not enabling DNSSEC) Ref: https://github.com/libreswan/libreswan/issues/117 --- extras/vpnupgrade.sh | 2 +- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index a79864b333..2351684f68 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -127,7 +127,7 @@ apt-get -yq install wget || exiterr2 apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \ libcurl4-nss-dev flex bison gcc make \ - libunbound-dev libnss3-tools libevent-dev || exiterr2 + libnss3-tools libevent-dev || exiterr2 # Compile and install Libreswan swan_file="libreswan-$swan_ver.tar.gz" diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 1b04fc6944..552bb4f6ab 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -119,7 +119,7 @@ yum -y install epel-release || exiterr2 yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel \ curl-devel flex bison gcc make \ - fipscheck-devel unbound-devel || exiterr2 + fipscheck-devel || exiterr2 # Install libevent2 and systemd-devel if grep -qs "release 6" /etc/redhat-release; then diff --git a/vpnsetup.sh b/vpnsetup.sh index ca280da49f..34f50f731d 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -167,7 +167,7 @@ bigecho "Installing packages required for the VPN..." apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ libcap-ng-dev libcap-ng-utils libselinux1-dev \ libcurl4-nss-dev flex bison gcc make \ - libunbound-dev libnss3-tools libevent-dev || exiterr2 + libnss3-tools libevent-dev || exiterr2 apt-get -yq install ppp xl2tpd || exiterr2 bigecho "Installing Fail2Ban to protect SSH..." diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 290ef445f5..5a6204eb12 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -157,7 +157,7 @@ bigecho "Installing packages required for the VPN..." yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel \ curl-devel flex bison gcc make \ - fipscheck-devel unbound-devel || exiterr2 + fipscheck-devel || exiterr2 yum -y install ppp xl2tpd || exiterr2 if grep -qs "release 6" /etc/redhat-release; then 
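Review bot: in PATCH 0133 (Use parallel make), the fallback `[ -z "$NPROCS" ] && NPROCS=1` that all four scripts add before the `make "-j$((NPROCS+1))"` line only fires when `grep -c ^processor /proc/cpuinfo` prints nothing at all, for example when the file cannot be read, and in that case grep's error message is not suppressed. When the file is readable but has no line starting with "processor", `grep -c` prints 0, so the guard is skipped and the build silently runs with -j1. Using `nproc` or `getconf _NPROCESSORS_ONLN` with a fallback of 1 would avoid parsing /proc/cpuinfo. Separately, the rewritten `make ... -s base && make -s install-base` line still has no `|| exiterr` of its own while the neighbouring apt-get and yum lines use `|| exiterr2`, so a failed parallel build is only caught by the "Verify the install" step that follows; an explicit error exit on the make line would make the failure easier to diagnose.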
From 087306dbf5f6207215e566df7ace5ae150f7bab7 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 2 Oct 2017 21:55:21 -0500 Subject: [PATCH 0135/1208] Update docs --- README-zh.md | 18 ++++++++++-------- README.md | 16 +++++++++------- docs/clients-zh.md | 30 ++++++++++++++++-------------- docs/clients.md | 18 ++++++++++-------- docs/manage-users-zh.md | 18 +++++++++--------- 5 files changed, 54 insertions(+), 46 deletions(-) diff --git a/README-zh.md b/README-zh.md index ab4e44feb5..14eb4d342a 100644 --- a/README-zh.md +++ b/README-zh.md @@ -28,7 +28,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 ## 快速开始 -首先,在你的 Linux 服务器* 上全新安装一个 Ubuntu LTS, Debian 或者 CentOS 系统。 +首先,在你的 Linux 服务器[*](#quick-start-note) 上全新安装一个 Ubuntu LTS, Debian 或者 CentOS 系统。 使用以下命令快速搭建 IPsec VPN 服务器: @@ -42,6 +42,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 如需了解其它安装选项,以及如何配置 VPN 客户端,请继续阅读以下部分。 + \* 一个专用服务器或者虚拟专用服务器 (VPS)。OpenVZ VPS 不受支持。 ## 功能特性 @@ -66,9 +67,9 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh **-或者-** -一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以尝试使用比如 Shadowsocks 或者 OpenVPN。 +一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以另外尝试比如 Shadowsocks 或者 OpenVPN。 -这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, OVHRackspace。 +这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Bluemix, OVHRackspaceDeploy to Azure Install on DigitalOcean Deploy to Linode @@ -124,10 +125,11 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 配置你的计算机或其它设备使用 VPN 。请参见: -配置 IPsec/L2TP VPN 客户端 -配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端 +**配置 IPsec/L2TP VPN 客户端** -如何配置 IKEv2 VPN: Windows 和 Android +**配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端** + +**如何配置 IKEv2 VPN: Windows 和 Android** 如果在连接过程中遇到错误,请参见 故障排除。 
@@ -139,7 +141,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh **Windows 用户** 在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。 -同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。另外,你的服务器必须运行 [Libreswan 3.19 或更新版本](#升级libreswan)。 +同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。 对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 @@ -155,7 +157,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh ## 升级Libreswan -提供两个额外的脚本 vpnupgrade.shvpnupgrade_centos.sh,可用于升级 Libreswan更新日志 | 通知列表)。请在运行前根据需要修改 `swan_ver` 变量。检查已安装版本: `ipsec --version`. +提供两个额外的脚本 vpnupgrade.shvpnupgrade_centos.sh,可用于升级 Libreswan更新日志 | 通知列表)。请在运行前根据需要修改 `swan_ver` 变量。查看已安装版本: `ipsec --version`. ```bash # Ubuntu & Debian diff --git a/README.md b/README.md index b3f43190ee..860c00f409 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ We will use Libreswan as th ## Quick start -First, prepare your Linux server* with a fresh install of Ubuntu LTS, Debian or CentOS. +First, prepare your Linux server[*](#quick-start-note) with a fresh install of Ubuntu LTS, Debian or CentOS. Use this one-liner to set up an IPsec VPN server: @@ -42,6 +42,7 @@ Your VPN login details will be randomly generated, and displayed on the screen w For other installation options and how to set up VPN clients, read the sections below. + \* A dedicated server or virtual private server (VPS). OpenVZ VPS is not supported. ## Features @@ -68,7 +69,7 @@ Please see OpenVPN or Shadowsocks. -This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM SoftLayer, OVH and Rackspace. +This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Bluemix, OVH and Rackspace. Deploy to Azure Install on DigitalOcean Deploy to Linode 
@@ -124,10 +125,11 @@ Follow the same steps as above, but replace `https://git.io/vpnsetup` with `http Get your computer or device to use the VPN. Please refer to: -Configure IPsec/L2TP VPN Clients -Configure IPsec/XAuth ("Cisco IPsec") VPN Clients +**Configure IPsec/L2TP VPN Clients** -How-To: IKEv2 VPN for Windows and Android +**Configure IPsec/XAuth ("Cisco IPsec") VPN Clients** + +**How-To: IKEv2 VPN for Windows and Android** If you get an error when trying to connect, see Troubleshooting. @@ -139,7 +141,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: For **Windows users**, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. Also, your server must run [Libreswan 3.19 or newer](#upgrade-libreswan). +The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. @@ -155,7 +157,7 @@ The scripts will backup existing config files before making changes, with `.old- ## Upgrade Libreswan -The additional scripts vpnupgrade.sh and vpnupgrade_centos.sh can be used to upgrade Libreswan (changelog | announce). Edit the `swan_ver` variable as necessary. Check installed version: `ipsec --version`. +The additional scripts vpnupgrade.sh and vpnupgrade_centos.sh can be used to upgrade Libreswan (changelog | announce). Edit the `swan_ver` variable as necessary. Check which version is installed: `ipsec --version`. ```bash # Ubuntu & Debian 
diff --git a/docs/clients-zh.md b/docs/clients-zh.md index be2d84fc2a..7f7014b19d 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -20,7 +20,7 @@ * [故障排除](#故障排除) * [Windows 错误 809](#windows-错误-809) * [Windows 错误 628](#windows-错误-628) - * [Android 6 and 7](#android-6-and-7) + * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook](#chromebook) * [其它错误](#其它错误) * [额外的步骤](#额外的步骤) @@ -182,10 +182,10 @@ yum -y install strongswan xl2tpd 创建 VPN 变量 (替换为你自己的值): ```bash -VPN_SERVER_IP='your_vpn_server_ip' -VPN_IPSEC_PSK='your_ipsec_pre_shared_key' -VPN_USER='your_vpn_username' -VPN_PASSWORD='your_vpn_password' +VPN_SERVER_IP='你的VPN服务器IP' +VPN_IPSEC_PSK='你的IPsec预共享密钥' +VPN_USER='你的VPN用户名' +VPN_PASSWORD='你的VPN密码' ``` 配置 strongSwan: @@ -316,13 +316,13 @@ ip route 从新的默认路由中排除你的 VPN 服务器 IP (替换为你自己的值): ```bash -route add YOUR_VPN_SERVER_IP gw X.X.X.X +route add 你的VPN服务器IP gw X.X.X.X ``` -如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你本地电脑的公有 IP,以避免 SSH 会话被断开 (替换为你自己的公有 IP,可在 这里 查看): +如果你的 VPN 客户端是一个远程服务器,则必须从新的默认路由中排除你的本地电脑的公有 IP,以避免 SSH 会话被断开 (替换为实际值): ```bash -route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X +route add 你的本地电脑的公有IP gw X.X.X.X ``` 添加一个新的默认路由,并且开始通过 VPN 服务器发送数据: 
@@ -395,13 +395,12 @@ strongswan down myvpn ![Select CHAP in VPN connection properties](images/vpn-properties-zh.png) -### Android 6 and 7 +### Android 6 及以上版本 -如果你无法使用 Android 6 (Marshmallow) 或者 7 (Nougat) 连接: +如果你无法使用 Android 6 或以上版本连接: 1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 -1. **注:** 最新版本的 VPN 脚本已经包含这个更改。 - (适用于 Android 7.1.2 及以上版本) 编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `ike=` 和 `phase2alg=` 两行的末尾添加 `,aes256-sha2_512` 字样。保存修改并运行 `service ipsec restart`。(参见) +1. (适用于 Android 7.1.2 及以上版本) 编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `ike=` 和 `phase2alg=` 两行的末尾添加 `,aes256-sha2_512` 字样。保存修改并运行 `service ipsec restart`。(参见) 注:最新版本的 VPN 脚本已经包含这个更改。 1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`,开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) ![Android VPN workaround](images/vpn-profile-Android.png) @@ -414,9 +413,9 @@ Chromebook 用户: 如果你无法连接,请尝试 from here): +If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value): ```bash route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X 
@@ -394,13 +394,12 @@ To fix this error, please follow these steps: ![Select CHAP in VPN connection properties](images/vpn-properties.png) -### Android 6 and 7 +### Android 6 and above -If you are unable to connect using Android 6 (Marshmallow) or 7 (Nougat): +If you are unable to connect using Android 6 or above: 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. -1. **Note:** The latest version of VPN scripts already includes this change. - (For Android 7.1.2 and newer) Edit `/etc/ipsec.conf` on the VPN server. Append `,aes256-sha2_512` to the end of both `ike=` and `phase2alg=` lines. Save the file and run `service ipsec restart`. (Ref) +1. (For Android 7.1.2 and newer) Edit `/etc/ipsec.conf` on the VPN server. Append `,aes256-sha2_512` to the end of both `ike=` and `phase2alg=` lines. Save the file and run `service ipsec restart`. (Ref) Note that the latest version of VPN scripts already includes this change. 1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`, indented with two spaces. Save the file and run `service ipsec restart`. (Ref) ![Android VPN workaround](images/vpn-profile-Android.png) @@ -413,9 +412,9 @@ Chromebook users: If you are unable to connect, try Date: Thu, 26 Oct 2017 01:30:37 -0500 Subject: [PATCH 0136/1208] Workaround for Netplan - Newer Ubuntu versions use netplan instead of ifupdown by default for network configuration - Scripts in /etc/network/if-pre-up.d/ does not work under netplan - Add workaround in /etc/rc.local for the above --- vpnsetup.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/vpnsetup.sh b/vpnsetup.sh index 34f50f731d..3c3494b11a 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -435,6 +435,7 @@ cat >> /etc/rc.local <<'EOF' (sleep 15 service ipsec restart service xl2tpd restart +[ -f "/usr/sbin/netplan" ] && iptables-restore < /etc/iptables.rules echo 1 > /proc/sys/net/ipv4/ip_forward)& exit 0 EOF From 47e1c9205166099beacfcbeda5fa52ebc07490aa Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 26 Oct 2017 01:37:35 -0500 Subject: [PATCH 0137/1208] Clean up ipsec.conf - Remove unneeded option nhelpers=0 --- vpnsetup.sh | 1 - vpnsetup_centos.sh | 1 - 2 files changed, 2 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 3c3494b11a..ce468cbcac 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -222,7 +222,6 @@ version 2.0 config setup virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET protostack=netkey - nhelpers=0 interfaces=%defaultroute uniqueids=no diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 5a6204eb12..0f7c115195 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -217,7 +217,6 @@ version 2.0 config setup virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET protostack=netkey - nhelpers=0 interfaces=%defaultroute uniqueids=no From ef90b6ff1976eb1c5dd0eb74d1fe94b7c4c0ab68 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 26 Oct 2017 01:42:50 -0500 Subject: [PATCH 0138/1208] Upgrade Libreswan to 3.22 --- extras/vpnupgrade.sh | 2 +- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 2351684f68..712eaf5760 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.21 +swan_ver=3.22 ### DO NOT edit below this line ### diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 552bb4f6ab..dfe2f10067 100644 --- a/extras/vpnupgrade_centos.sh 
+++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.21 +swan_ver=3.22 ### DO NOT edit below this line ### diff --git a/vpnsetup.sh b/vpnsetup.sh index ce468cbcac..3c39bef395 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -176,7 +176,7 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -swan_ver=3.21 +swan_ver=3.22 swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 0f7c115195..bfa11a409b 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -174,7 +174,7 @@ yum -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -swan_ver=3.21 +swan_ver=3.22 swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" From 1488ac0ce88c6f938604b59ba8669e90c7bda006 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 27 Oct 2017 00:14:38 -0500 Subject: [PATCH 0139/1208] Workaround for Raspberry Pi - Libreswan version 3.22 does not start on Raspberry Pi - Install version 3.21 on these systems as a workaround --- extras/vpnupgrade.sh | 20 ++++++++++++++++++++ vpnsetup.sh | 3 +++ 2 files changed, 23 insertions(+) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 712eaf5760..29089b2b46 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -49,6 +49,26 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi +if [ "$swan_ver" = "3.22" ]; then + if grep -qs raspbian /etc/os-release; then + echo "Note: For Raspberry Pi systems, this script will install Libreswan" + echo "version 3.21 instead of 3.22, to avoid some recent bugs." + echo + printf "Do you wish to continue? [y/N] " + read -r response + case $response in + [yY][eE][sS]|[yY]) + echo + swan_ver=3.21 + ;; + *) + echo "Aborting." + exit 1 + ;; + esac + fi +fi + if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then echo "You already have Libreswan version $swan_ver installed! " echo "If you continue, the same version will be re-installed." diff --git a/vpnsetup.sh b/vpnsetup.sh index 3c39bef395..d61db8562d 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -177,6 +177,9 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." swan_ver=3.22 +if grep -qs raspbian /etc/os-release; then + swan_ver=3.21 +fi swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" From e316c8cdf81440fbd29342677d6ba7fc09cc9661 Mon Sep 17 00:00:00 2001 From: Any <406088125@qq.com> Date: Fri, 27 Oct 2017 13:35:51 +0800 Subject: [PATCH 0140/1208] Troubleshooting error 728 (#250) * Update docs --- docs/clients-zh.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 7f7014b19d..0d241ef9a4 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -18,7 +18,7 @@ * [Windows Phone](#windows-phone) * [Linux](#linux) * [故障排除](#故障排除) - * [Windows 错误 809](#windows-错误-809) + * [Windows 错误 809 和 728](#windows-错误-809-和-728) * [Windows 错误 628](#windows-错误-628) * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook](#chromebook) 
@@ -362,7 +362,7 @@ strongswan down myvpn *其他语言版本: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* -### Windows 错误 809 +### Windows 错误 809 和 728 > 无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。 @@ -378,6 +378,11 @@ strongswan down myvpn REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f ``` +- 某些 Windows 系统默认禁用了 IPSec 加密, 此时也会导致连接失败. 可通过该命令启用 IPSec + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f + ``` + ### Windows 错误 628 > 在连接完成前,连接被远程计算机终止。 From 68a6375399f947bb391ff8ccfe56751950b1e04b Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 27 Oct 2017 01:02:03 -0500 Subject: [PATCH 0141/1208] Update docs --- docs/clients-zh.md | 13 +++++++------ docs/clients.md | 6 ++++++ 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 0d241ef9a4..f478aa4ed8 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -18,7 +18,7 @@ * [Windows Phone](#windows-phone) * [Linux](#linux) * [故障排除](#故障排除) - * [Windows 错误 809 和 728](#windows-错误-809-和-728) + * [Windows 错误 809](#windows-错误-809) * [Windows 错误 628](#windows-错误-628) * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook](#chromebook) @@ -362,7 +362,7 @@ strongswan down myvpn *其他语言版本: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* -### Windows 错误 809 和 728 +### Windows 错误 809 > 无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。 
@@ -378,10 +378,11 @@ strongswan down myvpn REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f ``` -- 某些 Windows 系统默认禁用了 IPSec 加密, 此时也会导致连接失败. 可通过该命令启用 IPSec - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f - ``` +另外,某些个别的 Windows 系统禁用了 IPsec 加密,此时也会导致连接失败。要重新启用它,可以运行以下命令并重启计算机。 + +```console +REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f +``` ### Windows 错误 628 diff --git a/docs/clients.md b/docs/clients.md index cae2c39769..b3ac7e93d5 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -377,6 +377,12 @@ To fix this error, a > /etc/sysctl.conf <> /etc/sysctl.conf < Date: Sat, 28 Oct 2017 17:06:35 -0500 Subject: [PATCH 0143/1208] Update docs - Add a note on using L2TP kernel support --- README-zh.md | 2 ++ README.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/README-zh.md b/README-zh.md index 14eb4d342a..aa33857cf2 100644 --- a/README-zh.md +++ b/README-zh.md @@ -149,6 +149,8 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 +使用 L2TP 内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 16.04, Debian 9, CentOS 7 和 6。 Ubuntu 16.04 用户需要安装 `` linux-image-extra-`uname -r` `` 软件包并且重启 `xl2tpd` 服务。 + 如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 在使用 `IPsec/L2TP` 连接时,VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`。 diff --git a/README.md b/README.md index 860c00f409..fb7c7e500e 100644 --- a/README.md +++ b/README.md 
@@ -149,6 +149,8 @@ If you wish to add, edit or remove VPN user accounts, see Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. +Using L2TP kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 16.04, Debian 9, CentOS 7 and 6. Ubuntu 16.04 users should install the `` linux-image-extra-`uname -r` `` package and restart the `xl2tpd` service. + To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server. When connecting via `IPsec/L2TP`, the VPN server has IP `192.168.42.1` within the VPN subnet `192.168.42.0/24`. From 16e437f58ed2448222e21561b70ec039ff91bd6c Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 29 Oct 2017 19:53:35 -0500 Subject: [PATCH 0144/1208] Minor clean up - Wrap the scripts in a big function which is only called at the very end, to protect against the possibility of connection interruptions - Clean up some variables names --- .travis.yml | 2 +- extras/vpnupgrade.sh | 7 +++++ extras/vpnupgrade_centos.sh | 7 +++++ vpnsetup.sh | 58 ++++++++++++++++++++----------------- vpnsetup_centos.sh | 58 ++++++++++++++++++++----------------- 5 files changed, 79 insertions(+), 53 deletions(-) diff --git a/.travis.yml b/.travis.yml index 3eb710a651..e4b796177d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -11,7 +11,7 @@ addons: - shellcheck script: - - export SHELLCHECK_OPTS="-e SC1091" + - export SHELLCHECK_OPTS="-e SC1091,SC1117" - shellcheck *.sh extras/*.sh - sudo sed -i "/debian unstable/d" /etc/apt/sources.list - sudo VPN_IPSEC_PSK='vpn_psk' diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 29089b2b46..65644b088c 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -20,6 +20,8 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } +vpnupgrade() { + os_type="$(lsb_release -si 2>/dev/null)" if [ -z "$os_type" ]; then [ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")" @@ -193,4 +195,9 @@ echo echo "Libreswan $swan_ver was installed successfully! " echo +} + +## Defer setup until we have the complete script +vpnupgrade "$@" + exit 0 diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index dfe2f10067..f4f607a609 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -20,6 +20,8 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } +vpnupgrade() { + if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then exiterr "This script only supports CentOS/RHEL 6 and 7." fi @@ -175,4 +177,9 @@ echo echo "Libreswan $swan_ver was installed successfully! " echo +} + +## Defer setup until we have the complete script +vpnupgrade "$@" + exit 0 diff --git a/vpnsetup.sh b/vpnsetup.sh index c6335beaa1..13d04b7571 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -34,18 +34,19 @@ YOUR_PASSWORD='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } -conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } +conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null; } bigecho() { echo; echo "## $1"; echo; } check_ip() { - IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" + IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" } +vpnsetup() { + os_type="$(lsb_release -si 2>/dev/null)" if [ -z "$os_type" ]; then [ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")" 
@@ -69,31 +70,31 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -NET_IFACE=${VPN_NET_IFACE:-'eth0'} -DEF_IFACE="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" -[ -z "$DEF_IFACE" ] && DEF_IFACE="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" +net_iface=${VPN_NET_IFACE:-'eth0'} +def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" +[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" -if_state1=$(cat "/sys/class/net/$DEF_IFACE/operstate" 2>/dev/null) -if [ -z "$VPN_NET_IFACE" ] && [ -n "$if_state1" ] && [ "$if_state1" != "down" ]; then +def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) +if [ -z "$VPN_NET_IFACE" ] && [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then if ! grep -qs raspbian /etc/os-release; then - case "$DEF_IFACE" in + case "$def_iface" in wl*) cat 1>&2 <> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! << If you are certain that this script is running on a server, re-run it with: - sudo VPN_NET_IFACE="$DEF_IFACE" sh "$0" + sudo VPN_NET_IFACE="$def_iface" sh "$0" EOF exit 1 ;; esac fi - NET_IFACE="$DEF_IFACE" + net_iface="$def_iface" fi -if_state2=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null) -if [ -z "$if_state2" ] || [ "$if_state2" = "down" ] || [ "$NET_IFACE" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2 +net_iface_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) +if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface" = "lo" ]; then + printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 </dev/null \ - || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then + || ! 
iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then ipt_flag=1 fi # Add IPTables rules for VPN if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 - iptables-save > "$IPT_FILE.old-$SYS_DT" + iptables-save > "$IPT_FILE.old-$(date +%Y-%m-%d-%H:%M:%S)" iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
@@ -391,17 +392,17 @@ if [ "$ipt_flag" = "1" ]; then iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT iptables -I INPUT 6 -p udp --dport 1701 -j DROP iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP - iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT + iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT - iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT + iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT # Uncomment if you wish to disallow traffic between VPN clients themselves # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP iptables -A FORWARD -j DROP - iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE - iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" iptables-save >> "$IPT_FILE" @@ -484,4 +485,9 @@ Setup VPN clients: https://git.io/vpnclients EOF +} + +## Defer setup until we have the complete script +vpnsetup "$@" + exit 0 diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 43b4f920bb..bc8405d27d 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -34,18 +34,19 @@ YOUR_PASSWORD='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -SYS_DT="$(date +%Y-%m-%d-%H:%M:%S)"; export SYS_DT exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } -conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } +conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null; } bigecho() { echo; echo "## $1"; echo; } check_ip() { - IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$" + IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" } +vpnsetup() { + if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then exiterr "This script only supports CentOS/RHEL 6 and 7." fi 
@@ -60,31 +61,31 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -NET_IFACE=${VPN_NET_IFACE:-'eth0'} -DEF_IFACE="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" -[ -z "$DEF_IFACE" ] && DEF_IFACE="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" +net_iface=${VPN_NET_IFACE:-'eth0'} +def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" +[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" -if_state1=$(cat "/sys/class/net/$DEF_IFACE/operstate" 2>/dev/null) -if [ -z "$VPN_NET_IFACE" ] && [ -n "$if_state1" ] && [ "$if_state1" != "down" ]; then +def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) +if [ -z "$VPN_NET_IFACE" ] && [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then if ! grep -qs raspbian /etc/os-release; then - case "$DEF_IFACE" in + case "$def_iface" in wl*) cat 1>&2 <> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! << If you are certain that this script is running on a server, re-run it with: - sudo VPN_NET_IFACE="$DEF_IFACE" sh "$0" + sudo VPN_NET_IFACE="$def_iface" sh "$0" EOF exit 1 ;; esac fi - NET_IFACE="$DEF_IFACE" + net_iface="$def_iface" fi -if_state2=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null) -if [ -z "$if_state2" ] || [ "$if_state2" = "down" ] || [ "$NET_IFACE" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2 +net_iface_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) +if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface" = "lo" ]; then + printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 </dev/null \ - || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then + || ! 
iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then ipt_flag=1 fi # Add IPTables rules for VPN if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 - iptables-save > "$IPT_FILE.old-$SYS_DT" + iptables-save > "$IPT_FILE.old-$(date +%Y-%m-%d-%H:%M:%S)" iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
@@ -377,17 +378,17 @@ if [ "$ipt_flag" = "1" ]; then iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT iptables -I INPUT 6 -p udp --dport 1701 -j DROP iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP - iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT + iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT - iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT + iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT # Uncomment if you wish to disallow traffic between VPN clients themselves # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP iptables -A FORWARD -j DROP - iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE - iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" iptables-save >> "$IPT_FILE" fi @@ -484,4 +485,9 @@ Setup VPN clients: https://git.io/vpnclients EOF +} + +## Defer setup until we have the complete script +vpnsetup "$@" + exit 0 From b7a4bed866ac70efc617789460edd340aef73114 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Mon, 30 Oct 2017 01:56:00 -0500 Subject: [PATCH 0145/1208] Improve startup - Ubuntu 16.04 (and newer) may run apt tasks automatically on boot - If used as a startup script, apt-get commands could fail due to this - Wait for apt/dpkg lock (up to 60s) as a workaround - Ref: #252 --- vpnsetup.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/vpnsetup.sh b/vpnsetup.sh index 13d04b7571..90f21e43a8 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -138,6 +138,14 @@ cd /opt/src || exiterr "Cannot enter /opt/src." bigecho "Populating apt-get cache..." +count=0 +while fuser /var/lib/apt/lists/lock /var/lib/dpkg/lock >/dev/null 2>&1; do + [ "$count" -ge "20" ] && exiterr "Cannot get apt/dpkg lock." + count=$((count+1)) + printf %s . + sleep 3 +done + export DEBIAN_FRONTEND=noninteractive apt-get -yq update || exiterr "'apt-get update' failed." From 70c6d6b5401e8955b5322cbd4b4e42c3b5ace0e7 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 1 Nov 2017 01:01:49 -0500 Subject: [PATCH 0146/1208] Various clean up --- README-zh.md | 2 +- README.md | 4 +- docs/manage-users.md | 2 +- extras/vpnupgrade.sh | 52 +++++++++++------------ extras/vpnupgrade_centos.sh | 40 +++++++++--------- vpnsetup.sh | 82 ++++++++++++++++--------------------- vpnsetup_centos.sh | 72 +++++++++++++------------------- 7 files changed, 114 insertions(+), 140 deletions(-) diff --git a/README-zh.md b/README-zh.md index aa33857cf2..1bd9c0828e 100644 --- a/README-zh.md +++ b/README-zh.md @@ -159,7 +159,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh ## 升级Libreswan -提供两个额外的脚本 vpnupgrade.shvpnupgrade_centos.sh,可用于升级 Libreswan更新日志 | 通知列表)。请在运行前根据需要修改 `swan_ver` 变量。查看已安装版本: `ipsec --version`. +提供两个额外的脚本 vpnupgrade.shvpnupgrade_centos.sh,可用于升级 Libreswan更新日志 | 通知列表)。请在运行前根据需要修改 `SWAN_VER` 变量。查看已安装版本: `ipsec --version`. ```bash # Ubuntu & Debian diff --git a/README.md b/README.md index fb7c7e500e..37eecffff0 100644 --- a/README.md +++ b/README.md 
@@ -106,7 +106,7 @@ sudo sh vpnsetup.sh ```bash # All values MUST be placed inside 'single quotes' -# DO NOT use these characters within values: \ " ' +# DO NOT use these special characters within values: \ " ' wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \ VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ VPN_USER='your_vpn_username' \ @@ -159,7 +159,7 @@ The scripts will backup existing config files before making changes, with `.old- ## Upgrade Libreswan -The additional scripts vpnupgrade.sh and vpnupgrade_centos.sh can be used to upgrade Libreswan (changelog | announce). Edit the `swan_ver` variable as necessary. Check which version is installed: `ipsec --version`. +The additional scripts vpnupgrade.sh and vpnupgrade_centos.sh can be used to upgrade Libreswan (changelog | announce). Edit the `SWAN_VER` variable as necessary. Check which version is installed: `ipsec --version`. ```bash # Ubuntu & Debian diff --git a/docs/manage-users.md b/docs/manage-users.md index cfd7bf4519..c14dc53a1a 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md @@ -18,7 +18,7 @@ For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format ... ... ``` -You can add more users, use one line for each user. DO NOT use these characters within values: `\ " '` +You can add more users, use one line for each user. DO NOT use these special characters within values: `\ " '` For `IPsec/XAuth ("Cisco IPsec")`, VPN users are specified in `/etc/ipsec.d/passwd`. The format of this file is: diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 65644b088c..1a4616d315 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -11,14 +11,14 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.22 +SWAN_VER=3.22 ### DO NOT edit below this line ### export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" exiterr() { echo "Error: $1" >&2; exit 1; } -exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } +exiterr2() { exiterr "'apt-get install' failed."; } vpnupgrade() { @@ -27,31 +27,31 @@ if [ -z "$os_type" ]; then [ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")" [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")" fi -if ! printf %s "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then - exiterr "This script only supports Ubuntu/Debian." +if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then + exiterr "This script only supports Ubuntu and Debian." fi if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then - exiterr "This script does not support Debian 7 (Wheezy)." + exiterr "Debian 7 is not supported." fi if [ -f /proc/user_beancounters ]; then - exiterr "This script does not support OpenVZ VPS." + exiterr "OpenVZ VPS is not supported." fi if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -if [ -z "$swan_ver" ]; then - exiterr "Libreswan version 'swan_ver' not specified." +if [ -z "$SWAN_VER" ]; then + exiterr "Libreswan version 'SWAN_VER' not specified." fi if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if [ "$swan_ver" = "3.22" ]; then +if [ "$SWAN_VER" = "3.22" ]; then if grep -qs raspbian /etc/os-release; then echo "Note: For Raspberry Pi systems, this script will install Libreswan" echo "version 3.21 instead of 3.22, to avoid some recent bugs." 
@@ -61,7 +61,7 @@ if [ "$swan_ver" = "3.22" ]; then case $response in [yY][eE][sS]|[yY]) echo - swan_ver=3.21 + SWAN_VER=3.21 ;; *) echo "Aborting." @@ -71,8 +71,8 @@ if [ "$swan_ver" = "3.22" ]; then fi fi -if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then - echo "You already have Libreswan version $swan_ver installed! " +if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then + echo "You already have Libreswan version $SWAN_VER installed! " echo "If you continue, the same version will be re-installed." echo printf "Do you wish to continue anyway? [y/N] " @@ -91,7 +91,7 @@ fi clear cat < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false @@ -174,15 +174,15 @@ make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." -/bin/rm -rf "/opt/src/libreswan-$swan_ver" -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then - exiterr "Libreswan $swan_ver failed to build." +/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then + exiterr "Libreswan $SWAN_VER failed to build." fi # Update ipsec.conf for Libreswan 3.19 and newer IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" -sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ +sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \ @@ -192,7 +192,7 @@ sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ service ipsec restart echo -echo "Libreswan $swan_ver was installed successfully! " +echo "Libreswan $SWAN_VER was installed successfully! " echo } diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index f4f607a609..f7337ff007 100644 
--- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,14 +11,14 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.22 +SWAN_VER=3.22 ### DO NOT edit below this line ### export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" exiterr() { echo "Error: $1" >&2; exit 1; } -exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } +exiterr2() { exiterr "'yum install' failed."; } vpnupgrade() { @@ -27,23 +27,23 @@ if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then fi if [ -f /proc/user_beancounters ]; then - exiterr "This script does not support OpenVZ VPS." + exiterr "OpenVZ VPS is not supported." fi if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -if [ -z "$swan_ver" ]; then - exiterr "Libreswan version 'swan_ver' not specified." +if [ -z "$SWAN_VER" ]; then + exiterr "Libreswan version 'SWAN_VER' not specified." fi if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then - echo "You already have Libreswan version $swan_ver installed! " +if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then + echo "You already have Libreswan version $SWAN_VER installed! " echo "If you continue, the same version will be re-installed." echo printf "Do you wish to continue anyway? [y/N] " @@ -62,7 +62,7 @@ fi clear cat < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false 
@@ -151,9 +149,9 @@ make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." -/bin/rm -rf "/opt/src/libreswan-$swan_ver" -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then - exiterr "Libreswan $swan_ver failed to build." +/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then + exiterr "Libreswan $SWAN_VER failed to build." fi # Restore SELinux contexts @@ -164,7 +162,7 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null # Update ipsec.conf for Libreswan 3.19 and newer IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" -sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ +sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \ @@ -174,7 +172,7 @@ sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ service ipsec restart echo -echo "Libreswan $swan_ver was installed successfully! " +echo "Libreswan $SWAN_VER was installed successfully! " echo } diff --git a/vpnsetup.sh b/vpnsetup.sh index 90f21e43a8..b76df8a4ed 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -22,7 +22,7 @@ # Define your own values for these variables # - IPsec pre-shared key, VPN username and password # - All values MUST be placed inside 'single quotes' -# - DO NOT use these characters within values: \ " ' +# - DO NOT use these special characters within values: \ " ' YOUR_IPSEC_PSK='' YOUR_USERNAME='' 
@@ -36,13 +36,13 @@ YOUR_PASSWORD='' export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" exiterr() { echo "Error: $1" >&2; exit 1; } -exiterr2() { echo "Error: 'apt-get install' failed." >&2; exit 1; } -conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null; } +exiterr2() { exiterr "'apt-get install' failed."; } +conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%F-%T)" 2>/dev/null; } bigecho() { echo; echo "## $1"; echo; } check_ip() { IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' - printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" + printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" } vpnsetup() { @@ -52,18 +52,16 @@ if [ -z "$os_type" ]; then [ -f /etc/os-release ] && os_type="$(. /etc/os-release && echo "$ID")" [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && echo "$DISTRIB_ID")" fi -if ! printf %s "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then - exiterr "This script only supports Ubuntu/Debian." +if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then + exiterr "This script only supports Ubuntu and Debian." fi if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then - exiterr "This script does not support Debian 7 (Wheezy)." + exiterr "Debian 7 is not supported." fi if [ -f /proc/user_beancounters ]; then - echo "Error: This script does not support OpenVZ VPS." >&2 - echo "Try OpenVPN: https://github.com/Nyr/openvpn-install" >&2 - exit 1 + exiterr "OpenVZ VPS is not supported. Try OpenVPN: github.com/Nyr/openvpn-install" fi if [ "$(id -u)" != 0 ]; then 
@@ -75,17 +73,11 @@ def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) -if [ -z "$VPN_NET_IFACE" ] && [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then +if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then if ! grep -qs raspbian /etc/os-release; then case "$def_iface" in wl*) -cat 1>&2 <> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! << -If you are certain that this script is running on a server, re-run it with: - sudo VPN_NET_IFACE="$def_iface" sh "$0" -EOF - exit 1 + exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" ;; esac fi @@ -97,9 +89,8 @@ if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 </dev/null 2>&1; do [ "$count" -ge "20" ] && exiterr "Cannot get apt/dpkg lock." count=$((count+1)) - printf %s . + printf '%s' '.' sleep 3 done @@ -151,14 +143,14 @@ apt-get -yq update || exiterr "'apt-get update' failed." bigecho "Installing packages required for setup..." -apt-get -yq install wget dnsutils openssl || exiterr2 -apt-get -yq install iproute gawk grep sed net-tools || exiterr2 +apt-get -yq install wget dnsutils openssl \ + iproute gawk grep sed net-tools || exiterr2 bigecho "Trying to auto discover IP of this server..." cat <<'EOF' In case the script hangs here for more than a few minutes, -use Ctrl-C to interrupt. Then edit it and manually enter IP. +press Ctrl-C to abort. Then edit it and manually enter IP. EOF # In case auto IP discovery fails, enter server's public IP here. 
@@ -169,15 +161,14 @@ PUBLIC_IP=${VPN_PUBLIC_IP:-''} # Check IP for correct format check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) -check_ip "$PUBLIC_IP" || exiterr "Cannot find valid public IP. Edit the script and manually enter it." +check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it." bigecho "Installing packages required for the VPN..." -apt-get -yq install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \ - libcap-ng-dev libcap-ng-utils libselinux1-dev \ - libcurl4-nss-dev flex bison gcc make \ - libnss3-tools libevent-dev || exiterr2 -apt-get -yq install ppp xl2tpd || exiterr2 +apt-get -yq install libnss3-dev libnspr4-dev pkg-config \ + libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \ + libcurl4-nss-dev flex bison gcc make libnss3-tools \ + libevent-dev ppp xl2tpd || exiterr2 bigecho "Installing Fail2Ban to protect SSH..." 
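Review bot: in the `@@ -169,15 +161,14 @@` hunk of vpnsetup.sh, the line just above the reworded error still fetches the address with `wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com`, over plain HTTP, and `check_ip` only validates the format of what comes back. Since this block is being touched anyway, switch the lookup to `https://` so that a well-formed but substituted reply from the network path is not accepted as the server's public IP.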
@@ -185,19 +176,20 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -swan_ver=3.22 -if grep -qs raspbian /etc/os-release; then - swan_ver=3.21 +if ! grep -qs raspbian /etc/os-release; then + SWAN_VER=3.22 +else + SWAN_VER=3.21 fi -swan_file="libreswan-$swan_ver.tar.gz" -swan_url1="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" +swan_file="libreswan-$SWAN_VER.tar.gz" +swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then exiterr "Cannot download Libreswan source." fi -/bin/rm -rf "/opt/src/libreswan-$swan_ver" +/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" -cd "libreswan-$swan_ver" || exiterr "Cannot enter Libreswan source dir." +cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false @@ -211,9 +203,9 @@ make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." -/bin/rm -rf "/opt/src/libreswan-$swan_ver" -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then - exiterr "Libreswan $swan_ver failed to build." +/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then + exiterr "Libreswan $SWAN_VER failed to build." fi bigecho "Creating VPN configuration..." 
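Review bot: in the `@@ -185,19 +176,20 @@` hunk of vpnsetup.sh, the tarball fetched by `wget ... -O "$swan_file"` goes straight to `tar xzf` and then to `make` with no integrity check, and the only later verification is `ipsec --version | grep -qF "$SWAN_VER"`, which confirms the version string, not the source. With the version now held in a single `SWAN_VER` variable, pin a SHA-256 next to it and compare with `sha256sum -c` before extracting, failing through `exiterr` on a mismatch. The two download URLs may serve different archives, so the pin may need one hash per URL.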
@@ -329,8 +321,6 @@ EOF # Create VPN credentials conf_bk "/etc/ppp/chap-secrets" cat > /etc/ppp/chap-secrets </dev/null 2>&1 - iptables-save > "$IPT_FILE.old-$(date +%Y-%m-%d-%H:%M:%S)" + iptables-save > "$IPT_FILE.old-$(date +%F-%T)" iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index bc8405d27d..1827d07865 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -22,7 +22,7 @@ # Define your own values for these variables # - IPsec pre-shared key, VPN username and password # - All values MUST be placed inside 'single quotes' -# - DO NOT use these characters within values: \ " ' +# - DO NOT use these special characters within values: \ " ' YOUR_IPSEC_PSK='' YOUR_USERNAME='' @@ -36,13 +36,13 @@ YOUR_PASSWORD='' export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" exiterr() { echo "Error: $1" >&2; exit 1; } -exiterr2() { echo "Error: 'yum install' failed." >&2; exit 1; } -conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null; } +exiterr2() { exiterr "'yum install' failed."; } +conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%F-%T)" 2>/dev/null; } bigecho() { echo; echo "## $1"; echo; } check_ip() { IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' - printf %s "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" + printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" } vpnsetup() { @@ -52,9 +52,7 @@ if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then fi if [ -f /proc/user_beancounters ]; then - echo "Error: This script does not support OpenVZ VPS." >&2 - echo "Try OpenVPN: https://github.com/Nyr/openvpn-install" >&2 - exit 1 + exiterr "OpenVZ VPS is not supported. Try OpenVPN: github.com/Nyr/openvpn-install" fi if [ "$(id -u)" != 0 ]; then 
@@ -66,17 +64,11 @@ def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) -if [ -z "$VPN_NET_IFACE" ] && [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then +if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then if ! grep -qs raspbian /etc/os-release; then case "$def_iface" in wl*) -cat 1>&2 <> DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! << -If you are certain that this script is running on a server, re-run it with: - sudo VPN_NET_IFACE="$def_iface" sh "$0" -EOF - exit 1 + exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" ;; esac fi @@ -88,9 +80,8 @@ if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false @@ -195,9 +184,9 @@ make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up cd /opt/src || exiterr "Cannot enter /opt/src." -/bin/rm -rf "/opt/src/libreswan-$swan_ver" -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then - exiterr "Libreswan $swan_ver failed to build." +/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" +if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then + exiterr "Libreswan $SWAN_VER failed to build." fi bigecho "Creating VPN configuration..." 
@@ -307,8 +296,6 @@ EOF # Create VPN credentials conf_bk "/etc/ppp/chap-secrets" cat > /etc/ppp/chap-secrets </dev/null 2>&1 - iptables-save > "$IPT_FILE.old-$(date +%Y-%m-%d-%H:%M:%S)" + iptables-save > "$IPT_FILE.old-$(date +%F-%T)" iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT @@ -448,8 +435,7 @@ chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* # Apply new IPTables rules iptables-restore < "$IPT_FILE" -# Fix xl2tpd on CentOS 7 for providers such as Linode, -# where kernel module "l2tp_ppp" is unavailable +# Fix xl2tpd on CentOS 7, if kernel module "l2tp_ppp" is unavailable if grep -qs "release 7" /etc/redhat-release; then if ! modprobe -q l2tp_ppp; then sed -i '/ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service From 7190577c9999b21c8f0154c9aac4a77345e2f973 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 1 Nov 2017 22:15:56 -0500 Subject: [PATCH 0147/1208] Minor clean up --- vpnsetup.sh | 5 +++-- vpnsetup_centos.sh | 7 ++++--- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index b76df8a4ed..a4eedb852d 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -34,10 +34,11 @@ YOUR_PASSWORD='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT="$(date +%F-%T)" exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { exiterr "'apt-get install' failed."; } -conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%F-%T)" 2>/dev/null; } +conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } bigecho() { echo; echo "## $1"; echo; } check_ip() { 
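Review bot: in the `@@ -34,10 +34,11 @@` hunk of vpnsetup.sh (PATCH 0147), `SYS_DT` is evaluated once at startup, so every `conf_bk` call in a run now writes to the same `.old-$SYS_DT` suffix. Because `conf_bk` uses `/bin/cp -f` and discards errors with `2>/dev/null`, a second call on the same path would silently replace the first backup with the already modified file. Add a short comment next to `SYS_DT` stating that each file is backed up at most once per run, or make `conf_bk` skip the copy when the target already exists.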
@@ -382,7 +383,7 @@ fi # Add IPTables rules for VPN if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 - iptables-save > "$IPT_FILE.old-$(date +%F-%T)" + iptables-save > "$IPT_FILE.old-$SYS_DT" iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 1827d07865..8cb84015d0 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -34,10 +34,11 @@ YOUR_PASSWORD='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT="$(date +%F-%T)" exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { exiterr "'yum install' failed."; } -conf_bk() { /bin/cp -f "$1" "$1.old-$(date +%F-%T)" 2>/dev/null; } +conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } bigecho() { echo; echo "## $1"; echo; } check_ip() { @@ -357,7 +358,7 @@ fi # Add IPTables rules for VPN if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 - iptables-save > "$IPT_FILE.old-$(date +%F-%T)" + iptables-save > "$IPT_FILE.old-$SYS_DT" iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT @@ -438,7 +439,7 @@ iptables-restore < "$IPT_FILE" # Fix xl2tpd on CentOS 7, if kernel module "l2tp_ppp" is unavailable if grep -qs "release 7" /etc/redhat-release; then if ! modprobe -q l2tp_ppp; then - sed -i '/ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service + sed -i '/^ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service systemctl daemon-reload fi fi From 2dfa587a7193d265bbdb86360ab8951521d25572 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Sun, 12 Nov 2017 23:51:53 -0600 Subject: [PATCH 0148/1208] Fix Libreswan 3.22 bug - This bug causes Libreswan 3.22 fail to start on a Raspberry Pi - Apply fix from Libreswan GitHub repo: libreswan/libreswan@e154ae7 - Ref: https://lists.libreswan.org/pipermail/swan/2017/002338.html --- extras/vpnupgrade.sh | 1 + extras/vpnupgrade_centos.sh | 1 + vpnsetup.sh | 1 + vpnsetup_centos.sh | 1 + 4 files changed, 4 insertions(+) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 1a4616d315..88f0d0e6f1 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -161,6 +161,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." +sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index f7337ff007..ee2ad84a53 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -139,6 +139,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." +sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/vpnsetup.sh b/vpnsetup.sh index a4eedb852d..30cd001882 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -191,6 +191,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." +sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 8cb84015d0..8c6513b2d7 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -175,6 +175,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." +sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false From 8b40709d4da7d1565486960e17fb264c3e3769e8 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 13 Nov 2017 00:12:16 -0600 Subject: [PATCH 0149/1208] Improve VPN ciphers - Remove unsupported ESP algorithm on Raspbian --- extras/vpnupgrade.sh | 3 +++ vpnsetup.sh | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 88f0d0e6f1..83569e27fa 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -183,6 +183,9 @@ fi # Update ipsec.conf for Libreswan 3.19 and newer IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" +if grep -qs raspbian /etc/os-release; then + PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" +fi sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index 30cd001882..22b22c9035 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -279,6 +279,11 @@ if grep -qs 'Raspbian GNU/Linux 9' /etc/os-release; then check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf fi +# Remove unsupported ESP algorithm on Raspbian +if grep -qs raspbian /etc/os-release; then + sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf +fi + # Specify IPsec PSK conf_bk "/etc/ipsec.secrets" cat > /etc/ipsec.secrets < Date: Mon, 13 Nov 2017 00:17:38 -0600 Subject: [PATCH 0150/1208] Remove RPi workaround - No longer needed with fix 2dfa587 and 8b40709 - Ref: 1488ac0 --- extras/vpnupgrade.sh | 20 -------------------- vpnsetup.sh | 6 +----- 2 files changed, 1 insertion(+), 25 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 83569e27fa..b8fdb8edb6 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -51,26 +51,6 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if [ "$SWAN_VER" = "3.22" ]; then - if grep -qs raspbian /etc/os-release; then - echo "Note: For Raspberry Pi systems, this script will install Libreswan" - echo "version 3.21 instead of 3.22, to avoid some recent bugs." - echo - printf "Do you wish to continue? [y/N] " - read -r response - case $response in - [yY][eE][sS]|[yY]) - echo - SWAN_VER=3.21 - ;; - *) - echo "Aborting." - exit 1 - ;; - esac - fi -fi - if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then echo "You already have Libreswan version $SWAN_VER installed! " echo "If you continue, the same version will be re-installed." diff --git a/vpnsetup.sh b/vpnsetup.sh index 22b22c9035..3954085812 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -177,11 +177,7 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -if ! grep -qs raspbian /etc/os-release; then - SWAN_VER=3.22 -else - SWAN_VER=3.21 -fi +SWAN_VER=3.22 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" From 3f39255f841e2ee612bffba9633b3d71b7729626 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 20 Nov 2017 00:33:36 -0600 Subject: [PATCH 0151/1208] Bug fix for RHEL 6/7 - Fix compatibility with Red Hat Enterprise Linux (RHEL) 6 and 7 - Ref: #273 --- extras/vpnupgrade_centos.sh | 12 ++++++++---- vpnsetup_centos.sh | 13 ++++++++----- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index ee2ad84a53..76692d0e16 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -115,18 +115,22 @@ cd /opt/src || exiterr "Cannot enter /opt/src." yum -y install wget || exiterr2 # Add the EPEL repository -yum -y install epel-release || exiterr2 +epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm" +yum -y install epel-release || yum -y install "$epel_url" || exiterr2 # Install necessary packages yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel curl-devel \ - flex bison gcc make fipscheck-devel || exiterr2 + flex bison gcc make || exiterr2 +OPT1='--enablerepo=*server-optional*' +OPT2='--enablerepo=*releases-optional*' if grep -qs "release 6" /etc/redhat-release; then yum -y remove libevent-devel - yum -y install libevent2-devel || exiterr2 + yum "$OPT1" "$OPT2" -y install libevent2-devel fipscheck-devel || exiterr2 else - yum -y install libevent-devel systemd-devel || exiterr2 + yum -y install systemd-devel || exiterr2 + yum "$OPT1" "$OPT2" -y install libevent-devel fipscheck-devel || exiterr2 fi # Compile and install Libreswan 
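Review bot: in the `@@ -115,18 +115,22 @@` hunk of extras/vpnupgrade_centos.sh (PATCH 0151), the new fallback `yum -y install "$epel_url"` installs the release RPM directly from a URL rather than from a configured repository, so whether its signature is checked depends on the host's yum settings for local packages. Import the EPEL signing key and verify the downloaded RPM with `rpm -K` before installing it, or add a comment stating that the fallback relies on HTTPS alone.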
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 8c6513b2d7..405fc092fe 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -143,20 +143,23 @@ check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit th bigecho "Adding the EPEL repository..." -yum -y install epel-release || exiterr2 +epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm" +yum -y install epel-release || yum -y install "$epel_url" || exiterr2 bigecho "Installing packages required for the VPN..." yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel curl-devel \ - flex bison gcc make fipscheck-devel \ - ppp xl2tpd || exiterr2 + flex bison gcc make ppp xl2tpd || exiterr2 +OPT1='--enablerepo=*server-optional*' +OPT2='--enablerepo=*releases-optional*' if grep -qs "release 6" /etc/redhat-release; then yum -y remove libevent-devel - yum -y install libevent2-devel || exiterr2 + yum "$OPT1" "$OPT2" -y install libevent2-devel fipscheck-devel || exiterr2 else - yum -y install libevent-devel systemd-devel iptables-services || exiterr2 + yum -y install systemd-devel iptables-services || exiterr2 + yum "$OPT1" "$OPT2" -y install libevent-devel fipscheck-devel || exiterr2 fi bigecho "Installing Fail2Ban to protect SSH..." From cc64a29c016c6937bb7d7d8b031c702c33636821 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 6 Dec 2017 04:36:33 -0600 Subject: [PATCH 0152/1208] Re-add RPi workaround - Libreswan 3.22 may fail to compile on Raspberry Pi w/ Raspbian 9 - Use version 3.21 instead of 3.22 for Raspbian systems - Ref: d472c65 --- extras/vpnupgrade.sh | 22 +++++++++++++++++++++- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 8 ++++++-- vpnsetup_centos.sh | 2 +- 4 files changed, 29 insertions(+), 5 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index b8fdb8edb6..27f2b88814 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -51,6 +51,26 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi +if [ "$SWAN_VER" = "3.22" ]; then + if grep -qs raspbian /etc/os-release; then + echo "Note: For Raspberry Pi systems, this script will install Libreswan" + echo "version 3.21 instead of 3.22, to avoid some recent bugs." + echo + printf "Do you wish to continue? [y/N] " + read -r response + case $response in + [yY][eE][sS]|[yY]) + echo + SWAN_VER=3.21 + ;; + *) + echo "Aborting." + exit 1 + ;; + esac + fi +fi + if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then echo "You already have Libreswan version $SWAN_VER installed! " echo "If you continue, the same version will be re-installed." @@ -141,7 +161,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." -sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 76692d0e16..1e44f5b8bf 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -143,7 +143,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." -sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/vpnsetup.sh b/vpnsetup.sh index 3954085812..a8527e6cd7 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -177,7 +177,11 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.22 +if ! grep -qs raspbian /etc/os-release; then + SWAN_VER=3.22 +else + SWAN_VER=3.21 +fi swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -187,7 +191,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." -sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 405fc092fe..0c8121a784 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -178,7 +178,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." -sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false From 076406b80c888dfc6b4ec5105095ba1a2c6d934e Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 20 Dec 2017 01:22:09 -0600 Subject: [PATCH 0153/1208] Fix tests - Add workaround for Travis CI build issues --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index e4b796177d..8e4ea961c9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -2,6 +2,7 @@ language: bash sudo: required dist: trusty +group: deprecated-2017Q4 addons: apt: From c982502ad4dc1c42eae7e75db1d424bc7f9c6eb5 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Mon, 29 Jan 2018 01:22:24 -0600 Subject: [PATCH 0154/1208] Upgrade Libreswan to 3.23 - Remove 'docker-targets.mk' from Makefile to avoid git errors during compilation --- extras/vpnupgrade.sh | 8 ++++---- extras/vpnupgrade_centos.sh | 4 ++-- vpnsetup.sh | 4 ++-- vpnsetup_centos.sh | 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 27f2b88814..ef4f02b784 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -SWAN_VER=3.22 +SWAN_VER=3.23 ### DO NOT edit below this line ### @@ -51,10 +51,10 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if [ "$SWAN_VER" = "3.22" ]; then +if [ "$SWAN_VER" != "3.21" ]; then if grep -qs raspbian /etc/os-release; then echo "Note: For Raspberry Pi systems, this script will install Libreswan" - echo "version 3.21 instead of 3.22, to avoid some recent bugs." + echo "version 3.21 instead of $SWAN_VER, to avoid some recent bugs." echo printf "Do you wish to continue? [y/N] " read -r response @@ -161,7 +161,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." -[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 1e44f5b8bf..30961ee200 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -SWAN_VER=3.22 +SWAN_VER=3.23 ### DO NOT edit below this line ### 
@@ -143,7 +143,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." -[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/vpnsetup.sh b/vpnsetup.sh index a8527e6cd7..a1790c972f 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -178,7 +178,7 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." if ! grep -qs raspbian /etc/os-release; then - SWAN_VER=3.22 + SWAN_VER=3.23 else SWAN_VER=3.21 fi @@ -191,7 +191,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." -[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 0c8121a784..ae7e9bbbe8 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -168,7 +168,7 @@ yum -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.22 +SWAN_VER=3.23 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -178,7 +178,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." -[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false 
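Review bot: in the `@@ -178,7 +178,7 @@` hunk of vpnsetup_centos.sh (PATCH 0154), `sed -i '/docker-targets\.mk/d' Makefile` edits the upstream build file with no comment in the script; the reason (avoiding git errors during compilation) appears only in the commit message. Add a one-line comment above the `sed`, and since the `LSWBUF_CANARY` edit it replaces was gated with `[ "$SWAN_VER" = "3.22" ]`, say whether this one is meant to apply to every version or only to 3.23.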
From 3d2b6fc86154983c9a4921ddd0c82a194d79b591 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 29 Jan 2018 02:06:08 -0600 Subject: [PATCH 0155/1208] Remove RPi workaround --- extras/vpnupgrade.sh | 20 -------------------- vpnsetup.sh | 6 +----- 2 files changed, 1 insertion(+), 25 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index ef4f02b784..27b2db9d46 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -51,26 +51,6 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if [ "$SWAN_VER" != "3.21" ]; then - if grep -qs raspbian /etc/os-release; then - echo "Note: For Raspberry Pi systems, this script will install Libreswan" - echo "version 3.21 instead of $SWAN_VER, to avoid some recent bugs." - echo - printf "Do you wish to continue? [y/N] " - read -r response - case $response in - [yY][eE][sS]|[yY]) - echo - SWAN_VER=3.21 - ;; - *) - echo "Aborting." - exit 1 - ;; - esac - fi -fi - if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then echo "You already have Libreswan version $SWAN_VER installed! " echo "If you continue, the same version will be re-installed." diff --git a/vpnsetup.sh b/vpnsetup.sh index a1790c972f..12eeb30296 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -177,11 +177,7 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -if ! grep -qs raspbian /etc/os-release; then - SWAN_VER=3.23 -else - SWAN_VER=3.21 -fi +SWAN_VER=3.23 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" From 0cf01c0eb8246299e319ef84faff633e4ae604d5 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Mon, 29 Jan 2018 02:11:16 -0600 Subject: [PATCH 0156/1208] Update ipsec.conf - Switch to new keyword 'modecfgdns' in Libreswan 3.23 --- vpnsetup.sh | 3 +-- vpnsetup_centos.sh | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 12eeb30296..53a342e144 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -255,8 +255,7 @@ conn xauth-psk auto=add leftsubnet=0.0.0.0/0 rightaddresspool=$XAUTH_POOL - modecfgdns1=$DNS_SRV1 - modecfgdns2=$DNS_SRV2 + modecfgdns="$DNS_SRV1, $DNS_SRV2" leftxauthserver=yes rightxauthclient=yes leftmodecfgserver=yes diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index ae7e9bbbe8..05f1bf1f63 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -243,8 +243,7 @@ conn xauth-psk auto=add leftsubnet=0.0.0.0/0 rightaddresspool=$XAUTH_POOL - modecfgdns1=$DNS_SRV1 - modecfgdns2=$DNS_SRV2 + modecfgdns="$DNS_SRV1, $DNS_SRV2" leftxauthserver=yes rightxauthclient=yes leftmodecfgserver=yes From fa5abe7825eca1c17b8b19d5ea94bb9dd748c6a1 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 3 Feb 2018 16:10:09 -0600 Subject: [PATCH 0157/1208] Remove unneeded check on CentOS --- vpnsetup_centos.sh | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 05f1bf1f63..cd7b68a7d9 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -66,13 +66,11 @@ def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then - if ! grep -qs raspbian /etc/os-release; then - case "$def_iface" in - wl*) - exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" - ;; - esac - fi + case "$def_iface" in + wl*) + exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" + ;; + esac net_iface="$def_iface" fi 
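Review bot: in the `@@ -255,8 +255,7 @@` hunk of vpnsetup.sh (PATCH 0156), `modecfgdns="$DNS_SRV1, $DNS_SRV2"` is, per the commit message, the keyword form for Libreswan 3.23, but nothing in the script ties the generated `conn xauth-psk` block to `SWAN_VER`. This series has already set `SWAN_VER` back to 3.21 for Raspbian twice, and doing so again would produce a config the installed version may not parse. Add a comment at the `SWAN_VER` assignment noting that the heredoc assumes 3.23 or newer, or select the old `modecfgdns1`/`modecfgdns2` lines when an older version is chosen. The same applies to the matching hunk in vpnsetup_centos.sh.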
From 21228a8caf22fed91f7613b18d8c94b505dab791 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 3 Feb 2018 16:55:54 -0600 Subject: [PATCH 0158/1208] Improve RPi workarounds - Improve workarounds for systems with ARM CPU (e.g. Raspberry Pi) - Check for ARM architecture instead of checking for Raspbian --- extras/vpnupgrade.sh | 2 +- vpnsetup.sh | 12 +++++------- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 27b2db9d46..a0ff1e3abe 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -163,7 +163,7 @@ fi # Update ipsec.conf for Libreswan 3.19 and newer IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" -if grep -qs raspbian /etc/os-release; then +if [ "$(uname -m | cut -c1-3)" = "arm" ]; then PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" fi sed -i".old-$(date +%F-%T)" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index 53a342e144..d846c48e64 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -75,7 +75,7 @@ def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then - if ! grep -qs raspbian /etc/os-release; then + if [ "$(uname -m | cut -c1-3)" != "arm" ]; then case "$def_iface" in wl*) exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" 
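Review bot: in the `@@ -75,7 +75,7 @@` hunk of vpnsetup.sh (PATCH 0158), `[ "$(uname -m | cut -c1-3)" != "arm" ]` matches 32-bit names such as `armv7l` but not `aarch64`, which is what a 64-bit ARM kernel reports, so those boards still hit the `wl*` abort. It also widens the exemption from Raspbian to every ARM host, so the wireless safety check no longer runs on any ARM laptop or desktop. Use a `case "$(uname -m)" in arm*|aarch64)` test if 64-bit is meant to be covered, and add a comment saying why ARM is exempt.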
@@ -268,14 +268,12 @@ conn xauth-psk also=shared EOF -# Workaround for Raspbian 9 -if grep -qs 'Raspbian GNU/Linux 9' /etc/os-release; then +# Workarounds for systems with ARM CPU (e.g. Raspberry Pi) +# - Set "left" to private IP instead of "%defaultroute" +# - Remove unsupported ESP algorithm +if [ "$(uname -m | cut -c1-3)" = "arm" ]; then PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf -fi - -# Remove unsupported ESP algorithm on Raspbian -if grep -qs raspbian /etc/os-release; then sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf fi From 00ea75988375f9749716f60345adc4e8766821ba Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 3 Feb 2018 22:35:51 -0600 Subject: [PATCH 0159/1208] Fix tests --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 8e4ea961c9..d40ee07cba 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,6 +15,7 @@ script: - export SHELLCHECK_OPTS="-e SC1091,SC1117" - shellcheck *.sh extras/*.sh - sudo sed -i "/debian unstable/d" /etc/apt/sources.list + - sed -i "/^make/s/^make.*$/make base \&\& make install-base/" vpnsetup.sh - sudo VPN_IPSEC_PSK='vpn_psk' VPN_USER='vpn_user' VPN_PASSWORD='vpn_pass' sh vpnsetup.sh From 43dbac6c3cb1580c728ba9246128c5269a53ed7d Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 11 Feb 2018 00:37:00 -0600 Subject: [PATCH 0160/1208] Update docs --- docs/ikev2-howto-zh.md | 29 ++++++++++++++++++++++------- docs/ikev2-howto.md | 27 +++++++++++++++++++++------ docs/manage-users-zh.md | 4 ++-- docs/manage-users.md | 2 +- 4 files changed, 46 insertions(+), 16 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 894ee5aa91..b2fdd286db 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -47,8 +47,6 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 rightaddresspool=192.168.43.10-192.168.43.250 rightca=%same rightrsasigkey=%cert - modecfgdns1=8.8.8.8 - modecfgdns2=8.8.4.4 narrowing=yes dpddelay=30 dpdtimeout=120 @@ -62,22 +60,39 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 EOF ``` - 还需要在该文件中添加一行,首先查看你的 Libreswan 版本: + 还需要在该文件中添加一些行。首先查看你的 Libreswan 版本: ```bash $ ipsec --version ``` - 对于 Libreswan 3.19 或以上版本,请运行: + 对于 Libreswan 3.23 或更新版本,请运行: + + ```bash + $ cat >> /etc/ipsec.conf <> /etc/ipsec.conf + $ cat >> /etc/ipsec.conf <> /etc/ipsec.conf + $ cat >> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf + $ cat >> /etc/ipsec.conf <> /etc/ipsec.conf + $ cat >> /etc/ipsec.conf < Date: Sun, 11 Feb 2018 01:05:13 -0600 Subject: [PATCH 0161/1208] Add modecfgdns note --- extras/vpnupgrade.sh | 10 ++++++++++ extras/vpnupgrade_centos.sh | 10 ++++++++++ 2 files changed, 20 insertions(+) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index a0ff1e3abe..9a66c0f9a6 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -179,6 +179,16 @@ echo echo "Libreswan $SWAN_VER was installed successfully! " echo +cat <<'EOF' +Note: Users upgrading to Libreswan 3.23 or newer should edit + "/etc/ipsec.conf" and replace these two lines: + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + with a single line like this: + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + Then run "service ipsec restart". +EOF + } ## Defer setup until we have the complete script diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 30961ee200..80379d82f5 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh 
@@ -180,6 +180,16 @@ echo echo "Libreswan $SWAN_VER was installed successfully! " echo +cat <<'EOF' +Note: Users upgrading to Libreswan 3.23 or newer should edit + "/etc/ipsec.conf" and replace these two lines: + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + with a single line like this: + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + Then run "service ipsec restart". +EOF + } ## Defer setup until we have the complete script From c7d63c2bf1556f4006fd05fd73d3bf4961daface Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 11 Feb 2018 02:07:29 -0600 Subject: [PATCH 0162/1208] Fix tests --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index d40ee07cba..aa67ea14ed 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,7 +15,7 @@ script: - export SHELLCHECK_OPTS="-e SC1091,SC1117" - shellcheck *.sh extras/*.sh - sudo sed -i "/debian unstable/d" /etc/apt/sources.list - - sed -i "/^make/s/^make.*$/make base \&\& make install-base/" vpnsetup.sh + - sed -i "s/^make .* install-base$/make base \&\& make install-base/" vpnsetup.sh - sudo VPN_IPSEC_PSK='vpn_psk' VPN_USER='vpn_user' VPN_PASSWORD='vpn_pass' sh vpnsetup.sh From 36208fa4ca7820e66a37c9296a4bcd14dbeb26cf Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 17 Feb 2018 10:05:34 -0600 Subject: [PATCH 0163/1208] Update docs --- README-zh.md | 4 ++-- README.md | 2 +- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README-zh.md b/README-zh.md index 1bd9c0828e..e4235f6647 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -139,9 +139,9 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh *其他语言版本: [English](README.md#important-notes), [简体中文](README-zh.md#重要提示).* -**Windows 用户** 在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。 +**Windows 用户** 在首次连接之前需要修改注册表,以解决 VPN 服务器 和/或 客户端与 NAT(比如家用路由器)的兼容问题。 -同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。 +同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性以及一个在 Libreswan 中的问题,现在还不支持同时连接在同一个 NAT(比如家用路由器)后面的多个设备。 对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 diff --git a/README.md b/README.md index 37eecffff0..2166888876 100644 --- a/README.md +++ b/README.md @@ -141,7 +141,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: For **Windows users**, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. +The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation and an Libreswan issue, it is not currently possible to connect multiple devices simultaneously from behind the same NAT (e.g. home router). For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index b2fdd286db..7d5e92c946 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -8,7 +8,7 @@ --- -Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较,IKEv2 带来许多功能改进,比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。 +Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较,IKEv2 的功能改进包括比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。另外,IKEv2 支持同时连接在同一个 NAT(比如家用路由器)后面的多个设备到 VPN 服务器。 Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于以下系统: diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 65c5b6d50f..6d6a173118 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -8,7 +8,7 @@ --- -Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 has multiple improvements such as Standard Mobility support through MOBIKE, and improved reliability. +Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains improvements such as Standard Mobility support through MOBIKE, and improved reliability. In addition, IKEv2 supports connecting multiple devices simultaneously from behind the same NAT (e.g. home router) to the VPN server. Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with: From a06995d35dbf182b20e329c1ca22aea81d1be66c Mon Sep 17 00:00:00 2001 
From: Aofei Sheng Date: Tue, 1 May 2018 14:34:04 +0800 Subject: [PATCH 0164/1208] Fix iproute for Ubuntu 18.04 (#375) The iproute package has been deprecated in Ubuntu 18.04. --- vpnsetup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index d846c48e64..d7d9ed24b8 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -145,7 +145,7 @@ apt-get -yq update || exiterr "'apt-get update' failed." bigecho "Installing packages required for setup..." apt-get -yq install wget dnsutils openssl \ - iproute gawk grep sed net-tools || exiterr2 + iproute2 gawk grep sed net-tools || exiterr2 bigecho "Trying to auto discover IP of this server..." From af1ef064a34d882c10d47e55f994ee69f45b6013 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 1 May 2018 03:35:41 -0500 Subject: [PATCH 0165/1208] Fix tests --- .travis.yml | 36 ++---------------------------------- 1 file changed, 2 insertions(+), 34 deletions(-) diff --git a/.travis.yml b/.travis.yml index aa67ea14ed..dc1099ea73 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -1,44 +1,12 @@ language: bash -sudo: required +sudo: false dist: trusty -group: deprecated-2017Q4 - -addons: - apt: - sources: - - debian-sid - packages: - - shellcheck script: - export SHELLCHECK_OPTS="-e SC1091,SC1117" + - shellcheck --version - shellcheck *.sh extras/*.sh - - sudo sed -i "/debian unstable/d" /etc/apt/sources.list - - sed -i "s/^make .* install-base$/make base \&\& make install-base/" vpnsetup.sh - - sudo VPN_IPSEC_PSK='vpn_psk' - VPN_USER='vpn_user' - VPN_PASSWORD='vpn_pass' sh vpnsetup.sh - - sleep 10 - - sudo netstat -anpu | grep pluto - - sudo netstat -anpu | grep xl2tpd - - sudo grep 'vpn_psk' /etc/ipsec.secrets - - sudo grep '"vpn_user" l2tpd "vpn_pass"' /etc/ppp/chap-secrets - - sudo grep 'vpn_user' /etc/ipsec.d/passwd - - sudo sh vpnsetup.sh - - sleep 10 - - sudo netstat -anpu | grep pluto - - sudo netstat -anpu | grep xl2tpd - - sed -i -e "/^YOUR_IPSEC_PSK/s/''/'vpn_psk'/" - -e "/^YOUR_USERNAME/s/''/'vpn_user'/" - -e "/^YOUR_PASSWORD/s/''/'vpn_pass'/" vpnsetup.sh - - sudo sh vpnsetup.sh - - sleep 10 - - sudo netstat -anpu | grep pluto - - sudo netstat -anpu | grep xl2tpd - - sudo grep 'vpn_psk' /etc/ipsec.secrets - - sudo grep '"vpn_user" l2tpd "vpn_pass"' /etc/ppp/chap-secrets - - sudo grep 'vpn_user' /etc/ipsec.d/passwd notifications: email: From 632165685a925a3d2e7c7c5cdf2403205c4bc584 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 2 May 2018 02:58:45 -0500 Subject: [PATCH 0166/1208] Add iptables dependency - Closes #363 - Thanks @rocboronat! --- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index d7d9ed24b8..255d1c85fb 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -145,7 +145,7 @@ apt-get -yq update || exiterr "'apt-get update' failed." bigecho "Installing packages required for setup..." apt-get -yq install wget dnsutils openssl \ - iproute2 gawk grep sed net-tools || exiterr2 + iptables iproute2 gawk grep sed net-tools || exiterr2 bigecho "Trying to auto discover IP of this server..." diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index cd7b68a7d9..c3f5b04549 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -120,7 +120,7 @@ cd /opt/src || exiterr "Cannot enter /opt/src." bigecho "Installing packages required for setup..." yum -y install wget bind-utils openssl \ - iproute gawk grep sed net-tools || exiterr2 + iptables iproute gawk grep sed net-tools || exiterr2 bigecho "Trying to auto discover IP of this server..." From 4795b69a797f9e23f43956ef0f93735f418a77ad Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 2 May 2018 03:29:52 -0500 Subject: [PATCH 0167/1208] Update docs --- README-zh.md | 4 +++- README.md | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README-zh.md b/README-zh.md index e4235f6647..bb2d489ad4 100644 --- a/README-zh.md +++ b/README-zh.md @@ -28,7 +28,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 ## 快速开始 -首先,在你的 Linux 服务器[*](#quick-start-note) 上全新安装一个 Ubuntu LTS, Debian 或者 CentOS 系统。 +首先,在你的 Linux 服务器[*](#quick-start-note) 上全新安装一个 Ubuntu 16.04/14.04 LTS, Debian 或者 CentOS 系统。 使用以下命令快速搭建 IPsec VPN 服务器: @@ -77,6 +77,8 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 高级用户可以在 $35 Raspberry Pi 3 上搭建 VPN 服务器。 +**注:** 目前脚本还不支持 Ubuntu 18.04,因为一个 xl2tpd 与 Linux 4.15 内核兼容性的 问题。 + :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! ## 安装说明 diff --git a/README.md b/README.md index 2166888876..79e789cabd 100644 --- a/README.md +++ b/README.md 
@@ -28,7 +28,7 @@ We will use Libreswan as th ## Quick start -First, prepare your Linux server[*](#quick-start-note) with a fresh install of Ubuntu LTS, Debian or CentOS. +First, prepare your Linux server[*](#quick-start-note) with a fresh install of Ubuntu 16.04/14.04 LTS, Debian or CentOS. Use this one-liner to set up an IPsec VPN server: @@ -77,6 +77,8 @@ This also includes Linux VMs in public clouds, such as Raspberry Pi 3. +**Note:** Ubuntu 18.04 is not yet supported due to an xl2tpd issue with Linux 4.15 kernels. + :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! ## Installation From 3c9c3d25a7efedbd4c3d7eb821c72ad9a85ae2a0 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 3 May 2018 00:52:14 -0500 Subject: [PATCH 0168/1208] Add check for Linux kernel 4.15 --- vpnsetup.sh | 11 +++++++++++ vpnsetup_centos.sh | 8 ++++++++ 2 files changed, 19 insertions(+) diff --git a/vpnsetup.sh b/vpnsetup.sh index 255d1c85fb..80e6c6dc0a 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -69,6 +69,17 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi +case "$(uname -r)" in + 4.14*) + if [ "$(uname -m | cut -c1-3)" = "arm" ]; then + exiterr "Linux kernel 4.14 is not supported due to an xl2tpd bug." + fi + ;; + 4.15*) + exiterr "Linux kernel 4.15 is not supported due to an xl2tpd bug." + ;; +esac + net_iface=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index c3f5b04549..465c03d6dc 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -60,6 +60,14 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi +case "$(uname -r)" in + 4.15*) + if grep -qs "release 6" /etc/redhat-release; then + exiterr "Linux kernel 4.15 is not supported due to an xl2tpd bug." + fi + ;; +esac + net_iface=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" From 6a5c14b8736165c2447d249591c26b7c6f3973e9 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 3 May 2018 01:34:05 -0500 Subject: [PATCH 0169/1208] Minor fix --- vpnsetup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 80e6c6dc0a..31af68567d 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -449,7 +449,7 @@ cat >> /etc/rc.local <<'EOF' (sleep 15 service ipsec restart service xl2tpd restart -[ -f "/usr/sbin/netplan" ] && iptables-restore < /etc/iptables.rules +[ -f "/usr/sbin/netplan" ] && { iptables-restore < /etc/iptables.rules; service fail2ban restart; } echo 1 > /proc/sys/net/ipv4/ip_forward)& exit 0 EOF From 240a0187f64524d373aecdb0689bab7ff2f110fa Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 4 May 2018 03:11:27 -0500 Subject: [PATCH 0170/1208] Update Linux kernel check --- vpnsetup.sh | 9 ++------- vpnsetup_centos.sh | 4 ++-- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 31af68567d..64623928d0 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -70,13 +70,8 @@ if [ "$(id -u)" != 0 ]; then fi case "$(uname -r)" in - 4.14*) - if [ "$(uname -m | cut -c1-3)" = "arm" ]; then - exiterr "Linux kernel 4.14 is not supported due to an xl2tpd bug." - fi - ;; - 4.15*) - exiterr "Linux kernel 4.15 is not supported due to an xl2tpd bug." + 4.14*|4.15*) + exiterr "Linux kernels 4.14/4.15 are not yet supported due to an xl2tpd bug." ;; esac 
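Review bot: merging the two arms into `4.14*|4.15*)` in the vpnsetup.sh hunk at line 70 drops the ARM-only condition that the previous version had on 4.14, so the script now refuses to run on every 4.14 kernel regardless of architecture, and neither the commit message nor the error text says where the xl2tpd bug was confirmed. Suggest adding a comment that names the xl2tpd issue this check refers to, and keeping the `uname -m` condition on the 4.14 arm if only ARM builds are affected. Because the match is on the kernel release prefix alone, a host running 4.14/4.15 with a fixed xl2tpd has no way past `exiterr`; an explicit override variable would cover that case.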
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 465c03d6dc..31acbe3f6b 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -61,9 +61,9 @@ if [ "$(id -u)" != 0 ]; then fi case "$(uname -r)" in - 4.15*) + 4.14*|4.15*) if grep -qs "release 6" /etc/redhat-release; then - exiterr "Linux kernel 4.15 is not supported due to an xl2tpd bug." + exiterr "Linux kernels 4.14/4.15 are not yet supported due to an xl2tpd bug." fi ;; esac From 0c6cb4b8a907429d876e3c8a7c4f4466098ff3e9 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 5 May 2018 18:49:38 -0500 Subject: [PATCH 0171/1208] Update year --- LICENSE.md | 2 +- README-zh.md | 2 +- README.md | 2 +- docs/clients-xauth-zh.md | 2 +- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 2 +- docs/clients.md | 2 +- extras/vpnupgrade.sh | 2 +- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/LICENSE.md b/LICENSE.md index bcb0c6261b..548ebde539 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,7 +1,7 @@ ### Creative Commons Attribution-ShareAlike 3.0 Unported License Link to license summary: https://creativecommons.org/licenses/by-sa/3.0/ -Copyright (C) 2014-2017 Lin Song +Copyright (C) 2014-2018 Lin Song Based on the work of Thomas Sarlandie (Copyright 2012)

THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS diff --git a/README-zh.md b/README-zh.md index bb2d489ad4..dc7d059fdf 100644 --- a/README-zh.md +++ b/README-zh.md @@ -190,7 +190,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## 授权协议 -版权所有 (C) 2014-2017 Lin Song View my profile on LinkedIn +版权所有 (C) 2014-2018 Lin Song View my profile on LinkedIn 基于 Thomas Sarlandie 的工作 (版权所有 2012) 这个项目是以 知识共享署名-相同方式共享3.0 许可协议授权。 diff --git a/README.md b/README.md index 79e789cabd..e653e3e0b8 100644 --- a/README.md +++ b/README.md @@ -190,7 +190,7 @@ Please refer to Uninstall the VPNLin Song View my profile on LinkedIn +Copyright (C) 2014-2018 Lin Song View my profile on LinkedIn Based on the work of Thomas Sarlandie (Copyright 2012) This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 1a59fabc62..1554d617ab 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -104,7 +104,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 Joshua Lund 的工作 (版权所有 2014-2016) 本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 601a8b8c3d..a87589f5ed 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -104,7 +104,7 @@ This document was adapted from the the work of Joshua Lund (Copyright 2014-2016) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index f478aa4ed8..3850a221d0 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -471,7 +471,7 @@ ipsec whack --trafficstatus 注: 这个协议仅适用于本文档。 -版权所有 (C) 2016-2017 Lin Song +版权所有 (C) 2016-2018 Lin Song 基于 Joshua Lund 的工作 (版权所有 2014-2016) 本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。 diff --git a/docs/clients.md b/docs/clients.md index b3ac7e93d5..42fcfd1967 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -470,7 +470,7 @@ This document was adapted from the the work of Joshua Lund (Copyright 2014-2016) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 9a66c0f9a6..783961dc85 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -2,7 +2,7 @@ # # Script to upgrade Libreswan on Ubuntu and Debian # -# Copyright (C) 2016-2017 Lin Song +# Copyright (C) 2016-2018 Lin Song # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 80379d82f5..6b4527c7c6 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -2,7 +2,7 @@ # # Script to upgrade Libreswan on CentOS and RHEL # -# Copyright (C) 2016-2017 Lin Song +# Copyright (C) 2016-2018 Lin Song # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ diff --git a/vpnsetup.sh b/vpnsetup.sh index 64623928d0..17336052e8 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -8,7 +8,7 @@ # The latest version of this script is available at: # https://github.com/hwdsl2/setup-ipsec-vpn # -# Copyright (C) 2014-2017 Lin Song +# Copyright (C) 2014-2018 Lin Song # Based on the work of Thomas Sarlandie (Copyright 2012) # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 31acbe3f6b..deb0e6a315 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -8,7 +8,7 @@ # The latest version of this script is available at: # https://github.com/hwdsl2/setup-ipsec-vpn # -# Copyright (C) 2015-2017 Lin Song +# Copyright (C) 2015-2018 Lin Song # Based on the work of Thomas Sarlandie (Copyright 2012) # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 From 102ccbc17de100d21a776fa7abb9f58b0cca5ff4 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 5 May 2018 18:51:24 -0500 Subject: [PATCH 0172/1208] Clean up VPN ciphers - Remove aes256-sha2_512 - Change sha2-truncbug to no for newer Android versions - Fixes #303 --- extras/vpnupgrade.sh | 4 ++-- extras/vpnupgrade_centos.sh | 4 ++-- vpnsetup.sh | 8 +++----- vpnsetup_centos.sh | 6 +++--- 4 files changed, 10 insertions(+), 12 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 783961dc85..9d81e59d63 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -161,8 +161,8 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then fi # Update ipsec.conf for Libreswan 3.19 and newer -IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" -PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" +IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" +PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" if [ "$(uname -m | cut -c1-3)" = "arm" ]; then PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" fi 
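Review bot: after this change the `if [ "$(uname -m | cut -c1-3)" = "arm" ]` block in extras/vpnupgrade.sh assigns `PHASE2_NEW` the same value it was given two lines earlier, so the branch is dead code. Suggest deleting the block in this patch, the same way the `sed -i '/phase2alg/s/,aes256-sha2_512//'` line is removed from the ARM workaround in vpnsetup.sh. Since the commit is titled as a cipher clean-up, it is also worth a comment on why the `ike=` and `phase2alg=` proposals still lead with `3des-sha1` and still offer `modp1024`, or dropping them if no supported client needs them.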
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 6b4527c7c6..61d9d39cbd 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -165,8 +165,8 @@ restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null # Update ipsec.conf for Libreswan 3.19 and newer -IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" -PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" +IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" +PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index 17336052e8..bfe9fcf56d 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -245,9 +245,9 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear - ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 - sha2-truncbug=yes + ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 + phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2 + sha2-truncbug=no conn l2tp-psk auto=add @@ -276,11 +276,9 @@ EOF # Workarounds for systems with ARM CPU (e.g. Raspberry Pi) # - Set "left" to private IP instead of "%defaultroute" -# - Remove unsupported ESP algorithm if [ "$(uname -m | cut -c1-3)" = "arm" ]; then PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf - sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf fi # Specify IPsec PSK diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index deb0e6a315..f70157be04 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -233,9 +233,9 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear - ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 - sha2-truncbug=yes + ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 + phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2 + sha2-truncbug=no conn l2tp-psk auto=add From 17ca2ee87fd8e24f2a9e6262104f157af4629e58 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 5 May 2018 19:37:33 -0500 Subject: [PATCH 0173/1208] Update docs --- README-zh.md | 5 +++-- README.md | 5 +++-- docs/clients-zh.md | 6 +++--- docs/clients.md | 6 +++--- docs/ikev2-howto-zh.md | 4 ++-- docs/ikev2-howto.md | 4 ++-- 6 files changed, 16 insertions(+), 14 deletions(-) diff --git a/README-zh.md b/README-zh.md index dc7d059fdf..928d8321b5 100644 --- a/README-zh.md +++ b/README-zh.md @@ -58,7 +58,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh ## 系统要求 一个新创建的 Amazon EC2 实例,使用这些映像 (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) +- Ubuntu 16.04 (Xenial) or 14.04 (Trusty)[*](#ubuntu-1804-note) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates @@ -77,7 +77,8 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 高级用户可以在 $35 Raspberry Pi 3 上搭建 VPN 服务器。 -**注:** 目前脚本还不支持 Ubuntu 18.04,因为一个 xl2tpd 与 Linux 4.15 内核兼容性的 问题。 + +\***注:** 目前脚本还不支持 Ubuntu 18.04,因为一个 xl2tpd 与 Linux 内核 4.15 兼容性的 问题。 :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! diff --git a/README.md b/README.md index e653e3e0b8..f8c0d4636a 100644 --- a/README.md +++ b/README.md 
@@ -58,7 +58,7 @@ For other installation options and how to set up VPN clients, read the sections ## Requirements A newly created Amazon EC2 instance, from these images (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) +- Ubuntu 16.04 (Xenial) or 14.04 (Trusty)[*](#ubuntu-1804-note) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates @@ -77,7 +77,8 @@ This also includes Linux VMs in public clouds, such as Raspberry Pi 3. -**Note:** Ubuntu 18.04 is not yet supported due to an xl2tpd issue with Linux 4.15 kernels. + +\***Note:** Ubuntu 18.04 is not yet supported due to an xl2tpd issue with Linux kernel 4.15. :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 3850a221d0..3b75b82c07 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -406,14 +406,14 @@ REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSe 如果你无法使用 Android 6 或以上版本连接: 1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 -1. (适用于 Android 7.1.2 及以上版本) 编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `ike=` 和 `phase2alg=` 两行的末尾添加 `,aes256-sha2_512` 字样。保存修改并运行 `service ipsec restart`。(参见) 注:最新版本的 VPN 脚本已经包含这个更改。 -1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`,开头必须空两格。保存修改并运行 `service ipsec restart`。(参见) +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=no` 并将它替换为 `sha2-truncbug=yes`。保存修改并运行 `service ipsec restart`。(参见) 如果仍然无法连接,请尝试下一步。 +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `ike=` 和 `phase2alg=` 两行的末尾添加 `,aes256-sha2_512` 字样。保存修改并运行 `service ipsec restart`。(参见) ![Android VPN workaround](images/vpn-profile-Android.png) ### Chromebook -Chromebook 用户: 如果你无法连接,请尝试 这个解决方案。或者你也可以尝试编辑 VPN 服务器上的 `/etc/ipsec.conf`,找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。 +Chromebook 用户: 如果你无法连接,请尝试 这个解决方案。 ### 其它错误 
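Review bot: steps 2 and 3 of the Android 6+ list in the docs/clients-zh.md hunk at line 406 ask the reader to edit `sha2-truncbug` and the `ike=`/`phase2alg=` lines, which the setup scripts write under `conn shared`, so the edit applies to every client of the server, yet the text does not say that other devices can be affected or that the change should be reverted if it does not help. Suggest adding that caveat to both steps. The reworded step 2 also drops the reminder that the line must stay indented by two spaces; consider keeping it, since ipsec.conf only treats indented lines as part of the conn section.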
diff --git a/docs/clients.md b/docs/clients.md index 42fcfd1967..b368cda28c 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -405,14 +405,14 @@ To fix this error, please follow these steps: If you are unable to connect using Android 6 or above: 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. -1. (For Android 7.1.2 and newer) Edit `/etc/ipsec.conf` on the VPN server. Append `,aes256-sha2_512` to the end of both `ike=` and `phase2alg=` lines. Save the file and run `service ipsec restart`. (Ref) Note that the latest version of VPN scripts already includes this change. -1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`, indented with two spaces. Save the file and run `service ipsec restart`. (Ref) +1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=no` and replace it with `sha2-truncbug=yes`. Save the file and run `service ipsec restart`. (Ref) If still unable to connect, try the next step. +1. Edit `/etc/ipsec.conf` on the VPN server. Append `,aes256-sha2_512` to the end of both `ike=` and `phase2alg=` lines. Save the file and run `service ipsec restart`. (Ref) ![Android VPN workaround](images/vpn-profile-Android.png) ### Chromebook -Chromebook users: If you are unable to connect, try this workaround. Alternatively, edit `/etc/ipsec.conf` on the VPN server, find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. +Chromebook users: If you are unable to connect, try this workaround. ### Other errors diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 7d5e92c946..9ca4310743 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -55,8 +55,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ikev2=insist rekey=no fragmentation=yes - ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 + ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 + phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2 EOF ``` diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 6d6a173118..2d9dd216cd 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -55,8 +55,8 @@ Before continuing, make sure you have successfully Amazon EC2 实例,使用这些映像 (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty)[*](#ubuntu-1804-note) +- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates @@ -77,8 +77,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 高级用户可以在 $35 Raspberry Pi 3 上搭建 VPN 服务器。 - -\***注:** 目前脚本还不支持 Ubuntu 18.04,因为一个 xl2tpd 与 Linux 内核 4.15 兼容性的 问题。 +**注:** 目前脚本还不支持 Ubuntu 18.04,因为一个 xl2tpd 与 Linux 内核 4.15 兼容性的 问题。 :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! diff --git a/README.md b/README.md index f8c0d4636a..08b07f123d 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ For other installation options and how to set up VPN clients, read the sections ## Requirements A newly created Amazon EC2 instance, from these images (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty)[*](#ubuntu-1804-note) +- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates 
@@ -77,8 +77,7 @@ This also includes Linux VMs in public clouds, such as Raspberry Pi 3. - -\***Note:** Ubuntu 18.04 is not yet supported due to an xl2tpd issue with Linux kernel 4.15. +**Note:** Ubuntu 18.04 is not yet supported due to an xl2tpd issue with Linux kernel 4.15. :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 3b75b82c07..2bef225827 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -6,8 +6,6 @@ 在成功搭建自己的 VPN 服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 -另一个带图片的安装指南可供参考,它由 Tony Tran 编写。 - --- * 平台名称 * [Windows](#windows) @@ -406,14 +404,13 @@ REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSe 如果你无法使用 Android 6 或以上版本连接: 1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 -1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=no` 并将它替换为 `sha2-truncbug=yes`。保存修改并运行 `service ipsec restart`。(参见) 如果仍然无法连接,请尝试下一步。 -1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `ike=` 和 `phase2alg=` 两行的末尾添加 `,aes256-sha2_512` 字样。保存修改并运行 `service ipsec restart`。(参见) +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。(参见) ![Android VPN workaround](images/vpn-profile-Android.png) ### Chromebook -Chromebook 用户: 如果你无法连接,请尝试 这个解决方案。 +Chromebook 用户: 如果你无法连接,请参见 这个 Issue。请注意,这个解决方案可能会导致你的其它设备无法连接到 VPN。编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `phase2alg=...` 并将它替换为 `phase2alg=aes_gcm-null`。保存修改并运行 `service ipsec restart`。 ### 其它错误 diff --git a/docs/clients.md b/docs/clients.md index b368cda28c..5fc3b2e60a 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -6,8 +6,6 @@ After setting up your own VPN server, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. -An alternative setup guide with images is available, written by Tony Tran. - --- * Platforms * [Windows](#windows) @@ -405,14 +403,13 @@ To fix this error, please follow these steps: If you are unable to connect using Android 6 or above: 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=no` and replace it with `sha2-truncbug=yes`. Save the file and run `service ipsec restart`. (Ref) If still unable to connect, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Append `,aes256-sha2_512` to the end of both `ike=` and `phase2alg=` lines. Save the file and run `service ipsec restart`. (Ref) +1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. (Ref) ![Android VPN workaround](images/vpn-profile-Android.png) ### Chromebook -Chromebook users: If you are unable to connect, try this workaround. +Chromebook users: If you are unable to connect, refer to this issue. Please note that this fix may break VPN connectivity from your other devices. Edit `/etc/ipsec.conf` on the VPN server. Find `phase2alg=...` and replace it with `phase2alg=aes_gcm-null`. Save the file and run `service ipsec restart`. ### Other errors From 964b7934aad7caa3d435c0692ab748a65e49bee6 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Tue, 8 May 2018 03:11:48 -0500 Subject: [PATCH 0176/1208] Update IKEv2 docs - Add rightid=%fromcert to ipsec.conf - Remove strongSwan Android VPN client instructions due to issues (#307) --- README-zh.md | 2 +- README.md | 2 +- docs/ikev2-howto-zh.md | 27 +++------------------------ docs/ikev2-howto.md | 27 +++------------------------ 4 files changed, 8 insertions(+), 50 deletions(-) diff --git a/README-zh.md b/README-zh.md index 5360c4957e..f7de0a7188 100644 --- a/README-zh.md +++ b/README-zh.md @@ -131,7 +131,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh **配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端** -**如何配置 IKEv2 VPN: Windows 和 Android** +**如何配置 IKEv2 VPN: Windows 7 和更新版本** 如果在连接过程中遇到错误,请参见 故障排除。 diff --git a/README.md b/README.md index 08b07f123d..ae1cd27309 100644 --- a/README.md +++ b/README.md @@ -131,7 +131,7 @@ Get your computer or device to use the VPN. Please refer to: **Configure IPsec/XAuth ("Cisco IPsec") VPN Clients** -**How-To: IKEv2 VPN for Windows and Android** +**How-To: IKEv2 VPN for Windows 7 and above** If you get an error when trying to connect, see Troubleshooting. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 9ca4310743..513f50efda 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -1,4 +1,4 @@ -# 如何配置 IKEv2 VPN: Windows 和 Android +# 如何配置 IKEv2 VPN: Windows 7 和更新版本 *其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* 
@@ -10,14 +10,7 @@ Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较,IKEv2 的功能改进包括比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。另外,IKEv2 支持同时连接在同一个 NAT(比如家用路由器)后面的多个设备到 VPN 服务器。 -Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于以下系统: - -- Windows 7, 8.x 和 10 -- Windows Phone 8.1 及以上 -- strongSwan Android VPN 客户端 -- iOS (iPhone/iPad) 和 macOS <-- 另见 - -下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 +Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 在继续之前,请确保你已经成功 搭建自己的 VPN 服务器。 @@ -44,6 +37,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 leftsubnet=0.0.0.0/0 leftrsasigkey=%cert right=%any + rightid=%fromcert rightaddresspool=192.168.43.10-192.168.43.250 rightca=%same rightrsasigkey=%cert @@ -212,20 +206,6 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. (可选步骤) 如需启用更安全的加密方式,可以添加 这个注册表键 并重启。 - #### Android 4.x 和更新版本 - - 1. 从 **Google Play** 安装 strongSwan VPN Client。 - 1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 - 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP`。 - 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 - 1. 单击添加一个 **User certificate**,然后单击 **Install**。 - 1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 - 1. 保存新的 VPN 连接,然后单击它以开始连接。 - - #### Windows Phone 8.1 及以上 - - 首先导入 `.p12` 文件,然后参照 这些说明 配置一个基于证书的 IKEv2 VPN。 - 1. 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ## 已知问题 @@ -238,4 +218,3 @@ Windows 自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络 * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan * https://libreswan.org/man/ipsec.conf.5.html * https://wiki.strongswan.org/projects/strongswan/wiki/Windows7 -* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 2d9dd216cd..294b7a43fc 100644 
--- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -1,4 +1,4 @@ -# How-To: IKEv2 VPN for Windows and Android +# How-To: IKEv2 VPN for Windows 7 and above *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* @@ -10,14 +10,7 @@ Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains improvements such as Standard Mobility support through MOBIKE, and improved reliability. In addition, IKEv2 supports connecting multiple devices simultaneously from behind the same NAT (e.g. home router) to the VPN server. -Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with: - -- Windows 7, 8.x and 10 -- Windows Phone 8.1 and above -- strongSwan Android VPN client -- iOS (iPhone/iPad) and macOS <-- See also - -The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. +Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. Before continuing, make sure you have successfully set up your VPN server. 
@@ -44,6 +37,7 @@ Before continuing, make sure you have successfully this registry key and reboot. - #### Android 4.x and newer - - 1. Install strongSwan VPN Client from **Google Play**. - 1. Launch the VPN client and tap **Add VPN Profile**. - 1. Enter `Your VPN Server IP` in the **Server** field. - 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. - 1. Tap to add a **User certificate**, then tap **Install**. - 1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. - 1. Save the new VPN connection, then tap to connect. - - #### Windows Phone 8.1 and above - - First import the `.p12` file, then follow these instructions to configure a certificate-based IKEv2 VPN. - 1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Known Issues @@ -238,4 +218,3 @@ The built-in VPN client in Windows does not support IKEv2 fragmentation. On some * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan * https://libreswan.org/man/ipsec.conf.5.html * https://wiki.strongswan.org/projects/strongswan/wiki/Windows7 -* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient From 05847255e509defc8ff05aec8acac16a634fefea Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 9 May 2018 02:43:54 -0500 Subject: [PATCH 0177/1208] Update docs - Fix Shrew Soft VPN Client instructions - Tested and working in Windows 7 - Closes #326 - Closes #379 --- docs/clients-xauth-zh.md | 1 + docs/clients-xauth.md | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 1554d617ab..d2aa93d34e 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md 
@@ -25,6 +25,7 @@ IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP 1. 单击工具栏中的 **Add (+)** 按钮。 1. 在 **Host Name or IP Address** 字段中输入`你的 VPN 服务器 IP`。 1. 单击 **Authentication** 选项卡,从 **Authentication Method** 下拉菜单中选择 **Mutual PSK + XAuth**。 +1. 在 **Local Identity** 子选项卡中,从 **Identification Type** 下拉菜单中选择 **IP Address**。 1. 单击 **Credentials** 子选项卡,并在 **Pre Shared Key** 字段中输入`你的 VPN IPsec PSK`。 1. 单击 **Phase 1** 选项卡,从 **Exchange Type** 下拉菜单中选择 **main**。 1. 单击 **Phase 2** 选项卡,从 **HMAC Algorithm** 下拉菜单中选择 **sha1**。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index a87589f5ed..a6358d9a03 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -25,7 +25,8 @@ IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally faster tha 1. Click the **Add (+)** button on toolbar. 1. Enter `Your VPN Server IP` in the **Host Name or IP Address** field. 1. Click the **Authentication** tab. Select **Mutual PSK + XAuth** from the **Authentication Method** drop-down menu. -1. Click the **Credentials** tab below. Enter `Your VPN IPsec PSK` in the **Pre Shared Key** field. +1. Under the **Local Identity** sub-tab, select **IP Address** from the **Identification Type** drop-down menu. +1. Click the **Credentials** sub-tab. Enter `Your VPN IPsec PSK` in the **Pre Shared Key** field. 1. Click the **Phase 1** tab. Select **main** from the **Exchange Type** drop-down menu. 1. Click the **Phase 2** tab. Select **sha1** from the **HMAC Algorithm** drop-down menu. 1. Click **Save** to save the VPN connection details. From 9417d26afda6cdad9aa098eb05e38d5646e8bfb2 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 10 May 2018 00:11:59 -0500 Subject: [PATCH 0178/1208] Update docs - Improve Chromebook troubleshooting section --- docs/clients-zh.md | 6 +++--- docs/clients.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 2bef225827..ae4a10513e 100644 --- a/docs/clients-zh.md 
+++ b/docs/clients-zh.md @@ -19,7 +19,7 @@ * [Windows 错误 809](#windows-错误-809) * [Windows 错误 628](#windows-错误-628) * [Android 6 及以上版本](#android-6-及以上版本) - * [Chromebook](#chromebook) + * [Chromebook 连接问题](#chromebook-连接问题) * [其它错误](#其它错误) * [额外的步骤](#额外的步骤) @@ -408,9 +408,9 @@ REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSe ![Android VPN workaround](images/vpn-profile-Android.png) -### Chromebook +### Chromebook 连接问题 -Chromebook 用户: 如果你无法连接,请参见 这个 Issue。请注意,这个解决方案可能会导致你的其它设备无法连接到 VPN。编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `phase2alg=...` 并将它替换为 `phase2alg=aes_gcm-null`。保存修改并运行 `service ipsec restart`。 +Chromebook 用户: 如果你无法连接,请参见 这个 Issue。编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。 ### 其它错误 diff --git a/docs/clients.md b/docs/clients.md index 5fc3b2e60a..a0fd24b101 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -19,7 +19,7 @@ After settin * [Windows Error 809](#windows-error-809) * [Windows Error 628](#windows-error-628) * [Android 6 and above](#android-6-and-above) - * [Chromebook](#chromebook) + * [Chromebook issues](#chromebook-issues) * [Other errors](#other-errors) * [Additional steps](#additional-steps) @@ -407,9 +407,9 @@ If you are unable to connect using Android 6 or above: ![Android VPN workaround](images/vpn-profile-Android.png) -### Chromebook +### Chromebook issues -Chromebook users: If you are unable to connect, refer to this issue. Please note that this fix may break VPN connectivity from your other devices. Edit `/etc/ipsec.conf` on the VPN server. Find `phase2alg=...` and replace it with `phase2alg=aes_gcm-null`. Save the file and run `service ipsec restart`. +Chromebook users: If you are unable to connect, refer to this issue. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`. ### Other errors 
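Review bot: In the docs/ikev2-howto-zh.md hunk at -44,6 +37,7 (PATCH 0176), `rightid=%fromcert` is added to the sample conn with no accompanying text, so a reader who built the conn from the earlier version of this howto has no cue that their `/etc/ipsec.conf` needs the new line. The commit message mentions the change but the document does not. Suggest one sentence next to the config block saying that the client ID is now taken from the client certificate, and that existing setups should add the line and run `service ipsec restart`.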
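Review bot: In the "Android 6 and above" hunks of docs/clients.md and docs/clients-zh.md (the patch that ends just before PATCH 0176), step 2 now reads find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`, the exact reverse of the removed step, so on a server whose `/etc/ipsec.conf` still carries `sha2-truncbug=no` there is nothing to find and the only remaining server-side workaround does not apply. Suggest wording the step as "make sure the line reads `sha2-truncbug=no`" and saying what to try when it already does, since the `,aes256-sha2_512` step that used to follow is removed in the same hunk.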
From 7f656042500352d584c713e2a3edacdb5d34f1e6 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 10 May 2018 02:57:08 -0500 Subject: [PATCH 0179/1208] Update Azure template - Use Debian 9 instead of Debian 8 - Update Virtual Machine size options - Add wait for apt/dpkg lock in install.sh --- azure/README-zh.md | 6 +++--- azure/README.md | 6 +++--- azure/azuredeploy.json | 33 ++++++++++----------------------- azure/install.sh | 3 +++ 4 files changed, 19 insertions(+), 29 deletions(-) diff --git a/azure/README-zh.md b/azure/README-zh.md index dd23efe5de..8cc7d0e528 100644 --- a/azure/README-zh.md +++ b/azure/README-zh.md @@ -9,8 +9,8 @@ - Username for VPN and SSH (用户名) - Password for VPN and SSH (密码) - IPsec Pre-Shared Key for VPN (IPsec 预共享密钥) - - Operating System Image (操作系统镜像,Debian 8 或 Ubuntu 16.04 LTS) - - Virtual Machine Size (虚拟机大小,默认值: Basic_A0) + - Operating System Image (操作系统镜像,Debian 9 或 Ubuntu 16.04 LTS) + - Virtual Machine Size (虚拟机大小,默认值: Standard_B1s) 请单击以下按钮开始: @@ -23,7 +23,7 @@ ## 作者 版权所有 (C) 2016 [Daniel Falkner](https://github.com/derdanu) -版权所有 (C) 2017 Lin Song +版权所有 (C) 2017-2018 Lin Song ## 屏幕截图 diff --git a/azure/README.md b/azure/README.md index f9efc7e285..220589afa9 100644 --- a/azure/README.md +++ b/azure/README.md @@ -9,8 +9,8 @@ Customizable with the following options: - Username for VPN and SSH - Password for VPN and SSH - IPsec Pre-Shared Key for VPN - - Operating System Image (Debian 8 or Ubuntu 16.04 LTS) - - Virtual Machine Size (Default: Basic_A0) + - Operating System Image (Debian 9 or Ubuntu 16.04 LTS) + - Virtual Machine Size (Default: Standard_B1s) Press this button to start: @@ -23,7 +23,7 @@ When the deployment finishes, Azure displays a notification. Next steps: [Config ## Authors Copyright (C) 2016 [Daniel Falkner](https://github.com/derdanu) -Copyright (C) 2017 Lin Song +Copyright (C) 2017-2018 Lin Song ## Screenshot diff --git a/azure/azuredeploy.json b/azure/azuredeploy.json index b330df6f18..2f67031e5e 100644 
--- a/azure/azuredeploy.json +++ b/azure/azuredeploy.json @@ -25,34 +25,21 @@ "type": "string", "allowedValues": [ "ubuntu1604", - "debian8" + "debian9" ], - "defaultValue": "debian8", + "defaultValue": "debian9", "metadata": { - "description": "OS to use. Debian 8 or Ubuntu 16.04 LTS" + "description": "OS to use. Debian 9 or Ubuntu 16.04 LTS" } }, "VMSize": { "type": "string", - "defaultValue": "Basic_A0", + "defaultValue": "Standard_B1s", "allowedValues": [ - "Basic_A0", - "Basic_A1", - "Basic_A2", - "Basic_A3", - "Basic_A4", - "Standard_A0", - "Standard_A1", - "Standard_A2", - "Standard_A3", - "Standard_A4", - "Standard_A5", - "Standard_A6", - "Standard_A7", - "Standard_D1", - "Standard_D2", - "Standard_D3", - "Standard_D4" + "Standard_B1s", + "Standard_B1ms", + "Standard_B2s", + "Standard_B2ms" ], "metadata": { "description": "The size of the Virtual Machine." @@ -77,10 +64,10 @@ "sku": "16.04-LTS", "version": "latest" }, - "debian8": { + "debian9": { "publisher": "credativ", "offer": "Debian", - "sku": "8", + "sku": "9", "version": "latest" }, "installScriptURL": "https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/azure/install.sh", diff --git a/azure/install.sh b/azure/install.sh index 4174f5f299..811f7c3c9e 100644 --- a/azure/install.sh +++ b/azure/install.sh @@ -4,4 +4,7 @@ export VPN_IPSEC_PSK=$1 export VPN_USER=$2 export VPN_PASSWORD=$3 +# Wait 60 seconds for apt/dpkg lock +sleep 60 + wget https://git.io/vpnsetup -O vpnsetup.sh && sh vpnsetup.sh From 73a97f2ba457a06628e032160c9320004c2c8398 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 10 May 2018 21:18:58 -0500 Subject: [PATCH 0180/1208] Cleanup --- extras/vpnupgrade.sh | 3 --- vpnsetup.sh | 7 +++---- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 9d81e59d63..274256c8a1 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -163,9 +163,6 @@ fi # Update ipsec.conf for Libreswan 3.19 and newer IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" -if [ "$(uname -m | cut -c1-3)" = "arm" ]; then - PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" -fi sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index 2b5df53541..a30f596121 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -81,7 +81,7 @@ def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then - if [ "$(uname -m | cut -c1-3)" != "arm" ]; then + if ! uname -m | grep -qi '^arm'; then case "$def_iface" in wl*) exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" @@ -274,9 +274,8 @@ conn xauth-psk also=shared EOF -# Workarounds for systems with ARM CPU (e.g. Raspberry Pi) -# - Set "left" to private IP instead of "%defaultroute" -if [ "$(uname -m | cut -c1-3)" = "arm" ]; then +# Workaround for Raspberry Pi +if uname -m | grep -qi '^arm'; then PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf fi From 738f5d476482b1536f95cc889e193d53ba7ed661 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 13 May 2018 00:56:29 -0500 Subject: [PATCH 0181/1208] Improve check for apt/dpkg lock --- vpnsetup.sh | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index a30f596121..27198fa0be 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -134,17 +134,19 @@ bigecho "VPN setup in progress... Please be patient." mkdir -p /opt/src cd /opt/src || exiterr "Cannot enter /opt/src." -bigecho "Populating apt-get cache..." - -# Wait up to 60s for apt/dpkg lock count=0 -while fuser /var/lib/apt/lists/lock /var/lib/dpkg/lock >/dev/null 2>&1; do - [ "$count" -ge "20" ] && exiterr "Cannot get apt/dpkg lock." +while fuser /var/lib/apt/lists/lock /var/lib/dpkg/lock >/dev/null 2>&1 \ + || lsof /var/lib/apt/lists/lock >/dev/null 2>&1 \ + || lsof /var/lib/dpkg/lock >/dev/null 2>&1; do + [ "$count" = "0" ] && bigecho "Waiting for apt to be available..." + [ "$count" -ge "60" ] && exiterr "Could not get apt/dpkg lock." count=$((count+1)) printf '%s' '.' sleep 3 done +bigecho "Populating apt-get cache..." + export DEBIAN_FRONTEND=noninteractive apt-get -yq update || exiterr "'apt-get update' failed." From 94ca6536c8651b77e9af5ea417f15156f37b3e5e Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 13 May 2018 15:26:14 -0500 Subject: [PATCH 0182/1208] Update docs - Fix/Update links - Add reg files for Windows Error 809 fix - Move Linux client instructions --- README-zh.md | 8 +- README.md | 8 +- docs/clients-xauth-zh.md | 4 +- docs/clients-xauth.md | 12 +- docs/clients-zh.md | 220 ++++++++++++++++++------------------ docs/clients.md | 234 ++++++++++++++++++++------------------- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 4 +- 8 files changed, 254 insertions(+), 238 deletions(-) diff --git a/README-zh.md b/README-zh.md index f7de0a7188..8a2a2c30c4 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -69,7 +69,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以另外尝试比如 Shadowsocks 或者 OpenVPN。 -这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Bluemix, OVHRackspace。 +这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Cloud, OVHRackspaceDeploy to Azure Install on DigitalOcean Deploy to Linode @@ -145,7 +145,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性以及一个在 Libreswan 中的问题,现在还不支持同时连接在同一个 NAT(比如家用路由器)后面的多个设备。 -对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 +对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 @@ -173,7 +173,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## 问题和反馈 - 有问题需要提问?请先搜索已有的留言,在 这个 Gist 以及 我的博客。 -- VPN 的相关问题可在 LibreswanstrongSwan 邮件列表提问,或者参考这些网站: [1] [2] [3] [4] [5]。 +- VPN 的相关问题可在 LibreswanstrongSwan 邮件列表提问,或者参考这些网站: [1] [2] [3] [4] [5]。 - 如果你发现了一个可重复的程序漏洞,请提交一个 GitHub Issue。 ## 卸载说明 @@ -184,7 +184,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh - IPsec VPN Server on Docker - IKEv2 VPN Server on Docker -- Streisand +- Streisand - Algo VPN - OpenVPN Install diff --git a/README.md b/README.md index ae1cd27309..c2ed73bbf7 100644 --- a/README.md +++ b/README.md @@ -69,7 +69,7 @@ Please see OpenVPN or Shadowsocks. -This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Bluemix, OVH and Rackspace. +This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Cloud, OVH and Rackspace. Deploy to Azure Install on DigitalOcean Deploy to Linode 
@@ -145,7 +145,7 @@ For **Windows users**, this issue, it is not currently possible to connect multiple devices simultaneously from behind the same NAT (e.g. home router). -For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. +For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. @@ -173,7 +173,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## Bugs & Questions - Got a question? Please first search other people's comments in this Gist and on my blog. -- Ask VPN related questions on the Libreswan or strongSwan mailing list, or read these wikis: [1] [2] [3] [4] [5]. +- Ask VPN related questions on the Libreswan or strongSwan mailing list, or read these wikis: [1] [2] [3] [4] [5]. - If you found a reproducible bug, open a GitHub Issue to submit a bug report. ## Uninstallation @@ -184,7 +184,7 @@ Please refer to Uninstall the VPNIPsec VPN Server on Docker - IKEv2 VPN Server on Docker -- Streisand +- Streisand - Algo VPN - OpenVPN Install diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index d2aa93d34e..821549e188 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -99,14 +99,14 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 +本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 ## 授权协议 注: 这个协议仅适用于本文档。 版权所有 (C) 2016-2018 Lin Song -基于 Joshua Lund 的工作 (版权所有 2014-2016) +基于 Joshua Lund 的工作 (版权所有 2014-2016) 本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index a6358d9a03..5d6139897a 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md 
@@ -35,7 +35,7 @@ IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally faster tha 1. Enter `Your VPN Password` in the **Password** field. 1. Click **Connect**. -Once connected, you will see **tunnel enabled** in the VPN Connect status window. Click the "Network" tab, and confirm that **Established - 1** is displayed under "Security Associations". You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see **tunnel enabled** in the VPN Connect status window. Click the "Network" tab, and confirm that **Established - 1** is displayed under "Security Associations". You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. @@ -57,7 +57,7 @@ If you get an error when trying to connect, see looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Android 
@@ -77,7 +77,7 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy 1. Check the **Save account information** checkbox. 1. Tap **Connect**. -Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. @@ -95,18 +95,18 @@ If you get an error when trying to connect, see looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Credits -This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. +This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. ## License Note: This license applies to this document only. Copyright (C) 2016-2018 Lin Song -Based on the work of Joshua Lund (Copyright 2014-2016) +Based on the work of Joshua Lund (Copyright 2014-2016) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index ae4a10513e..1e4d3904a7 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -160,6 +160,118 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请下载并导入下面的 `.reg` 文件,或者打开 提升权限命令提示符 并运行以下命令。**完成后必须重启计算机。** + +- 适用于 Windows Vista, 7, 8.x 和 10 ([下载 .reg 文件](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_Vista_7_8_10_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +- 仅适用于 Windows XP ([下载 .reg 文件](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_XP_ONLY_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +另外,某些个别的 Windows 系统配置禁用了 IPsec 加密,此时也会导致连接失败。要重新启用它,可以运行以下命令并重启。 + +- 适用于 Windows XP, Vista, 7, 8.x 和 10 ([下载 .reg 文件](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Allow_IPsec_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f + ``` + +### Windows 错误 628 + +> 在连接完成前,连接被远程计算机终止。 + +要解决此错误,请按以下步骤操作: + +1. 右键单击系统托盘中的无线/网络图标,选择 **打开网络与共享中心**。 +1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。 +1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 +1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。 +1. 单击 **高级设置** 按钮。 +1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。 +1. 单击 **确定** 关闭 **高级设置**。 +1. 单击 **确定** 保存 VPN 连接的详细信息。 + +![Select CHAP in VPN connection properties](images/vpn-properties-zh.png) + +### Android 6 及以上版本 + +如果你无法使用 Android 6 或以上版本连接: + +1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 +1. 
编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。(参见) + +![Android VPN workaround](images/vpn-profile-Android.png) + +### Chromebook 连接问题 + +Chromebook 用户: 如果你无法连接,请参见 这个 Issue。编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。 + +### 其它错误 + +如果你遇到其它错误,请参见以下链接: + +* http://www.tp-link.com/en/faq-1029.html +* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ + +### 额外的步骤 + +请尝试下面这些额外的故障排除步骤: + +首先,重启 VPN 服务器上的相关服务: + +```bash +service ipsec restart +service xl2tpd restart +``` + +如果你使用 Docker,请运行 `docker restart ipsec-vpn-server`。 + +然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。 + +检查 Libreswan (IPsec) 和 xl2tpd 日志是否有错误: + +```bash +# Ubuntu & Debian +grep pluto /var/log/auth.log +grep xl2tpd /var/log/syslog + +# CentOS & RHEL +grep pluto /var/log/secure +grep xl2tpd /var/log/messages +``` + +查看 IPsec VPN 服务器状态: + +```bash +ipsec status +ipsec verify +``` + +显示当前已建立的 VPN 连接: + +```bash +ipsec whack --trafficstatus +``` + +## Linux VPN 客户端 + 以下步骤是基于 [Peter Sanford 的工作](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c)。这些命令必须在你的 VPN 客户端上使用 `root` 账户运行。 要配置 VPN 客户端,首先安装以下软件包: 
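Review bot: In the docs/clients-zh.md hunk at -160,6 +160,118, the Windows Error 809 section now links to `.reg` files hosted on static.ls20.com, outside this repository and with no checksum, so readers are asked to import registry changes they cannot compare against anything reviewed here. Suggest committing the `.reg` files to the repository, or publishing a SHA-256 beside each link, and stating that each file sets only the `REG ADD` value shown beneath it, so that a reader can choose the command and skip the download.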
@@ -356,120 +468,16 @@ echo "d myvpn" > /var/run/xl2tpd/l2tp-control strongswan down myvpn ``` -## 故障排除 - -*其他语言版本: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* - -### Windows 错误 809 - -> 无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。 - -要解决此错误,在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请参照链接网页中的说明,或者打开提升权限命令提示符并运行以下命令。完成后必须重启计算机。 - -- 适用于 Windows Vista, 7, 8 和 10 - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -- 仅适用于 Windows XP - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -另外,某些个别的 Windows 系统禁用了 IPsec 加密,此时也会导致连接失败。要重新启用它,可以运行以下命令并重启计算机。 - -```console -REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f -``` - -### Windows 错误 628 - -> 在连接完成前,连接被远程计算机终止。 - -要解决此错误,请按以下步骤操作: - -1. 右键单击系统托盘中的无线/网络图标,选择 **打开网络与共享中心**。 -1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。 -1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 -1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。 -1. 单击 **高级设置** 按钮。 -1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。 -1. 单击 **确定** 关闭 **高级设置**。 -1. 单击 **确定** 保存 VPN 连接的详细信息。 - -![Select CHAP in VPN connection properties](images/vpn-properties-zh.png) - -### Android 6 及以上版本 - -如果你无法使用 Android 6 或以上版本连接: - -1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在,请启用它并重试连接。如果不存在,请尝试下一步。 -1. 
编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。(参见) - -![Android VPN workaround](images/vpn-profile-Android.png) - -### Chromebook 连接问题 - -Chromebook 用户: 如果你无法连接,请参见 这个 Issue。编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。 - -### 其它错误 - -如果你遇到其它错误,请参见以下链接: - -* http://www.tp-link.com/en/faq-1029.html -* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues -* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ - -### 额外的步骤 - -请尝试下面这些额外的故障排除步骤: - -首先,重启 VPN 服务器上的相关服务: - -```bash -service ipsec restart -service xl2tpd restart -``` - -如果你使用 Docker,请运行 `docker restart ipsec-vpn-server`。 - -然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。 - -检查 Libreswan (IPsec) 和 xl2tpd 日志是否有错误: - -```bash -# Ubuntu & Debian -grep pluto /var/log/auth.log -grep xl2tpd /var/log/syslog - -# CentOS & RHEL -grep pluto /var/log/secure -grep xl2tpd /var/log/messages -``` - -查看 IPsec VPN 服务器状态: - -```bash -ipsec status -ipsec verify -``` - -显示当前已建立的 VPN 连接: - -```bash -ipsec whack --trafficstatus -``` - ## 致谢 -本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 +本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 ## 授权协议 注: 这个协议仅适用于本文档。 版权所有 (C) 2016-2018 Lin Song -基于 Joshua Lund 的工作 (版权所有 2014-2016) +基于 Joshua Lund 的工作 (版权所有 2014-2016) 本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。 diff --git a/docs/clients.md b/docs/clients.md index a0fd24b101..4c8b972460 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -73,7 +73,7 @@ After settin **Note:** This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. @@ -96,7 +96,7 @@ If you get an error when trying to connect, see Troub 1. Click the **TCP/IP** tab, and make sure **Link-local only** is selected in the **Configure IPv6** section. 1. Click **OK** to close the Advanced settings, and then click **Apply** to save the VPN connection information. -To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Android 
@@ -115,7 +115,7 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy 1. Check the **Save account information** checkbox. 1. Tap **Connect**. -Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. @@ -133,7 +133,7 @@ If you get an error when trying to connect, see Troub 1. Tap **Done**. 1. Slide the **VPN** switch ON. -Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Chromebook 
@@ -150,16 +150,128 @@ Once connected, you will see a VPN icon in the status bar. You can verify that y 1. Enter `Your VPN Password` for the **Password**. 1. Click **Connect**. -Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". If you get an error when trying to connect, see Troubleshooting. ## Windows Phone -Users with Windows Phone 8.1 and above, try this tutorial. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Users with Windows Phone 8.1 and above, try this tutorial. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Linux +See [Linux VPN Clients](#linux-vpn-clients). + +## Troubleshooting + +*Read this in other languages: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* + +### Windows Error 809 + +> The network connection between your computer and the VPN server could not be established because the remote server is not responding. + +To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Download and import the `.reg` file below, or run the following from an elevated command prompt. 
**You must reboot your PC when finished.** + +- For Windows Vista, 7, 8.x and 10 ([download .reg file](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_Vista_7_8_10_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +- For Windows XP ONLY ([download .reg file](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_XP_ONLY_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f + ``` + +Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC. + +- For Windows XP, Vista, 7, 8.x and 10 ([download .reg file](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Allow_IPsec_Reboot_Required.reg)) + + ```console + REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f + ``` + +### Windows Error 628 + +> The connection was terminated by the remote computer before it could be completed. + +To fix this error, please follow these steps: + +1. Right-click on the wireless/network icon in system tray, select **Open Network and Sharing Center**. +1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**. +1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**. +1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox. +1. Click the **Advanced settings** button. +1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. +1. Click **OK** to close the **Advanced settings**. +1. Click **OK** to save the VPN connection details. 
+ +![Select CHAP in VPN connection properties](images/vpn-properties.png) + +### Android 6 and above + +If you are unable to connect using Android 6 or above: + +1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. +1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. (Ref) + +![Android VPN workaround](images/vpn-profile-Android.png) + +### Chromebook issues + +Chromebook users: If you are unable to connect, refer to this issue. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`. + +### Other errors + +If you encounter other errors, refer to the links below: + +* http://www.tp-link.com/en/faq-1029.html +* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues +* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ + +### Additional steps + +Please try these additional troubleshooting steps: + +First, restart services on the VPN server: + +```bash +service ipsec restart +service xl2tpd restart +``` + +If using Docker, run `docker restart ipsec-vpn-server`. + +Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly. 
+ +Check the Libreswan (IPsec) and xl2tpd logs for errors: + +```bash +# Ubuntu & Debian +grep pluto /var/log/auth.log +grep xl2tpd /var/log/syslog + +# CentOS & RHEL +grep pluto /var/log/secure +grep xl2tpd /var/log/messages +``` + +Check status of the IPsec VPN server: + +```bash +ipsec status +ipsec verify +``` + +Show current established VPN connections: + +```bash +ipsec whack --trafficstatus +``` + +## Linux VPN Clients + Instructions below are based on [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c). Commands must be run as `root` on your VPN client. To set up the VPN client, first install the following packages: @@ -317,7 +429,7 @@ Exclude your VPN server's IP from the new default route (replace with actual val route add YOUR_VPN_SERVER_IP gw X.X.X.X ``` -If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value): +If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value): ```bash route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X 
@@ -355,120 +467,16 @@ echo "d myvpn" > /var/run/xl2tpd/l2tp-control strongswan down myvpn ``` -## Troubleshooting - -*Read this in other languages: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* - -### Windows Error 809 - -> The network connection between your computer and the VPN server could not be established because the remote server is not responding. - -To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Refer to the linked web page, or run the following from an elevated command prompt. When finished, reboot your PC. - -- For Windows Vista, 7, 8.x and 10 - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -- For Windows XP ONLY - ```console - REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f - ``` - -Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC. - -```console -REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f -``` - -### Windows Error 628 - -> The connection was terminated by the remote computer before it could be completed. - -To fix this error, please follow these steps: - -1. Right-click on the wireless/network icon in system tray, select **Open Network and Sharing Center**. -1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**. -1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**. -1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox. -1. Click the **Advanced settings** button. -1. 
Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. -1. Click **OK** to close the **Advanced settings**. -1. Click **OK** to save the VPN connection details. - -![Select CHAP in VPN connection properties](images/vpn-properties.png) - -### Android 6 and above - -If you are unable to connect using Android 6 or above: - -1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. (Ref) - -![Android VPN workaround](images/vpn-profile-Android.png) - -### Chromebook issues - -Chromebook users: If you are unable to connect, refer to this issue. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`. - -### Other errors - -If you encounter other errors, refer to the links below: - -* http://www.tp-link.com/en/faq-1029.html -* https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues -* https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ - -### Additional steps - -Please try these additional troubleshooting steps: - -First, restart services on the VPN server: - -```bash -service ipsec restart -service xl2tpd restart -``` - -If using Docker, run `docker restart ipsec-vpn-server`. - -Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly. 
- -Check the Libreswan (IPsec) and xl2tpd logs for errors: - -```bash -# Ubuntu & Debian -grep pluto /var/log/auth.log -grep xl2tpd /var/log/syslog - -# CentOS & RHEL -grep pluto /var/log/secure -grep xl2tpd /var/log/messages -``` - -Check status of the IPsec VPN server: - -```bash -ipsec status -ipsec verify -``` - -Show current established VPN connections: - -```bash -ipsec whack --trafficstatus -``` - ## Credits -This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. +This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. ## License Note: This license applies to this document only. Copyright (C) 2016-2018 Lin Song -Based on the work of Joshua Lund (Copyright 2014-2016) +Based on the work of Joshua Lund (Copyright 2014-2016) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 513f50efda..1f2b1b77ef 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -181,7 +181,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 vpnclient u,u,u ``` - **注:** 如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 + **注:** 如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 1. 重启 IPsec 服务: diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 294b7a43fc..710e9f9dc3 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -181,7 +181,7 @@ Before continuing, make sure you have successfully this page. + **Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete a certificate, replace `-L` with `-D`. For other `certutil` usage, read this page. 1. Restart IPsec service: 
@@ -206,7 +206,7 @@ Before continuing, make sure you have successfully this registry key and reboot. -1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Known Issues From 3b7039ef7877021110fad332e8c853c4b32fc560 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 16 May 2018 22:34:33 -0500 Subject: [PATCH 0183/1208] Update Linux kernel check --- vpnsetup.sh | 9 +++++++-- vpnsetup_centos.sh | 4 ++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 27198fa0be..2e00b2f1e7 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -70,8 +70,13 @@ if [ "$(id -u)" != 0 ]; then fi case "$(uname -r)" in - 4.14*|4.15*) - exiterr "Linux kernels 4.14/4.15 are not yet supported due to an xl2tpd bug." + 4.14*) + if uname -m | grep -qi '^arm'; then + exiterr "Linux kernel 4.14 is not supported due to an xl2tpd issue." + fi + ;; + 4.15*) + exiterr "Linux kernel 4.15 is not supported due to an xl2tpd issue." ;; esac diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index c96ef5a874..23d8a3abfe 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -61,9 +61,9 @@ if [ "$(id -u)" != 0 ]; then fi case "$(uname -r)" in - 4.14*|4.15*) + 4.15*) if grep -qs "release 6" /etc/redhat-release; then - exiterr "Linux kernels 4.14/4.15 are not yet supported due to an xl2tpd bug." + exiterr "Linux kernel 4.15 is not supported due to an xl2tpd issue." fi ;; esac From e3fe8b05bf79e973542b4c7e3d6292745b433d21 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Mon, 21 May 2018 00:58:24 -0500 Subject: [PATCH 0184/1208] Improve workaround - Specify "left=" in ipsec.conf for servers with 'src' in default route - Ref: https://github.com/libreswan/libreswan/issues/177 --- vpnsetup.sh | 3 +-- vpnsetup_centos.sh | 5 +++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 2e00b2f1e7..576f3617df 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -281,8 +281,7 @@ conn xauth-psk also=shared EOF -# Workaround for Raspberry Pi -if uname -m | grep -qi '^arm'; then +if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 23d8a3abfe..1923142ef2 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -262,6 +262,11 @@ conn xauth-psk also=shared EOF +if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then + PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') + check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf +fi + # Specify IPsec PSK conf_bk "/etc/ipsec.secrets" cat > /etc/ipsec.secrets < Date: Tue, 22 May 2018 01:49:13 -0500 Subject: [PATCH 0185/1208] Update docs --- README-zh.md | 5 +++-- README.md | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/README-zh.md b/README-zh.md index 8a2a2c30c4..3397df9374 100644 --- a/README-zh.md +++ b/README-zh.md @@ -58,7 +58,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh ## 系统要求 一个新创建的 Amazon EC2 实例,使用这些映像 (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) +- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) [*](#ubuntu-1804-note) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates 
@@ -77,7 +77,8 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 高级用户可以在 $35 Raspberry Pi 3 上搭建 VPN 服务器。 -**注:** 目前脚本还不支持 Ubuntu 18.04,因为一个 xl2tpd 与 Linux 内核 4.15 兼容性的 问题。 + +\* **注:** 目前脚本还不支持 Ubuntu 18.04,因为一个 xl2tpd 的 问题。你可以换用 这个 Docker 镜像。 :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! diff --git a/README.md b/README.md index c2ed73bbf7..65db8da81f 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ For other installation options and how to set up VPN clients, read the sections ## Requirements A newly created Amazon EC2 instance, from these images (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) +- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) [*](#ubuntu-1804-note) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates @@ -77,7 +77,8 @@ This also includes Linux VMs in public clouds, such as Raspberry Pi 3. -**Note:** Ubuntu 18.04 is not yet supported due to an xl2tpd issue with Linux kernel 4.15. + +\* **Note:** Ubuntu 18.04 is not yet supported due to an xl2tpd issue. Use this Docker image instead. :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! From 3f8e79b8e4d420c236b56ab57d0b0094f5d5cb1a Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 23 May 2018 00:38:01 -0500 Subject: [PATCH 0186/1208] Use xl2tpd 1.3.12 - Install xl2tpd 1.3.12 for systems with Linux kernel 4.14/4.15 - This version fixes an xl2tpd issue under the above Linux kernels - Remove Linux kernel check and notes which are no longer needed - Ref: xelerance/xl2tpd#147 - Ref: https://github.com/xelerance/xl2tpd/releases --- README-zh.md | 7 ++----- README.md | 7 ++----- vpnsetup.sh | 30 +++++++++++++++++++----------- 3 files changed, 23 insertions(+), 21 deletions(-) diff --git a/README-zh.md b/README-zh.md index 3397df9374..fe0279d702 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -28,7 +28,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 ## 快速开始 -首先,在你的 Linux 服务器[*](#quick-start-note) 上全新安装一个 Ubuntu 16.04/14.04 LTS, Debian 或者 CentOS 系统。 +首先,在你的 Linux 服务器[*](#quick-start-note) 上全新安装一个 Ubuntu LTS, Debian 或者 CentOS 系统。 使用以下命令快速搭建 IPsec VPN 服务器: @@ -58,7 +58,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh ## 系统要求 一个新创建的 Amazon EC2 实例,使用这些映像 (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) [*](#ubuntu-1804-note) +- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates @@ -77,9 +77,6 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 高级用户可以在 $35 Raspberry Pi 3 上搭建 VPN 服务器。 - -\* **注:** 目前脚本还不支持 Ubuntu 18.04,因为一个 xl2tpd 的 问题。你可以换用 这个 Docker 镜像。 - :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! ## 安装说明 diff --git a/README.md b/README.md index 65db8da81f..321056647f 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ We will use Libreswan as th ## Quick start -First, prepare your Linux server[*](#quick-start-note) with a fresh install of Ubuntu 16.04/14.04 LTS, Debian or CentOS. +First, prepare your Linux server[*](#quick-start-note) with a fresh install of Ubuntu LTS, Debian or CentOS. Use this one-liner to set up an IPsec VPN server: @@ -58,7 +58,7 @@ For other installation options and how to set up VPN clients, read the sections ## Requirements A newly created Amazon EC2 instance, from these images (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) [*](#ubuntu-1804-note) +- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates @@ -77,9 +77,6 @@ This also includes Linux VMs in public clouds, such as Raspberry Pi 3. - -\* **Note:** Ubuntu 18.04 is not yet supported due to an xl2tpd issue. Use this Docker image instead. - :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! ## Installation 
diff --git a/vpnsetup.sh b/vpnsetup.sh index 576f3617df..b8d4867f28 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -69,17 +69,6 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -case "$(uname -r)" in - 4.14*) - if uname -m | grep -qi '^arm'; then - exiterr "Linux kernel 4.14 is not supported due to an xl2tpd issue." - fi - ;; - 4.15*) - exiterr "Linux kernel 4.15 is not supported due to an xl2tpd issue." - ;; -esac - net_iface=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" @@ -184,6 +173,25 @@ apt-get -yq install libnss3-dev libnspr4-dev pkg-config \ libcurl4-nss-dev flex bison gcc make libnss3-tools \ libevent-dev ppp xl2tpd || exiterr2 +case "$(uname -r)" in + 4.14*|4.15*) + L2TP_VER=1.3.12 + l2tp_file="xl2tpd-$L2TP_VER.tar.gz" + l2tp_url1="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz" + l2tp_url2="https://mirrors.kernel.org/ubuntu/pool/universe/x/xl2tpd/xl2tpd_$L2TP_VER.orig.tar.gz" + apt-get -yq install libpcap0.8-dev || exiterr2 + if ! { wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url1" || wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url2"; }; then + exiterr "Cannot download xl2tpd source." + fi + /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" + tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file" + cd "xl2tpd-$L2TP_VER" || exiterr "Cannot enter xl2tpd source dir." + make -s 2>/dev/null && PREFIX=/usr make -s install + cd /opt/src || exiterr "Cannot enter /opt/src." + /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" + ;; +esac + bigecho "Installing Fail2Ban to protect SSH..." apt-get -yq install fail2ban || exiterr2 From 8e15eb683c0af5a736449c86a4aef89efdb3120d Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Wed, 23 May 2018 01:39:53 -0500 Subject: [PATCH 0187/1208] Cleanup --- extras/vpnupgrade.sh | 8 +++---- extras/vpnupgrade_centos.sh | 8 +++---- vpnsetup.sh | 42 +++++++++++++++++-------------------- vpnsetup_centos.sh | 27 +++++++++++------------- 4 files changed, 39 insertions(+), 46 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 274256c8a1..b7165d7468 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -118,7 +118,7 @@ esac # Create and change to working dir mkdir -p /opt/src -cd /opt/src || exiterr "Cannot enter /opt/src." +cd /opt/src || exit 1 # Update package index and install Wget export DEBIAN_FRONTEND=noninteractive @@ -136,11 +136,11 @@ swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then - exiterr "Cannot download Libreswan source." + exit 1 fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" -cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." +cd "libreswan-$SWAN_VER" || exit 1 sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = @@ -154,7 +154,7 @@ NPROCS="$(grep -c ^processor /proc/cpuinfo)" make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up -cd /opt/src || exiterr "Cannot enter /opt/src." +cd /opt/src || exit 1 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then exiterr "Libreswan $SWAN_VER failed to build." diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 61d9d39cbd..727051ebc3 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh 
@@ -109,7 +109,7 @@ esac # Create and change to working dir mkdir -p /opt/src -cd /opt/src || exiterr "Cannot enter /opt/src." +cd /opt/src || exit 1 # Install Wget yum -y install wget || exiterr2 @@ -138,11 +138,11 @@ swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then - exiterr "Cannot download Libreswan source." + exit 1 fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" -cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." +cd "libreswan-$SWAN_VER" || exit 1 sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = @@ -153,7 +153,7 @@ NPROCS="$(grep -c ^processor /proc/cpuinfo)" make "-j$((NPROCS+1))" -s base && make -s install-base # Verify the install and clean up -cd /opt/src || exiterr "Cannot enter /opt/src." +cd /opt/src || exit 1 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then exiterr "Libreswan $SWAN_VER failed to build." diff --git a/vpnsetup.sh b/vpnsetup.sh index b8d4867f28..2339dddcfb 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -73,8 +73,8 @@ net_iface=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" -def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) -if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then +def_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) +if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then if ! uname -m | grep -qi '^arm'; then case "$def_iface" in wl*) 
@@ -85,13 +85,13 @@ if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then net_iface="$def_iface" fi -net_iface_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) -if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface" = "lo" ]; then +net_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) +if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$net_iface" = "lo" ]; then printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 </dev/null 2>&1 \ - || lsof /var/lib/apt/lists/lock >/dev/null 2>&1 \ - || lsof /var/lib/dpkg/lock >/dev/null 2>&1; do +APT_LK=/var/lib/apt/lists/lock +PKG_LK=/var/lib/dpkg/lock +while fuser "$APT_LK" "$PKG_LK" >/dev/null 2>&1 \ + || lsof "$APT_LK" >/dev/null 2>&1 || lsof "$PKG_LK" >/dev/null 2>&1; do [ "$count" = "0" ] && bigecho "Waiting for apt to be available..." [ "$count" -ge "60" ] && exiterr "Could not get apt/dpkg lock." count=$((count+1)) @@ -159,10 +160,8 @@ EOF # In case auto IP discovery fails, enter server's public IP here. PUBLIC_IP=${VPN_PUBLIC_IP:-''} -# Try to auto discover IP of this server [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) -# Check IP for correct format check_ip "$PUBLIC_IP" || PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) check_ip "$PUBLIC_IP" || exiterr "Cannot detect this server's public IP. Edit the script and manually enter it." 
@@ -181,13 +180,12 @@ case "$(uname -r)" in l2tp_url2="https://mirrors.kernel.org/ubuntu/pool/universe/x/xl2tpd/xl2tpd_$L2TP_VER.orig.tar.gz" apt-get -yq install libpcap0.8-dev || exiterr2 if ! { wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url1" || wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url2"; }; then - exiterr "Cannot download xl2tpd source." + exit 1 fi /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file" - cd "xl2tpd-$L2TP_VER" || exiterr "Cannot enter xl2tpd source dir." - make -s 2>/dev/null && PREFIX=/usr make -s install - cd /opt/src || exiterr "Cannot enter /opt/src." + cd "xl2tpd-$L2TP_VER" && make -s 2>/dev/null && PREFIX=/usr make -s install + cd /opt/src || exit 1 /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" ;; esac @@ -203,11 +201,11 @@ swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then - exiterr "Cannot download Libreswan source." + exit 1 fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" -cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir." +cd "libreswan-$SWAN_VER" || exit 1 sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = @@ -220,8 +218,7 @@ NPROCS="$(grep -c ^processor /proc/cpuinfo)" [ -z "$NPROCS" ] && NPROCS=1 make "-j$((NPROCS+1))" -s base && make -s install-base -# Verify the install and clean up -cd /opt/src || exiterr "Cannot enter /opt/src." +cd /opt/src || exit 1 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then exiterr "Libreswan $SWAN_VER failed to build." 
@@ -237,7 +234,7 @@ XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'} DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'} DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} -# Create IPsec (Libreswan) config +# Create IPsec config conf_bk "/etc/ipsec.conf" cat > /etc/ipsec.conf < "$IPT_FILE" iptables-save >> "$IPT_FILE" - # Update rules for iptables-persistent IPT_FILE2="/etc/iptables/rules.v4" if [ -f "$IPT_FILE2" ]; then conf_bk "$IPT_FILE2" diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 1923142ef2..91c35f4489 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -72,8 +72,8 @@ net_iface=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" -def_iface_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) -if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then +def_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) +if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then case "$def_iface" in wl*) exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" @@ -82,13 +82,13 @@ if [ -n "$def_iface_state" ] && [ "$def_iface_state" != "down" ]; then net_iface="$def_iface" fi -net_iface_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) -if [ -z "$net_iface_state" ] || [ "$net_iface_state" = "down" ] || [ "$net_iface" = "lo" ]; then +net_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) +if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$net_iface" = "lo" ]; then printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 < Makefile.inc.local <<'EOF' WERROR_CFLAGS = 
@@ -193,8 +191,7 @@ NPROCS="$(grep -c ^processor /proc/cpuinfo)" [ -z "$NPROCS" ] && NPROCS=1 make "-j$((NPROCS+1))" -s base && make -s install-base -# Verify the install and clean up -cd /opt/src || exiterr "Cannot enter /opt/src." +cd /opt/src || exit 1 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then exiterr "Libreswan $SWAN_VER failed to build." @@ -210,7 +207,7 @@ XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'} DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'} DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'} -# Create IPsec (Libreswan) config +# Create IPsec config conf_bk "/etc/ipsec.conf" cat > /etc/ipsec.conf < Date: Wed, 23 May 2018 19:54:37 -0500 Subject: [PATCH 0188/1208] Improve VPN ciphers - Add back aes256-sha2_512 to phase2alg, required on some Android systems - Fixes #391 --- extras/vpnupgrade.sh | 5 ++++- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 6 +++++- vpnsetup_centos.sh | 2 +- 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index b7165d7468..7d601a4fd2 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -162,7 +162,10 @@ fi # Update ipsec.conf for Libreswan 3.19 and newer IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" -PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" +PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" +if uname -m | grep -qi '^arm'; then + PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" +fi sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 727051ebc3..205599aab7 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh 
@@ -166,7 +166,7 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null # Update ipsec.conf for Libreswan 3.19 and newer IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" -PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" +PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index 2339dddcfb..9be9d09ab1 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -258,7 +258,7 @@ conn shared dpdtimeout=120 dpdaction=clear ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2 + phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 sha2-truncbug=yes conn l2tp-psk @@ -291,6 +291,10 @@ if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf fi +if uname -m | grep -qi '^arm'; then + sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf +fi + # Specify IPsec PSK conf_bk "/etc/ipsec.secrets" cat > /etc/ipsec.secrets < Date: Wed, 23 May 2018 20:40:58 -0500 Subject: [PATCH 0189/1208] Use xl2tpd 1.3.12 - Install xl2tpd 1.3.12 for CentOS 6 with Linux kernel 4.14/4.15 - This version fixes an xl2tpd issue under the above Linux kernels - Remove Linux kernel check which is no longer needed - Ref: 3f8e79b (fix for Ubuntu/Debian) --- vpnsetup_centos.sh | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index fd717271d6..713f090223 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -60,14 +60,6 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -case "$(uname -r)" in - 4.15*) - if grep -qs "release 6" /etc/redhat-release; then - exiterr "Linux kernel 4.15 is not supported due to an xl2tpd issue." - fi - ;; -esac - net_iface=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" @@ -166,6 +158,26 @@ else yum "$OPT1" "$OPT2" -y install libevent-devel fipscheck-devel || exiterr2 fi +case "$(uname -r)" in + 4.14*|4.15*) + if grep -qs "release 6" /etc/redhat-release; then + L2TP_VER=1.3.12 + l2tp_file="xl2tpd-$L2TP_VER.tar.gz" + l2tp_url1="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz" + l2tp_url2="https://mirrors.kernel.org/ubuntu/pool/universe/x/xl2tpd/xl2tpd_$L2TP_VER.orig.tar.gz" + yum "$OPT1" "$OPT2" -y install libpcap-devel || exiterr2 + if ! { wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url1" || wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url2"; }; then + exit 1 + fi + /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" + tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file" + cd "xl2tpd-$L2TP_VER" && make -s 2>/dev/null && PREFIX=/usr make -s install + cd /opt/src || exit 1 + /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" + fi + ;; +esac + bigecho "Installing Fail2Ban to protect SSH..." yum -y install fail2ban || exiterr2 From 3c84f8e2abb250d3a4048a90eb4804e53d5a2268 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 24 May 2018 22:04:27 -0500 Subject: [PATCH 0190/1208] Update docs - Add support for Ubuntu 18.04 --- README-zh.md | 6 +++--- README.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README-zh.md b/README-zh.md index fe0279d702..255995af8e 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -53,12 +53,12 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh - 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持 - 可直接作为 Amazon EC2 实例创建时的用户数据使用 - 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能 -- 已测试: Ubuntu 16.04/14.04, Debian 9/8 和 CentOS 7/6 +- 已测试: Ubuntu 18.04/16.04/14.04, Debian 9/8 和 CentOS 7/6 ## 系统要求 一个新创建的 Amazon EC2 实例,使用这些映像 (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) +- Ubuntu 18.04 (Bionic), 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates @@ -149,7 +149,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 -使用 L2TP 内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 16.04, Debian 9, CentOS 7 和 6。 Ubuntu 16.04 用户需要安装 `` linux-image-extra-`uname -r` `` 软件包并且重启 `xl2tpd` 服务。 +使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6。 Ubuntu 用户需要安装 `` linux-image-extra-`uname -r` `` 软件包并运行 `service xl2tpd restart`。 如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 diff --git a/README.md b/README.md index 321056647f..acc34c99e6 100644 --- a/README.md +++ b/README.md 
@@ -53,12 +53,12 @@ For other installation options and how to set up VPN clients, read the sections - Encapsulates all VPN traffic in UDP - does not need ESP protocol - Can be directly used as "user-data" for a new Amazon EC2 instance - Includes `sysctl.conf` optimizations for improved performance -- Tested with Ubuntu 16.04/14.04, Debian 9/8 and CentOS 7/6 +- Tested with Ubuntu 18.04/16.04/14.04, Debian 9/8 and CentOS 7/6 ## Requirements A newly created Amazon EC2 instance, from these images (AMIs): -- Ubuntu 16.04 (Xenial) or 14.04 (Trusty) +- Ubuntu 18.04 (Bionic), 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates @@ -149,7 +149,7 @@ If you wish to add, edit or remove VPN user accounts, see Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. -Using L2TP kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 16.04, Debian 9, CentOS 7 and 6. Ubuntu 16.04 users should install the `` linux-image-extra-`uname -r` `` package and restart the `xl2tpd` service. +Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 9 and CentOS 7/6. Ubuntu users need to install the `` linux-image-extra-`uname -r` `` package and run `service xl2tpd restart`. To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS). Then reboot your server. From f838fcfe12144835177563b54e97c1b9d7cfa032 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 3 Jun 2018 23:24:37 -0500 Subject: [PATCH 0191/1208] Fix IP parsing - Fix parsing private IP on some systems such as Ubuntu 18.04 --- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/vpnsetup.sh b/vpnsetup.sh index 9be9d09ab1..38c617c35e 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -287,7 +287,7 @@ conn xauth-psk EOF if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then - PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') + PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 713f090223..aa28ec36f1 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -272,7 +272,7 @@ conn xauth-psk EOF if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then - PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') + PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf fi From 1ff393b91c6eec784fa0f1cbdb16633d87edbbc7 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 6 Jun 2018 00:40:09 -0500 Subject: [PATCH 0192/1208] Use Libreswan 3.22 - Use Libreswan 3.22 instead of 3.23 due to an issue with connecting multiple IPsec/XAuth VPN clients from behind the same NAT - Ref: c982502 0cf01c0 --- extras/vpnupgrade.sh | 31 +++++++++++++++++++++++-------- extras/vpnupgrade_centos.sh | 31 +++++++++++++++++++++++-------- vpnsetup.sh | 7 ++++--- vpnsetup_centos.sh | 7 ++++--- 4 files changed, 54 insertions(+), 22 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 7d601a4fd2..f92d4fa2d1 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -SWAN_VER=3.23 +SWAN_VER=3.22 ### DO NOT edit below this line ### 
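Review bot: The version pin in the @@ -11 hunk of extras/vpnupgrade.sh has no comment explaining it. `SWAN_VER=3.22` now sits directly under "Check https://libreswan.org for the latest version", which invites the next reader to bump it back to 3.23. The reason (multiple IPsec/XAuth clients behind the same NAT) is stated only in the commit message; a one-line comment above the assignment would keep it with the code.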
@@ -78,6 +78,15 @@ This is intended for use on servers running an older version of Libreswan. EOF +if [ "$SWAN_VER" = "3.23" ]; then +cat <<'EOF' +WARNING: Libreswan 3.23 has an issue with connecting multiple IPsec/XAuth + VPN clients from behind the same NAT (e.g. home router). + Do not upgrade to 3.23 if your use cases include the above. + +EOF +fi + cat <<'EOF' IMPORTANT NOTES: @@ -141,6 +150,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = @@ -179,15 +189,20 @@ echo echo "Libreswan $SWAN_VER was installed successfully! " echo +case "$SWAN_VER" in + 3.2[3-9]) cat <<'EOF' -Note: Users upgrading to Libreswan 3.23 or newer should edit - "/etc/ipsec.conf" and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 - with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" - Then run "service ipsec restart". +NOTE: Users upgrading to Libreswan 3.23 or newer should edit + "/etc/ipsec.conf" and replace these two lines: + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + with a single line like this: + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + Then run "service ipsec restart". + EOF + ;; +esac } diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 205599aab7..a40a42530a 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -SWAN_VER=3.23 +SWAN_VER=3.22 ### DO NOT edit below this line ### 
@@ -69,6 +69,15 @@ This is intended for use on servers running an older version of Libreswan. EOF +if [ "$SWAN_VER" = "3.23" ]; then +cat <<'EOF' +WARNING: Libreswan 3.23 has an issue with connecting multiple IPsec/XAuth + VPN clients from behind the same NAT (e.g. home router). + Do not upgrade to 3.23 if your use cases include the above. + +EOF +fi + cat <<'EOF' IMPORTANT NOTES: @@ -143,6 +152,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = @@ -180,15 +190,20 @@ echo echo "Libreswan $SWAN_VER was installed successfully! " echo +case "$SWAN_VER" in + 3.2[3-9]) cat <<'EOF' -Note: Users upgrading to Libreswan 3.23 or newer should edit - "/etc/ipsec.conf" and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 - with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" - Then run "service ipsec restart". +NOTE: Users upgrading to Libreswan 3.23 or newer should edit + "/etc/ipsec.conf" and replace these two lines: + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + with a single line like this: + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + Then run "service ipsec restart". + EOF + ;; +esac } diff --git a/vpnsetup.sh b/vpnsetup.sh index 38c617c35e..b101599839 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -196,7 +196,7 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.23 +SWAN_VER=3.22 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" 
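Review bot: The guard added in the @@ -180 hunk of extras/vpnupgrade_centos.sh (and the matching hunk of extras/vpnupgrade.sh) does not cover what the message says. The pattern `3.2[3-9])` matches only 3.23 through 3.29, while the text reads "Users upgrading to Libreswan 3.23 or newer", so any later version number set in `SWAN_VER` would skip the `modecfgdns` note without warning. Either widen the pattern to the versions the note is meant for or reword the note to name the versions actually matched.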
@@ -206,7 +206,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -sed -i '/docker-targets\.mk/d' Makefile +sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false @@ -273,7 +273,8 @@ conn xauth-psk auto=add leftsubnet=0.0.0.0/0 rightaddresspool=$XAUTH_POOL - modecfgdns="$DNS_SRV1, $DNS_SRV2" + modecfgdns1=$DNS_SRV1 + modecfgdns2=$DNS_SRV2 leftxauthserver=yes rightxauthclient=yes leftmodecfgserver=yes diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index aa28ec36f1..29863ac909 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -184,7 +184,7 @@ yum -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.23 +SWAN_VER=3.22 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -194,7 +194,7 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -sed -i '/docker-targets\.mk/d' Makefile +sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false @@ -258,7 +258,8 @@ conn xauth-psk auto=add leftsubnet=0.0.0.0/0 rightaddresspool=$XAUTH_POOL - modecfgdns="$DNS_SRV1, $DNS_SRV2" + modecfgdns1=$DNS_SRV1 + modecfgdns2=$DNS_SRV2 leftxauthserver=yes rightxauthclient=yes leftmodecfgserver=yes From d5a01f52f2f5cd59b2febb2a93d14fd1634608d8 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 6 Jun 2018 00:42:58 -0500 Subject: [PATCH 0193/1208] Update docs --- README-zh.md | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README-zh.md b/README-zh.md index 255995af8e..70e02ae0ac 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -141,7 +141,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh **Windows 用户** 在首次连接之前需要修改注册表,以解决 VPN 服务器 和/或 客户端与 NAT(比如家用路由器)的兼容问题。 -同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性以及一个在 Libreswan 中的问题,现在还不支持同时连接在同一个 NAT(比如家用路由器)后面的多个设备。 +同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。 对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 diff --git a/README.md b/README.md index acc34c99e6..6786b1416b 100644 --- a/README.md +++ b/README.md @@ -141,7 +141,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: For **Windows users**, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation and an Libreswan issue, it is not currently possible to connect multiple devices simultaneously from behind the same NAT (e.g. home router). +The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. From 59f817575c6cd9c381a7d707b1b6ed7eec2a323b Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 10 Jun 2018 16:08:12 -0500 Subject: [PATCH 0194/1208] Create rundir - Create /run/pluto which is used as rundir in Libreswan 3.22 and newer - Fixes #407 --- extras/vpnupgrade.sh | 1 + extras/vpnupgrade_centos.sh | 1 + vpnsetup.sh | 1 + vpnsetup_centos.sh | 1 + 4 files changed, 4 insertions(+) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index f92d4fa2d1..4adcb3df61 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -183,6 +183,7 @@ sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf # Restart IPsec service +mkdir -p /run/pluto service ipsec restart echo diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index a40a42530a..9f9fdb266d 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -184,6 +184,7 @@ sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf # Restart IPsec service +mkdir -p /run/pluto service ipsec restart echo diff --git a/vpnsetup.sh b/vpnsetup.sh index b101599839..45b9f2c96b 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -475,6 +475,7 @@ chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* iptables-restore < "$IPT_FILE" # Restart services +mkdir -p /run/pluto service fail2ban restart 2>/dev/null service ipsec restart 2>/dev/null service xl2tpd restart 2>/dev/null diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 29863ac909..678b11ebe7 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -469,6 +469,7 @@ if grep -qs "release 7" /etc/redhat-release; then fi # Restart services +mkdir -p /run/pluto modprobe -q pppol2tp service fail2ban restart 2>/dev/null service ipsec restart 2>/dev/null From 0c151515fe694991c11e8f8a22f84ba6503fec81 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 28 Jun 2018 00:03:42 -0500 Subject: [PATCH 0195/1208] Improve upgrade scripts - Add note for users downgrading to 3.22 - Add check for Libreswan 3.25 (not yet supported) - Print Libreswan versions and improve message - Cleanup --- extras/vpnupgrade.sh | 72 +++++++++++++++++++++++++------------ extras/vpnupgrade_centos.sh | 72 +++++++++++++++++++++++++------------ 2 files changed, 98 insertions(+), 46 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 4adcb3df61..6a3ffffdd0 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -47,11 +47,16 @@ if [ -z "$SWAN_VER" ]; then exiterr "Libreswan version 'SWAN_VER' not specified." fi -if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then +if [ "$SWAN_VER" = "3.25" ]; then + exiterr "Libreswan 3.25 is not yet supported." +fi + +ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" +if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then +if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then echo "You already have Libreswan version $SWAN_VER installed! " echo "If you continue, the same version will be re-installed." echo @@ -68,13 +73,23 @@ if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then esac fi +is_downgrade_to_322=0 +if [ "$SWAN_VER" = "3.22" ]; then + if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then + is_downgrade_to_322=1 + fi +fi + clear cat </dev/null | grep -q "Libreswan"; then +if [ "$SWAN_VER" = "3.25" ]; then + exiterr "Libreswan 3.25 is not yet supported." +fi + +ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" +if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi -if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then +if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then echo "You already have Libreswan version $SWAN_VER installed! " echo "If you continue, the same version will be re-installed." echo 
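Review bot: The downgrade check in the @@ -68 hunk of extras/vpnupgrade.sh matches too loosely. `grep -qF -e "3.23" -e "3.25"` is a fixed-string substring match over the whole `ipsec --version` output held in `ipsec_ver`, so any other text in that output containing 3.23 or 3.25 (for example as part of a longer version number) also sets `is_downgrade_to_322=1` and prints the downgrade note to users who are not downgrading. Suggest tying the match to the product name, e.g. `-e "Libreswan 3.23" -e "Libreswan 3.25"`, assuming the version directly follows "Libreswan" in that output. The same applies to the `grep -qF "$SWAN_VER"` re-install check a few lines up.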
@@ -59,13 +64,23 @@ if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then esac fi +is_downgrade_to_322=0 +if [ "$SWAN_VER" = "3.22" ]; then + if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then + is_downgrade_to_322=1 + fi +fi + clear cat < Date: Thu, 28 Jun 2018 00:49:49 -0500 Subject: [PATCH 0196/1208] Add new version - Add support for upgrading to new Libreswan version 3.25 - "USE_GLIBC_KERN_FLIP_HEADERS = true" is required for compilation - Fixes #412 --- extras/vpnupgrade.sh | 5 +---- extras/vpnupgrade_centos.sh | 5 +---- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 6a3ffffdd0..28a37ab9fc 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -47,10 +47,6 @@ if [ -z "$SWAN_VER" ]; then exiterr "Libreswan version 'SWAN_VER' not specified." fi -if [ "$SWAN_VER" = "3.25" ]; then - exiterr "Libreswan 3.25 is not yet supported." -fi - ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." @@ -168,6 +164,7 @@ sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_GLIBC_KERN_FLIP_HEADERS = true EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 22a32a1776..81e3ace0eb 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -38,10 +38,6 @@ if [ -z "$SWAN_VER" ]; then exiterr "Libreswan version 'SWAN_VER' not specified." fi -if [ "$SWAN_VER" = "3.25" ]; then - exiterr "Libreswan 3.25 is not yet supported." -fi - ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." 
@@ -170,6 +166,7 @@ sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_GLIBC_KERN_FLIP_HEADERS = true EOF NPROCS="$(grep -c ^processor /proc/cpuinfo)" [ -z "$NPROCS" ] && NPROCS=1 From 145f29b4773e0c7d162dcb0116198604c05e5eac Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 30 Jun 2018 00:42:08 -0500 Subject: [PATCH 0197/1208] Improve version check - Add check for some Libreswan versions that are not available - Include Libreswan 3.25 in multiple IPsec/XAuth clients warning - Cleanup notes --- extras/vpnupgrade.sh | 40 ++++++++++++++++++++----------------- extras/vpnupgrade_centos.sh | 40 ++++++++++++++++++++----------------- 2 files changed, 44 insertions(+), 36 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 28a37ab9fc..5537249088 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -47,6 +47,12 @@ if [ -z "$SWAN_VER" ]; then exiterr "Libreswan version 'SWAN_VER' not specified." fi +case "$SWAN_VER" in + 3.24|3.2[6-9]) + exiterr "Libreswan version $SWAN_VER is not available." + ;; +esac + ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." @@ -89,11 +95,11 @@ Version to be installed: Libreswan $SWAN_VER EOF -if [ "$SWAN_VER" = "3.23" ]; then +if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]; then cat <<'EOF' -WARNING: Libreswan 3.23 has an issue with connecting multiple IPsec/XAuth - VPN clients from behind the same NAT (e.g. home router). - Do not upgrade to 3.23 if your use cases include the above. +WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple + IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). + DO NOT upgrade to 3.23/3.25 if your use cases include the above. EOF fi 
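Review bot: The new `case "$SWAN_VER"` block in the @@ -47 hunk of extras/vpnupgrade.sh hard-codes `3.24|3.2[6-9])` as "not available", which also rejects 3.26 to 3.29 after any of them is released, even though the header comment tells users to check libreswan.org for the latest version and set `SWAN_VER` accordingly. Suggest limiting the pattern to versions known never to have existed (3.24 here) and letting the download step report a missing tarball, or at least adding a comment that this list must be updated with each release. The `[ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]` warning in the next hunk has the same maintenance cost and could share one list.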
@@ -103,14 +109,14 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes. This script will make the following changes to your /etc/ipsec.conf: Replace this line: - auth=esp + auth=esp with the following: - phase2=esp + phase2=esp Replace this line: - forceencaps=yes + forceencaps=yes with the following: - encapsulation=yes + encapsulation=yes Consolidate VPN ciphers for "ike=" and "phase2alg=". Re-add "MODP1024" to the list of allowed "ike=" ciphers, @@ -203,12 +209,11 @@ echo case "$SWAN_VER" in 3.2[3-9]) cat <<'EOF' -NOTE: Users upgrading to Libreswan 3.23 or newer should edit - "/etc/ipsec.conf" and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 +NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines: + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" Then run "service ipsec restart". EOF @@ -217,12 +222,11 @@ esac if [ "$is_downgrade_to_322" = "1" ]; then cat <<'EOF' -NOTE: Users downgrading to Libreswan 3.22 should edit - "/etc/ipsec.conf" and replace this line: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" +NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line: + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" with two lines like this: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 Then run "service ipsec restart". EOF diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 81e3ace0eb..e1726e69dd 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh 
@@ -38,6 +38,12 @@ if [ -z "$SWAN_VER" ]; then exiterr "Libreswan version 'SWAN_VER' not specified." fi +case "$SWAN_VER" in + 3.24|3.2[6-9]) + exiterr "Libreswan version $SWAN_VER is not available." + ;; +esac + ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." @@ -80,11 +86,11 @@ Version to be installed: Libreswan $SWAN_VER EOF -if [ "$SWAN_VER" = "3.23" ]; then +if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]; then cat <<'EOF' -WARNING: Libreswan 3.23 has an issue with connecting multiple IPsec/XAuth - VPN clients from behind the same NAT (e.g. home router). - Do not upgrade to 3.23 if your use cases include the above. +WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple + IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). + DO NOT upgrade to 3.23/3.25 if your use cases include the above. EOF fi @@ -94,14 +100,14 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes. This script will make the following changes to your /etc/ipsec.conf: Replace this line: - auth=esp + auth=esp with the following: - phase2=esp + phase2=esp Replace this line: - forceencaps=yes + forceencaps=yes with the following: - encapsulation=yes + encapsulation=yes Consolidate VPN ciphers for "ike=" and "phase2alg=". Re-add "MODP1024" to the list of allowed "ike=" ciphers, 
@@ -204,12 +210,11 @@ echo case "$SWAN_VER" in 3.2[3-9]) cat <<'EOF' -NOTE: Users upgrading to Libreswan 3.23 or newer should edit - "/etc/ipsec.conf" and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 +NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines: + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" Then run "service ipsec restart". EOF @@ -218,12 +223,11 @@ esac if [ "$is_downgrade_to_322" = "1" ]; then cat <<'EOF' -NOTE: Users downgrading to Libreswan 3.22 should edit - "/etc/ipsec.conf" and replace this line: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" +NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line: + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" with two lines like this: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 Then run "service ipsec restart". EOF From b8088d3934263c45d0bf2ad25652d989d127f51f Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 4 Jul 2018 20:07:32 -0500 Subject: [PATCH 0198/1208] Improve EPEL repo - Improve handling of the EPEL repository. Although uncommon, some systems can have epel-release installed but disabled in /etc/yum.repos.d/epel.repo - Fixes #210 --- docs/clients-zh.md | 2 +- docs/clients.md | 2 +- extras/vpnupgrade_centos.sh | 8 ++++---- vpnsetup_centos.sh | 18 +++++++++++------- 4 files changed, 17 insertions(+), 13 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 1e4d3904a7..8e496ef2c2 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -283,7 +283,7 @@ apt-get -y install strongswan xl2tpd # CentOS & RHEL yum -y install epel-release -yum -y install strongswan xl2tpd +yum --enablerepo=epel -y install strongswan xl2tpd # Fedora yum -y install strongswan xl2tpd 
diff --git a/docs/clients.md b/docs/clients.md index 4c8b972460..1f185047c3 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -283,7 +283,7 @@ apt-get -y install strongswan xl2tpd # CentOS & RHEL yum -y install epel-release -yum -y install strongswan xl2tpd +yum --enablerepo=epel -y install strongswan xl2tpd # Fedora yum -y install strongswan xl2tpd diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index e1726e69dd..d97a4323eb 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -147,14 +147,14 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel curl-devel \ flex bison gcc make || exiterr2 -OPT1='--enablerepo=*server-optional*' -OPT2='--enablerepo=*releases-optional*' +REPO1='--enablerepo=*server-optional*' +REPO2='--enablerepo=*releases-optional*' if grep -qs "release 6" /etc/redhat-release; then yum -y remove libevent-devel - yum "$OPT1" "$OPT2" -y install libevent2-devel fipscheck-devel || exiterr2 + yum "$REPO1" "$REPO2" -y install libevent2-devel fipscheck-devel || exiterr2 else yum -y install systemd-devel || exiterr2 - yum "$OPT1" "$OPT2" -y install libevent-devel fipscheck-devel || exiterr2 + yum "$REPO1" "$REPO2" -y install libevent-devel fipscheck-devel || exiterr2 fi # Compile and install Libreswan diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 678b11ebe7..25385e6bd4 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -144,18 +144,22 @@ yum -y install epel-release || yum -y install "$epel_url" || exiterr2 bigecho "Installing packages required for the VPN..." +REPO1='--enablerepo=epel' +REPO2='--enablerepo=*server-optional*' +REPO3='--enablerepo=*releases-optional*' + yum -y install nss-devel nspr-devel pkgconfig pam-devel \ libcap-ng-devel libselinux-devel curl-devel \ - flex bison gcc make ppp xl2tpd || exiterr2 + flex bison gcc make ppp || exiterr2 + +yum "$REPO1" -y install xl2tpd || exiterr2 -OPT1='--enablerepo=*server-optional*' -OPT2='--enablerepo=*releases-optional*' if grep -qs "release 6" /etc/redhat-release; then yum -y remove libevent-devel - yum "$OPT1" "$OPT2" -y install libevent2-devel fipscheck-devel || exiterr2 + yum "$REPO2" "$REPO3" -y install libevent2-devel fipscheck-devel || exiterr2 else yum -y install systemd-devel iptables-services || exiterr2 - yum "$OPT1" "$OPT2" -y install libevent-devel fipscheck-devel || exiterr2 + yum "$REPO2" "$REPO3" -y install libevent-devel fipscheck-devel || exiterr2 fi case "$(uname -r)" in @@ -165,7 +169,7 @@ case "$(uname -r)" in l2tp_file="xl2tpd-$L2TP_VER.tar.gz" l2tp_url1="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz" l2tp_url2="https://mirrors.kernel.org/ubuntu/pool/universe/x/xl2tpd/xl2tpd_$L2TP_VER.orig.tar.gz" - yum "$OPT1" "$OPT2" -y install libpcap-devel || exiterr2 + yum "$REPO2" "$REPO3" -y install libpcap-devel || exiterr2 if ! { wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url1" || wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url2"; }; then exit 1 fi @@ -180,7 +184,7 @@ esac bigecho "Installing Fail2Ban to protect SSH..." -yum -y install fail2ban || exiterr2 +yum "$REPO1" -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." From c8e1bbe6d04ad1c455c2710439472ada8a3e7e11 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Tue, 17 Jul 2018 00:23:14 -0500 Subject: [PATCH 0199/1208] Update docs - Add note for Windows 10 upgrade issues. Closes #376 - Add note for Android VPN troubleshooting. Ref: #416 --- docs/clients-zh.md | 6 ++++++ docs/clients.md | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 8e496ef2c2..c1b26c6e31 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -20,6 +20,7 @@ * [Windows 错误 628](#windows-错误-628) * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook 连接问题](#chromebook-连接问题) + * [Windows 10 升级](#windows-10-升级) * [其它错误](#其它错误) * [额外的步骤](#额外的步骤) @@ -214,6 +215,7 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 参见) ![Android VPN workaround](images/vpn-profile-Android.png) @@ -222,6 +224,10 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 这个 Issue。编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。 +### Windows 10 升级 + +在升级 Windows 10 版本之后 (比如从 1709 到 1803),你可能需要重新按照 [Windows 错误 809](#windows-错误-809) 中的步骤修改注册表并重启。更多信息请参见 这个 Issue。 + ### 其它错误 如果你遇到其它错误,请参见以下链接: diff --git a/docs/clients.md b/docs/clients.md index 1f185047c3..6172e994f2 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -20,6 +20,7 @@ After settin * [Windows Error 628](#windows-error-628) * [Android 6 and above](#android-6-and-above) * [Chromebook issues](#chromebook-issues) + * [Windows 10 upgrades](#windows-10-upgrades) * [Other errors](#other-errors) * [Additional steps](#additional-steps) 
@@ -214,6 +215,7 @@ To fix this error, please follow these steps: If you are unable to connect using Android 6 or above: 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. +1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Save the file and run `service ipsec restart`. If still unable to connect, try the next step. 1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. (Ref) ![Android VPN workaround](images/vpn-profile-Android.png) @@ -222,6 +224,10 @@ If you are unable to connect using Android 6 or above: Chromebook users: If you are unable to connect, refer to this issue. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`. +### Windows 10 upgrades + +After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix for [Windows Error 809](#windows-error-809) and reboot. Refer to this issue for more information. + ### Other errors If you encounter other errors, refer to the links below: From 89e105fcdad15f83109b957ce3709405500cd415 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 4 Sep 2018 00:51:58 -0500 Subject: [PATCH 0200/1208] Update docs - Closes #433 --- README-zh.md | 4 +++- README.md | 4 +++- docs/ikev2-howto-zh.md | 4 ++-- docs/ikev2-howto.md | 4 ++-- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/README-zh.md b/README-zh.md index 70e02ae0ac..a3a9bdd1a1 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -143,7 +143,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。 -对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。 +对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。 如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 @@ -168,6 +168,8 @@ wget https://git.io/vpnupgrade -O vpnupgrade.sh wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ``` +:warning: VPN 脚本默认安装 Libreswan 3.22,因为新版本 3.23 和 3.25 存在问题,从而不能同时连接在同一个 NAT (比如家用路由器)后面的多个 IPsec/XAuth VPN 客户端。 + ## 问题和反馈 - 有问题需要提问?请先搜索已有的留言,在 这个 Gist 以及 我的博客。 diff --git a/README.md b/README.md index 6786b1416b..8c37b710d8 100644 --- a/README.md +++ b/README.md @@ -143,7 +143,7 @@ For **Windows users**, this IPsec/XAuth mode. -For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. +For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433). If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. @@ -168,6 +168,8 @@ wget https://git.io/vpnupgrade -O vpnupgrade.sh wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ``` +:warning: The VPN scripts install Libreswan 3.22 by default, because newer versions 3.23 and 3.25 have issues with connecting multiple IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). + ## Bugs & Questions - Got a question? Please first search other people's comments in this Gist and on my blog. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 1f2b1b77ef..6e3e1251e4 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -204,7 +204,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 启用新的 IKEv2 VPN 连接,并且开始使用 VPN! https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect - 1. (可选步骤) 如需启用更安全的加密方式,可以添加 这个注册表键 并重启。 + 1. (可选步骤) 如需启用更安全的加密方式,可以添加 这个注册表键 并重启。 1. 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 @@ -217,4 +217,4 @@ Windows 自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络 * https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan * https://libreswan.org/man/ipsec.conf.5.html -* https://wiki.strongswan.org/projects/strongswan/wiki/Windows7 +* https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 710e9f9dc3..f6d730da27 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -204,7 +204,7 @@ Before continuing, make sure you have successfully this registry key and reboot. + 1. (Optional) You may enable stronger ciphers by adding this registry key and reboot. 1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". @@ -217,4 +217,4 @@ The built-in VPN client in Windows does not support IKEv2 fragmentation. On some * https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2 * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan * https://libreswan.org/man/ipsec.conf.5.html -* https://wiki.strongswan.org/projects/strongswan/wiki/Windows7 +* https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients From 1227a0ed5d1a89ab480b34135bb69443a1704df6 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Tue, 4 Sep 2018 23:11:59 -0500 Subject: [PATCH 0201/1208] Improve xl2tpd workaround - Exclude Ubuntu from xl2tpd 1.3.12 workaround (Ref: 3f8e79b), because updated xl2tpd packages are now available for Ubuntu 16.04 and 18.04 See: https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1760796 - Add Linux kernel 4.16 to the list of kernels to work around - Cleanup --- vpnsetup.sh | 28 +++++++++++++++------------- vpnsetup_centos.sh | 16 ++++++++-------- 2 files changed, 23 insertions(+), 21 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 45b9f2c96b..ca46b5947a 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -173,20 +173,22 @@ apt-get -yq install libnss3-dev libnspr4-dev pkg-config \ libevent-dev ppp xl2tpd || exiterr2 case "$(uname -r)" in - 4.14*|4.15*) - L2TP_VER=1.3.12 - l2tp_file="xl2tpd-$L2TP_VER.tar.gz" - l2tp_url1="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz" - l2tp_url2="https://mirrors.kernel.org/ubuntu/pool/universe/x/xl2tpd/xl2tpd_$L2TP_VER.orig.tar.gz" - apt-get -yq install libpcap0.8-dev || exiterr2 - if ! { wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url1" || wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url2"; }; then - exit 1 + 4.1[456]*) + if ! printf '%s' "$os_type" | head -n 1 | grep -qiF ubuntu; then + L2TP_VER=1.3.12 + l2tp_dir="xl2tpd-$L2TP_VER" + l2tp_file="$l2tp_dir.tar.gz" + l2tp_url="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz" + apt-get -yq install libpcap0.8-dev || exiterr2 + if ! wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url"; then + exit 1 + fi + /bin/rm -rf "/opt/src/$l2tp_dir" + tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file" + cd "$l2tp_dir" && make -s 2>/dev/null && PREFIX=/usr make -s install + cd /opt/src || exit 1 + /bin/rm -rf "/opt/src/$l2tp_dir" fi - /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" - tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file" - cd "xl2tpd-$L2TP_VER" && make -s 2>/dev/null && PREFIX=/usr make -s install - cd /opt/src || exit 1 - /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" ;; esac diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 25385e6bd4..e7b143a7c4 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -163,21 +163,21 @@ else fi case "$(uname -r)" in - 4.14*|4.15*) + 4.1[456]*) if grep -qs "release 6" /etc/redhat-release; then L2TP_VER=1.3.12 - l2tp_file="xl2tpd-$L2TP_VER.tar.gz" - l2tp_url1="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz" - l2tp_url2="https://mirrors.kernel.org/ubuntu/pool/universe/x/xl2tpd/xl2tpd_$L2TP_VER.orig.tar.gz" + l2tp_dir="xl2tpd-$L2TP_VER" + l2tp_file="$l2tp_dir.tar.gz" + l2tp_url="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz" yum "$REPO2" "$REPO3" -y install libpcap-devel || exiterr2 - if ! { wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url1" || wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url2"; }; then + if ! wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url"; then exit 1 fi - /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" + /bin/rm -rf "/opt/src/$l2tp_dir" tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file" - cd "xl2tpd-$L2TP_VER" && make -s 2>/dev/null && PREFIX=/usr make -s install + cd "$l2tp_dir" && make -s 2>/dev/null && PREFIX=/usr make -s install cd /opt/src || exit 1 - /bin/rm -rf "/opt/src/xl2tpd-$L2TP_VER" + /bin/rm -rf "/opt/src/$l2tp_dir" fi ;; esac From 7ce65083af6cc516d77711663870e4e7de2690db Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 6 Sep 2018 00:22:31 -0500 Subject: [PATCH 0202/1208] Update IKEv2 docs - Skip the "random keystrokes" step when generating certificates (use /dev/urandom instead) - Cleanup --- docs/ikev2-howto-zh.md | 136 ++++++++++++++++++----------------------- docs/ikev2-howto.md | 134 +++++++++++++++++----------------------- 2 files changed, 115 insertions(+), 155 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 6e3e1251e4..1830045709 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -54,32 +54,32 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 EOF ``` - 还需要在该文件中添加一些行。首先查看你的 Libreswan 版本: + 还需要在该文件中添加一些行。首先查看你的 Libreswan 版本,然后运行以下命令之一: ```bash $ ipsec --version ``` - 对于 Libreswan 3.23 或更新版本,请运行: + 如果是 Libreswan 3.19-3.22: ```bash $ cat >> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf < - Is this a critical extension [y/N]? - N - - $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \ - --keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth --extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP" - - A random seed must be generated that will be used in the - creation of your key. One of the easiest ways to create a - random seed is to use the timing of keystrokes on a keyboard. - - To begin, type keys on the keyboard until this progress meter - is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! - - Continue typing until the progress meter is full: - - |************************************************************| - - Finished. Press enter to continue: + $ certutil -z <(head -c 1024 /dev/urandom) \ + -S -x -n "Example CA" \ + -s "O=Example,CN=Example CA" \ + -k rsa -g 4096 -v 36 \ + -d sql:/etc/ipsec.d -t "CT,," -2 + + Generating key. This may take a few moments... + + Is this a CA certificate [y/N]? + y + Enter the path length constraint, enter to skip [<0 for unlimited path]: > + Is this a critical extension [y/N]? + N + ``` - Generating key. This may take a few moments... + ```bash + $ certutil -z <(head -c 1024 /dev/urandom) \ + -S -c "Example CA" -n "$PUBLIC_IP" \ + -s "O=Example,CN=$PUBLIC_IP" \ + -k rsa -g 4096 -v 36 \ + -d sql:/etc/ipsec.d -t ",," \ + --keyUsage digitalSignature,keyEncipherment \ + --extKeyUsage serverAuth \ + --extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP" + + Generating key. This may take a few moments... ``` 1. 
生成客户端证书,并且导出 `.p12` 文件。该文件包含客户端证书,私钥以及 CA 证书: ```bash - $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \ - --keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth,clientAuth -8 "vpnclient" - - A random seed must be generated that will be used in the - creation of your key. One of the easiest ways to create a - random seed is to use the timing of keystrokes on a keyboard. - - To begin, type keys on the keyboard until this progress meter - is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! - - Continue typing until the progress meter is full: - - |************************************************************| - - Finished. Press enter to continue: - - Generating key. This may take a few moments... + $ certutil -z <(head -c 1024 /dev/urandom) \ + -S -c "Example CA" -n "vpnclient" \ + -s "O=Example,CN=vpnclient" \ + -k rsa -g 4096 -v 36 \ + -d sql:/etc/ipsec.d -t ",," \ + --keyUsage digitalSignature,keyEncipherment \ + --extKeyUsage serverAuth,clientAuth -8 "vpnclient" + + Generating key. This may take a few moments... + ``` + ```bash $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d - Enter password for PKCS12 file: - Re-enter password: - pk12util: PKCS12 EXPORT SUCCESSFUL + Enter password for PKCS12 file: + Re-enter password: + pk12util: PKCS12 EXPORT SUCCESSFUL ``` - 重复这个步骤来为更多的客户端生成证书,但必须把所有的 `vpnclient` 换成 `vpnclient2`,等等。 + 你可以重复本步骤来为更多的客户端生成证书。将所有的 `vpnclient` 换成 `vpnclient2`,等等。 - **注:** 如果你需要同时连接多个客户端,则必须为每一个客户端生成唯一的证书。 + **注:** 如需同时连接多个客户端,则必须为每个客户端生成唯一的证书。 1. 
证书数据库现在应该包含以下内容: ```bash $ certutil -L -d sql:/etc/ipsec.d - Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI + Certificate Nickname Trust Attributes + SSL,S/MIME,JAR/XPI - Example CA CTu,u,u - ($PUBLIC_IP) u,u,u - vpnclient u,u,u + Example CA CTu,u,u + ($PUBLIC_IP) u,u,u + vpnclient u,u,u ``` - **注:** 如需显示证书,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 + **注:** 如需显示证书内容,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 1. 重启 IPsec 服务: @@ -189,7 +169,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ service ipsec restart ``` -1. 文件 `vpnclient.p12` 应该被安全地传送到 VPN 客户端设备。下一步: +1. 将文件 `vpnclient.p12` 安全地传送到 VPN 客户端设备。下一步: #### Windows 7, 8.x 和 10 @@ -201,10 +181,10 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config - 1. 启用新的 IKEv2 VPN 连接,并且开始使用 VPN! + 1. 启用新的 VPN 连接,并且开始使用 IKEv2 VPN! https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect - 1. (可选步骤) 如需启用更安全的加密方式,可以添加 这个注册表键 并重启。 + 1. (可选步骤) 如需启用更安全的加密方式,你可以添加 这个注册表键 并重启。 1. 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index f6d730da27..70206d5544 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -4,7 +4,7 @@ --- -**IMPORTANT:** This guide is for **advanced users** only. Other users please use IPsec/L2TP or IPsec/XAuth. +**Important:** This guide is for **advanced users** only. Other users please use IPsec/L2TP or IPsec/XAuth. --- 
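Review bot: The new `certutil -z <(head -c 1024 /dev/urandom)` commands in both howto files rely on process substitution, which bash supports but plain `sh` does not, and the steps shown in these hunks do not say which shell to use. Add a sentence that the commands must be run in bash, or write the seed to a temporary file and pass its path to `-z`.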
@@ -54,32 +54,32 @@ Before continuing, make sure you have successfully > /etc/ipsec.conf <> /etc/ipsec.conf < - Is this a critical extension [y/N]? - N - - $ certutil -S -c "Example CA" -n "$PUBLIC_IP" -s "O=Example,CN=$PUBLIC_IP" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \ - --keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth --extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP" - - A random seed must be generated that will be used in the - creation of your key. One of the easiest ways to create a - random seed is to use the timing of keystrokes on a keyboard. - - To begin, type keys on the keyboard until this progress meter - is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! - - Continue typing until the progress meter is full: - - |************************************************************| - - Finished. Press enter to continue: + $ certutil -z <(head -c 1024 /dev/urandom) \ + -S -x -n "Example CA" \ + -s "O=Example,CN=Example CA" \ + -k rsa -g 4096 -v 36 \ + -d sql:/etc/ipsec.d -t "CT,," -2 + + Generating key. This may take a few moments... + + Is this a CA certificate [y/N]? + y + Enter the path length constraint, enter to skip [<0 for unlimited path]: > + Is this a critical extension [y/N]? + N + ``` - Generating key. This may take a few moments... + ```bash + $ certutil -z <(head -c 1024 /dev/urandom) \ + -S -c "Example CA" -n "$PUBLIC_IP" \ + -s "O=Example,CN=$PUBLIC_IP" \ + -k rsa -g 4096 -v 36 \ + -d sql:/etc/ipsec.d -t ",," \ + --keyUsage digitalSignature,keyEncipherment \ + --extKeyUsage serverAuth \ + --extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP" + + Generating key. This may take a few moments... ``` 1. 
Generate client certificate(s), and export the `.p12` file that contains the client certificate, private key, and CA certificate: ```bash - $ certutil -S -c "Example CA" -n "vpnclient" -s "O=Example,CN=vpnclient" -k rsa -g 4096 -v 36 -d sql:/etc/ipsec.d -t ",," \ - --keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth,clientAuth -8 "vpnclient" - - A random seed must be generated that will be used in the - creation of your key. One of the easiest ways to create a - random seed is to use the timing of keystrokes on a keyboard. - - To begin, type keys on the keyboard until this progress meter - is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! - - Continue typing until the progress meter is full: - - |************************************************************| - - Finished. Press enter to continue: - - Generating key. This may take a few moments... + $ certutil -z <(head -c 1024 /dev/urandom) \ + -S -c "Example CA" -n "vpnclient" \ + -s "O=Example,CN=vpnclient" \ + -k rsa -g 4096 -v 36 \ + -d sql:/etc/ipsec.d -t ",," \ + --keyUsage digitalSignature,keyEncipherment \ + --extKeyUsage serverAuth,clientAuth -8 "vpnclient" + + Generating key. This may take a few moments... + ``` + ```bash $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d - Enter password for PKCS12 file: - Re-enter password: - pk12util: PKCS12 EXPORT SUCCESSFUL + Enter password for PKCS12 file: + Re-enter password: + pk12util: PKCS12 EXPORT SUCCESSFUL ``` - Repeat this step for additional VPN clients, but replace every `vpnclient` with `vpnclient2`, etc. + Repeat this step to generate certificates for additional VPN clients. Replace every `vpnclient` with `vpnclient2`, etc. - **Note:** If you wish to connect multiple VPN clients simultaneously, you must generate a unique certificate for each. + **Note:** To connect multiple VPN clients simultaneously, you must generate a unique certificate for each. 1. 
The database should now contain: ```bash $ certutil -L -d sql:/etc/ipsec.d - Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI + Certificate Nickname Trust Attributes + SSL,S/MIME,JAR/XPI - Example CA CTu,u,u - ($PUBLIC_IP) u,u,u - vpnclient u,u,u + Example CA CTu,u,u + ($PUBLIC_IP) u,u,u + vpnclient u,u,u ``` **Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete a certificate, replace `-L` with `-D`. For other `certutil` usage, read this page. @@ -198,10 +178,10 @@ Before continuing, make sure you have successfully this registry key and reboot. From 8d90a3877c7c55854cf45192042bbc7d91892466 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 10 Sep 2018 01:26:31 -0500 Subject: [PATCH 0203/1208] Add version note --- vpnsetup.sh | 2 ++ vpnsetup_centos.sh | 2 ++ 2 files changed, 4 insertions(+) diff --git a/vpnsetup.sh b/vpnsetup.sh index ca46b5947a..633b338c11 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -198,6 +198,8 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." +# Note: DO NOT EDIT. To install a different Libreswan version, +# run the upgrade scripts in this repo after install. SWAN_VER=3.22 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index e7b143a7c4..0adb3cd1dc 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -188,6 +188,8 @@ yum "$REPO1" -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." +# Note: DO NOT EDIT. To install a different Libreswan version, +# run the upgrade scripts in this repo after install. SWAN_VER=3.22 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" From 2fe44b172ebc5230ba7b7b45f5642986a7edd287 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Tue, 11 Sep 2018 00:03:04 -0500 Subject: [PATCH 0204/1208] Improve Libreswan versions - Add compilation workarounds specific to Libreswan 3.23/3.25 to the VPN setup scripts, so that users may install those versions by modifying SWAN_VER before running the scripts - Cleanup --- vpnsetup.sh | 17 +++++++++++------ vpnsetup_centos.sh | 17 +++++++++++------ 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 633b338c11..ff00b3fb47 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -180,9 +180,7 @@ case "$(uname -r)" in l2tp_file="$l2tp_dir.tar.gz" l2tp_url="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz" apt-get -yq install libpcap0.8-dev || exiterr2 - if ! wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url"; then - exit 1 - fi + wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url" || exit 1 /bin/rm -rf "/opt/src/$l2tp_dir" tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file" cd "$l2tp_dir" && make -s 2>/dev/null && PREFIX=/usr make -s install @@ -198,8 +196,6 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -# Note: DO NOT EDIT. To install a different Libreswan version, -# run the upgrade scripts in this repo after install. SWAN_VER=3.22 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" @@ -210,10 +206,12 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_GLIBC_KERN_FLIP_HEADERS = true EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 
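Review bot: In the hunk above, `sed -i '/docker-targets\.mk/d' Makefile` and `USE_GLIBC_KERN_FLIP_HEADERS = true` are applied for every `SWAN_VER`, while the commit message describes them as workarounds specific to 3.23/3.25 and the `LSWBUF_CANARY` fix on the preceding line is now gated on 3.22. Either gate them the same way or add a comment stating that they are safe for all supported versions. With the "DO NOT EDIT" comment removed in this patch, a check that an edited `SWAN_VER` is one of the supported values would also help, since nothing in the visible lines validates it before the tarball is unpacked and built.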
@@ -291,6 +289,13 @@ conn xauth-psk also=shared EOF +case "$SWAN_VER" in + 3.2[35]) + sed -i "/modecfgdns/d" /etc/ipsec.conf + echo " modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"" >> /etc/ipsec.conf + ;; +esac + if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 0adb3cd1dc..36eb6c3db7 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -170,9 +170,7 @@ case "$(uname -r)" in l2tp_file="$l2tp_dir.tar.gz" l2tp_url="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz" yum "$REPO2" "$REPO3" -y install libpcap-devel || exiterr2 - if ! wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url"; then - exit 1 - fi + wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url" || exit 1 /bin/rm -rf "/opt/src/$l2tp_dir" tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file" cd "$l2tp_dir" && make -s 2>/dev/null && PREFIX=/usr make -s install @@ -188,8 +186,6 @@ yum "$REPO1" -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -# Note: DO NOT EDIT. To install a different Libreswan version, -# run the upgrade scripts in this repo after install. SWAN_VER=3.22 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" @@ -200,10 +196,12 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h +sed -i '/docker-targets\.mk/d' Makefile cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_GLIBC_KERN_FLIP_HEADERS = true EOF NPROCS="$(grep -c ^processor /proc/cpuinfo)" [ -z "$NPROCS" ] && NPROCS=1 
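Review bot: The `3.2[35])` branch added to vpnsetup.sh after the ipsec.conf heredoc (the same block is added to vpnsetup_centos.sh in the next hunk) deletes every line containing `modecfgdns` and appends the replacement to the end of the file, so the setting lands in whichever section is last, which in the visible context is `conn xauth-psk`, regardless of where the original lines were. Rewriting in place, for example replacing the `modecfgdns1=` line with the combined value and deleting only the `modecfgdns2=` line, keeps the setting in its original section and avoids removing unrelated lines that happen to mention the word.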
@@ -278,6 +276,13 @@ conn xauth-psk also=shared EOF +case "$SWAN_VER" in + 3.2[35]) + sed -i "/modecfgdns/d" /etc/ipsec.conf + echo " modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"" >> /etc/ipsec.conf + ;; +esac + if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf From 716bdad687008f82e2b8f9cf475c5371a07e4f44 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 14 Sep 2018 00:01:00 -0500 Subject: [PATCH 0205/1208] Update docs - Add troubleshooting sections for Windows 10 version 1803 and macOS IPsec/L2TP mode "Send all traffic" - Cleanup - Ref: #442 #376 --- docs/clients-zh.md | 29 ++++++++++++++++++----------- docs/clients.md | 29 ++++++++++++++++++----------- 2 files changed, 36 insertions(+), 22 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index c1b26c6e31..34c51f2eb4 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -18,9 +18,10 @@ * [故障排除](#故障排除) * [Windows 错误 809](#windows-错误-809) * [Windows 错误 628](#windows-错误-628) + * [Windows 10 版本 1803](#windows-10-版本-1803) + * [macOS VPN 流量](#macos-vpn-流量) * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook 连接问题](#chromebook-连接问题) - * [Windows 10 升级](#windows-10-升级) * [其它错误](#其它错误) * [额外的步骤](#额外的步骤) @@ -93,7 +94,7 @@ 1. 在 **机器鉴定** 部分,选择 **共享的密钥** 单选按钮,然后输入`你的 VPN IPsec PSK`。 1. 单击 **好**。 1. 选中 **在菜单栏中显示 VPN 状态** 复选框。 -1. 单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。 +1. **(重要)** 单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。 1. 单击 **TCP/IP** 选项卡,并在 **配置IPv6** 部分中选择 **仅本地链接**。 1. 单击 **好** 关闭高级设置,然后单击 **应用** 保存VPN连接信息。 
@@ -210,23 +211,29 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 参见) +1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在(看下图),请启用它并重试连接。如果不存在,请尝试下一步。 +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart` (参见)。如果仍然无法连接,请尝试下一步。 +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `phase2alg=...` 一行并在末尾加上 `,aes256-sha2_256` 字样。保存修改并运行 `service ipsec restart`。 ![Android VPN workaround](images/vpn-profile-Android.png) ### Chromebook 连接问题 -Chromebook 用户: 如果你无法连接,请参见 这个 Issue。编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。 - -### Windows 10 升级 - -在升级 Windows 10 版本之后 (比如从 1709 到 1803),你可能需要重新按照 [Windows 错误 809](#windows-错误-809) 中的步骤修改注册表并重启。更多信息请参见 这个 Issue。 +Chromebook 用户: 如果你无法连接,请尝试以下步骤:编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。 ### 其它错误 diff --git a/docs/clients.md b/docs/clients.md index 6172e994f2..77c95020a5 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -18,9 +18,10 @@ After settin * [Troubleshooting](#troubleshooting) * [Windows Error 809](#windows-error-809) * [Windows Error 628](#windows-error-628) + * [Windows 10 version 1803](#windows-10-version-1803) + * [macOS VPN traffic](#macos-vpn-traffic) * [Android 6 and above](#android-6-and-above) * [Chromebook issues](#chromebook-issues) - * [Windows 10 upgrades](#windows-10-upgrades) * [Other errors](#other-errors) * [Additional steps](#additional-steps) 
@@ -93,7 +94,7 @@ If you get an error when trying to connect, see Troub 1. In the **Machine Authentication** section, select the **Shared Secret** radio button and enter `Your VPN IPsec PSK`. 1. Click **OK**. 1. Check the **Show VPN status in menu bar** checkbox. -1. Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. +1. **(Important)** Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. 1. Click the **TCP/IP** tab, and make sure **Link-local only** is selected in the **Configure IPv6** section. 1. Click **OK** to close the Advanced settings, and then click **Apply** to save the VPN connection information. 
@@ -210,23 +211,29 @@ To fix this error, please follow these steps: ![Select CHAP in VPN connection properties](images/vpn-properties.png) +### Windows 10 version 1803 + +If you are unable to connect using Windows 10 version 1803 or above, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Then find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. + +Also, after upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix for [Windows Error 809](#windows-error-809) and reboot. + +### macOS VPN traffic + +OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show `Your VPN Server IP`, read the [OS X](#os-x) section above and complete this step: Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. Then re-connect the VPN. + ### Android 6 and above -If you are unable to connect using Android 6 or above: +If you are unable to connect using Android 6 or above, try these steps in order: -1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Save the file and run `service ipsec restart`. If still unable to connect, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. (Ref) +1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. 
If not, try the next step. +1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart` (Ref). If still unable to connect, try the next step. +1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Save the file and run `service ipsec restart`. ![Android VPN workaround](images/vpn-profile-Android.png) ### Chromebook issues -Chromebook users: If you are unable to connect, refer to this issue. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`. - -### Windows 10 upgrades - -After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix for [Windows Error 809](#windows-error-809) and reboot. Refer to this issue for more information. +Chromebook users: If you are unable to connect, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`. ### Other errors From dfc5fce92c1e8d9be6620d7a815e46056f8cd700 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 16 Sep 2018 01:05:29 -0500 Subject: [PATCH 0206/1208] Improve version check - Improve Libreswan version check in upgrade scripts, including checking for supported versions and showing upgrade/downgrade info - Clean up notes --- extras/vpnupgrade.sh | 107 +++++++++++++++++++++--------------- extras/vpnupgrade_centos.sh | 107 +++++++++++++++++++++--------------- 2 files changed, 124 insertions(+), 90 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 5537249088..8256f8e682 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
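Review bot: The new "Windows 10 version 1803" section and the reordered "Android 6 and above" steps in docs/clients.md describe the same two edits to the server's `/etc/ipsec.conf` (`,aes256-sha2_256` appended to `phase2alg=` and `sha2-truncbug=yes` changed to `sha2-truncbug=no`) in opposite order and with different stopping rules. Windows applies both at once, while Android tries `sha2-truncbug=no` first and adds the cipher only if that fails. Because these edits change the server's configuration rather than one client's, state once which combination is the intended end state and whether clients that already connect are affected, and have both sections point to that one place. The Android step keeps its "(Ref)", but the Windows and Chromebook paragraphs no longer link to a rationale, which makes it harder to audit later why the server's cipher settings were changed.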
@@ -47,11 +47,15 @@ if [ -z "$SWAN_VER" ]; then exiterr "Libreswan version 'SWAN_VER' not specified." fi +swan_ver_is_supported=0 case "$SWAN_VER" in - 3.24|3.2[6-9]) - exiterr "Libreswan version $SWAN_VER is not available." + 3.19|3.2[01235]) + swan_ver_is_supported=1 ;; esac +if [ "$swan_ver_is_supported" != "1" ]; then + exiterr "Libreswan version $SWAN_VER is not supported." +fi ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then @@ -75,12 +79,23 @@ if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then esac fi -is_downgrade_to_322=0 -if [ "$SWAN_VER" = "3.22" ]; then - if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then - is_downgrade_to_322=1 - fi -fi +is_upgrade_to_323_or_newer=0 +case "$SWAN_VER" in + 3.2[35]) + if ! printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then + is_upgrade_to_323_or_newer=1 + fi + ;; +esac + +is_downgrade_to_322_or_older=0 +case "$SWAN_VER" in + 3.19|3.2[012]) + if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then + is_downgrade_to_322_or_older=1 + fi + ;; +esac clear 
@@ -95,34 +110,28 @@ Version to be installed: Libreswan $SWAN_VER EOF -if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]; then +case "$SWAN_VER" in + 3.2[35]) cat <<'EOF' WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple - IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). - DO NOT upgrade to 3.23/3.25 if your use cases include the above. + IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). + DO NOT upgrade to 3.23/3.25 if your use cases include the above. EOF -fi + ;; +esac cat <<'EOF' NOTE: Libreswan versions 3.19 and newer require some configuration changes. - This script will make the following changes to your /etc/ipsec.conf: - - Replace this line: - auth=esp - with the following: - phase2=esp + This script will make the following updates to your /etc/ipsec.conf: - Replace this line: - forceencaps=yes - with the following: - encapsulation=yes + 1. Replace "auth=esp" with "phase2=esp" + 2. Replace "forceencaps=yes" with "encapsulation=yes" + 3. Consolidate VPN ciphers for "ike=" and "phase2alg=", + re-add "MODP1024" to the list of allowed "ike=" ciphers, + which was removed from the defaults in Libreswan 3.19. - Consolidate VPN ciphers for "ike=" and "phase2alg=". - Re-add "MODP1024" to the list of allowed "ike=" ciphers, - which was removed from the defaults in Libreswan 3.19. - - Your other VPN configuration files will not be modified. + Your other VPN configuration files will not be modified. EOF @@ -186,7 +195,7 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then exiterr "Libreswan $SWAN_VER failed to build." fi -# Update ipsec.conf for Libreswan 3.19 and newer +# Update ipsec.conf IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" if uname -m | grep -qi '^arm'; then 
@@ -206,28 +215,36 @@ echo echo "Libreswan $SWAN_VER was installed successfully! " echo -case "$SWAN_VER" in - 3.2[3-9]) +if [ "$is_upgrade_to_323_or_newer" = "1" ]; then cat <<'EOF' -NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 - with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" - Then run "service ipsec restart". +IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit + /etc/ipsec.conf and replace these two lines: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + with a single line like this: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + Then run "service ipsec restart". EOF - ;; -esac +fi -if [ "$is_downgrade_to_322" = "1" ]; then +if [ "$is_downgrade_to_322_or_older" = "1" ]; then cat <<'EOF' -NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" - with two lines like this: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 - Then run "service ipsec restart". +IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit + /etc/ipsec.conf and replace this line: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + with two lines like this: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + Then run "service ipsec restart". EOF fi diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index d97a4323eb..0e22aac26d 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh 
@@ -38,11 +38,15 @@ if [ -z "$SWAN_VER" ]; then exiterr "Libreswan version 'SWAN_VER' not specified." fi +swan_ver_is_supported=0 case "$SWAN_VER" in - 3.24|3.2[6-9]) - exiterr "Libreswan version $SWAN_VER is not available." + 3.19|3.2[01235]) + swan_ver_is_supported=1 ;; esac +if [ "$swan_ver_is_supported" != "1" ]; then + exiterr "Libreswan version $SWAN_VER is not supported." +fi ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then @@ -66,12 +70,23 @@ if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then esac fi -is_downgrade_to_322=0 -if [ "$SWAN_VER" = "3.22" ]; then - if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then - is_downgrade_to_322=1 - fi -fi +is_upgrade_to_323_or_newer=0 +case "$SWAN_VER" in + 3.2[35]) + if ! printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then + is_upgrade_to_323_or_newer=1 + fi + ;; +esac + +is_downgrade_to_322_or_older=0 +case "$SWAN_VER" in + 3.19|3.2[012]) + if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then + is_downgrade_to_322_or_older=1 + fi + ;; +esac clear 
@@ -86,34 +101,28 @@ Version to be installed: Libreswan $SWAN_VER EOF -if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]; then +case "$SWAN_VER" in + 3.2[35]) cat <<'EOF' WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple - IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). - DO NOT upgrade to 3.23/3.25 if your use cases include the above. + IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). + DO NOT upgrade to 3.23/3.25 if your use cases include the above. EOF -fi + ;; +esac cat <<'EOF' NOTE: Libreswan versions 3.19 and newer require some configuration changes. - This script will make the following changes to your /etc/ipsec.conf: - - Replace this line: - auth=esp - with the following: - phase2=esp + This script will make the following updates to your /etc/ipsec.conf: - Replace this line: - forceencaps=yes - with the following: - encapsulation=yes + 1. Replace "auth=esp" with "phase2=esp" + 2. Replace "forceencaps=yes" with "encapsulation=yes" + 3. Consolidate VPN ciphers for "ike=" and "phase2alg=", + re-add "MODP1024" to the list of allowed "ike=" ciphers, + which was removed from the defaults in Libreswan 3.19. - Consolidate VPN ciphers for "ike=" and "phase2alg=". - Re-add "MODP1024" to the list of allowed "ike=" ciphers, - which was removed from the defaults in Libreswan 3.19. - - Your other VPN configuration files will not be modified. + Your other VPN configuration files will not be modified. EOF @@ -190,7 +199,7 @@ restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null -# Update ipsec.conf for Libreswan 3.19 and newer +# Update ipsec.conf IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" sed -i".old-$(date +%F-%T)" \ 
@@ -207,28 +216,36 @@ echo echo "Libreswan $SWAN_VER was installed successfully! " echo -case "$SWAN_VER" in - 3.2[3-9]) +if [ "$is_upgrade_to_323_or_newer" = "1" ]; then cat <<'EOF' -NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 - with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" - Then run "service ipsec restart". +IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit + /etc/ipsec.conf and replace these two lines: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + with a single line like this: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + Then run "service ipsec restart". EOF - ;; -esac +fi -if [ "$is_downgrade_to_322" = "1" ]; then +if [ "$is_downgrade_to_322_or_older" = "1" ]; then cat <<'EOF' -NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" - with two lines like this: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 - Then run "service ipsec restart". +IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit + /etc/ipsec.conf and replace this line: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + with two lines like this: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + Then run "service ipsec restart". EOF fi From 329a5ecf507bcecc0905d1056b17cef371918d01 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 16 Sep 2018 21:36:49 -0500 Subject: [PATCH 0207/1208] Cleanup - Improve display of Libreswan versions in upgrade scripts - Clean up notes --- extras/vpnupgrade.sh | 64 +++++++++++++++++++++---------------- extras/vpnupgrade_centos.sh | 64 +++++++++++++++++++++---------------- 2 files changed, 72 insertions(+), 56 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 8256f8e682..0a268ea55a 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
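Review bot: In PATCH 0206, the allowlist hunk of extras/vpnupgrade.sh (`@@ -47,11 +47,15 @@`, repeated at `@@ -38,11 +38,15 @@` in vpnupgrade_centos.sh) sets `swan_ver_is_supported` inside the `case` and then tests it in a separate `if`; a `*)` default arm that calls `exiterr` does the same in one place without the flag variable. With an allowlist, the `[ -z "$SWAN_VER" ]` test in the context lines just above is redundant, since an empty value matches none of `3.19|3.2[01235]`. Quoting the value in the message ('$SWAN_VER') would also make an empty or whitespace-only value visible to the user.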
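Review bot: In PATCH 0206 `@@ -75,12 +79,23 @@` (and `@@ -66,12 +70,23 @@` in the CentOS script), `is_upgrade_to_323_or_newer` and `is_downgrade_to_322_or_older` identify the installed version with `grep -qF -e "3.23" -e "3.25"` over the entire `ipsec --version` output, so any other occurrence of those strings in that output also matches. Extract the version token first and compare only that. The version sets are also now written three times per script (the `3.19|3.2[01235]` allowlist, the `3.2[35]` and `3.19|3.2[012]` case arms, and the grep patterns); if a later release is added to the allowlist but not to the other two, the "or_newer" flag stays 0 and the post-install notice is silently skipped.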
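Review bot: The rewritten NOTE in PATCH 0206 `@@ -95,34 +110,28 @@` folds "re-add MODP1024 to the list of allowed ike= ciphers, which was removed from the defaults in Libreswan 3.19" into item 3, next to two key renames. Re-adding a Diffie-Hellman group that upstream dropped from its defaults widens what the server accepts for IKE and is the one security-relevant change in the list, so it should be its own numbered item that says why it is needed, ideally with a way to opt out. The `@@ -186,7 +195,7 @@` hunk also shortens the comment above `IKE_NEW` to "# Update ipsec.conf", which removes the only in-code hint of why these lines are rewritten.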
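Review bot: The last hunk of PATCH 0206 (`@@ -206,28 +215,36 @@`, and `@@ -207,28 +216,36 @@` in the CentOS script) tells users they "must edit" `/etc/ipsec.conf` by hand to convert `modecfgdns1`/`modecfgdns2` to `modecfgdns=`, although the same script already rewrites `auth=esp`, `forceencaps=yes` and the cipher lines with `sed -i`. Until the manual step is done, the new version runs with the old keys still in the file. Either do the conversion in the existing `sed` pass when `is_upgrade_to_323_or_newer` is set (and the reverse for the downgrade flag), or have the message say what happens if the step is skipped.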
@@ -58,6 +58,7 @@ if [ "$swan_ver_is_supported" != "1" ]; then fi ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" +ipsec_ver_short="$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')" if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi @@ -105,8 +106,8 @@ Additional packages required for compilation will also be installed. It is intended for upgrading servers to a newer Libreswan version. -Current version: $ipsec_ver -Version to be installed: Libreswan $SWAN_VER +Current version: $ipsec_ver_short +Version to install: Libreswan $SWAN_VER EOF @@ -114,8 +115,8 @@ case "$SWAN_VER" in 3.2[35]) cat <<'EOF' WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple - IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). - DO NOT upgrade to 3.23/3.25 if your use cases include the above. + IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). + DO NOT upgrade to 3.23/3.25 if your use cases include the above. EOF ;; 
@@ -123,15 +124,15 @@ esac cat <<'EOF' NOTE: Libreswan versions 3.19 and newer require some configuration changes. - This script will make the following updates to your /etc/ipsec.conf: + This script will make the following updates to your /etc/ipsec.conf: - 1. Replace "auth=esp" with "phase2=esp" - 2. Replace "forceencaps=yes" with "encapsulation=yes" - 3. Consolidate VPN ciphers for "ike=" and "phase2alg=", - re-add "MODP1024" to the list of allowed "ike=" ciphers, - which was removed from the defaults in Libreswan 3.19. + 1. Replace "auth=esp" with "phase2=esp" + 2. Replace "forceencaps=yes" with "encapsulation=yes" + 3. Consolidate VPN ciphers for "ike=" and "phase2alg=", + re-add "MODP1024" to the list of allowed "ike=" ciphers, + which was removed from the defaults in Libreswan 3.19. - Your other VPN configuration files will not be modified. + Your other VPN configuration files will not be modified. EOF @@ -211,40 +212,47 @@ sed -i".old-$(date +%F-%T)" \ mkdir -p /run/pluto service ipsec restart -echo -echo "Libreswan $SWAN_VER was installed successfully! " -echo +cat < Date: Tue, 18 Sep 2018 00:57:03 -0500 Subject: [PATCH 0208/1208] Improve variables - Move SWAN_VER to the top of the scripts - Add check for Libreswan version - Cleanup --- extras/vpnupgrade.sh | 15 +++++-------- extras/vpnupgrade_centos.sh | 15 +++++-------- vpnsetup.sh | 42 +++++++++++++++++++++++-------------- vpnsetup_centos.sh | 42 +++++++++++++++++++++++-------------- 4 files changed, 62 insertions(+), 52 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 0a268ea55a..a551c8c69f 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -10,7 +10,7 @@ # Attribution required: please include my name in any derivative and let me # know how you have improved it! -# Check https://libreswan.org for the latest version +# Specify which Libreswan version to install. See: https://libreswan.org SWAN_VER=3.22 ### DO NOT edit below this line ### 
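Review bot: `ipsec_ver_short` in PATCH 0207 `@@ -58,6 +58,7 @@` trims the version string with `sed -e 's/ (netkey) on .*//'`, which only fires when the output contains the literal " (netkey) on "; with any other text in that position the untrimmed string is shown under "Current version". Matching from the opening parenthesis (for example `s/ (.*//`) would not depend on that word. The assignment also sits above the `grep -q "Libreswan"` guard, so it runs on whatever the command printed, including empty output; placing it after the guard keeps the derived value tied to a checked input.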
@@ -43,19 +43,14 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -if [ -z "$SWAN_VER" ]; then - exiterr "Libreswan version 'SWAN_VER' not specified." -fi - -swan_ver_is_supported=0 case "$SWAN_VER" in 3.19|3.2[01235]) - swan_ver_is_supported=1 + /bin/true + ;; + *) + exiterr "Libreswan version '$SWAN_VER' is not supported." ;; esac -if [ "$swan_ver_is_supported" != "1" ]; then - exiterr "Libreswan version $SWAN_VER is not supported." -fi ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" ipsec_ver_short="$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')" diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 3168cb5927..45d068f021 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -10,7 +10,7 @@ # Attribution required: please include my name in any derivative and let me # know how you have improved it! -# Check https://libreswan.org for the latest version +# Specify which Libreswan version to install. See: https://libreswan.org SWAN_VER=3.22 ### DO NOT edit below this line ### @@ -34,19 +34,14 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -if [ -z "$SWAN_VER" ]; then - exiterr "Libreswan version 'SWAN_VER' not specified." -fi - -swan_ver_is_supported=0 case "$SWAN_VER" in 3.19|3.2[01235]) - swan_ver_is_supported=1 + /bin/true + ;; + *) + exiterr "Libreswan version '$SWAN_VER' is not supported." ;; esac -if [ "$swan_ver_is_supported" != "1" ]; then - exiterr "Libreswan version $SWAN_VER is not supported." -fi ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" ipsec_ver_short="$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')" diff --git a/vpnsetup.sh b/vpnsetup.sh index ff00b3fb47..c1d692cd61 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -36,6 +36,8 @@ YOUR_PASSWORD='' export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" SYS_DT="$(date +%F-%T)" +SWAN_VER=3.22 + exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { exiterr "'apt-get install' failed."; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } @@ -69,7 +71,16 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -net_iface=${VPN_NET_IFACE:-'eth0'} +case "$SWAN_VER" in + 3.19|3.2[01235]) + /bin/true + ;; + *) + exiterr "Libreswan version '$SWAN_VER' is not supported." + ;; +esac + +NET_IFACE=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" @@ -82,12 +93,12 @@ if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then ;; esac fi - net_iface="$def_iface" + NET_IFACE="$def_iface" fi -net_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) -if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$net_iface" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 +net_state=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null) +if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$NET_IFACE" = "lo" ]; then + printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 </dev/null \ - || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then + || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then ipt_flag=1 fi 
@@ -418,17 +428,17 @@ if [ "$ipt_flag" = "1" ]; then iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT iptables -I INPUT 6 -p udp --dport 1701 -j DROP iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP - iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT + iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT - iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT + iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT # Uncomment if you wish to disallow traffic between VPN clients themselves # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP iptables -A FORWARD -j DROP - iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE - iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" iptables-save >> "$IPT_FILE" diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 36eb6c3db7..f2b12edaad 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -36,6 +36,8 @@ YOUR_PASSWORD='' export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" SYS_DT="$(date +%F-%T)" +SWAN_VER=3.22 + exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { exiterr "'yum install' failed."; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } @@ -60,7 +62,16 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -net_iface=${VPN_NET_IFACE:-'eth0'} +case "$SWAN_VER" in + 3.19|3.2[01235]) + /bin/true + ;; + *) + exiterr "Libreswan version '$SWAN_VER' is not supported." + ;; +esac + +NET_IFACE=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" @@ -71,12 +82,12 @@ if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then exiterr "Wireless interface '$def_iface' detected. DO NOT run this script on your PC or Mac!" ;; esac - net_iface="$def_iface" + NET_IFACE="$def_iface" fi -net_state=$(cat "/sys/class/net/$net_iface/operstate" 2>/dev/null) -if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$net_iface" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n" "$net_iface" >&2 +net_state=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null) +if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$NET_IFACE" = "lo" ]; then + printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2 if [ -z "$VPN_NET_IFACE" ]; then cat 1>&2 </dev/null \ - || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then + || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \ + || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then ipt_flag=1 fi 
@@ -401,17 +411,17 @@ if [ "$ipt_flag" = "1" ]; then iptables -I INPUT 5 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT iptables -I INPUT 6 -p udp --dport 1701 -j DROP iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP - iptables -I FORWARD 2 -i "$net_iface" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 3 -i ppp+ -o "$net_iface" -j ACCEPT + iptables -I FORWARD 2 -i "$NET_IFACE" -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 3 -i ppp+ -o "$NET_IFACE" -j ACCEPT iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT - iptables -I FORWARD 5 -i "$net_iface" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$net_iface" -j ACCEPT + iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT # Uncomment if you wish to disallow traffic between VPN clients themselves # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP iptables -A FORWARD -j DROP - iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$net_iface" -m policy --dir out --pol none -j MASQUERADE - iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$net_iface" -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE + iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" iptables-save >> "$IPT_FILE" fi From b803f32b71debbdb5d1060b899a9dea86acb8589 Mon Sep 17 00:00:00 2001 
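Review bot: The supported-version arm added or rewritten in PATCH 0208 (`3.19|3.2[01235])` in all four scripts) uses `/bin/true` as its no-op, which forks a process and depends on that absolute path existing; the shell builtin `:` is the portable no-op for an empty `case` arm. The same allowlist is now pasted into vpnupgrade.sh, vpnupgrade_centos.sh, vpnsetup.sh and vpnsetup_centos.sh. In the two setup scripts `SWAN_VER=3.22` is assigned unconditionally a few lines above the check, so the check there can only fail if someone edits the file; it earns its place in the upgrade scripts, where the comment above `SWAN_VER` invites the user to choose a version.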
From: hwdsl2 Date: Fri, 21 Sep 2018 23:44:29 -0500 Subject: [PATCH 0209/1208] New Libreswan version - Upgrade to new Libreswan version 3.26 - Ref: https://github.com/libreswan/libreswan/issues/202 - Cleanup --- extras/vpnupgrade.sh | 46 ++++++++++++++++++++++--------------- extras/vpnupgrade_centos.sh | 46 ++++++++++++++++++++++--------------- vpnsetup.sh | 27 ++++------------------ vpnsetup_centos.sh | 27 ++++------------------ 4 files changed, 64 insertions(+), 82 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index a551c8c69f..7f2d422cab 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=3.22 +SWAN_VER=3.26 ### DO NOT edit below this line ### @@ -44,11 +44,16 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[01235]) + 3.19|3.2[012356]) /bin/true ;; *) - exiterr "Libreswan version '$SWAN_VER' is not supported." +cat 1>&2 < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_DH31 = false USE_GLIBC_KERN_FLIP_HEADERS = true EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then 
@@ -220,34 +228,34 @@ EOF if [ "$is_upgrade_to_323_or_newer" = "1" ]; then cat <<'EOF' -IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf - and replace these two lines: +IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit + /etc/ipsec.conf and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 + modecfgdns1=8.8.8.8 + modecfgdns2=8.8.4.4 with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + modecfgdns="8.8.8.8, 8.8.4.4" - Then run "service ipsec restart". + Then run "sudo service ipsec restart". EOF fi if [ "$is_downgrade_to_322_or_older" = "1" ]; then cat <<'EOF' -IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf - and replace this line: +IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit + /etc/ipsec.conf and replace this line: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + modecfgdns="8.8.8.8, 8.8.4.4" with two lines like this: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 + modecfgdns1=8.8.8.8 + modecfgdns2=8.8.4.4 - Then run "service ipsec restart". + Then run "sudo service ipsec restart". EOF fi diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 45d068f021..7f95d1ae96 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=3.22 +SWAN_VER=3.26 ### DO NOT edit below this line ### @@ -35,11 +35,16 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[01235]) + 3.19|3.2[012356]) /bin/true ;; *) - exiterr "Libreswan version '$SWAN_VER' is not supported." +cat 1>&2 < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_DH31 = false USE_GLIBC_KERN_FLIP_HEADERS = true EOF NPROCS="$(grep -c ^processor /proc/cpuinfo)" 
@@ -221,34 +229,34 @@ EOF if [ "$is_upgrade_to_323_or_newer" = "1" ]; then cat <<'EOF' -IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf - and replace these two lines: +IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit + /etc/ipsec.conf and replace these two lines: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 + modecfgdns1=8.8.8.8 + modecfgdns2=8.8.4.4 with a single line like this: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + modecfgdns="8.8.8.8, 8.8.4.4" - Then run "service ipsec restart". + Then run "sudo service ipsec restart". EOF fi if [ "$is_downgrade_to_322_or_older" = "1" ]; then cat <<'EOF' -IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf - and replace this line: +IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit + /etc/ipsec.conf and replace this line: - modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + modecfgdns="8.8.8.8, 8.8.4.4" with two lines like this: - modecfgdns1=DNS_SERVER_1 - modecfgdns2=DNS_SERVER_2 + modecfgdns1=8.8.8.8 + modecfgdns2=8.8.4.4 - Then run "service ipsec restart". + Then run "sudo service ipsec restart". EOF fi diff --git a/vpnsetup.sh b/vpnsetup.sh index c1d692cd61..cd1fddfa3a 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -36,8 +36,6 @@ YOUR_PASSWORD='' export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" SYS_DT="$(date +%F-%T)" -SWAN_VER=3.22 - exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { exiterr "'apt-get install' failed."; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } 
@@ -71,15 +69,6 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -case "$SWAN_VER" in - 3.19|3.2[01235]) - /bin/true - ;; - *) - exiterr "Libreswan version '$SWAN_VER' is not supported." - ;; -esac - NET_IFACE=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" @@ -207,6 +196,7 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." +SWAN_VER=3.26 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -216,11 +206,12 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h -sed -i '/docker-targets\.mk/d' Makefile +sed -i 's/-lfreebl //' mk/config.mk +sed -i '/blapi\.h/d' programs/pluto/keys.c cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_DH31 = false USE_GLIBC_KERN_FLIP_HEADERS = true EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then @@ -285,8 +276,7 @@ conn xauth-psk auto=add leftsubnet=0.0.0.0/0 rightaddresspool=$XAUTH_POOL - modecfgdns1=$DNS_SRV1 - modecfgdns2=$DNS_SRV2 + modecfgdns="$DNS_SRV1, $DNS_SRV2" leftxauthserver=yes rightxauthclient=yes leftmodecfgserver=yes @@ -299,13 +289,6 @@ conn xauth-psk also=shared EOF -case "$SWAN_VER" in - 3.2[35]) - sed -i "/modecfgdns/d" /etc/ipsec.conf - echo " modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"" >> /etc/ipsec.conf - ;; -esac - if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf 
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index f2b12edaad..45649e5a31 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -36,8 +36,6 @@ YOUR_PASSWORD='' export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" SYS_DT="$(date +%F-%T)" -SWAN_VER=3.22 - exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { exiterr "'yum install' failed."; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } @@ -62,15 +60,6 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -case "$SWAN_VER" in - 3.19|3.2[01235]) - /bin/true - ;; - *) - exiterr "Libreswan version '$SWAN_VER' is not supported." - ;; -esac - NET_IFACE=${VPN_NET_IFACE:-'eth0'} def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" @@ -197,6 +186,7 @@ yum "$REPO1" -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." +SWAN_VER=3.26 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -206,11 +196,12 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h -sed -i '/docker-targets\.mk/d' Makefile +sed -i 's/-lfreebl //' mk/config.mk +sed -i '/blapi\.h/d' programs/pluto/keys.c cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_DH31 = false USE_GLIBC_KERN_FLIP_HEADERS = true EOF NPROCS="$(grep -c ^processor /proc/cpuinfo)" @@ -272,8 +263,7 @@ conn xauth-psk auto=add leftsubnet=0.0.0.0/0 rightaddresspool=$XAUTH_POOL - modecfgdns1=$DNS_SRV1 - modecfgdns2=$DNS_SRV2 + modecfgdns="$DNS_SRV1, $DNS_SRV2" leftxauthserver=yes rightxauthclient=yes leftmodecfgserver=yes 
@@ -286,13 +276,6 @@ conn xauth-psk also=shared EOF -case "$SWAN_VER" in - 3.2[35]) - sed -i "/modecfgdns/d" /etc/ipsec.conf - echo " modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"" >> /etc/ipsec.conf - ;; -esac - if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}') check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf From 5d3f4eb7e657841cbcfbb9998009cfcac3dbd1cf Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 21 Sep 2018 23:56:16 -0500 Subject: [PATCH 0210/1208] Update docs - Update README and IKEv2 docs for Libreswan 3.26 --- README-zh.md | 2 -- README.md | 2 -- docs/ikev2-howto-zh.md | 10 +++++----- docs/ikev2-howto.md | 10 +++++----- 4 files changed, 10 insertions(+), 14 deletions(-) diff --git a/README-zh.md b/README-zh.md index a3a9bdd1a1..f824a36ccb 100644 --- a/README-zh.md +++ b/README-zh.md @@ -168,8 +168,6 @@ wget https://git.io/vpnupgrade -O vpnupgrade.sh wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ``` -:warning: VPN 脚本默认安装 Libreswan 3.22,因为新版本 3.23 和 3.25 存在问题,从而不能同时连接在同一个 NAT (比如家用路由器)后面的多个 IPsec/XAuth VPN 客户端。 - ## 问题和反馈 - 有问题需要提问?请先搜索已有的留言,在 这个 Gist 以及 我的博客。 diff --git a/README.md b/README.md index 8c37b710d8..c8b14ac84c 100644 --- a/README.md +++ b/README.md @@ -168,8 +168,6 @@ wget https://git.io/vpnupgrade -O vpnupgrade.sh wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ``` -:warning: The VPN scripts install Libreswan 3.22 by default, because newer versions 3.23 and 3.25 have issues with connecting multiple IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). - ## Bugs & Questions - Got a question? Please first search other people's comments in this Gist and on my blog. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 1830045709..2635661f41 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
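Review bot: In the upgrade-notice hunk of the Libreswan 3.26 patch (@@ -221,34 +229,34 @@), swapping the DNS_SERVER_1 / DNS_SERVER_2 placeholders for the literal 8.8.8.8 and 8.8.4.4 makes the instruction wrong for anyone whose /etc/ipsec.conf carries other resolvers: they are told to look for lines that are not in their file, or they paste these addresses over their own. Because the heredoc is quoted (`<<'EOF'`), the text cannot show the real values, so either keep the placeholders or read the current `modecfgdns1=` and `modecfgdns2=` values from /etc/ipsec.conf and print them with an unquoted heredoc.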
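Review bot: The two source edits added to the build step of vpnsetup.sh and vpnsetup_centos.sh, `sed -i 's/-lfreebl //' mk/config.mk` and `sed -i '/blapi\.h/d' programs/pluto/keys.c`, carry no comment saying which build failure they work around, and sed exits 0 when nothing matches, so they will silently stop doing anything if upstream moves those lines. The line they replace was gated with `[ "$SWAN_VER" = "3.22" ] &&`; please gate these on 3.26 the same way or add a one-line comment with the reason. The new `USE_DH31 = false` in Makefile.inc.local needs the same explanation, since it switches off a build feature without saying why.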
@@ -60,21 +60,21 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ ipsec --version ``` - 如果是 Libreswan 3.19-3.22: + 如果是 Libreswan 3.23 或更新版本: ```bash $ cat >> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf < Date: Sat, 22 Sep 2018 01:58:58 -0500 Subject: [PATCH 0211/1208] Update IKEv2 docs - Re-add Android instructions to IKEv2 docs because it is fixed in Libreswan 3.26 - Ref: 964b793 #307 - Cleanup --- README-zh.md | 2 +- README.md | 2 +- docs/ikev2-howto-zh.md | 25 +++++++++++++++++++++---- docs/ikev2-howto.md | 25 +++++++++++++++++++++---- 4 files changed, 44 insertions(+), 10 deletions(-) diff --git a/README-zh.md b/README-zh.md index f824a36ccb..3d66ff3900 100644 --- a/README-zh.md +++ b/README-zh.md @@ -129,7 +129,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh **配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端** -**如何配置 IKEv2 VPN: Windows 7 和更新版本** +**如何配置 IKEv2 VPN: Windows 和 Android** 如果在连接过程中遇到错误,请参见 故障排除。 diff --git a/README.md b/README.md index c8b14ac84c..b1f42d89fe 100644 --- a/README.md +++ b/README.md @@ -129,7 +129,7 @@ Get your computer or device to use the VPN. Please refer to: **Configure IPsec/XAuth ("Cisco IPsec") VPN Clients** -**How-To: IKEv2 VPN for Windows 7 and above** +**How-To: IKEv2 VPN for Windows and Android** If you get an error when trying to connect, see Troubleshooting. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 2635661f41..b591822a87 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -1,4 +1,4 @@ -# 如何配置 IKEv2 VPN: Windows 7 和更新版本 +# 如何配置 IKEv2 VPN: Windows 和 Android *其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* 
@@ -10,9 +10,14 @@ Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较,IKEv2 的功能改进包括比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。另外,IKEv2 支持同时连接在同一个 NAT(比如家用路由器)后面的多个设备到 VPN 服务器。 -Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 +Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于以下系统: -在继续之前,请确保你已经成功 搭建自己的 VPN 服务器。 +- Windows 7, 8.x 和 10 +- strongSwan Android VPN 客户端 + +下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 + +在继续之前,请确保你已经成功地 搭建自己的 VPN 服务器,并且已经将 Libreswan 升级到最新版本。 1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。 @@ -186,11 +191,22 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. (可选步骤) 如需启用更安全的加密方式,你可以添加 这个注册表键 并重启。 + #### Android 4.x 和更新版本 + + 1. 从 **Google Play** 安装 strongSwan VPN Client。 + 1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 + 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP`。 + 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 + 1. 单击 **Select user certificate**,然后单击 **Install certificate**。 + 1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 + 1. 保存新的 VPN 连接,然后单击它以开始连接。 + 1. 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ## 已知问题 -Windows 自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试 修改注册表,或者换用 IPsec/L2TPIPsec/XAuth 模式连接。 +1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式连接。 +1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级到版本 3.26 或以上。 ## 参考链接 @@ -198,3 +214,4 @@ Windows 自带的 VPN 客户端不支持 IKEv2 fragmentation。在有些网络 * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan * https://libreswan.org/man/ipsec.conf.5.html * https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients +* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient 
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 5cbe3068f7..a8f7832856 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -1,4 +1,4 @@ -# How-To: IKEv2 VPN for Windows 7 and above +# How-To: IKEv2 VPN for Windows and Android *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* @@ -10,9 +10,14 @@ Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains improvements such as Standard Mobility support through MOBIKE, and improved reliability. In addition, IKEv2 supports connecting multiple devices simultaneously from behind the same NAT (e.g. home router) to the VPN server. -Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. +Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with: -Before continuing, make sure you have successfully set up your VPN server. +- Windows 7, 8.x and 10 +- strongSwan Android VPN client + +The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. + +Before continuing, make sure you have successfully set up your VPN server, and upgraded Libreswan to the latest version. 1. Find the VPN server's public IP, save it to a variable and check. 
@@ -186,11 +191,22 @@ Before continuing, make sure you have successfully this registry key and reboot. + #### Android 4.x and newer + + 1. Install strongSwan VPN Client from **Google Play**. + 1. Launch the VPN client and tap **Add VPN Profile**. + 1. Enter `Your VPN Server IP` in the **Server** field. + 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. + 1. Tap **Select user certificate**, then tap **Install certificate**. + 1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. + 1. Save the new VPN connection, then tap to connect. + 1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Known Issues -The built-in VPN client in Windows does not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may try this registry fix, or connect using IPsec/L2TP or IPsec/XAuth mode instead. +1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the IPsec/L2TP or IPsec/XAuth mode. +1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above. ## References @@ -198,3 +214,4 @@ The built-in VPN client in Windows does not support IKEv2 fragmentation. On some * https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan * https://libreswan.org/man/ipsec.conf.5.html * https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients +* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient From e22664f7a27660cc4d24218aea28594237b6db3c Mon Sep 17 00:00:00 2001 
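Review bot: The new Android steps in docs/ikev2-howto.md and docs/ikev2-howto-zh.md have the reader install "the `.p12` file you copied from the VPN server", but nothing in this hunk says how to move that file or what to do with it afterwards. The .p12 holds the client's private key, so the step should ask for a protected transfer and for deleting the copy from device storage once the certificate is installed. Separately, Known Issues now says Libreswan 3.26 or above is required for the strongSwan Android client while the introduction only says "the latest version"; stating the minimum version next to the platform list would let readers check it before they start.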
From: hwdsl2 Date: Sat, 22 Sep 2018 12:10:02 -0500 Subject: [PATCH 0212/1208] Improve upgrade config - Try to automatically update modecfgdns lines in /etc/ipsec.conf in the Libreswan upgrade scripts - Cleanup --- extras/vpnupgrade.sh | 109 +++++++++++++++++------------------- extras/vpnupgrade_centos.sh | 106 ++++++++++++++++------------------- 2 files changed, 101 insertions(+), 114 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 7f2d422cab..0b9bebaba6 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -57,6 +57,25 @@ EOF ;; esac +dns_state=0 +case "$SWAN_VER" in + 3.2[356]) + DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) + DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) + [ -n "$DNS_SRV1" ] && dns_state=2 + [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 + [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" != "1" ] && dns_state=0 + ;; + 3.19|3.2[012]) + DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2 | cut -d '"' -f 2) + DNS_SRV1=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 1) + DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 2 | sed 's/^ *//') + [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" != "$DNS_SRV2" ] && dns_state=3 + [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" = "$DNS_SRV2" ] && dns_state=4 + [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" != "1" ] && dns_state=0 + ;; +esac + ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" ipsec_ver_short="$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')" if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then 
@@ -80,24 +99,6 @@ if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then esac fi -is_upgrade_to_323_or_newer=0 -case "$SWAN_VER" in - 3.2[356]) - if ! printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25" -e "3.26"; then - is_upgrade_to_323_or_newer=1 - fi - ;; -esac - -is_downgrade_to_322_or_older=0 -case "$SWAN_VER" in - 3.19|3.2[012]) - if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25" -e "3.26"; then - is_downgrade_to_322_or_older=1 - fi - ;; -esac - clear cat </dev/null # Update ipsec.conf IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" + sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \ -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf +if [ "$dns_state" = "1" ]; then + sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"/" \ + -e "/modecfgdns2/d" /etc/ipsec.conf +elif [ "$dns_state" = "2" ]; then + sed -i "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1\"/" /etc/ipsec.conf +elif [ "$dns_state" = "3" ]; then + sed -i "/modecfgdns=/a \ modecfgdns2=$DNS_SRV2" /etc/ipsec.conf + sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf +elif [ "$dns_state" = "4" ]; then + sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf +fi + # Restart IPsec service mkdir -p /run/pluto service ipsec restart 
@@ -227,40 +253,6 @@ Libreswan $SWAN_VER has been successfully installed! EOF -if [ "$is_upgrade_to_323_or_newer" = "1" ]; then -cat <<'EOF' -IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit - /etc/ipsec.conf and replace these two lines: - - modecfgdns1=8.8.8.8 - modecfgdns2=8.8.4.4 - - with a single line like this: - - modecfgdns="8.8.8.8, 8.8.4.4" - - Then run "sudo service ipsec restart". - -EOF -fi - -if [ "$is_downgrade_to_322_or_older" = "1" ]; then -cat <<'EOF' -IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit - /etc/ipsec.conf and replace this line: - - modecfgdns="8.8.8.8, 8.8.4.4" - - with two lines like this: - - modecfgdns1=8.8.8.8 - modecfgdns2=8.8.4.4 - - Then run "sudo service ipsec restart". - -EOF -fi - } ## Defer setup until we have the complete script From 20f57975b38a581c06e1c6fc784277c437db9fde Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 30 Sep 2018 18:36:42 -0500 Subject: [PATCH 0213/1208] Update docs - Add notes for the faster IPsec/XAuth and IKEv2 modes - Cleanup --- docs/clients-xauth-zh.md | 8 ++++---- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 12 ++++++++++-- docs/clients.md | 10 +++++++++- docs/ikev2-howto-zh.md | 8 ++++---- docs/ikev2-howto.md | 4 ++-- 6 files changed, 30 insertions(+), 14 deletions(-) diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 821549e188..b354f8c7b4 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md 
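Review bot: In the dns_state block that PATCH 0212 adds to extras/vpnupgrade.sh, the `grep "modecfgdns1="` and `grep "modecfgdns="` patterns are unanchored and the extracted values are pasted into sed replacements unchecked. A commented-out line is counted by `grep -c` and can be the one `head -n 1` returns, anything after the address on that line (trailing spaces, an inline comment) ends up in DNS_SRV1, and a `/` or `&` in the value breaks or alters the later `s/modecfgdns1=.*/.../` expression. Anchor the match to `^[[:space:]]*modecfgdns1=` and leave dns_state at 0 unless each value looks like an IP address. A short comment listing what states 1 to 4 mean would also help the next reader.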
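Review bot: Dropping the two IMPORTANT notices at the end of extras/vpnupgrade.sh (@@ -227,40 +253,6 @@ in PATCH 0212) leaves no fallback for the cases the new code declines to handle. When /etc/ipsec.conf has more than one `modecfgdns1=` or `modecfgdns=` line, dns_state is reset to 0, none of the sed rewrites run, `service ipsec restart` goes ahead, and the user is never told that the DNS options still use the other version's syntax. Keep a notice for the case where the count is greater than 1, or print which lines were left untouched.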
@@ -2,11 +2,11 @@ *其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* -*注: 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* +*注: 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* -在成功搭建自己的 VPN 服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 +在成功搭建自己的 VPN 服务器之后,按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 -IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP 更高效地传输数据。 +IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP **更高效**地传输数据(较低的额外开销)。 --- * 平台名称 @@ -17,7 +17,7 @@ IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP ## Windows -**注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,无需安装额外的软件。 +**注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,无需安装额外的软件。 1. 下载并安装免费的 Shrew Soft VPN 客户端。 **注:** 该 VPN 客户端支持 Windows 2K/XP/Vista/7/8 系统。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 5d6139897a..59250b9719 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -6,7 +6,7 @@ After setting up your own VPN server, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free Shrew Soft client. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. -IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally faster than IPsec/L2TP with less overhead. +IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally **faster than** IPsec/L2TP with less overhead. --- * Platforms diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 34c51f2eb4..86c00a475e 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -2,9 +2,9 @@ *其他语言版本: [English](clients.md), [简体中文](clients-zh.md).* -*注: 你也可以使用 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* +*注: 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* -在成功搭建自己的 VPN 服务器之后,你可以按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 +在成功搭建自己的 VPN 服务器之后,按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 --- * 平台名称 @@ -27,6 +27,8 @@ ## Windows +**注:** 你也可以配置并且使用更新的 [IKEv2 模式](ikev2-howto-zh.md) 连接。 + ### Windows 10 and 8.x 1. 右键单击系统托盘中的无线/网络图标。 @@ -81,6 +83,8 @@ ## OS X +**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接。 + 1. 打开系统偏好设置并转到网络部分。 1. 在窗口左下角单击 **+** 按钮。 1. 从 **接口** 下拉菜单选择 **VPN**。 @@ -102,6 +106,8 @@ ## Android +**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。 + 1. 启动 **设置** 应用程序。 1. 在 **无线和网络** 部分单击 **更多...**。 1. 单击 **VPN**。 @@ -123,6 +129,8 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 setting up your own VPN server, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. @@ -27,6 +27,8 @@ After settin ## Windows +**Note:** You may also set up and connect using the newer [IKEv2 mode](ikev2-howto.md). + ### Windows 10 and 8.x 1. Right-click on the wireless/network icon in your system tray. @@ -81,6 +83,8 @@ If you get an error when trying to connect, see Troub ## OS X +**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md). + 1. Open System Preferences and go to the Network section. 1. Click the **+** button in the lower-left corner of the window. 1. Select **VPN** from the **Interface** drop-down menu. 
@@ -102,6 +106,8 @@ To connect to the VPN: Use the menu bar icon, or go to the Network section of Sy ## Android +**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md). + 1. Launch the **Settings** application. 1. Tap **More...** in the **Wireless & Networks** section. 1. Tap **VPN**. @@ -123,6 +129,8 @@ If you get an error when trying to connect, see Troub ## iOS +**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md). + 1. Go to Settings -> General -> VPN. 1. Tap **Add VPN Configuration...**. 1. Tap **Type**. Select **L2TP** and go back. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index b591822a87..bcdbe45a72 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -13,7 +13,7 @@ Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于以下系统: - Windows 7, 8.x 和 10 -- strongSwan Android VPN 客户端 +- Android 4.x 和更新版本(使用 strongSwan VPN 客户端) 下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 @@ -29,7 +29,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 **注:** 另外,在这里你也可以指定 VPN 服务器的域名。例如: `PUBLIC_IP=myvpn.example.com`。 -1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接: +1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接: ```bash $ cat >> /etc/ipsec.conf <这个注册表键 并重启。 + 1. (可选步骤) 如需启用更强的加密算法,你可以添加注册表键 `NegotiateDH2048_AES256` 并重启。更多信息请看这里。 #### Android 4.x 和更新版本 - 1. 从 **Google Play** 安装 strongSwan VPN Client。 + 1. 从 **Google Play** 安装 strongSwan VPN 客户端。 1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP`。 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index a8f7832856..e2315d072f 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -13,7 +13,7 @@ Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agil Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with: - Windows 7, 8.x and 10 -- strongSwan Android VPN client +- Android 4.x and newer (using the strongSwan VPN client) The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. @@ -189,7 +189,7 @@ Before continuing, make sure you have successfully this registry key and reboot. + 1. (Optional) You may enable stronger ciphers by adding the registry key `NegotiateDH2048_AES256` and reboot. Read more here. #### Android 4.x and newer From 4f41fcba9a0a4cb4a4e79456003cf5369fc24895 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 30 Sep 2018 20:04:21 -0500 Subject: [PATCH 0214/1208] Improve upgrade config - Replace all occurrences when updating /etc/ipsec.conf - Prompt the user to edit manually if more than one modecfgdns1= or modecfgdns= line is present --- extras/vpnupgrade.sh | 44 ++++++++++++++++++++++++++++++++----- extras/vpnupgrade_centos.sh | 44 ++++++++++++++++++++++++++++++++----- 2 files changed, 76 insertions(+), 12 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 0b9bebaba6..aaaae1a8ae 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -64,7 +64,7 @@ case "$SWAN_VER" in DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) [ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 - [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" != "1" ] && dns_state=0 + [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=5 ;; 3.19|3.2[012]) DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2 | cut -d '"' -f 2) 
@@ -72,7 +72,7 @@ case "$SWAN_VER" in DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 2 | sed 's/^ *//') [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" != "$DNS_SRV2" ] && dns_state=3 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" = "$DNS_SRV2" ] && dns_state=4 - [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" != "1" ] && dns_state=0 + [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" -gt "1" ] && dns_state=6 ;; esac @@ -223,10 +223,10 @@ if uname -m | grep -qi '^arm'; then fi sed -i".old-$(date +%F-%T)" \ - -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ - -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ - -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \ - -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf + -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ + -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ + -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ + -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf if [ "$dns_state" = "1" ]; then sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"/" \ @@ -255,6 +255,38 @@ Libreswan $SWAN_VER has been successfully installed! EOF +if [ "$dns_state" = "5" ]; then +cat <<'EOF' +IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf + and replace all occurrences of these two lines: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + with a single line like this: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + Then run "sudo service ipsec restart". + +EOF +elif [ "$dns_state" = "6" ]; then +cat <<'EOF' +IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf + and replace all occurrences of this line: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + with two lines like this: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + Then run "sudo service ipsec restart". + +EOF +fi + } ## Defer setup until we have the complete script 
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 9282b0d479..6dbc0e9a32 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -55,7 +55,7 @@ case "$SWAN_VER" in DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) [ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1 - [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" != "1" ] && dns_state=0 + [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=5 ;; 3.19|3.2[012]) DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2 | cut -d '"' -f 2) @@ -63,7 +63,7 @@ case "$SWAN_VER" in DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 2 | sed 's/^ *//') [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" != "$DNS_SRV2" ] && dns_state=3 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" = "$DNS_SRV2" ] && dns_state=4 - [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" != "1" ] && dns_state=0 + [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" -gt "1" ] && dns_state=6 ;; esac @@ -221,10 +221,10 @@ IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2; PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" sed -i".old-$(date +%F-%T)" \ - -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ - -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ - -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/" \ - -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/" /etc/ipsec.conf + -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ + -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ + -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ + -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf if [ "$dns_state" = "1" ]; then sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"/" \ 
@@ -253,6 +253,38 @@ Libreswan $SWAN_VER has been successfully installed! EOF +if [ "$dns_state" = "5" ]; then +cat <<'EOF' +IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf + and replace all occurrences of these two lines: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + with a single line like this: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + Then run "sudo service ipsec restart". + +EOF +elif [ "$dns_state" = "6" ]; then +cat <<'EOF' +IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf + and replace all occurrences of this line: + + modecfgdns="DNS_SERVER_1, DNS_SERVER_2" + + with two lines like this: + + modecfgdns1=DNS_SERVER_1 + modecfgdns2=DNS_SERVER_2 + + Then run "sudo service ipsec restart". + +EOF +fi + } ## Defer setup until we have the complete script From a04d2d32e87e40b8d6d628e49fcfce6fd0e6a4bb Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 9 Oct 2018 12:32:28 -0500 Subject: [PATCH 0215/1208] New Libreswan version - Upgrade Libreswan to 3.27 - Cleanup --- extras/vpnupgrade.sh | 12 ++++++------ extras/vpnupgrade_centos.sh | 12 ++++++------ vpnsetup.sh | 9 +-------- vpnsetup_centos.sh | 9 +-------- 4 files changed, 14 insertions(+), 28 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index aaaae1a8ae..871ba816cd 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=3.26 +SWAN_VER=3.27 ### DO NOT edit below this line ### @@ -44,14 +44,14 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[012356]) + 3.19|3.2[0123567]) /bin/true ;; *) cat 1>&2 <&2 < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false 
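Review bot: The `g` flags that PATCH 0214 adds to the four sed expressions (@@ -223,10 +223,10 @@ in extras/vpnupgrade.sh, @@ -221,10 +221,10 @@ in extras/vpnupgrade_centos.sh) do not do what the commit message describes. sed already applies each `s` command to every line of the file, and `g` only matters when a pattern can match more than once within one line; these patterns are anchored with `^` and `\$`, so each line matches at most once and the flag is a no-op. Please drop the flag and the "Replace all occurrences" line of the message, since behaviour is unchanged there; the real change in this patch is the new dns_state 5 and 6 handling.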
@@ -289,11 +287,6 @@ conn xauth-psk also=shared EOF -if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then - PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}') - check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf -fi - if uname -m | grep -qi '^arm'; then sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 45649e5a31..2d5656ba35 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -186,7 +186,7 @@ yum "$REPO1" -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.26 +SWAN_VER=3.27 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -196,8 +196,6 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -sed -i 's/-lfreebl //' mk/config.mk -sed -i '/blapi\.h/d' programs/pluto/keys.c cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false 
@@ -276,11 +274,6 @@ conn xauth-psk also=shared EOF -if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then - PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}') - check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf -fi - # Specify IPsec PSK conf_bk "/etc/ipsec.secrets" cat > /etc/ipsec.secrets < Date: Sat, 13 Oct 2018 14:26:09 -0500 Subject: [PATCH 0216/1208] Update IKEv2 docs - Add instructions for iOS (iPhone/iPad). Thanks @zzuzjl for the suggestion! - Change IKEv2 address pool to 192.168.43.150-192.168.43.250 to help avoid conflict with IPsec/XAuth - Closes #453. Closes #461 - Cleanup --- README-zh.md | 2 +- README.md | 2 +- docs/clients-xauth-zh.md | 4 +- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 6 +-- docs/clients.md | 4 +- docs/ikev2-howto-zh.md | 81 ++++++++++++++++++++++++++++------------ docs/ikev2-howto.md | 79 ++++++++++++++++++++++++++++----------- 8 files changed, 125 insertions(+), 55 deletions(-) diff --git a/README-zh.md b/README-zh.md index 3d66ff3900..3fb7c85f6e 100644 --- a/README-zh.md +++ b/README-zh.md @@ -129,7 +129,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh **配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端** -**如何配置 IKEv2 VPN: Windows 和 Android** +**如何配置 IKEv2 VPN: Windows, Android 和 iOS** 如果在连接过程中遇到错误,请参见 故障排除。 diff --git a/README.md b/README.md index b1f42d89fe..a9d9325a1b 100644 --- a/README.md +++ b/README.md @@ -129,7 +129,7 @@ Get your computer or device to use the VPN. Please refer to: **Configure IPsec/XAuth ("Cisco IPsec") VPN Clients** -**How-To: IKEv2 VPN for Windows and Android** +**How-To: IKEv2 VPN for Windows, Android and iOS** If you get an error when trying to connect, see Troubleshooting. diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index b354f8c7b4..d24f301935 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md 
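Review bot: Removing the PRIVATE_IP rewrite of `left=%defaultroute` (@@ -289,11 +287,6 @@ in vpnsetup.sh, @@ -276,11 +274,6 @@ in vpnsetup_centos.sh) is a behaviour change for new installs that the PATCH 0215 commit message files under "Cleanup". Nothing in the visible lines ties it to the 3.27 bump, so please state in the message why `left=%defaultroute` is now sufficient, or move the removal into its own commit so it can be reviewed and reverted independently of the version upgrade.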
@@ -2,7 +2,7 @@ *其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* -*注: 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* +**注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。 在成功搭建自己的 VPN 服务器之后,按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 @@ -92,7 +92,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 59250b9719..a44d205f95 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -2,7 +2,7 @@ *Read this in other languages: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* -*Note: You may also connect using [IPsec/L2TP mode](clients.md), or set up [IKEv2](ikev2-howto.md).* +**Note:** You may also connect using [IPsec/L2TP mode](clients.md), or set up [IKEv2](ikev2-howto.md). After setting up your own VPN server, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free Shrew Soft client. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 86c00a475e..4c0bc6dbea 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -2,7 +2,7 @@ *其他语言版本: [English](clients.md), [简体中文](clients-zh.md).* -*注: 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。* +**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。 在成功搭建自己的 VPN 服务器之后,按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 @@ -129,7 +129,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 
diff --git a/docs/clients.md b/docs/clients.md index 6c2aba380b..f99f601a52 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -2,7 +2,7 @@ *Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).* -*Note: You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).* +**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md). After setting up your own VPN server, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. @@ -129,7 +129,7 @@ If you get an error when trying to connect, see Troub ## iOS -**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md). +**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md). 1. Go to Settings -> General -> VPN. 1. Tap **Add VPN Configuration...**. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index bcdbe45a72..f39634d52a 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -1,4 +1,4 @@ -# 如何配置 IKEv2 VPN: Windows 和 Android +# 如何配置 IKEv2 VPN: Windows, Android 和 iOS *其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* @@ -14,10 +14,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 - Windows 7, 8.x 和 10 - Android 4.x 和更新版本(使用 strongSwan VPN 客户端) +- iOS (iPhone/iPad) 下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 -在继续之前,请确保你已经成功地 搭建自己的 VPN 服务器,并且已经将 Libreswan 升级到最新版本。 +在继续之前,请确保你已经成功地 搭建自己的 VPN 服务器,并且将 Libreswan 升级到最新版本。 1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。 
@@ -43,7 +44,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 leftrsasigkey=%cert right=%any rightid=%fromcert - rightaddresspool=192.168.43.10-192.168.43.250 + rightaddresspool=192.168.43.150-192.168.43.250 rightca=%same rightrsasigkey=%cert narrowing=yes @@ -104,14 +105,16 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 -s "O=Example,CN=Example CA" \ -k rsa -g 4096 -v 36 \ -d sql:/etc/ipsec.d -t "CT,," -2 + ``` - Generating key. This may take a few moments... + ``` + Generating key. This may take a few moments... - Is this a CA certificate [y/N]? - y - Enter the path length constraint, enter to skip [<0 for unlimited path]: > - Is this a critical extension [y/N]? - N + Is this a CA certificate [y/N]? + y + Enter the path length constraint, enter to skip [<0 for unlimited path]: > + Is this a critical extension [y/N]? + N ``` ```bash @@ -123,11 +126,13 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 --keyUsage digitalSignature,keyEncipherment \ --extKeyUsage serverAuth \ --extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP" + ``` - Generating key. This may take a few moments... + ``` + Generating key. This may take a few moments... ``` -1. 生成客户端证书,并且导出 `.p12` 文件。该文件包含客户端证书,私钥以及 CA 证书: +1. 生成客户端证书,导出 CA 证书以及 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书: ```bash $ certutil -z <(head -c 1024 /dev/urandom) \ 
@@ -137,19 +142,29 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 -d sql:/etc/ipsec.d -t ",," \ --keyUsage digitalSignature,keyEncipherment \ --extKeyUsage serverAuth,clientAuth -8 "vpnclient" + ``` - Generating key. This may take a few moments... + ``` + Generating key. This may take a few moments... ``` + ```bash + $ certutil -L -d sql:/etc/ipsec.d -n "Example CA" -a -o vpnca.cer + ``` + + **注:** 这个 `vpnca.cer` 文件仅需要在 iOS 客户端上使用。 + ```bash $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d + ``` - Enter password for PKCS12 file: - Re-enter password: - pk12util: PKCS12 EXPORT SUCCESSFUL + ``` + Enter password for PKCS12 file: + Re-enter password: + pk12util: PKCS12 EXPORT SUCCESSFUL ``` - 你可以重复本步骤来为更多的客户端生成证书。将所有的 `vpnclient` 换成 `vpnclient2`,等等。 + 指定一个安全的密码以保护导出的 `.p12` 文件。你可以重复本步骤来为更多的客户端生成证书。将所有的 `vpnclient` 换成 `vpnclient2`,等等。 **注:** 如需同时连接多个客户端,则必须为每个客户端生成唯一的证书。 @@ -157,18 +172,20 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ```bash $ certutil -L -d sql:/etc/ipsec.d + ``` - Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI + ``` + Certificate Nickname Trust Attributes + SSL,S/MIME,JAR/XPI - Example CA CTu,u,u - ($PUBLIC_IP) u,u,u - vpnclient u,u,u + Example CA CTu,u,u + ($PUBLIC_IP) u,u,u + vpnclient u,u,u ``` **注:** 如需显示证书内容,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 -1. 重启 IPsec 服务: +1. **重启 IPsec 服务**: ```bash $ service ipsec restart 
@@ -195,18 +212,36 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 从 **Google Play** 安装 strongSwan VPN 客户端。 1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 - 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP`。 + 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 1. 单击 **Select user certificate**,然后单击 **Install certificate**。 1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 1. 保存新的 VPN 连接,然后单击它以开始连接。 + #### iOS (iPhone/iPad) + + 首先,将你在上面的步骤 4 中导出的两个文件 `vpnca.cer` and `vpnclient.p12` 以电子邮件附件的形式发送给你自己,然后在 iOS 邮件应用中点击它们并逐个导入为 iOS 配置描述文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入。在完成之后,检查并确保 `vpnclient` 和 `Example CA` 都显示在设置 -> 通用 -> 描述文件中。 + + 1. 进入设置 -> 通用 -> VPN。 + 1. 单击 **添加VPN配置...**。 + 1. 单击 **类型** 。选择 **IKEv2** 并返回。 + 1. 在 **描述** 字段中输入任意内容。 + 1. 在 **服务器** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 + 1. 在 **远程 ID** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 + 1. 保持 **本地 ID** 字段空白。 + 1. 单击 **用户鉴定** 。选择 **无** 并返回。 + 1. 启用 **使用证书** 选项。 + 1. 单击 **证书** 。选择 **vpnclient** 并返回。 + 1. 单击右上角的 **完成**。 + 1. 启用 **VPN** 连接。 + 1. 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ## 已知问题 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式连接。 1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级到版本 3.26 或以上。 +1. 在导入到 iOS 设备时,`.p12` 文件的密码不能为空。要解决这个问题,按照步骤 4 中的命令重新导出 `.p12` 文件并指定一个安全的密码。 ## 参考链接 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index e2315d072f..d2a1cfd879 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -1,4 +1,4 @@ -# How-To: IKEv2 VPN for Windows and Android +# How-To: IKEv2 VPN for Windows, Android and iOS *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* 
@@ -14,6 +14,7 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica - Windows 7, 8.x and 10 - Android 4.x and newer (using the strongSwan VPN client) +- iOS (iPhone/iPad) The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. @@ -43,7 +44,7 @@ Before continuing, make sure you have successfully - Is this a critical extension [y/N]? - N + Is this a CA certificate [y/N]? + y + Enter the path length constraint, enter to skip [<0 for unlimited path]: > + Is this a critical extension [y/N]? + N ``` ```bash @@ -123,11 +126,13 @@ Before continuing, make sure you have successfully this page. -1. Restart IPsec service: +1. **Restart IPsec service**: ```bash $ service ipsec restart 
@@ -195,18 +212,36 @@ Before continuing, make sure you have successfully strongSwan VPN Client from **Google Play**. 1. Launch the VPN client and tap **Add VPN Profile**. - 1. Enter `Your VPN Server IP` in the **Server** field. + 1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field. 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. 1. Tap **Select user certificate**, then tap **Install certificate**. 1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. 1. Save the new VPN connection, then tap to connect. + #### iOS (iPhone/iPad) + + First, send both `vpnca.cer` and `vpnclient.p12` (exported from step 4 above) to yourself as email attachments, then click to import them one by one as iOS profiles in the iOS Mail app. Alternatively, host the files on a secure website of yours, then download and import in Mobile Safari. When finished, check to make sure both `vpnclient` and `Example CA` are listed under Settings -> General -> Profiles. + + 1. Go to Settings -> General -> VPN. + 1. Tap **Add VPN Configuration...**. + 1. Tap **Type**. Select **IKEv2** and go back. + 1. Tap **Description** and enter anything you like. + 1. Tap **Server** and enter `Your VPN Server IP` (or DNS name). + 1. Tap **Remote ID** and enter `Your VPN Server IP` (or DNS name). + 1. Leave the **Local ID** field blank. + 1. Tap **User Authentication**. Select **None** and go back. + 1. Make sure the **Use Certificate** switch is ON. + 1. Tap **Certificate**. Select **vpnclient** and go back. + 1. Tap **Done**. + 1. Slide the **VPN** switch ON. + 1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Known Issues 1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. 
You may instead try the IPsec/L2TP or IPsec/XAuth mode. 1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above. +1. The `.p12` file cannot have an empty password when importing into an iOS device. To resolve this issue, follow instructions in step 4 to re-export the file with a secure password. ## References From 9c529435cfbcde39515127b266ee89a87b79fa89 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 14 Oct 2018 23:53:06 -0500 Subject: [PATCH 0217/1208] Fix IKEv2 docs - Fixed an issue with address pool clashing by reverting to rightaddresspool=192.168.43.10-192.168.43.250 - Replaced "Example" with "IKEv2 VPN" for clarity - Closes #465 --- docs/ikev2-howto-zh.md | 22 +++++++++++----------- docs/ikev2-howto.md | 22 +++++++++++----------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index f39634d52a..69989db07f 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -44,7 +44,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 leftrsasigkey=%cert right=%any rightid=%fromcert - rightaddresspool=192.168.43.150-192.168.43.250 + rightaddresspool=192.168.43.10-192.168.43.250 rightca=%same rightrsasigkey=%cert narrowing=yes @@ -101,8 +101,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ```bash $ certutil -z <(head -c 1024 /dev/urandom) \ - -S -x -n "Example CA" \ - -s "O=Example,CN=Example CA" \ + -S -x -n "IKEv2 VPN CA" \ + -s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \ -k rsa -g 4096 -v 36 \ -d sql:/etc/ipsec.d -t "CT,," -2 ``` @@ -119,8 +119,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ```bash $ certutil -z <(head -c 1024 /dev/urandom) \ - -S -c "Example CA" -n "$PUBLIC_IP" \ - -s "O=Example,CN=$PUBLIC_IP" \ + -S -c "IKEv2 VPN CA" -n "$PUBLIC_IP" \ + -s "O=IKEv2 VPN,CN=$PUBLIC_IP" \ -k rsa -g 4096 -v 36 \ -d sql:/etc/ipsec.d -t ",," \ --keyUsage digitalSignature,keyEncipherment \ 
@@ -136,8 +136,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ```bash $ certutil -z <(head -c 1024 /dev/urandom) \ - -S -c "Example CA" -n "vpnclient" \ - -s "O=Example,CN=vpnclient" \ + -S -c "IKEv2 VPN CA" -n "vpnclient" \ + -s "O=IKEv2 VPN,CN=vpnclient" \ -k rsa -g 4096 -v 36 \ -d sql:/etc/ipsec.d -t ",," \ --keyUsage digitalSignature,keyEncipherment \ @@ -149,7 +149,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ``` ```bash - $ certutil -L -d sql:/etc/ipsec.d -n "Example CA" -a -o vpnca.cer + $ certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o vpnca.cer ``` **注:** 这个 `vpnca.cer` 文件仅需要在 iOS 客户端上使用。 @@ -178,7 +178,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI - Example CA CTu,u,u + IKEv2 VPN CA CTu,u,u ($PUBLIC_IP) u,u,u vpnclient u,u,u ``` @@ -191,7 +191,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ service ipsec restart ``` -1. 将文件 `vpnclient.p12` 安全地传送到 VPN 客户端设备。下一步: +1. 将文件 `vpnclient.p12` 安全地传送到 VPN 客户端设备。然后按照你的操作系统对应的步骤操作。**注:** 如果你在上面的第一步指定了服务器的域名,则需要在 **Server** 和 **Remote ID** 字段中输入域名而不是 IP 地址。 #### Windows 7, 8.x 和 10 @@ -220,7 +220,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 #### iOS (iPhone/iPad) - 首先,将你在上面的步骤 4 中导出的两个文件 `vpnca.cer` and `vpnclient.p12` 以电子邮件附件的形式发送给你自己,然后在 iOS 邮件应用中点击它们并逐个导入为 iOS 配置描述文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入。在完成之后,检查并确保 `vpnclient` 和 `Example CA` 都显示在设置 -> 通用 -> 描述文件中。 + 首先,将你在上面的步骤 4 中导出的两个文件 `vpnca.cer` and `vpnclient.p12` 以电子邮件附件的形式发送给你自己,然后在 iOS 邮件应用中点击它们并逐个导入为 iOS 配置描述文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 1. 进入设置 -> 通用 -> VPN。 1. 单击 **添加VPN配置...**。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index d2a1cfd879..4dbe23dfd9 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -44,7 +44,7 @@ Before continuing, make sure you have successfully **配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端** -**如何配置 IKEv2 VPN: Windows, Android 和 iOS** +**如何配置 IKEv2 VPN: Windows, macOS, Android 和 iOS** 如果在连接过程中遇到错误,请参见 故障排除。 diff --git a/README.md b/README.md index a9d9325a1b..57fcb6138f 100644 --- a/README.md +++ b/README.md @@ -129,7 +129,7 @@ Get your computer or device to use the VPN. Please refer to: **Configure IPsec/XAuth ("Cisco IPsec") VPN Clients** -**How-To: IKEv2 VPN for Windows, Android and iOS** +**How-To: IKEv2 VPN for Windows, macOS, Android and iOS** If you get an error when trying to connect, see Troubleshooting. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 4c0bc6dbea..1c25a600cf 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -83,7 +83,7 @@ ## OS X -**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接。 +**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。 1. 打开系统偏好设置并转到网络部分。 1. 在窗口左下角单击 **+** 按钮。 diff --git a/docs/clients.md b/docs/clients.md index f99f601a52..d62f84d409 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -83,7 +83,7 @@ If you get an error when trying to connect, see Troub ## OS X -**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md). +**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md). 1. Open System Preferences and go to the Network section. 1. Click the **+** button in the lower-left corner of the window. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 69989db07f..dd79ba3b59 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -1,4 +1,4 @@ -# 如何配置 IKEv2 VPN: Windows, Android 和 iOS +# 如何配置 IKEv2 VPN: Windows, macOS, Android 和 iOS *其他语言版本: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* 
@@ -13,6 +13,7 @@ Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于以下系统: - Windows 7, 8.x 和 10 +- OS X (macOS) - Android 4.x 和更新版本(使用 strongSwan VPN 客户端) - iOS (iPhone/iPad) @@ -132,7 +133,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Generating key. This may take a few moments... ``` -1. 生成客户端证书,导出 CA 证书以及 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书: +1. 生成客户端证书,然后导出 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书: ```bash $ certutil -z <(head -c 1024 /dev/urandom) \ @@ -148,12 +149,6 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Generating key. This may take a few moments... ``` - ```bash - $ certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o vpnca.cer - ``` - - **注:** 这个 `vpnca.cer` 文件仅需要在 iOS 客户端上使用。 - ```bash $ pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d ``` @@ -164,10 +159,16 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 pk12util: PKCS12 EXPORT SUCCESSFUL ``` - 指定一个安全的密码以保护导出的 `.p12` 文件。你可以重复本步骤来为更多的客户端生成证书。将所有的 `vpnclient` 换成 `vpnclient2`,等等。 + 指定一个安全的密码以保护导出的 `.p12` 文件(在导入到 iOS 设备时,该密码不能为空)。你可以重复本步骤来为更多的客户端生成证书。将所有的 `vpnclient` 换成 `vpnclient2`,等等。 **注:** 如需同时连接多个客户端,则必须为每个客户端生成唯一的证书。 +1. (适用于 macOS 和 iOS 客户端) 导出 CA 证书到 `vpnca.cer`: + + ```bash + $ certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o vpnca.cer + ``` + 1. 证书数据库现在应该包含以下内容: ```bash 
@@ -191,11 +192,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ service ipsec restart ``` -1. 将文件 `vpnclient.p12` 安全地传送到 VPN 客户端设备。然后按照你的操作系统对应的步骤操作。**注:** 如果你在上面的第一步指定了服务器的域名,则需要在 **Server** 和 **Remote ID** 字段中输入域名而不是 IP 地址。 +1. 按照你的操作系统对应的步骤操作。请注意,如果你在上面的第一步指定了服务器的域名,则需要在 **服务器地址** 和 **远程 ID** 字段中输入该域名而不是 IP 地址。 #### Windows 7, 8.x 和 10 - 1. 将 `.p12` 文件导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 + 1. 将文件 `vpnclient.p12` 安全地传送到你的计算机,然后导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 详细的操作步骤: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs @@ -208,9 +209,30 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. (可选步骤) 如需启用更强的加密算法,你可以添加注册表键 `NegotiateDH2048_AES256` 并重启。更多信息请看这里。 + #### OS X (macOS) + + 首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 安全地传送到你的 Mac,然后双击它们并逐个导入到 **钥匙串访问** 中的 **登录** 钥匙串。下一步,双击刚才导入的 `IKEv2 VPN CA` 证书,展开 **信任** 并从 **IP 安全 (IPsec)** 下拉菜单中选择 **始终信任**。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在 **登录** 钥匙串 的 **证书** 类别中。 + + 1. 打开系统偏好设置并转到网络部分。 + 1. 在窗口左下角单击 **+** 按钮。 + 1. 从 **接口** 下拉菜单选择 **VPN**。 + 1. 从 **VPN 类型** 下拉菜单选择 **IKEv2**。 + 1. 在 **服务名称** 字段中输入任意内容。 + 1. 单击 **创建**。 + 1. 在 **服务器地址** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 + 1. 在 **远程 ID** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 + 1. 保持 **本地 ID** 字段空白。 + 1. 单击 **鉴定设置...** 按钮。 + 1. 从 **鉴定设置** 下拉菜单中选择 **无**。 + 1. 选择 **证书** 单选按钮,然后选择 **vpnclient** 证书。 + 1. 单击 **好**。 + 1. 选中 **在菜单栏中显示 VPN 状态** 复选框。 + 1. 单击 **应用** 保存VPN连接信息。 + 1. 单击 **连接**。 + #### Android 4.x 和更新版本 - 1. 从 **Google Play** 安装 strongSwan VPN 客户端。 + 1. 将文件 `vpnclient.p12` 安全地传送到你的设备,然后从 **Google Play** 安装 strongSwan VPN 客户端。 1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 
@@ -220,7 +242,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 #### iOS (iPhone/iPad) - 首先,将你在上面的步骤 4 中导出的两个文件 `vpnca.cer` and `vpnclient.p12` 以电子邮件附件的形式发送给你自己,然后在 iOS 邮件应用中点击它们并逐个导入为 iOS 配置描述文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 + 首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 以电子邮件附件的形式发送给你自己,然后在 iOS 邮件应用中点击它们并逐个导入为 iOS 配置描述文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 1. 进入设置 -> 通用 -> VPN。 1. 单击 **添加VPN配置...**。 @@ -241,7 +263,6 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式连接。 1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级到版本 3.26 或以上。 -1. 在导入到 iOS 设备时,`.p12` 文件的密码不能为空。要解决这个问题,按照步骤 4 中的命令重新导出 `.p12` 文件并指定一个安全的密码。 ## 参考链接 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 4dbe23dfd9..787ce74e8f 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -1,4 +1,4 @@ -# How-To: IKEv2 VPN for Windows, Android and iOS +# How-To: IKEv2 VPN for Windows, macOS, Android and iOS *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* @@ -13,6 +13,7 @@ Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agil Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with: - Windows 7, 8.x and 10 +- OS X (macOS) - Android 4.x and newer (using the strongSwan VPN client) - iOS (iPhone/iPad) 
@@ -132,7 +133,7 @@ Before continuing, make sure you have successfully Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". + 1. Securely transfer `vpnclient.p12` to your computer, then import it into the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". Detailed instructions: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs 
@@ -208,9 +209,30 @@ Before continuing, make sure you have successfully here. + #### OS X (macOS) + + First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your Mac, then double-click to import them one by one into the **login** keychain in **Keychain Access**. Next, double-click on the imported `IKEv2 VPN CA` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu. When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under the **Certificates** category of **login** keychain. + + 1. Open System Preferences and go to the Network section. + 1. Click the **+** button in the lower-left corner of the window. + 1. Select **VPN** from the **Interface** drop-down menu. + 1. Select **IKEv2** from the **VPN Type** drop-down menu. + 1. Enter anything you like for the **Service Name**. + 1. Click **Create**. + 1. Enter `Your VPN Server IP` (or DNS name) for the **Server Address**. + 1. Enter `Your VPN Server IP` (or DNS name) for the **Remote ID**. + 1. Leave the **Local ID** field blank. + 1. Click the **Authentication Settings...** button. + 1. Select **None** from the **Authentication Settings** drop-down menu. + 1. Select the **Certificate** radio button, then select the **vpnclient** certificate. + 1. Click **OK**. + 1. Check the **Show VPN status in menu bar** checkbox. + 1. Click **Apply** to save the VPN connection information. + 1. Click **Connect**. + #### Android 4.x and newer - 1. Install strongSwan VPN Client from **Google Play**. + 1. Securely transfer `vpnclient.p12` to your device. Then install strongSwan VPN Client from **Google Play**. 1. Launch the VPN client and tap **Add VPN Profile**. 1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field. 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. 
@@ -220,7 +242,7 @@ Before continuing, make sure you have successfully IPsec/L2TP or IPsec/XAuth mode. 1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above. -1. The `.p12` file cannot have an empty password when importing into an iOS device. To resolve this issue, follow instructions in step 4 to re-export the file with a secure password. ## References From cf7737238d1265d8b4d914c72396bd3281bc7491 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 21 Oct 2018 00:05:21 -0500 Subject: [PATCH 0219/1208] Improve IPTables on boot - Improve loading of IPTables rules on boot for systems with "netplan" such as Ubuntu 18.04, by creating a systemd service. This is needed because ifupdown scripts do not run under netplan --- vpnsetup.sh | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 1b252447c9..485c599b8f 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -434,10 +434,34 @@ iptables-restore < /etc/iptables.rules exit 0 EOF +if [ -f /usr/sbin/netplan ]; then + mkdir -p /etc/systemd/system +cat > /etc/systemd/system/load-iptables-rules.service <<'EOF' +[Unit] +Description = Load /etc/iptables.rules +DefaultDependencies=no + +Before=network-pre.target +Wants=network-pre.target + +Wants=systemd-modules-load.service local-fs.target +After=systemd-modules-load.service local-fs.target + +[Service] +Type=oneshot +ExecStart=/etc/network/if-pre-up.d/iptablesload + +[Install] +WantedBy=multi-user.target +EOF + systemctl enable load-iptables-rules 2>/dev/null +fi + for svc in fail2ban ipsec xl2tpd; do update-rc.d "$svc" enable >/dev/null 2>&1 systemctl enable "$svc" 2>/dev/null done + if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if [ -f /etc/rc.local ]; then conf_bk "/etc/rc.local" 
@@ -451,7 +475,6 @@ cat >> /etc/rc.local <<'EOF' (sleep 15 service ipsec restart service xl2tpd restart -[ -f "/usr/sbin/netplan" ] && { iptables-restore < /etc/iptables.rules; service fail2ban restart; } echo 1 > /proc/sys/net/ipv4/ip_forward)& exit 0 EOF From 804211c1014fa04678820c09311ba2be2e6865c1 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 21 Oct 2018 00:20:54 -0500 Subject: [PATCH 0220/1208] Cleanup --- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 2 +- extras/vpnupgrade.sh | 4 ++-- vpnsetup.sh | 4 ++-- vpnsetup_centos.sh | 1 + 5 files changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index dd79ba3b59..2f87c9bfba 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -25,7 +25,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ```bash $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) - $ echo "$PUBLIC_IP" + $ printf '%s' "$PUBLIC_IP" (检查显示的公共 IP) ``` diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 787ce74e8f..85506996f7 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -25,7 +25,7 @@ Before continuing, make sure you have successfully /dev/null systemctl enable iptables fail2ban 2>/dev/null fi + if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then if [ -f /etc/rc.local ]; then conf_bk "/etc/rc.local" From 0442d25217b74dcb9e7804ee2d2f4b668b2cd8b0 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 21 Oct 2018 20:25:34 -0500 Subject: [PATCH 0221/1208] Update IKEv2 docs --- docs/ikev2-howto-zh.md | 8 +++++--- docs/ikev2-howto.md | 8 +++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 2f87c9bfba..0260b198de 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -25,7 +25,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ```bash $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) - $ printf '%s' "$PUBLIC_IP" + $ printf '%s\n' "$PUBLIC_IP" (检查显示的公共 IP) ``` @@ -98,7 +98,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: - **注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。另外,如果你在上面的第一步使用了服务器的域名而不是 IP 地址,则需要将以下命令中的 `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` 换成 `--extSAN "dns:$PUBLIC_IP"`。 + **注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。 ```bash $ certutil -z <(head -c 1024 /dev/urandom) \ @@ -118,6 +118,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 N ``` + **注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须将以下命令中的 `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` 换成 `--extSAN "dns:$PUBLIC_IP"`。 + ```bash $ certutil -z <(head -c 1024 /dev/urandom) \ -S -c "IKEv2 VPN CA" -n "$PUBLIC_IP" \ @@ -192,7 +194,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ service ipsec restart ``` -1. 按照你的操作系统对应的步骤操作。请注意,如果你在上面的第一步指定了服务器的域名,则需要在 **服务器地址** 和 **远程 ID** 字段中输入该域名而不是 IP 地址。 +1. 按照下面你的操作系统对应的步骤操作。**注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须在 **服务器地址** 和 **远程 ID** 字段中输入该域名。 #### Windows 7, 8.x 和 10 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 85506996f7..7fa6da1353 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -25,7 +25,7 @@ Before continuing, make sure you have successfully /etc/systemd/system/load-iptables-rules.service <<'EOF' [Unit] From 69d1bfe06fb862c3da59bac4dbc7e70c6b5e6d21 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 24 Oct 2018 00:56:37 -0500 Subject: [PATCH 0223/1208] Improve IPTables on boot - Improve checking for iptables-persistent, and do not add ifupdown script /etc/network/if-pre-up.d/iptablesload if it is in use --- vpnsetup.sh | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 9549754e65..1e0b446f8a 100755 --- a/vpnsetup.sh 
+++ b/vpnsetup.sh @@ -387,6 +387,7 @@ bigecho "Updating IPTables rules..." # Check if rules need updating ipt_flag=0 IPT_FILE="/etc/iptables.rules" +IPT_FILE2="/etc/iptables/rules.v4" if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \ || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \ || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then @@ -418,7 +419,6 @@ if [ "$ipt_flag" = "1" ]; then echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" iptables-save >> "$IPT_FILE" - IPT_FILE2="/etc/iptables/rules.v4" if [ -f "$IPT_FILE2" ]; then conf_bk "$IPT_FILE2" /bin/cp -f "$IPT_FILE" "$IPT_FILE2" @@ -427,16 +427,25 @@ fi bigecho "Enabling services on boot..." -mkdir -p /etc/network/if-pre-up.d +# Check for iptables-persistent +IPT_PST="/etc/init.d/iptables-persistent" +IPT_PST2="/usr/share/netfilter-persistent/plugins.d/15-ip4tables" +ipt_load=1 +if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then + ipt_load=0 +fi + +if [ "$ipt_load" = "1" ]; then + mkdir -p /etc/network/if-pre-up.d cat > /etc/network/if-pre-up.d/iptablesload <<'EOF' #!/bin/sh iptables-restore < /etc/iptables.rules exit 0 EOF + chmod +x /etc/network/if-pre-up.d/iptablesload -IPT_PST="/usr/share/netfilter-persistent/plugins.d/15-ip4tables" -if [ -f /usr/sbin/netplan ] && [ ! -f "$IPT_PST" ]; then - mkdir -p /etc/systemd/system + if [ -f /usr/sbin/netplan ]; then + mkdir -p /etc/systemd/system cat > /etc/systemd/system/load-iptables-rules.service <<'EOF' [Unit] Description = Load /etc/iptables.rules @@ -455,7 +464,8 @@ ExecStart=/etc/network/if-pre-up.d/iptablesload [Install] WantedBy=multi-user.target EOF - systemctl enable load-iptables-rules 2>/dev/null + systemctl enable load-iptables-rules 2>/dev/null + fi fi for svc in fail2ban ipsec xl2tpd; do 
@@ -487,7 +497,7 @@ bigecho "Starting services..." sysctl -e -q -p # Update file attributes -chmod +x /etc/rc.local /etc/network/if-pre-up.d/iptablesload +chmod +x /etc/rc.local chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* # Apply new IPTables rules From f05bf90dbc0cc43ddc5721cfe1164a48f92adc6b Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 25 Oct 2018 01:04:16 -0500 Subject: [PATCH 0224/1208] Update IKEv2 docs - Enable MOBIKE option for Libreswan 3.23 and newer - Add AES-GCM cipher for improved performance --- docs/ikev2-howto-zh.md | 3 ++- docs/ikev2-howto.md | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 0260b198de..dde93b2b25 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -57,7 +57,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 rekey=no fragmentation=yes ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2 + phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null EOF ``` @@ -73,6 +73,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 $ cat >> /etc/ipsec.conf <> /etc/ipsec.conf < Date: Thu, 25 Oct 2018 01:25:35 -0500 Subject: [PATCH 0225/1208] Improve VPN ciphers - Add AES-GCM cipher for Chromebook compatibility and performance --- extras/vpnupgrade.sh | 4 ++-- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 93bb86e890..55a94f5ca9 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -216,10 +216,10 @@ fi # Update ipsec.conf IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" -PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" +PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512" if uname -m | grep -qi '^arm'; then - PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" + PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null" fi sed -i".old-$(date +%F-%T)" \ diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 2a73a44002..230b4f092a 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -218,7 +218,7 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null # Update ipsec.conf IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" -PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" +PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512" sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index 1e0b446f8a..885f58831a 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -259,7 +259,7 @@ conn shared dpdtimeout=120 dpdaction=clear ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 + phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512 sha2-truncbug=yes conn l2tp-psk diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 938cc89f2b..783e137cc6 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -246,7 +246,7 @@ conn shared dpdtimeout=120 dpdaction=clear ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 + phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512 sha2-truncbug=yes conn l2tp-psk From 2f9f5c39debe34633639808dc8a1496955809eb5 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 26 Oct 2018 15:16:39 -0500 Subject: [PATCH 0226/1208] Update IKEv2 docs - Add known issue about multiple IKEv2 clients from behind the same NAT - Ref: #469 --- docs/ikev2-howto-zh.md | 5 +++-- docs/ikev2-howto.md | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index dde93b2b25..06c0b834b9 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -8,7 +8,7 @@ --- -Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较,IKEv2 的功能改进包括比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。另外,IKEv2 支持同时连接在同一个 NAT(比如家用路由器)后面的多个设备到 VPN 服务器。 +Windows 7 和更新版本支持 IKEv2 协议标准,通过 Microsoft 的 Agile VPN 功能来实现。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较,IKEv2 的功能改进包括比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。 Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于以下系统: @@ -189,7 +189,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 **注:** 如需显示证书内容,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 -1. **重启 IPsec 服务**: +1. **(重要)重启 IPsec 服务**: ```bash $ service ipsec restart 
@@ -266,6 +266,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式连接。 1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级到版本 3.26 或以上。 +1. 目前还不支持同时连接在同一个 NAT (比如家用路由器)后面的多个 IKEv2 客户端。对于这个用例,请换用 IPsec/XAuth 模式。 ## 参考链接 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index d42b4765d2..0699e81a48 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -8,7 +8,7 @@ --- -Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains improvements such as Standard Mobility support through MOBIKE, and improved reliability. In addition, IKEv2 supports connecting multiple devices simultaneously from behind the same NAT (e.g. home router) to the VPN server. +Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains improvements such as Standard Mobility support through MOBIKE, and improved reliability. Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with: @@ -189,7 +189,7 @@ Before continuing, make sure you have successfully this page. -1. **Restart IPsec service**: +1. **(Important) Restart IPsec service**: ```bash $ service ipsec restart 
@@ -266,6 +266,7 @@ Before continuing, make sure you have successfully IPsec/L2TP or IPsec/XAuth mode. 1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above. +1. Connecting multiple IKEv2 clients simultaneously from behind the same NAT (e.g. home router) is not supported at this time. For this use case, please instead use IPsec/XAuth mode. ## References From 732ad1e94149e9d49a3c8d05775cfc8309c8fb25 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 27 Oct 2018 00:49:41 -0500 Subject: [PATCH 0227/1208] Improve VPN ciphers - Optimize VPN ciphers and their order for improved security and compatibility with different OS. Remove 3DES algorithm - Change 'sha2-truncbug' from 'yes' to 'no' - Update docs --- docs/clients-zh.md | 7 +++---- docs/clients.md | 7 +++---- docs/ikev2-howto-zh.md | 4 ++-- docs/ikev2-howto.md | 4 ++-- extras/vpnupgrade.sh | 16 ++++++++-------- extras/vpnupgrade_centos.sh | 14 +++++++------- vpnsetup.sh | 8 ++++---- vpnsetup_centos.sh | 6 +++--- 8 files changed, 32 insertions(+), 34 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 1c25a600cf..b851be4244 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -221,7 +221,7 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 参见)。如果仍然无法连接,请尝试下一步。 -1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `phase2alg=...` 一行并在末尾加上 `,aes256-sha2_256` 字样。保存修改并运行 `service ipsec restart`。 +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug` 一行并将它的值在 `yes` 和 `no` 之间切换。保存修改并运行 `service ipsec restart` (参见) ![Android VPN workaround](images/vpn-profile-Android.png) diff --git a/docs/clients.md b/docs/clients.md index d62f84d409..64484d2116 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -221,7 +221,7 @@ To fix this error, please follow these steps: ### Windows 10 version 1803 -If you are unable to connect using Windows 10 version 1803 or above, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Then find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. +If you are unable to connect using Windows 10 version 1803 or above: Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. Also, after upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix for [Windows Error 809](#windows-error-809) and reboot. @@ -231,11 +231,10 @@ OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but y ### Android 6 and above -If you are unable to connect using Android 6 or above, try these steps in order: +If you are unable to connect using Android 6 or above: 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. If not, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart` (Ref). If still unable to connect, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Save the file and run `service ipsec restart`. +1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug` and toggle its value (between `yes` and `no`). Save the file and run `service ipsec restart` (Ref). ![Android VPN workaround](images/vpn-profile-Android.png) 
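Review bot: The new step 2 under "Android 6 and above" tells the reader to "toggle its value (between `yes` and `no`)", which gives no known-good setting and no way to tell whether the server is in the working state. It also sits awkwardly with the rest of this commit. The Windows 10 paragraph in this file still says to find `sha2-truncbug=yes`, while the `vpnsetup.sh` and `vpnsetup_centos.sh` hunks of the same commit change the shipped value to `sha2-truncbug=no`, so a fresh install will not contain the line the docs tell users to look for. State the value Android 6+ needs and the value a new install ships with, so the instruction is deterministic.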
diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 06c0b834b9..4e667fdb2e 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -56,8 +56,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ikev2=insist rekey=no fragmentation=yes - ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null + ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 + phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 EOF ``` diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 0699e81a48..816d241d6a 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -56,8 +56,8 @@ Before continuing, make sure you have successfully /dev/null | grep -qF "$SWAN_VER"; then fi # Update ipsec.conf -IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" -PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512" +IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" +PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" if uname -m | grep -qi '^arm'; then - PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null" + PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" fi sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ + -e "s/^[[:space:]]\+sha2-truncbug=yes\$/ sha2-truncbug=no/g" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 230b4f092a..ea85036ee8 100644 --- a/extras/vpnupgrade_centos.sh 
+++ b/extras/vpnupgrade_centos.sh @@ -120,20 +120,19 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes. 1. Replace "auth=esp" with "phase2=esp" 2. Replace "forceencaps=yes" with "encapsulation=yes" - 3. Consolidate VPN ciphers for "ike=" and "phase2alg=", - re-add "MODP1024" to the list of allowed "ike=" ciphers, - which was removed from the defaults in Libreswan 3.19 + 3. Optimize VPN ciphers for "ike=" and "phase2alg=" + 4. Replace "sha2-truncbug=yes" with "sha2-truncbug=no" EOF if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then cat <<'EOF' - 4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" + 5. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" EOF fi if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then cat <<'EOF' - 4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" + 5. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" EOF fi @@ -217,12 +216,13 @@ restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null # Update ipsec.conf -IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" -PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512" +IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" +PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ + -e "s/^[[:space:]]\+sha2-truncbug=yes\$/ sha2-truncbug=no/g" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf diff --git a/vpnsetup.sh b/vpnsetup.sh index 885f58831a..eea63b89de 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -258,9 +258,9 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear - ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512 - sha2-truncbug=yes + ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 + phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + sha2-truncbug=no conn l2tp-psk auto=add @@ -288,7 +288,7 @@ conn xauth-psk EOF if uname -m | grep -qi '^arm'; then - sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf + sed -i '/phase2alg/s/,aes256-sha2_512,aes128-sha2_512//' /etc/ipsec.conf fi # Specify IPsec PSK diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 783e137cc6..964b17d270 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -245,9 +245,9 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear - ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512 - sha2-truncbug=yes + ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 + phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + sha2-truncbug=no conn l2tp-psk auto=add From e8723245f02af0149c01932a854c0f0177f23394 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 27 Oct 2018 15:22:53 -0500 Subject: [PATCH 0228/1208] Improve VPN config - Increase auto-generated IPsec PSK length to 20 characters - Add a note to README --- README-zh.md | 2 ++ README.md | 2 ++ vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README-zh.md b/README-zh.md index 716472f7e0..272ad47f4d 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -102,6 +102,8 @@ nano -w vpnsetup.sh sudo sh vpnsetup.sh ``` +**注:** 不要在值中使用这些字符: `\ " '`。一个安全的 IPsec PSK 应该至少包含 20 个随机字符。 + **选项 3:** 将你自己的 VPN 登录凭证定义为环境变量: ```bash diff --git a/README.md b/README.md index 57fcb6138f..9f187abc7c 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,8 @@ nano -w vpnsetup.sh sudo sh vpnsetup.sh ``` +**Note:** DO NOT use these special characters within values: `\ " '`. A secure IPsec PSK should consist of at least 20 random characters. + **Option 3:** Define your VPN credentials as environment variables: ```bash diff --git a/vpnsetup.sh b/vpnsetup.sh index eea63b89de..20a2753ffe 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -103,7 +103,7 @@ fi if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then bigecho "VPN credentials not set by user. Generating random PSK and password..." - VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" + VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 20)" VPN_USER=vpnuser VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 964b17d270..2ad6fa0d35 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -92,7 +92,7 @@ fi if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then bigecho "VPN credentials not set by user. Generating random PSK and password..." - VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" + VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 20)" VPN_USER=vpnuser VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" fi From 5f75a7306a38a2e07f817f4dc473643ca0dcbf38 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Sun, 28 Oct 2018 00:33:42 -0500 Subject: [PATCH 0229/1208] Improve VPN ciphers - Revert 'sha2-truncbug' from 'no' to 'yes' to fix compatibility with Android versions 6.x and 7.x. - Remove aes128-sha2_512 algorithm - Ref: 732ad1e --- docs/clients-zh.md | 2 +- docs/clients.md | 2 +- extras/vpnupgrade.sh | 8 +++----- extras/vpnupgrade_centos.sh | 8 +++----- vpnsetup.sh | 6 +++--- vpnsetup_centos.sh | 4 ++-- 6 files changed, 13 insertions(+), 17 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index b851be4244..77279374bf 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -234,7 +234,7 @@ OS X (macOS) 用户: 如果你成功地使用 IPsec/L2TP 模式连接,但是 如果你无法使用 Android 6 或以上版本连接: 1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在(看下图),请启用它并重试连接。如果不存在,请尝试下一步。 -1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug` 一行并将它的值在 `yes` 和 `no` 之间切换。保存修改并运行 `service ipsec restart` (参见) +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart` (参见) ![Android VPN workaround](images/vpn-profile-Android.png) diff --git a/docs/clients.md b/docs/clients.md index 64484d2116..845fd8eb23 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -234,7 +234,7 @@ OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but y If you are unable to connect using Android 6 or above: 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. If not, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug` and toggle its value (between `yes` and `no`). Save the file and run `service ipsec restart` (Ref). +1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart` (Ref). ![Android VPN workaround](images/vpn-profile-Android.png) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 8fd6e16e8a..683fa8de89 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -130,18 +130,17 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes. 1. Replace "auth=esp" with "phase2=esp" 2. Replace "forceencaps=yes" with "encapsulation=yes" 3. Optimize VPN ciphers for "ike=" and "phase2alg=" - 4. Replace "sha2-truncbug=yes" with "sha2-truncbug=no" EOF if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then cat <<'EOF' - 5. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" + 4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" EOF fi if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then cat <<'EOF' - 5. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" + 4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" EOF fi 
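Review bot: Removing item 4 from this NOTE list, together with the matching `sha2-truncbug=yes` to `sha2-truncbug=no` sed rule dropped further down in this file, means the upgrade script no longer touches the option. A server that already ran the upgrade script from 732ad1e keeps `sha2-truncbug=no` in `/etc/ipsec.conf`, and nothing here sets it back. The commit message gives Android 6.x and 7.x compatibility as the reason for the revert, so those servers stay on the value being reverted. Consider adding the inverse sed rule (`sha2-truncbug=no` to `sha2-truncbug=yes`) with its own NOTE entry, or at least a line telling users who upgraded in between to change it by hand.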
@@ -215,7 +214,7 @@ fi # Update ipsec.conf IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" -PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" +PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" if uname -m | grep -qi '^arm'; then PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" @@ -224,7 +223,6 @@ fi sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ - -e "s/^[[:space:]]\+sha2-truncbug=yes\$/ sha2-truncbug=no/g" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index ea85036ee8..b0cffdb4c1 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -121,18 +121,17 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes. 1. Replace "auth=esp" with "phase2=esp" 2. Replace "forceencaps=yes" with "encapsulation=yes" 3. Optimize VPN ciphers for "ike=" and "phase2alg=" - 4. Replace "sha2-truncbug=yes" with "sha2-truncbug=no" EOF if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then cat <<'EOF' - 5. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" + 4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" EOF fi if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then cat <<'EOF' - 5. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" + 4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" EOF fi 
@@ -217,12 +216,11 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null # Update ipsec.conf IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" -PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" +PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ - -e "s/^[[:space:]]\+sha2-truncbug=yes\$/ sha2-truncbug=no/g" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf diff --git a/vpnsetup.sh b/vpnsetup.sh index 20a2753ffe..586e1153c7 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -259,8 +259,8 @@ conn shared dpdtimeout=120 dpdaction=clear ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 - phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 - sha2-truncbug=no + phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + sha2-truncbug=yes conn l2tp-psk auto=add @@ -288,7 +288,7 @@ conn xauth-psk EOF if uname -m | grep -qi '^arm'; then - sed -i '/phase2alg/s/,aes256-sha2_512,aes128-sha2_512//' /etc/ipsec.conf + sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf fi # Specify IPsec PSK diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 2ad6fa0d35..c9bd855646 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -246,8 +246,8 @@ conn shared dpdtimeout=120 dpdaction=clear ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 - phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 - sha2-truncbug=no + phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + sha2-truncbug=yes conn l2tp-psk auto=add From ccc93a8c96e8e2a8188b7bf4f20223b026893aa9 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 29 Oct 2018 01:27:04 -0500 Subject: [PATCH 0230/1208] Update docs --- docs/clients-xauth-zh.md | 4 ++++ docs/clients-xauth.md | 4 ++++ docs/clients-zh.md | 26 ++++++++++++++------------ docs/clients.md | 24 +++++++++++++----------- 4 files changed, 35 insertions(+), 23 deletions(-) diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index d24f301935..3a224be2cd 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -59,6 +59,8 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabl 要连接到 VPN: 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +如果在连接过程中遇到错误,请参见 故障排除。 + ## Android 1. 启动 **设置** 应用程序。 @@ -97,6 +99,8 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +如果在连接过程中遇到错误,请参见 故障排除。 + ## 致谢 本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index a44d205f95..e394046173 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -59,6 +59,8 @@ If you get an error when trying to connect, see looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +If you get an error when trying to connect, see Troubleshooting. + ## Android 1. Launch the **Settings** application. 
@@ -97,6 +99,8 @@ If you get an error when trying to connect, see looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +If you get an error when trying to connect, see Troubleshooting. + ## Credits This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 77279374bf..f86ac8d68f 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -18,7 +18,7 @@ * [故障排除](#故障排除) * [Windows 错误 809](#windows-错误-809) * [Windows 错误 628](#windows-错误-628) - * [Windows 10 版本 1803](#windows-10-版本-1803) + * [Windows 10 升级](#windows-10-升级) * [macOS VPN 流量](#macos-vpn-流量) * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook 连接问题](#chromebook-连接问题) @@ -32,13 +32,13 @@ ### Windows 10 and 8.x 1. 右键单击系统托盘中的无线/网络图标。 -1. 选择 **打开网络与共享中心**。 +1. 选择 **打开网络和共享中心**。或者,如果你使用 Windows 10 版本 1709 或以上,选择 **打开"网络和 Internet"设置**,然后在打开的页面中单击 **网络和共享中心**。 1. 单击 **设置新的连接或网络**。 1. 选择 **连接到工作区**,然后单击 **下一步**。 1. 单击 **使用我的Internet连接 (VPN)**。 1. 在 **Internet地址** 字段中输入`你的 VPN 服务器 IP`。 1. 在 **目标名称** 字段中输入任意内容。单击 **创建**。 -1. 返回 **网络与共享中心**。单击左侧的 **更改适配器设置**。 +1. 返回 **网络和共享中心**。单击左侧的 **更改适配器设置**。 1. 右键单击新创建的 VPN 连接,并选择 **属性**。 1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。 @@ -53,7 +53,7 @@ 1. 单击开始菜单,选择控制面板。 1. 进入 **网络和Internet** 部分。 -1. 单击 **网络与共享中心**。 +1. 单击 **网络和共享中心**。 1. 单击 **设置新的连接或网络**。 1. 选择 **连接到工作区**,然后单击 **下一步**。 1. 单击 **使用我的Internet连接 (VPN)**。 @@ -65,7 +65,7 @@ 1. 在 **密码** 字段中输入`你的 VPN 密码`。 1. 选中 **记住此密码** 复选框。 1. 单击 **创建**,然后单击 **关闭** 按钮。 -1. 返回 **网络与共享中心**。单击左侧的 **更改适配器设置**。 +1. 返回 **网络和共享中心**。单击左侧的 **更改适配器设置**。 1. 右键单击新创建的 VPN 连接,并选择 **属性**。 1. 单击 **选项** 选项卡,取消选中 **包括Windows登录域** 复选框。 1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 
@@ -104,6 +104,8 @@ 要连接到 VPN: 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +如果在连接过程中遇到错误,请参见 故障排除。 + ## Android **注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。 @@ -145,6 +147,8 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +如果在连接过程中遇到错误,请参见 故障排除。 + ## Chromebook 1. 如果你尚未登录 Chromebook,请先登录。 @@ -208,7 +212,7 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 settin * [Troubleshooting](#troubleshooting) * [Windows Error 809](#windows-error-809) * [Windows Error 628](#windows-error-628) - * [Windows 10 version 1803](#windows-10-version-1803) + * [Windows 10 upgrades](#windows-10-upgrades) * [macOS VPN traffic](#macos-vpn-traffic) * [Android 6 and above](#android-6-and-above) * [Chromebook issues](#chromebook-issues) @@ -32,7 +32,7 @@ After settin ### Windows 10 and 8.x 1. Right-click on the wireless/network icon in your system tray. -1. Select **Open Network and Sharing Center**. +1. Select **Open Network and Sharing Center**. Or, if using Windows 10 version 1709 or newer, select **Open Network & Internet settings**, then on the page that opens, click **Network and Sharing Center**. 1. Click **Set up a new connection or network**. 1. Select **Connect to a workplace** and click **Next**. 1. Click **Use my Internet connection (VPN)**. 
@@ -41,7 +41,7 @@ After settin 1. Return to **Network and Sharing Center**. On the left, click **Change adapter settings**. 1. Right-click on the new VPN entry and choose **Properties**. 1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for the **Type of VPN**. -1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox. +1. Click **Allow these protocols**. Make sure the "Challenge Handshake Authentication Protocol (CHAP)" checkbox is checked. 1. Click the **Advanced settings** button. 1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. 1. Click **OK** to close the **Advanced settings**. @@ -69,7 +69,7 @@ After settin 1. Right-click on the new VPN entry and choose **Properties**. 1. Click the **Options** tab and uncheck **Include Windows logon domain**. 1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for the **Type of VPN**. -1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox. +1. Click **Allow these protocols**. Make sure the "Challenge Handshake Authentication Protocol (CHAP)" checkbox is checked. 1. Click the **Advanced settings** button. 1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. 1. Click **OK** to close the **Advanced settings**. 
@@ -104,6 +104,8 @@ If you get an error when trying to connect, see Troub To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +If you get an error when trying to connect, see Troubleshooting. + ## Android **Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md). @@ -145,6 +147,8 @@ If you get an error when trying to connect, see Troub Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +If you get an error when trying to connect, see Troubleshooting. + ## Chromebook 1. If you haven't already, sign in to your Chromebook. @@ -211,7 +215,7 @@ To fix this error, please follow these steps: 1. Right-click on the wireless/network icon in system tray, select **Open Network and Sharing Center**. 1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**. 1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**. -1. Click **Allow these protocols**. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox. +1. Click **Allow these protocols**. Make sure the "Challenge Handshake Authentication Protocol (CHAP)" checkbox is checked. 1. Click the **Advanced settings** button. 1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. 1. Click **OK** to close the **Advanced settings**. 
@@ -219,11 +223,9 @@ To fix this error, please follow these steps: ![Select CHAP in VPN connection properties](images/vpn-properties.png) -### Windows 10 version 1803 - -If you are unable to connect using Windows 10 version 1803 or above: Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. +### Windows 10 upgrades -Also, after upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix for [Windows Error 809](#windows-error-809) and reboot. +After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix above for [Windows Error 809](#windows-error-809) and reboot. ### macOS VPN traffic @@ -341,8 +343,8 @@ conn %default keyingtries=1 keyexchange=ikev1 authby=secret - ike=aes128-sha1-modp1024,3des-sha1-modp1024! - esp=aes128-sha1-modp1024,3des-sha1-modp1024! + ike=aes256-sha1-modp2048,aes128-sha1-modp2048! + esp=aes256-sha1-modp2048,aes128-sha1-modp2048! conn myvpn keyexchange=ikev1 From e797493a17746fbd6d4138fcf02ec8fbbf99e9e7 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 30 Oct 2018 00:00:08 -0500 Subject: [PATCH 0231/1208] Update IKEv2 docs --- docs/ikev2-howto-zh.md | 5 +++-- docs/ikev2-howto.md | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 4e667fdb2e..1774392a60 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -235,7 +235,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 #### Android 4.x 和更新版本 - 1. 将文件 `vpnclient.p12` 安全地传送到你的设备,然后从 **Google Play** 安装 strongSwan VPN 客户端。 + 1. 将文件 `vpnclient.p12` 安全地传送到你的 Android 设备。 + 1. 从 **Google Play** 安装 strongSwan VPN 客户端。 1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 
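Review bot: The new first Android step asks the reader to transfer `vpnclient.p12` "securely" but names no acceptable channel, whereas the iOS paragraph changed in this same commit suggests AirDrop or a secure hosted site. The guide states that this mode needs no IPsec PSK, username or password, so that file is the client's only credential and the wording matters. Name at least one concrete transfer method for Android, and add a reminder to remove the file from the device's storage once it has been imported into the strongSwan client.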
@@ -245,7 +246,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 #### iOS (iPhone/iPad) - 首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 以电子邮件附件的形式发送给你自己,然后在 iOS 邮件应用中点击它们并逐个导入为 iOS 配置描述文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 + 首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。你可以使用 AirDrop (隔空投送)来传输文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 1. 进入设置 -> 通用 -> VPN。 1. 单击 **添加VPN配置...**。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 816d241d6a..68c1926527 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -235,7 +235,8 @@ Before continuing, make sure you have successfully strongSwan VPN Client from **Google Play**. + 1. Securely transfer `vpnclient.p12` to your Android device. + 1. Install strongSwan VPN Client from **Google Play**. 1. Launch the VPN client and tap **Add VPN Profile**. 1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field. 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. @@ -245,7 +246,7 @@ Before continuing, make sure you have successfully Date: Fri, 2 Nov 2018 01:54:49 -0500 Subject: [PATCH 0233/1208] Improve VPN ciphers - Replace "aes_gcm256-null,aes_gcm128-null" with "aes_gcm-null" to improve compatibility with some Linux kernels - Ref: https://libreswan.org/wiki/FAQ#Using_aes_gcm_or_aes_ctr_results_in_ERROR:_netlink_response_for_Add_SA_esp.XXXXXXXX.40IPADDRESS_included_errno_22:_Invalid_argument --- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 2 +- extras/vpnupgrade.sh | 4 ++-- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 352d92da51..cdf92b9518 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -57,7 +57,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 rekey=no fragmentation=yes ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 - phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + phase2alg=aes_gcm-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 EOF ``` diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index fa3244a06c..2e5261e241 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -57,7 +57,7 @@ Before continuing, make sure you have successfully /dev/null # Update ipsec.conf IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" -PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" +PHASE2_NEW=" phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index 586e1153c7..2069e58b3a 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -259,7 +259,7 @@ conn shared dpdtimeout=120 dpdaction=clear ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 - phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 sha2-truncbug=yes conn l2tp-psk diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index c9bd855646..1646aa48ad 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -246,7 +246,7 @@ conn shared dpdtimeout=120 dpdaction=clear ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 - phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 sha2-truncbug=yes conn l2tp-psk From 23458655ac5addbb68c1872df82a537404105e70 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 4 Nov 2018 00:59:01 -0500 Subject: [PATCH 0234/1208] Update IKEv2 docs - Add "pfs=no" to fix IKEv2 disconnect issues (at 8 mins) on iOS/macOS - Replace "fragmentation" with "ike-frag" for compatibility - Fixes #474 - Ref: https://github.com/libreswan/libreswan/issues/222 - Ref: http://www.openradar.appspot.com/29821241 --- docs/ikev2-howto-zh.md | 3 ++- docs/ikev2-howto.md | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index cdf92b9518..04cc4d8f3d 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -55,7 +55,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 auto=add ikev2=insist rekey=no - fragmentation=yes + pfs=no + ike-frag=yes ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 phase2alg=aes_gcm-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 EOF diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 2e5261e241..2194fc5d35 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -55,7 +55,8 @@ Before continuing, make sure you have successfully Date: Mon, 5 Nov 2018 07:47:09 -0600 Subject: [PATCH 0236/1208] Update docs --- docs/clients-zh.md | 5 +++++ docs/clients.md | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index f86ac8d68f..3934baf133 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -19,6 +19,7 @@ * [Windows 错误 809](#windows-错误-809) * [Windows 错误 628](#windows-错误-628) * [Windows 10 升级](#windows-10-升级) + * [Windows 8/10 DNS 泄漏](#windows-810-dns-泄漏) * [macOS VPN 流量](#macos-vpn-流量) * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook 连接问题](#chromebook-连接问题) @@ -227,6 +228,10 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 禁用智能多宿主名称解析,或者配置你的因特网适配器以使用在你的本地网段之外的 DNS 服务器(比如 8.8.8.8 和 8.8.4.4)。在完成后重启计算机。 + ### macOS VPN 流量 OS X (macOS) 用户: 如果你成功地使用 IPsec/L2TP 模式连接,但是你的公有 IP 没有显示为 `你的 VPN 服务器 IP`,请阅读上面的 [OS X](#os-x) 部分并完成这一步:单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。然后重新连接 VPN。 diff --git a/docs/clients.md b/docs/clients.md index 59044a9fb2..1b5a039626 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -19,6 +19,7 @@ After settin * [Windows Error 809](#windows-error-809) * [Windows Error 628](#windows-error-628) * [Windows 10 upgrades](#windows-10-upgrades) + * [Windows 8/10 DNS leaks](#windows-810-dns-leaks) * [macOS VPN traffic](#macos-vpn-traffic) * [Android 6 and above](#android-6-and-above) * [Chromebook issues](#chromebook-issues) 
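Review bot: `pfs=no` in the `conn` block of patch 0234 (docs/ikev2-howto-zh.md and docs/ikev2-howto.md) applies to every IKEv2 client that follows the guide, not only the iOS/macOS clients the commit message names as the reason for it. Suggest a sentence beside the config that states the trade-off (no perfect forward secrecy for the tunnel keys) and tells readers without iOS or macOS clients that they can leave the line out.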
@@ -227,6 +228,10 @@ To fix this error, please follow these steps: After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix above for [Windows Error 809](#windows-error-809) and reboot. +### Windows 8/10 DNS leaks + +Windows 8.x and 10 use "smart multi-homed name resolution" by default, which may cause "DNS leaks" when using the native IPsec VPN client if your DNS servers on the Internet adapter is from the local network segment. To fix, you may either disable smart multi-homed name resolution, or configure your Internet adapter to use DNS servers outside your local network (e.g. 8.8.8.8 and 8.8.4.4). Reboot your PC when finished. + ### macOS VPN traffic OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show `Your VPN Server IP`, read the [OS X](#os-x) section above and complete this step: Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. Then re-connect the VPN. From 593bb3eea08981bdbfdfe1005804fadbe364b5f5 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 7 Nov 2018 00:40:24 -0600 Subject: [PATCH 0237/1208] Update docs --- docs/clients-zh.md | 2 +- docs/clients.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 3934baf133..3fc649d23b 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -230,7 +230,7 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 禁用智能多宿主名称解析,或者配置你的因特网适配器以使用在你的本地网段之外的 DNS 服务器(比如 8.8.8.8 和 8.8.4.4)。在完成后重启计算机。 +Windows 8.x 和 10 默认使用 "smart multi-homed name resolution" (智能多宿主名称解析)。如果你的因特网适配器的 DNS 服务器在本地网段上,在使用 Windows 自带的 IPsec VPN 客户端时可能会导致 "DNS 泄漏"。要解决这个问题,你可以 禁用智能多宿主名称解析,或者配置你的因特网适配器以使用在你的本地网段之外的 DNS 服务器(比如 8.8.8.8 和 8.8.4.4)。在完成后清除 DNS 缓存并且重启计算机。 ### macOS VPN 流量 diff --git a/docs/clients.md b/docs/clients.md index 1b5a039626..12c2ed84a4 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -230,7 +230,7 @@ After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re- ### Windows 8/10 DNS leaks -Windows 8.x and 10 use "smart multi-homed name resolution" by default, which may cause "DNS leaks" when using the native IPsec VPN client if your DNS servers on the Internet adapter is from the local network segment. To fix, you may either disable smart multi-homed name resolution, or configure your Internet adapter to use DNS servers outside your local network (e.g. 8.8.8.8 and 8.8.4.4). Reboot your PC when finished. +Windows 8.x and 10 use "smart multi-homed name resolution" by default, which may cause "DNS leaks" when using the native IPsec VPN client if your DNS servers on the Internet adapter are from the local network segment. To fix, you may either disable smart multi-homed name resolution, or configure your Internet adapter to use DNS servers outside your local network (e.g. 8.8.8.8 and 8.8.4.4). When finished, clear the DNS cache and reboot your PC. ### macOS VPN traffic From 442458193a4cc2a6e3c4d4315a803f234656b084 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 9 Nov 2018 00:00:58 -0600 Subject: [PATCH 0238/1208] Update docs - Add Windows PowerShell commands for creating a VPN connection - Closes #478. Thanks @nzbart! --- docs/clients-zh.md | 9 +++++++++ docs/clients.md | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 3fc649d23b..3a6317f0ee 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -48,6 +48,15 @@ 1. 单击 **确定** 关闭 **高级设置**。 1. 单击 **确定** 保存 VPN 连接的详细信息。 +另外,除了按照以上步骤操作,你也可以运行下面的 Windows PowerShell 命令来创建 VPN 连接。将 `你的 VPN 服务器 IP` 和 `你的 VPN IPsec PSK` 换成你自己的值,用单引号括起来: + +```console +# 不保存命令行历史记录 +Set-PSReadlineOption –HistorySaveStyle SaveNothing +# 创建 VPN 连接 +Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP' -TunnelType L2tp -EncryptionLevel Required -AuthenticationMethod Chap,MSChapv2 -L2tpPsk '你的 VPN IPsec PSK' -Force -RememberCredential -PassThru +``` + **注:** 在首次连接之前需要修改一次注册表。请参见下面的说明。 ### Windows 7, Vista and XP diff --git a/docs/clients.md b/docs/clients.md index 12c2ed84a4..4adf0e7651 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -48,6 +48,15 @@ After settin 1. Click **OK** to close the **Advanced settings**. 1. Click **OK** to save the VPN connection details. +Alternatively, instead of following the steps above, you may create the VPN connection using these Windows PowerShell commands. Replace `Your VPN Server IP` and `Your VPN IPsec PSK` with your own values, enclosed in single quotes: + +```console +# Disable persistent command history +Set-PSReadlineOption –HistorySaveStyle SaveNothing +# Create VPN connection +Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress 'Your VPN Server IP' -TunnelType L2tp -EncryptionLevel Required -AuthenticationMethod Chap,MSChapv2 -L2tpPsk 'Your VPN IPsec PSK' -Force -RememberCredential -PassThru +``` + **Note:** A one-time registry change is required before connecting. See details below. ### Windows 7, Vista and XP From 7c6563d581404e264c011c87da1707353dc47708 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 9 Nov 2018 18:47:34 -0600 Subject: [PATCH 0239/1208] Update docs - Add info about IPv6 traffic - Closes #480. Thanks @sunfeilong! --- docs/clients-zh.md | 2 ++ docs/clients.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 3a6317f0ee..1e26b28302 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -241,6 +241,8 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 禁用智能多宿主名称解析,或者配置你的因特网适配器以使用在你的本地网段之外的 DNS 服务器(比如 8.8.8.8 和 8.8.4.4)。在完成后清除 DNS 缓存并且重启计算机。 +另外,如果你的计算机启用了 IPv6,所有的 IPv6 流量(包括 DNS 请求)都将绕过 VPN。要在 Windows 上禁用 IPv6,请看这里。 + ### macOS VPN 流量 OS X (macOS) 用户: 如果你成功地使用 IPsec/L2TP 模式连接,但是你的公有 IP 没有显示为 `你的 VPN 服务器 IP`,请阅读上面的 [OS X](#os-x) 部分并完成这一步:单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。然后重新连接 VPN。 diff --git a/docs/clients.md b/docs/clients.md index 4adf0e7651..fc5b73cd67 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -241,6 +241,8 @@ After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re- Windows 8.x and 10 use "smart multi-homed name resolution" by default, which may cause "DNS leaks" when using the native IPsec VPN client if your DNS servers on the Internet adapter are from the local network segment. To fix, you may either disable smart multi-homed name resolution, or configure your Internet adapter to use DNS servers outside your local network (e.g. 8.8.8.8 and 8.8.4.4). When finished, clear the DNS cache and reboot your PC. +In addition, if your computer has IPv6 enabled, all IPv6 traffic (including DNS queries) will bypass the VPN. Learn how to disable IPv6 in Windows. + ### macOS VPN traffic OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show `Your VPN Server IP`, read the [OS X](#os-x) section above and complete this step: Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. Then re-connect the VPN. From 0adf0bebcd32a86cd6b32ef1d2eeef2aaff79fc4 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 13 Nov 2018 23:04:47 -0600 Subject: [PATCH 0240/1208] Update docs --- README-zh.md | 6 +++--- README.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README-zh.md b/README-zh.md index 272ad47f4d..f6ebcb4c74 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -1,6 +1,6 @@ # IPsec VPN 服务器一键安装脚本 -[![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) +[![Build Status](https://img.shields.io/travis/hwdsl2/setup-ipsec-vpn.svg?maxAge=1200)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) 使用 Linux 脚本一键快速搭建自己的 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu/Debian/CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 @@ -8,7 +8,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 我们将使用 Libreswan 作为 IPsec 服务器,以及 xl2tpd 作为 L2TP 提供者。 -**» 相关教程: IPsec VPN Server Auto Setup with Libreswan** +**» 另见: Docker 上的 IPsec VPN 服务器** *其他语言版本: [English](README.md), [简体中文](README-zh.md).* @@ -75,7 +75,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh **» 我想建立并使用自己的 VPN ,但是没有可用的服务器** -高级用户可以在 $35 Raspberry Pi 3 上搭建 VPN 服务器。 +高级用户可以在一个 $35 的 Raspberry Pi 3 上搭建 VPN 服务器。详见以下教程: [1] [2]。 :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! 
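Review bot: In the PowerShell snippet from patch 0238 (docs/clients.md and docs/clients-zh.md), `Set-PSReadlineOption –HistorySaveStyle SaveNothing` has an en dash (U+2013) in front of `HistorySaveStyle`, while every parameter on the `Add-VpnConnection` line uses an ASCII hyphen. This is the line that keeps `-L2tpPsk '...'` out of the saved command history, so it should read `-HistorySaveStyle` to rule out paste or encoding problems. The fence is also tagged `console` although the content is PowerShell.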
diff --git a/README.md b/README.md index 9f187abc7c..209f2cee64 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # IPsec VPN Server Auto Setup Scripts -[![Build Status](https://travis-ci.org/hwdsl2/setup-ipsec-vpn.svg?branch=master)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) +[![Build Status](https://img.shields.io/travis/hwdsl2/setup-ipsec-vpn.svg?maxAge=1200)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) Set up your own IPsec VPN server in just a few minutes, with both IPsec/L2TP and Cisco IPsec on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials, and let the scripts handle the rest. @@ -8,7 +8,7 @@ An IPsec VPN encrypts your network traffic, so that nobody between you and the V We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider. -**» Related tutorial: IPsec VPN Server Auto Setup with Libreswan** +**» See also: IPsec VPN Server on Docker** *Read this in other languages: [English](README.md), [简体中文](README-zh.md).* 
@@ -75,7 +75,7 @@ This also includes Linux VMs in public clouds, such as **» I want to run my own VPN but don't have a server for that** -Advanced users can set up the VPN server on a $35 Raspberry Pi 3. +Advanced users can set up the VPN server on a $35 Raspberry Pi 3. Learn more in these articles: [1] [2]. :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! From ed997dd190bab997eaaf8a21bd3953ac90117a50 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 16 Nov 2018 13:05:29 -0600 Subject: [PATCH 0241/1208] Update docs --- README-zh.md | 5 +++-- README.md | 5 +++-- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 2 +- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/README-zh.md b/README-zh.md index f6ebcb4c74..d5d2555da3 100644 --- a/README-zh.md +++ b/README-zh.md @@ -57,11 +57,12 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh ## 系统要求 -一个新创建的 Amazon EC2 实例,使用这些映像 (AMIs): +一个新创建的 Amazon EC2 实例,使用这些映像之一: - Ubuntu 18.04 (Bionic), 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates +- Red Hat Enterprise Linux (RHEL) 7 or 6 请参见 详细步骤 以及 EC2 定价细节。 @@ -153,7 +154,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6。 Ubuntu 用户需要安装 `` linux-image-extra-`uname -r` `` 软件包并运行 `service xl2tpd restart`。 -如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS)。然后重启服务器。 +如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。 在使用 `IPsec/L2TP` 连接时,VPN 服务器在虚拟网络 `192.168.42.0/24` 内具有 IP `192.168.42.1`。 diff --git a/README.md b/README.md index 209f2cee64..0de60e618a 100644 --- a/README.md +++ b/README.md 
@@ -57,11 +57,12 @@ For other installation options and how to set up VPN clients, read the sections ## Requirements -A newly created Amazon EC2 instance, from these images (AMIs): +A newly created Amazon EC2 instance, from one of these images: - Ubuntu 18.04 (Bionic), 16.04 (Xenial) or 14.04 (Trusty) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates +- Red Hat Enterprise Linux (RHEL) 7 or 6 Please see detailed instructions and EC2 pricing. @@ -153,7 +154,7 @@ Clients are set to use Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 -使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6。 Ubuntu 用户需要安装 `` linux-image-extra-`uname -r` `` 软件包并运行 `service xl2tpd restart`。 +使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart`。 如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。 diff --git a/README.md b/README.md index 0de60e618a..00dd4142fe 100644 --- a/README.md +++ b/README.md 
@@ -152,7 +152,7 @@ If you wish to add, edit or remove VPN user accounts, see Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. -Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 9 and CentOS 7/6. Ubuntu users need to install the `` linux-image-extra-`uname -r` `` package and run `service xl2tpd restart`. +Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 9 and CentOS 7/6. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`. To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 1e26b28302..2db647ca2c 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -190,6 +190,16 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 vpnsetup.sh (或者 vpnsetup_centos.sh),然后点击右方的 **`Raw`** 按钮。按快捷键 `Ctrl-A` 全选, `Ctrl-C` 复制,然后粘贴到你喜欢的编辑器。 @@ -148,7 +149,7 @@ VPN_PASSWORD='你的VPN密码' sh vpnsetup.sh 对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。 -如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。 +如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。该文档包含一个辅助脚本,以方便更新 VPN 用户。 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 diff --git a/README.md b/README.md index 00dd4142fe..5fb9f3bfa7 100644 --- a/README.md +++ b/README.md 
@@ -113,7 +113,8 @@ sudo sh vpnsetup.sh wget https://git.io/vpnsetup -O vpnsetup.sh && sudo \ VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ VPN_USER='your_vpn_username' \ -VPN_PASSWORD='your_vpn_password' sh vpnsetup.sh +VPN_PASSWORD='your_vpn_password' \ +sh vpnsetup.sh ``` **Note:** If unable to download via `wget`, you may also open vpnsetup.sh (or vpnsetup_centos.sh) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor. @@ -148,7 +149,7 @@ The same VPN account can be used by your multiple devices. However, due to an IP For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433). -If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. +If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. A helper script is included for convenience. Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 138b02559c..2096e4a001 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md @@ -4,13 +4,15 @@ 在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,更改或者删除用户,请阅读本文档。 +**注:** 现在提供一个辅助脚本,以方便更新 VPN 用户。请参见 [辅助脚本](#辅助脚本)。 + 首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets` 中。如果要更换一个新的 PSK,可以编辑此文件。所有的 VPN 用户将共享同一个 IPsec PSK。 ```bash %any %any : PSK "你的IPsec预共享密钥" ``` -对于 `IPsec/L2TP`,VPN 用户账户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下: +对于 `IPsec/L2TP`,VPN 用户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下: ```bash "你的VPN用户名1" l2tpd "你的VPN密码1" * 
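Review bot: The top-of-page note in docs/manage-users-zh.md is missing the warning that the helper script removes ALL existing VPN users; that warning only appears further down, in the new helper-script section of this patch. Suggest carrying it into the note itself, since the note is the first thing a reader who only wants to add one user will see. The same applies to the matching note in docs/manage-users.md.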
@@ -20,7 +22,7 @@ 你可以添加更多用户,每个用户对应文件中的一行。**不要** 在用户名,密码或 PSK 中使用这些字符:`\ " '` -对于 `IPsec/XAuth ("Cisco IPsec")`, VPN 用户账户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下: +对于 `IPsec/XAuth ("Cisco IPsec")`, VPN 用户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下: ```bash 你的VPN用户名1:你的VPN密码1的加盐哈希值:xauth-psk @@ -41,3 +43,35 @@ openssl passwd -1 '你的VPN密码1' service ipsec restart service xl2tpd restart ``` + +## 辅助脚本 + +你可以使用 [这个辅助脚本](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh) 来更新 VPN 用户。首先下载脚本: + +```bash +wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh +``` + +要更新 VPN 用户,从以下选项中选择一个: + +**重要:** 这个脚本会将你当前**所有的** VPN 用户移除并替换为你指定的新用户。如果你需要保留当前的 VPN 用户,则必须将它们包含在下面的变量中。或者你也可以按照上面的说明手动更新 VPN 用户。 + +**选项 1:** 编辑脚本并输入 VPN 用户信息: + +```bash +nano -w update_vpn_users.sh +[替换为你自己的值: YOUR_USERNAMES 和 YOUR_PASSWORDS] +sudo sh update_vpn_users.sh +``` + +**选项 2:** 将 VPN 用户信息定义为环境变量: + +```bash +# VPN用户名和密码列表,用空格分隔 +# 所有变量值必须用 '单引号' 括起来 +# *不要* 在值中使用这些字符: \ " ' +sudo \ +VPN_USERS='用户名1 用户名2 ...' \ +VPN_PASSWORDS='密码1 密码2 ...' \ +sh update_vpn_users.sh +``` diff --git a/docs/manage-users.md b/docs/manage-users.md index 07d27edf16..56289d2c42 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md @@ -4,6 +4,8 @@ By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this document. +**Note:** A helper script to update VPN users is now available. See [Helper script](#helper-script). + First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. All VPN users will share the same IPsec PSK. ```bash 
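Review bot: Option 2 of the new helper-script section (docs/manage-users-zh.md above, docs/manage-users.md in the next hunk) puts every VPN password on the `sudo` command line as `VPN_PASSWORDS='...'`, where it is saved to the shell history and is visible in the process list while the script runs. The PowerShell snippet from patch 0238 opens with a "Disable persistent command history" step for the same reason; suggest an equivalent line here, or presenting Option 1 as the default.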
@@ -41,3 +43,35 @@ Finally, restart services if you changed to a new PSK. For add, edit or remove V service ipsec restart service xl2tpd restart ``` + +## Helper script + +You may use [this helper script](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh) to update VPN users. First download the script: + +```bash +wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh +``` + +To update VPN users, choose one of the following options: + +**Important:** This script will remove **ALL** existing VPN users and replace them with the new users you specify. Therefore, you must include any existing user(s) you want to keep in the variables below. Or, you may update users manually (see above). + +**Option 1:** Edit the script and enter VPN user details: + +```bash +nano -w update_vpn_users.sh +[Replace with your own values: YOUR_USERNAMES and YOUR_PASSWORDS] +sudo sh update_vpn_users.sh +``` + +**Option 2:** Define VPN user details as environment variables: + +```bash +# List of VPN usernames and passwords, separated by spaces +# All values MUST be placed inside 'single quotes' +# DO NOT use these special characters within values: \ " ' +sudo \ +VPN_USERS='username1 username2 ...' \ +VPN_PASSWORDS='password1 password2 ...' \ +sh update_vpn_users.sh +``` diff --git a/extras/update_vpn_users.sh b/extras/update_vpn_users.sh new file mode 100644 index 0000000000..cde41f8089 --- /dev/null +++ b/extras/update_vpn_users.sh 
@@ -0,0 +1,174 @@ +#!/bin/sh +# +# Script to update VPN users for both IPsec/L2TP and Cisco IPsec +# +# Copyright (C) 2018 Lin Song +# +# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 +# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ +# +# Attribution required: please include my name in any derivative and let me +# know how you have improved it! + +# ===================================================== + +# Define your own values for these variables +# - List of VPN usernames and passwords, separated by spaces +# - All values MUST be placed inside 'single quotes' +# - DO NOT use these special characters within values: \ " ' + +YOUR_USERNAMES='' +YOUR_PASSWORDS='' + +# Example: +# YOUR_USERNAMES='username1 username2' +# YOUR_PASSWORDS='password1 password2' + +# ===================================================== + +export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT="$(date +%F-%T)" + +exiterr() { echo "Error: $1" >&2; exit 1; } +conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } +onespace() { printf '%s' "$1" | tr -s ' '; } +noquotes() { printf '%s' "$1" | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"; } +noquotes2() { printf '%s' "$1" | sed -e 's/" "/ /g' -e "s/' '/ /g"; } + +update_vpn_users() { + +if [ "$(id -u)" != 0 ]; then + exiterr "Script must be run as root. Try 'sudo sh $0'" +fi + +if [ ! -f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then +cat 1>&2 <<'EOF' +Error: File /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd do not exist! + Your must first set up the VPN server before updating VPN users. + See: https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 +fi + +if ! 
grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then +cat 1>&2 <<'EOF' +Error: This script can only be used with VPN servers created using: + https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 +fi + +[ -n "$YOUR_USERNAMES" ] && VPN_USERS="$YOUR_USERNAMES" +[ -n "$YOUR_PASSWORDS" ] && VPN_PASSWORDS="$YOUR_PASSWORDS" + +if [ -z "$VPN_USERS" ] || [ -z "$VPN_PASSWORDS" ]; then + exiterr "All VPN credentials must be specified. Edit the script and re-enter them." +fi + +VPN_USERS="$(noquotes "$VPN_USERS")" +VPN_USERS="$(onespace "$VPN_USERS")" +VPN_USERS="$(noquotes2 "$VPN_USERS")" +VPN_PASSWORDS="$(noquotes "$VPN_PASSWORDS")" +VPN_PASSWORDS="$(onespace "$VPN_PASSWORDS")" +VPN_PASSWORDS="$(noquotes2 "$VPN_PASSWORDS")" + +if printf '%s' "$VPN_USERS $VPN_PASSWORDS" | LC_ALL=C grep -q '[^ -~]\+'; then + exiterr "VPN credentials must not contain non-ASCII characters." +fi + +case "$VPN_USERS $VPN_PASSWORDS" in + *[\\\"\']*) + exiterr "VPN credentials must not contain these special characters: \\ \" '" + ;; +esac + +clear + +cat <<'EOF' + +Welcome! This script will update VPN user accounts +for both IPsec/L2TP and IPsec/XAuth (Cisco IPsec). + +WARNING: ALL existing VPN users will be removed + and replaced with the users listed below. + Please double check before continuing! 
+ +================================================== + +Updated list of VPN users (username | password): + +EOF + +count=1 +vpn_user=$(printf '%s' "$VPN_USERS" | cut -d ' ' -f 1) +vpn_password=$(printf '%s' "$VPN_PASSWORDS" | cut -d ' ' -f 1) +while [ -n "$vpn_user" ] && [ -n "$vpn_password" ]; do +cat <> /etc/ppp/chap-secrets <> /etc/ipsec.d/passwd < Date: Thu, 22 Nov 2018 16:49:56 -0600 Subject: [PATCH 0244/1208] Add more helper scripts - Create additional helper scripts for managing VPN users - Update docs - Closes: #355 --- README-zh.md | 2 +- README.md | 2 +- docs/manage-users-zh.md | 86 ++++++++++++++--------- docs/manage-users.md | 86 ++++++++++++++--------- extras/add_vpn_user.sh | 136 ++++++++++++++++++++++++++++++++++++ extras/del_vpn_user.sh | 138 +++++++++++++++++++++++++++++++++++++ extras/update_vpn_users.sh | 2 + 7 files changed, 386 insertions(+), 66 deletions(-) create mode 100644 extras/add_vpn_user.sh create mode 100644 extras/del_vpn_user.sh diff --git a/README-zh.md b/README-zh.md index 65b974b6c5..1034672f32 100644 --- a/README-zh.md +++ b/README-zh.md @@ -149,7 +149,7 @@ sh vpnsetup.sh 对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。 -如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。该文档包含一个辅助脚本,以方便更新 VPN 用户。 +如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。该文档包含辅助脚本,以方便管理 VPN 用户。 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 diff --git a/README.md b/README.md index 5fb9f3bfa7..ef7713a729 100644 --- a/README.md +++ b/README.md 
@@ -149,7 +149,7 @@ The same VPN account can be used by your multiple devices. However, due to an IP For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433). -If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. A helper script is included for convenience. +If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. Helper scripts are included for convenience. Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 2096e4a001..e329970885 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md 
@@ -4,57 +4,39 @@ 在默认情况下,将只创建一个用于 VPN 登录的用户账户。如果你需要添加,更改或者删除用户,请阅读本文档。 -**注:** 现在提供一个辅助脚本,以方便更新 VPN 用户。请参见 [辅助脚本](#辅助脚本)。 +## 使用辅助脚本 -首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets` 中。如果要更换一个新的 PSK,可以编辑此文件。所有的 VPN 用户将共享同一个 IPsec PSK。 +你可以使用这些脚本来更方便地管理 VPN 用户:[add_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/add_vpn_user.sh), [del_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/del_vpn_user.sh) 和 [update_vpn_users.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh)。它们将同时更新 IPsec/L2TP 和 IPsec/XAuth (Cisco IPsec) 模式的用户。如果你需要更新 IPsec PSK,请阅读下一节。 -```bash -%any %any : PSK "你的IPsec预共享密钥" -``` +### 添加或者更新一个 VPN 用户 -对于 `IPsec/L2TP`,VPN 用户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下: +添加一个新 VPN 用户,或者为一个已有的 VPN 用户更新密码。 ```bash -"你的VPN用户名1" l2tpd "你的VPN密码1" * -"你的VPN用户名2" l2tpd "你的VPN密码2" * -... ... +wget -O add_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/add_vpn_user.sh +sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add' ``` -你可以添加更多用户,每个用户对应文件中的一行。**不要** 在用户名,密码或 PSK 中使用这些字符:`\ " '` +### 删除一个 VPN 用户 -对于 `IPsec/XAuth ("Cisco IPsec")`, VPN 用户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下: +删除指定的 VPN 用户。 ```bash -你的VPN用户名1:你的VPN密码1的加盐哈希值:xauth-psk -你的VPN用户名2:你的VPN密码2的加盐哈希值:xauth-psk -... ... 
+wget -O del_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/del_vpn_user.sh +sudo sh del_vpn_user.sh 'username_to_delete' ``` -这个文件中的密码以加盐哈希值的形式保存。该步骤可以借助比如 `openssl` 工具来完成: +### 更新所有的 VPN 用户 -```bash -# 以下命令的输出为:你的VPN密码1的加盐哈希值 -openssl passwd -1 '你的VPN密码1' -``` - -最后,如果你更换了新的 PSK,则需要重启服务。对于添加,更改或者删除 VPN 用户,一般不需重启。 - -```bash -service ipsec restart -service xl2tpd restart -``` - -## 辅助脚本 - -你可以使用 [这个辅助脚本](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh) 来更新 VPN 用户。首先下载脚本: +移除所有的 VPN 用户并替换为你指定的列表中的用户。 ```bash wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh ``` -要更新 VPN 用户,从以下选项中选择一个: +要使用这个脚本,从以下选项中选择一个: -**重要:** 这个脚本会将你当前**所有的** VPN 用户移除并替换为你指定的新用户。如果你需要保留当前的 VPN 用户,则必须将它们包含在下面的变量中。或者你也可以按照上面的说明手动更新 VPN 用户。 +**重要:** 这个脚本会将你当前**所有的** VPN 用户移除并替换为你指定的列表中的用户。如果你需要保留已有的 VPN 用户,则必须将它们包含在下面的变量中。 **选项 1:** 编辑脚本并输入 VPN 用户信息: @@ -75,3 +57,43 @@ VPN_USERS='用户名1 用户名2 ...' \ VPN_PASSWORDS='密码1 密码2 ...' \ sh update_vpn_users.sh ``` + +## 手动管理 VPN 用户和 PSK + +首先,IPsec PSK (预共享密钥) 保存在文件 `/etc/ipsec.secrets` 中。如果要更换一个新的 PSK,可以编辑此文件。完成后必须重启服务(见下面)。所有的 VPN 用户将共享同一个 IPsec PSK。 + +```bash +%any %any : PSK "你的IPsec预共享密钥" +``` + +对于 `IPsec/L2TP`,VPN 用户信息保存在文件 `/etc/ppp/chap-secrets`。该文件的格式如下: + +```bash +"你的VPN用户名1" l2tpd "你的VPN密码1" * +"你的VPN用户名2" l2tpd "你的VPN密码2" * +... ... +``` + +你可以添加更多用户,每个用户对应文件中的一行。**不要** 在用户名,密码或 PSK 中使用这些字符:`\ " '` + +对于 `IPsec/XAuth ("Cisco IPsec")`, VPN 用户信息保存在文件 `/etc/ipsec.d/passwd`。该文件的格式如下: + +```bash +你的VPN用户名1:你的VPN密码1的加盐哈希值:xauth-psk +你的VPN用户名2:你的VPN密码2的加盐哈希值:xauth-psk +... ... +``` + +这个文件中的密码以加盐哈希值的形式保存。该步骤可以借助比如 `openssl` 工具来完成: + +```bash +# 以下命令的输出为:你的VPN密码1的加盐哈希值 +openssl passwd -1 '你的VPN密码1' +``` + +最后,如果你更换了新的 PSK,则必须重启服务。对于添加,更改或者删除 VPN 用户,一般不需重启。 + +```bash +service ipsec restart +service xl2tpd restart +``` diff --git a/docs/manage-users.md b/docs/manage-users.md index 56289d2c42..005d02a799 100644 
--- a/docs/manage-users.md +++ b/docs/manage-users.md 
@@ -4,57 +4,39 @@ By default, a single user account for VPN login is created. If you wish to add, edit or remove users, read this document. -**Note:** A helper script to update VPN users is now available. See [Helper script](#helper-script). +## Using helper scripts -First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. All VPN users will share the same IPsec PSK. +You may use these scripts to more easily manage VPN users: [add_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/add_vpn_user.sh), [del_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/del_vpn_user.sh) and [update_vpn_users.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh). They will update users for both IPsec/L2TP and IPsec/XAuth (Cisco IPsec) modes. For updating the IPsec PSK, read the next section. -```bash -%any %any : PSK "your_ipsec_pre_shared_key" -``` +### Add or update a VPN user -For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format of this file is: +Add a new VPN user or update an existing user with a new password. ```bash -"your_vpn_username_1" l2tpd "your_vpn_password_1" * -"your_vpn_username_2" l2tpd "your_vpn_password_2" * -... ... +wget -O add_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/add_vpn_user.sh +sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add' ``` -You can add more users, use one line for each user. DO NOT use these special characters within values: `\ " '` +### Delete a VPN user -For `IPsec/XAuth ("Cisco IPsec")`, VPN users are specified in `/etc/ipsec.d/passwd`. The format of this file is: +Delete the specified VPN user. ```bash -your_vpn_username_1:your_vpn_password_1_hashed:xauth-psk -your_vpn_username_2:your_vpn_password_2_hashed:xauth-psk -... ... 
+wget -O del_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/del_vpn_user.sh +sudo sh del_vpn_user.sh 'username_to_delete' ``` -Passwords in this file are salted and hashed. This step can be done using e.g. the `openssl` utility: +### Update all VPN users -```bash -# The output will be your_vpn_password_1_hashed -openssl passwd -1 'your_vpn_password_1' -``` - -Finally, restart services if you changed to a new PSK. For add, edit or remove VPN users, a restart is normally not required. - -```bash -service ipsec restart -service xl2tpd restart -``` - -## Helper script - -You may use [this helper script](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh) to update VPN users. First download the script: +Remove all existing VPN users and replace with the list of users you specify. ```bash wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh ``` -To update VPN users, choose one of the following options: +To use this script, choose one of the following options: -**Important:** This script will remove **ALL** existing VPN users and replace them with the new users you specify. Therefore, you must include any existing user(s) you want to keep in the variables below. Or, you may update users manually (see above). +**Important:** This script will remove **ALL** existing VPN users and replace them with the list of users you specify. Therefore, you must include any existing user(s) you want to keep in the variables below. **Option 1:** Edit the script and enter VPN user details: 
@@ -75,3 +57,43 @@ VPN_USERS='username1 username2 ...' \ VPN_PASSWORDS='password1 password2 ...' \ sh update_vpn_users.sh ``` + +## Manually manage VPN users and PSK + +First, the IPsec PSK (pre-shared key) is stored in `/etc/ipsec.secrets`. To change to a new PSK, just edit this file. You must restart services when finished (see below). All VPN users will share the same IPsec PSK. + +```bash +%any %any : PSK "your_ipsec_pre_shared_key" +``` + +For `IPsec/L2TP`, VPN users are specified in `/etc/ppp/chap-secrets`. The format of this file is: + +```bash +"your_vpn_username_1" l2tpd "your_vpn_password_1" * +"your_vpn_username_2" l2tpd "your_vpn_password_2" * +... ... +``` + +You can add more users, use one line for each user. DO NOT use these special characters within values: `\ " '` + +For `IPsec/XAuth ("Cisco IPsec")`, VPN users are specified in `/etc/ipsec.d/passwd`. The format of this file is: + +```bash +your_vpn_username_1:your_vpn_password_1_hashed:xauth-psk +your_vpn_username_2:your_vpn_password_2_hashed:xauth-psk +... ... +``` + +Passwords in this file are salted and hashed. This step can be done using e.g. the `openssl` utility: + +```bash +# The output will be your_vpn_password_1_hashed +openssl passwd -1 'your_vpn_password_1' +``` + +Finally, you must restart services if changing to a new PSK. For adding, editing or removing VPN users, this is normally not required. + +```bash +service ipsec restart +service xl2tpd restart +``` diff --git a/extras/add_vpn_user.sh b/extras/add_vpn_user.sh new file mode 100644 index 0000000000..ca40a5d33f --- /dev/null +++ b/extras/add_vpn_user.sh 
@@ -0,0 +1,136 @@ +#!/bin/sh +# +# Script to add/update an VPN user for both IPsec/L2TP and Cisco IPsec +# +# Copyright (C) 2018 Lin Song +# +# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 +# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ +# +# Attribution required: please include my name in any derivative and let me +# know how you have improved it! + +export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT="$(date +%F-%T)" + +exiterr() { echo "Error: $1" >&2; exit 1; } +conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } + +add_vpn_user() { + +if [ "$(id -u)" != 0 ]; then + exiterr "Script must be run as root. Try 'sudo sh $0'" +fi + +if [ ! -f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then +cat 1>&2 <<'EOF' +Error: File /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd do not exist! + Your must first set up the VPN server before adding VPN users. + See: https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 +fi + +if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then +cat 1>&2 <<'EOF' +Error: This script can only be used with VPN servers created using: + https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 +fi + +VPN_USER=$1 +VPN_PASSWORD=$2 + +if [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then +cat 1>&2 <> /etc/ppp/chap-secrets <> /etc/ipsec.d/passwd < +# +# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 +# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ +# +# Attribution required: please include my name in any derivative and let me +# know how you have improved it! + +export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT="$(date +%F-%T)" + +exiterr() { echo "Error: $1" >&2; exit 1; } +conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } + +del_vpn_user() { + +if [ "$(id -u)" != 0 ]; then + exiterr "Script must be run as root. Try 'sudo sh $0'" +fi + +if [ ! 
-f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then +cat 1>&2 <<'EOF' +Error: File /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd do not exist! + Your must first set up the VPN server before deleting VPN users. + See: https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 +fi + +if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then +cat 1>&2 <<'EOF' +Error: This script can only be used with VPN servers created using: + https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 +fi + +VPN_USER=$1 + +if [ -z "$VPN_USER" ]; then +cat 1>&2 <&2 <<'EOF' +Error: The specified VPN user does not exist in /etc/ppp/chap-secrets + and/or /etc/ipsec.d/passwd. + Aborting. No changes were made. +EOF + exit 1 +fi + +if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \ + || [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ipsec.d/passwd)" = "1" ]; then +cat 1>&2 <<'EOF' +Error: Cannot delete the only VPN user from /etc/ppp/chap-secrets + and/or /etc/ipsec.d/passwd. + Aborting. No changes were made. +EOF + exit 1 +fi + +clear + +cat < Date: Fri, 23 Nov 2018 00:21:47 -0600 Subject: [PATCH 0245/1208] Update docs - Update docs for managing VPN users --- docs/manage-users-zh.md | 13 +++++++++++++ docs/manage-users.md | 13 +++++++++++++ 2 files changed, 26 insertions(+) diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index e329970885..ec32cb9a13 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md @@ -13,7 +13,13 @@ 添加一个新 VPN 用户,或者为一个已有的 VPN 用户更新密码。 ```bash +# 下载脚本 wget -O add_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/add_vpn_user.sh +``` + +```bash +# 所有变量值必须用 '单引号' 括起来 +# *不要* 在值中使用这些字符: \ " ' sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add' ``` 
@@ -22,7 +28,13 @@ sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add' 删除指定的 VPN 用户。 ```bash +# 下载脚本 wget -O del_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/del_vpn_user.sh +``` + +```bash +# 所有变量值必须用 '单引号' 括起来 +# *不要* 在值中使用这些字符: \ " ' sudo sh del_vpn_user.sh 'username_to_delete' ``` @@ -31,6 +43,7 @@ sudo sh del_vpn_user.sh 'username_to_delete' 移除所有的 VPN 用户并替换为你指定的列表中的用户。 ```bash +# 下载脚本 wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh ``` diff --git a/docs/manage-users.md b/docs/manage-users.md index 005d02a799..409ded3792 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md @@ -13,7 +13,13 @@ You may use these scripts to more easily manage VPN users: [add_vpn_user.sh](htt Add a new VPN user or update an existing user with a new password. ```bash +# Download the script wget -O add_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/add_vpn_user.sh +``` + +```bash +# All values MUST be placed inside 'single quotes' +# DO NOT use these special characters within values: \ " ' sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add' ``` @@ -22,7 +28,13 @@ sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add' Delete the specified VPN user. ```bash +# Download the script wget -O del_vpn_user.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/del_vpn_user.sh +``` + +```bash +# All values MUST be placed inside 'single quotes' +# DO NOT use these special characters within values: \ " ' sudo sh del_vpn_user.sh 'username_to_delete' ``` @@ -31,6 +43,7 @@ sudo sh del_vpn_user.sh 'username_to_delete' Remove all existing VPN users and replace with the list of users you specify. ```bash +# Download the script wget -O update_vpn_users.sh https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/extras/update_vpn_users.sh ``` 
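Review bot: The usage lines `sudo sh add_vpn_user.sh 'username_to_add' 'password_to_add'` in the add-user blocks of docs/manage-users.md and docs/manage-users-zh.md still document the password as a positional argument, so it is saved in the admin's shell history and is visible in the process list to other local users while the script runs. The new comments about single quotes and the `\ " '` characters do not cover that. Suggest documenting a way to supply the password that keeps it out of argv, such as a prompt or a read from stdin, and mentioning the history exposure next to the example. Separately, the download step fetches the script from the `master` branch and the next step runs it with sudo. Pointing the URL at a tagged release or commit, or publishing a checksum to compare against, would let readers know which revision they are running as root.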
From 582f98d18c72f49c8b262acd271ed0383bcab3f4 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 23 Nov 2018 11:52:38 -0600 Subject: [PATCH 0246/1208] Update docs --- docs/ikev2-howto-zh.md | 36 ++++++++++++++++++++---------------- docs/ikev2-howto.md | 36 ++++++++++++++++++++---------------- docs/manage-users-zh.md | 29 ++++++++++++++++------------- docs/manage-users.md | 23 +++++++++++++---------- 4 files changed, 69 insertions(+), 55 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 5eaaddc8e1..3273e8aed3 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -24,17 +24,19 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。 ```bash - $ PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) - $ printf '%s\n' "$PUBLIC_IP" - (检查显示的公共 IP) + PUBLIC_IP=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) + [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) + printf '%s\n' "$PUBLIC_IP" ``` + 检查并确保以上命令的输出与服务器的公共 IP 一致。该变量将在以下步骤中使用。 + **注:** 另外,在这里你也可以指定 VPN 服务器的域名。例如: `PUBLIC_IP=myvpn.example.com`。 1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接: ```bash - $ cat >> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf <> /etc/ipsec.conf < Date: Sat, 24 Nov 2018 10:30:42 -0600 Subject: [PATCH 0247/1208] Improve VPN ciphers - Optimize order of VPN ciphers for performance --- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 2 +- extras/vpnupgrade.sh | 4 ++-- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 3273e8aed3..4862252241 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -60,7 +60,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 pfs=no ike-frag=yes ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 - phase2alg=aes_gcm-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2 EOF ``` diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 5bb91d9420..8335fa6d6e 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -60,7 +60,7 @@ Before continuing, make sure you have successfully /dev/null # Update ipsec.conf IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" -PHASE2_NEW=" phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" +PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index 2069e58b3a..b268d7d6e7 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -259,7 +259,7 @@ conn shared dpdtimeout=120 dpdaction=clear ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 - phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2 sha2-truncbug=yes conn l2tp-psk diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 1646aa48ad..be7f55acbf 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -246,7 +246,7 @@ conn shared dpdtimeout=120 dpdaction=clear ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 - phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 + phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2 sha2-truncbug=yes conn l2tp-psk 
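Review bot: The reordered `phase2alg` line under `conn shared` (vpnsetup.sh, vpnsetup_centos.sh, and `PHASE2_NEW` in the upgrade script) now lists `aes128-sha1` and `aes256-sha1` ahead of every SHA-2 suite, and the commit message gives only "performance" as the reason. Please record the trade-off in the commit message or in a comment beside the line, so a later reader does not take the order as a strength ranking, and say which clients the reordering is meant to help. The list written to docs/ikev2-howto-zh.md also differs from the scripts: it has no `aes256-sha2_512` entry, while the script lists keep it between `aes256-sha1` and `aes128-sha2`. If that difference is intentional it deserves a sentence in the howto. Otherwise the lists should match, so that a server configured from the docs negotiates the same suites as one built by the script.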
From 9756ef92faaa78b60b7dd20855c8569c76c94686 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 1 Dec 2018 12:31:06 -0600 Subject: [PATCH 0248/1208] Update docs - Add troubleshooting section on iOS/Android sleep mode --- docs/clients-zh.md | 8 ++++++++ docs/clients.md | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 2db647ca2c..e7c48dee02 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -21,6 +21,7 @@ * [Windows 10 升级](#windows-10-升级) * [Windows 8/10 DNS 泄漏](#windows-810-dns-泄漏) * [macOS VPN 流量](#macos-vpn-流量) + * [iOS/Android 睡眠模式](#iosandroid-睡眠模式) * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook 连接问题](#chromebook-连接问题) * [其它错误](#其它错误) @@ -195,6 +196,7 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 故意设计的 并且不能被配置。如果你需要 VPN 在设备唤醒后自动重连,可以另外尝试使用 OpenVPN,它支持 一些选项 比如 "Reconnect on Wakeup" 和 "Seamless Tunnel"。 + +Android 设备在进入睡眠模式不久后也会断开 Wi-Fi 连接,如果你没有启用选项 "睡眠期间保持 WLAN 开启" 的话。该选项在 Android 8 (Oreo) 中不再可用。 另外,你也可以尝试打开 "始终开启 VPN" 选项以保持连接。详情请看 这里。 + ### Android 6 及以上版本 如果你无法使用 Android 6 或以上版本连接: diff --git a/docs/clients.md b/docs/clients.md index 39679f2d6f..c3a01321e2 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -21,6 +21,7 @@ After settin * [Windows 10 upgrades](#windows-10-upgrades) * [Windows 8/10 DNS leaks](#windows-810-dns-leaks) * [macOS VPN traffic](#macos-vpn-traffic) + * [iOS/Android sleep mode](#iosandroid-sleep-mode) * [Android 6 and above](#android-6-and-above) * [Chromebook issues](#chromebook-issues) * [Other errors](#other-errors) @@ -195,6 +196,7 @@ See [Linux VPN Clients](#linux-vpn-clients). * [Windows 10 upgrades](#windows-10-upgrades) * [Windows 8/10 DNS leaks](#windows-810-dns-leaks) * [macOS VPN traffic](#macos-vpn-traffic) +* [iOS/Android sleep mode](#iosandroid-sleep-mode) * [Android 6 and above](#android-6-and-above) * [Chromebook issues](#chromebook-issues) * [Other errors](#other-errors) 
@@ -257,6 +259,12 @@ In addition, if your computer has IPv6 enabled, all IPv6 traffic (including DNS OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show `Your VPN Server IP`, read the [OS X](#os-x) section above and complete this step: Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. Then re-connect the VPN. +### iOS/Android sleep mode + +To save battery, iOS devices (iPhone/iPad) will automatically disconnect Wi-Fi shortly after the screen turns off (sleep mode). As a result, the IPsec VPN disconnects. This behavior is by design and cannot be configured. If you need the VPN to auto-reconnect when the device wakes up, try OpenVPN instead, which has support for options such as "Reconnect on Wakeup" and "Seamless Tunnel". + +Android devices will also disconnect Wi-Fi shortly after entering sleep mode, unless the option "Keep Wi-Fi on during sleep" is enabled. This option is no longer available in Android 8 (Oreo). Alternatively, you may try enabling the "Always-on VPN" option to stay connected. Learn more here. + ### Android 6 and above If you are unable to connect using Android 6 or above: From b0a7cb3eaa4fe13bb544fab772b10008d34adf04 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 10 Dec 2018 00:33:46 -0600 Subject: [PATCH 0249/1208] Update docs - Add instructions for Ubuntu IPsec/L2TP VPN clients - Cleanup --- docs/clients-zh.md | 16 +++++++++++----- docs/clients.md | 16 +++++++++++----- 2 files changed, 22 insertions(+), 10 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index e7c48dee02..565f9f50f0 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -49,6 +49,8 @@ 1. 单击 **确定** 关闭 **高级设置**。 1. 单击 **确定** 保存 VPN 连接的详细信息。 +**注:** 在首次连接之前需要**修改一次注册表**。请参见下面的说明。 + 另外,除了按照以上步骤操作,你也可以运行下面的 Windows PowerShell 命令来创建 VPN 连接。将 `你的 VPN 服务器 IP` 和 `你的 VPN IPsec PSK` 换成你自己的值,用单引号括起来: ```console 
@@ -58,8 +60,6 @@ Set-PSReadlineOption –HistorySaveStyle SaveNothing Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP' -TunnelType L2tp -EncryptionLevel Required -AuthenticationMethod Chap,MSChapv2 -L2tpPsk '你的 VPN IPsec PSK' -Force -RememberCredential -PassThru ``` -**注:** 在首次连接之前需要修改一次注册表。请参见下面的说明。 - ### Windows 7, Vista and XP 1. 单击开始菜单,选择控制面板。 @@ -181,11 +181,17 @@ VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可 ## Windows Phone -Windows Phone 8.1 及以上版本用户可以尝试按照 这个教程 的步骤操作。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +Windows Phone 8.1 及以上版本用户可以尝试按照 这个教程 的步骤操作。 ## Linux -请参见 [Linux VPN 客户端](#linux-vpn-客户端)。 +### Ubuntu Linux + +Ubuntu 18.04 (和更新版本)用户可以安装 network-manager-l2tp-gnome 软件包,然后通过 GUI 配置 IPsec/L2TP VPN 客户端 (设置 -> 网络 -> VPN)。Ubuntu 16.04 和 14.04 用户可能需要添加 `nm-l2tp` PPA。更多信息请看这里。其它 Ubuntu 版本可以尝试使用下面的命令行配置方法。 + +### 其它 Linux + +首先看这里以确认 `network-manager-l2tp` 软件包是否在你的 Linux 版本上可用。另外,你也可以 [使用命令行配置 Linux VPN 客户端](#使用命令行配置-linux-vpn-客户端)。 ## 故障排除 @@ -326,7 +332,7 @@ ipsec verify ipsec whack --trafficstatus ``` -## Linux VPN 客户端 +## 使用命令行配置 Linux VPN 客户端 以下步骤是基于 [Peter Sanford 的工作](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c)。这些命令必须在你的 VPN 客户端上使用 `root` 账户运行。 diff --git a/docs/clients.md b/docs/clients.md index c3a01321e2..ab1d1ca7dc 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -49,6 +49,8 @@ After settin 1. Click **OK** to close the **Advanced settings**. 1. Click **OK** to save the VPN connection details. +**Note:** A **one-time registry change** is required before connecting. See details below. + Alternatively, instead of following the steps above, you may create the VPN connection using these Windows PowerShell commands. Replace `Your VPN Server IP` and `Your VPN IPsec PSK` with your own values, enclosed in single quotes: ```console 
@@ -58,8 +60,6 @@ Set-PSReadlineOption –HistorySaveStyle SaveNothing Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress 'Your VPN Server IP' -TunnelType L2tp -EncryptionLevel Required -AuthenticationMethod Chap,MSChapv2 -L2tpPsk 'Your VPN IPsec PSK' -Force -RememberCredential -PassThru ``` -**Note:** A one-time registry change is required before connecting. See details below. - ### Windows 7, Vista and XP 1. Click on the Start Menu and go to the Control Panel. @@ -181,11 +181,17 @@ If you get an error when trying to connect, see Troub ## Windows Phone -Users with Windows Phone 8.1 and above, try this tutorial. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Users with Windows Phone 8.1 and above, try this tutorial. ## Linux -See [Linux VPN Clients](#linux-vpn-clients). +### Ubuntu Linux + +Ubuntu 18.04 (and newer) users can install the network-manager-l2tp-gnome package, then configure the IPsec/L2TP VPN client using the GUI (Settings -> Network -> VPN). Ubuntu 16.04 and 14.04 users may need to add the `nm-l2tp` PPA. Read more here. For other Ubuntu versions, try the command line method below. + +### Other Linux + +First check here to see if the `network-manager-l2tp` package is available for your Linux distribution. Alternatively, you may [configure Linux VPN clients using the command line](#configure-linux-vpn-clients-using-the-command-line). ## Troubleshooting @@ -326,7 +332,7 @@ Show current established VPN connections: ipsec whack --trafficstatus ``` -## Linux VPN Clients +## Configure Linux VPN clients using the command line Instructions below are based on [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c). Commands must be run as `root` on your VPN client. From 4f64a72ed1540e1dfe6c0c4af04b68c5b3ea6fb3 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Mon, 10 Dec 2018 21:51:47 -0600 Subject: [PATCH 0250/1208] Update docs - Update instructions for Linux IPsec/L2TP VPN clients --- docs/clients-zh.md | 28 ++++++++++++++++++++++++---- docs/clients.md | 28 ++++++++++++++++++++++++---- 2 files changed, 48 insertions(+), 8 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 565f9f50f0..33d4dc57c4 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -187,11 +187,31 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 network-manager-l2tp-gnome 软件包,然后通过 GUI 配置 IPsec/L2TP VPN 客户端 (设置 -> 网络 -> VPN)。Ubuntu 16.04 和 14.04 用户可能需要添加 `nm-l2tp` PPA。更多信息请看这里。其它 Ubuntu 版本可以尝试使用下面的命令行配置方法。 +Ubuntu 18.04 (和更新版本)用户可以安装 network-manager-l2tp-gnome 软件包,然后通过 GUI 配置 IPsec/L2TP VPN 客户端。Ubuntu 16.04 和 14.04 用户可能需要添加 `nm-l2tp` PPA,参见 这里。 + +1. 进入设置 -> 网络 -> VPN。单击 **+** 按钮。 +1. 选择 **Layer 2 Tunneling Protocol (L2TP)**。 +1. 在 **Name** 字段中输入任意内容。 +1. 在 **Gateway** 字段中输入`你的 VPN 服务器 IP`。 +1. 在 **User name** 字段中输入`你的 VPN 用户名`。 +1. 右键单击 **Password** 字段中的 **?**,选择 **Store the password only for this user**。 +1. 在 **Password** 字段中输入`你的 VPN 密码`。 +1. 保持 **NT Domain** 字段空白。 +1. 单击 **IPsec Settings...** 按钮。 +1. 选中 **Enable IPsec tunnel to L2TP host** 复选框。 +1. 保持 **Gateway ID** 字段空白。 +1. 在 **Pre-shared key** 字段中输入`你的 VPN IPsec PSK`。 +1. 展开 **Advanced** 部分。 +1. 在 **Phase1 Algorithms** 字段中输入 `aes128-sha1-modp2048!`。 +1. 在 **Phase2 Algorithms** 字段中输入 `aes128-sha1-modp2048!`。 +1. 单击 **OK**,然后单击 **Add** 保存VPN连接信息。 +1. 启用 **VPN** 连接。 + +VPN 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ### 其它 Linux -首先看这里以确认 `network-manager-l2tp` 软件包是否在你的 Linux 版本上可用。另外,你也可以 [使用命令行配置 Linux VPN 客户端](#使用命令行配置-linux-vpn-客户端)。 +首先看 这里 以确认 `network-manager-l2tp` 软件包是否在你的 Linux 版本上可用。如果可用,安装它(选择使用 strongSwan)并参见上面的说明。另外,你也可以 [使用命令行配置 Linux VPN 客户端](#使用命令行配置-linux-vpn-客户端)。 ## 故障排除 
@@ -383,8 +403,8 @@ conn %default keyingtries=1 keyexchange=ikev1 authby=secret - ike=aes256-sha1-modp2048,aes128-sha1-modp2048! - esp=aes256-sha1-modp2048,aes128-sha1-modp2048! + ike=aes128-sha1-modp2048! + esp=aes128-sha1-modp2048! conn myvpn keyexchange=ikev1 diff --git a/docs/clients.md b/docs/clients.md index ab1d1ca7dc..b29c3321d7 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -187,11 +187,31 @@ Users with Windows Phone 8.1 and above, try network-manager-l2tp-gnome package, then configure the IPsec/L2TP VPN client using the GUI (Settings -> Network -> VPN). Ubuntu 16.04 and 14.04 users may need to add the `nm-l2tp` PPA. Read more here. For other Ubuntu versions, try the command line method below. +Ubuntu 18.04 (and newer) users can install the network-manager-l2tp-gnome package, then configure the IPsec/L2TP VPN client using the GUI. Ubuntu 16.04 and 14.04 users may need to add the `nm-l2tp` PPA, read more here. + +1. Go to Settings -> Network -> VPN. Click the **+** button. +1. Select **Layer 2 Tunneling Protocol (L2TP)**. +1. Enter anything you like in the **Name** field. +1. Enter `Your VPN Server IP` for the **Gateway**. +1. Enter `Your VPN Username` for the **User name**. +1. Right-click the **?** in the **Password** field, select **Store the password only for this user**. +1. Enter `Your VPN Password` for the **Password**. +1. Leave the **NT Domain** field blank. +1. Click the **IPsec Settings...** button. +1. Check the **Enable IPsec tunnel to L2TP host** checkbox. +1. Leave the **Gateway ID** field blank. +1. Enter `Your VPN IPsec PSK` for the **Pre-shared key**. +1. Expand the **Advanced** section. +1. Enter `aes128-sha1-modp2048!` for the **Phase1 Algorithms**. +1. Enter `aes128-sha1-modp2048!` for the **Phase2 Algorithms**. +1. Click **OK**, then click **Add** to save the VPN connection information. +1. Turn the **VPN** switch ON. + +Once connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ### Other Linux -First check here to see if the `network-manager-l2tp` package is available for your Linux distribution. Alternatively, you may [configure Linux VPN clients using the command line](#configure-linux-vpn-clients-using-the-command-line). 
+First check here to see if the `network-manager-l2tp` package is available for your Linux distribution. If yes, install it (select strongSwan) and follow the instructions above. Alternatively, you may [configure Linux VPN clients using the command line](#configure-linux-vpn-clients-using-the-command-line). ## Troubleshooting @@ -383,8 +403,8 @@ conn %default keyingtries=1 keyexchange=ikev1 authby=secret - ike=aes256-sha1-modp2048,aes128-sha1-modp2048! - esp=aes256-sha1-modp2048,aes128-sha1-modp2048! + ike=aes128-sha1-modp2048! + esp=aes128-sha1-modp2048! conn myvpn keyexchange=ikev1 From ddaa0ee99c4c2c6fe4650c4d9394fc7d5186f7d5 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 17 Dec 2018 00:07:04 -0600 Subject: [PATCH 0251/1208] Improve DNS servers - Improve modecfgdns format - Better parsing of DNS servers in upgrade scripts - Add usage of DNS server variables to README and allow users to specify only one or both alternative DNS servers --- README-zh.md | 2 +- README.md | 2 +- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 2 +- extras/vpnupgrade.sh | 19 ++++++++++--------- extras/vpnupgrade_centos.sh | 19 ++++++++++--------- vpnsetup.sh | 13 ++++++++++--- vpnsetup_centos.sh | 13 ++++++++++--- 8 files changed, 44 insertions(+), 28 deletions(-) diff --git a/README-zh.md b/README-zh.md index 1034672f32..18bfe18311 100644 --- a/README-zh.md +++ b/README-zh.md @@ -151,7 +151,7 @@ sh vpnsetup.sh 如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。该文档包含辅助脚本,以方便管理 VPN 用户。 -在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。 +在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`,然后重启服务器。或者,你也可以在运行 VPN 脚本时定义变量 `VPN_DNS_SRV1` 和 `VPN_DNS_SRV2`(可选)。 使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart`。 
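Review bot: The new sentence in the README-zh.md DNS paragraph names `VPN_DNS_SRV1` and `VPN_DNS_SRV2` but does not show how to pass them or what values are accepted. Since these values replace `8.8.8.8` and `8.8.4.4` in `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, suggest stating that each must be a single IPv4 address and adding a one-line example next to the existing environment-variable option for the VPN credentials. It would also help to say what happens when only `VPN_DNS_SRV2` is set, because the commit message promises "only one or both" while the README wording marks just the second variable as optional.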
diff --git a/README.md b/README.md index ef7713a729..b545ab1eb9 100644 --- a/README.md +++ b/README.md @@ -151,7 +151,7 @@ For servers with an external firewall (e.g. Manage VPN Users. Helper scripts are included for convenience. -Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server. +Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. Alternatively, you may define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script. Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 9 and CentOS 7/6. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 4862252241..72d1535e7d 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -74,7 +74,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ```bash cat >> /etc/ipsec.conf < /etc/ppp/options.xl2tpd <> /etc/ppp/options.xl2tpd < /etc/ppp/chap-secrets < /etc/ppp/options.xl2tpd <> /etc/ppp/options.xl2tpd < /etc/ppp/chap-secrets < Date: Wed, 19 Dec 2018 00:14:31 -0600 Subject: [PATCH 0252/1208] Cleanup --- extras/vpnupgrade.sh | 2 +- extras/vpnupgrade_centos.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 560a7312af..45b9504ff4 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -71,8 +71,8 @@ case "$SWAN_VER" in DNS_SRVS=$(printf '%s' "$DNS_SRVS" | cut -d '"' -f 2 | cut -d "'" -f 2 | sed 's/,/ /g' | tr -s ' ') DNS_SRV1=$(printf '%s' "$DNS_SRVS" | cut -d ' ' -f 1) DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -s -d ' ' -f 2) + [ -n "$DNS_SRV1" ] && dns_state=4 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=3 - [ -n "$DNS_SRV1" ] && [ -z "$DNS_SRV2" ] && dns_state=4 [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" -gt "1" ] && dns_state=6 ;; esac diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 64ed4f34ce..a3eb542343 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -62,8 +62,8 @@ case "$SWAN_VER" in DNS_SRVS=$(printf '%s' "$DNS_SRVS" | cut -d '"' -f 2 | cut -d "'" -f 2 | sed 's/,/ /g' | tr -s ' ') DNS_SRV1=$(printf '%s' "$DNS_SRVS" | cut -d ' ' -f 1) DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -s -d ' ' -f 2) + [ -n "$DNS_SRV1" ] && dns_state=4 [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=3 - [ -n "$DNS_SRV1" ] && [ -z "$DNS_SRV2" ] && dns_state=4 [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" -gt "1" ] && dns_state=6 ;; esac From 2e164ad976ce8c502be2c5598f23a9b4180dee27 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 19 Dec 2018 00:14:52 -0600 Subject: [PATCH 0253/1208] Update docs --- README-zh.md | 2 +- README.md | 2 +- docs/clients-xauth-zh.md | 2 +- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 34 ++++++---------------------------- docs/clients.md | 34 ++++++---------------------------- 6 files changed, 16 insertions(+), 60 deletions(-) diff --git a/README-zh.md b/README-zh.md index 18bfe18311..9ecaeb142b 100644 --- a/README-zh.md +++ b/README-zh.md @@ -103,7 +103,7 @@ nano -w vpnsetup.sh sudo sh vpnsetup.sh ``` -**注:** 不要在值中使用这些字符: `\ " '`。一个安全的 IPsec PSK 应该至少包含 20 个随机字符。 +**注:** 一个安全的 IPsec PSK 应该至少包含 20 个随机字符。 **选项 3:** 将你自己的 VPN 登录凭证定义为环境变量: diff --git a/README.md b/README.md index b545ab1eb9..d4452a99c6 100644 --- a/README.md +++ b/README.md 
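Review bot: in the `case "$SWAN_VER"` hunks of vpnupgrade.sh (-71) and vpnupgrade_centos.sh (-62), `dns_state=4` is now set whenever `DNS_SRV1` is non-empty and the next line is relied on to overwrite it with 3 when `DNS_SRV2` is also set. The outcome matches the old explicit `[ -z "$DNS_SRV2" ]` test, but only as long as the two lines stay in this order. A short comment above them, or an if/else on `DNS_SRV2`, would keep a later reorder from silently changing the state.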
@@ -103,7 +103,7 @@ nano -w vpnsetup.sh sudo sh vpnsetup.sh ``` -**Note:** DO NOT use these special characters within values: `\ " '`. A secure IPsec PSK should consist of at least 20 random characters. +**Note:** A secure IPsec PSK should consist of at least 20 random characters. **Option 3:** Define your VPN credentials as environment variables: diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 3a224be2cd..e63d22c2c4 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -2,7 +2,7 @@ *其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* -**注:** 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。 +**注:** 你也可以使用 **[IPsec/L2TP 模式](clients-zh.md)** 连接,或者配置 **[IKEv2](ikev2-howto-zh.md)**。 在成功搭建自己的 VPN 服务器之后,按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index e394046173..72af2739e4 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -2,7 +2,7 @@ *Read this in other languages: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* -**Note:** You may also connect using [IPsec/L2TP mode](clients.md), or set up [IKEv2](ikev2-howto.md). +**Note:** You may also connect using **[IPsec/L2TP mode](clients.md)**, or set up **[IKEv2](ikev2-howto.md)**. After setting up your own VPN server, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free Shrew Soft client. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 33d4dc57c4..85a1bddd89 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -2,7 +2,7 @@ *其他语言版本: [English](clients.md), [简体中文](clients-zh.md).* -**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。 +**注:** 你也可以使用更高效的 **[IPsec/XAuth 模式](clients-xauth-zh.md)** 连接,或者配置 **[IKEv2](ikev2-howto-zh.md)**。 在成功搭建自己的 VPN 服务器之后,按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 @@ -13,24 +13,11 @@ * [Android](#android) * [iOS (iPhone/iPad)](#ios) * [Chromebook](#chromebook) - * [Windows Phone](#windows-phone) * [Linux](#linux) * [故障排除](#故障排除) - * [Windows 错误 809](#windows-错误-809) - * [Windows 错误 628](#windows-错误-628) - * [Windows 10 升级](#windows-10-升级) - * [Windows 8/10 DNS 泄漏](#windows-810-dns-泄漏) - * [macOS VPN 流量](#macos-vpn-流量) - * [iOS/Android 睡眠模式](#iosandroid-睡眠模式) - * [Android 6 及以上版本](#android-6-及以上版本) - * [Chromebook 连接问题](#chromebook-连接问题) - * [其它错误](#其它错误) - * [额外的步骤](#额外的步骤) ## Windows -**注:** 你也可以配置并且使用更新的 [IKEv2 模式](ikev2-howto-zh.md) 连接。 - ### Windows 10 and 8.x 1. 右键单击系统托盘中的无线/网络图标。 @@ -43,7 +30,7 @@ 1. 返回 **网络和共享中心**。单击左侧的 **更改适配器设置**。 1. 右键单击新创建的 VPN 连接,并选择 **属性**。 1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 -1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。 +1. 单击 **允许使用这些协议**。选中 "质询握手身份验证协议 (CHAP)" 和 "Microsoft CHAP 版本 2 (MS-CHAP v2)" 复选框。 1. 单击 **高级设置** 按钮。 1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。 1. 单击 **确定** 关闭 **高级设置**。 
@@ -57,7 +44,8 @@ # 不保存命令行历史记录 Set-PSReadlineOption –HistorySaveStyle SaveNothing # 创建 VPN 连接 -Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP' -TunnelType L2tp -EncryptionLevel Required -AuthenticationMethod Chap,MSChapv2 -L2tpPsk '你的 VPN IPsec PSK' -Force -RememberCredential -PassThru +Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP' -L2tpPsk '你的 VPN IPsec PSK' -TunnelType L2tp -EncryptionLevel Required -AuthenticationMethod Chap,MSChapv2 -Force -RememberCredential -PassThru +# 忽略 data encryption 警告(数据在 IPsec 隧道中已被加密) ``` ### Windows 7, Vista and XP @@ -80,7 +68,7 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP' 1. 右键单击新创建的 VPN 连接,并选择 **属性**。 1. 单击 **选项** 选项卡,取消选中 **包括Windows登录域** 复选框。 1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 -1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。 +1. 单击 **允许使用这些协议**。选中 "质询握手身份验证协议 (CHAP)" 和 "Microsoft CHAP 版本 2 (MS-CHAP v2)" 复选框。 1. 单击 **高级设置** 按钮。 1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。 1. 单击 **确定** 关闭 **高级设置**。 @@ -94,8 +82,6 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP' ## OS X -**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。 - 1. 打开系统偏好设置并转到网络部分。 1. 在窗口左下角单击 **+** 按钮。 1. 从 **接口** 下拉菜单选择 **VPN**。 @@ -119,8 +105,6 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP' ## Android -**注:** 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。 - 1. 启动 **设置** 应用程序。 1. 在 **无线和网络** 部分单击 **更多...**。 1. 单击 **VPN**。 @@ -142,8 +126,6 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 故障排除。 -## Windows Phone - -Windows Phone 8.1 及以上版本用户可以尝试按照 这个教程 的步骤操作。 - ## Linux ### Ubuntu Linux 
@@ -211,7 +189,7 @@ VPN 连接成功后,你可以到 这里 以确认 `network-manager-l2tp` 软件包是否在你的 Linux 版本上可用。如果可用,安装它(选择使用 strongSwan)并参见上面的说明。另外,你也可以 [使用命令行配置 Linux VPN 客户端](#使用命令行配置-linux-vpn-客户端)。 +首先看 这里 以确认 `network-manager-l2tp` 和 `network-manager-l2tp-gnome` 软件包是否在你的 Linux 版本上可用。如果可用,安装它们(选择使用 strongSwan)并参见上面的说明。另外,你也可以 [使用命令行配置 Linux VPN 客户端](#使用命令行配置-linux-vpn-客户端)。 ## 故障排除 diff --git a/docs/clients.md b/docs/clients.md index b29c3321d7..7bc656027b 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -2,7 +2,7 @@ *Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).* -**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md). +**Note:** You may also connect using the faster **[IPsec/XAuth mode](clients-xauth.md)**, or set up **[IKEv2](ikev2-howto.md)**. After setting up your own VPN server, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. 
@@ -13,24 +13,11 @@ After settin * [Android](#android) * [iOS (iPhone/iPad)](#ios) * [Chromebook](#chromebook) - * [Windows Phone](#windows-phone) * [Linux](#linux) * [Troubleshooting](#troubleshooting) - * [Windows Error 809](#windows-error-809) - * [Windows Error 628](#windows-error-628) - * [Windows 10 upgrades](#windows-10-upgrades) - * [Windows 8/10 DNS leaks](#windows-810-dns-leaks) - * [macOS VPN traffic](#macos-vpn-traffic) - * [iOS/Android sleep mode](#iosandroid-sleep-mode) - * [Android 6 and above](#android-6-and-above) - * [Chromebook issues](#chromebook-issues) - * [Other errors](#other-errors) - * [Additional steps](#additional-steps) ## Windows -**Note:** You may also set up and connect using the newer [IKEv2 mode](ikev2-howto.md). - ### Windows 10 and 8.x 1. Right-click on the wireless/network icon in your system tray. @@ -43,7 +30,7 @@ After settin 1. Return to **Network and Sharing Center**. On the left, click **Change adapter settings**. 1. Right-click on the new VPN entry and choose **Properties**. 1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for the **Type of VPN**. -1. Click **Allow these protocols**. Make sure the "Challenge Handshake Authentication Protocol (CHAP)" checkbox is checked. +1. Click **Allow these protocols**. Check the "Challenge Handshake Authentication Protocol (CHAP)" and "Microsoft CHAP Version 2 (MS-CHAP v2)" checkboxes. 1. Click the **Advanced settings** button. 1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. 1. Click **OK** to close the **Advanced settings**. 
@@ -57,7 +44,8 @@ Alternatively, instead of following the steps above, you may create the VPN conn # Disable persistent command history Set-PSReadlineOption –HistorySaveStyle SaveNothing # Create VPN connection -Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress 'Your VPN Server IP' -TunnelType L2tp -EncryptionLevel Required -AuthenticationMethod Chap,MSChapv2 -L2tpPsk 'Your VPN IPsec PSK' -Force -RememberCredential -PassThru +Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress 'Your VPN Server IP' -L2tpPsk 'Your VPN IPsec PSK' -TunnelType L2tp -EncryptionLevel Required -AuthenticationMethod Chap,MSChapv2 -Force -RememberCredential -PassThru +# Ignore the data encryption warning (data is encrypted in the IPsec tunnel) ``` ### Windows 7, Vista and XP @@ -80,7 +68,7 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress 'Your VPN Server IP' -Tunn 1. Right-click on the new VPN entry and choose **Properties**. 1. Click the **Options** tab and uncheck **Include Windows logon domain**. 1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for the **Type of VPN**. -1. Click **Allow these protocols**. Make sure the "Challenge Handshake Authentication Protocol (CHAP)" checkbox is checked. +1. Click **Allow these protocols**. Check the "Challenge Handshake Authentication Protocol (CHAP)" and "Microsoft CHAP Version 2 (MS-CHAP v2)" checkboxes. 1. Click the **Advanced settings** button. 1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. 1. Click **OK** to close the **Advanced settings**. @@ -94,8 +82,6 @@ If you get an error when trying to connect, see Troub ## OS X -**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md). - 1. Open System Preferences and go to the Network section. 1. Click the **+** button in the lower-left corner of the window. 1. Select **VPN** from the **Interface** drop-down menu. 
@@ -119,8 +105,6 @@ If you get an error when trying to connect, see Troub ## Android -**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md). - 1. Launch the **Settings** application. 1. Tap **More...** in the **Wireless & Networks** section. 1. Tap **VPN**. @@ -142,8 +126,6 @@ If you get an error when trying to connect, see Troub ## iOS -**Note:** You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md). - 1. Go to Settings -> General -> VPN. 1. Tap **Add VPN Configuration...**. 1. Tap **Type**. Select **L2TP** and go back. @@ -179,10 +161,6 @@ Once connected, you will see a VPN icon overlay on the network status icon. You If you get an error when trying to connect, see Troubleshooting. -## Windows Phone - -Users with Windows Phone 8.1 and above, try this tutorial. - ## Linux ### Ubuntu Linux @@ -211,7 +189,7 @@ Once connected, you can verify that your traffic is being routed properly by here to see if the `network-manager-l2tp` package is available for your Linux distribution. If yes, install it (select strongSwan) and follow the instructions above. Alternatively, you may [configure Linux VPN clients using the command line](#configure-linux-vpn-clients-using-the-command-line). +First check here to see if the `network-manager-l2tp` and `network-manager-l2tp-gnome` packages are available for your Linux distribution. If yes, install them (select strongSwan) and follow the instructions above. Alternatively, you may [configure Linux VPN clients using the command line](#configure-linux-vpn-clients-using-the-command-line). ## Troubleshooting From ed5cbb865f193ee740659bcc76aa1d7ff49ce942 Mon Sep 17 00:00:00 2001 
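Review bot: the README.md and README-zh.md hunks at -103 delete the warning against using `\ " '` in credential values, but nothing in this patch shows the setup scripts escaping or rejecting those characters before the values are written into config files. If an earlier script change made the warning obsolete, reference it in the commit message; otherwise keep the sentence, since a PSK or password containing a quote would otherwise end up in the generated files unchecked.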
From: hwdsl2 Date: Sat, 12 Jan 2019 00:44:23 -0600 Subject: [PATCH 0254/1208] Clean up network detection - Clean up default network interface detection and remove VPN_NET_IFACE --- vpnsetup.sh | 22 +++++++--------------- vpnsetup_centos.sh | 22 +++++++--------------- 2 files changed, 14 insertions(+), 30 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 0892ac1697..3d3db0ea98 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -69,10 +69,8 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -NET_IFACE=${VPN_NET_IFACE:-'eth0'} -def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" -[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" - +def_iface=$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$') +[ -z "$def_iface" ] && def_iface=$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)') def_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then if ! uname -m | grep -qi '^arm'; then @@ -83,18 +81,12 @@ if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then esac fi NET_IFACE="$def_iface" -fi - -net_state=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null) -if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$NET_IFACE" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2 - if [ -z "$VPN_NET_IFACE" ]; then -cat 1>&2 </dev/null) + if [ -z "$eth0_state" ] || [ "$eth0_state" = "down" ]; then + exiterr "Could not detect the default network interface." fi - exit 1 + NET_IFACE=eth0 fi [ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK" diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 93967c9e97..c133bc4a7a 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -60,10 +60,8 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -NET_IFACE=${VPN_NET_IFACE:-'eth0'} -def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')" -[ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')" - +def_iface=$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$') +[ -z "$def_iface" ] && def_iface=$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)') def_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then case "$def_iface" in @@ -72,18 +70,12 @@ if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then ;; esac NET_IFACE="$def_iface" -fi - -net_state=$(cat "/sys/class/net/$NET_IFACE/operstate" 2>/dev/null) -if [ -z "$net_state" ] || [ "$net_state" = "down" ] || [ "$NET_IFACE" = "lo" ]; then - printf "Error: Network interface '%s' is not available.\n" "$NET_IFACE" >&2 - if [ -z "$VPN_NET_IFACE" ]; then -cat 1>&2 </dev/null) + if [ -z "$eth0_state" ] || [ "$eth0_state" = "down" ]; then + exiterr "Could not detect the default network interface." fi - exit 1 + NET_IFACE=eth0 fi [ -n "$YOUR_IPSEC_PSK" ] && VPN_IPSEC_PSK="$YOUR_IPSEC_PSK" From 997cacdaeb3f772e7827c7d13a54ed746f98261d Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 12 Jan 2019 01:08:04 -0600 Subject: [PATCH 0255/1208] Cleanup --- extras/add_vpn_user.sh | 2 +- extras/del_vpn_user.sh | 2 +- extras/update_vpn_users.sh | 14 +++++++------- extras/vpnupgrade.sh | 12 ++++++------ extras/vpnupgrade_centos.sh | 6 +++--- vpnsetup.sh | 14 +++++++------- vpnsetup_centos.sh | 8 ++++---- 7 files changed, 29 insertions(+), 29 deletions(-) diff --git a/extras/add_vpn_user.sh b/extras/add_vpn_user.sh index ca40a5d33f..12a1f0912b 100644 --- a/extras/add_vpn_user.sh +++ b/extras/add_vpn_user.sh 
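Review bot: in the detection hunks at -69 (vpnsetup.sh) and -60 (vpnsetup_centos.sh), `route 2>/dev/null | grep '^default' | grep -o '[^ ]*$'` returns one line per default route, so a host with two default routes produces a multi-line `def_iface`, the `operstate` read fails, and the script drops to the eth0 fallback even though a usable interface was found. Taking only the first match (for example `| head -n 1`) avoids that. Removing `VPN_NET_IFACE` also leaves no manual override when detection fails on a host without eth0, and the new message "Could not detect the default network interface." gives the user no next step.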
@@ -11,7 +11,7 @@ # know how you have improved it! export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -SYS_DT="$(date +%F-%T)" +SYS_DT=$(date +%F-%T) exiterr() { echo "Error: $1" >&2; exit 1; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } diff --git a/extras/del_vpn_user.sh b/extras/del_vpn_user.sh index 02e20cfc0a..e176dd50fa 100644 --- a/extras/del_vpn_user.sh +++ b/extras/del_vpn_user.sh @@ -11,7 +11,7 @@ # know how you have improved it! export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -SYS_DT="$(date +%F-%T)" +SYS_DT=$(date +%F-%T) exiterr() { echo "Error: $1" >&2; exit 1; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } diff --git a/extras/update_vpn_users.sh b/extras/update_vpn_users.sh index fd1774dcd7..4db422356d 100644 --- a/extras/update_vpn_users.sh +++ b/extras/update_vpn_users.sh @@ -27,7 +27,7 @@ YOUR_PASSWORDS='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -SYS_DT="$(date +%F-%T)" +SYS_DT=$(date +%F-%T) exiterr() { echo "Error: $1" >&2; exit 1; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } 
@@ -65,12 +65,12 @@ if [ -z "$VPN_USERS" ] || [ -z "$VPN_PASSWORDS" ]; then exiterr "All VPN credentials must be specified. Edit the script and re-enter them." fi -VPN_USERS="$(noquotes "$VPN_USERS")" -VPN_USERS="$(onespace "$VPN_USERS")" -VPN_USERS="$(noquotes2 "$VPN_USERS")" -VPN_PASSWORDS="$(noquotes "$VPN_PASSWORDS")" -VPN_PASSWORDS="$(onespace "$VPN_PASSWORDS")" -VPN_PASSWORDS="$(noquotes2 "$VPN_PASSWORDS")" +VPN_USERS=$(noquotes "$VPN_USERS") +VPN_USERS=$(onespace "$VPN_USERS") +VPN_USERS=$(noquotes2 "$VPN_USERS") +VPN_PASSWORDS=$(noquotes "$VPN_PASSWORDS") +VPN_PASSWORDS=$(onespace "$VPN_PASSWORDS") +VPN_PASSWORDS=$(noquotes2 "$VPN_PASSWORDS") if printf '%s' "$VPN_USERS $VPN_PASSWORDS" | LC_ALL=C grep -q '[^ -~]\+'; then exiterr "VPN credentials must not contain non-ASCII characters." diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 45b9504ff4..a91fab2eeb 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -22,10 +22,10 @@ exiterr2() { exiterr "'apt-get install' failed."; } vpnupgrade() { -os_type="$(lsb_release -si 2>/dev/null)" +os_type=$(lsb_release -si 2>/dev/null) if [ -z "$os_type" ]; then - [ -f /etc/os-release ] && os_type="$(. /etc/os-release && printf '%s' "$ID")" - [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID")" + [ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID") + [ -f /etc/lsb-release ] && os_type=$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID") fi if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then exiterr "This script only supports Ubuntu and Debian." 
@@ -77,8 +77,8 @@ case "$SWAN_VER" in ;; esac -ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" -ipsec_ver_short="$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')" +ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) +ipsec_ver_short=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//') if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi @@ -202,7 +202,7 @@ EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 fi -NPROCS="$(grep -c ^processor /proc/cpuinfo)" +NPROCS=$(grep -c ^processor /proc/cpuinfo) [ -z "$NPROCS" ] && NPROCS=1 make "-j$((NPROCS+1))" -s base && make -s install-base diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index a3eb542343..fb33eb92ae 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -68,8 +68,8 @@ case "$SWAN_VER" in ;; esac -ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)" -ipsec_ver_short="$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')" +ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) +ipsec_ver_short=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//') if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then exiterr "This script requires Libreswan already installed." fi @@ -199,7 +199,7 @@ USE_DNSSEC = false USE_DH31 = false USE_GLIBC_KERN_FLIP_HEADERS = true EOF -NPROCS="$(grep -c ^processor /proc/cpuinfo)" +NPROCS=$(grep -c ^processor /proc/cpuinfo) [ -z "$NPROCS" ] && NPROCS=1 make "-j$((NPROCS+1))" -s base && make -s install-base diff --git a/vpnsetup.sh b/vpnsetup.sh index 3d3db0ea98..8bb8bcae77 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -34,7 +34,7 @@ YOUR_PASSWORD='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -SYS_DT="$(date +%F-%T)" +SYS_DT=$(date +%F-%T) exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { exiterr "'apt-get install' failed."; } @@ -48,10 +48,10 @@ check_ip() { vpnsetup() { -os_type="$(lsb_release -si 2>/dev/null)" +os_type=$(lsb_release -si 2>/dev/null) if [ -z "$os_type" ]; then - [ -f /etc/os-release ] && os_type="$(. /etc/os-release && printf '%s' "$ID")" - [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID")" + [ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID") + [ -f /etc/lsb-release ] && os_type=$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID") fi if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then exiterr "This script only supports Ubuntu and Debian." @@ -95,9 +95,9 @@ fi if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then bigecho "VPN credentials not set by user. Generating random PSK and password..." - VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 20)" + VPN_IPSEC_PSK=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 20) VPN_USER=vpnuser - VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" + VPN_PASSWORD=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16) fi if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then @@ -207,7 +207,7 @@ EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 fi -NPROCS="$(grep -c ^processor /proc/cpuinfo)" +NPROCS=$(grep -c ^processor /proc/cpuinfo) [ -z "$NPROCS" ] && NPROCS=1 make "-j$((NPROCS+1))" -s base && make -s install-base diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index c133bc4a7a..8be592e0e3 100755 
--- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -34,7 +34,7 @@ YOUR_PASSWORD='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -SYS_DT="$(date +%F-%T)" +SYS_DT=$(date +%F-%T) exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { exiterr "'yum install' failed."; } @@ -84,9 +84,9 @@ fi if [ -z "$VPN_IPSEC_PSK" ] && [ -z "$VPN_USER" ] && [ -z "$VPN_PASSWORD" ]; then bigecho "VPN credentials not set by user. Generating random PSK and password..." - VPN_IPSEC_PSK="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 20)" + VPN_IPSEC_PSK=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 20) VPN_USER=vpnuser - VPN_PASSWORD="$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16)" + VPN_PASSWORD=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' < /dev/urandom | head -c 16) fi if [ -z "$VPN_IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then @@ -194,7 +194,7 @@ USE_DNSSEC = false USE_DH31 = false USE_GLIBC_KERN_FLIP_HEADERS = true EOF -NPROCS="$(grep -c ^processor /proc/cpuinfo)" +NPROCS=$(grep -c ^processor /proc/cpuinfo) [ -z "$NPROCS" ] && NPROCS=1 make "-j$((NPROCS+1))" -s base && make -s install-base From 6fb35e25cb3aaa3e462234ae2860b6af9cf5a6b5 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 12 Jan 2019 11:34:10 -0600 Subject: [PATCH 0256/1208] Update year --- LICENSE.md | 2 +- README-zh.md | 2 +- README.md | 2 +- azure/README-zh.md | 2 +- azure/README.md | 2 +- docs/clients-xauth-zh.md | 2 +- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 2 +- docs/clients.md | 2 +- extras/add_vpn_user.sh | 2 +- extras/del_vpn_user.sh | 2 +- extras/update_vpn_users.sh | 2 +- extras/vpnupgrade.sh | 2 +- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 16 files changed, 16 insertions(+), 16 deletions(-) diff --git a/LICENSE.md b/LICENSE.md index 548ebde539..045f89a595 100644 --- a/LICENSE.md +++ b/LICENSE.md 
@@ -1,7 +1,7 @@ ### Creative Commons Attribution-ShareAlike 3.0 Unported License Link to license summary: https://creativecommons.org/licenses/by-sa/3.0/ -Copyright (C) 2014-2018 Lin Song +Copyright (C) 2014-2019 Lin Song Based on the work of Thomas Sarlandie (Copyright 2012)

THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS diff --git a/README-zh.md b/README-zh.md index 9ecaeb142b..d087bcbcc5 100644 --- a/README-zh.md +++ b/README-zh.md @@ -192,7 +192,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## 授权协议 -版权所有 (C) 2014-2018 Lin Song View my profile on LinkedIn +版权所有 (C) 2014-2019 Lin Song View my profile on LinkedIn 基于 Thomas Sarlandie 的工作 (版权所有 2012) 这个项目是以 知识共享署名-相同方式共享3.0 许可协议授权。 diff --git a/README.md b/README.md index d4452a99c6..5deaa2d2c6 100644 --- a/README.md +++ b/README.md @@ -192,7 +192,7 @@ Please refer to Uninstall the VPNLin Song View my profile on LinkedIn +Copyright (C) 2014-2019 Lin Song View my profile on LinkedIn Based on the work of Thomas Sarlandie (Copyright 2012) This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License diff --git a/azure/README-zh.md b/azure/README-zh.md index 8cc7d0e528..19b8e4170d 100644 --- a/azure/README-zh.md +++ b/azure/README-zh.md @@ -23,7 +23,7 @@ ## 作者 版权所有 (C) 2016 [Daniel Falkner](https://github.com/derdanu) -版权所有 (C) 2017-2018 Lin Song +版权所有 (C) 2017-2019 Lin Song ## 屏幕截图 diff --git a/azure/README.md b/azure/README.md index 220589afa9..2ad6bb7346 100644 --- a/azure/README.md +++ b/azure/README.md @@ -23,7 +23,7 @@ When the deployment finishes, Azure displays a notification. Next steps: [Config ## Authors Copyright (C) 2016 [Daniel Falkner](https://github.com/derdanu) -Copyright (C) 2017-2018 Lin Song +Copyright (C) 2017-2019 Lin Song ## Screenshot diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index e63d22c2c4..10a1573ffc 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -109,7 +109,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 Joshua Lund 的工作 (版权所有 2014-2016) 本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 72af2739e4..45a26d07cf 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md 
@@ -109,7 +109,7 @@ This document was adapted from the the work of Joshua Lund (Copyright 2014-2016) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 85a1bddd89..055e4c1765 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -536,7 +536,7 @@ strongswan down myvpn 注: 这个协议仅适用于本文档。 -版权所有 (C) 2016-2018 Lin Song +版权所有 (C) 2016-2019 Lin Song 基于 Joshua Lund 的工作 (版权所有 2014-2016) 本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。 diff --git a/docs/clients.md b/docs/clients.md index 7bc656027b..1c928d5dd7 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -535,7 +535,7 @@ This document was adapted from the the work of Joshua Lund (Copyright 2014-2016) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. diff --git a/extras/add_vpn_user.sh b/extras/add_vpn_user.sh index 12a1f0912b..a142b6177c 100644 --- a/extras/add_vpn_user.sh +++ b/extras/add_vpn_user.sh @@ -2,7 +2,7 @@ # # Script to add/update an VPN user for both IPsec/L2TP and Cisco IPsec # -# Copyright (C) 2018 Lin Song +# Copyright (C) 2018-2019 Lin Song # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ diff --git a/extras/del_vpn_user.sh b/extras/del_vpn_user.sh index e176dd50fa..514b2d6166 100644 --- a/extras/del_vpn_user.sh +++ b/extras/del_vpn_user.sh 
@@ -2,7 +2,7 @@ # # Script to delete an VPN user for both IPsec/L2TP and Cisco IPsec # -# Copyright (C) 2018 Lin Song +# Copyright (C) 2018-2019 Lin Song # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ diff --git a/extras/update_vpn_users.sh b/extras/update_vpn_users.sh index 4db422356d..49624eb97e 100644 --- a/extras/update_vpn_users.sh +++ b/extras/update_vpn_users.sh @@ -2,7 +2,7 @@ # # Script to update VPN users for both IPsec/L2TP and Cisco IPsec # -# Copyright (C) 2018 Lin Song +# Copyright (C) 2018-2019 Lin Song # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index a91fab2eeb..6aa162d857 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -2,7 +2,7 @@ # # Script to upgrade Libreswan on Ubuntu and Debian # -# Copyright (C) 2016-2018 Lin Song +# Copyright (C) 2016-2019 Lin Song # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index fb33eb92ae..f267056a94 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -2,7 +2,7 @@ # # Script to upgrade Libreswan on CentOS and RHEL # -# Copyright (C) 2016-2018 Lin Song +# Copyright (C) 2016-2019 Lin Song # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ diff --git a/vpnsetup.sh b/vpnsetup.sh index 8bb8bcae77..fcd3290ec9 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -8,7 +8,7 @@ # The latest version of this script is available at: # https://github.com/hwdsl2/setup-ipsec-vpn # -# Copyright (C) 2014-2018 Lin Song +# Copyright (C) 2014-2019 Lin Song # Based on the work of Thomas Sarlandie (Copyright 2012) # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 8be592e0e3..9508325e50 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -8,7 +8,7 @@ # The latest version of this script is available at: # https://github.com/hwdsl2/setup-ipsec-vpn # -# Copyright (C) 2015-2018 Lin Song +# Copyright (C) 2015-2019 Lin Song # Based on the work of Thomas Sarlandie (Copyright 2012) # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 From 39e9223d91d5814f7013a82e8d9a1bcc4e9a721a Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 13 Jan 2019 11:51:15 -0600 Subject: [PATCH 0257/1208] Update docs --- README-zh.md | 7 +++---- README.md | 7 +++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/README-zh.md b/README-zh.md index d087bcbcc5..835ddb5b14 100644 --- a/README-zh.md +++ b/README-zh.md @@ -68,7 +68,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh **-或者-** -一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以另外尝试比如 Shadowsocks 或者 OpenVPN。 +一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以另外尝试 OpenVPN。 这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Cloud, OVHRackspace。 
@@ -151,7 +151,7 @@ sh vpnsetup.sh 如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。该文档包含辅助脚本,以方便管理 VPN 用户。 -在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`,然后重启服务器。或者,你也可以在运行 VPN 脚本时定义变量 `VPN_DNS_SRV1` 和 `VPN_DNS_SRV2`(可选)。 +在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`,然后重启服务器。高级用户可以在运行 VPN 脚本时定义 `VPN_DNS_SRV1` 和 `VPN_DNS_SRV2`(可选)。 使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart`。 @@ -185,9 +185,8 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## 另见 - IPsec VPN Server on Docker -- IKEv2 VPN Server on Docker -- Streisand - Algo VPN +- Streisand - OpenVPN Install ## 授权协议 diff --git a/README.md b/README.md index 5deaa2d2c6..0befadc597 100644 --- a/README.md +++ b/README.md @@ -68,7 +68,7 @@ Please see OpenVPN or Shadowsocks. +A dedicated server or KVM/Xen-based virtual private server (VPS), freshly installed with one of the above OS. OpenVZ VPS is not supported, users could instead try OpenVPN. This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Cloud, OVH and Rackspace. 
@@ -151,7 +151,7 @@ For servers with an external firewall (e.g. Manage VPN Users. Helper scripts are included for convenience. -Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. Alternatively, you may define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script. +Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. Advanced users can define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script. Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 9 and CentOS 7/6. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`. @@ -185,9 +185,8 @@ Please refer to Uninstall the VPNIPsec VPN Server on Docker -- IKEv2 VPN Server on Docker -- Streisand - Algo VPN +- Streisand - OpenVPN Install ## License From d382350bde95bd3339c92f815729ce4894b54947 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 13 Jan 2019 11:51:47 -0600 Subject: [PATCH 0258/1208] Improve VPN users - Check VPN users for duplicates in the helper script --- extras/update_vpn_users.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/extras/update_vpn_users.sh b/extras/update_vpn_users.sh index 49624eb97e..0df05da259 100644 --- a/extras/update_vpn_users.sh +++ b/extras/update_vpn_users.sh @@ -82,6 +82,10 @@ case "$VPN_USERS $VPN_PASSWORDS" in ;; esac +if printf '%s' "$VPN_USERS" | tr ' ' '\n' | sort | uniq -c | grep -qv '^ *1 '; then + exiterr "VPN usernames must not contain duplicates." +fi + clear cat <<'EOF' From b36e8cdf33333f06bc118975deb84875c6a52239 Mon Sep 17 00:00:00 2001 
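Review bot: In the extras/update_vpn_users.sh hunk (PATCH 0258, `@@ -82,6 +82,10 @@`), the duplicate test `tr ' ' '\n' | sort | uniq -c | grep -qv '^ *1 '` splits `$VPN_USERS` on every single space, so a list with extra spaces between names (for example a run of three spaces) produces two or more empty lines, and those are reported as a duplicate username. Unless the list is normalised earlier in the script, which this hunk does not show, squeeze the separators with `tr -s ' ' '\n'`. Using `sort | uniq -d` would also remove the dependence on the count-column format of `uniq -c` and let the `exiterr` message name the offending username.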
From: hwdsl2 Date: Wed, 30 Jan 2019 19:43:53 -0600 Subject: [PATCH 0259/1208] Update docs - Add Linux VPN client instructions for Fedora and CentOS 7 --- docs/clients-zh.md | 25 +++++++++++++++++++++++-- docs/clients.md | 21 +++++++++++++++++++++ 2 files changed, 44 insertions(+), 2 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 055e4c1765..d17bcd6bcc 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -167,7 +167,7 @@ VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可 Ubuntu 18.04 (和更新版本)用户可以安装 network-manager-l2tp-gnome 软件包,然后通过 GUI 配置 IPsec/L2TP VPN 客户端。Ubuntu 16.04 和 14.04 用户可能需要添加 `nm-l2tp` PPA,参见 这里。 -1. 进入设置 -> 网络 -> VPN。单击 **+** 按钮。 +1. 进入 Settings -> Network -> VPN。单击 **+** 按钮。 1. 选择 **Layer 2 Tunneling Protocol (L2TP)**。 1. 在 **Name** 字段中输入任意内容。 1. 在 **Gateway** 字段中输入`你的 VPN 服务器 IP`。 @@ -182,7 +182,28 @@ Ubuntu 18.04 (和更新版本)用户可以安装 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 + +### Fedora 和 CentOS + +Fedora 28 (和更新版本)和 CentOS 7 用户可以安装 NetworkManager-libreswan-gnome 软件包,然后通过 GUI 配置 IPsec/L2TP VPN 客户端。 + +1. 进入 Settings -> Network -> VPN。单击 **+** 按钮。 +1. 选择 **IPsec based VPN**。 +1. 在 **Name** 字段中输入任意内容。 +1. 在 **Gateway** 字段中输入`你的 VPN 服务器 IP`。 +1. 在 **Type** 下拉菜单选择 **IKEv1 (XAUTH)**。 +1. 在 **User name** 字段中输入`你的 VPN 用户名`。 +1. 右键单击 **User password** 字段中的 **?**,选择 **Store the password only for this user**。 +1. 在 **User password** 字段中输入`你的 VPN 密码`。 +1. 保持 **Group name** 字段空白。 +1. 右键单击 **Secret** 字段中的 **?**,选择 **Store the password only for this user**。 +1. 在 **Secret** 字段中输入`你的 VPN IPsec PSK`。 +1. 保持 **Remote ID** 字段空白。 +1. 单击 **Add** 保存 VPN 连接信息。 1. 启用 **VPN** 连接。 VPN 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 diff --git a/docs/clients.md b/docs/clients.md index 1c928d5dd7..b1765ba1bb 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -187,6 +187,27 @@ Ubuntu 18.04 (and newer) users can install the looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +### Fedora and CentOS + +Fedora 28 (and newer) and CentOS 7 users can install the NetworkManager-libreswan-gnome package, then configure the IPsec/L2TP VPN client using the GUI. + +1. Go to Settings -> Network -> VPN. Click the **+** button. +1. Select **IPsec based VPN**. +1. Enter anything you like in the **Name** field. +1. Enter `Your VPN Server IP` for the **Gateway**. +1. Select **IKEv1 (XAUTH)** in the **Type** drop-down menu. +1. Enter `Your VPN Username` for the **User name**. +1. Right-click the **?** in the **User password** field, select **Store the password only for this user**. +1. Enter `Your VPN Password` for the **User password**. +1. Leave the **Group name** field blank. +1. Right-click the **?** in the **Secret** field, select **Store the password only for this user**. +1. Enter `Your VPN IPsec PSK` for the **Secret**. +1. Leave the **Remote ID** field blank. +1. Click **Add** to save the VPN connection information. +1. Turn the **VPN** switch ON. + +Once connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". + ### Other Linux First check here to see if the `network-manager-l2tp` and `network-manager-l2tp-gnome` packages are available for your Linux distribution. If yes, install them (select strongSwan) and follow the instructions above. Alternatively, you may [configure Linux VPN clients using the command line](#configure-linux-vpn-clients-using-the-command-line). From 894e6ccf414f010068d44cb2bf63fce69d54b366 Mon Sep 17 00:00:00 2001 
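Review bot: In the docs/clients.md hunk of PATCH 0259 (`@@ -187,6 +187,27 @@`), the new "Fedora and CentOS" section says the package is used to "configure the IPsec/L2TP VPN client", but the steps select **IPsec based VPN** with type **IKEv1 (XAUTH)**, which is the IPsec/XAuth mode and not L2TP. Either change the intro sentence to say IPsec/XAuth or move the section to docs/clients-xauth.md. The matching section added to docs/clients-zh.md has the same mismatch.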
From: hwdsl2 Date: Thu, 31 Jan 2019 13:54:08 -0600 Subject: [PATCH 0260/1208] Update docs --- docs/clients-xauth-zh.md | 28 ++++++++++++++++++++++++++++ docs/clients-xauth.md | 28 ++++++++++++++++++++++++++++ docs/clients-zh.md | 19 +------------------ docs/clients.md | 19 +------------------ docs/manage-users-zh.md | 2 +- docs/manage-users.md | 2 +- 6 files changed, 60 insertions(+), 38 deletions(-) diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 10a1573ffc..29e03d0cab 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -14,6 +14,7 @@ IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP * [OS X (macOS)](#os-x) * [Android](#android) * [iOS (iPhone/iPad)](#ios) + * [Linux](#linux) ## Windows @@ -101,6 +102,33 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 故障排除。 +## Linux + +### Fedora 和 CentOS + +Fedora 28 (和更新版本)和 CentOS 7 用户可以安装 NetworkManager-libreswan-gnome 软件包,然后通过 GUI 配置 IPsec/XAuth VPN 客户端。 + +1. 进入 Settings -> Network -> VPN。单击 **+** 按钮。 +1. 选择 **IPsec based VPN**。 +1. 在 **Name** 字段中输入任意内容。 +1. 在 **Gateway** 字段中输入`你的 VPN 服务器 IP`。 +1. 在 **Type** 下拉菜单选择 **IKEv1 (XAUTH)**。 +1. 在 **User name** 字段中输入`你的 VPN 用户名`。 +1. 右键单击 **User password** 字段中的 **?**,选择 **Store the password only for this user**。 +1. 在 **User password** 字段中输入`你的 VPN 密码`。 +1. 保持 **Group name** 字段空白。 +1. 右键单击 **Secret** 字段中的 **?**,选择 **Store the password only for this user**。 +1. 在 **Secret** 字段中输入`你的 VPN IPsec PSK`。 +1. 保持 **Remote ID** 字段空白。 +1. 单击 **Add** 保存 VPN 连接信息。 +1. 启用 **VPN** 连接。 + +VPN 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 + +### 其它 Linux + +其它 Linux 版本用户可以使用 [IPsec/L2TP 模式](clients-zh.md#linux) 连接。 + ## 致谢 本文档是在 Streisand 项目文档基础上翻译和修改。该项目由 Joshua Lund 和其他开发者维护。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 45a26d07cf..92d8ca763a 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md 
@@ -14,6 +14,7 @@ IPsec/XAuth mode is also called "Cisco IPsec". This mode is generally **faster t * [OS X (macOS)](#os-x) * [Android](#android) * [iOS (iPhone/iPad)](#ios) + * [Linux](#linux) ## Windows @@ -101,6 +102,33 @@ Once connected, you will see a VPN icon in the status bar. You can verify that y If you get an error when trying to connect, see Troubleshooting. +## Linux + +### Fedora and CentOS + +Fedora 28 (and newer) and CentOS 7 users can install the NetworkManager-libreswan-gnome package, then configure the IPsec/XAuth VPN client using the GUI. + +1. Go to Settings -> Network -> VPN. Click the **+** button. +1. Select **IPsec based VPN**. +1. Enter anything you like in the **Name** field. +1. Enter `Your VPN Server IP` for the **Gateway**. +1. Select **IKEv1 (XAUTH)** in the **Type** drop-down menu. +1. Enter `Your VPN Username` for the **User name**. +1. Right-click the **?** in the **User password** field, select **Store the password only for this user**. +1. Enter `Your VPN Password` for the **User password**. +1. Leave the **Group name** field blank. +1. Right-click the **?** in the **Secret** field, select **Store the password only for this user**. +1. Enter `Your VPN IPsec PSK` for the **Secret**. +1. Leave the **Remote ID** field blank. +1. Click **Add** to save the VPN connection information. +1. Turn the **VPN** switch ON. + +Once connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". + +### Other Linux + +Other Linux users can connect using [IPsec/L2TP mode](clients.md#linux). + ## Credits This document was adapted from the Streisand project, maintained by Joshua Lund and contributors. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index d17bcd6bcc..e211461407 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -189,24 +189,7 @@ VPN 连接成功后,你可以到 NetworkManager-libreswan-gnome 软件包,然后通过 GUI 配置 IPsec/L2TP VPN 客户端。 - -1. 进入 Settings -> Network -> VPN。单击 **+** 按钮。 -1. 选择 **IPsec based VPN**。 -1. 在 **Name** 字段中输入任意内容。 -1. 在 **Gateway** 字段中输入`你的 VPN 服务器 IP`。 -1. 在 **Type** 下拉菜单选择 **IKEv1 (XAUTH)**。 -1. 在 **User name** 字段中输入`你的 VPN 用户名`。 -1. 右键单击 **User password** 字段中的 **?**,选择 **Store the password only for this user**。 -1. 在 **User password** 字段中输入`你的 VPN 密码`。 -1. 保持 **Group name** 字段空白。 -1. 右键单击 **Secret** 字段中的 **?**,选择 **Store the password only for this user**。 -1. 在 **Secret** 字段中输入`你的 VPN IPsec PSK`。 -1. 保持 **Remote ID** 字段空白。 -1. 单击 **Add** 保存 VPN 连接信息。 -1. 启用 **VPN** 连接。 - -VPN 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +Fedora 28 (和更新版本)和 CentOS 7 用户可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md#fedora-和-centos) 连接。 ### 其它 Linux diff --git a/docs/clients.md b/docs/clients.md index b1765ba1bb..c9ad15df7b 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -189,24 +189,7 @@ Once connected, you can verify that your traffic is being routed properly by NetworkManager-libreswan-gnome package, then configure the IPsec/L2TP VPN client using the GUI. - -1. Go to Settings -> Network -> VPN. Click the **+** button. -1. Select **IPsec based VPN**. -1. Enter anything you like in the **Name** field. -1. Enter `Your VPN Server IP` for the **Gateway**. -1. Select **IKEv1 (XAUTH)** in the **Type** drop-down menu. -1. Enter `Your VPN Username` for the **User name**. -1. Right-click the **?** in the **User password** field, select **Store the password only for this user**. -1. Enter `Your VPN Password` for the **User password**. -1. Leave the **Group name** field blank. -1. Right-click the **?** in the **Secret** field, select **Store the password only for this user**. -1. Enter `Your VPN IPsec PSK` for the **Secret**. -1. Leave the **Remote ID** field blank. -1. Click **Add** to save the VPN connection information. -1. Turn the **VPN** switch ON. - -Once connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Fedora 28 (and newer) and CentOS 7 users can connect using the faster [IPsec/XAuth mode](clients-xauth.md#fedora-and-centos). ### Other Linux diff --git a/docs/manage-users-zh.md b/docs/manage-users-zh.md index 3a8c406969..776da0bff9 100644 --- a/docs/manage-users-zh.md +++ b/docs/manage-users-zh.md 
@@ -6,7 +6,7 @@ ## 使用辅助脚本 -你可以使用这些脚本来更方便地管理 VPN 用户:[add_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/add_vpn_user.sh), [del_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/del_vpn_user.sh) 和 [update_vpn_users.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh)。它们将同时更新 IPsec/L2TP 和 IPsec/XAuth (Cisco IPsec) 模式的用户。如果你需要更改 IPsec PSK,请阅读下一节。 +你可以使用这些脚本来更方便地管理 VPN 用户:[add_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/add_vpn_user.sh), [del_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/del_vpn_user.sh) 和 [update_vpn_users.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh)。它们将同时更新 IPsec/L2TP 和 IPsec/XAuth ("Cisco IPsec") 模式的用户。如果你需要更改 IPsec PSK,请阅读下一节。 **注:** VPN 用户信息保存在文件 `/etc/ppp/chap-secrets` 和 `/etc/ipsec.d/passwd`。脚本在修改这些文件之前会先做备份,使用 `.old-日期-时间` 为后缀。 diff --git a/docs/manage-users.md b/docs/manage-users.md index 52f6e0a7ce..091e2d2802 100644 --- a/docs/manage-users.md +++ b/docs/manage-users.md 
@@ -6,7 +6,7 @@ By default, a single user account for VPN login is created. If you wish to add, ## Using helper scripts -You may use these scripts to more easily manage VPN users: [add_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/add_vpn_user.sh), [del_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/del_vpn_user.sh) and [update_vpn_users.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh). They will update users for both IPsec/L2TP and IPsec/XAuth (Cisco IPsec). For changing the IPsec PSK, read the next section. +You may use these scripts to more easily manage VPN users: [add_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/add_vpn_user.sh), [del_vpn_user.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/del_vpn_user.sh) and [update_vpn_users.sh](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/extras/update_vpn_users.sh). They will update users for both IPsec/L2TP and IPsec/XAuth ("Cisco IPsec"). For changing the IPsec PSK, read the next section. **Note:** VPN users are stored in `/etc/ppp/chap-secrets` and `/etc/ipsec.d/passwd`. The scripts will backup these files before making changes, with `.old-date-time` suffix. From d153a90fc3d7094aaf6e6b0b78b174a65194868c Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 5 Feb 2019 00:24:32 -0600 Subject: [PATCH 0261/1208] Update docs - Add a known issue to IKEv2 docs. Ref: #414 - Cleanup --- docs/clients-xauth-zh.md | 4 ++-- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 4 ++-- docs/clients.md | 2 +- docs/ikev2-howto-zh.md | 3 ++- docs/ikev2-howto.md | 3 ++- 6 files changed, 10 insertions(+), 8 deletions(-) diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 29e03d0cab..7a24ed6470 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md 
@@ -2,9 +2,9 @@ *其他语言版本: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* -**注:** 你也可以使用 **[IPsec/L2TP 模式](clients-zh.md)** 连接,或者配置 **[IKEv2](ikev2-howto-zh.md)**。 +**注: 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。** -在成功搭建自己的 VPN 服务器之后,按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 +在成功 搭建自己的 VPN 服务器 之后,按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP **更高效**地传输数据(较低的额外开销)。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index 92d8ca763a..b4ba9d55c2 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -2,7 +2,7 @@ *Read this in other languages: [English](clients-xauth.md), [简体中文](clients-xauth-zh.md).* -**Note:** You may also connect using **[IPsec/L2TP mode](clients.md)**, or set up **[IKEv2](ikev2-howto.md)**. +**Note: You may also connect using [IPsec/L2TP mode](clients.md), or set up [IKEv2](ikev2-howto.md).** After setting up your own VPN server, follow these steps to configure your devices. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free Shrew Soft client. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index e211461407..72b2cf3958 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -2,9 +2,9 @@ *其他语言版本: [English](clients.md), [简体中文](clients-zh.md).* -**注:** 你也可以使用更高效的 **[IPsec/XAuth 模式](clients-xauth-zh.md)** 连接,或者配置 **[IKEv2](ikev2-howto-zh.md)**。 +**注: 你也可以使用更高效的 [IPsec/XAuth 模式](clients-xauth-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。** -在成功搭建自己的 VPN 服务器之后,按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 +在成功 搭建自己的 VPN 服务器 之后,按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 --- * 平台名称 diff --git a/docs/clients.md b/docs/clients.md index c9ad15df7b..1f27b0dfb9 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -2,7 +2,7 @@ *Read this in other languages: [English](clients.md), [简体中文](clients-zh.md).* -**Note:** You may also connect using the faster **[IPsec/XAuth mode](clients-xauth.md)**, or set up **[IKEv2](ikev2-howto.md)**. +**Note: You may also connect using the faster [IPsec/XAuth mode](clients-xauth.md), or set up [IKEv2](ikev2-howto.md).** After setting up your own VPN server, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly. diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 72d1535e7d..8f40b6e098 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -4,7 +4,7 @@ --- -**重要提示:** 本指南仅适用于**高级用户**。其他用户请使用 IPsec/L2TP 或者 IPsec/XAuth。 +**重要提示:** 本指南仅适用于**高级用户**。其他用户请使用 [IPsec/L2TP](clients-zh.md) 或者 [IPsec/XAuth](clients-xauth-zh.md) 模式。 --- 
@@ -274,6 +274,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式连接。 1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级到版本 3.26 或以上。 +1. Ubuntu 18.04 和 CentOS 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。这是由 `NSS` 中的一个问题导致的。更多信息请看 这里。 1. 目前还不支持同时连接在同一个 NAT (比如家用路由器)后面的多个 IKEv2 客户端。对于这个用例,请换用 IPsec/XAuth 模式。 ## 参考链接 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index f977bb8108..641a59d502 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -4,7 +4,7 @@ --- -**Important:** This guide is for **advanced users** only. Other users please use IPsec/L2TP or IPsec/XAuth. +**Important:** This guide is for **advanced users** only. Other users please use [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. --- @@ -274,6 +274,7 @@ Before continuing, make sure you have successfully IPsec/L2TP or IPsec/XAuth mode. 1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above. +1. Ubuntu 18.04 and CentOS users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more here. 1. Connecting multiple IKEv2 clients simultaneously from behind the same NAT (e.g. home router) is not supported at this time. For this use case, please instead use IPsec/XAuth mode. ## References From 0679c66071755d804aea68ea7474550c8942b2e7 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 9 Feb 2019 16:24:19 -0600 Subject: [PATCH 0262/1208] Update docs --- README-zh.md | 2 +- README.md | 2 +- docs/clients-xauth-zh.md | 4 +- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 4 +- docs/clients.md | 2 +- docs/ikev2-howto-zh.md | 131 +++++++++++++++++++++------------------ docs/ikev2-howto.md | 131 +++++++++++++++++++++------------------ 8 files changed, 148 insertions(+), 130 deletions(-) 
diff --git a/README-zh.md b/README-zh.md index 835ddb5b14..cbab6f7786 100644 --- a/README-zh.md +++ b/README-zh.md @@ -133,7 +133,7 @@ sh vpnsetup.sh **配置 IPsec/XAuth ("Cisco IPsec") VPN 客户端** -**如何配置 IKEv2 VPN: Windows, macOS, Android 和 iOS** +**分步指南:如何配置 IKEv2 VPN** 如果在连接过程中遇到错误,请参见 故障排除。 diff --git a/README.md b/README.md index 0befadc597..8cabc7248c 100644 --- a/README.md +++ b/README.md @@ -133,7 +133,7 @@ Get your computer or device to use the VPN. Please refer to: **Configure IPsec/XAuth ("Cisco IPsec") VPN Clients** -**How-To: IKEv2 VPN for Windows, macOS, Android and iOS** +**Step-by-Step Guide: How to Set Up IKEv2 VPN** If you get an error when trying to connect, see Troubleshooting. diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 7a24ed6470..7c22abe663 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -4,7 +4,7 @@ **注: 你也可以使用 [IPsec/L2TP 模式](clients-zh.md) 连接,或者配置 [IKEv2](ikev2-howto-zh.md)。** -在成功 搭建自己的 VPN 服务器 之后,按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 +在成功 搭建自己的 VPN 服务器 之后,按照下面的步骤来配置你的设备。IPsec/XAuth ("Cisco IPsec") 在 Android, iOS 和 OS X 上均受支持,无需安装额外的软件。Windows 用户可以使用免费的 Shrew Soft 客户端。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 IPsec/XAuth 模式也称为 "Cisco IPsec"。该模式通常能够比 IPsec/L2TP **更高效**地传输数据(较低的额外开销)。 @@ -127,7 +127,7 @@ VPN 连接成功后,你可以到 搭建自己的 VPN 服务器 之后,按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 +在成功 搭建自己的 VPN 服务器 之后,按照下面的步骤来配置你的设备。IPsec/L2TP 在 Android, iOS, OS X 和 Windows 上均受支持,无需安装额外的软件。设置过程通常只需要几分钟。如果无法连接,请首先检查是否输入了正确的 VPN 登录凭证。 --- * 平台名称 
@@ -189,7 +189,7 @@ VPN 连接成功后,你可以到 功能改进包括比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。 +## 导言 + +现代操作系统(比如 Windows 7 和更新版本)支持 IKEv2 协议标准。因特网密钥交换 (英语:Internet Key Exchange,简称 IKE 或 IKEv2)是一种网络协议,归属于 IPsec 协议族之下,用以创建安全关联 (Security Association, SA)。与 IKE 版本 1 相比较,IKEv2 的 功能改进 包括比如通过 MOBIKE 实现 Standard Mobility 支持,以及更高的可靠性。 Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来对 IKEv2 客户端进行身份验证。该方法无需 IPsec PSK, 用户名或密码。它可以用于以下系统: @@ -17,9 +22,11 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 - Android 4.x 和更新版本(使用 strongSwan VPN 客户端) - iOS (iPhone/iPad) -下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 +## 在 VPN 服务器上配置 IKEv2 -在继续之前,请确保你已经成功地 搭建自己的 VPN 服务器,并且将 Libreswan 升级到最新版本。 +**重要:** 作为使用本指南的先决条件,在继续之前,你必须确保你已经成功地 搭建自己的 VPN 服务器,并且(可选但推荐)将 Libreswan 升级 到最新版本。 + +下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。 
@@ -200,80 +207,82 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 service ipsec restart ``` -1. 按照下面你的操作系统对应的步骤操作。 +VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你的 VPN 客户端。 + +## 配置 IKEv2 VPN 客户端 - **注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须在 **服务器地址** 和 **远程 ID** 字段中输入该域名。 +**注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须在 **服务器地址** 和 **远程 ID** 字段中输入该域名。 - #### Windows 7, 8.x 和 10 +### Windows 7, 8.x 和 10 - 1. 将文件 `vpnclient.p12` 安全地传送到你的计算机,然后导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 +1. 将文件 `vpnclient.p12` 安全地传送到你的计算机,然后导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 - 详细的操作步骤: - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs + 详细的操作步骤: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs - 1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接: - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config +1. 在 Windows 计算机上添加一个新的 IKEv2 VPN 连接: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config - 1. 启用新的 VPN 连接,并且开始使用 IKEv2 VPN! - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect +1. 启用新的 VPN 连接,并且开始使用 IKEv2 VPN! + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect - 1. (可选步骤) 如需启用更强的加密算法,你可以添加注册表键 `NegotiateDH2048_AES256` 并重启。更多信息请看这里。 +1. (可选步骤) 如需启用更强的加密算法,你可以添加注册表键 `NegotiateDH2048_AES256` 并重启。更多信息请看 这里。 - #### OS X (macOS) +### OS X (macOS) - 首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 安全地传送到你的 Mac,然后双击它们并逐个导入到 **钥匙串访问** 中的 **登录** 钥匙串。下一步,双击刚才导入的 `IKEv2 VPN CA` 证书,展开 **信任** 并从 **IP 安全 (IPsec)** 下拉菜单中选择 **始终信任**。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在 **登录** 钥匙串 的 **证书** 类别中。 +首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 安全地传送到你的 Mac,然后双击它们并逐个导入到 **钥匙串访问** 中的 **登录** 钥匙串。下一步,双击刚才导入的 `IKEv2 VPN CA` 证书,展开 **信任** 并从 **IP 安全 (IPsec)** 下拉菜单中选择 **始终信任**。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在 **登录** 钥匙串 的 **证书** 类别中。 - 1. 打开系统偏好设置并转到网络部分。 - 1. 在窗口左下角单击 **+** 按钮。 - 1. 从 **接口** 下拉菜单选择 **VPN**。 - 1. 从 **VPN 类型** 下拉菜单选择 **IKEv2**。 - 1. 
在 **服务名称** 字段中输入任意内容。 - 1. 单击 **创建**。 - 1. 在 **服务器地址** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 - 1. 在 **远程 ID** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 - 1. 保持 **本地 ID** 字段空白。 - 1. 单击 **鉴定设置...** 按钮。 - 1. 从 **鉴定设置** 下拉菜单中选择 **无**。 - 1. 选择 **证书** 单选按钮,然后选择 **vpnclient** 证书。 - 1. 单击 **好**。 - 1. 选中 **在菜单栏中显示 VPN 状态** 复选框。 - 1. 单击 **应用** 保存VPN连接信息。 - 1. 单击 **连接**。 +1. 打开系统偏好设置并转到网络部分。 +1. 在窗口左下角单击 **+** 按钮。 +1. 从 **接口** 下拉菜单选择 **VPN**。 +1. 从 **VPN 类型** 下拉菜单选择 **IKEv2**。 +1. 在 **服务名称** 字段中输入任意内容。 +1. 单击 **创建**。 +1. 在 **服务器地址** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 +1. 在 **远程 ID** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 +1. 保持 **本地 ID** 字段空白。 +1. 单击 **鉴定设置...** 按钮。 +1. 从 **鉴定设置** 下拉菜单中选择 **无**。 +1. 选择 **证书** 单选按钮,然后选择 **vpnclient** 证书。 +1. 单击 **好**。 +1. 选中 **在菜单栏中显示 VPN 状态** 复选框。 +1. 单击 **应用** 保存VPN连接信息。 +1. 单击 **连接**。 - #### Android 4.x 和更新版本 +### Android 4.x 和更新版本 - 1. 将文件 `vpnclient.p12` 安全地传送到你的 Android 设备。 - 1. 从 **Google Play** 安装 strongSwan VPN 客户端。 - 1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 - 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 - 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 - 1. 单击 **Select user certificate**,然后单击 **Install certificate**。 - 1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 - 1. 保存新的 VPN 连接,然后单击它以开始连接。 +1. 将文件 `vpnclient.p12` 安全地传送到你的 Android 设备。 +1. 从 **Google Play** 安装 strongSwan VPN 客户端。 +1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 +1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 +1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 +1. 单击 **Select user certificate**,然后单击 **Install certificate**。 +1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 +1. 
保存新的 VPN 连接,然后单击它以开始连接。 - #### iOS (iPhone/iPad) +### iOS (iPhone/iPad) - 首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。你可以使用 AirDrop (隔空投送)来传输文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 +首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。你可以使用 AirDrop (隔空投送)来传输文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 - 1. 进入设置 -> 通用 -> VPN。 - 1. 单击 **添加VPN配置...**。 - 1. 单击 **类型** 。选择 **IKEv2** 并返回。 - 1. 在 **描述** 字段中输入任意内容。 - 1. 在 **服务器** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 - 1. 在 **远程 ID** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 - 1. 保持 **本地 ID** 字段空白。 - 1. 单击 **用户鉴定** 。选择 **无** 并返回。 - 1. 启用 **使用证书** 选项。 - 1. 单击 **证书** 。选择 **vpnclient** 并返回。 - 1. 单击右上角的 **完成**。 - 1. 启用 **VPN** 连接。 +1. 进入设置 -> 通用 -> VPN。 +1. 单击 **添加VPN配置...**。 +1. 单击 **类型** 。选择 **IKEv2** 并返回。 +1. 在 **描述** 字段中输入任意内容。 +1. 在 **服务器** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 +1. 在 **远程 ID** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 +1. 保持 **本地 ID** 字段空白。 +1. 单击 **用户鉴定** 。选择 **无** 并返回。 +1. 启用 **使用证书** 选项。 +1. 单击 **证书** 。选择 **vpnclient** 并返回。 +1. 单击右上角的 **完成**。 +1. 启用 **VPN** 连接。 -1. 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 ## 已知问题 -1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式连接。 -1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级到版本 3.26 或以上。 +1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式。 +1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级 到版本 3.26 或以上。 1. Ubuntu 18.04 和 CentOS 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。这是由 `NSS` 中的一个问题导致的。更多信息请看 这里。 1. 目前还不支持同时连接在同一个 NAT (比如家用路由器)后面的多个 IKEv2 客户端。对于这个用例,请换用 IPsec/XAuth 模式。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 641a59d502..422cd4ce4f 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -1,14 +1,19 @@ -# How-To: IKEv2 VPN for Windows, macOS, Android and iOS +# Step-by-Step Guide: How to Set Up IKEv2 VPN *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* ---- - **Important:** This guide is for **advanced users** only. Other users please use [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. --- +* [Introduction](#introduction) +* [Set up IKEv2 on the VPN server](#set-up-ikev2-on-the-vpn-server) +* [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) +* [Known issues](#known-issues) +* [References](#references) -Windows 7 and newer releases support the IKEv2 standard through Microsoft's Agile VPN functionality. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains improvements such as Standard Mobility support through MOBIKE, and improved reliability. +## Introduction + +Modern operating systems (such as Windows 7 and newer) support the IKEv2 standard. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a Security Association (SA) in the IPsec protocol suite. Compared to IKE version 1, IKEv2 contains improvements such as Standard Mobility support through MOBIKE, and improved reliability. Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certificates using RSA signatures. This method does not require an IPsec PSK, username or password. It can be used with: 
@@ -17,9 +22,11 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica - Android 4.x and newer (using the strongSwan VPN client) - iOS (iPhone/iPad) -The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. +## Set up IKEv2 on the VPN server -Before continuing, make sure you have successfully set up your VPN server, and upgraded Libreswan to the latest version. +**Important:** As a prerequisite to using this guide, and before continuing, you must make sure that you have successfully set up your own VPN server, and (optional but recommended) upgraded Libreswan to the latest version. + +The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. 1. Find the VPN server's public IP, save it to a variable and check. 
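Review bot: The new **Important** prerequisite in this docs/ikev2-howto.md hunk describes upgrading Libreswan as "(optional but recommended)", while the client list in the hunk's context includes Android via the strongSwan VPN client, and the Known issues section of the same document says that client requires Libreswan 3.26 or above on the server. Suggest stating in the prerequisite that the upgrade is required when strongSwan Android clients will connect, so those users do not skip it.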
@@ -200,80 +207,82 @@ Before continuing, make sure you have successfully Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". +1. Securely transfer `vpnclient.p12` to your computer, then import it into the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". - Detailed instructions: - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs + Detailed instructions: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs - 1. On the Windows computer, add a new IKEv2 VPN connection: - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config +1. On the Windows computer, add a new IKEv2 VPN connection: + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config - 1. Start the new VPN connection, and enjoy your IKEv2 VPN! - https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect +1. Start the new VPN connection, and enjoy your IKEv2 VPN! + https://wiki.strongswan.org/projects/strongswan/wiki/Win7Connect - 1. (Optional) You may enable stronger ciphers by adding the registry key `NegotiateDH2048_AES256` and reboot. Read more here. +1. (Optional) Enable stronger ciphers by adding the registry key `NegotiateDH2048_AES256` and reboot. Read more here. - #### OS X (macOS) +### OS X (macOS) - First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your Mac, then double-click to import them one by one into the **login** keychain in **Keychain Access**. Next, double-click on the imported `IKEv2 VPN CA` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu. When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under the **Certificates** category of **login** keychain. 
+First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your Mac, then double-click to import them one by one into the **login** keychain in **Keychain Access**. Next, double-click on the imported `IKEv2 VPN CA` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu. When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under the **Certificates** category of **login** keychain. - 1. Open System Preferences and go to the Network section. - 1. Click the **+** button in the lower-left corner of the window. - 1. Select **VPN** from the **Interface** drop-down menu. - 1. Select **IKEv2** from the **VPN Type** drop-down menu. - 1. Enter anything you like for the **Service Name**. - 1. Click **Create**. - 1. Enter `Your VPN Server IP` (or DNS name) for the **Server Address**. - 1. Enter `Your VPN Server IP` (or DNS name) for the **Remote ID**. - 1. Leave the **Local ID** field blank. - 1. Click the **Authentication Settings...** button. - 1. Select **None** from the **Authentication Settings** drop-down menu. - 1. Select the **Certificate** radio button, then select the **vpnclient** certificate. - 1. Click **OK**. - 1. Check the **Show VPN status in menu bar** checkbox. - 1. Click **Apply** to save the VPN connection information. - 1. Click **Connect**. +1. Open System Preferences and go to the Network section. +1. Click the **+** button in the lower-left corner of the window. +1. Select **VPN** from the **Interface** drop-down menu. +1. Select **IKEv2** from the **VPN Type** drop-down menu. +1. Enter anything you like for the **Service Name**. +1. Click **Create**. +1. Enter `Your VPN Server IP` (or DNS name) for the **Server Address**. +1. Enter `Your VPN Server IP` (or DNS name) for the **Remote ID**. +1. Leave the **Local ID** field blank. +1. Click the **Authentication Settings...** button. +1. Select **None** from the **Authentication Settings** drop-down menu. +1. 
Select the **Certificate** radio button, then select the **vpnclient** certificate. +1. Click **OK**. +1. Check the **Show VPN status in menu bar** checkbox. +1. Click **Apply** to save the VPN connection information. +1. Click **Connect**. - #### Android 4.x and newer +### Android 4.x and newer - 1. Securely transfer `vpnclient.p12` to your Android device. - 1. Install strongSwan VPN Client from **Google Play**. - 1. Launch the VPN client and tap **Add VPN Profile**. - 1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field. - 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. - 1. Tap **Select user certificate**, then tap **Install certificate**. - 1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. - 1. Save the new VPN connection, then tap to connect. +1. Securely transfer `vpnclient.p12` to your Android device. +1. Install strongSwan VPN Client from **Google Play**. +1. Launch the VPN client and tap **Add VPN Profile**. +1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field. +1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. +1. Tap **Select user certificate**, then tap **Install certificate**. +1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. +1. Save the new VPN connection, then tap to connect. - #### iOS (iPhone/iPad) +### iOS (iPhone/iPad) - First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your iOS device, then import them one by one as iOS profiles. To transfer the files, you may use AirDrop. Alternatively, host the files on a secure website of yours, then download and import in Mobile Safari. When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under Settings -> General -> Profiles. +First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your iOS device, then import them one by one as iOS profiles. To transfer the files, you may use AirDrop. 
Alternatively, host the files on a secure website of yours, then download and import them in Mobile Safari. When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under Settings -> General -> Profiles. - 1. Go to Settings -> General -> VPN. - 1. Tap **Add VPN Configuration...**. - 1. Tap **Type**. Select **IKEv2** and go back. - 1. Tap **Description** and enter anything you like. - 1. Tap **Server** and enter `Your VPN Server IP` (or DNS name). - 1. Tap **Remote ID** and enter `Your VPN Server IP` (or DNS name). - 1. Leave the **Local ID** field blank. - 1. Tap **User Authentication**. Select **None** and go back. - 1. Make sure the **Use Certificate** switch is ON. - 1. Tap **Certificate**. Select **vpnclient** and go back. - 1. Tap **Done**. - 1. Slide the **VPN** switch ON. +1. Go to Settings -> General -> VPN. +1. Tap **Add VPN Configuration...**. +1. Tap **Type**. Select **IKEv2** and go back. +1. Tap **Description** and enter anything you like. +1. Tap **Server** and enter `Your VPN Server IP` (or DNS name). +1. Tap **Remote ID** and enter `Your VPN Server IP` (or DNS name). +1. Leave the **Local ID** field blank. +1. Tap **User Authentication**. Select **None** and go back. +1. Make sure the **Use Certificate** switch is ON. +1. Tap **Certificate**. Select **vpnclient** and go back. +1. Tap **Done**. +1. Slide the **VPN** switch ON. -1. Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". -## Known Issues +## Known issues 1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. 
You may instead try the IPsec/L2TP or IPsec/XAuth mode. -1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above. +1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above. 1. Ubuntu 18.04 and CentOS users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more here. 1. Connecting multiple IKEv2 clients simultaneously from behind the same NAT (e.g. home router) is not supported at this time. For this use case, please instead use IPsec/XAuth mode. From 323e7cfbf46ff977398463a8ad9018ad7576fe1d Mon Sep 17 00:00:00 2001 From: Abubakar Siddiq Ango Date: Sat, 9 Mar 2019 20:07:46 +0100 Subject: [PATCH 0263/1208] Limit Number of default routes returned to 1 (#541) --- vpnsetup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index fcd3290ec9..1d3c6e0933 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -69,7 +69,7 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -def_iface=$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$') +def_iface=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$') [ -z "$def_iface" ] && def_iface=$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)') def_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then From dfa607eef8f69db77510cc5d5ba8397535e1ff90 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 9 Mar 2019 13:13:42 -0600 Subject: [PATCH 0264/1208] Improve route detection - Limit Number of default routes returned to 1 - Fixup for commit 323e7cf (#541) --- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 1d3c6e0933..464f3ea0c3 100755 --- a/vpnsetup.sh 
+++ b/vpnsetup.sh @@ -70,7 +70,7 @@ if [ "$(id -u)" != 0 ]; then fi def_iface=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$') -[ -z "$def_iface" ] && def_iface=$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)') +[ -z "$def_iface" ] && def_iface=$(ip -4 route list 0/0 2>/dev/null | grep -m 1 -Po '(?<=dev )(\S+)') def_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then if ! uname -m | grep -qi '^arm'; then diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 9508325e50..6e934825e0 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -60,8 +60,8 @@ if [ "$(id -u)" != 0 ]; then exiterr "Script must be run as root. Try 'sudo sh $0'" fi -def_iface=$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$') -[ -z "$def_iface" ] && def_iface=$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)') +def_iface=$(route 2>/dev/null | grep -m 1 '^default' | grep -o '[^ ]*$') +[ -z "$def_iface" ] && def_iface=$(ip -4 route list 0/0 2>/dev/null | grep -m 1 -Po '(?<=dev )(\S+)') def_state=$(cat "/sys/class/net/$def_iface/operstate" 2>/dev/null) if [ -n "$def_state" ] && [ "$def_state" != "down" ]; then case "$def_iface" in From e61efe242e6ec9693603b91f1016bdb9a34fb9f2 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 15 Mar 2019 23:12:56 -0500 Subject: [PATCH 0265/1208] Update IKEv2 docs - Add a known issue (#543) --- docs/ikev2-howto-zh.md | 1 + docs/ikev2-howto.md | 1 + 2 files changed, 2 insertions(+) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 94674f03b3..65551ef6aa 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -283,6 +283,7 @@ VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式。 1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级 到版本 3.26 或以上。 +1. 如果你的 VPN 客户端可以连接但是无法打开任何网站,可以尝试编辑服务器上的 `/etc/ipsec.conf`。找到 `conn ikev2-cp` 部分的 `phase2alg=` 一行并删除 `aes_gcm-null,`。保存文件并运行 `service ipsec restart`。 1. Ubuntu 18.04 和 CentOS 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。这是由 `NSS` 中的一个问题导致的。更多信息请看 这里。 1. 目前还不支持同时连接在同一个 NAT (比如家用路由器)后面的多个 IKEv2 客户端。对于这个用例,请换用 IPsec/XAuth 模式。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 422cd4ce4f..3c4d9d7801 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -283,6 +283,7 @@ Once successfully connected, you can verify that your traffic is being routed pr 1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the IPsec/L2TP or IPsec/XAuth mode. 1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above. +1. If your VPN client can connect but cannot open any website, try editing `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=` under section `conn ikev2-cp` and delete `aes_gcm-null,`. Save the file and run `service ipsec restart`. 1. Ubuntu 18.04 and CentOS users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more here. 1. Connecting multiple IKEv2 clients simultaneously from behind the same NAT (e.g. home router) is not supported at this time. For this use case, please instead use IPsec/XAuth mode. From 4c5513158720286274c0422f06c904e5663657bb Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Wed, 24 Apr 2019 22:09:23 -0500 Subject: [PATCH 0266/1208] Update docs --- docs/clients-zh.md | 17 +++++++++++++++++ docs/clients.md | 17 +++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 62ae223239..8a275d65bc 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -207,6 +207,7 @@ Fedora 28 (和更新版本)和 CentOS 7 用户可以使用更高效的 [IPse * [iOS/Android 睡眠模式](#iosandroid-睡眠模式) * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook 连接问题](#chromebook-连接问题) +* [访问 VPN 服务器的网段](#访问-vpn-服务器的网段) * [其它错误](#其它错误) * [额外的步骤](#额外的步骤) @@ -286,6 +287,22 @@ Android 设备在进入睡眠模式不久后也会断开 Wi-Fi 连接,如果 Chromebook 用户: 如果你无法连接,请尝试以下步骤:编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。 +### 访问 VPN 服务器的网段 + +如果要允许 VPN 客户端访问 VPN 服务器所在的网段,你需要在搭建 VPN 服务器之后手动添加 IPTables 规则。例如,如果网段是 `192.168.0.0/24`: + +``` +# For IPsec/L2TP +iptables -I FORWARD 2 -i ppp+ -d 192.168.0.0/24 -j ACCEPT +iptables -I FORWARD 2 -s 192.168.0.0/24 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + +# For IPsec/XAuth ("Cisco IPsec") +iptables -I FORWARD 2 -s 192.168.43.0/24 -d 192.168.0.0/24 -j ACCEPT +iptables -I FORWARD 2 -s 192.168.0.0/24 -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +``` + +为了让这些 IPTables 规则在重启后继续有效,你可以将它们添加到文件 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。 + ### 其它错误 如果你遇到其它错误,请参见以下链接: diff --git a/docs/clients.md b/docs/clients.md index 8b2700a83a..63b1008838 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -207,6 +207,7 @@ First check Date: Mon, 29 Apr 2019 10:13:41 -0500 Subject: [PATCH 0267/1208] Update docs - Minor clarification for Android VPN clients --- docs/clients-zh.md | 2 ++ docs/clients.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 8a275d65bc..f75d0ac592 100644 --- a/docs/clients-zh.md 
+++ b/docs/clients-zh.md @@ -112,6 +112,8 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP' 1. 在 **名称** 字段中输入任意内容。 1. 在 **类型** 下拉菜单选择 **L2TP/IPSec PSK**。 1. 在 **服务器地址** 字段中输入`你的 VPN 服务器 IP`。 +1. 保持 **L2TP 密钥** 字段空白。 +1. 保持 **IPSec 标识符** 字段空白。 1. 在 **IPSec 预共享密钥** 字段中输入`你的 VPN IPsec PSK`。 1. 单击 **保存**。 1. 单击新的VPN连接。 diff --git a/docs/clients.md b/docs/clients.md index 63b1008838..b0e6b920ee 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -112,6 +112,8 @@ If you get an error when trying to connect, see Troub 1. Enter anything you like in the **Name** field. 1. Select **L2TP/IPSec PSK** in the **Type** drop-down menu. 1. Enter `Your VPN Server IP` in the **Server address** field. +1. Leave the **L2TP secret** field blank. +1. Leave the **IPSec identifier** field blank. 1. Enter `Your VPN IPsec PSK` in the **IPSec pre-shared key** field. 1. Tap **Save**. 1. Tap the new VPN connection. From b57999120609ac1b69ef8c0786efe11408550e43 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 1 Jun 2019 21:22:34 -0500 Subject: [PATCH 0268/1208] Update docs - Remove Ubuntu 14.04 (now EOL) --- README-zh.md | 4 ++-- README.md | 4 ++-- docs/clients-zh.md | 2 +- docs/clients.md | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README-zh.md b/README-zh.md index cbab6f7786..7563edf261 100644 --- a/README-zh.md +++ b/README-zh.md @@ -53,12 +53,12 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh - 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持 - 可直接作为 Amazon EC2 实例创建时的用户数据使用 - 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能 -- 已测试: Ubuntu 18.04/16.04/14.04, Debian 9/8 和 CentOS 7/6 +- 已测试: Ubuntu 18.04/16.04, Debian 9/8 和 CentOS 7/6 ## 系统要求 一个新创建的 Amazon EC2 实例,使用这些映像之一: -- Ubuntu 18.04 (Bionic), 16.04 (Xenial) or 14.04 (Trusty) +- Ubuntu 18.04 (Bionic) or 16.04 (Xenial) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates diff --git a/README.md b/README.md index 8cabc7248c..b0cae9b2ce 100644 
--- a/README.md +++ b/README.md @@ -53,12 +53,12 @@ For other installation options and how to set up VPN clients, read the sections - Encapsulates all VPN traffic in UDP - does not need ESP protocol - Can be directly used as "user-data" for a new Amazon EC2 instance - Includes `sysctl.conf` optimizations for improved performance -- Tested with Ubuntu 18.04/16.04/14.04, Debian 9/8 and CentOS 7/6 +- Tested with Ubuntu 18.04/16.04, Debian 9/8 and CentOS 7/6 ## Requirements A newly created Amazon EC2 instance, from one of these images: -- Ubuntu 18.04 (Bionic), 16.04 (Xenial) or 14.04 (Trusty) +- Ubuntu 18.04 (Bionic) or 16.04 (Xenial) - Debian 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates diff --git a/docs/clients-zh.md b/docs/clients-zh.md index f75d0ac592..2647825f14 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -167,7 +167,7 @@ VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可 ### Ubuntu Linux -Ubuntu 18.04 (和更新版本)用户可以安装 network-manager-l2tp-gnome 软件包,然后通过 GUI 配置 IPsec/L2TP VPN 客户端。Ubuntu 16.04 和 14.04 用户可能需要添加 `nm-l2tp` PPA,参见 这里。 +Ubuntu 18.04 (和更新版本)用户可以安装 network-manager-l2tp-gnome 软件包,然后通过 GUI 配置 IPsec/L2TP VPN 客户端。Ubuntu 16.04 用户可能需要添加 `nm-l2tp` PPA,参见 这里。 1. 进入 Settings -> Network -> VPN。单击 **+** 按钮。 1. 选择 **Layer 2 Tunneling Protocol (L2TP)**。 diff --git a/docs/clients.md b/docs/clients.md index b0e6b920ee..65bc6dab43 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -167,7 +167,7 @@ If you get an error when trying to connect, see Troub ### Ubuntu Linux -Ubuntu 18.04 (and newer) users can install the network-manager-l2tp-gnome package, then configure the IPsec/L2TP VPN client using the GUI. Ubuntu 16.04 and 14.04 users may need to add the `nm-l2tp` PPA, read more here. +Ubuntu 18.04 (and newer) users can install the network-manager-l2tp-gnome package, then configure the IPsec/L2TP VPN client using the GUI. Ubuntu 16.04 users may need to add the `nm-l2tp` PPA, read more here. 1. Go to Settings -> Network -> VPN. Click the **+** button. 1. Select **Layer 2 Tunneling Protocol (L2TP)**. From 1659d0336ca0812df08c334e97eee143ac55bc87 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 2 Jun 2019 21:08:43 -0500 Subject: [PATCH 0269/1208] Support Libreswan 3.28 - Support upgrading to new Libreswan version 3.28 - Patch applied for Debian 9/8. See: https://lists.libreswan.org/pipermail/swan/2019/003210.html - Patch applied for CentOS 6. See: https://github.com/libreswan/libreswan/commit/5db185497dcfff703391db955138b6c5d54a8893 and https://github.com/libreswan/libreswan/commit/4b93354f3575e4c6abe91a4e95f6fd43f4a99b0c --- extras/vpnupgrade.sh | 41 +++++++++++++++++++++++++++++-------- extras/vpnupgrade_centos.sh | 36 ++++++++++++++++++++++++-------- 2 files changed, 59 insertions(+), 18 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 6aa162d857..65bcfb90ff 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=3.27 +SWAN_VER=3.28 ### DO NOT edit below this line ### 
@@ -44,14 +44,14 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[0123567]) + 3.19|3.2[01235678]) /bin/true ;; *) cat 1>&2 < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false USE_DH31 = false +USE_NSS_AVA_COPY=true +USE_NSS_IPSEC_PROFILE=false USE_GLIBC_KERN_FLIP_HEADERS = true EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then @@ -239,6 +257,11 @@ elif [ "$dns_state" = "4" ]; then sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf fi +if [ "$SWAN_VER" = "3.28" ]; then + sed -i "/ikev2=never/d" /etc/ipsec.conf + sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf +fi + # Restart IPsec service mkdir -p /run/pluto service ipsec restart diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index f267056a94..400a0b1611 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=3.27 +SWAN_VER=3.28 ### DO NOT edit below this line ### @@ -35,14 +35,14 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[0123567]) + 3.19|3.2[01235678]) /bin/true ;; *) cat 1>&2 < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false USE_DH31 = false +USE_NSS_AVA_COPY=true +USE_NSS_IPSEC_PROFILE=false USE_GLIBC_KERN_FLIP_HEADERS = true EOF NPROCS=$(grep -c ^processor /proc/cpuinfo) @@ -237,6 +250,11 @@ elif [ "$dns_state" = "4" ]; then sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf fi +if [ "$SWAN_VER" = "3.28" ]; then + sed -i "/ikev2=never/d" /etc/ipsec.conf + sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf +fi + # Restart IPsec service mkdir -p /run/pluto service ipsec restart From da20e723e82459674570c2fdfe09a5838fd07b16 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Sun, 2 Jun 2019 22:44:12 -0500 Subject: [PATCH 0270/1208] Remove xl2tpd workaround --- vpnsetup.sh | 18 ------------------ vpnsetup_centos.sh | 18 ------------------ 2 files changed, 36 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 464f3ea0c3..5767e5e261 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -164,24 +164,6 @@ apt-get -yq install libnss3-dev libnspr4-dev pkg-config \ libcurl4-nss-dev flex bison gcc make libnss3-tools \ libevent-dev ppp xl2tpd || exiterr2 -case "$(uname -r)" in - 4.1[456]*) - if ! printf '%s' "$os_type" | head -n 1 | grep -qiF ubuntu; then - L2TP_VER=1.3.12 - l2tp_dir="xl2tpd-$L2TP_VER" - l2tp_file="$l2tp_dir.tar.gz" - l2tp_url="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz" - apt-get -yq install libpcap0.8-dev || exiterr2 - wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url" || exit 1 - /bin/rm -rf "/opt/src/$l2tp_dir" - tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file" - cd "$l2tp_dir" && make -s 2>/dev/null && PREFIX=/usr make -s install - cd /opt/src || exit 1 - /bin/rm -rf "/opt/src/$l2tp_dir" - fi - ;; -esac - bigecho "Installing Fail2Ban to protect SSH..." apt-get -yq install fail2ban || exiterr2 diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 6e934825e0..21588f4426 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -154,24 +154,6 @@ else yum "$REPO2" "$REPO3" -y install libevent-devel fipscheck-devel || exiterr2 fi -case "$(uname -r)" in - 4.1[456]*) - if grep -qs "release 6" /etc/redhat-release; then - L2TP_VER=1.3.12 - l2tp_dir="xl2tpd-$L2TP_VER" - l2tp_file="$l2tp_dir.tar.gz" - l2tp_url="https://github.com/xelerance/xl2tpd/archive/v$L2TP_VER.tar.gz" - yum "$REPO2" "$REPO3" -y install libpcap-devel || exiterr2 - wget -t 3 -T 30 -nv -O "$l2tp_file" "$l2tp_url" || exit 1 - /bin/rm -rf "/opt/src/$l2tp_dir" - tar xzf "$l2tp_file" && /bin/rm -f "$l2tp_file" - cd "$l2tp_dir" && make -s 2>/dev/null && PREFIX=/usr make -s install - cd /opt/src || exit 1 - /bin/rm -rf "/opt/src/$l2tp_dir" - fi - ;; -esac - bigecho "Installing Fail2Ban to protect SSH..." yum "$REPO1" -y install fail2ban || exiterr2 From 62d9b845d6fbb2ca6e07ce596df1d5a8700cd9e2 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 3 Jun 2019 22:02:14 -0500 Subject: [PATCH 0271/1208] Cleanup --- extras/vpnupgrade.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 65bcfb90ff..4e90846cf1 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -202,11 +202,12 @@ cd "libreswan-$SWAN_VER" || exit 1 if [ "$SWAN_VER" = "3.28" ]; then if ! printf '%s' "$os_type" | head -n 1 | grep -qiF ubuntu; then apt-get -yq install patch || exiterr2 - patch_url1="https://raw.githubusercontent.com/libreswan/libreswan/37c4736005462084c5d7bc698e13f26fc73a9a4f/programs/barf/barf.in" - patch_url2="https://github.com/libreswan/libreswan/commit/716f4b712724c6698469563e531dea3667507ceb.patch" + patch_url1="https://raw.githubusercontent.com/libreswan/libreswan/37c4736/programs/barf/barf.in" + patch_url2="https://github.com/libreswan/libreswan/commit/716f4b7.patch" wget -t 3 -T 30 -nv -O programs/barf/barf.in "$patch_url1" || exit 1 wget -t 3 -T 30 -nv -O xfrm.patch "$patch_url2" || exit 1 - patch -p1 < xfrm.patch || exit 1 + patch -s -p1 < xfrm.patch || exit 1 + /bin/rm -f xfrm.patch fi fi cat > Makefile.inc.local <<'EOF' From 6c0c006d24e16cba351d2c967991b4c9af0cca36 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 9 Jun 2019 00:14:33 -0500 Subject: [PATCH 0272/1208] Cleanup --- extras/vpnupgrade.sh | 4 ++-- extras/vpnupgrade_centos.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 4e90846cf1..7ebbeae223 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -214,8 +214,8 @@ cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false USE_DH31 = false -USE_NSS_AVA_COPY=true -USE_NSS_IPSEC_PROFILE=false +USE_NSS_AVA_COPY = true +USE_NSS_IPSEC_PROFILE = false USE_GLIBC_KERN_FLIP_HEADERS = true EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 400a0b1611..621ebfb421 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh 
@@ -208,8 +208,8 @@ cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false USE_DH31 = false -USE_NSS_AVA_COPY=true -USE_NSS_IPSEC_PROFILE=false +USE_NSS_AVA_COPY = true +USE_NSS_IPSEC_PROFILE = false USE_GLIBC_KERN_FLIP_HEADERS = true EOF NPROCS=$(grep -c ^processor /proc/cpuinfo) From f69a0a9c97b9049dc4d0d7fc58fb1bb4775db4b4 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 9 Jun 2019 00:15:11 -0500 Subject: [PATCH 0273/1208] New Libreswan version - Upgrade Libreswan to 3.28 - Patches applied for Debian and CentOS 6. See 1659d03 --- vpnsetup.sh | 15 +++++++++++++-- vpnsetup_centos.sh | 9 +++++++-- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 5767e5e261..a8664db8d0 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -170,7 +170,7 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.27 +SWAN_VER=3.28 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -180,10 +180,21 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 +if ! printf '%s' "$os_type" | head -n 1 | grep -qiF ubuntu; then + apt-get -yq install patch || exiterr2 + patch_url1="https://raw.githubusercontent.com/libreswan/libreswan/37c4736/programs/barf/barf.in" + patch_url2="https://github.com/libreswan/libreswan/commit/716f4b7.patch" + wget -t 3 -T 30 -nv -O programs/barf/barf.in "$patch_url1" || exit 1 + wget -t 3 -T 30 -nv -O xfrm.patch "$patch_url2" || exit 1 + patch -s -p1 < xfrm.patch || exit 1 + /bin/rm -f xfrm.patch +fi cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false USE_DH31 = false +USE_NSS_AVA_COPY = true +USE_NSS_IPSEC_PROFILE = false USE_GLIBC_KERN_FLIP_HEADERS = true EOF if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then 
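Review bot: In the new non-Ubuntu block of `vpnsetup.sh`, `barf.in` and `xfrm.patch` are fetched with `wget` and used in a build that runs as root with no integrity check, and both URLs reference abbreviated commit IDs (`37c4736`, `716f4b7`). Suggest using the full commit IDs, as the earlier revision of `extras/vpnupgrade.sh` did, and comparing each download against a SHA-256 recorded in the script before running `patch -s -p1 < xfrm.patch`. Separately, `-O programs/barf/barf.in` replaces the file from the release tarball wholesale, so a comment naming the upstream fix it carries would help whoever removes this block later.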
@@ -234,6 +245,7 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear + ikev2=never ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2 sha2-truncbug=yes @@ -258,7 +270,6 @@ conn xauth-psk modecfgpull=yes xauthby=file ike-frag=yes - ikev2=never cisco-unity=yes also=shared EOF diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 21588f4426..44592f1851 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -160,7 +160,7 @@ yum "$REPO1" -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.27 +SWAN_VER=3.28 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -170,10 +170,15 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 +if grep -qs "release 6" /etc/redhat-release; then + sed -i '28iLDFLAGS += -lrt' testing/timecheck/Makefile +fi cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false USE_DH31 = false +USE_NSS_AVA_COPY = true +USE_NSS_IPSEC_PROFILE = false USE_GLIBC_KERN_FLIP_HEADERS = true EOF NPROCS=$(grep -c ^processor /proc/cpuinfo) @@ -221,6 +226,7 @@ conn shared dpddelay=30 dpdtimeout=120 dpdaction=clear + ikev2=never ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2 sha2-truncbug=yes @@ -245,7 +251,6 @@ conn xauth-psk modecfgpull=yes xauthby=file ike-frag=yes - ikev2=never cisco-unity=yes also=shared EOF From 609f24257d5f9ca342182a4b2e119ea7736f6263 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Mon, 10 Jun 2019 21:05:51 -0500 Subject: [PATCH 0274/1208] New Libreswan version - Upgrade Libreswan to 3.29 --- extras/vpnupgrade.sh | 23 ++++++----------------- extras/vpnupgrade_centos.sh | 17 ++++++----------- vpnsetup.sh | 11 +---------- vpnsetup_centos.sh | 5 +---- 4 files changed, 14 insertions(+), 42 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 7ebbeae223..f7c408f66d 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=3.28 +SWAN_VER=3.29 ### DO NOT edit below this line ### @@ -44,14 +44,14 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[01235678]) + 3.19|3.2[01235679]) /bin/true ;; *) cat 1>&2 < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false @@ -258,7 +247,7 @@ elif [ "$dns_state" = "4" ]; then sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf fi -if [ "$SWAN_VER" = "3.28" ]; then +if [ "$SWAN_VER" = "3.29" ]; then sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf fi diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 621ebfb421..a5c51e3f7d 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=3.28 +SWAN_VER=3.29 ### DO NOT edit below this line ### @@ -35,14 +35,14 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[01235678]) + 3.19|3.2[01235679]) /bin/true ;; *) cat 1>&2 < Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false 
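Review bot: The `case "$SWAN_VER"` pattern changes from `3.2[01235678]` to `3.2[01235679]`, which removes 3.28 from the accepted versions, while the commit message only says "Upgrade Libreswan to 3.29". Anyone who sets `SWAN_VER=3.28` now falls into the `*)` error branch. If that is intended because the 3.28 patch block is removed from `vpnsetup.sh` in this same commit, say so in the commit message or in a comment next to the pattern.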
@@ -250,7 +245,7 @@ elif [ "$dns_state" = "4" ]; then sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf fi -if [ "$SWAN_VER" = "3.28" ]; then +if [ "$SWAN_VER" = "3.29" ]; then sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf fi diff --git a/vpnsetup.sh b/vpnsetup.sh index a8664db8d0..a146f55e82 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -170,7 +170,7 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.28 +SWAN_VER=3.29 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -180,15 +180,6 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -if ! printf '%s' "$os_type" | head -n 1 | grep -qiF ubuntu; then - apt-get -yq install patch || exiterr2 - patch_url1="https://raw.githubusercontent.com/libreswan/libreswan/37c4736/programs/barf/barf.in" - patch_url2="https://github.com/libreswan/libreswan/commit/716f4b7.patch" - wget -t 3 -T 30 -nv -O programs/barf/barf.in "$patch_url1" || exit 1 - wget -t 3 -T 30 -nv -O xfrm.patch "$patch_url2" || exit 1 - patch -s -p1 < xfrm.patch || exit 1 - /bin/rm -f xfrm.patch -fi cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 44592f1851..789132c03f 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -160,7 +160,7 @@ yum "$REPO1" -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.28 +SWAN_VER=3.29 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" 
@@ -170,9 +170,6 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -if grep -qs "release 6" /etc/redhat-release; then - sed -i '28iLDFLAGS += -lrt' testing/timecheck/Makefile -fi cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false From b9a4c233505d6480b3cc8ecdd6d054391d355103 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 8 Aug 2019 00:12:55 -0500 Subject: [PATCH 0275/1208] Update docs - Update troubleshooting section - Closes #606 --- docs/clients-zh.md | 6 ++++++ docs/clients.md | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 2647825f14..6894d9fe1f 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -207,6 +207,7 @@ Fedora 28 (和更新版本)和 CentOS 7 用户可以使用更高效的 [IPse * [Windows 8/10 DNS 泄漏](#windows-810-dns-泄漏) * [macOS VPN 流量](#macos-vpn-流量) * [iOS/Android 睡眠模式](#iosandroid-睡眠模式) +* [iOS 13 连接问题](#ios-13-连接问题) * [Android 6 及以上版本](#android-6-及以上版本) * [Chromebook 连接问题](#chromebook-连接问题) * [访问 VPN 服务器的网段](#访问-vpn-服务器的网段) @@ -276,6 +277,10 @@ OS X (macOS) 用户: 如果你成功地使用 IPsec/L2TP 模式连接,但是 Android 设备在进入睡眠模式不久后也会断开 Wi-Fi 连接,如果你没有启用选项 "睡眠期间保持 WLAN 开启" 的话。该选项在 Android 8 (Oreo) 中不再可用。 另外,你也可以尝试打开 "始终开启 VPN" 选项以保持连接。详情请看 这里。 +### iOS 13 连接问题 + +如果你的 iOS 13 设备 (iPhone/iPad) 可以连接到 VPN 但是不能上网,请尝试以下步骤:编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。 + ### Android 6 及以上版本 如果你无法使用 Android 6 或以上版本连接: @@ -312,6 +317,7 @@ iptables -I FORWARD 2 -s 192.168.0.0/24 -d 192.168.43.0/24 -m conntrack --ctstat * http://www.tp-link.com/en/faq-1029.html * https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues * https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ +* https://stackoverflow.com/questions/25245854/windows-8-1-gets-error-720-on-connect-vpn ### 额外的步骤 
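Review bot: The iOS 13 section added to `docs/clients-zh.md` has readers change `sha2-truncbug=yes` to `sha2-truncbug=no` on the server but does not say what the option controls or that the edit affects the other devices using the same server. One sentence on that would help, for example that `yes` makes Libreswan use the 96-bit truncation of SHA2-256 from the draft specification for interoperability with older peers, and that a client which needed that behaviour may stop working once it is set to `no`. The same applies to the matching English section in `docs/clients.md`.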
diff --git a/docs/clients.md b/docs/clients.md index 65bc6dab43..be7e878704 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -207,6 +207,7 @@ First check here. +### iOS 13 connection issues + +If your iOS 13 device (iPhone/iPad) can connect to the VPN but cannot access the Internet, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. + ### Android 6 and above If you are unable to connect using Android 6 or above: @@ -312,6 +317,7 @@ If you encounter other errors, refer to the links below: * http://www.tp-link.com/en/faq-1029.html * https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues * https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ +* https://stackoverflow.com/questions/25245854/windows-8-1-gets-error-720-on-connect-vpn ### Additional steps From 772da07efd4813d8c026f0d13a4f295c5666cac2 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 20 Aug 2019 11:06:11 -0500 Subject: [PATCH 0276/1208] Add Debian 10 - Add Debian 10 to supported OS - Add a note on Debian 10 kernel versions --- README-zh.md | 7 +++++-- README.md | 7 +++++-- docs/clients-zh.md | 7 +++++++ docs/clients.md | 15 +++++++++++---- 4 files changed, 28 insertions(+), 8 deletions(-) diff --git a/README-zh.md b/README-zh.md index 7563edf261..f3b0bb5ff0 100644 --- a/README-zh.md +++ b/README-zh.md @@ -28,7 +28,7 @@ IPsec VPN 可以加密你的网络流量,以防止在通过因特网传送时 ## 快速开始 -首先,在你的 Linux 服务器[*](#quick-start-note) 上全新安装一个 Ubuntu LTS, Debian 或者 CentOS 系统。 +首先,在你的 Linux 服务器[\*](#quick-start-note) 上全新安装一个 Ubuntu LTS, Debian 或者 CentOS 系统。 使用以下命令快速搭建 IPsec VPN 服务器: 
@@ -59,7 +59,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 一个新创建的 Amazon EC2 实例,使用这些映像之一: - Ubuntu 18.04 (Bionic) or 16.04 (Xenial) -- Debian 9 (Stretch) or 8 (Jessie) +- Debian 10 (Buster)[\*\*](#debian-10-note), 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates - Red Hat Enterprise Linux (RHEL) 7 or 6 @@ -78,6 +78,9 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 高级用户可以在一个 $35 的 Raspberry Pi 3 上搭建 VPN 服务器。详见以下教程: [1] [2]。 + +\*\* Debian 10 用户需要使用标准的 Linux 内核(而不是 "cloud" 版本)。更多信息请看 这里。 + :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! ## 安装说明 diff --git a/README.md b/README.md index b0cae9b2ce..c193fb6fe9 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ We will use Libreswan as th ## Quick start -First, prepare your Linux server[*](#quick-start-note) with a fresh install of Ubuntu LTS, Debian or CentOS. +First, prepare your Linux server[\*](#quick-start-note) with a fresh install of Ubuntu LTS, Debian or CentOS. Use this one-liner to set up an IPsec VPN server: @@ -59,7 +59,7 @@ For other installation options and how to set up VPN clients, read the sections A newly created Amazon EC2 instance, from one of these images: - Ubuntu 18.04 (Bionic) or 16.04 (Xenial) -- Debian 9 (Stretch) or 8 (Jessie) +- Debian 10 (Buster)[\*\*](#debian-10-note), 9 (Stretch) or 8 (Jessie) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates - Red Hat Enterprise Linux (RHEL) 7 or 6 @@ -78,6 +78,9 @@ This also includes Linux VMs in public clouds, such as Raspberry Pi 3. Learn more in these articles: [1] [2]. + +\*\* Debian 10 users should use the standard Linux kernel (not the "cloud" version). Read more here. + :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! ## Installation diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 6894d9fe1f..c828583e2e 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
@@ -209,6 +209,7 @@ Fedora 28 (和更新版本)和 CentOS 7 用户可以使用更高效的 [IPse * [iOS/Android 睡眠模式](#iosandroid-睡眠模式) * [iOS 13 连接问题](#ios-13-连接问题) * [Android 6 及以上版本](#android-6-及以上版本) +* [Debian 10 内核](#debian-10-内核) * [Chromebook 连接问题](#chromebook-连接问题) * [访问 VPN 服务器的网段](#访问-vpn-服务器的网段) * [其它错误](#其它错误) @@ -290,6 +291,12 @@ Android 设备在进入睡眠模式不久后也会断开 Wi-Fi 连接,如果 ![Android VPN workaround](images/vpn-profile-Android.png) +### Debian 10 内核 + +Debian 10 用户: 运行 `uname -r` 以检查你的服务器的 Linux 内核版本。如果它包含 `cloud` 字样,并且 `/dev/ppp` 不存在,则该内核缺少 `ppp` 支持从而不能使用 IPsec/L2TP 模式([IPsec/XAuth 模式](clients-xauth-zh.md) 不受影响)。 + +要解决此问题,你可以换用标准的 Linux 内核,通过安装比如 `linux-image-amd64` 软件包来实现。然后更新 GRUB 的内核默认值并重启。 + ### Chromebook 连接问题 Chromebook 用户: 如果你无法连接,请尝试以下步骤:编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。 diff --git a/docs/clients.md b/docs/clients.md index be7e878704..e2e1a56b28 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -209,6 +209,7 @@ First check Date: Fri, 6 Sep 2019 18:57:00 -0500 Subject: [PATCH 0277/1208] Update docs --- docs/clients-zh.md | 17 ++++++++++------- docs/clients.md | 17 ++++++++++------- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index c828583e2e..5c303a0064 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -202,7 +202,7 @@ Fedora 28 (和更新版本)和 CentOS 7 用户可以使用更高效的 [IPse *其他语言版本: [English](clients.md#troubleshooting), [简体中文](clients-zh.md#故障排除).* * [Windows 错误 809](#windows-错误-809) -* [Windows 错误 628](#windows-错误-628) +* [Windows 错误 628 或 766](#windows-错误-628-或-766) * [Windows 10 升级](#windows-10-升级) * [Windows 8/10 DNS 泄漏](#windows-810-dns-泄漏) * [macOS VPN 流量](#macos-vpn-流量) 
@@ -217,7 +217,7 @@ Fedora 28 (和更新版本)和 CentOS 7 用户可以使用更高效的 [IPse ### Windows 错误 809 -> 无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。 +> 错误 809:无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。 要解决此错误,在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请下载并导入下面的 `.reg` 文件,或者打开 提升权限命令提示符 并运行以下命令。**完成后必须重启计算机。** @@ -241,16 +241,19 @@ Fedora 28 (和更新版本)和 CentOS 7 用户可以使用更高效的 [IPse REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f ``` -### Windows 错误 628 +### Windows 错误 628 或 766 -> 在连接完成前,连接被远程计算机终止。 +> 错误 628:在连接完成前,连接被远程计算机终止。 -要解决此错误,请按以下步骤操作: +> 错误 766:找不到证书。使用通过 IPSec 的 L2TP 协议的连接要求安装一个机器证书。它也叫做计算机证书。 -1. 右键单击系统托盘中的无线/网络图标,选择 **打开网络和共享中心**。 +要解决这些错误,请按以下步骤操作: + +1. 右键单击系统托盘中的无线/网络图标。 +1. 选择 **打开网络和共享中心**。或者,如果你使用 Windows 10 版本 1709 或以上,选择 **打开"网络和 Internet"设置**,然后在打开的页面中单击 **网络和共享中心**。 1. 单击左侧的 **更改适配器设置**。右键单击新的 VPN 连接,并选择 **属性**。 1. 单击 **安全** 选项卡,从 **VPN 类型** 下拉菜单中选择 "使用 IPsec 的第 2 层隧道协议 (L2TP/IPSec)"。 -1. 单击 **允许使用这些协议**。确保选中 "质询握手身份验证协议 (CHAP)" 复选框。 +1. 单击 **允许使用这些协议**。选中 "质询握手身份验证协议 (CHAP)" 和 "Microsoft CHAP 版本 2 (MS-CHAP v2)" 复选框。 1. 单击 **高级设置** 按钮。 1. 单击 **使用预共享密钥作身份验证** 并在 **密钥** 字段中输入`你的 VPN IPsec PSK`。 1. 单击 **确定** 关闭 **高级设置**。 diff --git a/docs/clients.md b/docs/clients.md index e2e1a56b28..5e106bc21a 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -202,7 +202,7 @@ First check The network connection between your computer and the VPN server could not be established because the remote server is not responding. +> Error 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding. To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Download and import the `.reg` file below, or run the following from an elevated command prompt. **You must reboot your PC when finished.** 
@@ -241,16 +241,19 @@ Although uncommon, some Windows systems disable IPsec encryption, causing the co REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f ``` -### Windows Error 628 +### Windows Error 628 or 766 -> The connection was terminated by the remote computer before it could be completed. +> Error 628: The connection was terminated by the remote computer before it could be completed. -To fix this error, please follow these steps: +> Error 766: A certificate could not be found. Conenctions that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate. -1. Right-click on the wireless/network icon in system tray, select **Open Network and Sharing Center**. +To fix these errors, please follow these steps: + +1. Right-click on the wireless/network icon in your system tray. +1. Select **Open Network and Sharing Center**. Or, if using Windows 10 version 1709 or newer, select **Open Network & Internet settings**, then on the page that opens, click **Network and Sharing Center**. 1. On the left, click **Change adapter settings**. Right-click on the new VPN and choose **Properties**. 1. Click the **Security** tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for **Type of VPN**. -1. Click **Allow these protocols**. Make sure the "Challenge Handshake Authentication Protocol (CHAP)" checkbox is checked. +1. Click **Allow these protocols**. Check the "Challenge Handshake Authentication Protocol (CHAP)" and "Microsoft CHAP Version 2 (MS-CHAP v2)" checkboxes. 1. Click the **Advanced settings** button. 1. Select **Use preshared key for authentication** and enter `Your VPN IPsec PSK` for the **Key**. 1. Click **OK** to close the **Advanced settings**. From 1187cea1d7e9f2889afc2e7eacb8cb1d491a0200 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Sat, 7 Sep 2019 22:34:19 -0500 Subject: [PATCH 0278/1208] Update docs --- docs/clients.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/clients.md b/docs/clients.md index 5e106bc21a..bd18ef7a66 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -245,7 +245,7 @@ Although uncommon, some Windows systems disable IPsec encryption, causing the co > Error 628: The connection was terminated by the remote computer before it could be completed. -> Error 766: A certificate could not be found. Conenctions that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate. +> Error 766: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate. To fix these errors, please follow these steps: From 9c17bcf63a5534773262265c4adeb9bf88e88999 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 8 Sep 2019 23:49:51 -0500 Subject: [PATCH 0279/1208] Update docs --- docs/clients-zh.md | 11 ++++++++++- docs/clients.md | 11 ++++++++++- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 5c303a0064..046788db8a 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -203,6 +203,7 @@ Fedora 28 (和更新版本)和 CentOS 7 用户可以使用更高效的 [IPse * [Windows 错误 809](#windows-错误-809) * [Windows 错误 628 或 766](#windows-错误-628-或-766) +* [Windows 10 正在连接](#windows-10-正在连接) * [Windows 10 升级](#windows-10-升级) * [Windows 8/10 DNS 泄漏](#windows-810-dns-泄漏) * [macOS VPN 流量](#macos-vpn-流量) 
@@ -217,7 +218,7 @@ Fedora 28 (和更新版本)和 CentOS 7 用户可以使用更高效的 [IPse ### Windows 错误 809 -> 错误 809:无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。 +> 错误 809:无法建立计算机与 VPN 服务器之间的网络连接,因为远程服务器未响应。这可能是因为未将计算机与远程服务器之间的某种网络设备(如防火墙、NAT、路由器等)配置为允许 VPN 连接。请与管理员或服务提供商联系以确定哪种设备可能产生此问题。 要解决此错误,在首次连接之前需要修改一次注册表,以解决 VPN 服务器 和/或 客户端与 NAT (比如家用路由器)的兼容问题。请下载并导入下面的 `.reg` 文件,或者打开 提升权限命令提示符 并运行以下命令。**完成后必须重启计算机。** @@ -261,6 +262,14 @@ Fedora 28 (和更新版本)和 CentOS 7 用户可以使用更高效的 [IPse ![Select CHAP in VPN connection properties](images/vpn-properties-zh.png) +### Windows 10 正在连接 + +如果你使用 Windows 10 并且 VPN 卡在 "正在连接" 状态超过几分钟,尝试以下步骤: + +1. 右键单击系统托盘中的无线/网络图标。 +1. 选择 **打开"网络和 Internet"设置**,然后在打开的页面中单击左侧的 **VPN**。 +1. 选择新的 VPN 连接,然后单击 **连接**。如果出现提示,在登录窗口中输入 `你的 VPN 用户名` 和 `密码` ,并单击 **确定**。 + ### Windows 10 升级 在升级 Windows 10 版本之后 (比如从 1709 到 1803),你可能需要重新按照上面的 [Windows 错误 809](#windows-错误-809) 中的步骤修改注册表并重启。 diff --git a/docs/clients.md b/docs/clients.md index bd18ef7a66..99089a3058 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -203,6 +203,7 @@ First check Error 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding. +> Error 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem. To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Download and import the `.reg` file below, or run the following from an elevated command prompt. **You must reboot your PC when finished.** 
@@ -261,6 +262,14 @@ To fix these errors, please follow these steps: ![Select CHAP in VPN connection properties](images/vpn-properties.png) +### Windows 10 connecting + +If using Windows 10 and the VPN is stuck on "connecting" for more than a few minutes, try these steps: + +1. Right-click on the wireless/network icon in your system tray. +1. Select **Open Network & Internet settings**, then on the page that opens, click **VPN** on the left. +1. Select the new VPN entry, then click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. + ### Windows 10 upgrades After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix above for [Windows Error 809](#windows-error-809) and reboot. From 3353888ee908c5365a36cd7f3d25bbb0651054aa Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 22 Sep 2019 20:37:23 -0700 Subject: [PATCH 0280/1208] Set sha2-truncbug to no - This fixes VPN connection issues on iOS 13 - Android 6.x and 7.x users may require sha2-truncbug=yes. Will note this in the documentation - Fixes #638 --- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index a146f55e82..d6cf046ff5 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -239,7 +239,7 @@ conn shared ikev2=never ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2 - sha2-truncbug=yes + sha2-truncbug=no conn l2tp-psk auto=add diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 789132c03f..a64426308a 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -226,7 +226,7 @@ conn shared ikev2=never ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2 - sha2-truncbug=yes + sha2-truncbug=no conn l2tp-psk auto=add From 60716c065456ac4b2f17827792c00aeeb639c117 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 22 Sep 2019 20:46:24 -0700 Subject: [PATCH 0281/1208] Update docs --- README-zh.md | 4 +++- README.md | 4 +++- docs/clients-xauth-zh.md | 2 +- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 26 +++++++++++++------------- docs/clients.md | 26 +++++++++++++------------- 6 files changed, 34 insertions(+), 30 deletions(-) diff --git a/README-zh.md b/README-zh.md index f3b0bb5ff0..dfc18088b7 100644 --- a/README-zh.md +++ b/README-zh.md @@ -146,7 +146,9 @@ sh vpnsetup.sh *其他语言版本: [English](README.md#important-notes), [简体中文](README-zh.md#重要提示).* -**Windows 用户** 在首次连接之前需要修改注册表,以解决 VPN 服务器 和/或 客户端与 NAT(比如家用路由器)的兼容问题。 +**Windows 用户** 在首次连接之前需要修改注册表,以解决 VPN 服务器和/或客户端与 NAT(比如家用路由器)的兼容问题。 + +**Android 6 和 7 用户**:如果你遇到连接问题,请尝试 这些步骤。 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。 diff --git a/README.md b/README.md index c193fb6fe9..e0fe8d2b44 100644 --- a/README.md +++ b/README.md 
@@ -146,7 +146,9 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: *Read this in other languages: [English](README.md#important-notes), [简体中文](README-zh.md#重要提示).* -For **Windows users**, this one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). +**Windows users**: This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). + +**Android 6 and 7 users**: If you encounter connection issues, try these steps. The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index 7c22abe663..f65795b598 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -65,7 +65,7 @@ VPN 连接成功后,你会在 VPN Connect 状态窗口中看到 **tunnel enabl ## Android 1. 启动 **设置** 应用程序。 -1. 在 **无线和网络** 部分单击 **更多...**。 +1. 单击 **网络和互联网**。或者,如果你使用 Android 7 或更早版本,在 **无线和网络** 部分单击 **更多...**。 1. 单击 **VPN**。 1. 单击 **添加VPN配置文件** 或窗口右上角的 **+**。 1. 在 **名称** 字段中输入任意内容。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index cf3aaec7d1..d59c0d9a11 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md 
@@ -65,7 +65,7 @@ If you get an error when trying to connect, see 故意设计的 并且不能被配置。如果你需要 VPN 在设备唤醒后自动重连,可以另外尝试使用 OpenVPN,它支持 一些选项 比如 "Reconnect on Wakeup" 和 "Seamless Tunnel"。 +如果你的 Android 6.x 或者 7.x 设备无法连接,请尝试以下步骤: -Android 设备在进入睡眠模式不久后也会断开 Wi-Fi 连接,如果你没有启用选项 "睡眠期间保持 WLAN 开启" 的话。该选项在 Android 8 (Oreo) 中不再可用。 另外,你也可以尝试打开 "始终开启 VPN" 选项以保持连接。详情请看 这里。 +1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在(看下图),请启用它并重试连接。如果不存在,请尝试下一步。 +1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug` 一行并切换它的值。也就是说,将 `sha2-truncbug=no` 替换为 `sha2-truncbug=yes`,或者将 `sha2-truncbug=yes` 替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。然后重新连接 VPN。 -### iOS 13 连接问题 +![Android VPN workaround](images/vpn-profile-Android.png) -如果你的 iOS 13 设备 (iPhone/iPad) 可以连接到 VPN 但是不能上网,请尝试以下步骤:编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。 +### iOS 13 和 macOS 10.15 -### Android 6 及以上版本 +如果你的 iOS 13 或者 macOS 10.15 (Catalina) 设备无法连接,请尝试以下步骤:编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。然后重新连接 VPN。 -如果你无法使用 Android 6 或以上版本连接: +### iOS/Android 睡眠模式 -1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在(看下图),请启用它并重试连接。如果不存在,请尝试下一步。 -1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart` (参见) +为了节约电池,iOS 设备 (iPhone/iPad) 在屏幕变黑(睡眠模式)之后不久就会自动断开 Wi-Fi 连接。这会导致 IPsec VPN 断开。该行为是被 故意设计的 并且不能被配置。如果你需要 VPN 在设备唤醒后自动重连,可以另外尝试使用 OpenVPN,它支持 一些选项 比如 "Reconnect on Wakeup" 和 "Seamless Tunnel"。 -![Android VPN workaround](images/vpn-profile-Android.png) +Android 设备在进入睡眠模式不久后也会断开 Wi-Fi 连接,如果你没有启用选项 "睡眠期间保持 WLAN 开启" 的话。该选项在 Android 8 (Oreo) 中不再可用。 另外,你也可以尝试打开 "始终开启 VPN" 选项以保持连接。详情请看 这里。 ### Debian 10 内核 diff --git a/docs/clients.md b/docs/clients.md index 99089a3058..b2e7803555 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -106,7 +106,7 @@ If you get an error when trying to connect, see Troub ## Android 1. Launch the **Settings** application. -1. Tap **More...** in the **Wireless & Networks** section. +1. Tap "Network & internet". Or, if using Android 7 or earlier, tap **More...** in the **Wireless & networks** section. 1. Tap **VPN**. 1. Tap **Add VPN Profile** or the **+** icon at top-right of screen. 1. Enter anything you like in the **Name** field. 
@@ -207,9 +207,9 @@ First check by design and cannot be configured. If you need the VPN to auto-reconnect when the device wakes up, try OpenVPN instead, which has support for options such as "Reconnect on Wakeup" and "Seamless Tunnel". +If your Android 6.x or 7.x device cannot connect, try these steps: -Android devices will also disconnect Wi-Fi shortly after entering sleep mode, unless the option "Keep Wi-Fi on during sleep" is enabled. This option is no longer available in Android 8 (Oreo). Alternatively, you may try enabling the "Always-on VPN" option to stay connected. Learn more here. +1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. If not, try the next step. +1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug` and toggle its value. i.e. Replace `sha2-truncbug=no` with `sha2-truncbug=yes`, or replace `sha2-truncbug=yes` with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. Then reconnect the VPN. -### iOS 13 connection issues +![Android VPN workaround](images/vpn-profile-Android.png) -If your iOS 13 device (iPhone/iPad) can connect to the VPN but cannot access the Internet, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. +### iOS 13 and macOS 10.15 -### Android 6 and above +If your iOS 13 or macOS 10.15 (Catalina) device cannot connect, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. Then reconnect the VPN. -If you are unable to connect using Android 6 or above: +### iOS/Android sleep mode -1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. 
If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. If not, try the next step. -1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart` (Ref). +To save battery, iOS devices (iPhone/iPad) will automatically disconnect Wi-Fi shortly after the screen turns off (sleep mode). As a result, the IPsec VPN disconnects. This behavior is by design and cannot be configured. If you need the VPN to auto-reconnect when the device wakes up, try OpenVPN instead, which has support for options such as "Reconnect on Wakeup" and "Seamless Tunnel". -![Android VPN workaround](images/vpn-profile-Android.png) +Android devices will also disconnect Wi-Fi shortly after entering sleep mode, unless the option "Keep Wi-Fi on during sleep" is enabled. This option is no longer available in Android 8 (Oreo). Alternatively, you may try enabling the "Always-on VPN" option to stay connected. Learn more here. ### Debian 10 kernel From 99e194e683ca3dda2e67a462f657bd49b3f36aef Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 1 Nov 2019 13:31:23 -0700 Subject: [PATCH 0282/1208] Add CentOS 8 - Add support for CentOS/RHEL 8 --- extras/vpnupgrade_centos.sh | 19 ++++++++++++++----- vpnsetup_centos.sh | 24 ++++++++++++++++-------- 2 files changed, 30 insertions(+), 13 deletions(-) diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index a5c51e3f7d..5f494e3c22 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -22,8 +22,8 @@ exiterr2() { exiterr "'yum install' failed."; } vpnupgrade() { -if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then - exiterr "This script only supports CentOS/RHEL 6 and 7." +if ! grep -qs -e "release 6" -e "release 7" -e "release 8" /etc/redhat-release; then + exiterr "This script only supports CentOS/RHEL 6, 7 and 8." fi if [ -f /proc/user_beancounters ]; then 
@@ -172,17 +172,26 @@ yum -y install epel-release || yum -y install "$epel_url" || exiterr2 # Install necessary packages yum -y install nss-devel nspr-devel pkgconfig pam-devel \ - libcap-ng-devel libselinux-devel curl-devel \ - flex bison gcc make wget sed || exiterr2 + libcap-ng-devel libselinux-devel curl-devel nss-tools \ + flex bison gcc make wget sed tar || exiterr2 REPO1='--enablerepo=*server-optional*' REPO2='--enablerepo=*releases-optional*' +REPO3='--enablerepo=PowerTools' + if grep -qs "release 6" /etc/redhat-release; then yum -y remove libevent-devel yum "$REPO1" "$REPO2" -y install libevent2-devel fipscheck-devel || exiterr2 -else +elif grep -qs "release 7" /etc/redhat-release; then yum -y install systemd-devel || exiterr2 yum "$REPO1" "$REPO2" -y install libevent-devel fipscheck-devel || exiterr2 +else + if [ -f /usr/sbin/subscription-manager ]; then + subscription-manager repos --enable "codeready-builder-for-rhel-8-*-rpms" + yum -y install systemd-devel libevent-devel fipscheck-devel || exiterr2 + else + yum "$REPO3" -y install systemd-devel libevent-devel fipscheck-devel || exiterr2 + fi fi # Compile and install Libreswan diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index a64426308a..b0ab813801 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Script for automatic setup of an IPsec VPN server on CentOS/RHEL 6 and 7. +# Script for automatic setup of an IPsec VPN server on CentOS/RHEL 6, 7 and 8. # Works on any dedicated server or virtual private server (VPS) except OpenVZ. # # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! @@ -48,8 +48,8 @@ check_ip() { vpnsetup() { -if ! grep -qs -e "release 6" -e "release 7" /etc/redhat-release; then - exiterr "This script only supports CentOS/RHEL 6 and 7." +if ! grep -qs -e "release 6" -e "release 7" -e "release 8" /etc/redhat-release; then + exiterr "This script only supports CentOS/RHEL 6, 7 and 8." fi if [ -f /proc/user_beancounters ]; then 
@@ -111,7 +111,7 @@ cd /opt/src || exit 1 bigecho "Installing packages required for setup..." -yum -y install wget bind-utils openssl \ +yum -y install wget bind-utils openssl tar \ iptables iproute gawk grep sed net-tools || exiterr2 bigecho "Trying to auto discover IP of this server..." @@ -139,9 +139,10 @@ bigecho "Installing packages required for the VPN..." REPO1='--enablerepo=epel' REPO2='--enablerepo=*server-optional*' REPO3='--enablerepo=*releases-optional*' +REPO4='--enablerepo=PowerTools' yum -y install nss-devel nspr-devel pkgconfig pam-devel \ - libcap-ng-devel libselinux-devel curl-devel \ + libcap-ng-devel libselinux-devel curl-devel nss-tools \ flex bison gcc make ppp || exiterr2 yum "$REPO1" -y install xl2tpd || exiterr2 @@ -149,9 +150,16 @@ yum "$REPO1" -y install xl2tpd || exiterr2 if grep -qs "release 6" /etc/redhat-release; then yum -y remove libevent-devel yum "$REPO2" "$REPO3" -y install libevent2-devel fipscheck-devel || exiterr2 -else +elif grep -qs "release 7" /etc/redhat-release; then yum -y install systemd-devel iptables-services || exiterr2 yum "$REPO2" "$REPO3" -y install libevent-devel fipscheck-devel || exiterr2 +else + if [ -f /usr/sbin/subscription-manager ]; then + subscription-manager repos --enable "codeready-builder-for-rhel-8-*-rpms" + yum -y install systemd-devel iptables-services libevent-devel fipscheck-devel || exiterr2 + else + yum "$REPO4" -y install systemd-devel iptables-services libevent-devel fipscheck-devel || exiterr2 + fi fi bigecho "Installing Fail2Ban to protect SSH..." 
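Review bot: In the new release 8 `else` branch, `subscription-manager repos --enable "codeready-builder-for-rhel-8-*-rpms"` has no `|| exiterr2`, unlike the `yum install` calls around it, so a failed repo enable is ignored and only shows up afterwards as the generic "'yum install' failed." message. The branch also treats the existence of `/usr/sbin/subscription-manager` as meaning RHEL; a CentOS 8 host that has that package installed would take this path and never get `--enablerepo=PowerTools`. Testing `/etc/redhat-release` for the distribution name would be more direct, and the same applies to the matching hunk in `extras/vpnupgrade_centos.sh`.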
@@ -441,8 +449,8 @@ chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* # Apply new IPTables rules iptables-restore < "$IPT_FILE" -# Fix xl2tpd on CentOS 7, if kernel module "l2tp_ppp" is unavailable -if grep -qs "release 7" /etc/redhat-release; then +# Fix xl2tpd on CentOS 7/8, if kernel module "l2tp_ppp" is unavailable +if grep -qs -e "release 7" -e "release 8" /etc/redhat-release; then if ! modprobe -q l2tp_ppp; then sed -i '/^ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service systemctl daemon-reload From 3858040f55b960bca08933fbc0f640bcb184cba2 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 1 Nov 2019 16:15:29 -0700 Subject: [PATCH 0283/1208] Update docs --- README-zh.md | 17 ++++++++++------- README.md | 17 ++++++++++------- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/README-zh.md b/README-zh.md index dfc18088b7..6a93640501 100644 --- a/README-zh.md +++ b/README-zh.md @@ -53,16 +53,17 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh - 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持 - 可直接作为 Amazon EC2 实例创建时的用户数据使用 - 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能 -- 已测试: Ubuntu 18.04/16.04, Debian 9/8 和 CentOS 7/6 +- 已测试: Ubuntu 18.04/16.04, Debian 10/9/8 和 CentOS 8/7/6 ## 系统要求 一个新创建的 Amazon EC2 实例,使用这些映像之一: - Ubuntu 18.04 (Bionic) or 16.04 (Xenial) -- Debian 10 (Buster)[\*\*](#debian-10-note), 9 (Stretch) or 8 (Jessie) +- Debian 10 (Buster)[\*](#debian-10-note), 9 (Stretch) or 8 (Jessie) +- [CentOS 8 (x86_64) with Updates](#系统要求) [\*\*](#centos-8-note) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates -- Red Hat Enterprise Linux (RHEL) 7 or 6 +- Red Hat Enterprise Linux (RHEL) 8, 7 or 6 请参见 详细步骤 以及 EC2 定价细节。 
@@ -72,14 +73,16 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Cloud, OVHRackspace。 -Deploy to Azure Install on DigitalOcean Deploy to Linode +Deploy to Azure Install on DigitalOcean Deploy to Linode **» 我想建立并使用自己的 VPN ,但是没有可用的服务器** -高级用户可以在一个 $35 的 Raspberry Pi 3 上搭建 VPN 服务器。详见以下教程: [1] [2]。 +高级用户可以在一个 $35 的 Raspberry Pi 上搭建 VPN 服务器。参见 [1] [2] -\*\* Debian 10 用户需要使用标准的 Linux 内核(而不是 "cloud" 版本)。更多信息请看 这里。 +\* Debian 10 用户需要使用标准的 Linux 内核(而不是 "cloud" 版本)。更多信息请看 这里。 + +\*\* CentOS 8 暂时没有官方的 EC2 映像。 :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! @@ -158,7 +161,7 @@ sh vpnsetup.sh 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`,然后重启服务器。高级用户可以在运行 VPN 脚本时定义 `VPN_DNS_SRV1` 和 `VPN_DNS_SRV2`(可选)。 -使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart`。 +使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 10/9 和 CentOS 8/7/6. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart`。 如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。 diff --git a/README.md b/README.md index e0fe8d2b44..741e6a6aab 100644 --- a/README.md +++ b/README.md 
@@ -53,16 +53,17 @@ For other installation options and how to set up VPN clients, read the sections - Encapsulates all VPN traffic in UDP - does not need ESP protocol - Can be directly used as "user-data" for a new Amazon EC2 instance - Includes `sysctl.conf` optimizations for improved performance -- Tested with Ubuntu 18.04/16.04, Debian 9/8 and CentOS 7/6 +- Tested with Ubuntu 18.04/16.04, Debian 10/9/8 and CentOS 8/7/6 ## Requirements A newly created Amazon EC2 instance, from one of these images: - Ubuntu 18.04 (Bionic) or 16.04 (Xenial) -- Debian 10 (Buster)[\*\*](#debian-10-note), 9 (Stretch) or 8 (Jessie) +- Debian 10 (Buster)[\*](#debian-10-note), 9 (Stretch) or 8 (Jessie) +- [CentOS 8 (x86_64) with Updates](#requirements) [\*\*](#centos-8-note) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates -- Red Hat Enterprise Linux (RHEL) 7 or 6 +- Red Hat Enterprise Linux (RHEL) 8, 7 or 6 Please see detailed instructions and EC2 pricing. @@ -72,14 +73,16 @@ A dedicated server or KVM/Xen-based virtual private server (VPS), freshly instal This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Cloud, OVH and Rackspace. -Deploy to Azure Install on DigitalOcean Deploy to Linode +Deploy to Azure Install on DigitalOcean Deploy to Linode **» I want to run my own VPN but don't have a server for that** -Advanced users can set up the VPN server on a $35 Raspberry Pi 3. Learn more in these articles: [1] [2]. +Advanced users can set up the VPN server on a $35 Raspberry Pi. See [1] [2]. -\*\* Debian 10 users should use the standard Linux kernel (not the "cloud" version). Read more here. +\* Debian 10 users should use the standard Linux kernel (not the "cloud" version). Read more here. + +\*\* CentOS 8 does not yet have an official EC2 image. :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! 
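Review bot: The added footnote `\*\* CentOS 8 does not yet have an official EC2 image.` contradicts the place the entry was added in the previous hunk, the list introduced by "A newly created Amazon EC2 instance, from one of these images". Move CentOS 8 to the dedicated server / VPS paragraph, or reword the list heading, so that EC2 readers are not sent looking for an image the footnote says does not exist.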
@@ -158,7 +161,7 @@ If you wish to add, edit or remove VPN user accounts, see Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. Advanced users can define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script. -Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 9 and CentOS 7/6. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`. +Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 10/9 and CentOS 8/7/6. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`. To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server. From 3b6a61481fa5a439e37f0f7ff2b3e76ea2566275 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 1 Nov 2019 21:34:56 -0700 Subject: [PATCH 0284/1208] Fix Azure deploy - Fix handling of special characters in the Azure deployment config by quoting the VPN parameters - Fixes #644. Thanks @turbozapekanka for the report! --- azure/README-zh.md | 2 ++ azure/README.md | 2 ++ azure/azuredeploy.json | 3 ++- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/azure/README-zh.md b/azure/README-zh.md index 19b8e4170d..de2943f4db 100644 --- a/azure/README-zh.md +++ b/azure/README-zh.md @@ -12,6 +12,8 @@ - Operating System Image (操作系统镜像,Debian 9 或 Ubuntu 16.04 LTS) - Virtual Machine Size (虚拟机大小,默认值: Standard_B1s) +**注:** \*不要\* 在值中使用这些字符: `\ " '` + 请单击以下按钮开始: diff --git a/azure/README.md b/azure/README.md index 2ad6bb7346..d10c0743bb 100644 --- a/azure/README.md +++ b/azure/README.md 
@@ -12,6 +12,8 @@ Customizable with the following options: - Operating System Image (Debian 9 or Ubuntu 16.04 LTS) - Virtual Machine Size (Default: Standard_B1s) +**Note:** DO NOT use these special characters within values: `\ " '` + Press this button to start: diff --git a/azure/azuredeploy.json b/azure/azuredeploy.json index 2f67031e5e..ca7a75532e 100644 --- a/azure/azuredeploy.json +++ b/azure/azuredeploy.json @@ -47,6 +47,7 @@ } }, "variables": { + "quote": "'", "location": "[resourceGroup().location]", "vmName": "vpnserver", "virtualNetworkName": "vpnVnet", @@ -71,7 +72,7 @@ "version": "latest" }, "installScriptURL": "https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/azure/install.sh", - "installCommand": "[concat('sh install.sh ', parameters('preSharedKey'), ' ', parameters('username'), ' ', parameters('password'))]" + "installCommand": "[concat('sh install.sh ', variables('quote'), parameters('preSharedKey'), variables('quote'), ' ', variables('quote'), parameters('username'), variables('quote'), ' ', variables('quote'), parameters('password'), variables('quote'))]" }, "resources": [ { From f1a002d1395a01c5d7b313a49ad0c19deb585cda Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 1 Nov 2019 21:47:15 -0700 Subject: [PATCH 0285/1208] Update Azure config - Add Ubuntu 18.04 to OS options --- azure/README-zh.md | 2 +- azure/README.md | 2 +- azure/azuredeploy.json | 9 ++++++++- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/azure/README-zh.md b/azure/README-zh.md index de2943f4db..ef79aaa4e2 100644 --- a/azure/README-zh.md +++ b/azure/README-zh.md @@ -9,7 +9,7 @@ - Username for VPN and SSH (用户名) - Password for VPN and SSH (密码) - IPsec Pre-Shared Key for VPN (IPsec 预共享密钥) - - Operating System Image (操作系统镜像,Debian 9 或 Ubuntu 16.04 LTS) + - Operating System Image (操作系统镜像,Debian 9 或 Ubuntu 18.04/16.04 LTS) - Virtual Machine Size (虚拟机大小,默认值: Standard_B1s) **注:** \*不要\* 在值中使用这些字符: `\ " '` 
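Review bot: In azure/azuredeploy.json (PATCH 0284) the new `installCommand` wraps each parameter in `variables('quote')`, but a value that itself contains `'` closes the quoting, and the remainder of the value is then parsed by the shell as part of `sh install.sh ...`. The only guard is the README line "DO NOT use these special characters within values", which nothing in the template enforces. Escape the quote inside the template, for example with the ARM `replace()` function turning each `'` into `'\''` before `concat`, or pass the three values base64-encoded and decode them in install.sh, so that a quote in a password is treated as data. The pre-shared key and password also travel as command-line arguments to `install.sh`; if that stays, the README should say so.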
diff --git a/azure/README.md b/azure/README.md index d10c0743bb..499ff60ddc 100644 --- a/azure/README.md +++ b/azure/README.md @@ -9,7 +9,7 @@ Customizable with the following options: - Username for VPN and SSH - Password for VPN and SSH - IPsec Pre-Shared Key for VPN - - Operating System Image (Debian 9 or Ubuntu 16.04 LTS) + - Operating System Image (Debian 9 or Ubuntu 18.04/16.04 LTS) - Virtual Machine Size (Default: Standard_B1s) **Note:** DO NOT use these special characters within values: `\ " '` diff --git a/azure/azuredeploy.json b/azure/azuredeploy.json index ca7a75532e..38fbec2db7 100644 --- a/azure/azuredeploy.json +++ b/azure/azuredeploy.json @@ -24,12 +24,13 @@ "image": { "type": "string", "allowedValues": [ + "ubuntu1804", "ubuntu1604", "debian9" ], "defaultValue": "debian9", "metadata": { - "description": "OS to use. Debian 9 or Ubuntu 16.04 LTS" + "description": "OS to use. Debian 9 or Ubuntu 18.04/16.04 LTS" } }, "VMSize": { @@ -59,6 +60,12 @@ "vhdStorageType": "Standard_LRS", "vnetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]", "SubnetRef": "[concat(variables('vnetId'), '/subnets/', variables('subnetName'))]", + "ubuntu1804": { + "publisher": "Canonical", + "offer": "UbuntuServer", + "sku": "18.04-LTS", + "version": "latest" + }, "ubuntu1604": { "publisher": "Canonical", "offer": "UbuntuServer", From b01471bf2f79868eb03b474ff0bf49da6b46121b Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 10 Nov 2019 15:51:28 -0800 Subject: [PATCH 0286/1208] Update Azure config - Add Standard_B1ls to VM size options --- azure/azuredeploy.json | 1 + 1 file changed, 1 insertion(+) diff --git a/azure/azuredeploy.json b/azure/azuredeploy.json index 38fbec2db7..455aadb351 100644 --- a/azure/azuredeploy.json +++ b/azure/azuredeploy.json @@ -37,6 +37,7 @@ "type": "string", "defaultValue": "Standard_B1s", "allowedValues": [ + "Standard_B1ls", "Standard_B1s", "Standard_B1ms", "Standard_B2s", 
From 0dfe0d302192e95de370bc018817684965911cd0 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 10 Nov 2019 17:23:12 -0800 Subject: [PATCH 0287/1208] Update IKEv2 docs - Add new IKEv2 instructions for Android 10 Ref: https://wiki.strongswan.org/issues/3196 - Change certificate validity period to 120 months --- docs/ikev2-howto-zh.md | 36 +++++++++++++++++++++++++++++------- docs/ikev2-howto.md | 36 +++++++++++++++++++++++++++++------- 2 files changed, 58 insertions(+), 14 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 65551ef6aa..d6e9ea237c 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -111,13 +111,13 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: - **注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 36"。 + **注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 120"。 ```bash certutil -z <(head -c 1024 /dev/urandom) \ -S -x -n "IKEv2 VPN CA" \ -s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \ - -k rsa -g 4096 -v 36 \ + -k rsa -g 4096 -v 120 \ -d sql:/etc/ipsec.d -t "CT,," -2 ``` @@ -137,7 +137,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 certutil -z <(head -c 1024 /dev/urandom) \ -S -c "IKEv2 VPN CA" -n "$PUBLIC_IP" \ -s "O=IKEv2 VPN,CN=$PUBLIC_IP" \ - -k rsa -g 4096 -v 36 \ + -k rsa -g 4096 -v 120 \ -d sql:/etc/ipsec.d -t ",," \ --keyUsage digitalSignature,keyEncipherment \ --extKeyUsage serverAuth \ @@ -154,7 +154,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 certutil -z <(head -c 1024 /dev/urandom) \ -S -c "IKEv2 VPN CA" -n "vpnclient" \ -s "O=IKEv2 VPN,CN=vpnclient" \ - -k rsa -g 4096 -v 36 \ + -k rsa -g 4096 -v 120 \ -d sql:/etc/ipsec.d -t ",," \ --keyUsage digitalSignature,keyEncipherment \ --extKeyUsage serverAuth,clientAuth -8 "vpnclient" 
@@ -213,6 +213,12 @@ VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你 **注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须在 **服务器地址** 和 **远程 ID** 字段中输入该域名。 +* [Windows 7, 8.x 和 10](#windows-7-8x-和-10) +* [OS X (macOS)](#os-x-macos) +* [Android 10 和更新版本](#android-10-和更新版本) +* [Android 4.x to 9.x](#android-4x-to-9x) +* [iOS (iPhone/iPad)](#ios-iphoneipad) + ### Windows 7, 8.x 和 10 1. 将文件 `vpnclient.p12` 安全地传送到你的计算机,然后导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 @@ -249,15 +255,31 @@ VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你 1. 单击 **应用** 保存VPN连接信息。 1. 单击 **连接**。 -### Android 4.x 和更新版本 +### Android 10 和更新版本 + +1. 将文件 `vpnclient.p12` 安全地传送到你的 Android 设备。 +1. 从 **Google Play** 安装 strongSwan VPN 客户端。 +1. 启动 **设置** 应用程序。 +1. 进入 安全 -> 高级 -> 加密与凭据。 +1. 单击 **从存储设备(或 SD 卡)安装**。 +1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 + **注:** 要查找 `.p12` 文件,单击左上角的抽拉式菜单,然后单击你的设备名称。 +1. 启动 strongSwan VPN 客户端,然后单击 **Add VPN Profile**。 +1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 +1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 +1. 单击 **Select user certificate**,选择你的新 VPN 客户端证书并确认。 +1. 保存新的 VPN 连接,然后单击它以开始连接。 + +### Android 4.x to 9.x 1. 将文件 `vpnclient.p12` 安全地传送到你的 Android 设备。 1. 从 **Google Play** 安装 strongSwan VPN 客户端。 -1. 打开 VPN 客户端,然后单击 **Add VPN Profile**。 +1. 启动 strongSwan VPN 客户端,然后单击 **Add VPN Profile**。 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 1. 单击 **Select user certificate**,然后单击 **Install certificate**。 -1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 +1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 + **注:** 要查找 `.p12` 文件,单击左上角的抽拉式菜单,然后单击你的设备名称。 1. 保存新的 VPN 连接,然后单击它以开始连接。 ### iOS (iPhone/iPad) diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 3c4d9d7801..eef7ed44e3 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -111,13 +111,13 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo 1. Generate Certificate Authority (CA) and VPN server certificates: - **Note:** Specify the certificate validity period (in months) with "-v". e.g. "-v 36". + **Note:** Specify the certificate validity period (in months) with "-v". e.g. "-v 120". ```bash certutil -z <(head -c 1024 /dev/urandom) \ -S -x -n "IKEv2 VPN CA" \ -s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \ - -k rsa -g 4096 -v 36 \ + -k rsa -g 4096 -v 120 \ -d sql:/etc/ipsec.d -t "CT,," -2 ``` @@ -137,7 +137,7 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo certutil -z <(head -c 1024 /dev/urandom) \ -S -c "IKEv2 VPN CA" -n "$PUBLIC_IP" \ -s "O=IKEv2 VPN,CN=$PUBLIC_IP" \ - -k rsa -g 4096 -v 36 \ + -k rsa -g 4096 -v 120 \ -d sql:/etc/ipsec.d -t ",," \ --keyUsage digitalSignature,keyEncipherment \ --extKeyUsage serverAuth \ @@ -154,7 +154,7 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo certutil -z <(head -c 1024 /dev/urandom) \ -S -c "IKEv2 VPN CA" -n "vpnclient" \ -s "O=IKEv2 VPN,CN=vpnclient" \ - -k rsa -g 4096 -v 36 \ + -k rsa -g 4096 -v 120 \ -d sql:/etc/ipsec.d -t ",," \ --keyUsage digitalSignature,keyEncipherment \ --extKeyUsage serverAuth,clientAuth -8 "vpnclient" 
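Review bot: All three `certutil` commands in docs/ikev2-howto.md (CA, server and `vpnclient`) move from `-v 36` to `-v 120`, so the client certificate exported to `vpnclient.p12` is now valid for ten years, the same lifetime as the CA that signed it. The Note only shows `-v 120` as the example value; state why 120 months is the recommended default, and consider keeping a shorter `-v` for the `vpnclient` certificate, since that file is copied to phones and laptops and nothing in these steps covers revoking a lost one.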
@@ -213,6 +213,12 @@ The IKEv2 setup on the VPN server is now complete. Follow instructions below to **Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must enter the DNS name in the **Server** and **Remote ID** fields. +* [Windows 7, 8.x and 10](#windows-7-8x-and-10) +* [OS X (macOS)](#os-x-macos) +* [Android 10 and newer](#android-10-and-newer) +* [Android 4.x to 9.x](#android-4x-to-9x) +* [iOS (iPhone/iPad)](#ios-iphoneipad) + ### Windows 7, 8.x and 10 1. Securely transfer `vpnclient.p12` to your computer, then import it into the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". 
@@ -249,15 +255,31 @@ First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your Mac, then 1. Click **Apply** to save the VPN connection information. 1. Click **Connect**. -### Android 4.x and newer +### Android 10 and newer + +1. Securely transfer `vpnclient.p12` to your Android device. +1. Install strongSwan VPN Client from **Google Play**. +1. Launch the **Settings** application. +1. Go to Security -> Advanced -> Encryption & credentials. +1. Tap **Install from storage (or SD card)**. +1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. + **Note:** To find the `.p12` file, click on the three-line menu button, then click on your device name. +1. Launch the strongSwan VPN client and tap **Add VPN Profile**. +1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field. +1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. +1. Tap **Select user certificate**, select your new VPN client certificate and confirm. +1. Save the new VPN connection, then tap to connect. + +### Android 4.x to 9.x 1. Securely transfer `vpnclient.p12` to your Android device. 1. Install strongSwan VPN Client from **Google Play**. -1. Launch the VPN client and tap **Add VPN Profile**. +1. Launch the strongSwan VPN client and tap **Add VPN Profile**. 1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field. 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. 1. Tap **Select user certificate**, then tap **Install certificate**. -1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. +1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. + **Note:** To find the `.p12` file, click on the three-line menu button, then click on your device name. 1. Save the new VPN connection, then tap to connect. ### iOS (iPhone/iPad) From 4b28ce5de91e75efdbbccb6f5992e3d9458560c1 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Sun, 10 Nov 2019 19:32:29 -0800 Subject: [PATCH 0288/1208] Update IKEv2 docs - Update macOS and iOS IKEv2 instructions --- docs/ikev2-howto-zh.md | 16 +++++++++++----- docs/ikev2-howto.md | 16 +++++++++++----- 2 files changed, 22 insertions(+), 10 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index d6e9ea237c..6c9915556c 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -178,7 +178,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 **注:** 如需同时连接多个客户端,则必须为每个客户端生成唯一的证书。 -1. (适用于 macOS 和 iOS 客户端) 导出 CA 证书到 `vpnca.cer`: +1. (适用于 iOS 客户端) 导出 CA 证书到 `vpnca.cer`: ```bash certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o vpnca.cer @@ -217,7 +217,7 @@ VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你 * [OS X (macOS)](#os-x-macos) * [Android 10 和更新版本](#android-10-和更新版本) * [Android 4.x to 9.x](#android-4x-to-9x) -* [iOS (iPhone/iPad)](#ios-iphoneipad) +* [iOS (iPhone/iPad)](#ios) ### Windows 7, 8.x 和 10 @@ -236,7 +236,7 @@ VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你 ### OS X (macOS) -首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 安全地传送到你的 Mac,然后双击它们并逐个导入到 **钥匙串访问** 中的 **登录** 钥匙串。下一步,双击刚才导入的 `IKEv2 VPN CA` 证书,展开 **信任** 并从 **IP 安全 (IPsec)** 下拉菜单中选择 **始终信任**。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在 **登录** 钥匙串 的 **证书** 类别中。 +首先,将文件 `vpnclient.p12` 安全地传送到你的 Mac,然后双击以导入到 **钥匙串访问** 中的 **登录** 钥匙串。下一步,双击导入的 `IKEv2 VPN CA` 证书,展开 **信任** 并从 **IP 安全 (IPsec)** 下拉菜单中选择 **始终信任**。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在 **登录** 钥匙串 的 **证书** 类别中。 1. 打开系统偏好设置并转到网络部分。 1. 在窗口左下角单击 **+** 按钮。 
@@ -282,9 +282,15 @@ VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你 **注:** 要查找 `.p12` 文件,单击左上角的抽拉式菜单,然后单击你的设备名称。 1. 保存新的 VPN 连接,然后单击它以开始连接。 -### iOS (iPhone/iPad) +### iOS -首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。你可以使用 AirDrop (隔空投送)来传输文件。或者,你也可以将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 +首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。要传送文件,你可以使用: + +1. AirDrop (隔空投送),或者 +1. 将文件上传到设备,在 "文件" 应用程序中单击它们,然后到 "设置" 中导入,或者 +1. 将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。 + +在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 1. 进入设置 -> 通用 -> VPN。 1. 单击 **添加VPN配置...**。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index eef7ed44e3..22b8d3ec31 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -178,7 +178,7 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo **Note:** To connect multiple VPN clients simultaneously, you must generate a unique certificate for each. -1. (For macOS and iOS clients) Export the CA certificate as `vpnca.cer`: +1. (For iOS clients) Export the CA certificate as `vpnca.cer`: ```bash certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o vpnca.cer @@ -217,7 +217,7 @@ The IKEv2 setup on the VPN server is now complete. Follow instructions below to * [OS X (macOS)](#os-x-macos) * [Android 10 and newer](#android-10-and-newer) * [Android 4.x to 9.x](#android-4x-to-9x) -* [iOS (iPhone/iPad)](#ios-iphoneipad) +* [iOS (iPhone/iPad)](#ios) ### Windows 7, 8.x and 10 
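Review bot: In the contents list of docs/ikev2-howto.md the entry keeps the text "iOS (iPhone/iPad)" while its target changes to `#ios`, following the heading that this patch renames to "### iOS". Rename the link text as well so the contents list and the heading agree; the same applies to the matching line in docs/ikev2-howto-zh.md.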
@@ -236,7 +236,7 @@ The IKEv2 setup on the VPN server is now complete. Follow instructions below to ### OS X (macOS) -First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your Mac, then double-click to import them one by one into the **login** keychain in **Keychain Access**. Next, double-click on the imported `IKEv2 VPN CA` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu. When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under the **Certificates** category of **login** keychain. +First, securely transfer `vpnclient.p12` to your Mac, then double-click to import into the **login** keychain in **Keychain Access**. Next, double-click on the imported `IKEv2 VPN CA` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu. When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under the **Certificates** category of **login** keychain. 1. Open System Preferences and go to the Network section. 1. Click the **+** button in the lower-left corner of the window. 
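Review bot: The macOS paragraph now transfers only `vpnclient.p12`, yet the following sentence still tells the reader to double-click "the imported `IKEv2 VPN CA` certificate" and to check that both `vpnclient` and `IKEv2 VPN CA` are listed; with `vpnca.cer` dropped, nothing says where that CA certificate comes from. Add a clause stating that importing `vpnclient.p12` also brings in the CA certificate (if that is the intent), so a reader who sees only `vpnclient` in the keychain knows the import did not complete.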
@@ -282,9 +282,15 @@ First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your Mac, then **Note:** To find the `.p12` file, click on the three-line menu button, then click on your device name. 1. Save the new VPN connection, then tap to connect. -### iOS (iPhone/iPad) +### iOS -First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your iOS device, then import them one by one as iOS profiles. To transfer the files, you may use AirDrop. Alternatively, host the files on a secure website of yours, then download and import them in Mobile Safari. When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under Settings -> General -> Profiles. +First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your iOS device, then import them one by one as iOS profiles. To transfer the files, you may use: + +1. AirDrop, or +1. Upload the files to your device, tap them in the "Files" app, then go to "Settings" and import, or +1. Host the files on a secure website of yours, then download and import them in Mobile Safari. + +When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under Settings -> General -> Profiles. 1. Go to Settings -> General -> VPN. 1. Tap **Add VPN Configuration...**. From 4360737eafab3e7319e631ef62f5857470b6cbe1 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 13 Jan 2020 00:07:39 -0800 Subject: [PATCH 0289/1208] Improve OS detection --- extras/add_vpn_user.sh | 2 +- extras/del_vpn_user.sh | 2 +- extras/update_vpn_users.sh | 2 +- extras/vpnupgrade.sh | 6 ++++-- extras/vpnupgrade_centos.sh | 6 ++++-- vpnsetup.sh | 6 ++++-- vpnsetup_centos.sh | 6 ++++-- 7 files changed, 19 insertions(+), 11 deletions(-) diff --git a/extras/add_vpn_user.sh b/extras/add_vpn_user.sh index a142b6177c..aadad2aad5 100644 --- a/extras/add_vpn_user.sh +++ b/extras/add_vpn_user.sh 
@@ -2,7 +2,7 @@ # # Script to add/update an VPN user for both IPsec/L2TP and Cisco IPsec # -# Copyright (C) 2018-2019 Lin Song +# Copyright (C) 2018-2020 Lin Song # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ diff --git a/extras/del_vpn_user.sh b/extras/del_vpn_user.sh index 514b2d6166..ee0249edd6 100644 --- a/extras/del_vpn_user.sh +++ b/extras/del_vpn_user.sh @@ -2,7 +2,7 @@ # # Script to delete an VPN user for both IPsec/L2TP and Cisco IPsec # -# Copyright (C) 2018-2019 Lin Song +# Copyright (C) 2018-2020 Lin Song # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ diff --git a/extras/update_vpn_users.sh b/extras/update_vpn_users.sh index 0df05da259..93ec63b423 100644 --- a/extras/update_vpn_users.sh +++ b/extras/update_vpn_users.sh @@ -2,7 +2,7 @@ # # Script to update VPN users for both IPsec/L2TP and Cisco IPsec # -# Copyright (C) 2018-2019 Lin Song +# Copyright (C) 2018-2020 Lin Song # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index f7c408f66d..dcaae74f03 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -2,7 +2,7 @@ # # Script to upgrade Libreswan on Ubuntu and Debian # -# Copyright (C) 2016-2019 Lin Song +# Copyright (C) 2016-2020 Lin Song # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ 
@@ -28,7 +28,9 @@ if [ -z "$os_type" ]; then [ -f /etc/lsb-release ] && os_type=$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID") fi if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then - exiterr "This script only supports Ubuntu and Debian." + echo "Error: This script only supports Ubuntu and Debian." >&2 + echo "For CentOS/RHEL, use https://git.io/vpnupgrade-centos" >&2 + exit 1 fi if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 5f494e3c22..202a2e1f57 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -2,7 +2,7 @@ # # Script to upgrade Libreswan on CentOS and RHEL # -# Copyright (C) 2016-2019 Lin Song +# Copyright (C) 2016-2020 Lin Song # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/ @@ -23,7 +23,9 @@ exiterr2() { exiterr "'yum install' failed."; } vpnupgrade() { if ! grep -qs -e "release 6" -e "release 7" -e "release 8" /etc/redhat-release; then - exiterr "This script only supports CentOS/RHEL 6, 7 and 8." + echo "Error: This script only supports CentOS/RHEL 6, 7 and 8." >&2 + echo "For Ubuntu/Debian, use https://git.io/vpnupgrade" >&2 + exit 1 fi if [ -f /proc/user_beancounters ]; then diff --git a/vpnsetup.sh b/vpnsetup.sh index d6cf046ff5..6c95f7dc5c 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -8,7 +8,7 @@ # The latest version of this script is available at: # https://github.com/hwdsl2/setup-ipsec-vpn # -# Copyright (C) 2014-2019 Lin Song +# Copyright (C) 2014-2020 Lin Song # Based on the work of Thomas Sarlandie (Copyright 2012) # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 
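Review bot: The new error text in extras/vpnupgrade.sh and extras/vpnupgrade_centos.sh points the user at `https://git.io/vpnupgrade-centos` and `https://git.io/vpnupgrade`, shortened links to scripts the user is expected to download and run, and the same pattern follows in vpnsetup.sh and vpnsetup_centos.sh. Print the repository location the script header already names (`https://github.com/hwdsl2/setup-ipsec-vpn`) or the full file URL, so the user can see what is being fetched before running it. The two `echo` lines plus `exit 1` also replace a single `exiterr` call in each of the four scripts; a helper that accepts a second line would keep the error path in one place.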
@@ -54,7 +54,9 @@ if [ -z "$os_type" ]; then [ -f /etc/lsb-release ] && os_type=$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID") fi if ! printf '%s' "$os_type" | head -n 1 | grep -qiF -e ubuntu -e debian -e raspbian; then - exiterr "This script only supports Ubuntu and Debian." + echo "Error: This script only supports Ubuntu and Debian." >&2 + echo "For CentOS/RHEL, use https://git.io/vpnsetup-centos" >&2 + exit 1 fi if [ "$(sed 's/\..*//' /etc/debian_version)" = "7" ]; then diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index b0ab813801..29904c22a7 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -8,7 +8,7 @@ # The latest version of this script is available at: # https://github.com/hwdsl2/setup-ipsec-vpn # -# Copyright (C) 2015-2019 Lin Song +# Copyright (C) 2015-2020 Lin Song # Based on the work of Thomas Sarlandie (Copyright 2012) # # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 @@ -49,7 +49,9 @@ check_ip() { vpnsetup() { if ! grep -qs -e "release 6" -e "release 7" -e "release 8" /etc/redhat-release; then - exiterr "This script only supports CentOS/RHEL 6, 7 and 8." + echo "Error: This script only supports CentOS/RHEL 6, 7 and 8." >&2 + echo "For Ubuntu/Debian, use https://git.io/vpnsetup" >&2 + exit 1 fi if [ -f /proc/user_beancounters ]; then From 53a4bbb06a87771998d455927e6be6a18fd0df81 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 13 Jan 2020 00:09:30 -0800 Subject: [PATCH 0290/1208] Add install note --- extras/vpnupgrade.sh | 13 ++++++++++++- extras/vpnupgrade_centos.sh | 13 ++++++++++++- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index dcaae74f03..5a16ae4da3 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -115,12 +115,23 @@ Version to install: Libreswan $SWAN_VER EOF +case "$SWAN_VER" in + 3.19|3.2[0123567]) +cat <<'EOF' +WARNING: Older versions of Libreswan may contain security vulnerabilities. + See: https://libreswan.org/security/ + Are you sure you want to install an older version? + +EOF + ;; +esac + case "$SWAN_VER" in 3.2[35]) cat <<'EOF' WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). - DO NOT upgrade to 3.23/3.25 if your use cases include the above. + DO NOT install 3.23/3.25 if your use cases include the above. EOF ;; diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 202a2e1f57..c9c87832af 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -106,12 +106,23 @@ Version to install: Libreswan $SWAN_VER EOF +case "$SWAN_VER" in + 3.19|3.2[0123567]) +cat <<'EOF' +WARNING: Older versions of Libreswan may contain security vulnerabilities. + See: https://libreswan.org/security/ + Are you sure you want to install an older version? + +EOF + ;; +esac + case "$SWAN_VER" in 3.2[35]) cat <<'EOF' WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple IPsec/XAuth VPN clients from behind the same NAT (e.g. home router). - DO NOT upgrade to 3.23/3.25 if your use cases include the above. + DO NOT install 3.23/3.25 if your use cases include the above. EOF ;; From 815fdc0b1cec1223054b990fcb6985ed280a0e00 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 13 Jan 2020 00:22:25 -0800 Subject: [PATCH 0291/1208] Update docs --- LICENSE.md | 2 +- README-zh.md | 4 ++-- README.md | 4 ++-- azure/README-zh.md | 2 +- azure/README.md | 2 +- docs/clients-xauth-zh.md | 2 +- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 2 +- docs/clients.md | 2 +- 9 files changed, 11 insertions(+), 11 deletions(-) diff --git a/LICENSE.md b/LICENSE.md index 045f89a595..64f6ed3e72 100644 --- a/LICENSE.md +++ b/LICENSE.md 
@@ -1,7 +1,7 @@ ### Creative Commons Attribution-ShareAlike 3.0 Unported License Link to license summary: https://creativecommons.org/licenses/by-sa/3.0/ -Copyright (C) 2014-2019 Lin Song +Copyright (C) 2014-2020 Lin Song Based on the work of Thomas Sarlandie (Copyright 2012)

THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS diff --git a/README-zh.md b/README-zh.md index 6a93640501..0747863a25 100644 --- a/README-zh.md +++ b/README-zh.md @@ -60,7 +60,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 一个新创建的 Amazon EC2 实例,使用这些映像之一: - Ubuntu 18.04 (Bionic) or 16.04 (Xenial) - Debian 10 (Buster)[\*](#debian-10-note), 9 (Stretch) or 8 (Jessie) -- [CentOS 8 (x86_64) with Updates](#系统要求) [\*\*](#centos-8-note) +- CentOS 8 (x86_64) with Updates [\*\*](#centos-8-note) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates - Red Hat Enterprise Linux (RHEL) 8, 7 or 6 @@ -199,7 +199,7 @@ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh ## 授权协议 -版权所有 (C) 2014-2019 Lin Song View my profile on LinkedIn +版权所有 (C) 2014-2020 Lin Song View my profile on LinkedIn 基于 Thomas Sarlandie 的工作 (版权所有 2012) 这个项目是以 知识共享署名-相同方式共享3.0 许可协议授权。 diff --git a/README.md b/README.md index 741e6a6aab..9c7b634855 100644 --- a/README.md +++ b/README.md @@ -60,7 +60,7 @@ For other installation options and how to set up VPN clients, read the sections A newly created Amazon EC2 instance, from one of these images: - Ubuntu 18.04 (Bionic) or 16.04 (Xenial) - Debian 10 (Buster)[\*](#debian-10-note), 9 (Stretch) or 8 (Jessie) -- [CentOS 8 (x86_64) with Updates](#requirements) [\*\*](#centos-8-note) +- CentOS 8 (x86_64) with Updates [\*\*](#centos-8-note) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates - Red Hat Enterprise Linux (RHEL) 8, 7 or 6 @@ -199,7 +199,7 @@ Please refer to Uninstall the VPNLin Song View my profile on LinkedIn +Copyright (C) 2014-2020 Lin Song View my profile on LinkedIn Based on the work of Thomas Sarlandie (Copyright 2012) This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License diff --git a/azure/README-zh.md b/azure/README-zh.md index ef79aaa4e2..7abb8e0dd8 100644 --- a/azure/README-zh.md +++ b/azure/README-zh.md 
@@ -25,7 +25,7 @@ ## 作者 版权所有 (C) 2016 [Daniel Falkner](https://github.com/derdanu) -版权所有 (C) 2017-2019 Lin Song +版权所有 (C) 2017-2020 Lin Song ## 屏幕截图 diff --git a/azure/README.md b/azure/README.md index 499ff60ddc..6ada507966 100644 --- a/azure/README.md +++ b/azure/README.md @@ -25,7 +25,7 @@ When the deployment finishes, Azure displays a notification. Next steps: [Config ## Authors Copyright (C) 2016 [Daniel Falkner](https://github.com/derdanu) -Copyright (C) 2017-2019 Lin Song +Copyright (C) 2017-2020 Lin Song ## Screenshot diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index f65795b598..b15080e4ee 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -137,7 +137,7 @@ VPN 连接成功后,你可以到 Joshua Lund 的工作 (版权所有 2014-2016) 本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index d59c0d9a11..a9fb446775 100644 --- a/docs/clients-xauth.md +++ b/docs/clients-xauth.md @@ -137,7 +137,7 @@ This document was adapted from the the work of Joshua Lund (Copyright 2014-2016) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 652f92d2f1..00c39c8727 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -584,7 +584,7 @@ strongswan down myvpn 注: 这个协议仅适用于本文档。 -版权所有 (C) 2016-2019 Lin Song +版权所有 (C) 2016-2020 Lin Song 基于 Joshua Lund 的工作 (版权所有 2014-2016) 本程序为自由软件,在自由软件联盟发布的 GNU 通用公共许可协议的约束下,你可以对其进行再发布及修改。协议版本为第三版或(随你)更新的版本。 diff --git a/docs/clients.md b/docs/clients.md index b2e7803555..0182db2429 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -583,7 +583,7 @@ This document was adapted from the the work of Joshua Lund (Copyright 2014-2016) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. From ca6bf9818dc9310b6140e0c3d6137206992af354 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 15 Jan 2020 23:58:44 -0800 Subject: [PATCH 0292/1208] Update docs --- docs/clients-zh.md | 4 +++- docs/clients.md | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 00c39c8727..a26eca1493 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -189,13 +189,15 @@ Ubuntu 18.04 (和更新版本)用户可以安装 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +如果在连接过程中遇到错误,请尝试 这个解决方案。 + ### Fedora 和 CentOS Fedora 28 (和更新版本)和 CentOS 7 用户可以使用更高效的 [IPsec/XAuth](clients-xauth-zh.md#linux) 模式连接。 ### 其它 Linux -首先看 这里 以确认 `network-manager-l2tp` 和 `network-manager-l2tp-gnome` 软件包是否在你的 Linux 版本上可用。如果可用,安装它们(选择使用 strongSwan)并参见上面的说明。另外,你也可以 [使用命令行配置 Linux VPN 客户端](#使用命令行配置-linux-vpn-客户端)。 +首先看 这里 以确认 `network-manager-l2tp` 和 `network-manager-l2tp-gnome` 软件包是否在你的 Linux 版本上可用。如果可用,安装它们(选择使用 strongSwan)并参见上面的说明。另外,你也可以 [使用命令行配置 Linux VPN 客户端](#使用命令行配置-linux-vpn-客户端)。 ## 故障排除 diff --git a/docs/clients.md b/docs/clients.md index 0182db2429..788c96c8bb 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -189,13 +189,15 @@ Ubuntu 18.04 (and newer) users can install the looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +If you get an error when trying to connect, try this fix. + ### Fedora and CentOS Fedora 28 (and newer) and CentOS 7 users can connect using the faster [IPsec/XAuth](clients-xauth.md#linux) mode. ### Other Linux -First check here to see if the `network-manager-l2tp` and `network-manager-l2tp-gnome` packages are available for your Linux distribution. If yes, install them (select strongSwan) and follow the instructions above. Alternatively, you may [configure Linux VPN clients using the command line](#configure-linux-vpn-clients-using-the-command-line). +First check here to see if the `network-manager-l2tp` and `network-manager-l2tp-gnome` packages are available for your Linux distribution. If yes, install them (select strongSwan) and follow the instructions above. Alternatively, you may [configure Linux VPN clients using the command line](#configure-linux-vpn-clients-using-the-command-line). ## Troubleshooting From 228d801adbf1ef0ac333305e61073f12fd37ecf5 Mon Sep 17 00:00:00 2001 From: Stephen Nancekivell Date: Sun, 12 Apr 2020 07:19:35 +1000 Subject: [PATCH 0293/1208] Update clients.md (#767) --- docs/clients.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/clients.md b/docs/clients.md index 788c96c8bb..b49c6d3b03 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -286,6 +286,8 @@ In addition, if your computer has IPv6 enabled, all IPv6 traffic (including DNS OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show `Your VPN Server IP`, read the [OS X](#os-x) section above and complete this step: Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. Then re-connect the VPN. +If your computer is still not sending traffic over the VPN check the service order. From the main network preferences screen, select "set service order" in the cog drop down under the list of connections. Drag the VPN connection to the top. + ### Android 6 and 7 If your Android 6.x or 7.x device cannot connect, try these steps: From 03c4dd9b249db6cb0032b063b4c296a51d7567a1 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 11 Apr 2020 17:00:15 -0500 Subject: [PATCH 0294/1208] Update clients-zh.md --- docs/clients-zh.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index a26eca1493..57f19b321d 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -286,6 +286,8 @@ Windows 8.x 和 10 默认使用 "smart multi-homed name resolution" (智能多 OS X (macOS) 用户: 如果你成功地使用 IPsec/L2TP 模式连接,但是你的公有 IP 没有显示为 `你的 VPN 服务器 IP`,请阅读上面的 [OS X](#os-x) 部分并完成这一步:单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。然后重新连接 VPN。 +如果你的计算机仍然不能通过 VPN 连接发送通信,检查一下服务顺序。进入系统偏好设置中的网络部分,单击左侧连接列表下方的齿轮按钮,选择 "设定服务顺序"。然后将 VPN 连接拖动到顶端。 + ### Android 6 和 7 如果你的 Android 6.x 或者 7.x 设备无法连接,请尝试以下步骤: From 2c660bb91440a14faf083d156127ee7a5330b065 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Sat, 11 Apr 2020 17:07:43 -0500 Subject: [PATCH 0295/1208] New Libreswan version - Upgrade Libreswan to 3.31 - "USE_DH2=true" is required for keeping Windows clients compatibility Ref: https://github.com/libreswan/libreswan/commit/8fcbbc7 - "USE_XFRM_INTERFACE_IFLA_HEADER=true" is required for compilation on older Linux distributions Ref: https://github.com/libreswan/libreswan/commit/c21909c --- vpnsetup.sh | 6 +++++- vpnsetup_centos.sh | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 6c95f7dc5c..23a1204748 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -172,7 +172,7 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.29 +SWAN_VER=3.31 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -185,11 +185,15 @@ cd "libreswan-$SWAN_VER" || exit 1 cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_DH2 = true USE_DH31 = false USE_NSS_AVA_COPY = true USE_NSS_IPSEC_PROFILE = false USE_GLIBC_KERN_FLIP_HEADERS = true EOF +if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then + echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local +fi if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 fi diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 29904c22a7..5ec944484d 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -170,7 +170,7 @@ yum "$REPO1" -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.29 +SWAN_VER=3.31 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" 
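Review bot: the `SWAN_VER=3.31` bump in vpnsetup_centos.sh (`@@ -170,7 +170,7 @@`, and the matching hunk in vpnsetup.sh) changes which tarball `swan_url1` and `swan_url2` resolve to, and the context lines define no expected digest for `$swan_file`. The script goes on to compile and install that source, so a version bump is the natural place to pin a SHA-256 next to `SWAN_VER` and compare it before the build. That would also confirm that both download locations serve the same bytes.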
@@ -183,11 +183,15 @@ cd "libreswan-$SWAN_VER" || exit 1 cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false +USE_DH2 = true USE_DH31 = false USE_NSS_AVA_COPY = true USE_NSS_IPSEC_PROFILE = false USE_GLIBC_KERN_FLIP_HEADERS = true EOF +if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then + echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local +fi NPROCS=$(grep -c ^processor /proc/cpuinfo) [ -z "$NPROCS" ] && NPROCS=1 make "-j$((NPROCS+1))" -s base && make -s install-base From 48d9b06babbb6465e2232768b1ecc0cefab9a1aa Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 12 Apr 2020 00:28:00 -0500 Subject: [PATCH 0296/1208] Update upgrade scripts - Support upgrading to Libreswan 3.31 --- extras/vpnupgrade.sh | 62 ++++++++++++++++++++----------------- extras/vpnupgrade_centos.sh | 62 ++++++++++++++++++++----------------- 2 files changed, 68 insertions(+), 56 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 5a16ae4da3..e592e5ecc9 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=3.29 +SWAN_VER=3.31 ### DO NOT edit below this line ### @@ -46,14 +46,14 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[01235679]) + 3.19|3.2[01235679]|3.31) /bin/true ;; *) cat 1>&2 <> Makefile.inc.local + if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then + echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local + fi +fi if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 fi 
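Review bot: `USE_DH2 = true` in the `Makefile.inc.local` heredoc of vpnsetup_centos.sh (`@@ -183,11 +183,15 @@`, same line in vpnsetup.sh) turns DH group 2, the 1024-bit MODP group, back on at build time with nothing in the script saying why. The commit message gives the reason (Windows client compatibility, libreswan commit 8fcbbc7). Please carry that into a comment above the heredoc, so the flag is not read as an arbitrary default and can be dropped once those clients no longer need it.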
@@ -260,7 +266,7 @@ elif [ "$dns_state" = "4" ]; then sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf fi -if [ "$SWAN_VER" = "3.29" ]; then +if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ]; then sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf fi diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index c9c87832af..1eb93088ef 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=3.29 +SWAN_VER=3.31 ### DO NOT edit below this line ### @@ -37,14 +37,14 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[01235679]) + 3.19|3.2[01235679]|3.31) /bin/true ;; *) cat 1>&2 <> Makefile.inc.local + if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then + echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local + fi +fi NPROCS=$(grep -c ^processor /proc/cpuinfo) [ -z "$NPROCS" ] && NPROCS=1 make "-j$((NPROCS+1))" -s base && make -s install-base @@ -267,7 +273,7 @@ elif [ "$dns_state" = "4" ]; then sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf fi -if [ "$SWAN_VER" = "3.29" ]; then +if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ]; then sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf fi From c251d6d6eaddcd0d429b12523703b12684c29598 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 25 Apr 2020 23:02:24 -0500 Subject: [PATCH 0297/1208] Add Ubuntu 20.04 --- README-zh.md | 6 +++--- README.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README-zh.md b/README-zh.md index 0747863a25..9e30d7d9dd 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -53,12 +53,12 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh - 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持 - 可直接作为 Amazon EC2 实例创建时的用户数据使用 - 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能 -- 已测试: Ubuntu 18.04/16.04, Debian 10/9/8 和 CentOS 8/7/6 +- 已测试: Ubuntu 20.04/18.04/16.04, Debian 10/9/8 和 CentOS 8/7/6 ## 系统要求 一个新创建的 Amazon EC2 实例,使用这些映像之一: -- Ubuntu 18.04 (Bionic) or 16.04 (Xenial) +- Ubuntu 20.04 (Focal), 18.04 (Bionic) or 16.04 (Xenial) - Debian 10 (Buster)[\*](#debian-10-note), 9 (Stretch) or 8 (Jessie) - CentOS 8 (x86_64) with Updates [\*\*](#centos-8-note) - CentOS 7 (x86_64) with Updates @@ -161,7 +161,7 @@ sh vpnsetup.sh 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`,然后重启服务器。高级用户可以在运行 VPN 脚本时定义 `VPN_DNS_SRV1` 和 `VPN_DNS_SRV2`(可选)。 -使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 18.04/16.04, Debian 10/9 和 CentOS 8/7/6. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart`。 +使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 16.04-20.04, Debian 9-10 和 CentOS 6-8. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart`。 如果需要在安装后更改 IPTables 规则,请编辑 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。然后重启服务器。 diff --git a/README.md b/README.md index 9c7b634855..b6477afcbb 100644 --- a/README.md +++ b/README.md 
@@ -53,12 +53,12 @@ For other installation options and how to set up VPN clients, read the sections - Encapsulates all VPN traffic in UDP - does not need ESP protocol - Can be directly used as "user-data" for a new Amazon EC2 instance - Includes `sysctl.conf` optimizations for improved performance -- Tested with Ubuntu 18.04/16.04, Debian 10/9/8 and CentOS 8/7/6 +- Tested with Ubuntu 20.04/18.04/16.04, Debian 10/9/8 and CentOS 8/7/6 ## Requirements A newly created Amazon EC2 instance, from one of these images: -- Ubuntu 18.04 (Bionic) or 16.04 (Xenial) +- Ubuntu 20.04 (Focal), 18.04 (Bionic) or 16.04 (Xenial) - Debian 10 (Buster)[\*](#debian-10-note), 9 (Stretch) or 8 (Jessie) - CentOS 8 (x86_64) with Updates [\*\*](#centos-8-note) - CentOS 7 (x86_64) with Updates @@ -161,7 +161,7 @@ If you wish to add, edit or remove VPN user accounts, see Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. Advanced users can define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script. -Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 10/9 and CentOS 8/7/6. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`. +Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 16.04-20.04, Debian 9-10 and CentOS 6-8. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`. To modify the IPTables rules after install, edit `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). Then reboot your server. From dbb3c6b436c3e05958baf139dac5d399a7d07aac Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Sun, 26 Apr 2020 00:32:54 -0500 Subject: [PATCH 0298/1208] Improve RPi workaround - Newer Raspbian kernels now support SHA512 --- extras/vpnupgrade.sh | 4 +++- vpnsetup.sh | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index e592e5ecc9..c34e4aae84 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -245,7 +245,9 @@ IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1 PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" if uname -m | grep -qi '^arm'; then - PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2" + if ! modprobe -q sha512; then + PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2" + fi fi sed -i".old-$(date +%F-%T)" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index 23a1204748..01ce88914e 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -272,7 +272,9 @@ conn xauth-psk EOF if uname -m | grep -qi '^arm'; then - sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf + if ! modprobe -q sha512; then + sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf + fi fi # Specify IPsec PSK From 5983c799042734b7176189f4030517d0fb116cde Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 26 Apr 2020 16:27:00 -0500 Subject: [PATCH 0299/1208] Fix IKEv2 - Apply fix for an IKEv2 regression in Libreswan - Ref: https://github.com/libreswan/libreswan/commit/90f8a09 https://github.com/libreswan/libreswan/issues/333 https://github.com/libreswan/libreswan/issues/329 --- extras/vpnupgrade.sh | 5 +++++ extras/vpnupgrade_centos.sh | 5 +++++ vpnsetup.sh | 5 +++++ vpnsetup_centos.sh | 5 +++++ 4 files changed, 20 insertions(+) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index c34e4aae84..cb8b66592b 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh 
@@ -212,6 +212,11 @@ cd "libreswan-$SWAN_VER" || exit 1 [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ] && sed -i '/docker-targets\.mk/d' Makefile [ "$SWAN_VER" = "3.26" ] && sed -i 's/-lfreebl //' mk/config.mk [ "$SWAN_VER" = "3.26" ] && sed -i '/blapi\.h/d' programs/pluto/keys.c +if [ "$SWAN_VER" = "3.31" ]; then + sed -i '916iif (!st->st_seen_fragvid) { return FALSE; }' programs/pluto/ikev2.c + sed -i '1033s/if (/if (LIN(POLICY_IKE_FRAG_ALLOW, sk->ike->sa.st_connection->policy) \&\& sk->ike->sa.st_seen_fragvid \&\& /' \ + programs/pluto/ikev2_message.c +fi cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 1eb93088ef..03650b3fd8 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -221,6 +221,11 @@ cd "libreswan-$SWAN_VER" || exit 1 [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ] && sed -i '/docker-targets\.mk/d' Makefile [ "$SWAN_VER" = "3.26" ] && sed -i 's/-lfreebl //' mk/config.mk [ "$SWAN_VER" = "3.26" ] && sed -i '/blapi\.h/d' programs/pluto/keys.c +if [ "$SWAN_VER" = "3.31" ]; then + sed -i '916iif (!st->st_seen_fragvid) { return FALSE; }' programs/pluto/ikev2.c + sed -i '1033s/if (/if (LIN(POLICY_IKE_FRAG_ALLOW, sk->ike->sa.st_connection->policy) \&\& sk->ike->sa.st_seen_fragvid \&\& /' \ + programs/pluto/ikev2_message.c +fi cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/vpnsetup.sh b/vpnsetup.sh index 01ce88914e..19c7c9c621 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
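Review bot: the two `sed` edits inside `if [ "$SWAN_VER" = "3.31" ]` in extras/vpnupgrade.sh and extras/vpnupgrade_centos.sh address `programs/pluto/ikev2.c` and `programs/pluto/ikev2_message.c` by absolute line number (`916i`, `1033s`), so they are only correct if the unpacked tree matches the 3.31 source line for line. `sed` does not fail when line 916 or 1033 holds something else: the `i` command inserts the `return FALSE` guard wherever line 916 happens to be, and the `s` command either rewrites the first `if (` on an unrelated line or silently does nothing. Suggest checking the target lines before editing and aborting on a mismatch, or shipping the change as a unified diff applied with `patch`, which stops when the context does not match. The same applies to the identical hunks in vpnsetup.sh and vpnsetup_centos.sh.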
@@ -182,6 +182,11 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 +if [ "$SWAN_VER" = "3.31" ]; then + sed -i '916iif (!st->st_seen_fragvid) { return FALSE; }' programs/pluto/ikev2.c + sed -i '1033s/if (/if (LIN(POLICY_IKE_FRAG_ALLOW, sk->ike->sa.st_connection->policy) \&\& sk->ike->sa.st_seen_fragvid \&\& /' \ + programs/pluto/ikev2_message.c +fi cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 5ec944484d..f50f69c1f9 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -180,6 +180,11 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 +if [ "$SWAN_VER" = "3.31" ]; then + sed -i '916iif (!st->st_seen_fragvid) { return FALSE; }' programs/pluto/ikev2.c + sed -i '1033s/if (/if (LIN(POLICY_IKE_FRAG_ALLOW, sk->ike->sa.st_connection->policy) \&\& sk->ike->sa.st_seen_fragvid \&\& /' \ + programs/pluto/ikev2_message.c +fi cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = USE_DNSSEC = false From dae0c0335630bff2c11942e592ff2225ed965841 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 29 Apr 2020 11:00:25 -0500 Subject: [PATCH 0300/1208] Improve output - Inhibit warning messages from Libreswan compilation --- extras/vpnupgrade.sh | 2 +- extras/vpnupgrade_centos.sh | 2 +- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index cb8b66592b..d33fbee0e9 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -218,7 +218,7 @@ if [ "$SWAN_VER" = "3.31" ]; then programs/pluto/ikev2_message.c fi cat > Makefile.inc.local <<'EOF' -WERROR_CFLAGS = +WERROR_CFLAGS = -w USE_DNSSEC = false USE_DH31 = false USE_NSS_AVA_COPY = true diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 03650b3fd8..46365a1275 100644 
--- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -227,7 +227,7 @@ if [ "$SWAN_VER" = "3.31" ]; then programs/pluto/ikev2_message.c fi cat > Makefile.inc.local <<'EOF' -WERROR_CFLAGS = +WERROR_CFLAGS = -w USE_DNSSEC = false USE_DH31 = false USE_NSS_AVA_COPY = true diff --git a/vpnsetup.sh b/vpnsetup.sh index 19c7c9c621..93de7f408d 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -188,7 +188,7 @@ if [ "$SWAN_VER" = "3.31" ]; then programs/pluto/ikev2_message.c fi cat > Makefile.inc.local <<'EOF' -WERROR_CFLAGS = +WERROR_CFLAGS = -w USE_DNSSEC = false USE_DH2 = true USE_DH31 = false diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index f50f69c1f9..3049a0f49d 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -186,7 +186,7 @@ if [ "$SWAN_VER" = "3.31" ]; then programs/pluto/ikev2_message.c fi cat > Makefile.inc.local <<'EOF' -WERROR_CFLAGS = +WERROR_CFLAGS = -w USE_DNSSEC = false USE_DH2 = true USE_DH31 = false From f15db57ea55875feb96ca3cdc6741dfd31f98fec Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 30 Apr 2020 00:12:56 -0500 Subject: [PATCH 0301/1208] Fix upgrade bug - Fixed an issue where the upgrade script could break the IKEv2 section of /etc/ipsec.conf for users who manually added IKEv2 --- extras/vpnupgrade.sh | 2 +- extras/vpnupgrade_centos.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index d33fbee0e9..8a9a4c3ab8 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -275,7 +275,7 @@ fi if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ]; then sed -i "/ikev2=never/d" /etc/ipsec.conf - sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf + sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf fi # Restart IPsec service diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 46365a1275..4ffd9eb366 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh 
@@ -280,7 +280,7 @@ fi if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ]; then sed -i "/ikev2=never/d" /etc/ipsec.conf - sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf + sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf fi # Restart IPsec service From 7076376aacc4acbb5e9f7c986c619602aef6cc55 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 30 Apr 2020 01:13:39 -0500 Subject: [PATCH 0302/1208] Update IKEv2 docs - For users running Libreswan 3.31, the "Use RSA/PSS signatures" option needs to be enabled in the strongSwan Android VPN client. - Ref: https://lists.libreswan.org/pipermail/swan/2020/003440.html --- docs/ikev2-howto-zh.md | 12 +++++++++++- docs/ikev2-howto.md | 14 ++++++++++++-- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 6c9915556c..469d754ecb 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -113,6 +113,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 **注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 120"。 + 生成 CA 证书: + ```bash certutil -z <(head -c 1024 /dev/urandom) \ -S -x -n "IKEv2 VPN CA" \ @@ -131,6 +133,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 N ``` + 生成 VPN 服务器证书: + **注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须将以下命令中的 `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` 换成 `--extSAN "dns:$PUBLIC_IP"`。 ```bash @@ -150,6 +154,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 生成客户端证书,然后导出 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书: + 生成客户端证书: + ```bash certutil -z <(head -c 1024 /dev/urandom) \ -S -c "IKEv2 VPN CA" -n "vpnclient" \ @@ -164,6 +170,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Generating key. This may take a few moments... ``` + 导出 `.p12` 文件: + ```bash pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d ``` 
@@ -207,7 +215,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 service ipsec restart ``` -VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你的 VPN 客户端。 +在继续之前,你**必须**重启 IPsec 服务。VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你的 VPN 客户端。 ## 配置 IKEv2 VPN 客户端 @@ -268,6 +276,7 @@ VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 1. 单击 **Select user certificate**,选择你的新 VPN 客户端证书并确认。 +1. **(重要)** 单击 **Show advanced settings**。向下滚动,找到并启用 **Use RSA/PSS signatures** 选项。 1. 保存新的 VPN 连接,然后单击它以开始连接。 ### Android 4.x to 9.x @@ -280,6 +289,7 @@ VPN 服务器上的 IKEv2 配置到此已完成。按照下面的步骤配置你 1. 单击 **Select user certificate**,然后单击 **Install certificate**。 1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 **注:** 要查找 `.p12` 文件,单击左上角的抽拉式菜单,然后单击你的设备名称。 +1. **(重要)** 单击 **Show advanced settings**。向下滚动,找到并启用 **Use RSA/PSS signatures** 选项。 1. 保存新的 VPN 连接,然后单击它以开始连接。 ### iOS diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 22b8d3ec31..e84000b5b9 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -113,6 +113,8 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo **Note:** Specify the certificate validity period (in months) with "-v". e.g. "-v 120". + Generate CA certificate: + ```bash certutil -z <(head -c 1024 /dev/urandom) \ -S -x -n "IKEv2 VPN CA" \ @@ -131,6 +133,8 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo N ``` + Generate VPN server certificate: + **Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must replace `--extSAN "ip:$PUBLIC_IP,dns:$PUBLIC_IP"` in the command below with `--extSAN "dns:$PUBLIC_IP"`. ```bash 
@@ -150,6 +154,8 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo 1. Generate client certificate(s), then export the `.p12` file that contains the client certificate, private key, and CA certificate: + Generate client certificate: + ```bash certutil -z <(head -c 1024 /dev/urandom) \ -S -c "IKEv2 VPN CA" -n "vpnclient" \ @@ -164,6 +170,8 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo Generating key. This may take a few moments... ``` + Export `.p12` file: + ```bash pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d ``` @@ -201,13 +209,13 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo **Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete a certificate, replace `-L` with `-D`. For other `certutil` usage, read this page. -1. **(Important) Restart IPsec service**: +1. **(Important) Restart the IPsec service**: ```bash service ipsec restart ``` -The IKEv2 setup on the VPN server is now complete. Follow instructions below to configure your VPN clients. +Before continuing, you **must** restart the IPsec service. The IKEv2 setup on the VPN server is now complete. Follow instructions below to configure your VPN clients. ## Configure IKEv2 VPN clients @@ -268,6 +276,7 @@ First, securely transfer `vpnclient.p12` to your Mac, then double-click to impor 1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field. 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. 1. Tap **Select user certificate**, select your new VPN client certificate and confirm. +1. **(Important)** Tap **Show advanced settings**. Scroll down, find and enable the **Use RSA/PSS signatures** option. 1. Save the new VPN connection, then tap to connect. ### Android 4.x to 9.x 
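Review bot: the added **(Important)** step that enables **Use RSA/PSS signatures** in docs/ikev2-howto.md (`@@ -268,6 +276,7 @@`) reads as unconditional, while the commit message limits it to servers running Libreswan 3.31. State that condition in the step itself, in both Android sections and in both the English and Chinese files, so readers can tell whether it applies to their server.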
@@ -280,6 +289,7 @@ First, securely transfer `vpnclient.p12` to your Mac, then double-click to impor 1. Tap **Select user certificate**, then tap **Install certificate**. 1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. **Note:** To find the `.p12` file, click on the three-line menu button, then click on your device name. +1. **(Important)** Tap **Show advanced settings**. Scroll down, find and enable the **Use RSA/PSS signatures** option. 1. Save the new VPN connection, then tap to connect. ### iOS From 9e6b26b1b2a9b05df1b1a68ae911167dff0251b0 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 3 May 2020 01:59:37 -0500 Subject: [PATCH 0303/1208] Update docs --- docs/clients-zh.md | 8 ++++---- docs/clients.md | 8 ++++---- docs/ikev2-howto-zh.md | 4 ++-- docs/ikev2-howto.md | 4 ++-- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 57f19b321d..49a6a65e94 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -384,21 +384,21 @@ ipsec whack --trafficstatus ## 使用命令行配置 Linux VPN 客户端 -以下步骤是基于 [Peter Sanford 的工作](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c)。这些命令必须在你的 VPN 客户端上使用 `root` 账户运行。 +在成功 搭建自己的 VPN 服务器 之后,按照下面的步骤来使用命令行配置 Linux VPN 客户端。另外,你也可以 [使用图形界面](#linux) 配置。以下步骤是基于 [Peter Sanford 的工作](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c)。这些命令必须在你的 VPN 客户端上使用 `root` 账户运行。 要配置 VPN 客户端,首先安装以下软件包: ```bash # Ubuntu & Debian apt-get update -apt-get -y install strongswan xl2tpd +apt-get -y install strongswan xl2tpd net-tools # CentOS & RHEL yum -y install epel-release -yum --enablerepo=epel -y install strongswan xl2tpd +yum --enablerepo=epel -y install strongswan xl2tpd net-tools # Fedora -yum -y install strongswan xl2tpd +yum -y install strongswan xl2tpd net-tools ``` 创建 VPN 变量 (替换为你自己的值): diff --git a/docs/clients.md b/docs/clients.md index b49c6d3b03..e85c13c7fa 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -384,21 +384,21 @@ ipsec whack --trafficstatus ## Configure Linux VPN clients using the command line -Instructions below are based on [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c). Commands must be run as `root` on your VPN client. +After setting up your own VPN server, follow these steps to configure Linux VPN clients using the command line. Alternatively, you may configure [using the GUI](#linux). Instructions below are based on [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c). Commands must be run as `root` on your VPN client. To set up the VPN client, first install the following packages: ```bash # Ubuntu & Debian apt-get update -apt-get -y install strongswan xl2tpd +apt-get -y install strongswan xl2tpd net-tools # CentOS & RHEL yum -y install epel-release -yum --enablerepo=epel -y install strongswan xl2tpd +yum --enablerepo=epel -y install strongswan xl2tpd net-tools # Fedora -yum -y install strongswan xl2tpd +yum -y install strongswan xl2tpd net-tools ``` Create VPN variables (replace with actual values): diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 469d754ecb..aadbd6dbb8 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -109,7 +109,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 EOF ``` -1. 生成 Certificate Authority (CA) 和 VPN 服务器证书: +1. 生成 Certificate Authority (CA) 和 VPN 服务器证书。 **注:** 使用 "-v" 参数指定证书的有效期(单位:月),例如 "-v 120"。 @@ -152,7 +152,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 Generating key. This may take a few moments... ``` -1. 生成客户端证书,然后导出 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书: +1. 生成客户端证书,然后导出 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书。 生成客户端证书: diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index e84000b5b9..9e384ee96f 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -109,7 +109,7 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo EOF ``` -1. Generate Certificate Authority (CA) and VPN server certificates: +1. Generate Certificate Authority (CA) and VPN server certificates. **Note:** Specify the certificate validity period (in months) with "-v". e.g. "-v 120". @@ -152,7 +152,7 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo Generating key. This may take a few moments... ``` -1. Generate client certificate(s), then export the `.p12` file that contains the client certificate, private key, and CA certificate: +1. Generate client certificate(s), then export the `.p12` file that contains the client certificate, private key, and CA certificate. Generate client certificate: From 1839943b0e26dd57bfb428b9d2095b01da2e5fe4 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 3 May 2020 22:12:17 -0500 Subject: [PATCH 0304/1208] Update docs --- README-zh.md | 2 +- README.md | 2 +- azure/README-zh.md | 4 ++-- azure/README.md | 4 ++-- docs/clients-xauth-zh.md | 2 +- docs/clients-xauth.md | 2 +- docs/clients-zh.md | 4 ++-- docs/clients.md | 4 ++-- 8 files changed, 12 insertions(+), 12 deletions(-) diff --git a/README-zh.md b/README-zh.md index 9e30d7d9dd..d98a675beb 100644 --- a/README-zh.md +++ b/README-zh.md @@ -77,7 +77,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh **» 我想建立并使用自己的 VPN ,但是没有可用的服务器** -高级用户可以在一个 $35 的 Raspberry Pi 上搭建 VPN 服务器。参见 [1] [2]。 +高级用户可以在一个 $35 的 Raspberry Pi 上搭建 VPN 服务器。参见 [1] [2] \* Debian 10 用户需要使用标准的 Linux 内核(而不是 "cloud" 版本)。更多信息请看 这里。 diff --git a/README.md b/README.md index b6477afcbb..4f4df86bf9 100644 --- a/README.md +++ b/README.md 
@@ -77,7 +77,7 @@ This also includes Linux VMs in public clouds, such as **» I want to run my own VPN but don't have a server for that** -Advanced users can set up the VPN server on a $35 Raspberry Pi. See [1] [2]. +Advanced users can set up the VPN server on a $35 Raspberry Pi. See [1] [2]. \* Debian 10 users should use the standard Linux kernel (not the "cloud" version). Read more here. diff --git a/azure/README-zh.md b/azure/README-zh.md index 7abb8e0dd8..d2b6e14181 100644 --- a/azure/README-zh.md +++ b/azure/README-zh.md @@ -6,8 +6,8 @@ 可根据偏好设置以下选项: - - Username for VPN and SSH (用户名) - - Password for VPN and SSH (密码) + - Username for VPN **and** SSH (用户名) + - Password for VPN **and** SSH (密码) - IPsec Pre-Shared Key for VPN (IPsec 预共享密钥) - Operating System Image (操作系统镜像,Debian 9 或 Ubuntu 18.04/16.04 LTS) - Virtual Machine Size (虚拟机大小,默认值: Standard_B1s) diff --git a/azure/README.md b/azure/README.md index 6ada507966..f590665690 100644 --- a/azure/README.md +++ b/azure/README.md @@ -6,8 +6,8 @@ This template will create a fully working VPN server on the Microsoft Azure Clou Customizable with the following options: - - Username for VPN and SSH - - Password for VPN and SSH + - Username for VPN **and** SSH + - Password for VPN **and** SSH - IPsec Pre-Shared Key for VPN - Operating System Image (Debian 9 or Ubuntu 18.04/16.04 LTS) - Virtual Machine Size (Default: Standard_B1s) diff --git a/docs/clients-xauth-zh.md b/docs/clients-xauth-zh.md index b15080e4ee..78b0cbb7c2 100644 --- a/docs/clients-xauth-zh.md +++ b/docs/clients-xauth-zh.md @@ -106,7 +106,7 @@ VPN 连接成功后,会在通知栏显示图标。最后你可以到 NetworkManager-libreswan-gnome 软件包,然后通过 GUI 配置 IPsec/XAuth VPN 客户端。 +Fedora 28 (和更新版本)和 CentOS 8/7 用户可以使用 `yum` 安装 `NetworkManager-libreswan-gnome` 软件包,然后通过 GUI 配置 IPsec/XAuth VPN 客户端。 1. 进入 Settings -> Network -> VPN。单击 **+** 按钮。 1. 选择 **IPsec based VPN**。 diff --git a/docs/clients-xauth.md b/docs/clients-xauth.md index a9fb446775..d7c9803a0c 100644 --- a/docs/clients-xauth.md 
+++ b/docs/clients-xauth.md @@ -106,7 +106,7 @@ If you get an error when trying to connect, see NetworkManager-libreswan-gnome package, then configure the IPsec/XAuth VPN client using the GUI. +Fedora 28 (and newer) and CentOS 8/7 users can install the `NetworkManager-libreswan-gnome` package using `yum`, then configure the IPsec/XAuth VPN client using the GUI. 1. Go to Settings -> Network -> VPN. Click the **+** button. 1. Select **IPsec based VPN**. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 49a6a65e94..58ae8458a4 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -167,7 +167,7 @@ VPN 连接成功后,网络状态图标上会出现 VPN 指示。最后你可 ### Ubuntu Linux -Ubuntu 18.04 (和更新版本)用户可以安装 network-manager-l2tp-gnome 软件包,然后通过 GUI 配置 IPsec/L2TP VPN 客户端。Ubuntu 16.04 用户可能需要添加 `nm-l2tp` PPA,参见 这里。 +Ubuntu 18.04 (和更新版本)用户可以使用 `apt` 安装 network-manager-l2tp-gnome 软件包,然后通过 GUI 配置 IPsec/L2TP VPN 客户端。Ubuntu 16.04 用户可能需要添加 `nm-l2tp` PPA,参见 这里。 1. 进入 Settings -> Network -> VPN。单击 **+** 按钮。 1. 选择 **Layer 2 Tunneling Protocol (L2TP)**。 @@ -193,7 +193,7 @@ VPN 连接成功后,你可以到 Troub ### Ubuntu Linux -Ubuntu 18.04 (and newer) users can install the network-manager-l2tp-gnome package, then configure the IPsec/L2TP VPN client using the GUI. Ubuntu 16.04 users may need to add the `nm-l2tp` PPA, read more here. +Ubuntu 18.04 (and newer) users can install the network-manager-l2tp-gnome package using `apt`, then configure the IPsec/L2TP VPN client using the GUI. Ubuntu 16.04 users may need to add the `nm-l2tp` PPA, read more here. 1. Go to Settings -> Network -> VPN. Click the **+** button. 1. Select **Layer 2 Tunneling Protocol (L2TP)**. 
@@ -193,7 +193,7 @@ If you get an error when trying to connect, try 搭建自己的 VPN 服务器,并且(可选但推荐)将 Libreswan 升级 到最新版本。 -下面举例说明如何在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 +你可以使用这个辅助脚本来自动地在 VPN 服务器上配置 IKEv2: + +``` +wget https://git.io/ikev2setup -O ikev2setup.sh && sudo bash ikev2setup.sh +``` + +该 脚本 必须使用 `bash` 而不是 `sh` 运行。按照脚本的提示配置 IKEv2。在完成之后,请转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端) 和 [已知问题](#已知问题)。如需为更多的客户端生成证书,请参见下一小节的第 4 步。 + +## 手动在 VPN 服务器上配置 IKEv2 + +下面举例说明如何手动在 Libreswan 上配置 IKEv2。以下命令必须用 `root` 账户运行。 1. 获取 VPN 服务器的公共 IP 地址,将它保存到变量并检查。 @@ -154,6 +165,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 1. 生成客户端证书,然后导出 `.p12` 文件,该文件包含客户端证书,私钥以及 CA 证书。 + **注:** 如需同时连接多个客户端,则必须为每个客户端生成唯一的证书。你可以重复本步骤来为更多的客户端生成证书,但必须将所有的 `vpnclient` 换成比如 `vpnclient2`,等等。 + 生成客户端证书: ```bash @@ -182,9 +195,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 pk12util: PKCS12 EXPORT SUCCESSFUL ``` - 指定一个安全的密码以保护导出的 `.p12` 文件(在导入到 iOS 或 macOS 设备时,该密码不能为空)。你可以重复本步骤来为更多的客户端生成证书,但必须将所有的 `vpnclient` 换成比如 `vpnclient2`,等等。 - - **注:** 如需同时连接多个客户端,则必须为每个客户端生成唯一的证书。 + 指定一个安全的密码以保护导出的 `.p12` 文件(在导入到 iOS 或 macOS 设备时,该密码不能为空)。 1. (适用于 iOS 客户端) 导出 CA 证书到 `vpnca.cer`: diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 9e384ee96f..926d9f5c10 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -2,11 +2,12 @@ *Read this in other languages: [English](ikev2-howto.md), [简体中文](ikev2-howto-zh.md).* -**Important:** This guide is for **advanced users** only. Other users please use [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. +**Note:** This guide is for **advanced users**. Other users please use [IPsec/L2TP](clients.md) or [IPsec/XAuth](clients-xauth.md) mode. --- * [Introduction](#introduction) -* [Set up IKEv2 on the VPN server](#set-up-ikev2-on-the-vpn-server) +* [Using helper scripts](#using-helper-scripts) +* [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server) * [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) * [Known issues](#known-issues) * [References](#references) 
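Review bot: The table-of-contents entry moves from `#set-up-ikev2-on-the-vpn-server` to `#manually-set-up-ikev2-on-the-vpn-server`, so any existing link to the old anchor (bookmarks, other docs, issue replies) now lands at the top of the page instead of the setup steps. Consider keeping the old anchor alive, for example with `<a name="set-up-ikev2-on-the-vpn-server"></a>` above the renamed heading, and doing the same for the renamed heading in docs/ikev2-howto-zh.md.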
@@ -22,11 +23,21 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica - Android 4.x and newer (using the strongSwan VPN client) - iOS (iPhone/iPad) -## Set up IKEv2 on the VPN server +## Using helper scripts **Important:** As a prerequisite to using this guide, and before continuing, you must make sure that you have successfully set up your own VPN server, and (optional but recommended) upgraded Libreswan to the latest version. -The following example shows how to configure IKEv2 with Libreswan. Commands below must be run as `root`. +You may use this helper script to automatically set up IKEv2 on the VPN server: + +``` +wget https://git.io/ikev2setup -O ikev2setup.sh && sudo bash ikev2setup.sh +``` + +The script must be run using `bash`, not `sh`. Follow the prompts to set up IKEv2. When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) and check [known issues](#known-issues). If you wish to generate certificates for additional VPN clients, refer to step 4 in the next section. + +## Manually set up IKEv2 on the VPN server + +The following example shows how to manually configure IKEv2 with Libreswan. Commands below must be run as `root`. 1. Find the VPN server's public IP, save it to a variable and check. @@ -154,6 +165,8 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo 1. Generate client certificate(s), then export the `.p12` file that contains the client certificate, private key, and CA certificate. + **Note:** To connect multiple VPN clients simultaneously, you must generate a unique certificate for each. You may repeat this step to generate certificates for additional VPN clients, but make sure to replace every `vpnclient` with `vpnclient2`, etc. + Generate client certificate: ```bash 
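Review bot: In the new `## Using helper scripts` text, `wget https://git.io/ikev2setup -O ikev2setup.sh && sudo bash ikev2setup.sh` runs as root whatever the short link resolves to at that moment, with nothing for the reader to check the download against. Since the script creates a CA and appends to `/etc/ipsec.conf`, suggest splitting the command into a download step and a run step so the file can be read in between, and giving the script's path in the repository (or a published checksum) next to the short URL.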
@@ -182,9 +195,7 @@ The following example shows how to configure IKEv2 with Libreswan. Commands belo pk12util: PKCS12 EXPORT SUCCESSFUL ``` - Enter a secure password to protect the exported `.p12` file (when importing into an iOS or macOS device, this password cannot be empty). You may repeat this step to generate certificates for additional VPN clients, but make sure to replace every `vpnclient` with `vpnclient2`, etc. - - **Note:** To connect multiple VPN clients simultaneously, you must generate a unique certificate for each. + Enter a secure password to protect the exported `.p12` file (when importing into an iOS or macOS device, this password cannot be empty). 1. (For iOS clients) Export the CA certificate as `vpnca.cer`: diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh new file mode 100644 index 0000000000..6669998948 --- /dev/null +++ b/extras/ikev2setup.sh 
@@ -0,0 +1,305 @@ +#!/bin/bash +# +# Script to set up IKEv2 on Ubuntu, Debian and CentOS/RHEL +# +# Copyright (C) 2020 Lin Song +# +# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 +# Unported License: http://creativecommons.org/licenses/by-sa/3.0/ +# +# Attribution required: please include my name in any derivative and let me +# know how you have improved it! + +export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +SYS_DT=$(date +%F-%T) + +exiterr() { echo "Error: $1" >&2; exit 1; } +bigecho() { echo; echo "## $1"; echo; } +bigecho2() { echo; echo "## $1"; } + +check_ip() { + IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' + printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX" +} + +check_dns_name() { + FQDN_REGEX='^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$' + printf '%s' "$1" | tr -d '\n' | grep -Eq "$FQDN_REGEX" +} + +ikev2setup() { + +if [ "$(id -u)" != 0 ]; then + exiterr "Script must be run as root. Try 'sudo bash $0'" +fi + +ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) +swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux //' -e 's/Libreswan //' -e 's/ (netkey) on .*//') +if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \ + || ! printf '%s' "$ipsec_ver" | grep -q "Libreswan" \ + || [ ! -f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then +cat 1>&2 <<'EOF' +Error: Your must first set up the IPsec VPN server before setting up IKEv2. + See: https://github.com/hwdsl2/setup-ipsec-vpn +EOF + exit 1 +fi + +case "$swan_ver" in + 3.19|3.2[01235679]|3.31) + /bin/true + ;; + *) +cat 1>&2 <&2 <<'EOF' +Error: It looks like IKEv2 has already been set up on this server. 
+ To generate certificates for additional VPN clients, see step 4 in section + "Manually set up IKEv2 on the VPN server" at https://git.io/ikev2 +EOF + exit 1 +fi + +command -v certutil >/dev/null 2>&1 || { echo >&2 "Error: Command 'certutil' not found. Aborting."; exit 1; } +command -v pk12util >/dev/null 2>&1 || { echo >&2 "Error: Command 'pk12util' not found. Aborting."; exit 1; } + +clear + +cat <<'EOF' +Welcome! Use this script to set up IKEv2 after setting up your own IPsec VPN server. +Alternatively, you may manually set up IKEv2. See: https://git.io/ikev2 + +I need to ask you a few questions before starting setup. +You can use the default options and just press enter if you are OK with them. + +EOF + +echo "Do you want IKEv2 VPN clients to connect to this VPN server using a DNS name," +printf "e.g. vpn.example.com, instead of its IP address [y/N]? " +read -r response +case $response in + [yY][eE][sS]|[yY]) + use_dns_name=1 + echo + ;; + *) + use_dns_name=0 + echo + ;; +esac + +# Enter VPN server address +if [ "$use_dns_name" = "1" ]; then + read -rp "Enter the DNS name of this VPN server: " server_addr + until check_dns_name "$server_addr"; do + echo "Invalid DNS name. You must enter a fully qualified domain name (FQDN)." + read -rp "Enter the DNS name of this VPN server: " server_addr + done +else + public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) + [ -z "$public_ip" ] && public_ip=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) + read -rp "Enter the IPv4 address of this VPN server [$public_ip]: " server_addr + [ -z "$server_addr" ] && server_addr="$public_ip" + until check_ip "$server_addr"; do + echo "Invalid IP address." 
+ read -rp "Enter the IPv4 address of this VPN server [$public_ip]: " server_addr + [ -z "$server_addr" ] && server_addr="$public_ip" + done +fi + +# Check for MOBIKE support +mobike_support=0 +case "$swan_ver" in + 3.2[35679]|3.31) + mobike_support=1 + ;; +esac + +if [ "$mobike_support" = "1" ]; then + os_type="$(lsb_release -si 2>/dev/null)" + if [ -z "$os_type" ]; then + [ -f /etc/os-release ] && os_type="$(. /etc/os-release && printf '%s' "$ID")" + [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID")" + [ "$os_type" = "ubuntu" ] && os_type=Ubuntu + fi + if [ -z "$os_type" ] || [ "$os_type" = "Ubuntu" ]; then + mobike_support=0 + fi +fi + +mobike_enable=0 +if [ "$mobike_support" = "1" ]; then + echo + printf "Do you want to enable MOBIKE support [y/N]? " + read -r response + case $response in + [yY][eE][sS]|[yY]) + mobike_enable=1 + ;; + *) + mobike_enable=0 + ;; + esac +fi + +echo +printf "We are ready to set up IKEv2 now. Continue [y/N]? " +read -r response +case $response in + [yY][eE][sS]|[yY]) + echo + ;; + *) + echo "Aborting. Your configuration was not changed." + exit 1 + ;; +esac + +bigecho "Adding a new IKEv2 connection to /etc/ipsec.conf..." + +cat >> /etc/ipsec.conf <> /etc/ipsec.conf <<'EOF' + modecfgdns="8.8.8.8 8.8.4.4" + encapsulation=yes +EOF + if [ "$mobike_enable" = "1" ]; then + echo " mobike=yes" >> /etc/ipsec.conf + else + echo " mobike=no" >> /etc/ipsec.conf + fi + ;; + 3.19|3.2[012]) +cat >> /etc/ipsec.conf <<'EOF' + modecfgdns1=8.8.8.8 + modecfgdns2=8.8.4.4 + encapsulation=yes +EOF + ;; +esac + +bigecho2 "Generating CA certificate..." + +certutil -z <(head -c 1024 /dev/urandom) \ + -S -x -n "IKEv2 VPN CA" \ + -s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \ + -k rsa -g 4096 -v 120 \ + -d sql:/etc/ipsec.d -t "CT,," -2 >/dev/null << ANSWERS +y + +N +ANSWERS + +sleep 1 + +bigecho2 "Generating VPN server certificate..." 
+ +if [ "$use_dns_name" = "1" ]; then + certutil -z <(head -c 1024 /dev/urandom) \ + -S -c "IKEv2 VPN CA" -n "$server_addr" \ + -s "O=IKEv2 VPN,CN=$server_addr" \ + -k rsa -g 4096 -v 120 \ + -d sql:/etc/ipsec.d -t ",," \ + --keyUsage digitalSignature,keyEncipherment \ + --extKeyUsage serverAuth \ + --extSAN "dns:$server_addr" >/dev/null +else + certutil -z <(head -c 1024 /dev/urandom) \ + -S -c "IKEv2 VPN CA" -n "$server_addr" \ + -s "O=IKEv2 VPN,CN=$server_addr" \ + -k rsa -g 4096 -v 120 \ + -d sql:/etc/ipsec.d -t ",," \ + --keyUsage digitalSignature,keyEncipherment \ + --extKeyUsage serverAuth \ + --extSAN "ip:$server_addr,dns:$server_addr" >/dev/null +fi + +sleep 1 + +bigecho2 "Generating client certificate..." + +certutil -z <(head -c 1024 /dev/urandom) \ + -S -c "IKEv2 VPN CA" -n "vpnclient" \ + -s "O=IKEv2 VPN,CN=vpnclient" \ + -k rsa -g 4096 -v 120 \ + -d sql:/etc/ipsec.d -t ",," \ + --keyUsage digitalSignature,keyEncipherment \ + --extKeyUsage serverAuth,clientAuth -8 "vpnclient" >/dev/null + +bigecho "Exporting CA certificate..." + +certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o "vpnca-$SYS_DT.cer" + +bigecho "Exporting .p12 file..." + +cat <<'EOF' +Enter a *secure* password to protect the exported .p12 file. +This file contains the client certificate, private key, and CA certificate. +When importing into an iOS or macOS device, this password cannot be empty. + +EOF + +pk12util -o "vpnclient-$SYS_DT.p12" -n "vpnclient" -d sql:/etc/ipsec.d + +bigecho "Restarting IPsec service..." + +service ipsec restart + +cat < Date: Mon, 11 May 2020 01:19:03 -0500 Subject: [PATCH 0306/1208] Update links - Add a link to IKEv2 how-to guide --- vpnsetup.sh | 2 ++ vpnsetup_centos.sh | 2 ++ 2 files changed, 4 insertions(+) diff --git a/vpnsetup.sh b/vpnsetup.sh index 93de7f408d..bb2e3ff4ba 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -30,6 +30,7 @@ YOUR_PASSWORD='' # Important notes: https://git.io/vpnnotes # Setup VPN clients: https://git.io/vpnclients +# IKEv2 guide: https://git.io/ikev2 # ===================================================== @@ -522,6 +523,7 @@ Write these down. You'll need them to connect! Important notes: https://git.io/vpnnotes Setup VPN clients: https://git.io/vpnclients +IKEv2 guide: https://git.io/ikev2 ================================================ diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 3049a0f49d..a7a6079c57 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -30,6 +30,7 @@ YOUR_PASSWORD='' # Important notes: https://git.io/vpnnotes # Setup VPN clients: https://git.io/vpnclients +# IKEv2 guide: https://git.io/ikev2 # ===================================================== @@ -492,6 +493,7 @@ Write these down. You'll need them to connect! Important notes: https://git.io/vpnnotes Setup VPN clients: https://git.io/vpnclients +IKEv2 guide: https://git.io/ikev2 ================================================ From b293aa30819ab856f66a4a55220f3a12cb67826d Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 11 May 2020 10:59:08 -0500 Subject: [PATCH 0307/1208] New Libreswan version - Upgrade Libreswan to 3.32 --- vpnsetup.sh | 7 +------ vpnsetup_centos.sh | 7 +------ 2 files changed, 2 insertions(+), 12 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index bb2e3ff4ba..e07d79e26c 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -173,7 +173,7 @@ apt-get -yq install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.31 +SWAN_VER=3.32 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" 
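Review bot: In extras/ikev2setup.sh (added in PATCH 0304), none of the `certutil` or `pk12util` calls is checked for failure, and the append to `/etc/ipsec.conf` runs before any certificate exists. A failed CA or server-certificate step, whose output goes to `/dev/null`, therefore still ends in `service ipsec restart` with the new connection in `/etc/ipsec.conf` and no usable certificate behind it. Suggest generating the certificates first with `|| exiterr "..."` on each call, and appending to `/etc/ipsec.conf` only after they succeed. Separately, the client certificate is issued with `--extKeyUsage serverAuth,clientAuth`; if `serverAuth` is there for client compatibility, a comment saying so would help, otherwise `clientAuth` alone is the narrower grant. Typo in the first error message: "Your must first set up".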
@@ -183,11 +183,6 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -if [ "$SWAN_VER" = "3.31" ]; then - sed -i '916iif (!st->st_seen_fragvid) { return FALSE; }' programs/pluto/ikev2.c - sed -i '1033s/if (/if (LIN(POLICY_IKE_FRAG_ALLOW, sk->ike->sa.st_connection->policy) \&\& sk->ike->sa.st_seen_fragvid \&\& /' \ - programs/pluto/ikev2_message.c -fi cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = -w USE_DNSSEC = false diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index a7a6079c57..d2783e8a37 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -171,7 +171,7 @@ yum "$REPO1" -y install fail2ban || exiterr2 bigecho "Compiling and installing Libreswan..." -SWAN_VER=3.31 +SWAN_VER=3.32 swan_file="libreswan-$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url2="https://download.libreswan.org/$swan_file" @@ -181,11 +181,6 @@ fi /bin/rm -rf "/opt/src/libreswan-$SWAN_VER" tar xzf "$swan_file" && /bin/rm -f "$swan_file" cd "libreswan-$SWAN_VER" || exit 1 -if [ "$SWAN_VER" = "3.31" ]; then - sed -i '916iif (!st->st_seen_fragvid) { return FALSE; }' programs/pluto/ikev2.c - sed -i '1033s/if (/if (LIN(POLICY_IKE_FRAG_ALLOW, sk->ike->sa.st_connection->policy) \&\& sk->ike->sa.st_seen_fragvid \&\& /' \ - programs/pluto/ikev2_message.c -fi cat > Makefile.inc.local <<'EOF' WERROR_CFLAGS = -w USE_DNSSEC = false From 6a285499e3106f2a5be0566a1c37cf4ec9776abe Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 11 May 2020 11:28:37 -0500 Subject: [PATCH 0308/1208] Update upgrade scripts - Support upgrading to Libreswan 3.32 - Update ikev2 setup helper script --- extras/ikev2setup.sh | 11 ++++++----- extras/vpnupgrade.sh | 16 ++++++++-------- extras/vpnupgrade_centos.sh | 16 ++++++++-------- 3 files changed, 22 insertions(+), 21 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 6669998948..1ab24155eb 100644 
--- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -46,15 +46,16 @@ EOF fi case "$swan_ver" in - 3.19|3.2[01235679]|3.31) + 3.19|3.2[01235679]|3.3[12]) /bin/true ;; *) cat 1>&2 <> /etc/ipsec.conf <<'EOF' modecfgdns="8.8.8.8 8.8.4.4" encapsulation=yes diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 8a9a4c3ab8..fda23933bc 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=3.31 +SWAN_VER=3.32 ### DO NOT edit below this line ### @@ -46,14 +46,14 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[01235679]|3.31) + 3.19|3.2[01235679]|3.3[12]) /bin/true ;; *) cat 1>&2 <> Makefile.inc.local if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local @@ -273,7 +273,7 @@ elif [ "$dns_state" = "4" ]; then sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf fi -if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ]; then +if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf fi diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 4ffd9eb366..7f15434e4c 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=3.31 +SWAN_VER=3.32 ### DO NOT edit below this line ### @@ -37,14 +37,14 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[01235679]|3.31) + 3.19|3.2[01235679]|3.3[12]) /bin/true ;; *) cat 1>&2 <> Makefile.inc.local if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local 
@@ -278,7 +278,7 @@ elif [ "$dns_state" = "4" ]; then sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf fi -if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ]; then +if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf fi From 5bf8b861926ef76a60509c51e4932a2ed9a76444 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 11 May 2020 23:15:05 -0500 Subject: [PATCH 0309/1208] Update IKEv2 script - Fix CentOS detection - Set MOBIKE question default to 'yes' --- extras/ikev2setup.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 1ab24155eb..e1633bbdaf 100644 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -84,7 +84,7 @@ You can use the default options and just press enter if you are OK with them. EOF -echo "Do you want IKEv2 VPN clients to connect to this VPN server using a DNS name," +echo "Do you want IKEv2 VPN clients to connect to this server using a DNS name," printf "e.g. vpn.example.com, instead of its IP address [y/N]? " read -r response case $response in @@ -132,6 +132,7 @@ if [ "$mobike_support" = "1" ]; then [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID")" [ "$os_type" = "ubuntu" ] && os_type=Ubuntu fi + [ -z "$os_type" ] && [ -f /etc/redhat-release ] && os_type=CentOS/RHEL if [ -z "$os_type" ] || [ "$os_type" = "Ubuntu" ]; then mobike_support=0 fi @@ -140,10 +141,10 @@ fi mobike_enable=0 if [ "$mobike_support" = "1" ]; then echo - printf "Do you want to enable MOBIKE support [y/N]? " + printf "Do you want to enable MOBIKE support [Y/n]? " read -r response case $response in - [yY][eE][sS]|[yY]) + [yY][eE][sS]|[yY]|'') mobike_enable=1 ;; *) From d44b09d57724ee223ff3165d0b1ef46e83233302 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Mon, 11 May 2020 23:23:38 -0500 Subject: [PATCH 0310/1208] Update docs --- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 751d8adcdc..9fac53eec3 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -230,7 +230,7 @@ wget https://git.io/ikev2setup -O ikev2setup.sh && sudo bash ikev2setup.sh ## 配置 IKEv2 VPN 客户端 -**注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须在 **服务器地址** 和 **远程 ID** 字段中输入该域名。 +**注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须在 **服务器地址** 和 **远程 ID** 字段中输入该域名。如需为更多的客户端生成证书,请参见上一小节的第 4 步。 * [Windows 7, 8.x 和 10](#windows-7-8x-和-10) * [OS X (macOS)](#os-x-macos) diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 926d9f5c10..c42d64ae36 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -230,7 +230,7 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th ## Configure IKEv2 VPN clients -**Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must enter the DNS name in the **Server** and **Remote ID** fields. +**Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must enter the DNS name in the **Server** and **Remote ID** fields. If you wish to generate certificates for additional VPN clients, refer to step 4 in the previous section. * [Windows 7, 8.x and 10](#windows-7-8x-and-10) * [OS X (macOS)](#os-x-macos) From f38e2ea4f28f32d99cfa06d38653d21a983acd26 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 14 May 2020 22:41:13 -0500 Subject: [PATCH 0311/1208] Cleanup --- extras/add_vpn_user.sh | 6 ++--- extras/del_vpn_user.sh | 8 ++----- extras/ikev2setup.sh | 44 +++++++++++++++++++++++++++++-------- extras/update_vpn_users.sh | 6 ++--- extras/vpnupgrade.sh | 8 +++---- extras/vpnupgrade_centos.sh | 8 +++---- 6 files changed, 49 insertions(+), 31 deletions(-) 
diff --git a/extras/add_vpn_user.sh b/extras/add_vpn_user.sh index aadad2aad5..35ee3dae40 100644 --- a/extras/add_vpn_user.sh +++ b/extras/add_vpn_user.sh @@ -84,7 +84,7 @@ Write these down. You'll need them to connect! EOF -printf "Do you wish to continue? [y/N] " +printf "Do you want to continue? [y/N] " read -r response case $response in [yY][eE][sS]|[yY]) @@ -93,9 +93,7 @@ case $response in echo ;; *) - echo - echo "Aborting. No changes were made." - echo + echo "Abort. No changes were made." exit 1 ;; esac diff --git a/extras/del_vpn_user.sh b/extras/del_vpn_user.sh index ee0249edd6..f76fbb8f11 100644 --- a/extras/del_vpn_user.sh +++ b/extras/del_vpn_user.sh @@ -63,7 +63,6 @@ if [ "$(grep -c "^\"$VPN_USER\" " /etc/ppp/chap-secrets)" = "0" ] \ cat 1>&2 <<'EOF' Error: The specified VPN user does not exist in /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd. - Aborting. No changes were made. EOF exit 1 fi @@ -73,7 +72,6 @@ if [ "$(grep -c -v -e '^#' -e '^[[:space:]]*$' /etc/ppp/chap-secrets)" = "1" ] \ cat 1>&2 <<'EOF' Error: Cannot delete the only VPN user from /etc/ppp/chap-secrets and/or /etc/ipsec.d/passwd. - Aborting. No changes were made. EOF exit 1 fi @@ -97,7 +95,7 @@ Username: $VPN_USER EOF -printf "Do you wish to continue? [y/N] " +printf "Do you want to continue? [y/N] " read -r response case $response in [yY][eE][sS]|[yY]) @@ -106,9 +104,7 @@ case $response in echo ;; *) - echo - echo "Aborting. No changes were made." - echo + echo "Abort. No changes were made." exit 1 ;; esac diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index e1633bbdaf..a080c25f65 100644 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh 
@@ -70,8 +70,8 @@ EOF exit 1 fi -command -v certutil >/dev/null 2>&1 || { echo >&2 "Error: Command 'certutil' not found. Aborting."; exit 1; } -command -v pk12util >/dev/null 2>&1 || { echo >&2 "Error: Command 'pk12util' not found. Aborting."; exit 1; } +command -v certutil >/dev/null 2>&1 || { echo >&2 "Error: Command 'certutil' not found. Abort."; exit 1; } +command -v pk12util >/dev/null 2>&1 || { echo >&2 "Error: Command 'pk12util' not found. Abort."; exit 1; } clear @@ -85,7 +85,7 @@ You can use the default options and just press enter if you are OK with them. EOF echo "Do you want IKEv2 VPN clients to connect to this server using a DNS name," -printf "e.g. vpn.example.com, instead of its IP address [y/N]? " +printf "e.g. vpn.example.com, instead of its IP address? [y/N] " read -r response case $response in [yY][eE][sS]|[yY]) @@ -108,11 +108,11 @@ if [ "$use_dns_name" = "1" ]; then else public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short) [ -z "$public_ip" ] && public_ip=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com) - read -rp "Enter the IPv4 address of this VPN server [$public_ip]: " server_addr + read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr [ -z "$server_addr" ] && server_addr="$public_ip" until check_ip "$server_addr"; do echo "Invalid IP address." - read -rp "Enter the IPv4 address of this VPN server [$public_ip]: " server_addr + read -rp "Enter the IPv4 address of this VPN server: [$public_ip] " server_addr [ -z "$server_addr" ] && server_addr="$public_ip" done fi @@ -141,7 +141,7 @@ fi mobike_enable=0 if [ "$mobike_support" = "1" ]; then echo - printf "Do you want to enable MOBIKE support [Y/n]? " + printf "Do you want to enable MOBIKE support? [Y/n] " read -r response case $response in [yY][eE][sS]|[yY]|'') 
@@ -153,15 +153,38 @@ if [ "$mobike_support" = "1" ]; then esac fi -echo -printf "We are ready to set up IKEv2 now. Continue [y/N]? " +cat < Date: Sat, 16 May 2020 22:11:01 -0500 Subject: [PATCH 0312/1208] Update IKEv2 script - Raspberry Pi (Raspbian) kernels do not support MOBIKE --- extras/ikev2setup.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index a080c25f65..e8ca581caf 100644 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -125,6 +125,10 @@ case "$swan_ver" in ;; esac +if uname -m | grep -qi '^arm'; then + mobike_support=0 +fi + if [ "$mobike_support" = "1" ]; then os_type="$(lsb_release -si 2>/dev/null)" if [ -z "$os_type" ]; then From 09c68fda01e51e8f2f95d117b61831753bef9e12 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 16 May 2020 23:11:17 -0500 Subject: [PATCH 0313/1208] Update docs - Add troubleshooting section for Android MTU/MSS issues - Remove "Access VPN server's subnet". This seems to work fine using the default configuration, without additional IPTables rules --- README-zh.md | 4 ++-- README.md | 4 ++-- docs/clients-zh.md | 35 ++++++++++++++++++----------------- docs/clients.md | 35 ++++++++++++++++++----------------- docs/ikev2-howto-zh.md | 3 +-- docs/ikev2-howto.md | 3 +-- 6 files changed, 42 insertions(+), 42 deletions(-) diff --git a/README-zh.md b/README-zh.md index d98a675beb..3f11ac5cd0 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -155,10 +155,10 @@ sh vpnsetup.sh 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。 -对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。 - 如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。该文档包含辅助脚本,以方便管理 VPN 用户。 +对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。 + 在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`,然后重启服务器。高级用户可以在运行 VPN 脚本时定义 `VPN_DNS_SRV1` 和 `VPN_DNS_SRV2`(可选)。 使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 16.04-20.04, Debian 9-10 和 CentOS 6-8. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart`。 diff --git a/README.md b/README.md index 4f4df86bf9..d7604f92d2 100644 --- a/README.md +++ b/README.md 
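Review bot: In extras/ikev2setup.sh (PATCH 0312), `uname -m | grep -qi '^arm'` matches 32-bit values such as `armv7l` but not `aarch64`, so a Raspberry Pi booted with a 64-bit kernel still gets the MOBIKE prompt, which since PATCH 0309 defaults to yes. If the kernel limitation applies there as well, match both, e.g. `grep -qiE '^(arm|aarch64)'`, and add a comment naming the limitation so the check can be revisited when kernels gain support.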
@@ -155,10 +155,10 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. -For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433). - If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. Helper scripts are included for convenience. +For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433). + Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. Advanced users can define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script. Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 16.04-20.04, Debian 9-10 and CentOS 6-8. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`. diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 58ae8458a4..65bc758d88 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -209,12 +209,12 @@ Fedora 28 (和更新版本)和 CentOS 8/7 用户可以使用更高效的 [IP * [Windows 10 升级](#windows-10-升级) * [Windows 8/10 DNS 泄漏](#windows-810-dns-泄漏) * [macOS VPN 流量](#macos-vpn-流量) +* [Android MTU/MSS 问题](#android-mtumss-问题) * [Android 6 和 7](#android-6-和-7) * [iOS 13 和 macOS 10.15](#ios-13-和-macos-1015) * [iOS/Android 睡眠模式](#iosandroid-睡眠模式) * [Debian 10 内核](#debian-10-内核) * [Chromebook 连接问题](#chromebook-连接问题) -* [访问 VPN 服务器的网段](#访问-vpn-服务器的网段) * [其它错误](#其它错误) * [额外的步骤](#额外的步骤) 
@@ -288,6 +288,23 @@ OS X (macOS) 用户: 如果你成功地使用 IPsec/L2TP 模式连接,但是 如果你的计算机仍然不能通过 VPN 连接发送通信,检查一下服务顺序。进入系统偏好设置中的网络部分,单击左侧连接列表下方的齿轮按钮,选择 "设定服务顺序"。然后将 VPN 连接拖动到顶端。 +### Android MTU/MSS 问题 + +某些 Android 设备有 MTU/MSS 问题,表现为使用 IPsec/XAuth ("Cisco IPsec") 模式可以连接到 VPN 但是无法打开网站。如果你遇到该问题,尝试在 VPN 服务器上运行以下命令。如果成功解决,你可以将这些命令添加到 `/etc/rc.local` 以使它们重启后继续有效。 + +``` +iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in \ + -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \ + -j TCPMSS --set-mss 1360 +iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out \ + -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \ + -j TCPMSS --set-mss 1360 + +echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc +``` + +参考链接:[1] [2]。 + ### Android 6 和 7 如果你的 Android 6.x 或者 7.x 设备无法连接,请尝试以下步骤: @@ -317,22 +334,6 @@ Debian 10 用户: 运行 `uname -r` 以检查你的服务器的 Linux 内核 Chromebook 用户: 如果你无法连接,请尝试以下步骤:编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到这一行 `phase2alg=...` 并在结尾加上 `,aes_gcm-null` 。保存修改并运行 `service ipsec restart`。 -### 访问 VPN 服务器的网段 - -如果要允许 VPN 客户端访问 VPN 服务器所在的网段,你需要在搭建 VPN 服务器之后手动添加 IPTables 规则。例如,如果网段是 `192.168.0.0/24`: - -``` -# For IPsec/L2TP -iptables -I FORWARD 2 -i ppp+ -d 192.168.0.0/24 -j ACCEPT -iptables -I FORWARD 2 -s 192.168.0.0/24 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - -# For IPsec/XAuth ("Cisco IPsec") -iptables -I FORWARD 2 -s 192.168.43.0/24 -d 192.168.0.0/24 -j ACCEPT -iptables -I FORWARD 2 -s 192.168.0.0/24 -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -``` - -为了让这些 IPTables 规则在重启后继续有效,你可以将它们添加到文件 `/etc/iptables.rules` 和/或 `/etc/iptables/rules.v4` (Ubuntu/Debian),或者 `/etc/sysconfig/iptables` (CentOS/RHEL)。 - ### 其它错误 如果你遇到其它错误,请参见以下链接: diff --git a/docs/clients.md b/docs/clients.md index 2e3a289d2e..0a8d8e4247 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -209,12 +209,12 @@ First check /proc/sys/net/ipv4/ip_no_pmtu_disc +``` + +References: [1] [2]. + ### Android 6 and 7 If your Android 6.x or 7.x device cannot connect, try these steps: @@ -317,22 +334,6 @@ To fix, you may switch to the standard Linux kernel by installing e.g. the `linu Chromebook users: If you are unable to connect, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`. -### Access VPN server's subnet - -If you wish to allow VPN clients to access the VPN server's subnet, you'll need to manually add IPTables rules after setting up the VPN server. For example, if the subnet is `192.168.0.0/24`: - -``` -# For IPsec/L2TP -iptables -I FORWARD 2 -i ppp+ -d 192.168.0.0/24 -j ACCEPT -iptables -I FORWARD 2 -s 192.168.0.0/24 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - -# For IPsec/XAuth ("Cisco IPsec") -iptables -I FORWARD 2 -s 192.168.43.0/24 -d 192.168.0.0/24 -j ACCEPT -iptables -I FORWARD 2 -s 192.168.0.0/24 -d 192.168.43.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -``` - -To make these IPTables rules persist after reboot, you may add them to file `/etc/iptables.rules` and/or `/etc/iptables/rules.v4` (Ubuntu/Debian), or `/etc/sysconfig/iptables` (CentOS/RHEL). - ### Other errors If you encounter other errors, refer to the links below: diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 9fac53eec3..f0c9b558fb 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -331,10 +331,9 @@ wget https://git.io/ikev2setup -O ikev2setup.sh && sudo bash ikev2setup.sh ## 已知问题 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式。 +1. Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。这是由 `NSS` 中的一个问题导致的。更多信息请看 这里。 1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级 到版本 3.26 或以上。 1. 如果你的 VPN 客户端可以连接但是无法打开任何网站,可以尝试编辑服务器上的 `/etc/ipsec.conf`。找到 `conn ikev2-cp` 部分的 `phase2alg=` 一行并删除 `aes_gcm-null,`。保存文件并运行 `service ipsec restart`。 -1. Ubuntu 18.04 和 CentOS 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。这是由 `NSS` 中的一个问题导致的。更多信息请看 这里。 -1. 目前还不支持同时连接在同一个 NAT (比如家用路由器)后面的多个 IKEv2 客户端。对于这个用例,请换用 IPsec/XAuth 模式。 ## 参考链接 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index c42d64ae36..b1607e3706 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -331,10 +331,9 @@ Once successfully connected, you can verify that your traffic is being routed pr ## Known issues 1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the IPsec/L2TP or IPsec/XAuth mode. +1. Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more here. 1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above. 1. If your VPN client can connect but cannot open any website, try editing `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=` under section `conn ikev2-cp` and delete `aes_gcm-null,`. Save the file and run `service ipsec restart`. -1. Ubuntu 18.04 and CentOS users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more here. -1. Connecting multiple IKEv2 clients simultaneously from behind the same NAT (e.g. home router) is not supported at this time. For this use case, please instead use IPsec/XAuth mode. ## References From 0a0607feb9f90e0514ea9c79c829c2a957aab82d Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 17 May 2020 18:09:40 -0500 Subject: [PATCH 0314/1208] Update IKEv2 script - Save client configuration to home folder --- extras/ikev2setup.sh | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index e8ca581caf..365c24a708 100644 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh 
@@ -293,7 +293,7 @@ certutil -z <(head -c 1024 /dev/urandom) \ bigecho "Exporting CA certificate..." -certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o "vpnca-$SYS_DT.cer" +certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ~/"vpnca-$SYS_DT.cer" bigecho "Exporting .p12 file..." @@ -304,7 +304,7 @@ When importing into an iOS or macOS device, this password cannot be empty. EOF -pk12util -o "vpnclient-$SYS_DT.p12" -n "vpnclient" -d sql:/etc/ipsec.d +pk12util -d sql:/etc/ipsec.d -n "vpnclient" -o ~/"vpnclient-$SYS_DT.p12" bigecho "Restarting IPsec service..." @@ -313,19 +313,23 @@ service ipsec restart cat < Date: Thu, 21 May 2020 00:22:05 -0500 Subject: [PATCH 0315/1208] Update docs --- README-zh.md | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README-zh.md b/README-zh.md index 3f11ac5cd0..2c76a82d64 100644 --- a/README-zh.md +++ b/README-zh.md @@ -151,7 +151,7 @@ sh vpnsetup.sh **Windows 用户** 在首次连接之前需要修改注册表,以解决 VPN 服务器和/或客户端与 NAT(比如家用路由器)的兼容问题。 -**Android 6 和 7 用户**:如果你遇到连接问题,请尝试 这些步骤。 +**Android 用户** 如果遇到连接问题,请尝试 这些步骤。 同一个 VPN 账户可以在你的多个设备上使用。但是由于 IPsec/L2TP 的局限性,如果需要同时连接在同一个 NAT (比如家用路由器)后面的多个设备到 VPN 服务器,你必须仅使用 IPsec/XAuth 模式。 diff --git a/README.md b/README.md index d7604f92d2..2a32ad2b02 100644 --- a/README.md +++ b/README.md @@ -151,7 +151,7 @@ Enjoy your very own VPN! :sparkles::tada::rocket::sparkles: **Windows users**: This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). -**Android 6 and 7 users**: If you encounter connection issues, try these steps. +**Android users**: If you encounter connection issues, try these steps. The same VPN account can be used by your multiple devices. However, due to an IPsec/L2TP limitation, if you wish to connect multiple devices simultaneously from behind the same NAT (e.g. home router), you must use only IPsec/XAuth mode. From fab5d51d786e5fbd69f191fb786e2ccd6e445003 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Sat, 23 May 2020 17:57:38 -0500 Subject: [PATCH 0316/1208] Cleanup - No need to apply IPTables rules for Ubuntu/Debian --- vpnsetup.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index e07d79e26c..fa5e7e4c29 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -419,7 +419,6 @@ fi bigecho "Enabling services on boot..." -# Check for iptables-persistent IPT_PST="/etc/init.d/iptables-persistent" IPT_PST2="/usr/share/netfilter-persistent/plugins.d/15-ip4tables" ipt_load=1 @@ -492,9 +491,6 @@ sysctl -e -q -p chmod +x /etc/rc.local chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* -# Apply new IPTables rules -iptables-restore < "$IPT_FILE" - # Restart services mkdir -p /run/pluto service fail2ban restart 2>/dev/null From d457ebd16de4ca13f5f5865899753966e360d312 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 23 May 2020 23:38:37 -0500 Subject: [PATCH 0317/1208] CentOS 8 fixes - Use nftables instead of iptables-services for CentOS 8 - Existing firewalld rules are now preserved during VPN setup, which will be saved as part of nftables rules --- vpnsetup_centos.sh | 77 ++++++++++++++++++++++++++++++---------------- 1 file changed, 51 insertions(+), 26 deletions(-) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index d2783e8a37..e3802f9c66 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -159,9 +159,9 @@ elif grep -qs "release 7" /etc/redhat-release; then else if [ -f /usr/sbin/subscription-manager ]; then subscription-manager repos --enable "codeready-builder-for-rhel-8-*-rpms" - yum -y install systemd-devel iptables-services libevent-devel fipscheck-devel || exiterr2 + yum -y install systemd-devel nftables libevent-devel fipscheck-devel || exiterr2 else - yum "$REPO4" -y install systemd-devel iptables-services libevent-devel fipscheck-devel || exiterr2 + yum "$REPO4" -y install systemd-devel nftables libevent-devel fipscheck-devel || exiterr2 fi fi 
@@ -363,21 +363,36 @@ net.ipv4.tcp_wmem = 10240 87380 12582912 EOF fi +if [ ! -f /etc/fail2ban/jail.local ] ; then + bigecho "Creating basic Fail2Ban rules..." +cat > /etc/fail2ban/jail.local <<'EOF' +[ssh-iptables] +enabled = true +filter = sshd +action = iptables[name=SSH, port=ssh, protocol=tcp] +logpath = /var/log/secure +EOF +fi + bigecho "Updating IPTables rules..." -# Check if rules need updating -ipt_flag=0 IPT_FILE="/etc/sysconfig/iptables" -if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \ - || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \ - || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then +if grep -qs "release 8" /etc/redhat-release; then + IPT_FILE="/etc/sysconfig/nftables.conf" +fi +ipt_flag=0 +if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then ipt_flag=1 fi -# Add IPTables rules for VPN if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 - iptables-save > "$IPT_FILE.old-$SYS_DT" + if grep -qs "release 8" /etc/redhat-release; then + nft list ruleset > "$IPT_FILE.old-$SYS_DT" + chmod 600 "$IPT_FILE.old-$SYS_DT" + else + iptables-save > "$IPT_FILE.old-$SYS_DT" + fi iptables -I INPUT 1 -p udp --dport 1701 -m policy --dir in --pol none -j DROP iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP iptables -I INPUT 3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
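Review bot: The new `ipt_flag` test in the `@@ -363,21 +363,36 @@` hunk of vpnsetup_centos.sh relies on the `hwdsl2 VPN script` marker in `$IPT_FILE` alone; the two `iptables -t nat -C POSTROUTING ...` probes that checked the loaded ruleset against `$L2TP_NET` and `$XAUTH_NET` are gone. A host whose file still carries the marker but whose loaded rules were flushed, or whose VPN subnets have changed, now skips the rule update without any message. Keeping a live probe alongside the marker check would preserve the old behaviour. In the same hunk, `chmod 600` is applied to the backup only in the `nft list ruleset` branch; the `iptables-save` backup could get the same mode.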
@@ -390,26 +405,27 @@ if [ "$ipt_flag" = "1" ]; then iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT - # Uncomment if you wish to disallow traffic between VPN clients themselves + # Uncomment to disallow traffic between VPN clients # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP - iptables -A FORWARD -j DROP iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" - iptables-save >> "$IPT_FILE" -fi - -bigecho "Creating basic Fail2Ban rules..." - -if [ ! -f /etc/fail2ban/jail.local ] ; then -cat > /etc/fail2ban/jail.local <<'EOF' -[ssh-iptables] -enabled = true -filter = sshd -action = iptables[name=SSH, port=ssh, protocol=tcp] -logpath = /var/log/secure -EOF + if grep -qs "release 8" /etc/redhat-release; then + for vport in 500 4500 1701; do + nft insert rule inet firewalld filter_INPUT udp dport "$vport" accept + done + for vnet in "$L2TP_NET" "$XAUTH_NET"; do + for vdir in saddr daddr; do + nft insert rule inet firewalld filter_FORWARD ip "$vdir" "$vnet" accept + done + done + echo "flush ruleset" >> "$IPT_FILE" + nft list ruleset >> "$IPT_FILE" + else + iptables -A FORWARD -j DROP + iptables-save >> "$IPT_FILE" + fi fi bigecho "Enabling services on boot..." 
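Review bot: On the release 8 path of the `@@ -390,26 +405,27 @@` hunk, the rules inserted into `inet firewalld filter_FORWARD` accept on address alone (`ip saddr` / `ip daddr` for `$L2TP_NET` and `$XAUTH_NET`), and the catch-all `iptables -A FORWARD -j DROP` has moved into the `else` branch, so it no longer runs on that path. The iptables FORWARD rules above it limit traffic towards the VPN subnets to `RELATED,ESTABLISHED` arriving on `$NET_IFACE`; without the final drop, that limit depends on whatever the FORWARD policy is. Consider adding `ct state established,related` to the `daddr` rules, or keeping the drop on both paths. The `udp dport 1701 accept` rule is likewise unconditional, while the iptables INPUT rule drops port 1701 unless the packet arrived through IPsec; a comment stating how the two are meant to interact would help. Also note that `echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE"` truncates the existing nftables.conf, whereas the backup taken earlier holds the output of `nft list ruleset`, not a copy of that file.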
@@ -419,7 +435,12 @@ if grep -qs "release 6" /etc/redhat-release; then chkconfig fail2ban on else systemctl --now mask firewalld 2>/dev/null +fi + +if grep -qs "release 7" /etc/redhat-release; then systemctl enable iptables fail2ban 2>/dev/null +elif grep -qs "release 8" /etc/redhat-release; then + systemctl enable nftables fail2ban 2>/dev/null fi if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then @@ -454,9 +475,13 @@ chmod +x /etc/rc.local chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* # Apply new IPTables rules -iptables-restore < "$IPT_FILE" +if grep -qs "release 8" /etc/redhat-release; then + nft -f "$IPT_FILE" +else + iptables-restore < "$IPT_FILE" +fi -# Fix xl2tpd on CentOS 7/8, if kernel module "l2tp_ppp" is unavailable +# Fix xl2tpd not starting, if l2tp_ppp is unavailable if grep -qs -e "release 7" -e "release 8" /etc/redhat-release; then if ! modprobe -q l2tp_ppp; then sed -i '/^ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service From a087be669fbacea455830cc297df6c9ec6177ee6 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 24 May 2020 00:14:05 -0500 Subject: [PATCH 0318/1208] Cleanup --- vpnsetup.sh | 10 +++------- vpnsetup_centos.sh | 21 +++++++++++---------- 2 files changed, 14 insertions(+), 17 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index fa5e7e4c29..9ab41574f4 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -376,17 +376,13 @@ fi bigecho "Updating IPTables rules..." -# Check if rules need updating -ipt_flag=0 IPT_FILE="/etc/iptables.rules" IPT_FILE2="/etc/iptables/rules.v4" -if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE" \ - || ! iptables -t nat -C POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE 2>/dev/null \ - || ! iptables -t nat -C POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE 2>/dev/null; then +ipt_flag=0 +if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then ipt_flag=1 fi -# Add IPTables rules for VPN if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 iptables-save > "$IPT_FILE.old-$SYS_DT" @@ -402,7 +398,7 @@ if [ "$ipt_flag" = "1" ]; then iptables -I FORWARD 4 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j ACCEPT iptables -I FORWARD 5 -i "$NET_IFACE" -d "$XAUTH_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD 6 -s "$XAUTH_NET" -o "$NET_IFACE" -j ACCEPT - # Uncomment if you wish to disallow traffic between VPN clients themselves + # Uncomment to disallow traffic between VPN clients # iptables -I FORWARD 2 -i ppp+ -o ppp+ -s "$L2TP_NET" -d "$L2TP_NET" -j DROP # iptables -I FORWARD 3 -s "$XAUTH_NET" -d "$XAUTH_NET" -j DROP iptables -A FORWARD -j DROP diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index e3802f9c66..15e1e4826c 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -151,12 +151,15 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \ yum "$REPO1" -y install xl2tpd || exiterr2 if grep -qs "release 6" /etc/redhat-release; then + os_ver=6 yum -y remove libevent-devel yum "$REPO2" "$REPO3" -y install libevent2-devel fipscheck-devel || exiterr2 elif grep -qs "release 7" /etc/redhat-release; then + os_ver=7 yum -y install systemd-devel iptables-services || exiterr2 yum "$REPO2" "$REPO3" -y install libevent-devel fipscheck-devel || exiterr2 else + os_ver=8 if [ -f /usr/sbin/subscription-manager ]; then subscription-manager repos --enable "codeready-builder-for-rhel-8-*-rpms" yum -y install systemd-devel nftables libevent-devel fipscheck-devel || exiterr2 @@ -377,9 +380,7 @@ fi bigecho "Updating IPTables rules..." IPT_FILE="/etc/sysconfig/iptables" -if grep -qs "release 8" /etc/redhat-release; then - IPT_FILE="/etc/sysconfig/nftables.conf" -fi +[ "$os_ver" = "8" ] && IPT_FILE="/etc/sysconfig/nftables.conf" ipt_flag=0 if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then ipt_flag=1 @@ -387,7 +388,7 @@ fi if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 - if grep -qs "release 8" /etc/redhat-release; then + if [ "$os_ver" = "8" ]; then nft list ruleset > "$IPT_FILE.old-$SYS_DT" chmod 600 "$IPT_FILE.old-$SYS_DT" else @@ -411,7 +412,7 @@ if [ "$ipt_flag" = "1" ]; then iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" - if grep -qs "release 8" /etc/redhat-release; then + if [ "$os_ver" = "8" ]; then for vport in 500 4500 1701; do nft insert rule inet firewalld filter_INPUT udp dport "$vport" accept done 
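Review bot: In the `@@ -151,12 +151,15 @@` hunk, `os_ver=8` is assigned in the bare `else`, so every release string that is not 6 or 7 is now treated as 8, where the replaced `grep -qs "release 8" /etc/redhat-release` tests matched release 8 only. The later tests `[ "$os_ver" = "8" ]` for `IPT_FILE`, the `nft` backup and the `nft insert rule` loop therefore apply to any unrecognised release, unless an earlier check already rejects those. An explicit `elif grep -qs "release 8" ...` with a final `else` that exits would keep the previous scope.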
@@ -430,16 +431,16 @@ fi bigecho "Enabling services on boot..." -if grep -qs "release 6" /etc/redhat-release; then +if [ "$os_ver" = "6" ]; then chkconfig iptables on chkconfig fail2ban on else systemctl --now mask firewalld 2>/dev/null fi -if grep -qs "release 7" /etc/redhat-release; then +if [ "$os_ver" = "7" ]; then systemctl enable iptables fail2ban 2>/dev/null -elif grep -qs "release 8" /etc/redhat-release; then +elif [ "$os_ver" = "8" ]; then systemctl enable nftables fail2ban 2>/dev/null fi @@ -475,14 +476,14 @@ chmod +x /etc/rc.local chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* # Apply new IPTables rules -if grep -qs "release 8" /etc/redhat-release; then +if [ "$os_ver" = "8" ]; then nft -f "$IPT_FILE" else iptables-restore < "$IPT_FILE" fi # Fix xl2tpd not starting, if l2tp_ppp is unavailable -if grep -qs -e "release 7" -e "release 8" /etc/redhat-release; then +if [ "$os_ver" != "6" ]; then if ! modprobe -q l2tp_ppp; then sed -i '/^ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service systemctl daemon-reload From 71d67ae690425a56c47dbac4c8c7a33bea626a73 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 24 May 2020 15:07:08 -0500 Subject: [PATCH 0319/1208] CentOS/RHEL fixes - Use nftables only if firewalld is active (CentOS/RHEL 8) - Fix RHEL 7 server-optional repo names. See: https://access.redhat.com/articles/4599971 - Fix an issue where the codeready-builder repo cannot be enabled on EC2 (RHEL 8). Fixes #804. --- vpnsetup_centos.sh | 37 +++++++++++++++++++++---------------- 1 file changed, 21 insertions(+), 16 deletions(-) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 15e1e4826c..b165d968e8 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -140,7 +140,7 @@ yum -y install epel-release || yum -y install "$epel_url" || exiterr2 bigecho "Installing packages required for the VPN..." REPO1='--enablerepo=epel' -REPO2='--enablerepo=*server-optional*' +REPO2='--enablerepo=*server-*optional*' REPO3='--enablerepo=*releases-optional*' REPO4='--enablerepo=PowerTools' @@ -150,6 +150,7 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \ yum "$REPO1" -y install xl2tpd || exiterr2 +use_nft=0 if grep -qs "release 6" /etc/redhat-release; then os_ver=6 yum -y remove libevent-devel @@ -160,11 +161,15 @@ elif grep -qs "release 7" /etc/redhat-release; then yum "$REPO2" "$REPO3" -y install libevent-devel fipscheck-devel || exiterr2 else os_ver=8 - if [ -f /usr/sbin/subscription-manager ]; then - subscription-manager repos --enable "codeready-builder-for-rhel-8-*-rpms" - yum -y install systemd-devel nftables libevent-devel fipscheck-devel || exiterr2 + if grep -qs "Red Hat" /etc/redhat-release; then + REPO4='--enablerepo=codeready-builder-for-rhel-8-*' + fi + yum "$REPO4" -y install systemd-devel libevent-devel fipscheck-devel || exiterr2 + if systemctl is-active --quiet firewalld.service; then + use_nft=1 + yum -y install nftables || exiterr2 else - yum "$REPO4" -y install systemd-devel nftables libevent-devel fipscheck-devel || exiterr2 + yum -y install iptables-services || exiterr2 fi fi @@ -380,7 +385,7 @@ fi bigecho "Updating IPTables rules..." IPT_FILE="/etc/sysconfig/iptables" -[ "$os_ver" = "8" ] && IPT_FILE="/etc/sysconfig/nftables.conf" +[ "$use_nft" = "1" ] && IPT_FILE="/etc/sysconfig/nftables.conf" ipt_flag=0 if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then ipt_flag=1 @@ -388,7 +393,7 @@ fi if [ "$ipt_flag" = "1" ]; then service fail2ban stop >/dev/null 2>&1 - if [ "$os_ver" = "8" ]; then + if [ "$use_nft" = "1" ]; then nft list ruleset > "$IPT_FILE.old-$SYS_DT" chmod 600 "$IPT_FILE.old-$SYS_DT" else 
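Review bot: `use_nft` in the `@@ -160,11 +161,15 @@` hunk is decided by `systemctl is-active --quiet firewalld.service` at the moment the script runs, but the script itself later runs `systemctl --now mask firewalld`. A second run on the same CentOS/RHEL 8 host therefore takes the `iptables-services` branch, points `IPT_FILE` at `/etc/sysconfig/iptables`, finds no marker there and adds the rules again through the other backend. Treating an existing marker in `/etc/sysconfig/nftables.conf` as `use_nft=1` as well would keep re-runs on the path the first run chose.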
@@ -412,7 +417,7 @@ if [ "$ipt_flag" = "1" ]; then iptables -t nat -I POSTROUTING -s "$XAUTH_NET" -o "$NET_IFACE" -m policy --dir out --pol none -j MASQUERADE iptables -t nat -I POSTROUTING -s "$L2TP_NET" -o "$NET_IFACE" -j MASQUERADE echo "# Modified by hwdsl2 VPN script" > "$IPT_FILE" - if [ "$os_ver" = "8" ]; then + if [ "$use_nft" = "1" ]; then for vport in 500 4500 1701; do nft insert rule inet firewalld filter_INPUT udp dport "$vport" accept done @@ -438,10 +443,10 @@ else systemctl --now mask firewalld 2>/dev/null fi -if [ "$os_ver" = "7" ]; then - systemctl enable iptables fail2ban 2>/dev/null -elif [ "$os_ver" = "8" ]; then +if [ "$use_nft" = "1" ]; then systemctl enable nftables fail2ban 2>/dev/null +else + systemctl enable iptables fail2ban 2>/dev/null fi if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then @@ -464,9 +469,9 @@ fi bigecho "Starting services..." # Restore SELinux contexts -restorecon /etc/ipsec.d/*db 2>/dev/null -restorecon /usr/local/sbin -Rv 2>/dev/null -restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null +restorecon /etc/ipsec.d/*db >/dev/null 2>&1 +restorecon /usr/local/sbin -Rv >/dev/null 2>&1 +restorecon /usr/local/libexec/ipsec -Rv >/dev/null 2>&1 # Reload sysctl.conf sysctl -e -q -p @@ -476,13 +481,13 @@ chmod +x /etc/rc.local chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* # Apply new IPTables rules -if [ "$os_ver" = "8" ]; then +if [ "$use_nft" = "1" ]; then nft -f "$IPT_FILE" else iptables-restore < "$IPT_FILE" fi -# Fix xl2tpd not starting, if l2tp_ppp is unavailable +# Fix xl2tpd if l2tp_ppp is unavailable if [ "$os_ver" != "6" ]; then if ! modprobe -q l2tp_ppp; then sed -i '/^ExecStartPre/s/^/#/' /usr/lib/systemd/system/xl2tpd.service From 5fe5f04835634aca493bebdce6087a6ff397909e Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Mon, 25 May 2020 13:40:04 -0500 Subject: [PATCH 0320/1208] Update upgrade scripts - Ref: 71d67ae --- extras/vpnupgrade.sh | 6 +++--- extras/vpnupgrade_centos.sh | 22 ++++++++++------------ 2 files changed, 13 insertions(+), 15 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index ba6b0a9bd5..63136cf9e5 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -285,11 +285,11 @@ service ipsec restart cat </dev/null | grep -qF "$SWAN_VER"; then fi # Restore SELinux contexts -restorecon /etc/ipsec.d/*db 2>/dev/null -restorecon /usr/local/sbin -Rv 2>/dev/null -restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null +restorecon /etc/ipsec.d/*db >/dev/null 2>&1 +restorecon /usr/local/sbin -Rv >/dev/null 2>&1 +restorecon /usr/local/libexec/ipsec -Rv >/dev/null 2>&1 # Update ipsec.conf IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" @@ -290,11 +288,11 @@ service ipsec restart cat < Date: Mon, 25 May 2020 14:20:32 -0500 Subject: [PATCH 0321/1208] Update docs --- README-zh.md | 4 ++-- README.md | 4 ++-- docs/uninstall-zh.md | 11 +++++------ docs/uninstall.md | 11 +++++------ 4 files changed, 14 insertions(+), 16 deletions(-) diff --git a/README-zh.md b/README-zh.md index 2c76a82d64..dec5b7df84 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -157,9 +157,9 @@ sh vpnsetup.sh 如果需要添加,修改或者删除 VPN 用户账户,请参见 管理 VPN 用户。该文档包含辅助脚本,以方便管理 VPN 用户。 -对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。 +对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。 -在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`,然后重启服务器。高级用户可以在运行 VPN 脚本时定义 `VPN_DNS_SRV1` 和 `VPN_DNS_SRV2`(可选)。 +在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`,然后重启服务器。 使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 16.04-20.04, Debian 9-10 和 CentOS 6-8. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart`。 diff --git a/README.md b/README.md index 2a32ad2b02..12add589f9 100644 --- a/README.md +++ b/README.md 
@@ -157,9 +157,9 @@ The same VPN account can be used by your multiple devices. However, due to an IP If you wish to add, edit or remove VPN user accounts, see Manage VPN Users. Helper scripts are included for convenience. -For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433). +For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433). -Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. Advanced users can define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script. +Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 16.04-20.04, Debian 9-10 and CentOS 6-8. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`. diff --git a/docs/uninstall-zh.md b/docs/uninstall-zh.md index 6c85d8f881..561349fc19 100644 --- a/docs/uninstall-zh.md +++ b/docs/uninstall-zh.md 
@@ -37,14 +37,13 @@ rm -f /etc/init/ipsec.conf /lib/systemd/system/ipsec.service \ ### Ubuntu/Debian -编辑 `/etc/iptables.rules` 并删除不需要的规则。 -你以前的防火墙规则(如果有)会备份在 `/etc/iptables.rules.old-日期-时间`。 -另外如果文件 `/etc/iptables/rules.v4` 存在,请编辑它。 +编辑 `/etc/iptables.rules` 并删除不需要的规则。你之前的防火墙规则(如果有)备份在 `/etc/iptables.rules.old-日期-时间`。另外如果文件 `/etc/iptables/rules.v4` 存在,请编辑它。 ### CentOS/RHEL -编辑 `/etc/sysconfig/iptables` 并删除不需要的规则。 -你以前的防火墙规则(如果有)会备份在 `/etc/sysconfig/iptables.old-日期-时间`。 +编辑 `/etc/sysconfig/iptables` 并删除不需要的规则。你之前的防火墙规则(如果有)备份在 `/etc/sysconfig/iptables.old-日期-时间`。 + +**注:** 如果使用 CentOS/RHEL 8 并且在安装 VPN 时 firewalld 正在运行,则可能已配置 nftables。编辑 `/etc/sysconfig/nftables.conf` 并删除不需要的规则。你之前的防火墙规则备份在 `/etc/sysconfig/nftables.conf.old-日期-时间`。 ## 第四步 @@ -53,7 +52,7 @@ rm -f /etc/init/ipsec.conf /lib/systemd/system/ipsec.service \ ## 可选步骤 -注: 这一步是可选的。 +**注:** 这一步是可选的。 删除这些配置文件: diff --git a/docs/uninstall.md b/docs/uninstall.md index 6037292326..b0f0cd6384 100644 --- a/docs/uninstall.md +++ b/docs/uninstall.md 
@@ -37,14 +37,13 @@ rm -f /etc/init/ipsec.conf /lib/systemd/system/ipsec.service \ ### Ubuntu/Debian -Edit `/etc/iptables.rules` and remove unneeded rules. -Your original rules (if any) are backed up as `/etc/iptables.rules.old-date-time`. -In addition, edit `/etc/iptables/rules.v4` if the file exists. +Edit `/etc/iptables.rules` and remove unneeded rules. Your original rules (if any) are backed up as `/etc/iptables.rules.old-date-time`. In addition, edit `/etc/iptables/rules.v4` if the file exists. ### CentOS/RHEL -Edit `/etc/sysconfig/iptables` and remove unneeded rules. -Your original rules (if any) are backed up as `/etc/sysconfig/iptables.old-date-time`. +Edit `/etc/sysconfig/iptables` and remove unneeded rules. Your original rules (if any) are backed up as `/etc/sysconfig/iptables.old-date-time`. + +**Note:** If using CentOS/RHEL 8 and firewalld was active during VPN setup, nftables may be configured. Edit `/etc/sysconfig/nftables.conf` and remove unneeded rules. Your original rules are backed up as `/etc/sysconfig/nftables.conf.old-date-time`. ## Fourth step @@ -53,7 +52,7 @@ Edit `/etc/rc.local` and remove the lines after `# Added by hwdsl2 VPN script`. ## Optional -Note: This step is optional. +**Note:** This step is optional. Remove these config files: From 60d89c7181a1763d6ad4f54b8ca0f0eb26695b89 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 30 May 2020 02:52:49 -0500 Subject: [PATCH 0322/1208] Update docs --- docs/clients-zh.md | 6 +++++- docs/clients.md | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 65bc758d88..0a459428ff 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md @@ -303,6 +303,8 @@ iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out \ echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc ``` +**Docker 用户:** 要修复这个问题,不需要运行以上命令。你可以在你的 env 文件中添加 `VPN_ANDROID_MTU_FIX=yes`,然后重新创建 Docker 容器。 + 参考链接:[1] [2]。 ### Android 6 和 7 
@@ -312,6 +314,8 @@ echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc 1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在(看下图),请启用它并重试连接。如果不存在,请尝试下一步。 1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug` 一行并切换它的值。也就是说,将 `sha2-truncbug=no` 替换为 `sha2-truncbug=yes`,或者将 `sha2-truncbug=yes` 替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。然后重新连接 VPN。 +**Docker 用户:** 如需在 `/etc/ipsec.conf` 中设置 `sha2-truncbug=yes`(默认为 `no`),你可以在你的 env 文件中添加 `VPN_SHA2_TRUNCBUG=yes`,然后重新创建 Docker 容器。 + ![Android VPN workaround](images/vpn-profile-Android.png) ### iOS 13 和 macOS 10.15 @@ -354,7 +358,7 @@ service ipsec restart service xl2tpd restart ``` -如果你使用 Docker,请运行 `docker restart ipsec-vpn-server`。 +**Docker 用户:** 运行 `docker restart ipsec-vpn-server`。 然后重启你的 VPN 客户端设备,并重试连接。如果仍然无法连接,可以尝试删除并重新创建 VPN 连接,按照本文档中的步骤操作。请确保输入了正确的 VPN 登录凭证。 diff --git a/docs/clients.md b/docs/clients.md index 0a8d8e4247..bd84e88361 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -303,6 +303,8 @@ iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out \ echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc ``` +**Docker users:** Instead of running the commands above, you may apply this fix by adding `VPN_ANDROID_MTU_FIX=yes` to your env file, then re-create the Docker container. + References: [1] [2]. ### Android 6 and 7 
@@ -312,6 +314,8 @@ If your Android 6.x or 7.x device cannot connect, try these steps: 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. If not, try the next step. 1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug` and toggle its value. i.e. Replace `sha2-truncbug=no` with `sha2-truncbug=yes`, or replace `sha2-truncbug=yes` with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. Then reconnect the VPN. +**Docker users:** You may set `sha2-truncbug=yes` (default is `no`) in `/etc/ipsec.conf` by adding `VPN_SHA2_TRUNCBUG=yes` to your env file, then re-create the Docker container. + ![Android VPN workaround](images/vpn-profile-Android.png) ### iOS 13 and macOS 10.15 @@ -354,7 +358,7 @@ service ipsec restart service xl2tpd restart ``` -If using Docker, run `docker restart ipsec-vpn-server`. +**Docker users:** Run `docker restart ipsec-vpn-server`. Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly. From 5894ea2e1f0a5ba3c021c442e75f1e603e4c5180 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 30 May 2020 17:35:27 -0500 Subject: [PATCH 0323/1208] Update IKEv2 script - Allow running from inside a container, so that it can be used with: https://github.com/hwdsl2/docker-ipsec-vpn-server --- extras/ikev2setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 365c24a708..38e1d9c440 100644 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh 
@@ -35,7 +35,7 @@ fi ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux //' -e 's/Libreswan //' -e 's/ (netkey) on .*//') -if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \ +if ( ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf && ! grep -qs "hwdsl2" /opt/src/run.sh ) \ || ! printf '%s' "$ipsec_ver" | grep -q "Libreswan" \ || [ ! -f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then cat 1>&2 <<'EOF' From e1e1b67afdf1afc025aab06687ed504c3fca578c Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 30 May 2020 23:09:32 -0500 Subject: [PATCH 0324/1208] Improve IKEv2 setup - Use /etc/ipsec.d/ikev2.conf for IKEv2 configuration - Allow running from inside a container, so that it can be used with: https://github.com/hwdsl2/docker-ipsec-vpn-server --- extras/ikev2setup.sh | 110 ++++++++++++++++++++++++++++++------------- vpnsetup.sh | 2 + vpnsetup_centos.sh | 2 + 3 files changed, 80 insertions(+), 34 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 38e1d9c440..7d6affbf2d 100644 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -37,7 +37,7 @@ ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux //' -e 's/Libreswan //' -e 's/ (netkey) on .*//') if ( ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf && ! grep -qs "hwdsl2" /opt/src/run.sh ) \ || ! printf '%s' "$ipsec_ver" | grep -q "Libreswan" \ - || [ ! -f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then + || [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then cat 1>&2 <<'EOF' Error: Your must first set up the IPsec VPN server before setting up IKEv2. See: https://github.com/hwdsl2/setup-ipsec-vpn @@ -45,6 +45,11 @@ EOF exit 1 fi +in_container=0 +if grep -qs "hwdsl2" /opt/src/run.sh; then + in_container=1 +fi + case "$swan_ver" in 3.19|3.2[01235679]|3.3[12]) /bin/true 
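Review bot: The container test `grep -qs "hwdsl2" /opt/src/run.sh` now appears twice, once inside the precondition in the `@@ -37,7 +37,7 @@` hunk and again in the `@@ -45,6 +45,11 @@` hunk to set `in_container`. Setting `in_container` first and testing the variable in the precondition would keep the two checks from drifting apart. A one-line comment on why the presence of `/opt/src/run.sh` identifies the container would also help the next reader.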
@@ -61,7 +66,7 @@ EOF ;; esac -if grep -qs "conn ikev2-cp" /etc/ipsec.conf; then +if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then cat 1>&2 <<'EOF' Error: It looks like IKEv2 has already been set up on this server. To generate certificates for additional VPN clients, see step 4 in section 
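Review bot: the added `[ -f /etc/ipsec.d/ikev2.conf ]` test treats the mere existence of the file as a finished IKEv2 setup, while the ipsec.conf test beside it looks for the `conn ikev2-cp` section. An empty or unrelated file at that path would make the script refuse to run. Assuming the section keeps its `conn ikev2-cp` name in the new file, match on content in both places, e.g. `grep -qs "conn ikev2-cp" /etc/ipsec.conf /etc/ipsec.d/ikev2.conf`.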
@@ -130,31 +135,50 @@ if uname -m | grep -qi '^arm'; then fi if [ "$mobike_support" = "1" ]; then - os_type="$(lsb_release -si 2>/dev/null)" - if [ -z "$os_type" ]; then - [ -f /etc/os-release ] && os_type="$(. /etc/os-release && printf '%s' "$ID")" - [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID")" - [ "$os_type" = "ubuntu" ] && os_type=Ubuntu - fi - [ -z "$os_type" ] && [ -f /etc/redhat-release ] && os_type=CentOS/RHEL - if [ -z "$os_type" ] || [ "$os_type" = "Ubuntu" ]; then - mobike_support=0 + if [ "$in_container" = "0" ]; then + os_type="$(lsb_release -si 2>/dev/null)" + if [ -z "$os_type" ]; then + [ -f /etc/os-release ] && os_type="$(. /etc/os-release && printf '%s' "$ID")" + [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID")" + [ "$os_type" = "ubuntu" ] && os_type=Ubuntu + fi + [ -z "$os_type" ] && [ -f /etc/redhat-release ] && os_type=CentOS/RHEL + if [ -z "$os_type" ] || [ "$os_type" = "Ubuntu" ]; then + mobike_support=0 + fi + else + echo + echo "NOTE: DO NOT enable MOBIKE support, if your Docker host runs Ubuntu Linux." fi fi mobike_enable=0 if [ "$mobike_support" = "1" ]; then - echo - printf "Do you want to enable MOBIKE support? [Y/n] " - read -r response - case $response in - [yY][eE][sS]|[yY]|'') - mobike_enable=1 - ;; - *) - mobike_enable=0 - ;; - esac + if [ "$in_container" = "0" ]; then + echo + printf "Do you want to enable MOBIKE support? [Y/n] " + read -r response + case $response in + [yY][eE][sS]|[yY]|'') + mobike_enable=1 + ;; + *) + mobike_enable=0 + ;; + esac + else + echo + printf "Do you want to enable MOBIKE support? 
[y/N] " + read -r response + case $response in + [yY][eE][sS]|[yY]) + mobike_enable=1 + ;; + *) + mobike_enable=0 + ;; + esac + fi fi cat <> /etc/ipsec.conf + echo 'include /etc/ipsec.d/*.conf' >> /etc/ipsec.conf +fi -cat >> /etc/ipsec.conf < /etc/ipsec.d/ikev2.conf <> /etc/ipsec.conf <<'EOF' +cat >> /etc/ipsec.d/ikev2.conf <<'EOF' modecfgdns="8.8.8.8 8.8.4.4" encapsulation=yes EOF if [ "$mobike_enable" = "1" ]; then - echo " mobike=yes" >> /etc/ipsec.conf + echo " mobike=yes" >> /etc/ipsec.d/ikev2.conf else - echo " mobike=no" >> /etc/ipsec.conf + echo " mobike=no" >> /etc/ipsec.d/ikev2.conf fi ;; 3.19|3.2[012]) -cat >> /etc/ipsec.conf <<'EOF' +cat >> /etc/ipsec.d/ikev2.conf <<'EOF' modecfgdns1=8.8.8.8 modecfgdns2=8.8.4.4 encapsulation=yes @@ -293,7 +322,11 @@ certutil -z <(head -c 1024 /dev/urandom) \ bigecho "Exporting CA certificate..." -certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ~/"vpnca-$SYS_DT.cer" +if [ "$in_container" = "0" ]; then + certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ~/"vpnca-$SYS_DT.cer" +else + certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o "/etc/ipsec.d/vpnca-$SYS_DT.cer" +fi bigecho "Exporting .p12 file..." @@ -304,7 +337,11 @@ When importing into an iOS or macOS device, this password cannot be empty. EOF -pk12util -d sql:/etc/ipsec.d -n "vpnclient" -o ~/"vpnclient-$SYS_DT.p12" +if [ "$in_container" = "0" ]; then + pk12util -d sql:/etc/ipsec.d -n "vpnclient" -o ~/"vpnclient-$SYS_DT.p12" +else + pk12util -d sql:/etc/ipsec.d -n "vpnclient" -o "/etc/ipsec.d/vpnclient-$SYS_DT.p12" +fi bigecho "Restarting IPsec service..." @@ -313,7 +350,7 @@ service ipsec restart cat < Date: Sat, 30 May 2020 23:13:14 -0500 Subject: [PATCH 0325/1208] Update IKEv2 docs --- docs/ikev2-howto-zh.md | 21 ++++++++++++++------- docs/ikev2-howto.md | 21 ++++++++++++++------- 2 files changed, 28 insertions(+), 14 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index f0c9b558fb..86bc79a60a 100644 
--- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -51,10 +51,17 @@ wget https://git.io/ikev2setup -O ikev2setup.sh && sudo bash ikev2setup.sh **注:** 另外,在这里你也可以指定 VPN 服务器的域名。例如: `PUBLIC_IP=myvpn.example.com`。 -1. 在 `/etc/ipsec.conf` 文件中添加一个新的 IKEv2 连接: +1. 添加一个新的 IKEv2 连接: ```bash - cat >> /etc/ipsec.conf <> /etc/ipsec.conf + echo 'include /etc/ipsec.d/*.conf' >> /etc/ipsec.conf + fi + ``` + + ```bash + cat > /etc/ipsec.d/ikev2.conf <> /etc/ipsec.conf <> /etc/ipsec.d/ikev2.conf <> /etc/ipsec.conf <> /etc/ipsec.d/ikev2.conf <> /etc/ipsec.conf <> /etc/ipsec.d/ikev2.conf <> /etc/ipsec.conf <> /etc/ipsec.conf + echo 'include /etc/ipsec.d/*.conf' >> /etc/ipsec.conf + fi + ``` + + ```bash + cat > /etc/ipsec.d/ikev2.conf <> /etc/ipsec.conf <> /etc/ipsec.d/ikev2.conf <> /etc/ipsec.conf <> /etc/ipsec.d/ikev2.conf <> /etc/ipsec.conf <> /etc/ipsec.d/ikev2.conf < Date: Sun, 31 May 2020 17:37:49 -0500 Subject: [PATCH 0326/1208] Update IKEv2 docs --- docs/ikev2-howto-zh.md | 6 ++++-- docs/ikev2-howto.md | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 86bc79a60a..1ad90a2747 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -25,12 +25,12 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ## 使用辅助脚本 -**重要:** 作为使用本指南的先决条件,在继续之前,你必须确保你已经成功地 搭建自己的 VPN 服务器,并且(可选但推荐)将 Libreswan 升级 到最新版本。 +**重要:** 作为使用本指南的先决条件,在继续之前,你必须确保你已经成功地 搭建自己的 VPN 服务器,并且(可选但推荐)将 Libreswan 升级 到最新版本。Docker 用户请看 这里。 你可以使用这个辅助脚本来自动地在 VPN 服务器上配置 IKEv2: ``` -wget https://git.io/ikev2setup -O ikev2setup.sh && sudo bash ikev2setup.sh +wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh ``` 该 脚本 必须使用 `bash` 而不是 `sh` 运行。按照脚本的提示配置 IKEv2。在完成之后,请转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端) 和 [已知问题](#已知问题)。如需为更多的客户端生成证书,请参见下一小节的第 4 步。 
@@ -237,6 +237,8 @@ wget https://git.io/ikev2setup -O ikev2setup.sh && sudo bash ikev2setup.sh ## 配置 IKEv2 VPN 客户端 +*其他语言版本: [English](ikev2-howto.md#configure-ikev2-vpn-clients), [简体中文](ikev2-howto-zh.md#配置-ikev2-vpn-客户端).* + **注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须在 **服务器地址** 和 **远程 ID** 字段中输入该域名。如需为更多的客户端生成证书,请参见上一小节的第 4 步。 * [Windows 7, 8.x 和 10](#windows-7-8x-和-10) diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index d091add48b..ed756bc664 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -25,12 +25,12 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica ## Using helper scripts -**Important:** As a prerequisite to using this guide, and before continuing, you must make sure that you have successfully set up your own VPN server, and (optional but recommended) upgraded Libreswan to the latest version. +**Important:** As a prerequisite to using this guide, and before continuing, you must make sure that you have successfully set up your own VPN server, and (optional but recommended) upgraded Libreswan to the latest version. Docker users, see here. You may use this helper script to automatically set up IKEv2 on the VPN server: ``` -wget https://git.io/ikev2setup -O ikev2setup.sh && sudo bash ikev2setup.sh +wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh ``` The script must be run using `bash`, not `sh`. Follow the prompts to set up IKEv2. When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) and check [known issues](#known-issues). If you wish to generate certificates for additional VPN clients, refer to step 4 in the next section. 
@@ -237,6 +237,8 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th ## Configure IKEv2 VPN clients +*Read this in other languages: [English](ikev2-howto.md#configure-ikev2-vpn-clients), [简体中文](ikev2-howto-zh.md#配置-ikev2-vpn-客户端).* + **Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must enter the DNS name in the **Server** and **Remote ID** fields. If you wish to generate certificates for additional VPN clients, refer to step 4 in the previous section. * [Windows 7, 8.x and 10](#windows-7-8x-and-10) From 333a63850ee6805b9de6c0e73abd5edf202f83bf Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 5 Jun 2020 00:29:15 -0500 Subject: [PATCH 0327/1208] Update IKEv2 script - Support adding IKEv2 VPN clients - Users can specify name for the first VPN client --- extras/ikev2setup.sh | 136 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 122 insertions(+), 14 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 7d6affbf2d..2100b156ec 100644 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh 
@@ -66,17 +66,114 @@ EOF ;; esac +command -v certutil >/dev/null 2>&1 || { echo >&2 "Error: Command 'certutil' not found. Abort."; exit 1; } +command -v pk12util >/dev/null 2>&1 || { echo >&2 "Error: Command 'pk12util' not found. Abort."; exit 1; } + if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then -cat 1>&2 <<'EOF' -Error: It looks like IKEv2 has already been set up on this server. - To generate certificates for additional VPN clients, see step 4 in section - "Manually set up IKEv2 on the VPN server" at https://git.io/ikev2 + echo "It looks like IKEv2 has already been set up on this server." + printf "Do you want to add a new VPN client? [y/N] " + read -r response + case $response in + [yY][eE][sS]|[yY]) + echo + ;; + *) + echo "Abort. No changes were made." + exit 1 + ;; + esac + + echo "Provide a name for the IKEv2 VPN client. Use one word only, no special characters." + read -rp "Client name: " client_name + while [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \ + || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ + || certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; do + echo "Invalid client name." + read -rp "Client name: " client_name + done + + echo + echo "The CA certificate was exported during initial IKEv2 setup. It is needed for iOS clients." + printf "Do you want to export the CA certificate again? [y/N] " + read -r response + case $response in + [yY][eE][sS]|[yY]) + export_ca=1 + ;; + *) + export_ca=0 + ;; + esac + + bigecho2 "Generating client certificate..." + + certutil -z <(head -c 1024 /dev/urandom) \ + -S -c "IKEv2 VPN CA" -n "$client_name" \ + -s "O=IKEv2 VPN,CN=$client_name" \ + -k rsa -g 4096 -v 120 \ + -d sql:/etc/ipsec.d -t ",," \ + --keyUsage digitalSignature,keyEncipherment \ + --extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null + + if [ "$export_ca" = "1" ]; then + bigecho "Exporting CA certificate..." 
+ + if [ "$in_container" = "0" ]; then + certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ~/"vpnca-$SYS_DT.cer" + else + certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o "/etc/ipsec.d/vpnca-$SYS_DT.cer" + fi + fi + + bigecho "Exporting .p12 file..." + +cat <<'EOF' +Enter a *secure* password to protect the exported .p12 file. +This file contains the client certificate, private key, and CA certificate. +When importing into an iOS or macOS device, this password cannot be empty. + EOF - exit 1 + + if [ "$in_container" = "0" ]; then + pk12util -d sql:/etc/ipsec.d -n "$client_name" -o ~/"$client_name-$SYS_DT.p12" + else + pk12util -d sql:/etc/ipsec.d -n "$client_name" -o "/etc/ipsec.d/$client_name-$SYS_DT.p12" + fi + +cat </dev/null 2>&1 || { echo >&2 "Error: Command 'certutil' not found. Abort."; exit 1; } -command -v pk12util >/dev/null 2>&1 || { echo >&2 "Error: Command 'pk12util' not found. Abort."; exit 1; } +cat </dev/null + --extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null bigecho "Exporting CA certificate..." @@ -338,9 +446,9 @@ When importing into an iOS or macOS device, this password cannot be empty. EOF if [ "$in_container" = "0" ]; then - pk12util -d sql:/etc/ipsec.d -n "vpnclient" -o ~/"vpnclient-$SYS_DT.p12" + pk12util -d sql:/etc/ipsec.d -n "$client_name" -o ~/"$client_name-$SYS_DT.p12" else - pk12util -d sql:/etc/ipsec.d -n "vpnclient" -o "/etc/ipsec.d/vpnclient-$SYS_DT.p12" + pk12util -d sql:/etc/ipsec.d -n "$client_name" -o "/etc/ipsec.d/$client_name-$SYS_DT.p12" fi bigecho "Restarting IPsec service..." @@ -359,10 +467,10 @@ Client configuration is available at: EOF if [ "$in_container" = "0" ]; then - printf '%s\n' ~/"vpnclient-$SYS_DT.p12" + printf '%s\n' ~/"$client_name-$SYS_DT.p12" printf '%s\n' ~/"vpnca-$SYS_DT.cer (for iOS clients)" else - printf '%s\n' "/etc/ipsec.d/vpnclient-$SYS_DT.p12" + printf '%s\n' "/etc/ipsec.d/$client_name-$SYS_DT.p12" printf '%s\n' "/etc/ipsec.d/vpnca-$SYS_DT.cer (for iOS clients)" fi 
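Review bot: in the new add-client branch of extras/ikev2setup.sh (`@@ -66,17 +66,114 @@`), answering no prints "Abort. No changes were made." and then runs `exit 1`, so a deliberate decline is reported to the caller as an error; `exit 0` would match the message. The branch also carries its own copy of the `certutil -S` and `pk12util -o` export sequence that the first-time path further down the patch still has, now differing only in `$client_name`; moving it into one function would keep the two paths from diverging.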
From f3a93e17fc7654f9433e6a161b637fea98b8b756 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 5 Jun 2020 00:44:33 -0500 Subject: [PATCH 0328/1208] Update IKEv2 docs --- docs/ikev2-howto-zh.md | 4 ++-- docs/ikev2-howto.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 1ad90a2747..c8095a87a6 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -33,7 +33,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh ``` -该 脚本 必须使用 `bash` 而不是 `sh` 运行。按照脚本的提示配置 IKEv2。在完成之后,请转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端) 和 [已知问题](#已知问题)。如需为更多的客户端生成证书,请参见下一小节的第 4 步。 +该 脚本 必须使用 `bash` 而不是 `sh` 运行。按照脚本的提示配置 IKEv2。在完成之后,请转到 [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端) 和 [已知问题](#已知问题)。如果要为更多的客户端生成证书,只需重新运行脚本。 ## 手动在 VPN 服务器上配置 IKEv2 @@ -239,7 +239,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh *其他语言版本: [English](ikev2-howto.md#configure-ikev2-vpn-clients), [简体中文](ikev2-howto-zh.md#配置-ikev2-vpn-客户端).* -**注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须在 **服务器地址** 和 **远程 ID** 字段中输入该域名。如需为更多的客户端生成证书,请参见上一小节的第 4 步。 +**注:** 如果你在上面的第一步指定了服务器的域名(而不是 IP 地址),则必须在 **服务器地址** 和 **远程 ID** 字段中输入该域名。如果要为更多的客户端生成证书,只需重新运行[辅助脚本](#使用辅助脚本)。或者你可以看上一小节的第 4 步。 * [Windows 7, 8.x 和 10](#windows-7-8x-和-10) * [OS X (macOS)](#os-x-macos) diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index ed756bc664..ac6e8f13f9 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -33,7 +33,7 @@ You may use this helper script to automatically set up IKEv2 on the VPN server: wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh ``` -The script must be run using `bash`, not `sh`. Follow the prompts to set up IKEv2. When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) and check [known issues](#known-issues). If you wish to generate certificates for additional VPN clients, refer to step 4 in the next section. +The script must be run using `bash`, not `sh`. Follow the prompts to set up IKEv2. When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) and check [known issues](#known-issues). If you wish to generate certificates for additional VPN clients, just run the script again. ## Manually set up IKEv2 on the VPN server @@ -239,7 +239,7 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th *Read this in other languages: [English](ikev2-howto.md#configure-ikev2-vpn-clients), [简体中文](ikev2-howto-zh.md#配置-ikev2-vpn-客户端).* -**Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must enter the DNS name in the **Server** and **Remote ID** fields. If you wish to generate certificates for additional VPN clients, refer to step 4 in the previous section. +**Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must enter the DNS name in the **Server** and **Remote ID** fields. If you wish to generate certificates for additional VPN clients, just run the [helper script](#using-helper-scripts) again. Or you may refer to step 4 in the previous section. * [Windows 7, 8.x and 10](#windows-7-8x-and-10) * [OS X (macOS)](#os-x-macos) From b7293e95da737f716c52fc403e9a70e17db506e5 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Fri, 5 Jun 2020 10:56:33 -0500 Subject: [PATCH 0329/1208] Cleanup --- extras/add_vpn_user.sh | 2 +- extras/del_vpn_user.sh | 2 +- extras/ikev2setup.sh | 137 +++++++++++++++++-------------------- extras/update_vpn_users.sh | 2 +- vpnsetup.sh | 2 +- vpnsetup_centos.sh | 2 +- 6 files changed, 66 insertions(+), 81 deletions(-) diff --git a/extras/add_vpn_user.sh b/extras/add_vpn_user.sh index 35ee3dae40..4f6053576b 100644 --- a/extras/add_vpn_user.sh +++ b/extras/add_vpn_user.sh @@ -11,7 +11,7 @@ # know how you have improved it! export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -SYS_DT=$(date +%F-%T) +SYS_DT=$(date +%F-%T | tr ':' '_') exiterr() { echo "Error: $1" >&2; exit 1; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } diff --git a/extras/del_vpn_user.sh b/extras/del_vpn_user.sh index f76fbb8f11..1b95571997 100644 --- a/extras/del_vpn_user.sh +++ b/extras/del_vpn_user.sh @@ -11,7 +11,7 @@ # know how you have improved it! export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -SYS_DT=$(date +%F-%T) +SYS_DT=$(date +%F-%T | tr ':' '_') exiterr() { echo "Error: $1" >&2; exit 1; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 2100b156ec..3fb5251f91 100644 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -11,7 +11,7 @@ # know how you have improved it! export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -SYS_DT=$(date +%F-%T) +SYS_DT=$(date +%F-%T | tr ':' '_') exiterr() { echo "Error: $1" >&2; exit 1; } bigecho() { echo; echo "## $1"; echo; } 
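Review bot: `SYS_DT=$(date +%F-%T | tr ':' '_')` is repeated across the six files this patch touches, and the commit message ("Cleanup") does not say why colons are removed from the timestamp. `date +%F-%H_%M_%S` produces the same string without the pipe, and a short comment on the reason (the value ends up in file names such as `"$1.old-$SYS_DT"`) would stop a later edit from reverting it.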
@@ -27,6 +27,47 @@ check_dns_name() { printf '%s' "$1" | tr -d '\n' | grep -Eq "$FQDN_REGEX" } +new_client() { + + bigecho2 "Generating client certificate..." + + sleep 1 + + certutil -z <(head -c 1024 /dev/urandom) \ + -S -c "IKEv2 VPN CA" -n "$client_name" \ + -s "O=IKEv2 VPN,CN=$client_name" \ + -k rsa -g 4096 -v 120 \ + -d sql:/etc/ipsec.d -t ",," \ + --keyUsage digitalSignature,keyEncipherment \ + --extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null + + if [ "$export_ca" = "1" ]; then + bigecho "Exporting CA certificate..." + + if [ "$in_container" = "0" ]; then + certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ~/"vpnca-$SYS_DT.cer" + else + certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o "/etc/ipsec.d/vpnca-$SYS_DT.cer" + fi + fi + + bigecho "Exporting .p12 file..." + +cat <<'EOF' +Enter a *secure* password to protect the exported .p12 file. +This file contains the client certificate, private key, and CA certificate. +When importing into an iOS or macOS device, this password cannot be empty. + +EOF + + if [ "$in_container" = "0" ]; then + pk12util -d sql:/etc/ipsec.d -n "$client_name" -o ~/"$client_name-$SYS_DT.p12" + else + pk12util -d sql:/etc/ipsec.d -n "$client_name" -o "/etc/ipsec.d/$client_name-$SYS_DT.p12" + fi + +} + ikev2setup() { if [ "$(id -u)" != 0 ]; then @@ -66,8 +107,8 @@ EOF ;; esac -command -v certutil >/dev/null 2>&1 || { echo >&2 "Error: Command 'certutil' not found. Abort."; exit 1; } -command -v pk12util >/dev/null 2>&1 || { echo >&2 "Error: Command 'pk12util' not found. Abort."; exit 1; } +command -v certutil >/dev/null 2>&1 || { echo >&2 "Error: 'certutil' not found. Abort."; exit 1; } +command -v pk12util >/dev/null 2>&1 || { echo >&2 "Error: 'pk12util' not found. Abort."; exit 1; } if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then echo "It looks like IKEv2 has already been set up on this server." 
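Review bot: `new_client()` sends the standard output of `certutil -S` to `/dev/null` and never checks its exit status, so when certificate generation fails the function still carries on to the `pk12util -o` export. Use the `exiterr` helper already defined at the top of the script, for example `certutil ... >/dev/null || exiterr "Failed to create client certificate."`, and do the same for the `pk12util` call. The function also reads `client_name`, `export_ca`, `in_container` and `SYS_DT` as globals; a comment above it listing them would document that contract.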
@@ -83,17 +124,23 @@ if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; t ;; esac - echo "Provide a name for the IKEv2 VPN client. Use one word only, no special characters." + echo "Provide a name for the IKEv2 VPN client." + echo "Use one word only, no special characters except '-' and '_'." read -rp "Client name: " client_name while [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \ || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ || certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; do - echo "Invalid client name." + if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \ + || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+'; then + echo "Invalid client name." + else + echo "Invalid client name. The specified name already exists." + fi read -rp "Client name: " client_name done echo - echo "The CA certificate was exported during initial IKEv2 setup. It is needed for iOS clients." + echo "The CA certificate was exported during initial IKEv2 setup. Required for iOS clients only." printf "Do you want to export the CA certificate again? [y/N] " read -r response case $response in 
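Review bot: the name check in this hunk is now written twice, once in the `while` condition and again in the inner `if` that picks the message, so any change to the rules has to be made in both places. A small function returning distinct codes for "malformed" and "already exists" would remove the copy. The `\+` in `grep -q '[^A-Za-z0-9_-]\+'` is unnecessary (one disallowed character is enough to reject) and is a GNU extension in basic regular expressions. Separately, if `read` hits end of input the name stays empty and the loop never exits; `read -rp "Client name: " client_name || exit 1` would bound it.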
@@ -105,40 +152,8 @@ if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; t ;; esac - bigecho2 "Generating client certificate..." - - certutil -z <(head -c 1024 /dev/urandom) \ - -S -c "IKEv2 VPN CA" -n "$client_name" \ - -s "O=IKEv2 VPN,CN=$client_name" \ - -k rsa -g 4096 -v 120 \ - -d sql:/etc/ipsec.d -t ",," \ - --keyUsage digitalSignature,keyEncipherment \ - --extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null - - if [ "$export_ca" = "1" ]; then - bigecho "Exporting CA certificate..." - - if [ "$in_container" = "0" ]; then - certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ~/"vpnca-$SYS_DT.cer" - else - certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o "/etc/ipsec.d/vpnca-$SYS_DT.cer" - fi - fi - - bigecho "Exporting .p12 file..." - -cat <<'EOF' -Enter a *secure* password to protect the exported .p12 file. -This file contains the client certificate, private key, and CA certificate. -When importing into an iOS or macOS device, this password cannot be empty. - -EOF - - if [ "$in_container" = "0" ]; then - pk12util -d sql:/etc/ipsec.d -n "$client_name" -o ~/"$client_name-$SYS_DT.p12" - else - pk12util -d sql:/etc/ipsec.d -n "$client_name" -o "/etc/ipsec.d/$client_name-$SYS_DT.p12" - fi + # Create client configuration + new_client cat </dev/null fi -sleep 1 - -bigecho2 "Generating client certificate..." - -certutil -z <(head -c 1024 /dev/urandom) \ - -S -c "IKEv2 VPN CA" -n "$client_name" \ - -s "O=IKEv2 VPN,CN=$client_name" \ - -k rsa -g 4096 -v 120 \ - -d sql:/etc/ipsec.d -t ",," \ - --keyUsage digitalSignature,keyEncipherment \ - --extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null - -bigecho "Exporting CA certificate..." - -if [ "$in_container" = "0" ]; then - certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ~/"vpnca-$SYS_DT.cer" -else - certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o "/etc/ipsec.d/vpnca-$SYS_DT.cer" -fi - -bigecho "Exporting .p12 file..." 
- -cat <<'EOF' -Enter a *secure* password to protect the exported .p12 file. -This file contains the client certificate, private key, and CA certificate. -When importing into an iOS or macOS device, this password cannot be empty. - -EOF - -if [ "$in_container" = "0" ]; then - pk12util -d sql:/etc/ipsec.d -n "$client_name" -o ~/"$client_name-$SYS_DT.p12" -else - pk12util -d sql:/etc/ipsec.d -n "$client_name" -o "/etc/ipsec.d/$client_name-$SYS_DT.p12" -fi +# Create client configuration +export_ca=1 +new_client bigecho "Restarting IPsec service..." diff --git a/extras/update_vpn_users.sh b/extras/update_vpn_users.sh index 338df85dd2..0664532e8c 100644 --- a/extras/update_vpn_users.sh +++ b/extras/update_vpn_users.sh @@ -27,7 +27,7 @@ YOUR_PASSWORDS='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -SYS_DT=$(date +%F-%T) +SYS_DT=$(date +%F-%T | tr ':' '_') exiterr() { echo "Error: $1" >&2; exit 1; } conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; } diff --git a/vpnsetup.sh b/vpnsetup.sh index 321091c107..4cf7be0ca4 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -35,7 +35,7 @@ YOUR_PASSWORD='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -SYS_DT=$(date +%F-%T) +SYS_DT=$(date +%F-%T | tr ':' '_') exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { exiterr "'apt-get install' failed."; } diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 9a2fce71d4..a21bb0c09e 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -35,7 +35,7 @@ YOUR_PASSWORD='' # ===================================================== export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -SYS_DT=$(date +%F-%T) +SYS_DT=$(date +%F-%T | tr ':' '_') exiterr() { echo "Error: $1" >&2; exit 1; } exiterr2() { exiterr "'yum install' failed."; } 
From 8ea8bbfa4e9d4f1dc2b72a4044b00f262c055951 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 6 Jun 2020 23:09:58 -0500 Subject: [PATCH 0330/1208] Update IKEv2 docs - Add instructions for add/revoke client certificates --- docs/ikev2-howto-zh.md | 98 ++++++++++++++++++++++++++++++++++++++- docs/ikev2-howto.md | 102 +++++++++++++++++++++++++++++++++++++++-- 2 files changed, 194 insertions(+), 6 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index c8095a87a6..7fd4481c55 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -9,6 +9,8 @@ * [使用辅助脚本](#使用辅助脚本) * [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2) * [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端) +* [添加一个客户端证书](#添加一个客户端证书) +* [吊销一个客户端证书](#吊销一个客户端证书) * [已知问题](#已知问题) * [参考链接](#参考链接) @@ -25,7 +27,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ## 使用辅助脚本 -**重要:** 作为使用本指南的先决条件,在继续之前,你必须确保你已经成功地 搭建自己的 VPN 服务器,并且(可选但推荐)将 Libreswan 升级 到最新版本。Docker 用户请看 这里。 +**重要:** 作为使用本指南的先决条件,在继续之前,你必须确保你已经成功地 搭建自己的 VPN 服务器,并且(可选但推荐)将 Libreswan 升级 到最新版本。**Docker 用户请看 这里**。 你可以使用这个辅助脚本来自动地在 VPN 服务器上配置 IKEv2: @@ -225,7 +227,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh vpnclient u,u,u ``` - **注:** 如需显示证书内容,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。 + **注:** 如需显示证书内容,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要吊销一个客户端证书,请转到[这一节](#吊销一个客户端证书)。关于 `certutil` 的其它用法参见 这里。 1. **(重要)重启 IPsec 服务**: 
@@ -337,6 +339,96 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh 连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 +## 添加一个客户端证书 + +如果要为更多的客户端生成证书,只需重新运行 [辅助脚本](#使用辅助脚本)。或者你可以看 [这一小节](#手动在-vpn-服务器上配置-ikev2) 的第 4 步。 + +## 吊销一个客户端证书 + +在某些情况下,你可能需要吊销一个之前生成的 VPN 客户端证书。这可以通过 `crlutil` 实现。下面举例说明,这些命令必须用 `root` 账户运行。 + +1. 检查证书数据库,并且找到想要吊销的客户端证书的昵称。 + + ```bash + certutil -L -d sql:/etc/ipsec.d + ``` + + ``` + Certificate Nickname Trust Attributes + SSL,S/MIME,JAR/XPI + + IKEv2 VPN CA CTu,u,u + ($PUBLIC_IP) u,u,u + vpnclient-to-revoke u,u,u + ``` + + 在这个例子中,我们将要吊销昵称为 `vpnclient-to-revoke` 的客户端证书。它是由 `IKEv2 VPN CA` 签发的。 + +1. 找到该客户端证书的序列号。 + + ```bash + certutil -L -d sql:/etc/ipsec.d -n "vpnclient-to-revoke" + ``` + + ``` + Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 00:cd:69:ff:74 + ... ... + ``` + + 根据上面的输出,我们知道该序列号为十六进制的 `CD69FF74`,也就是十进制的 `3446275956`。它将在以下步骤中使用。 + +1. 创建一个新的证书吊销列表 (CRL)。该步骤对于每个 CA 只需运行一次。 + + ```bash + if ! crlutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null; then + crlutil -G -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -c /dev/null + fi + ``` + + ``` + CRL Info: + : + Version: 2 (0x1) + Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption + Issuer: "O=IKEv2 VPN,CN=IKEv2 VPN CA" + This Update: Sat Jun 06 22:00:00 2020 + CRL Extensions: + ``` + +1. 将你想要吊销的客户端证书添加到 CRL。在这里我们指定该证书的(十进制)序列号,以及吊销时间(UTC时间,格式:GeneralizedTime (YYYYMMDDhhmmssZ))。 + + ```bash + crlutil -M -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" <这里。 + +1. 最后,让 Libreswan 重新读取已更新的 CRL。 + + ```bash + ipsec crls + ``` + ## 已知问题 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式。 
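Review bot: step 2 of the new revocation section asks the reader to turn the hexadecimal serial `CD69FF74` into decimal `3446275956` but gives no command for it, and the `certutil` output shows the value as `00:cd:69:ff:74`, with colons and a leading `00` byte, which has to be cleaned up by hand. Add the conversion to the step, e.g. `printf '%d\n' 0xCD69FF74`, since the CRL entry added in step 4 is keyed only on that number and a slip here revokes the wrong serial. The same applies to the matching hunk in docs/ikev2-howto.md.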
@@ -351,3 +443,5 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh * https://libreswan.org/man/ipsec.conf.5.html * https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients * https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient +* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil +* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_crlutil diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index ac6e8f13f9..cadf5092ec 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -9,6 +9,8 @@ * [Using helper scripts](#using-helper-scripts) * [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server) * [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) +* [Add a client certificate](#add-a-client-certificate) +* [Revoke a client certificate](#revoke-a-client-certificate) * [Known issues](#known-issues) * [References](#references) @@ -25,7 +27,7 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica ## Using helper scripts -**Important:** As a prerequisite to using this guide, and before continuing, you must make sure that you have successfully set up your own VPN server, and (optional but recommended) upgraded Libreswan to the latest version. Docker users, see here. +**Important:** As a prerequisite to using this guide, and before continuing, you must make sure that you have successfully set up your own VPN server, and (optional but recommended) upgraded Libreswan to the latest version. **Docker users, see here**. You may use this helper script to automatically set up IKEv2 on the VPN server: 
@@ -33,7 +35,7 @@ You may use this helper script to automatically set up IKEv2 on the VPN server: wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh ``` -The script must be run using `bash`, not `sh`. Follow the prompts to set up IKEv2. When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) and check [known issues](#known-issues). If you wish to generate certificates for additional VPN clients, just run the script again. +The script must be run using `bash`, not `sh`. Follow the prompts to set up IKEv2. When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) and check [known issues](#known-issues). If you want to generate certificates for additional VPN clients, just run the script again. ## Manually set up IKEv2 on the VPN server @@ -225,7 +227,7 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm vpnclient u,u,u ``` - **Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete a certificate, replace `-L` with `-D`. For other `certutil` usage, read this page. + **Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To revoke a client certificate, follow [these steps](#revoke-a-client-certificate). For other `certutil` usage, read here. 1. **(Important) Restart the IPsec service**: 
@@ -239,7 +241,7 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th *Read this in other languages: [English](ikev2-howto.md#configure-ikev2-vpn-clients), [简体中文](ikev2-howto-zh.md#配置-ikev2-vpn-客户端).* -**Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must enter the DNS name in the **Server** and **Remote ID** fields. If you wish to generate certificates for additional VPN clients, just run the [helper script](#using-helper-scripts) again. Or you may refer to step 4 in the previous section. +**Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must enter the DNS name in the **Server** and **Remote ID** fields. If you want to generate certificates for additional VPN clients, just run the [helper script](#using-helper-scripts) again. Or you may refer to step 4 in the previous section. * [Windows 7, 8.x and 10](#windows-7-8x-and-10) * [OS X (macOS)](#os-x-macos) 
@@ -337,6 +339,96 @@ When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". +## Add a client certificate + +If you want to generate certificates for additional VPN clients, just run the [helper script](#using-helper-scripts) again. Or you may refer to step 4 in [this section](#manually-set-up-ikev2-on-the-vpn-server). + +## Revoke a client certificate + +In certain circumstances, you may need to revoke a previously generated VPN client certificate. This can be done using `crlutil`. See example steps below, commands must be run as `root`. + +1. Check the database, and identify the nickname of the client certificate you want to revoke. + + ```bash + certutil -L -d sql:/etc/ipsec.d + ``` + + ``` + Certificate Nickname Trust Attributes + SSL,S/MIME,JAR/XPI + + IKEv2 VPN CA CTu,u,u + ($PUBLIC_IP) u,u,u + vpnclient-to-revoke u,u,u + ``` + + In this example, we will revoke the certificate with nickname `vpnclient-to-revoke`, issued by `IKEv2 VPN CA`. + +1. Find the serial number of this client certificate. + + ```bash + certutil -L -d sql:/etc/ipsec.d -n "vpnclient-to-revoke" + ``` + + ``` + Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 00:cd:69:ff:74 + ... ... + ``` + + From the output, we see that the serial number is `CD69FF74` in hexadecimal, which is `3446275956` in decimal. It will be used in the next steps. + +1. Create a new Certificate Revocation List (CRL). You only need to do this once for each CA. + + ```bash + if ! 
crlutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null; then + crlutil -G -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -c /dev/null + fi + ``` + + ``` + CRL Info: + : + Version: 2 (0x1) + Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption + Issuer: "O=IKEv2 VPN,CN=IKEv2 VPN CA" + This Update: Sat Jun 06 22:00:00 2020 + CRL Extensions: + ``` + +1. Add the client certificate you want to revoke to the CRL. Here we specify the certificate's serial number in decimal, and the revocation time in GeneralizedTime format (YYYYMMDDhhmmssZ) in UTC. + + ```bash + crlutil -M -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" <here. + +1. Finally, let Libreswan re-read the updated CRL. + + ```bash + ipsec crls + ``` + ## Known issues 1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the IPsec/L2TP or IPsec/XAuth mode. @@ -351,3 +443,5 @@ Once successfully connected, you can verify that your traffic is being routed pr * https://libreswan.org/man/ipsec.conf.5.html * https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients * https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient +* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil +* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_crlutil From 2def2f2f204374130b37193f0a6e4475ceeac368 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 8 Jun 2020 02:01:17 -0500 Subject: [PATCH 0331/1208] Update docs --- docs/clients-zh.md | 25 ++++++++++++++----------- docs/clients.md | 25 ++++++++++++++----------- 2 files changed, 28 insertions(+), 22 deletions(-) diff --git a/docs/clients-zh.md b/docs/clients-zh.md index 0a459428ff..d1b8476e4b 100644 --- a/docs/clients-zh.md +++ b/docs/clients-zh.md 
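Review bot: in the "Revoke a client certificate" section added to docs/ikev2-howto.md, step 2 goes from the `certutil` output `00:cd:69:ff:74` straight to "`CD69FF74` in hexadecimal, which is `3446275956` in decimal" without saying that the leading `00` byte is dropped or how the conversion is done, and a wrong decimal serial in the `crlutil -M` step would leave the intended certificate unrevoked. Suggest putting the conversion command in the step itself, for example `printf '%d\n' 0xCD69FF74`.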
@@ -96,7 +96,7 @@ Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress '你的 VPN 服务器 IP' 1. 单击 **好**。 1. 选中 **在菜单栏中显示 VPN 状态** 复选框。 1. **(重要)** 单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。 -1. 单击 **TCP/IP** 选项卡,并在 **配置IPv6** 部分中选择 **仅本地链接**。 +1. **(重要)** 单击 **TCP/IP** 选项卡,并在 **配置IPv6** 部分中选择 **仅本地链接**。 1. 单击 **好** 关闭高级设置,然后单击 **应用** 保存VPN连接信息。 要连接到 VPN: 使用菜单栏中的图标,或者打开系统偏好设置的网络部分,选择 VPN 并单击 **连接**。最后你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 @@ -208,15 +208,15 @@ Fedora 28 (和更新版本)和 CentOS 8/7 用户可以使用更高效的 [IP * [Windows 10 正在连接](#windows-10-正在连接) * [Windows 10 升级](#windows-10-升级) * [Windows 8/10 DNS 泄漏](#windows-810-dns-泄漏) -* [macOS VPN 流量](#macos-vpn-流量) * [Android MTU/MSS 问题](#android-mtumss-问题) * [Android 6 和 7](#android-6-和-7) +* [macOS 通过 VPN 发送通信](#macos-通过-vpn-发送通信) * [iOS 13 和 macOS 10.15](#ios-13-和-macos-1015) * [iOS/Android 睡眠模式](#iosandroid-睡眠模式) * [Debian 10 内核](#debian-10-内核) * [Chromebook 连接问题](#chromebook-连接问题) * [其它错误](#其它错误) -* [额外的步骤](#额外的步骤) +* [检查日志及 VPN 状态](#检查日志及-vpn-状态) ### Windows 错误 809 @@ -282,12 +282,6 @@ Windows 8.x 和 10 默认使用 "smart multi-homed name resolution" (智能多 另外,如果你的计算机启用了 IPv6,所有的 IPv6 流量(包括 DNS 请求)都将绕过 VPN。要在 Windows 上禁用 IPv6,请看这里。 -### macOS VPN 流量 - -OS X (macOS) 用户: 如果你成功地使用 IPsec/L2TP 模式连接,但是你的公有 IP 没有显示为 `你的 VPN 服务器 IP`,请阅读上面的 [OS X](#os-x) 部分并完成这一步:单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。然后重新连接 VPN。 - -如果你的计算机仍然不能通过 VPN 连接发送通信,检查一下服务顺序。进入系统偏好设置中的网络部分,单击左侧连接列表下方的齿轮按钮,选择 "设定服务顺序"。然后将 VPN 连接拖动到顶端。 - ### Android MTU/MSS 问题 某些 Android 设备有 MTU/MSS 问题,表现为使用 IPsec/XAuth ("Cisco IPsec") 模式可以连接到 VPN 但是无法打开网站。如果你遇到该问题,尝试在 VPN 服务器上运行以下命令。如果成功解决,你可以将这些命令添加到 `/etc/rc.local` 以使它们重启后继续有效。 
@@ -318,6 +312,15 @@ echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc ![Android VPN workaround](images/vpn-profile-Android.png) +### macOS 通过 VPN 发送通信 + +OS X (macOS) 用户: 如果可以成功地使用 IPsec/L2TP 模式连接,但是你的公有 IP 没有显示为 `你的 VPN 服务器 IP`,请阅读上面的 [OS X](#os-x) 部分并完成以下步骤。保存 VPN 配置然后重新连接。 + +1. 单击 **高级** 按钮,并选中 **通过VPN连接发送所有通信** 复选框。 +1. 单击 **TCP/IP** 选项卡,并在 **配置IPv6** 部分中选择 **仅本地链接**。 + +如果在尝试上面步骤之后,你的计算机仍然不能通过 VPN 连接发送通信,检查一下服务顺序。进入系统偏好设置中的网络部分,单击左侧连接列表下方的齿轮按钮,选择 "设定服务顺序"。然后将 VPN 连接拖动到顶端。 + ### iOS 13 和 macOS 10.15 如果你的 iOS 13 或者 macOS 10.15 (Catalina) 设备无法连接,请尝试以下步骤:编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。然后重新连接 VPN。 @@ -347,9 +350,9 @@ Chromebook 用户: 如果你无法连接,请尝试以下步骤:编辑 VPN * https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ * https://stackoverflow.com/questions/25245854/windows-8-1-gets-error-720-on-connect-vpn -### 额外的步骤 +### 检查日志及 VPN 状态 -请尝试下面这些额外的故障排除步骤: +以下命令需要使用 `root` 账户(或者 `sudo`)运行。 首先,重启 VPN 服务器上的相关服务: diff --git a/docs/clients.md b/docs/clients.md index bd84e88361..ac30c365e2 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -96,7 +96,7 @@ If you get an error when trying to connect, see Troub 1. Click **OK**. 1. Check the **Show VPN status in menu bar** checkbox. 1. **(Important)** Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. -1. Click the **TCP/IP** tab, and make sure **Link-local only** is selected in the **Configure IPv6** section. +1. **(Important)** Click the **TCP/IP** tab, and make sure **Link-local only** is selected in the **Configure IPv6** section. 1. Click **OK** to close the Advanced settings, and then click **Apply** to save the VPN connection information. To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". @@ -208,15 +208,15 @@ First check disable IPv6 in Windows. -### macOS VPN traffic - -OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show `Your VPN Server IP`, read the [OS X](#os-x) section above and complete this step: Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. Then re-connect the VPN. - -If your computer is still not sending traffic over the VPN check the service order. From the main network preferences screen, select "set service order" in the cog drop down under the list of connections. Drag the VPN connection to the top. - ### Android MTU/MSS issues Some Android devices have MTU/MSS issues, that they are able to connect to the VPN using IPsec/XAuth ("Cisco IPsec") mode, but cannot open websites. If you encounter this problem, try running the following commands on the VPN server. If successful, you may add these commands to `/etc/rc.local` to persist after reboot. 
@@ -318,6 +312,15 @@ If your Android 6.x or 7.x device cannot connect, try these steps: ![Android VPN workaround](images/vpn-profile-Android.png) +### macOS send traffic over VPN + +OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show `Your VPN Server IP`, read the [OS X](#os-x) section above and complete these steps. Save VPN configuration and re-connect. + +1. Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. +1. Click the **TCP/IP** tab, and make sure **Link-local only** is selected in the **Configure IPv6** section. + +After trying the steps above, if your computer is still not sending traffic over the VPN, check the service order. From the main network preferences screen, select "set service order" in the cog drop down under the list of connections. Drag the VPN connection to the top. + ### iOS 13 and macOS 10.15 If your iOS 13 or macOS 10.15 (Catalina) device cannot connect, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`. Then reconnect the VPN. @@ -347,9 +350,9 @@ If you encounter other errors, refer to the links below: * https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/ * https://stackoverflow.com/questions/25245854/windows-8-1-gets-error-720-on-connect-vpn -### Additional steps +### Check logs and VPN status -Please try these additional troubleshooting steps: +Commands below must be run as `root` (or using `sudo`). First, restart services on the VPN server: From cf2ed17ae6544fe7c1a0b1c46680c065f87ebe78 Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Thu, 11 Jun 2020 01:16:51 -0500 Subject: [PATCH 0332/1208] Update IKEv2 script - Improve error handling and move ikev2 config to the last step --- extras/ikev2setup.sh | 111 ++++++++++++++++++++++--------------------- 1 file changed, 58 insertions(+), 53 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 3fb5251f91..e38dc31cb0 100644 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -31,7 +31,7 @@ new_client() { bigecho2 "Generating client certificate..." - sleep 1 + sleep $((RANDOM % 3 + 1)) certutil -z <(head -c 1024 /dev/urandom) \ -S -c "IKEv2 VPN CA" -n "$client_name" \ @@ -39,15 +39,15 @@ new_client() { -k rsa -g 4096 -v 120 \ -d sql:/etc/ipsec.d -t ",," \ --keyUsage digitalSignature,keyEncipherment \ - --extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null + --extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null || exit 1 if [ "$export_ca" = "1" ]; then - bigecho "Exporting CA certificate..." + bigecho "Exporting CA certificate 'IKEv2 VPN CA'..." if [ "$in_container" = "0" ]; then - certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ~/"vpnca-$SYS_DT.cer" + certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ~/"ikev2vpnca-$SYS_DT.cer" || exit 1 else - certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o "/etc/ipsec.d/vpnca-$SYS_DT.cer" + certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o "/etc/ipsec.d/ikev2vpnca-$SYS_DT.cer" || exit 1 fi fi @@ -61,9 +61,9 @@ When importing into an iOS or macOS device, this password cannot be empty. EOF if [ "$in_container" = "0" ]; then - pk12util -d sql:/etc/ipsec.d -n "$client_name" -o ~/"$client_name-$SYS_DT.p12" + pk12util -d sql:/etc/ipsec.d -n "$client_name" -o ~/"$client_name-$SYS_DT.p12" || exit 1 else - pk12util -d sql:/etc/ipsec.d -n "$client_name" -o "/etc/ipsec.d/$client_name-$SYS_DT.p12" + pk12util -d sql:/etc/ipsec.d -n "$client_name" -o "/etc/ipsec.d/$client_name-$SYS_DT.p12" || exit 1 fi } 
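Review bot: the failure paths added to new_client() all end in a bare `|| exit 1` (the `certutil -S` call, the CA export and both `pk12util` exports), so the script stops with only whatever the NSS tool happened to print. The same patch switches the dependency checks to `exiterr`; using it here with a message that names the failed step would make these exits diagnosable. Separately, `sleep $((RANDOM % 3 + 1))` replaces `sleep 1` in the first hunk with no comment saying what the randomized delay is for.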
@@ -107,8 +107,8 @@ EOF ;; esac -command -v certutil >/dev/null 2>&1 || { echo >&2 "Error: 'certutil' not found. Abort."; exit 1; } -command -v pk12util >/dev/null 2>&1 || { echo >&2 "Error: 'pk12util' not found. Abort."; exit 1; } +command -v certutil >/dev/null 2>&1 || exiterr "'certutil' not found. Abort." +command -v pk12util >/dev/null 2>&1 || exiterr "'pk12util' not found. Abort." if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then echo "It looks like IKEv2 has already been set up on this server." @@ -168,12 +168,12 @@ EOF if [ "$in_container" = "0" ]; then printf '%s\n' ~/"$client_name-$SYS_DT.p12" if [ "$export_ca" = "1" ]; then - printf '%s\n' ~/"vpnca-$SYS_DT.cer (for iOS clients)" + printf '%s\n' ~/"ikev2vpnca-$SYS_DT.cer (for iOS clients)" fi else printf '%s\n' "/etc/ipsec.d/$client_name-$SYS_DT.p12" if [ "$export_ca" = "1" ]; then - printf '%s\n' "/etc/ipsec.d/vpnca-$SYS_DT.cer (for iOS clients)" + printf '%s\n' "/etc/ipsec.d/ikev2vpnca-$SYS_DT.cer (for iOS clients)" fi fi @@ -189,6 +189,10 @@ EOF exit 0 fi +if certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" >/dev/null 2>&1; then + exiterr "Certificate 'IKEv2 VPN CA' already exists. Abort." +fi + clear cat <<'EOF' 
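Review bot: the guard added in the last hunk above aborts whenever `IKEv2 VPN CA` is already in the NSS database, and this same patch moves certificate generation ahead of writing the IKEv2 config. A run that dies at a later `|| exit 1` (server or client certificate) therefore leaves the CA behind with no `conn ikev2-cp` and no `/etc/ipsec.d/ikev2.conf`, so the next run skips the "already been set up" branch and stops at "Certificate 'IKEv2 VPN CA' already exists. Abort." with no hint how to recover. Either remove the certificates created so far when a later step fails, or have the message say how to clear the leftover CA before re-running.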
@@ -341,6 +345,47 @@ case $response in ;; esac +bigecho2 "Generating CA certificate..." + +certutil -z <(head -c 1024 /dev/urandom) \ + -S -x -n "IKEv2 VPN CA" \ + -s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \ + -k rsa -g 4096 -v 120 \ + -d sql:/etc/ipsec.d -t "CT,," -2 >/dev/null </dev/null || exit 1 +else + certutil -z <(head -c 1024 /dev/urandom) \ + -S -c "IKEv2 VPN CA" -n "$server_addr" \ + -s "O=IKEv2 VPN,CN=$server_addr" \ + -k rsa -g 4096 -v 120 \ + -d sql:/etc/ipsec.d -t ",," \ + --keyUsage digitalSignature,keyEncipherment \ + --extKeyUsage serverAuth \ + --extSAN "ip:$server_addr,dns:$server_addr" >/dev/null || exit 1 +fi + +# Create client configuration +export_ca=1 +new_client + +echo bigecho "Adding a new IKEv2 connection..." if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then @@ -396,46 +441,6 @@ EOF ;; esac -bigecho2 "Generating CA certificate..." - -certutil -z <(head -c 1024 /dev/urandom) \ - -S -x -n "IKEv2 VPN CA" \ - -s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \ - -k rsa -g 4096 -v 120 \ - -d sql:/etc/ipsec.d -t "CT,," -2 >/dev/null << ANSWERS -y - -N -ANSWERS - -sleep 1 - -bigecho2 "Generating VPN server certificate..." - -if [ "$use_dns_name" = "1" ]; then - certutil -z <(head -c 1024 /dev/urandom) \ - -S -c "IKEv2 VPN CA" -n "$server_addr" \ - -s "O=IKEv2 VPN,CN=$server_addr" \ - -k rsa -g 4096 -v 120 \ - -d sql:/etc/ipsec.d -t ",," \ - --keyUsage digitalSignature,keyEncipherment \ - --extKeyUsage serverAuth \ - --extSAN "dns:$server_addr" >/dev/null -else - certutil -z <(head -c 1024 /dev/urandom) \ - -S -c "IKEv2 VPN CA" -n "$server_addr" \ - -s "O=IKEv2 VPN,CN=$server_addr" \ - -k rsa -g 4096 -v 120 \ - -d sql:/etc/ipsec.d -t ",," \ - --keyUsage digitalSignature,keyEncipherment \ - --extKeyUsage serverAuth \ - --extSAN "ip:$server_addr,dns:$server_addr" >/dev/null -fi - -# Create client configuration -export_ca=1 -new_client - bigecho "Restarting IPsec service..." mkdir -p /run/pluto 
@@ -453,10 +458,10 @@ EOF if [ "$in_container" = "0" ]; then printf '%s\n' ~/"$client_name-$SYS_DT.p12" - printf '%s\n' ~/"vpnca-$SYS_DT.cer (for iOS clients)" + printf '%s\n' ~/"ikev2vpnca-$SYS_DT.cer (for iOS clients)" else printf '%s\n' "/etc/ipsec.d/$client_name-$SYS_DT.p12" - printf '%s\n' "/etc/ipsec.d/vpnca-$SYS_DT.cer (for iOS clients)" + printf '%s\n' "/etc/ipsec.d/ikev2vpnca-$SYS_DT.cer (for iOS clients)" fi cat < Date: Thu, 11 Jun 2020 01:37:47 -0500 Subject: [PATCH 0333/1208] Update docs --- docs/ikev2-howto-zh.md | 6 +++--- docs/ikev2-howto.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 7fd4481c55..87597ac865 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -206,10 +206,10 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh 指定一个安全的密码以保护导出的 `.p12` 文件(在导入到 iOS 或 macOS 设备时,该密码不能为空)。 -1. (适用于 iOS 客户端) 导出 CA 证书到 `vpnca.cer`: +1. (适用于 iOS 客户端) 导出 CA 证书到 `ikev2vpnca.cer`: ```bash - certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o vpnca.cer + certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ikev2vpnca.cer ``` 1. 证书数据库现在应该包含以下内容: @@ -316,7 +316,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh ### iOS -首先,将文件 `vpnca.cer` 和 `vpnclient.p12` 安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。要传送文件,你可以使用: +首先,将文件 `ikev2vpnca.cer` 和 `vpnclient.p12` 安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。要传送文件,你可以使用: 1. AirDrop (隔空投送),或者 1. 将文件上传到设备,在 "文件" 应用程序中单击它们,然后到 "设置" 中导入,或者 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index cadf5092ec..fa6263f936 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -206,10 +206,10 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm Enter a secure password to protect the exported `.p12` file (when importing into an iOS or macOS device, this password cannot be empty). -1. (For iOS clients) Export the CA certificate as `vpnca.cer`: +1. (For iOS clients) Export the CA certificate as `ikev2vpnca.cer`: ```bash - certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o vpnca.cer + certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ikev2vpnca.cer ``` 1. The database should now contain: @@ -316,7 +316,7 @@ First, securely transfer `vpnclient.p12` to your Mac, then double-click to impor ### iOS -First, securely transfer both `vpnca.cer` and `vpnclient.p12` to your iOS device, then import them one by one as iOS profiles. To transfer the files, you may use: +First, securely transfer both `ikev2vpnca.cer` and `vpnclient.p12` to your iOS device, then import them one by one as iOS profiles. To transfer the files, you may use: 1. AirDrop, or 1. Upload the files to your device, tap them in the "Files" app, then go to "Settings" and import, or From 3faa8fd86e29ce2e6be300112fb6f257e0f9b9e7 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 12 Jun 2020 11:05:42 -0500 Subject: [PATCH 0334/1208] Improve DNS check --- vpnsetup.sh | 8 ++++++++ vpnsetup_centos.sh | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/vpnsetup.sh b/vpnsetup.sh index 4cf7be0ca4..de7ab8799d 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -117,6 +117,14 @@ case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in ;; esac +if [ -n "$VPN_DNS_SRV1" ] && ! check_ip "$VPN_DNS_SRV1"; then + exiterr "DNS server 'VPN_DNS_SRV1' is invalid." +fi + +if [ -n "$VPN_DNS_SRV2" ] && ! check_ip "$VPN_DNS_SRV2"; then + exiterr "DNS server 'VPN_DNS_SRV2' is invalid." +fi + bigecho "VPN setup in progress... Please be patient." # Create and change to working dir diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index a21bb0c09e..ebb4d40155 100755 
--- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -106,6 +106,14 @@ case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in ;; esac +if [ -n "$VPN_DNS_SRV1" ] && ! check_ip "$VPN_DNS_SRV1"; then + exiterr "DNS server 'VPN_DNS_SRV1' is invalid." +fi + +if [ -n "$VPN_DNS_SRV2" ] && ! check_ip "$VPN_DNS_SRV2"; then + exiterr "DNS server 'VPN_DNS_SRV2' is invalid." +fi + bigecho "VPN setup in progress... Please be patient." # Create and change to working dir From 9ec99c8512af1ccc49d52a8a68109bd13da13a05 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 12 Jun 2020 11:09:58 -0500 Subject: [PATCH 0335/1208] Update docs --- README-zh.md | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README-zh.md b/README-zh.md index dec5b7df84..7b993c1dc8 100644 --- a/README-zh.md +++ b/README-zh.md @@ -159,7 +159,7 @@ sh vpnsetup.sh 对于有外部防火墙的服务器(比如 EC2/GCE),请为 VPN 打开 UDP 端口 500 和 4500。阿里云用户请参见 [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433)。 -在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`,然后重启服务器。 +在 VPN 已连接时,客户端配置为使用 Google Public DNS。如果偏好其它的域名解析服务,编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`,然后重启服务器。高级用户可以在运行 VPN 脚本时定义 `VPN_DNS_SRV1` 和 `VPN_DNS_SRV2`(可选)。 使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用: Ubuntu 16.04-20.04, Debian 9-10 和 CentOS 6-8. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`(或者 `linux-image-extra`),然后运行 `service xl2tpd restart`。 diff --git a/README.md b/README.md index 12add589f9..cb03ef90c2 100644 --- a/README.md +++ b/README.md 
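Review bot: in the blocks added to vpnsetup.sh and vpnsetup_centos.sh by "Improve DNS check", the error `DNS server 'VPN_DNS_SRV1' is invalid.` names the variable but neither the rejected value nor the expected format. Since the test is `check_ip`, say that an IP address is required and echo the value, e.g. `exiterr "VPN_DNS_SRV1 '$VPN_DNS_SRV1' is not a valid IP address."`. The two checks are also identical apart from the variable name and are copied into both scripts, so a small helper would keep them in sync.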
@@ -159,7 +159,7 @@ If you wish to add, edit or remove VPN user accounts, see EC2/GCE), open UDP ports 500 and 4500 for the VPN. Aliyun users, see [#433](https://github.com/hwdsl2/setup-ipsec-vpn/issues/433). -Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. +Clients are set to use Google Public DNS when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. Advanced users can define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script. Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 16.04-20.04, Debian 9-10 and CentOS 6-8. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`. From 012c19fed12de52f2d12db8d1c70ddc13c052ed6 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 2 Jul 2020 11:48:35 -0500 Subject: [PATCH 0336/1208] Update IKEv2 script - Allow specifying the validity period of client certificates --- extras/ikev2setup.sh | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index e38dc31cb0..92d289bb16 100644 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -36,7 +36,7 @@ new_client() { certutil -z <(head -c 1024 /dev/urandom) \ -S -c "IKEv2 VPN CA" -n "$client_name" \ -s "O=IKEv2 VPN,CN=$client_name" \ - -k rsa -g 4096 -v 120 \ + -k rsa -g 4096 -v "$client_validity" \ -d sql:/etc/ipsec.d -t ",," \ --keyUsage digitalSignature,keyEncipherment \ --extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null || exit 1 
@@ -139,6 +139,18 @@ if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; t read -rp "Client name: " client_name done + echo + echo "Specify the validity period (in months) for this VPN client certificate." + read -rp "Enter a number between 1 and 120: [120] " client_validity + [ -z "$client_validity" ] && client_validity=120 + while printf '%s' "$client_validity" | LC_ALL=C grep -q '[^0-9]\+' \ + || [ "$client_validity" -lt "1" ] || [ "$client_validity" -gt "120" ] \ + || [ "$client_validity" != "$((10#$client_validity))" ]; do + echo "Invalid validity period." + read -rp "Enter a number between 1 and 120: [120] " client_validity + [ -z "$client_validity" ] && client_validity=120 + done + echo echo "The CA certificate was exported during initial IKEv2 setup. Required for iOS clients only." printf "Do you want to export the CA certificate again? [y/N] " @@ -249,6 +261,19 @@ while [ "${#client_name}" -gt "64" ] || printf '%s' "$client_name" | LC_ALL=C gr [ -z "$client_name" ] && client_name=vpnclient done +# Enter validity period +echo +echo "Specify the validity period (in months) for this VPN client certificate." +read -rp "Enter a number between 1 and 120: [120] " client_validity +[ -z "$client_validity" ] && client_validity=120 +while printf '%s' "$client_validity" | LC_ALL=C grep -q '[^0-9]\+' \ + || [ "$client_validity" -lt "1" ] || [ "$client_validity" -gt "120" ] \ + || [ "$client_validity" != "$((10#$client_validity))" ]; do + echo "Invalid validity period." + read -rp "Enter a number between 1 and 120: [120] " client_validity + [ -z "$client_validity" ] && client_validity=120 +done + # Check for MOBIKE support mobike_support=0 case "$swan_ver" in @@ -275,7 +300,7 @@ if [ "$mobike_support" = "1" ]; then fi else echo - echo "NOTE: DO NOT enable MOBIKE support, if your Docker host runs Ubuntu Linux." + echo "IMPORTANT: *DO NOT* enable MOBIKE support, if your Docker host runs Ubuntu Linux." fi fi 
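Review bot: the validity-period prompt and its validation loop are added twice, once in the add-client branch (hunk at -139) and once in the initial setup path (hunk at -249), character for character. Move them into one function so the 1 to 120 range and the check `"$client_validity" != "$((10#$client_validity))"` cannot drift apart. A short comment on that `10#` comparison would also help, since its purpose (rejecting input with leading zeros such as `012`) is not obvious from the condition.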
@@ -319,6 +344,12 @@ VPN server address: $server_addr VPN client name: $client_name EOF +if [ "$client_validity" = "1" ]; then + echo "Client cert valid for: 1 month" +else + echo "Client cert valid for: $client_validity months" +fi + if [ "$mobike_support" = "1" ]; then if [ "$mobike_enable" = "1" ]; then echo "Enable MOBIKE support: Yes" From 8283bdb32fce6c4101db825ade6573b36413d98c Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 2 Jul 2020 17:52:13 -0500 Subject: [PATCH 0337/1208] CentOS/RHEL 8 fix - Fix fail2ban rules for nftables on CentOS/RHEL 8 --- vpnsetup_centos.sh | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index ebb4d40155..1f4526816e 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -381,15 +381,26 @@ net.ipv4.tcp_wmem = 10240 87380 12582912 EOF fi -if [ ! -f /etc/fail2ban/jail.local ] ; then +F2B_FILE="/etc/fail2ban/jail.local" +if [ ! -f "$F2B_FILE" ]; then bigecho "Creating basic Fail2Ban rules..." -cat > /etc/fail2ban/jail.local <<'EOF' +cat > "$F2B_FILE" <<'EOF' [ssh-iptables] -enabled = true -filter = sshd -action = iptables[name=SSH, port=ssh, protocol=tcp] -logpath = /var/log/secure +enabled = true +filter = sshd +logpath = /var/log/secure EOF + + if [ "$use_nft" = "1" ]; then +cat >> "$F2B_FILE" <<'EOF' +port = ssh +banaction = nftables-multiport[blocktype=drop] +EOF + else +cat >> "$F2B_FILE" <<'EOF' +action = iptables[name=SSH, port=ssh, protocol=tcp] +EOF + fi fi bigecho "Updating IPTables rules..." From 93e89919ac765875da88e97052b3d934d92025f0 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 4 Jul 2020 01:35:10 -0500 Subject: [PATCH 0338/1208] Update IKEv2 docs --- docs/ikev2-howto-zh.md | 28 ++++++++++++++-------------- docs/ikev2-howto.md | 26 +++++++++++++------------- 2 files changed, 27 insertions(+), 27 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 87597ac865..7f6486a13e 100644 
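Review bot: in the vpnsetup_centos.sh hunk of "CentOS/RHEL 8 fix", the nftables `banaction` is written only inside `if [ ! -f "$F2B_FILE" ]`, so a CentOS/RHEL 8 server that already has a jail.local containing the old `action = iptables[name=SSH, port=ssh, protocol=tcp]` line keeps that rule after the script is re-run. Either detect and report that case or state the limitation in the commit message. The jail is also still named `[ssh-iptables]` when `use_nft` is 1, which will be misleading in `fail2ban-client status` output, and `use_nft` is set outside the visible hunk, so confirm it is always initialised before this point.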
--- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -251,7 +251,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh ### Windows 7, 8.x 和 10 -1. 将文件 `vpnclient.p12` 安全地传送到你的计算机,然后导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 +1. 将生成的 `.p12` 文件安全地传送到你的计算机,然后导入到 "计算机账户" 证书存储。在导入证书后,你必须确保将客户端证书放在 "个人 -> 证书" 目录中,并且将 CA 证书放在 "受信任的根证书颁发机构 -> 证书" 目录中。 详细的操作步骤: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs @@ -266,7 +266,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh ### OS X (macOS) -首先,将文件 `vpnclient.p12` 安全地传送到你的 Mac,然后双击以导入到 **钥匙串访问** 中的 **登录** 钥匙串。下一步,双击导入的 `IKEv2 VPN CA` 证书,展开 **信任** 并从 **IP 安全 (IPsec)** 下拉菜单中选择 **始终信任**。在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在 **登录** 钥匙串 的 **证书** 类别中。 +首先,将生成的 `.p12` 文件安全地传送到你的 Mac,然后双击以导入到 **钥匙串访问** 中的 **登录** 钥匙串。下一步,双击导入的 `IKEv2 VPN CA` 证书,展开 **信任** 并从 **IP 安全 (IPsec)** 下拉菜单中选择 **始终信任**。在完成之后,检查并确保新的客户端证书和 `IKEv2 VPN CA` 都显示在 **登录** 钥匙串 的 **证书** 类别中。 1. 打开系统偏好设置并转到网络部分。 1. 在窗口左下角单击 **+** 按钮。 @@ -279,7 +279,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh 1. 保持 **本地 ID** 字段空白。 1. 单击 **鉴定设置...** 按钮。 1. 从 **鉴定设置** 下拉菜单中选择 **无**。 -1. 选择 **证书** 单选按钮,然后选择 **vpnclient** 证书。 +1. 选择 **证书** 单选按钮,然后选择新的客户端证书。 1. 单击 **好**。 1. 选中 **在菜单栏中显示 VPN 状态** 复选框。 1. 单击 **应用** 保存VPN连接信息。 
@@ -287,42 +287,42 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh ### Android 10 和更新版本 -1. 将文件 `vpnclient.p12` 安全地传送到你的 Android 设备。 +1. 将生成的 `.p12` 文件安全地传送到你的 Android 设备。 1. 从 **Google Play** 安装 strongSwan VPN 客户端。 1. 启动 **设置** 应用程序。 1. 进入 安全 -> 高级 -> 加密与凭据。 1. 单击 **从存储设备(或 SD 卡)安装**。 -1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 +1. 选择你从服务器传送过来的 `.p12` 文件,并按提示操作。 **注:** 要查找 `.p12` 文件,单击左上角的抽拉式菜单,然后单击你的设备名称。 1. 启动 strongSwan VPN 客户端,然后单击 **Add VPN Profile**。 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 -1. 单击 **Select user certificate**,选择你的新 VPN 客户端证书并确认。 +1. 单击 **Select user certificate**,选择新的客户端证书并确认。 1. **(重要)** 单击 **Show advanced settings**。向下滚动,找到并启用 **Use RSA/PSS signatures** 选项。 1. 保存新的 VPN 连接,然后单击它以开始连接。 ### Android 4.x to 9.x -1. 将文件 `vpnclient.p12` 安全地传送到你的 Android 设备。 +1. 将生成的 `.p12` 文件安全地传送到你的 Android 设备。 1. 从 **Google Play** 安装 strongSwan VPN 客户端。 1. 启动 strongSwan VPN 客户端,然后单击 **Add VPN Profile**。 1. 在 **Server** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 1. 在 **VPN Type** 下拉菜单选择 **IKEv2 Certificate**。 1. 单击 **Select user certificate**,然后单击 **Install certificate**。 -1. 选择你从服务器复制过来的 `.p12` 文件,并按提示操作。 +1. 选择你从服务器传送过来的 `.p12` 文件,并按提示操作。 **注:** 要查找 `.p12` 文件,单击左上角的抽拉式菜单,然后单击你的设备名称。 1. **(重要)** 单击 **Show advanced settings**。向下滚动,找到并启用 **Use RSA/PSS signatures** 选项。 1. 保存新的 VPN 连接,然后单击它以开始连接。 ### iOS -首先,将文件 `ikev2vpnca.cer` 和 `vpnclient.p12` 安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。要传送文件,你可以使用: +首先,将生成的 `ikev2vpnca.cer` 和 `.p12` 文件安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。要传送文件,你可以使用: 1. AirDrop (隔空投送),或者 -1. 将文件上传到设备,在 "文件" 应用程序中单击它们,然后到 "设置" 中导入,或者 +1. 将文件上传到设备,在 "文件" 应用程序中单击它们(必须在 "On My iPhone" 目录下),然后按照提示导入,或者 1. 将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。 -在完成之后,检查并确保 `vpnclient` 和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 +在完成之后,检查并确保新的客户端证书和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 1. 进入设置 -> 通用 -> VPN。 1. 单击 **添加VPN配置...**。 
@@ -333,7 +333,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh 1. 保持 **本地 ID** 字段空白。 1. 单击 **用户鉴定** 。选择 **无** 并返回。 1. 启用 **使用证书** 选项。 -1. 单击 **证书** 。选择 **vpnclient** 并返回。 +1. 单击 **证书** 。选择新的客户端证书并返回。 1. 单击右上角的 **完成**。 1. 启用 **VPN** 连接。 @@ -432,9 +432,9 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh ## 已知问题 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式。 +1. 不支持同时连接在同一个 NAT(比如家用路由器)后面的多个 IKEv2 客户端 (#237)。对于这个用例,请换用 IPsec/XAuth 模式。 1. Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。这是由 `NSS` 中的一个问题导致的。更多信息请看 这里。 -1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级 到版本 3.26 或以上。 -1. 如果你的 VPN 客户端可以连接但是无法打开任何网站,可以尝试编辑服务器上的 `/etc/ipsec.conf`。找到 `conn ikev2-cp` 部分的 `phase2alg=` 一行并删除 `aes_gcm-null,`。保存文件并运行 `service ipsec restart`。 +1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级到版本 3.26 或以上。 ## 参考链接 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index fa6263f936..548334de6f 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -251,7 +251,7 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th ### Windows 7, 8.x and 10 -1. Securely transfer `vpnclient.p12` to your computer, then import it into the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". +1. Securely transfer the generated `.p12` file to your computer, then import it into the "Computer account" certificate store. Make sure that the client cert is placed in "Personal -> Certificates", and the CA cert is placed in "Trusted Root Certification Authorities -> Certificates". Detailed instructions: https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs 
@@ -266,7 +266,7 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th ### OS X (macOS) -First, securely transfer `vpnclient.p12` to your Mac, then double-click to import into the **login** keychain in **Keychain Access**. Next, double-click on the imported `IKEv2 VPN CA` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu. When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under the **Certificates** category of **login** keychain. +First, securely transfer the generated `.p12` file to your Mac, then double-click to import into the **login** keychain in **Keychain Access**. Next, double-click on the imported `IKEv2 VPN CA` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu. When finished, check to make sure both the new client certificate and `IKEv2 VPN CA` are listed under the **Certificates** category of **login** keychain. 1. Open System Preferences and go to the Network section. 1. Click the **+** button in the lower-left corner of the window. @@ -279,7 +279,7 @@ First, securely transfer `vpnclient.p12` to your Mac, then double-click to impor 1. Leave the **Local ID** field blank. 1. Click the **Authentication Settings...** button. 1. Select **None** from the **Authentication Settings** drop-down menu. -1. Select the **Certificate** radio button, then select the **vpnclient** certificate. +1. Select the **Certificate** radio button, then select the new client certificate. 1. Click **OK**. 1. Check the **Show VPN status in menu bar** checkbox. 1. Click **Apply** to save the VPN connection information. 
@@ -287,42 +287,42 @@ First, securely transfer `vpnclient.p12` to your Mac, then double-click to impor ### Android 10 and newer -1. Securely transfer `vpnclient.p12` to your Android device. +1. Securely transfer the generated `.p12` file to your Android device. 1. Install strongSwan VPN Client from **Google Play**. 1. Launch the **Settings** application. 1. Go to Security -> Advanced -> Encryption & credentials. 1. Tap **Install from storage (or SD card)**. -1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. +1. Choose the `.p12` file you transferred from the VPN server, and follow the prompts. **Note:** To find the `.p12` file, click on the three-line menu button, then click on your device name. 1. Launch the strongSwan VPN client and tap **Add VPN Profile**. 1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field. 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. -1. Tap **Select user certificate**, select your new VPN client certificate and confirm. +1. Tap **Select user certificate**, select the new client certificate and confirm. 1. **(Important)** Tap **Show advanced settings**. Scroll down, find and enable the **Use RSA/PSS signatures** option. 1. Save the new VPN connection, then tap to connect. ### Android 4.x to 9.x -1. Securely transfer `vpnclient.p12` to your Android device. +1. Securely transfer the generated `.p12` file to your Android device. 1. Install strongSwan VPN Client from **Google Play**. 1. Launch the strongSwan VPN client and tap **Add VPN Profile**. 1. Enter `Your VPN Server IP` (or DNS name) in the **Server** field. 1. Select **IKEv2 Certificate** from the **VPN Type** drop-down menu. 1. Tap **Select user certificate**, then tap **Install certificate**. -1. Choose the `.p12` file you copied from the VPN server, and follow the prompts. +1. Choose the `.p12` file you transferred from the VPN server, and follow the prompts. 
**Note:** To find the `.p12` file, click on the three-line menu button, then click on your device name. 1. **(Important)** Tap **Show advanced settings**. Scroll down, find and enable the **Use RSA/PSS signatures** option. 1. Save the new VPN connection, then tap to connect. ### iOS -First, securely transfer both `ikev2vpnca.cer` and `vpnclient.p12` to your iOS device, then import them one by one as iOS profiles. To transfer the files, you may use: +First, securely transfer the generated `ikev2vpnca.cer` and `.p12` files to your iOS device, then import them one by one as iOS profiles. To transfer the files, you may use: 1. AirDrop, or -1. Upload the files to your device, tap them in the "Files" app, then go to "Settings" and import, or +1. Upload the files to your device, tap them in the "Files" app (must be in the "On My iPhone" folder), then follow the prompts to import, or 1. Host the files on a secure website of yours, then download and import them in Mobile Safari. -When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed under Settings -> General -> Profiles. +When finished, check to make sure both the new client certificate and `IKEv2 VPN CA` are listed under Settings -> General -> Profiles. 1. Go to Settings -> General -> VPN. 1. Tap **Add VPN Configuration...**. @@ -333,7 +333,7 @@ When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed 1. Leave the **Local ID** field blank. 1. Tap **User Authentication**. Select **None** and go back. 1. Make sure the **Use Certificate** switch is ON. -1. Tap **Certificate**. Select **vpnclient** and go back. +1. Tap **Certificate**. Select the new client certificate and go back. 1. Tap **Done**. 1. Slide the **VPN** switch ON. 
@@ -432,9 +432,9 @@ In certain circumstances, you may need to revoke a previously generated VPN clie ## Known issues 1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the IPsec/L2TP or IPsec/XAuth mode. +1. Connecting multiple IKEv2 clients simultaneously from behind the same NAT (e.g. home router) is not supported (#237). For this use case, please instead use IPsec/XAuth mode. 1. Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more here. 1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above. -1. If your VPN client can connect but cannot open any website, try editing `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=` under section `conn ikev2-cp` and delete `aes_gcm-null,`. Save the file and run `service ipsec restart`. ## References From 71dc5bab01d316e986f46ac1a61f9eb110cc6d6a Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 6 Jul 2020 22:42:45 -0500 Subject: [PATCH 0339/1208] Update IKEv2 docs - Connecting multiple IKEv2 clients from behind the same NAT requires setting the "local ID" field to match the client name. Ref: https://github.com/libreswan/libreswan/issues/237 --- docs/ikev2-howto-zh.md | 59 +++++++++++++++++++++--------------------- docs/ikev2-howto.md | 55 ++++++++++++++++++++------------------- 2 files changed, 58 insertions(+), 56 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 7f6486a13e..3e1ceced9d 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -195,7 +195,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh 导出 `.p12` 文件: ```bash - pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d + pk12util -d sql:/etc/ipsec.d -n "vpnclient" -o vpnclient.p12 ``` ``` @@ -245,9 +245,9 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh * [Windows 7, 8.x 和 10](#windows-7-8x-和-10) * [OS X (macOS)](#os-x-macos) +* [iOS (iPhone/iPad)](#ios) * [Android 10 和更新版本](#android-10-和更新版本) * [Android 4.x to 9.x](#android-4x-to-9x) -* [iOS (iPhone/iPad)](#ios) ### Windows 7, 8.x 和 10 @@ -276,7 +276,8 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh 1. 单击 **创建**。 1. 在 **服务器地址** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 1. 在 **远程 ID** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 -1. 保持 **本地 ID** 字段空白。 +1. 在 **本地 ID** 字段中输入 `你的 VPN 客户端名称`。 + **注:** 该名称必须和你在 IKEv2 配置过程中指定的客户端名称一致。它与你的 `.p12` 文件名的第一部分相同。 1. 单击 **鉴定设置...** 按钮。 1. 从 **鉴定设置** 下拉菜单中选择 **无**。 1. 选择 **证书** 单选按钮,然后选择新的客户端证书。 @@ -285,6 +286,32 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh 1. 单击 **应用** 保存VPN连接信息。 1. 单击 **连接**。 +### iOS + +首先,将生成的 `ikev2vpnca.cer` 和 `.p12` 文件安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。要传送文件,你可以使用: + +1. AirDrop(隔空投送),或者 +1. 上传到设备,在 "文件" 应用程序中单击它们(必须首先移动到 "On My iPhone" 目录下),然后按照提示导入,或者 +1. 将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。 + +在完成之后,检查并确保新的客户端证书和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 + +1. 进入设置 -> 通用 -> VPN。 +1. 单击 **添加VPN配置...**。 +1. 单击 **类型** 。选择 **IKEv2** 并返回。 +1. 在 **描述** 字段中输入任意内容。 +1. 在 **服务器** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 +1. 在 **远程 ID** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 +1. 在 **本地 ID** 字段中输入 `你的 VPN 客户端名称`。 + **注:** 该名称必须和你在 IKEv2 配置过程中指定的客户端名称一致。它与你的 `.p12` 文件名的第一部分相同。 +1. 单击 **用户鉴定** 。选择 **无** 并返回。 +1. 启用 **使用证书** 选项。 +1. 单击 **证书** 。选择新的客户端证书并返回。 +1. 单击右上角的 **完成**。 +1. 启用 **VPN** 连接。 + +连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 + ### Android 10 和更新版本 1. 将生成的 `.p12` 文件安全地传送到你的 Android 设备。 
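Review bot: In the moved iOS section of docs/ikev2-howto-zh.md (`@@ -285,6 +286,32 @@`), the closing line `连接成功后,你可以到 这里 检测你的 IP 地址…` travels with the section, so the connection check now sits between the iOS and Android sections and reads as iOS-only. docs/ikev2-howto.md in the same patch leaves its "Once successfully connected…" paragraph after the last client section. Keep that line out of the moved block here and leave it after the Android 4.x to 9.x section so both languages match.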
@@ -314,31 +341,6 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh 1. **(重要)** 单击 **Show advanced settings**。向下滚动,找到并启用 **Use RSA/PSS signatures** 选项。 1. 保存新的 VPN 连接,然后单击它以开始连接。 -### iOS - -首先,将生成的 `ikev2vpnca.cer` 和 `.p12` 文件安全地传送到你的 iOS 设备,并且逐个导入为 iOS 配置描述文件。要传送文件,你可以使用: - -1. AirDrop (隔空投送),或者 -1. 将文件上传到设备,在 "文件" 应用程序中单击它们(必须在 "On My iPhone" 目录下),然后按照提示导入,或者 -1. 将文件放在一个你的安全的托管网站上,然后在 Mobile Safari 中下载并导入它们。 - -在完成之后,检查并确保新的客户端证书和 `IKEv2 VPN CA` 都显示在设置 -> 通用 -> 描述文件中。 - -1. 进入设置 -> 通用 -> VPN。 -1. 单击 **添加VPN配置...**。 -1. 单击 **类型** 。选择 **IKEv2** 并返回。 -1. 在 **描述** 字段中输入任意内容。 -1. 在 **服务器** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 -1. 在 **远程 ID** 字段中输入 `你的 VPN 服务器 IP` (或者域名)。 -1. 保持 **本地 ID** 字段空白。 -1. 单击 **用户鉴定** 。选择 **无** 并返回。 -1. 启用 **使用证书** 选项。 -1. 单击 **证书** 。选择新的客户端证书并返回。 -1. 单击右上角的 **完成**。 -1. 启用 **VPN** 连接。 - -连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。 - ## 添加一个客户端证书 如果要为更多的客户端生成证书,只需重新运行 [辅助脚本](#使用辅助脚本)。或者你可以看 [这一小节](#手动在-vpn-服务器上配置-ikev2) 的第 4 步。 @@ -432,7 +434,6 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh ## 已知问题 1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TPIPsec/XAuth 模式。 -1. 不支持同时连接在同一个 NAT(比如家用路由器)后面的多个 IKEv2 客户端 (#237)。对于这个用例,请换用 IPsec/XAuth 模式。 1. Ubuntu 18.04 用户在尝试将生成的 `.p12` 文件导入到 Windows 时可能会遇到错误 "输入的密码不正确"。这是由 `NSS` 中的一个问题导致的。更多信息请看 这里。 1. 如果你使用 strongSwan Android VPN 客户端,则必须将服务器上的 Libreswan 升级到版本 3.26 或以上。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 548334de6f..c4ceff4d29 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -195,7 +195,7 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm Export `.p12` file: ```bash - pk12util -o vpnclient.p12 -n "vpnclient" -d sql:/etc/ipsec.d + pk12util -d sql:/etc/ipsec.d -n "vpnclient" -o vpnclient.p12 ``` ``` 
@@ -245,9 +245,9 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th * [Windows 7, 8.x and 10](#windows-7-8x-and-10) * [OS X (macOS)](#os-x-macos) +* [iOS (iPhone/iPad)](#ios) * [Android 10 and newer](#android-10-and-newer) * [Android 4.x to 9.x](#android-4x-to-9x) -* [iOS (iPhone/iPad)](#ios) ### Windows 7, 8.x and 10 @@ -276,7 +276,8 @@ First, securely transfer the generated `.p12` file to your Mac, then double-clic 1. Click **Create**. 1. Enter `Your VPN Server IP` (or DNS name) for the **Server Address**. 1. Enter `Your VPN Server IP` (or DNS name) for the **Remote ID**. -1. Leave the **Local ID** field blank. +1. Enter `Your VPN client name` in the **Local ID** field. + **Note:** This must match exactly the client name you specified during IKEv2 setup. Same as the first part of your `.p12` filename. 1. Click the **Authentication Settings...** button. 1. Select **None** from the **Authentication Settings** drop-down menu. 1. Select the **Certificate** radio button, then select the new client certificate. 
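Review bot: The new Local ID step in `@@ -276,7 +276,8 @@` identifies the value with "Same as the first part of your `.p12` filename", which is a sentence fragment and stops being true as soon as the file is renamed during transfer. The export command earlier in this file passes the same string to `-n` and to the output name (`pk12util -d sql:/etc/ipsec.d -n "vpnclient" -o vpnclient.p12`), so describe the value as the client name given at setup and offer the filename only as a hint. This patch also deletes the known-issues entry about multiple IKEv2 clients behind the same NAT, while its hunks change only the macOS and iOS steps; state whether the strongSwan Android and Windows clients need an equivalent setting, or keep the entry scoped to them.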
@@ -285,6 +286,30 @@ First, securely transfer the generated `.p12` file to your Mac, then double-clic 1. Click **Apply** to save the VPN connection information. 1. Click **Connect**. +### iOS + +First, securely transfer the generated `ikev2vpnca.cer` and `.p12` files to your iOS device, then import them one by one as iOS profiles. To transfer the files, you may use: + +1. AirDrop, or +1. Upload to your device, tap them in the "Files" app (must first move to the "On My iPhone" folder), then follow the prompts to import, or +1. Host the files on a secure website of yours, then download and import them in Mobile Safari. + +When finished, check to make sure both the new client certificate and `IKEv2 VPN CA` are listed under Settings -> General -> Profiles. + +1. Go to Settings -> General -> VPN. +1. Tap **Add VPN Configuration...**. +1. Tap **Type**. Select **IKEv2** and go back. +1. Tap **Description** and enter anything you like. +1. Tap **Server** and enter `Your VPN Server IP` (or DNS name). +1. Tap **Remote ID** and enter `Your VPN Server IP` (or DNS name). +1. Enter `Your VPN client name` in the **Local ID** field. + **Note:** This must match exactly the client name you specified during IKEv2 setup. Same as the first part of your `.p12` filename. +1. Tap **User Authentication**. Select **None** and go back. +1. Make sure the **Use Certificate** switch is ON. +1. Tap **Certificate**. Select the new client certificate and go back. +1. Tap **Done**. +1. Slide the **VPN** switch ON. + ### Android 10 and newer 1. Securely transfer the generated `.p12` file to your Android device. 
@@ -314,29 +339,6 @@ First, securely transfer the generated `.p12` file to your Mac, then double-clic 1. **(Important)** Tap **Show advanced settings**. Scroll down, find and enable the **Use RSA/PSS signatures** option. 1. Save the new VPN connection, then tap to connect. -### iOS - -First, securely transfer the generated `ikev2vpnca.cer` and `.p12` files to your iOS device, then import them one by one as iOS profiles. To transfer the files, you may use: - -1. AirDrop, or -1. Upload the files to your device, tap them in the "Files" app (must be in the "On My iPhone" folder), then follow the prompts to import, or -1. Host the files on a secure website of yours, then download and import them in Mobile Safari. - -When finished, check to make sure both the new client certificate and `IKEv2 VPN CA` are listed under Settings -> General -> Profiles. - -1. Go to Settings -> General -> VPN. -1. Tap **Add VPN Configuration...**. -1. Tap **Type**. Select **IKEv2** and go back. -1. Tap **Description** and enter anything you like. -1. Tap **Server** and enter `Your VPN Server IP` (or DNS name). -1. Tap **Remote ID** and enter `Your VPN Server IP` (or DNS name). -1. Leave the **Local ID** field blank. -1. Tap **User Authentication**. Select **None** and go back. -1. Make sure the **Use Certificate** switch is ON. -1. Tap **Certificate**. Select the new client certificate and go back. -1. Tap **Done**. -1. Slide the **VPN** switch ON. - Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`". ## Add a client certificate 
@@ -432,7 +434,6 @@ In certain circumstances, you may need to revoke a previously generated VPN clie ## Known issues 1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the IPsec/L2TP or IPsec/XAuth mode. -1. Connecting multiple IKEv2 clients simultaneously from behind the same NAT (e.g. home router) is not supported (#237). For this use case, please instead use IPsec/XAuth mode. 1. Ubuntu 18.04 users may encounter the error "The password you entered is incorrect" when trying to import the generated `.p12` file into Windows. This is due to a bug in `NSS`. Read more here. 1. If using the strongSwan Android VPN client, you must upgrade Libreswan on your server to version 3.26 or above. From bff3fe5a4b25d078c905d78368a27271c24f5994 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 6 Jul 2020 23:03:13 -0500 Subject: [PATCH 0340/1208] Fix for EPEL repo - Add workaround for EPEL repo issues --- extras/vpnupgrade_centos.sh | 1 + vpnsetup_centos.sh | 1 + 2 files changed, 2 insertions(+) diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index d8075a89ee..db00caf99c 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -182,6 +182,7 @@ cd /opt/src || exit 1 # Add the EPEL repository epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm" yum -y install epel-release || yum -y install "$epel_url" || exiterr2 +yum -y makecache || { yum -y clean metadata; yum -y makecache; } || { yum -y clean metadata; yum -y makecache; } # Install necessary packages yum -y install nss-devel nspr-devel pkgconfig pam-devel \ diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 1f4526816e..03f97eab71 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh 
@@ -144,6 +144,7 @@ bigecho "Adding the EPEL repository..." epel_url="https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm" yum -y install epel-release || yum -y install "$epel_url" || exiterr2 +yum -y makecache || { yum -y clean metadata; yum -y makecache; } || { yum -y clean metadata; yum -y makecache; } bigecho "Installing packages required for the VPN..." From b686bbb0df6f739fd8f1428cde9e52e73b8264ec Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 7 Jul 2020 01:25:07 -0500 Subject: [PATCH 0341/1208] Add workflows - Run automated tests on multiple OS using GitHub actions --- .github/workflows/main.yml | 251 +++++++++++++++++++++++++++++++++++++ .travis.yml | 13 -- 2 files changed, 251 insertions(+), 13 deletions(-) create mode 100644 .github/workflows/main.yml delete mode 100644 .travis.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000000..dadd2f9660 --- /dev/null +++ b/.github/workflows/main.yml 
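Review bot: The added `yum -y makecache || { …; } || { …; }` line in vpnsetup_centos.sh (`@@ -144,6 +144,7 @@`, and the identical line in extras/vpnupgrade_centos.sh) has no failure path: if the third attempt also fails, nothing on the line stops the script, unlike the `|| exiterr2` on the EPEL install directly above it. Either end the chain with `|| exiterr2` or add a comment saying that continuing with a stale cache is acceptable here. The two identical retry groups would read better as a short loop, and the commit message should say which EPEL issue the `clean metadata` retry works around.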
@@ -0,0 +1,251 @@ +name: vpn test + +on: + push: + branches: [master] + paths: + - '**.sh' + - '.github/workflows/main.yml' + schedule: + - cron: '25 10 * * 3,6' + +jobs: + shellcheck: + runs-on: ubuntu-latest + if: github.repository_owner == 'hwdsl2' && github.event_name == 'push' + steps: + - uses: actions/checkout@v2 + with: + persist-credentials: false + - name: Check + if: success() + run: | + export DEBIAN_FRONTEND=noninteractive + sudo apt-get -yq update + sudo apt-get -yq install shellcheck + + export SHELLCHECK_OPTS="-e SC1091,SC1117" + cd "$GITHUB_WORKSPACE" + pwd + ls -l | grep 'vpnsetup\.sh' + shellcheck --version + shellcheck *.sh extras/*.sh + + test_set_1: + runs-on: ubuntu-latest + if: github.repository_owner == 'hwdsl2' + strategy: + matrix: + os_version: ["centos:8", "centos:7", "ubuntu:16.04", "debian:8"] + fail-fast: false + env: + OS_VERSION: ${{ matrix.os_version }} + EVENT_NAME: ${{ github.event_name }} + steps: + - name: Build + run: | + if [ "$EVENT_NAME" = "push" ]; then + echo "Waiting 60 seconds..." 
+ sleep 60 + fi + mkdir -p "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}" + cd "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}" + cat > run.sh <<'EOF' + #!/bin/bash + set -e + + if [ "$1" = "centos" ]; then + yum -y -q install wget rsyslog + systemctl start rsyslog + wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-centos + else + export DEBIAN_FRONTEND=noninteractive + apt-get -yq update + apt-get -yq install wget rsyslog + service rsyslog start + wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup + fi + sh vpnsetup.sh + if [ "$1" = "centos" ]; then + systemctl start fail2ban + systemctl start ipsec + systemctl start xl2tpd + fi + sleep 10 + netstat -anpu + netstat -anpu | grep -q pluto + netstat -anpu | grep -q xl2tpd + iptables -nL + iptables -nL | grep -q '192\.168\.42\.0/24' + iptables -nL -t nat + iptables -nL -t nat | grep -q '192\.168\.43\.0/24' + if [ "$1" = "centos" ]; then + grep pluto /var/log/secure + grep pluto /var/log/secure | grep -q 'added connection description "l2tp-psk"' + grep pluto /var/log/secure | grep -q 'added connection description "xauth-psk"' + grep xl2tpd /var/log/messages + grep xl2tpd /var/log/messages | grep -q 'Listening on IP address 0\.0\.0\.0, port 1701' + else + grep pluto /var/log/auth.log + grep pluto /var/log/auth.log | grep -q 'added connection description "l2tp-psk"' + grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"' + grep xl2tpd /var/log/syslog + grep xl2tpd /var/log/syslog | grep -q 'Listening on IP address 0\.0\.0\.0, port 1701' + fi + wget -t 3 -T 30 -nv -O ikev2.sh https://git.io/ikev2setup # hwdsl2 + bash ikev2.sh < Dockerfile <> Dockerfile <<'EOF' + + ENV container docker + WORKDIR /opt/src + + RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ "$i" = \ + systemd-tmpfiles-setup.service ] || rm -f "$i"; done); \ + rm -f /lib/systemd/system/multi-user.target.wants/*; \ + rm -f /etc/systemd/system/*.wants/*; \ + rm -f 
/lib/systemd/system/local-fs.target.wants/*; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev*; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \ + rm -f /lib/systemd/system/basic.target.wants/*; \ + rm -f /lib/systemd/system/anaconda.target.wants/*; + + COPY ./run.sh /opt/src/run.sh + RUN chmod 755 /opt/src/run.sh + + VOLUME [ "/sys/fs/cgroup" ] + + CMD ["/sbin/init"] + EOF + cat Dockerfile + cat run.sh + docker build -t "${OS_VERSION//:}-test" . + + - name: Test + if: success() + run: | + docker run -d --name "${OS_VERSION//:}-test-1" -v /sys/fs/cgroup:/sys/fs/cgroup:ro \ + --privileged "${OS_VERSION//:}-test" + sleep 10 + docker exec "${OS_VERSION//:}-test-1" /opt/src/run.sh "${OS_VERSION::6}" + + - name: Clear + if: always() + run: | + rm -rf "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}" + docker rm -f "${OS_VERSION//:}-test-1" || true + docker rmi "${OS_VERSION//:}-test" || true + + test_set_2: + runs-on: ubuntu-latest + if: github.repository_owner == 'hwdsl2' + strategy: + matrix: + os_version: ["ubuntu:20.04", "ubuntu:18.04", "debian:10", "debian:9", "centos:6"] + fail-fast: false + container: + image: ${{ matrix.os_version }} + env: + OS_VERSION: ${{ matrix.os_version }} + EVENT_NAME: ${{ github.event_name }} + options: --privileged -v /lib/modules:/lib/modules:ro + steps: + - name: Test + run: | + if [ "$EVENT_NAME" = "push" ]; then + echo "Waiting 60 seconds..." 
+ sleep 60 + fi + mkdir -p /opt/src + cd /opt/src + echo "# hwdsl2" > run.sh + OS_NAME=$(echo "$OS_VERSION" | head -c6) + if [ "$OS_NAME" = "centos" ]; then + yum -y -q install wget rsyslog + service rsyslog start + wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-centos + else + export DEBIAN_FRONTEND=noninteractive + apt-get -yq update + apt-get -yq install wget rsyslog + service rsyslog start + wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup + fi + sh vpnsetup.sh + sleep 10 + netstat -anpu + netstat -anpu | grep -q pluto + netstat -anpu | grep -q xl2tpd + iptables -nL + iptables -nL | grep -q '192\.168\.42\.0/24' + iptables -nL -t nat + iptables -nL -t nat | grep -q '192\.168\.43\.0/24' + if [ "$OS_NAME" = "centos" ]; then + grep pluto /var/log/secure + grep pluto /var/log/secure | grep -q 'added connection description "l2tp-psk"' + grep pluto /var/log/secure | grep -q 'added connection description "xauth-psk"' + grep xl2tpd /var/log/messages + grep xl2tpd /var/log/messages | grep -q 'Listening on IP address 0\.0\.0\.0, port 1701' + else + grep pluto /var/log/auth.log + grep pluto /var/log/auth.log | grep -q 'added connection description "l2tp-psk"' + grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"' + grep xl2tpd /var/log/syslog + grep xl2tpd /var/log/syslog | grep -q 'Listening on IP address 0\.0\.0\.0, port 1701' + fi + wget -t 3 -T 30 -nv -O ikev2.sh https://git.io/ikev2setup + bash ikev2.sh < Date: Tue, 7 Jul 2020 01:52:14 -0500 Subject: [PATCH 0342/1208] Update docs --- README-zh.md | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README-zh.md b/README-zh.md index 7b993c1dc8..9e2b29c2c0 100644 --- a/README-zh.md +++ b/README-zh.md 
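Review bot: Neither test job in the new .github/workflows/main.yml runs the commit that triggered it: `test_set_1` and `test_set_2` start directly with their `Build` and `Test` steps, with no checkout, and fetch `vpnsetup.sh` and `ikev2.sh` with `wget` from `https://git.io/...` short links, preceded by a `sleep 60` on push. Check out the repository in these jobs and copy the scripts into the container, so the result reflects the pushed revision and does not depend on a redirect resolving to the right content. In the `shellcheck` job, `actions/checkout@v2` is a mutable tag; pin it to a full commit SHA. `persist-credentials: false` there is worth keeping.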
@@ -1,6 +1,6 @@ # IPsec VPN 服务器一键安装脚本 -[![Build Status](https://img.shields.io/travis/hwdsl2/setup-ipsec-vpn.svg?maxAge=1200)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) +[![Build Status](https://img.shields.io/github/workflow/status/hwdsl2/setup-ipsec-vpn/vpn%20test.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/actions) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) 使用 Linux 脚本一键快速搭建自己的 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu/Debian/CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 diff --git a/README.md b/README.md index cb03ef90c2..70cd417ce5 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # IPsec VPN Server Auto Setup Scripts -[![Build Status](https://img.shields.io/travis/hwdsl2/setup-ipsec-vpn.svg?maxAge=1200)](https://travis-ci.org/hwdsl2/setup-ipsec-vpn) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) +[![Build Status](https://img.shields.io/github/workflow/status/hwdsl2/setup-ipsec-vpn/vpn%20test.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/actions) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) Set up your own IPsec VPN server in just a few minutes, with both IPsec/L2TP and Cisco IPsec on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials, and let the scripts handle the rest. From 8f42527e163bb31b98999ae6bfcf4c851b5b1ea2 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 7 Jul 2020 12:16:55 -0500 Subject: [PATCH 0343/1208] Update workflows --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index dadd2f9660..5aa097b52a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -7,7 +7,7 @@ on: - '**.sh' - '.github/workflows/main.yml' schedule: - - cron: '25 10 * * 3,6' + - cron: '25 2 * * 0,4' jobs: shellcheck: From 0f7ea7610d1129d80af1227208565422433d9bb9 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 7 Jul 2020 12:17:09 -0500 Subject: [PATCH 0344/1208] Update docs --- README-zh.md | 6 ++---- README.md | 6 ++---- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/README-zh.md b/README-zh.md index 9e2b29c2c0..b9d548d922 100644 --- a/README-zh.md +++ b/README-zh.md 
@@ -1,6 +1,6 @@ # IPsec VPN 服务器一键安装脚本 -[![Build Status](https://img.shields.io/github/workflow/status/hwdsl2/setup-ipsec-vpn/vpn%20test.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/actions) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) +[![Build Status](https://img.shields.io/github/workflow/status/hwdsl2/setup-ipsec-vpn/vpn%20test.svg?cacheSeconds=600)](https://github.com/hwdsl2/setup-ipsec-vpn/actions) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?cacheSeconds=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?cacheSeconds=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?cacheSeconds=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md) 使用 Linux 脚本一键快速搭建自己的 IPsec VPN 服务器。支持 IPsec/L2TP 和 Cisco IPsec 协议,可用于 Ubuntu/Debian/CentOS 系统。你只需提供自己的 VPN 登录凭证,然后运行脚本自动完成安装。 @@ -60,7 +60,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh 一个新创建的 Amazon EC2 实例,使用这些映像之一: - Ubuntu 20.04 (Focal), 18.04 (Bionic) or 16.04 (Xenial) - Debian 10 (Buster)[\*](#debian-10-note), 9 (Stretch) or 8 (Jessie) -- CentOS 8 (x86_64) with Updates [\*\*](#centos-8-note) +- CentOS 8 (x86_64) with Updates - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates - Red Hat Enterprise Linux (RHEL) 8, 7 or 6 
@@ -81,8 +81,6 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh \* Debian 10 用户需要使用标准的 Linux 内核(而不是 "cloud" 版本)。更多信息请看 这里。 - -\*\* CentOS 8 暂时没有官方的 EC2 映像。 :warning: **不要** 在你的 PC 或者 Mac 上运行这些脚本!它们只能用在服务器上! diff --git a/README.md b/README.md index 70cd417ce5..f53f7a9219 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # IPsec VPN Server Auto Setup Scripts -[![Build Status](https://img.shields.io/github/workflow/status/hwdsl2/setup-ipsec-vpn/vpn%20test.svg?maxAge=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/actions) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?maxAge=86400)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?maxAge=86400)](https://github.com/hwdsl2/docker-ipsec-vpn-server) +[![Build Status](https://img.shields.io/github/workflow/status/hwdsl2/setup-ipsec-vpn/vpn%20test.svg?cacheSeconds=600)](https://github.com/hwdsl2/setup-ipsec-vpn/actions) [![GitHub Stars](https://img.shields.io/github/stars/hwdsl2/setup-ipsec-vpn.svg?cacheSeconds=3600)](https://github.com/hwdsl2/setup-ipsec-vpn/stargazers) [![Docker Stars](https://img.shields.io/docker/stars/hwdsl2/ipsec-vpn-server.svg?cacheSeconds=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server) [![Docker Pulls](https://img.shields.io/docker/pulls/hwdsl2/ipsec-vpn-server.svg?cacheSeconds=3600)](https://github.com/hwdsl2/docker-ipsec-vpn-server) Set up your own IPsec VPN server in just a few minutes, with both IPsec/L2TP and Cisco IPsec on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials, and let the scripts handle the rest. 
@@ -60,7 +60,7 @@ For other installation options and how to set up VPN clients, read the sections A newly created Amazon EC2 instance, from one of these images: - Ubuntu 20.04 (Focal), 18.04 (Bionic) or 16.04 (Xenial) - Debian 10 (Buster)[\*](#debian-10-note), 9 (Stretch) or 8 (Jessie) -- CentOS 8 (x86_64) with Updates [\*\*](#centos-8-note) +- CentOS 8 (x86_64) with Updates - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates - Red Hat Enterprise Linux (RHEL) 8, 7 or 6 @@ -81,8 +81,6 @@ Advanced users can set up the VPN server on a $35 \* Debian 10 users should use the standard Linux kernel (not the "cloud" version). Read more here. - -\*\* CentOS 8 does not yet have an official EC2 image. :warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server! From 3b4a666e028252035d3fb2c55bbb5f7717198f3f Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Thu, 9 Jul 2020 01:41:52 -0500 Subject: [PATCH 0345/1208] Update workflows --- .github/workflows/main.yml | 116 ++++++++++++++++++++++++++----------- 1 file changed, 82 insertions(+), 34 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 5aa097b52a..b4227b2612 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -20,16 +20,22 @@ jobs: - name: Check if: success() run: | - export DEBIAN_FRONTEND=noninteractive - sudo apt-get -yq update - sudo apt-get -yq install shellcheck + if [ ! -x /usr/bin/shellcheck ]; then + export DEBIAN_FRONTEND=noninteractive + sudo apt-get -yq update + sudo apt-get -yq install shellcheck + fi - export SHELLCHECK_OPTS="-e SC1091,SC1117" cd "$GITHUB_WORKSPACE" pwd - ls -l | grep 'vpnsetup\.sh' + ls -ld vpnsetup.sh + + export SHELLCHECK_OPTS="-e SC1091,SC1117" shellcheck --version - shellcheck *.sh extras/*.sh + shopt -s globstar + ls -ld -- **/*.sh + shellcheck **/*.sh + shopt -u globstar test_set_1: runs-on: ubuntu-latest 
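Review bot: The install guard `if [ ! -x /usr/bin/shellcheck ]` at the top of the `@@ -20,16 +20,22 @@` hunk hard-codes one path, so a runner that ships shellcheck elsewhere on `PATH` reinstalls it through apt on every run; `command -v shellcheck >/dev/null` tests what the later `shellcheck --version` call will actually resolve. The trailing `shopt -u globstar` can be dropped, since each `run:` block starts its own shell and the option does not carry over to later steps.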
@@ -48,8 +54,10 @@ jobs: echo "Waiting 60 seconds..." sleep 60 fi + mkdir -p "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}" cd "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}" + cat > run.sh <<'EOF' #!/bin/bash set -e @@ -65,16 +73,17 @@ jobs: service rsyslog start wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup fi + sh vpnsetup.sh if [ "$1" = "centos" ]; then systemctl start fail2ban systemctl start ipsec systemctl start xl2tpd fi + sleep 10 - netstat -anpu - netstat -anpu | grep -q pluto - netstat -anpu | grep -q xl2tpd + netstat -anpu | grep pluto + netstat -anpu | grep xl2tpd iptables -nL iptables -nL | grep -q '192\.168\.42\.0/24' iptables -nL -t nat @@ -84,23 +93,39 @@ jobs: grep pluto /var/log/secure | grep -q 'added connection description "l2tp-psk"' grep pluto /var/log/secure | grep -q 'added connection description "xauth-psk"' grep xl2tpd /var/log/messages - grep xl2tpd /var/log/messages | grep -q 'Listening on IP address 0\.0\.0\.0, port 1701' else grep pluto /var/log/auth.log grep pluto /var/log/auth.log | grep -q 'added connection description "l2tp-psk"' grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"' grep xl2tpd /var/log/syslog - grep xl2tpd /var/log/syslog | grep -q 'Listening on IP address 0\.0\.0\.0, port 1701' fi + + VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ + VPN_USER='your_vpn_username' \ + VPN_PASSWORD='your_vpn_password' \ + sh vpnsetup.sh + if [ "$1" = "centos" ]; then + systemctl restart ipsec + fi + + grep "your_ipsec_pre_shared_key" /etc/ipsec.secrets + grep "your_vpn_username" /etc/ppp/chap-secrets + grep "your_vpn_password" /etc/ppp/chap-secrets + grep "your_vpn_username" /etc/ipsec.d/passwd + wget -t 3 -T 30 -nv -O ikev2.sh https://git.io/ikev2setup # hwdsl2 + sed -i 's/pk12util/pk12util -W test/' ikev2.sh bash ikev2.sh < run.sh + OS_NAME=$(echo "$OS_VERSION" | head -c6) if [ "$OS_NAME" = "centos" ]; then yum -y -q install wget rsyslog 
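Review bot: `sed -i 's/pk12util/pk12util -W test/' ikev2.sh` rewrites the downloaded script before running it, so the job exercises a modified ikev2.sh, and the edit becomes a silent no-op if the script's `pk12util` call is ever renamed or wrapped; the pattern also hits the first `pk12util` on every line, including any comment or message that mentions it. Prefer a supported way to hand the export password to ikev2.sh (an environment variable read by the script would be one option) over patching it in flight. In the same patch, dropping the `Listening on IP address 0\.0\.0\.0, port 1701` checks leaves `grep xl2tpd /var/log/messages` and `grep xl2tpd /var/log/syslog`, which pass on any xl2tpd log line; the commit message should say why the stricter check was removed.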
@@ -202,11 +233,12 @@ jobs: service rsyslog start wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup fi + sh vpnsetup.sh + sleep 10 - netstat -anpu - netstat -anpu | grep -q pluto - netstat -anpu | grep -q xl2tpd + netstat -anpu | grep pluto + netstat -anpu | grep xl2tpd iptables -nL iptables -nL | grep -q '192\.168\.42\.0/24' iptables -nL -t nat @@ -216,23 +248,36 @@ jobs: grep pluto /var/log/secure | grep -q 'added connection description "l2tp-psk"' grep pluto /var/log/secure | grep -q 'added connection description "xauth-psk"' grep xl2tpd /var/log/messages - grep xl2tpd /var/log/messages | grep -q 'Listening on IP address 0\.0\.0\.0, port 1701' else grep pluto /var/log/auth.log grep pluto /var/log/auth.log | grep -q 'added connection description "l2tp-psk"' grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"' grep xl2tpd /var/log/syslog - grep xl2tpd /var/log/syslog | grep -q 'Listening on IP address 0\.0\.0\.0, port 1701' fi + + VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ + VPN_USER='your_vpn_username' \ + VPN_PASSWORD='your_vpn_password' \ + sh vpnsetup.sh + + grep "your_ipsec_pre_shared_key" /etc/ipsec.secrets + grep "your_vpn_username" /etc/ppp/chap-secrets + grep "your_vpn_password" /etc/ppp/chap-secrets + grep "your_vpn_username" /etc/ipsec.d/passwd + wget -t 3 -T 30 -nv -O ikev2.sh https://git.io/ikev2setup + sed -i 's/pk12util/pk12util -W test/' ikev2.sh bash ikev2.sh < Date: Sat, 11 Jul 2020 16:48:12 -0500 Subject: [PATCH 0346/1208] Update workflows --- .github/workflows/main.yml | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b4227b2612..2a569c2102 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -62,13 +62,23 @@ jobs: #!/bin/bash set -e + trap 'catch $? $LINENO' ERR + + catch() { + echo "Error $1 occurred on line $2." + cat -n -- "$0" | tail -n+"$(($2 - 3))" | head -n7 + exit 1 + } + if [ "$1" = "centos" ]; then + yum -y update yum -y -q install wget rsyslog systemctl start rsyslog wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-centos else export DEBIAN_FRONTEND=noninteractive apt-get -yq update + apt-get -yq dist-upgrade apt-get -yq install wget rsyslog service rsyslog start wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup @@ -76,12 +86,16 @@ jobs: sh vpnsetup.sh if [ "$1" = "centos" ]; then - systemctl start fail2ban systemctl start ipsec systemctl start xl2tpd + sleep 5 + systemctl restart fail2ban + else + sleep 5 + service fail2ban restart fi - sleep 10 + sleep 5 netstat -anpu | grep pluto netstat -anpu | grep xl2tpd iptables -nL @@ -99,6 +113,8 @@ jobs: grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"' grep xl2tpd /var/log/syslog fi + cat /var/log/fail2ban.log + grep -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ VPN_USER='your_vpn_username' \ @@ -223,12 +239,14 @@ jobs: OS_NAME=$(echo "$OS_VERSION" | head -c6) if [ "$OS_NAME" = "centos" ]; then + yum -y update yum -y -q install wget rsyslog service rsyslog start wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-centos else export DEBIAN_FRONTEND=noninteractive apt-get -yq update + apt-get -yq dist-upgrade apt-get -yq install wget rsyslog service rsyslog start wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup @@ -236,7 +254,13 @@ jobs: sh vpnsetup.sh - sleep 10 + sleep 5 + if [ "$OS_NAME" = "centos" ]; then + sed -i '/^logtarget/d' /etc/fail2ban/fail2ban.conf + echo "logtarget = /var/log/fail2ban.log" >> /etc/fail2ban/fail2ban.conf + fi + service fail2ban restart + sleep 5 netstat -anpu | grep pluto netstat -anpu | grep xl2tpd iptables -nL 
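Review bot: In the `@@ -236,7 +254,13 @@` hunk, deleting the key with `sed -i '/^logtarget/d'` and then appending `logtarget = /var/log/fail2ban.log` with `>>` moves the setting to the end of `/etc/fail2ban/fail2ban.conf`, which is only correct while the section that holds `logtarget` is the last section in that file. Rewriting the value in place, for example `sed -i 's|^logtarget.*|logtarget = /var/log/fail2ban.log|'`, keeps it in its original section. A short comment saying why the CentOS image needs the log target changed would also help, since the later `grep -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log` depends on it.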
@@ -254,6 +278,8 @@ jobs: grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"' grep xl2tpd /var/log/syslog fi + cat /var/log/fail2ban.log + grep -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \ VPN_USER='your_vpn_username' \ From 6c88c7fd2709f636aa5b409d81e408f8508bf5c3 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sat, 11 Jul 2020 20:19:11 -0500 Subject: [PATCH 0347/1208] Fix for CentOS/RHEL 8 - Fix firewalld detection when the setup script is run again --- vpnsetup_centos.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 03f97eab71..9ddb3ab320 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -174,7 +174,7 @@ else REPO4='--enablerepo=codeready-builder-for-rhel-8-*' fi yum "$REPO4" -y install systemd-devel libevent-devel fipscheck-devel || exiterr2 - if systemctl is-active --quiet firewalld.service; then + if systemctl is-active --quiet firewalld.service || grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then use_nft=1 yum -y install nftables || exiterr2 else From 5d8932e4110a17d54348e7c8c3347dff0a822c0b Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 12 Jul 2020 14:42:04 -0500 Subject: [PATCH 0348/1208] Update IKEv2 docs --- docs/ikev2-howto-zh.md | 2 +- docs/ikev2-howto.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index 3e1ceced9d..2a450d7bbe 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md 
@@ -266,7 +266,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh ### OS X (macOS) -首先,将生成的 `.p12` 文件安全地传送到你的 Mac,然后双击以导入到 **钥匙串访问** 中的 **登录** 钥匙串。下一步,双击导入的 `IKEv2 VPN CA` 证书,展开 **信任** 并从 **IP 安全 (IPsec)** 下拉菜单中选择 **始终信任**。在完成之后,检查并确保新的客户端证书和 `IKEv2 VPN CA` 都显示在 **登录** 钥匙串 的 **证书** 类别中。 +首先,将生成的 `.p12` 文件安全地传送到你的 Mac,然后双击以导入到 **钥匙串访问** 中的 **登录** 钥匙串。下一步,双击导入的 `IKEv2 VPN CA` 证书,展开 **信任** 并从 **IP 安全 (IPsec)** 下拉菜单中选择 **始终信任**。单击左上角的红色 "X" 关闭窗口。根据提示使用触控 ID,或者输入密码并单击 "更新设置"。在完成之后,检查并确保新的客户端证书和 `IKEv2 VPN CA` 都显示在 **登录** 钥匙串 的 **证书** 类别中。 1. 打开系统偏好设置并转到网络部分。 1. 在窗口左下角单击 **+** 按钮。 diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index c4ceff4d29..4d3e24e793 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md 
@@ -266,7 +266,7 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th ### OS X (macOS) -First, securely transfer the generated `.p12` file to your Mac, then double-click to import into the **login** keychain in **Keychain Access**. Next, double-click on the imported `IKEv2 VPN CA` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu. When finished, check to make sure both the new client certificate and `IKEv2 VPN CA` are listed under the **Certificates** category of **login** keychain. +First, securely transfer the generated `.p12` file to your Mac, then double-click to import into the **login** keychain in **Keychain Access**. Next, double-click on the imported `IKEv2 VPN CA` certificate, expand **Trust** and select **Always Trust** from the **IP Security (IPsec)** drop-down menu. Close the dialog using the red "X" on the top-left corner. When prompted, use Touch ID or enter your password and click "Update Settings". When finished, check to make sure both the new client certificate and `IKEv2 VPN CA` are listed under the **Certificates** category of **login** keychain. 1. Open System Preferences and go to the Network section. 1. Click the **+** button in the lower-left corner of the window. From 5e090770c8b9803926417389bfbd156c0b46e41d Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 12 Jul 2020 17:14:30 -0500 Subject: [PATCH 0349/1208] Update IKEv2 script - Allow specifying custom DNS servers - Add notes about the IKEv2 MOBIKE extension - Cleanup --- extras/ikev2setup.sh | 82 +++++++++++++++++++++++++++++++++++++------- 1 file changed, 70 insertions(+), 12 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 92d289bb16..38d6824464 100644 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh 
@@ -189,7 +189,7 @@ else fi fi -cat <> /etc/ipsec.d/ikev2.conf <<'EOF' - modecfgdns="8.8.8.8 8.8.4.4" - encapsulation=yes + if [ -n "$dns_server_2" ]; then +cat >> /etc/ipsec.d/ikev2.conf <> /etc/ipsec.d/ikev2.conf <> /etc/ipsec.d/ikev2.conf else @@ -464,11 +514,16 @@ EOF fi ;; 3.19|3.2[012]) -cat >> /etc/ipsec.d/ikev2.conf <<'EOF' - modecfgdns1=8.8.8.8 - modecfgdns2=8.8.4.4 - encapsulation=yes + if [ -n "$dns_server_2" ]; then +cat >> /etc/ipsec.d/ikev2.conf <> /etc/ipsec.d/ikev2.conf < Date: Sun, 12 Jul 2020 17:17:21 -0500 Subject: [PATCH 0350/1208] Update tests --- .github/workflows/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 2a569c2102..42a888640d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -137,6 +137,7 @@ jobs: + y ANSWERS @@ -299,6 +300,7 @@ jobs: + y ANSWERS From bde54094b832bd6d2f2b16d6290f375614c9ca97 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Fri, 17 Jul 2020 00:21:50 -0500 Subject: [PATCH 0351/1208] Add issue templates --- .github/ISSUE_TEMPLATE/00-bug-report.md | 48 ++++++++++++++++++++++ .github/ISSUE_TEMPLATE/10-bug-report-zh.md | 48 ++++++++++++++++++++++ 2 files changed, 96 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/00-bug-report.md create mode 100644 .github/ISSUE_TEMPLATE/10-bug-report-zh.md diff --git a/.github/ISSUE_TEMPLATE/00-bug-report.md b/.github/ISSUE_TEMPLATE/00-bug-report.md new file mode 100644 index 0000000000..e1ea03d8e7 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/00-bug-report.md 
@@ -0,0 +1,48 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '' +labels: '' +assignees: '' + +--- + +**Checklist** + +- [ ] I read the [README](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md) +- [ ] I read the [Important notes](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md#important-notes) +- [ ] I followed instructions to [configure VPN clients](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md#next-steps) +- [ ] I checked [Troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting) and [VPN status](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status) +- [ ] I searched existing [Issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) +- [ ] This bug is about the VPN setup scripts, and not IPsec VPN itself + + + +**Describe the issue** +A clear and concise description of what the bug is. + +**To Reproduce** +Steps to reproduce the behavior: + +1. ... +2. ... + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Logs** +[Check logs and VPN status](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status), and add error logs to help explain the problem, if applicable. + +**Server (please complete the following information)** +- OS: [e.g. Debian 10] +- Hosting provider (if applicable): [e.g. GCP, AWS] + +**Client (please complete the following information)** +- Device: [e.g. iPhone 8] +- OS: [e.g. iOS 13.6] +- VPN mode: [IPsec/L2TP, IPsec/XAuth ("Cisco IPsec") or IKEv2] + +**Additional context** +Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/10-bug-report-zh.md b/.github/ISSUE_TEMPLATE/10-bug-report-zh.md new file mode 100644 index 0000000000..a68427cdbe --- /dev/null +++ b/.github/ISSUE_TEMPLATE/10-bug-report-zh.md 
@@ -0,0 +1,48 @@ +--- +name: 错误报告 +about: 请使用这个模板来提交 bug +title: '' +labels: '' +assignees: '' + +--- + +**任务列表** + +- [ ] 我已阅读 [自述文件](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md) +- [ ] 我已阅读 [重要提示](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#重要提示) +- [ ] 我已按照说明 [配置 VPN 客户端](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#下一步) +- [ ] 我检查了 [故障排除](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#故障排除) 以及 [VPN 状态](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#检查日志及-vpn-状态) +- [ ] 我搜索了已有的 [Issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue) +- [ ] 这个 bug 是关于 VPN 安装脚本,而不是 IPsec VPN 本身 + + + +**问题描述** +使用清楚简明的语言描述这个 bug。 + +**重现步骤** +重现该 bug 的步骤: + +1. ... +2. ... + +**期待的正确结果** +简要地描述你期望的正确结果。 + +**日志** +[检查日志及 VPN 状态](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#检查日志及-vpn-状态),并添加错误日志以帮助解释该问题(如果适用)。 + +**服务器信息(请填写以下信息)** +- 操作系统: [比如 Debian 10] +- 服务提供商(如果适用): [比如 GCP, AWS] + +**客户端信息(请填写以下信息)** +- 设备: [比如 iPhone 8] +- 操作系统: [比如 iOS 13.6] +- VPN 模式: [IPsec/L2TP, IPsec/XAuth ("Cisco IPsec") 或 IKEv2] + +**其它信息** +添加关于该 bug 的其它信息。 From 43aa8a22c5498c785f051d9a181f193eb7c1ca4e Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 19 Jul 2020 19:40:36 -0500 Subject: [PATCH 0352/1208] Update issue templates --- .github/ISSUE_TEMPLATE/00-bug-report.md | 2 +- .../ISSUE_TEMPLATE/20-enhancement-request.md | 26 +++++++++++++++++++ .../30-enhancement-request-zh.md | 26 +++++++++++++++++++ 3 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 .github/ISSUE_TEMPLATE/20-enhancement-request.md create mode 100644 .github/ISSUE_TEMPLATE/30-enhancement-request-zh.md diff --git a/.github/ISSUE_TEMPLATE/00-bug-report.md b/.github/ISSUE_TEMPLATE/00-bug-report.md index e1ea03d8e7..ea8050c562 100644 --- a/.github/ISSUE_TEMPLATE/00-bug-report.md +++ b/.github/ISSUE_TEMPLATE/00-bug-report.md 
@@ -1,6 +1,6 @@ --- name: Bug report -about: Create a report to help us improve +about: Tell us about a problem you are experiencing title: '' labels: '' assignees: '' diff --git a/.github/ISSUE_TEMPLATE/20-enhancement-request.md b/.github/ISSUE_TEMPLATE/20-enhancement-request.md new file mode 100644 index 0000000000..5adb599570 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/20-enhancement-request.md @@ -0,0 +1,26 @@ +--- +name: Enhancement request +about: Suggest an improvement for this project +title: '' +labels: '' +assignees: '' + +--- + +**Checklist** + +- [ ] I searched existing [Issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue), and did not find a similar enhancement request +- [ ] This enhancement request is about the VPN setup scripts, and not IPsec VPN itself +- [ ] I read the [README](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md) +- [ ] I read the [Important notes](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md#important-notes) +- [ ] I followed instructions to [configure VPN clients](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README.md#next-steps) +- [ ] I checked [Troubleshooting](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#troubleshooting) and [VPN status](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#check-logs-and-vpn-status) + +**Describe the enhancement request** +A clear and concise description of your enhancement request. + +**Is your enhancement request related to a problem? Please describe.** +(If applicable) A clear and concise description of what the problem is. + +**Additional context** +Add any other context about the enhancement request here. diff --git a/.github/ISSUE_TEMPLATE/30-enhancement-request-zh.md b/.github/ISSUE_TEMPLATE/30-enhancement-request-zh.md new file mode 100644 index 0000000000..214f0b3260 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/30-enhancement-request-zh.md 
@@ -0,0 +1,26 @@ +--- +name: 改进建议 +about: 请使用这个模板来提交改进建议 +title: '' +labels: '' +assignees: '' + +--- + +**任务列表** + +- [ ] 我搜索了已有的 [Issues](https://github.com/hwdsl2/setup-ipsec-vpn/issues?q=is%3Aissue),没有找到类似的改进建议 +- [ ] 这个改进建议是关于 VPN 安装脚本,而不是 IPsec VPN 本身 +- [ ] 我已阅读 [自述文件](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md) +- [ ] 我已阅读 [重要提示](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#重要提示) +- [ ] 我已按照说明 [配置 VPN 客户端](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md#下一步) +- [ ] 我检查了 [故障排除](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#故障排除) 以及 [VPN 状态](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#检查日志及-vpn-状态) + +**描述改进建议** +使用清楚简明的语言描述你的改进建议。 + +**你的改进建议与遇到的问题有关吗?请描述。** +(如果适用)清楚,简洁地说明问题所在。 + +**其它信息** +添加关于该改进建议的其它信息。 From e381e06cb44d0f6a5c1436caa8276880cc016c02 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Tue, 21 Jul 2020 10:58:11 -0500 Subject: [PATCH 0353/1208] Update issue templates --- .github/ISSUE_TEMPLATE/00-bug-report.md | 2 +- .github/ISSUE_TEMPLATE/10-bug-report-zh.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/00-bug-report.md b/.github/ISSUE_TEMPLATE/00-bug-report.md index ea8050c562..b8646287a0 100644 --- a/.github/ISSUE_TEMPLATE/00-bug-report.md +++ b/.github/ISSUE_TEMPLATE/00-bug-report.md @@ -17,7 +17,7 @@ assignees: '' - [ ] This bug is about the VPN setup scripts, and not IPsec VPN itself **Describe the issue** diff --git a/.github/ISSUE_TEMPLATE/10-bug-report-zh.md b/.github/ISSUE_TEMPLATE/10-bug-report-zh.md index a68427cdbe..745e00d343 100644 --- a/.github/ISSUE_TEMPLATE/10-bug-report-zh.md +++ b/.github/ISSUE_TEMPLATE/10-bug-report-zh.md @@ -17,7 +17,7 @@ assignees: '' - [ ] 这个 bug 是关于 VPN 安装脚本,而不是 IPsec VPN 本身 **问题描述** From eca137a560740291b398d691903dce8283d4a98f Mon Sep 17 00:00:00 2001 
From: hwdsl2 Date: Sat, 25 Jul 2020 14:22:19 -0500 Subject: [PATCH 0354/1208] Remove Debian 8 - Remove Debian 8 (LTS support ended on June 30, 2020) - Cleanup --- .github/workflows/main.yml | 2 +- README-zh.md | 12 ++++++------ README.md | 8 ++++---- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 42a888640d..134c311a7f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -42,7 +42,7 @@ jobs: if: github.repository_owner == 'hwdsl2' strategy: matrix: - os_version: ["centos:8", "centos:7", "ubuntu:16.04", "debian:8"] + os_version: ["centos:8", "centos:7", "ubuntu:16.04"] fail-fast: false env: OS_VERSION: ${{ matrix.os_version }} diff --git a/README-zh.md b/README-zh.md index b9d548d922..094478b13b 100644 --- a/README-zh.md +++ b/README-zh.md @@ -53,23 +53,23 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh - 封装所有的 VPN 流量在 UDP 协议,不需要 ESP 协议支持 - 可直接作为 Amazon EC2 实例创建时的用户数据使用 - 包含 `sysctl.conf` 优化设置,以达到更佳的传输性能 -- 已测试: Ubuntu 20.04/18.04/16.04, Debian 10/9/8 和 CentOS 8/7/6 +- 已测试: Ubuntu 20.04/18.04/16.04, Debian 10/9 和 CentOS 8/7/6 ## 系统要求 一个新创建的 Amazon EC2 实例,使用这些映像之一: -- Ubuntu 20.04 (Focal), 18.04 (Bionic) or 16.04 (Xenial) -- Debian 10 (Buster)[\*](#debian-10-note), 9 (Stretch) or 8 (Jessie) -- CentOS 8 (x86_64) with Updates +- Ubuntu 20.04 (Focal), 18.04 (Bionic) 或者 16.04 (Xenial) +- Debian 10 (Buster)[\*](#debian-10-note) 或者 9 (Stretch) +- CentOS 8 (x86_64) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates -- Red Hat Enterprise Linux (RHEL) 8, 7 or 6 +- Red Hat Enterprise Linux (RHEL) 8, 7 或者 6 请参见 详细步骤 以及 EC2 定价细节。 **-或者-** -一个专用服务器,或者基于 KVM/Xen 的虚拟专用服务器 (VPS),全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以另外尝试 OpenVPN。 +一个专用服务器或者虚拟专用服务器 (VPS),全新安装以上操作系统之一。OpenVZ VPS 不受支持,用户可以另外尝试 OpenVPN。 这也包括各种公共云服务中的 Linux 虚拟机,比如 DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Cloud, OVHRackspace。 
diff --git a/README.md b/README.md index f53f7a9219..cf0236d8d8 100644 --- a/README.md +++ b/README.md @@ -53,14 +53,14 @@ For other installation options and how to set up VPN clients, read the sections - Encapsulates all VPN traffic in UDP - does not need ESP protocol - Can be directly used as "user-data" for a new Amazon EC2 instance - Includes `sysctl.conf` optimizations for improved performance -- Tested with Ubuntu 20.04/18.04/16.04, Debian 10/9/8 and CentOS 8/7/6 +- Tested with Ubuntu 20.04/18.04/16.04, Debian 10/9 and CentOS 8/7/6 ## Requirements A newly created Amazon EC2 instance, from one of these images: - Ubuntu 20.04 (Focal), 18.04 (Bionic) or 16.04 (Xenial) -- Debian 10 (Buster)[\*](#debian-10-note), 9 (Stretch) or 8 (Jessie) -- CentOS 8 (x86_64) with Updates +- Debian 10 (Buster)[\*](#debian-10-note) or 9 (Stretch) +- CentOS 8 (x86_64) - CentOS 7 (x86_64) with Updates - CentOS 6 (x86_64) with Updates - Red Hat Enterprise Linux (RHEL) 8, 7 or 6 @@ -69,7 +69,7 @@ Please see OpenVPN. +A dedicated server or virtual private server (VPS), freshly installed with one of the above OS. OpenVZ VPS is not supported, users could instead try OpenVPN. This also includes Linux VMs in public clouds, such as DigitalOcean, Vultr, Linode, Google Compute Engine, Amazon Lightsail, Microsoft Azure, IBM Cloud, OVH and Rackspace. From d18801452d16516db1e63f4b44002ec1db8f9100 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 9 Aug 2020 13:56:08 -0500 Subject: [PATCH 0355/1208] Add IPTables check - Add IPTables check to work around an issue with Raspberry Pi OS kernel updates - Ref: #835 --- vpnsetup.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vpnsetup.sh b/vpnsetup.sh index de7ab8799d..98cf4956d9 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -125,6 +125,10 @@ if [ -n "$VPN_DNS_SRV2" ] && ! check_ip "$VPN_DNS_SRV2"; then exiterr "DNS server 'VPN_DNS_SRV2' is invalid." fi +if [ -x /sbin/iptables ] && ! iptables -nL INPUT >/dev/null 2>&1; then + exiterr "IPTables check failed. Reboot and re-run this script." +fi + bigecho "VPN setup in progress... Please be patient." # Create and change to working dir From f8f97e014a9e01e6cc64bf43a3368b04ec3d5687 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 9 Aug 2020 14:49:02 -0500 Subject: [PATCH 0356/1208] Cleanup --- vpnsetup.sh | 22 ++++++++-------------- vpnsetup_centos.sh | 33 +++++++++++++-------------------- 2 files changed, 21 insertions(+), 34 deletions(-) diff --git a/vpnsetup.sh b/vpnsetup.sh index 98cf4956d9..07ef2d24c7 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Script for automatic setup of an IPsec VPN server on Ubuntu LTS and Debian. +# Script for automatic setup of an IPsec VPN server on Ubuntu and Debian. # Works on any dedicated server or virtual private server (VPS) except OpenVZ. # # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! @@ -117,12 +117,9 @@ case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in ;; esac -if [ -n "$VPN_DNS_SRV1" ] && ! check_ip "$VPN_DNS_SRV1"; then - exiterr "DNS server 'VPN_DNS_SRV1' is invalid." -fi - -if [ -n "$VPN_DNS_SRV2" ] && ! check_ip "$VPN_DNS_SRV2"; then - exiterr "DNS server 'VPN_DNS_SRV2' is invalid." +if { [ -n "$VPN_DNS_SRV1" ] && ! check_ip "$VPN_DNS_SRV1"; } \ + || { [ -n "$VPN_DNS_SRV2" ] && ! check_ip "$VPN_DNS_SRV2"; } then + exiterr "The DNS server specified is invalid." fi if [ -x /sbin/iptables ] && ! iptables -nL INPUT >/dev/null 2>&1; then @@ -390,8 +387,8 @@ fi bigecho "Updating IPTables rules..." -IPT_FILE="/etc/iptables.rules" -IPT_FILE2="/etc/iptables/rules.v4" +IPT_FILE=/etc/iptables.rules +IPT_FILE2=/etc/iptables/rules.v4 ipt_flag=0 if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then ipt_flag=1 
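Review bot: In the `vpnsetup.sh` hunk at `@@ -125,6 +125,10 @@`, the guard tests `[ -x /sbin/iptables ]` but the command that follows runs `iptables` as resolved through PATH, so the two halves can refer to different binaries and the check is skipped entirely when iptables is installed outside `/sbin`. Using `command -v iptables` for the guard, or calling `/sbin/iptables -nL INPUT` in the test, makes them agree. The message "IPTables check failed. Reboot and re-run this script." would be easier to act on if it named the cause given in the commit message (a kernel update that has not been booted yet), and the diffstat shows the check was added to `vpnsetup.sh` only.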
@@ -429,8 +426,8 @@ fi bigecho "Enabling services on boot..." -IPT_PST="/etc/init.d/iptables-persistent" -IPT_PST2="/usr/share/netfilter-persistent/plugins.d/15-ip4tables" +IPT_PST=/etc/init.d/iptables-persistent +IPT_PST2=/usr/share/netfilter-persistent/plugins.d/15-ip4tables ipt_load=1 if [ -f "$IPT_FILE2" ] && { [ -f "$IPT_PST" ] || [ -f "$IPT_PST2" ]; }; then ipt_load=0 @@ -494,14 +491,11 @@ fi bigecho "Starting services..." -# Reload sysctl.conf sysctl -e -q -p -# Update file attributes chmod +x /etc/rc.local chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* -# Restart services mkdir -p /run/pluto service fail2ban restart 2>/dev/null service ipsec restart 2>/dev/null diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh index 9ddb3ab320..c8ab6b0bbc 100755 --- a/vpnsetup_centos.sh +++ b/vpnsetup_centos.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Script for automatic setup of an IPsec VPN server on CentOS/RHEL 6, 7 and 8. +# Script for automatic setup of an IPsec VPN server on CentOS/RHEL 6-8. # Works on any dedicated server or virtual private server (VPS) except OpenVZ. # # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! @@ -50,7 +50,7 @@ check_ip() { vpnsetup() { if ! grep -qs -e "release 6" -e "release 7" -e "release 8" /etc/redhat-release; then - echo "Error: This script only supports CentOS/RHEL 6, 7 and 8." >&2 + echo "Error: This script only supports CentOS/RHEL 6-8." >&2 echo "For Ubuntu/Debian, use https://git.io/vpnsetup" >&2 exit 1 fi 
@@ -106,12 +106,9 @@ case "$VPN_IPSEC_PSK $VPN_USER $VPN_PASSWORD" in ;; esac -if [ -n "$VPN_DNS_SRV1" ] && ! check_ip "$VPN_DNS_SRV1"; then - exiterr "DNS server 'VPN_DNS_SRV1' is invalid." -fi - -if [ -n "$VPN_DNS_SRV2" ] && ! check_ip "$VPN_DNS_SRV2"; then - exiterr "DNS server 'VPN_DNS_SRV2' is invalid." +if { [ -n "$VPN_DNS_SRV1" ] && ! check_ip "$VPN_DNS_SRV1"; } \ + || { [ -n "$VPN_DNS_SRV2" ] && ! check_ip "$VPN_DNS_SRV2"; } then + exiterr "The DNS server specified is invalid." fi bigecho "VPN setup in progress... Please be patient." @@ -174,7 +171,8 @@ else REPO4='--enablerepo=codeready-builder-for-rhel-8-*' fi yum "$REPO4" -y install systemd-devel libevent-devel fipscheck-devel || exiterr2 - if systemctl is-active --quiet firewalld.service || grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then + if systemctl is-active --quiet firewalld.service \ + || grep -qs "hwdsl2 VPN script" /etc/sysconfig/nftables.conf; then use_nft=1 yum -y install nftables || exiterr2 else @@ -382,7 +380,7 @@ net.ipv4.tcp_wmem = 10240 87380 12582912 EOF fi -F2B_FILE="/etc/fail2ban/jail.local" +F2B_FILE=/etc/fail2ban/jail.local if [ ! -f "$F2B_FILE" ]; then bigecho "Creating basic Fail2Ban rules..." cat > "$F2B_FILE" <<'EOF' @@ -406,8 +404,8 @@ fi bigecho "Updating IPTables rules..." -IPT_FILE="/etc/sysconfig/iptables" -[ "$use_nft" = "1" ] && IPT_FILE="/etc/sysconfig/nftables.conf" +IPT_FILE=/etc/sysconfig/iptables +[ "$use_nft" = "1" ] && IPT_FILE=/etc/sysconfig/nftables.conf ipt_flag=0 if ! grep -qs "hwdsl2 VPN script" "$IPT_FILE"; then ipt_flag=1 
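Review bot: In the `vpnsetup_centos.sh` hunk at `@@ -106,12 +106,9 @@` (and the matching `vpnsetup.sh` hunk in the same commit), merging the two `check_ip` tests into one condition replaces the messages that named `VPN_DNS_SRV1` and `VPN_DNS_SRV2` with "The DNS server specified is invalid.", so a user who set both variables no longer learns which one was rejected. Keeping the variable name in the error, even with a single `if`, preserves that. The `} then` on the continuation line is valid shell but easy to misread; `}; then` is the more common form.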
@@ -490,19 +488,15 @@ fi bigecho "Starting services..." -# Restore SELinux contexts -restorecon /etc/ipsec.d/*db >/dev/null 2>&1 -restorecon /usr/local/sbin -Rv >/dev/null 2>&1 -restorecon /usr/local/libexec/ipsec -Rv >/dev/null 2>&1 +restorecon /etc/ipsec.d/*db >/dev/null +restorecon /usr/local/sbin -Rv >/dev/null +restorecon /usr/local/libexec/ipsec -Rv >/dev/null -# Reload sysctl.conf sysctl -e -q -p -# Update file attributes chmod +x /etc/rc.local chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd* -# Apply new IPTables rules if [ "$use_nft" = "1" ]; then nft -f "$IPT_FILE" else @@ -517,7 +511,6 @@ if [ "$os_ver" != "6" ]; then fi fi -# Restart services mkdir -p /run/pluto modprobe -q pppol2tp service fail2ban restart 2>/dev/null From fbbc7faf49484cccc695f71792d7bb0b4f620178 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 9 Aug 2020 18:14:56 -0500 Subject: [PATCH 0357/1208] Update workflows --- .github/workflows/main.yml | 63 +++++++++++++++++++++++++++++++++++++- 1 file changed, 62 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 134c311a7f..67cdfc8250 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -35,7 +35,6 @@ jobs: shopt -s globstar ls -ld -- **/*.sh shellcheck **/*.sh - shopt -u globstar test_set_1: runs-on: ubuntu-latest @@ -124,6 +123,7 @@ jobs: systemctl restart ipsec fi + sleep 10 grep "your_ipsec_pre_shared_key" /etc/ipsec.secrets grep "your_vpn_username" /etc/ppp/chap-secrets grep "your_vpn_password" /etc/ppp/chap-secrets 
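Review bot: In the `vpnsetup_centos.sh` hunk at `@@ -490,19 +488,15 @@`, the three `restorecon` calls lose `2>&1`, so their error output now reaches the console, while `-Rv` is still passed on two of them even though stdout is sent to `/dev/null` and the verbose listing is discarded. If showing errors is intended, drop `-v` and say so in the commit message; if it is not, keep `2>/dev/null`. The same hunk removes the comments that labelled the SELinux, sysctl, file-permission and firewall steps; the `chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets* /etc/ipsec.d/passwd*` line in particular is worth a one-line comment, since it is what keeps the VPN credentials unreadable to other users.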
@@ -162,8 +162,39 @@ jobs: ANSWERS ls -ld /etc/ipsec.d/vpnclient2*.p12 + + if [ "$1" = "centos" ]; then + sed -i '/pluto/d' /var/log/secure + pkill -HUP rsyslog + wget -t 3 -T 30 -nv -O vpnupgrade.sh https://git.io/vpnupgrade-centos + else + sed -i '/pluto/d' /var/log/auth.log + pkill -HUP rsyslog + wget -t 3 -T 30 -nv -O vpnupgrade.sh https://git.io/vpnupgrade + fi + sh vpnupgrade.sh < Date: Wed, 26 Aug 2020 23:20:04 -0400 Subject: [PATCH 0358/1208] Add AWS deployment template (#838) Add AWS deployment template Authored-by: Scottpedia (https://github.com/Scottpedia) --- README-zh.md | 2 +- README.md | 2 +- aws/README.md | 61 ++ aws/cloudformation-template-ipsec | 806 ++++++++++++++++++ aws/confirm-iam.png | Bin 0 -> 342089 bytes aws/show-key.png | Bin 0 -> 678877 bytes aws/specify-parameters.png | Bin 0 -> 286098 bytes aws/upload-the-template.png | Bin 0 -> 381283 bytes .../cloudformation-launch-stack-button.png | Bin 0 -> 2296 bytes 9 files changed, 869 insertions(+), 2 deletions(-) create mode 100644 aws/README.md create mode 100644 aws/cloudformation-template-ipsec create mode 100644 aws/confirm-iam.png create mode 100644 aws/show-key.png create mode 100644 aws/specify-parameters.png create mode 100644 aws/upload-the-template.png create mode 100644 docs/images/cloudformation-launch-stack-button.png diff --git a/README-zh.md b/README-zh.md index 094478b13b..0c3fe22132 100644 --- a/README-zh.md +++ b/README-zh.md @@ -65,7 +65,7 @@ wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh - CentOS 6 (x86_64) with Updates - Red Hat Enterprise Linux (RHEL) 8, 7 或者 6 -请参见 详细步骤 以及 EC2 定价细节。 +请参见 详细步骤 以及 EC2 定价细节。另外,你也可以参见[此页面](aws/README.md)来了解如何使用**AWS Cloudformation**来快速在EC2上部署一个VPN服务器。 **-或者-** diff --git a/README.md b/README.md index cf0236d8d8..35463fbb08 100644 --- a/README.md +++ b/README.md 
@@ -65,7 +65,7 @@ A newly created Amazon EC2 - CentOS 6 (x86_64) with Updates - Red Hat Enterprise Linux (RHEL) 8, 7 or 6 -Please see detailed instructions and EC2 pricing. +Please see detailed instructions and EC2 pricing. As an alternative, you can also launch a VPN server on EC2 with **AWS Cloudformation**. See detailed instructions [here](aws/README.md). **-OR-** diff --git a/aws/README.md b/aws/README.md new file mode 100644 index 0000000000..62ffeb538b --- /dev/null +++ b/aws/README.md 
@@ -0,0 +1,61 @@ +# Deploy to AWS (Beta) + +> **Note:** The AWS deployment template is still in **BETA** phase. You may encounter failures during the deployment. In that case, please let us know the issue. + +This template will create a fully-working IPSec/L2TP VPN server on AWS (Amazon Web Service). Please make sure to check the [pricing details](https://aws.amazon.com/ec2/pricing/on-demand/) of Virtual Machine on EC2 before starting the launch sequence. + +You can also use `t2.micro` instance as your server for your deployment, which is free of charge within the first year since your AWS account is registered. For more information on AWS free usage tier, go to [this page](https://aws.amazon.com/free/). + +## Available Customization Parameters: + +- AWS EC2 Instance Type +- OS for your VPN Server (Ubuntu16.04, Ubuntu18.04, Debian9-Stretch or Debian10-Buster) +> **Note:** To use Debian9 or Debian10 images on EC2, to need to subscribe them first at AWS marketplace. [**Debian9**](https://aws.amazon.com/marketplace/pp/B073HW9SP3) [**Debian10**](https://aws.amazon.com/marketplace/pp/B0859NK4HC) +- Your VPN username +- Your VPN password +- IPSec PSK (pre-shared key) + +> When choosing your username and password, do not enter special characters like `" ' \`. + +Make sure to do this with an **AWS ROOT ACCOUNT** or an **IAM ACCOUNT** with **ANDMINISTRATOR ACCESS**. + +Right-click the [**template link**](https://raw.githubusercontent.com/hwdsl2/setup-ipsec-vpn/master/aws/cloudformation-template-ipsec) and save it as a file on your computer. Then upload it as the template source in the stack creation wizard. + +![Upload the file](upload-the-template.png) + +At step 4, make sure to confirm that this template may create IAM resources. + +![Confirm IAM](confirm-iam.png) + +Click the icon below to initiate the launching sequence. + +Deploy to AWS + +Make sure the deployment is successful before going to [Next Step: Configure VPN Clients](https://git.io/vpnclients). 
+ +> **Note:** You need to wait for around 5 minutes after the stack is shown as **"CREATE_COMPLETE"**, before you can connect to the server with a VPN client. That's for the installation script to finish. + +# FAQs + +

+ +How to connect to the server via ssh after deployment? + + +AWS does not allow users to access the instances with an SSH password. Instead, users are instructed to create "key pairs", which are used as credentials to access the instances via SSH. + +The template here generates a key pair for you during the deployment, and that will be available as plain texts in the **"Output"** section after the stack is successfully created. + +You need to note down that key file if you want to later access the VPN server via SSH. + +![](show-key.png) + +
+ +## Author + +Copyright (C) 2020 [S. X. Liang](https://github.com/scottpedia) + +## Screenshots + +Step 2 diff --git a/aws/cloudformation-template-ipsec b/aws/cloudformation-template-ipsec new file mode 100644 index 0000000000..32dea39c56 --- /dev/null +++ b/aws/cloudformation-template-ipsec 
@@ -0,0 +1,806 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Metadata": { + "AWS::CloudFormation::Designer": { + "0a162613-8f2e-4864-be99-75d946934a4a": { + "size": { + "width": 350, + "height": 440 + }, + "position": { + "x": 290, + "y": 70 + }, + "z": 1, + "embeds": [ + "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2" + ] + }, + "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2": { + "size": { + "width": 290, + "height": 360 + }, + "position": { + "x": 310, + "y": 110 + }, + "z": 2, + "parent": "0a162613-8f2e-4864-be99-75d946934a4a", + "embeds": [ + "9d4cbbc2-f521-436d-bb4a-85b82cf22a2a", + "464ea4ae-199c-4917-9404-aed674a8615a", + "ec256f27-66c3-423c-9d98-b9f0f634e7b8", + "4731d93c-f3fc-420a-b535-f0b99840f356", + "40c2d4e7-f01a-45b2-8878-a06680aa2216" + ], + "dependson": [ + "0a162613-8f2e-4864-be99-75d946934a4a", + "464ea4ae-199c-4917-9404-aed674a8615a" + ] + }, + "4731d93c-f3fc-420a-b535-f0b99840f356": { + "size": { + "width": 230, + "height": 130 + }, + "position": { + "x": 350, + "y": 320 + }, + "z": 3, + "parent": "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2", + "embeds": [ + "5262ea47-2337-4be8-a4d1-1f0af38a1731" + ], + "iscontainedinside": [ + "0a162613-8f2e-4864-be99-75d946934a4a" + ], + "dependson": [ + "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2" + ] + }, + "5262ea47-2337-4be8-a4d1-1f0af38a1731": { + "size": { + "width": 60, + "height": 60 + }, + "position": { + "x": 440, + "y": 350 + }, + "z": 4, + "parent": "4731d93c-f3fc-420a-b535-f0b99840f356", + "embeds": [], + "isassociatedwith": [ + "db7c3441-9f9a-4677-a14d-bccfc06714d1" + ], + "dependson": [ + "4731d93c-f3fc-420a-b535-f0b99840f356", + "9d3d19ab-d561-4f59-89de-73498eeeebda", + "464ea4ae-199c-4917-9404-aed674a8615a" + ] + }, + "464ea4ae-199c-4917-9404-aed674a8615a": { + "size": { + "width": 60, + "height": 60 + }, + "position": { + "x": 510, + "y": 220 + }, + "z": 3, + "parent": "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2", + "embeds": [], + "dependson": [ + "0a162613-8f2e-4864-be99-75d946934a4a" + ] + }, + 
"40c2d4e7-f01a-45b2-8878-a06680aa2216": { + "size": { + "width": 60, + "height": 60 + }, + "position": { + "x": 430, + "y": 140 + }, + "z": 3, + "parent": "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2", + "embeds": [], + "iscontainedinside": [ + "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2", + "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2", + "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2", + "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2", + "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2", + "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2", + "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2", + "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2", + "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2" + ], + "dependson": [ + "4731d93c-f3fc-420a-b535-f0b99840f356", + "9d4cbbc2-f521-436d-bb4a-85b82cf22a2a", + "99fce86e-18b8-4b1b-a572-7bef3c5cece7", + "58a1ab6f-49ac-4ffa-93c7-3f708bf65871", + "ec256f27-66c3-423c-9d98-b9f0f634e7b8" + ] + }, + "9d4cbbc2-f521-436d-bb4a-85b82cf22a2a": { + "size": { + "width": 60, + "height": 60 + }, + "position": { + "x": 350, + "y": 140 + }, + "z": 3, + "parent": "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2", + "embeds": [] + }, + "ec256f27-66c3-423c-9d98-b9f0f634e7b8": { + "size": { + "width": 60, + "height": 60 + }, + "position": { + "x": 430, + "y": 220 + }, + "z": 3, + "parent": "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2", + "embeds": [], + "iscontainedinside": [ + "0a162613-8f2e-4864-be99-75d946934a4a" + ] + }, + "5bb16646-dc1e-4661-9164-6ecc6848dc83": { + "source": { + "id": "4731d93c-f3fc-420a-b535-f0b99840f356" + }, + "target": { + "id": "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2" + }, + "z": 3 + }, + "99fce86e-18b8-4b1b-a572-7bef3c5cece7": { + "size": { + "width": 60, + "height": 60 + }, + "position": { + "x": 150, + "y": 250 + }, + "z": 1, + "embeds": [] + }, + "58a1ab6f-49ac-4ffa-93c7-3f708bf65871": { + "size": { + "width": 60, + "height": 60 + }, + "position": { + "x": 150, + "y": 170 + }, + "z": 1, + "embeds": [] + }, + "d3fab7a7-d694-435e-930d-ff7693dffbbc": { + "size": { + "width": 60, + "height": 60 + }, + "position": { + "x": 110, + 
"y": 90 + }, + "z": 1, + "embeds": [] + }, + "2c5cc5a9-5a17-4d54-80ea-56e204c9c1a1": { + "size": { + "width": 60, + "height": 60 + }, + "position": { + "x": 70, + "y": 170 + }, + "z": 1, + "embeds": [] + }, + "e81dfbbc-e8ee-4f4b-adb0-b314056ab0b3": { + "size": { + "width": 60, + "height": 60 + }, + "position": { + "x": 70, + "y": 250 + }, + "z": 1, + "embeds": [] + }, + "9d3d19ab-d561-4f59-89de-73498eeeebda": { + "source": { + "id": "0a162613-8f2e-4864-be99-75d946934a4a" + }, + "target": { + "id": "464ea4ae-199c-4917-9404-aed674a8615a" + }, + "z": 3 + }, + "361e0035-6c5a-48df-8339-3e31f19bf032": { + "source": { + "id": "9d4cbbc2-f521-436d-bb4a-85b82cf22a2a" + }, + "target": { + "id": "40c2d4e7-f01a-45b2-8878-a06680aa2216" + }, + "z": 3 + } + } + }, + "Resources": { + "VpnVpc": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/24" + }, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "0a162613-8f2e-4864-be99-75d946934a4a" + } + } + }, + "VpnSubnet": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "VpcId": { + "Ref": "VpnVpc" + }, + "CidrBlock": "10.0.0.0/24", + "MapPublicIpOnLaunch": true, + "AvailabilityZone": { + "Fn::Sub": "${AWS::Region}a" + } + }, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2" + } + }, + "DependsOn": [ + "VpnVpc", + "VpcInternetGateway" + ] + }, + "VpnRouteTable": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "VpnVpc" + } + }, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "4731d93c-f3fc-420a-b535-f0b99840f356" + } + }, + "DependsOn": [ + "VpnSubnet" + ] + }, + "PublicInternetRoute": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "RouteTableId": { + "Ref": "VpnRouteTable" + }, + "GatewayId": { + "Ref": "VpcInternetGateway" + } + }, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "5262ea47-2337-4be8-a4d1-1f0af38a1731" + } + }, + "DependsOn": [ + 
"VpnRouteTable", + "VpcInternetGateway", + "InternetGatewayAttachment" + ] + }, + "VpnInstance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "UserData": { + "Fn::Base64": { + "Fn::Join": [ + "", + [ + "#!/bin/bash -x\n", + "export VPN_IPSEC_PSK='", + { + "Ref": "VpnIpsecPsk" + }, + "'\n", + "export VPN_USER='", + { + "Ref": "VpnUser" + }, + "'\n", + "export VPN_PASSWORD='", + { + "Ref": "VpnPassword" + }, + "'\n", + "sleep 60\n", + "wget https://git.io/vpnsetup -O vpnsetup.sh && sh vpnsetup.sh\n" + ] + ] + } + }, + "SecurityGroupIds": [ + { + "Fn::GetAtt": [ + "VpnSecurityGroup", + "GroupId" + ] + } + ], + "SubnetId": { + "Ref": "VpnSubnet" + }, + "AvailabilityZone": { + "Fn::Sub": "${AWS::Region}a" + }, + "InstanceType": { + "Ref": "InstanceType" + }, + "KeyName": { + "Fn::GetAtt": [ + "KeyPairInfo", + "KeyName" + ] + }, + "ImageId": { + "Fn::GetAtt": [ + "AMIInfo", + "AMIId" + ] + } + }, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "40c2d4e7-f01a-45b2-8878-a06680aa2216" + } + }, + "DependsOn": [ + "VpnRouteTable", + "VpnServerVolume", + "KeyPairCreation", + "AMIInfoFunction", + "VpnSecurityGroup" + ] + }, + "VpnSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "The VPN Security Group, allowing ingress UDP traffic at port 4500 and 500.", + "GroupName": "VpnSecurityGroup", + "VpcId": { + "Ref": "VpnVpc" + }, + "SecurityGroupIngress": [ + { + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22 + }, + { + "CidrIp": "0.0.0.0/0", + "IpProtocol": "udp", + "FromPort": 500, + "ToPort": 500 + }, + { + "CidrIp": "0.0.0.0/0", + "IpProtocol": "udp", + "FromPort": 4500, + "ToPort": 4500 + } + ], + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "IpProtocol": -1 + } + ] + }, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "ec256f27-66c3-423c-9d98-b9f0f634e7b8" + } + } + }, + "VpnServerVolume": { + "Type": "AWS::EC2::Volume", + "Properties": { + 
"AvailabilityZone": { + "Fn::Sub": "${AWS::Region}a" + }, + "Size": 8 + }, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "9d4cbbc2-f521-436d-bb4a-85b82cf22a2a" + } + } + }, + "VpcInternetGateway": { + "Type": "AWS::EC2::InternetGateway", + "Properties": {}, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "464ea4ae-199c-4917-9404-aed674a8615a" + } + }, + "DependsOn": [ + "VpnVpc" + ] + }, + "EC2SRTA4VJU5": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpnRouteTable" + }, + "SubnetId": { + "Ref": "VpnSubnet" + } + }, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "5bb16646-dc1e-4661-9164-6ecc6848dc83" + } + } + }, + "KeyPairCreation": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Runtime": "python3.7", + "Role": { + "Fn::GetAtt": [ + "LambdaExecutionRole", + "Arn" + ] + }, + "Timeout": 30, + "Code": { + "ZipFile": { + "Fn::Join": [ + "\n", + [ + "import boto3", + "import cfnresponse", + "import string", + "import random", + "'''", + "This python program should be embedded into its designated cloudformation", + "template as the inline code of one of the lambda functions.", + "'''", + "def handler(event, context):", + " try:", + " keyName = ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(10))", + " region = event['ResourceProperties']['Region']", + " ec2 = boto3.client('ec2',region)", + " response = ec2.create_key_pair(", + " KeyName=keyName", + " )", + " keyMaterial = response['KeyMaterial']", + " cfnresponse.send(event, context, cfnresponse.SUCCESS, {'KeyMaterial':keyMaterial, 'KeyName':keyName}, 'KeyPairInfo')", + " except Exception:", + " cfnresponse.send(event, context, cfnresponse.FAILED, {})" + ] + ] + } + } + }, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "99fce86e-18b8-4b1b-a572-7bef3c5cece7" + } + }, + "DependsOn": [ + "LambdaExecutionRole" + ] + }, + "AMIInfo": { 
+ "Type": "Custom::AMIInfo", + "Properties": { + "Region": { + "Ref": "AWS::Region" + }, + "ServiceToken": { + "Fn::GetAtt": [ + "AMIInfoFunction", + "Arn" + ] + }, + "Distribution": { + "Ref": "OS" + } + }, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "2c5cc5a9-5a17-4d54-80ea-56e204c9c1a1" + } + }, + "DependsOn": [ + "AMIInfoFunction" + ] + }, + "AMIInfoFunction": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Runtime": "python3.7", + "Role": { + "Fn::GetAtt": [ + "LambdaExecutionRole", + "Arn" + ] + }, + "Code": { + "ZipFile": { + "Fn::Join": [ + "\n", + [ + "import boto3", + "import cfnresponse", + "def creation_date(e):", + " return e['CreationDate']", + "", + "def handler(event, context):", + " try:", + " regionName = event['ResourceProperties']['Region']", + " distribution = event['ResourceProperties']['Distribution']", + " ec2 = boto3.client('ec2',regionName)", + " IAMName = ''", + " if distribution == 'Ubuntu16.04':", + " IAMName = 'ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*'", + " elif distribution == 'Ubuntu18.04':", + " IAMName = 'ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*'", + " elif distribution == 'Ubuntu20.04':", + " IAMName = 'ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*'", + " elif distribution == 'Debian9':", + " IAMName = 'debian-stretch-hvm-x86_64-gp2-*'", + " elif distribution == 'Debian10':", + " IAMName = 'debian-10-amd64-*'", + " response = ec2.describe_images(Filters=[{'Name':'name', 'Values':[IAMName]}])", + " images = response['Images']", + " images.sort(key=creation_date,reverse=True)", + " AMIId = images[0]['ImageId']", + " cfnresponse.send(event, context, cfnresponse.SUCCESS, {'AMIId':AMIId}, 'AMIInfo')", + " except Exception:", + " cfnresponse.send(event, context, cfnresponse.FAILED, {})" + ] + ] + } + }, + "Timeout": 30 + }, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "58a1ab6f-49ac-4ffa-93c7-3f708bf65871" + } + }, + 
"DependsOn": [ + "LambdaExecutionRole" + ] + }, + "LambdaExecutionRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Action": [ + "sts:AssumeRole" + ] + }, + { + "Effect": "Allow", + "Principal": { + "Service": [ + "ec2.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "root", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "*", + "Resource": "*" + } + ] + } + } + ] + }, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "d3fab7a7-d694-435e-930d-ff7693dffbbc" + } + } + }, + "KeyPairInfo": { + "Type": "Custom::KeyPairInfo", + "Properties": { + "Region": { + "Ref": "AWS::Region" + }, + "ServiceToken": { + "Fn::GetAtt": [ + "KeyPairCreation", + "Arn" + ] + } + }, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "e81dfbbc-e8ee-4f4b-adb0-b314056ab0b3" + } + }, + "DependsOn": [ + "KeyPairCreation" + ] + }, + "InternetGatewayAttachment": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "InternetGatewayId": { + "Ref": "VpcInternetGateway" + }, + "VpcId": { + "Ref": "VpnVpc" + } + }, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "9d3d19ab-d561-4f59-89de-73498eeeebda" + } + } + }, + "EC2VA41EUF": { + "Type": "AWS::EC2::VolumeAttachment", + "Properties": { + "Device": "/dev/sdh", + "VolumeId": { + "Ref": "VpnServerVolume" + }, + "InstanceId": { + "Ref": "VpnInstance" + } + }, + "Metadata": { + "AWS::CloudFormation::Designer": { + "id": "361e0035-6c5a-48df-8339-3e31f19bf032" + } + } + } + }, + "Parameters": { + "VpnUser": { + "Type": "String", + "Description": "Your VPN username" + }, + "VpnIpsecPsk": { + "Type": "String", + "Description": "Your IpSec PSK(Pre-shared Key) for the VPN server." 
+ }, + "VpnPassword": { + "Type": "String", + "Description": "Your VPN password." + }, + "OS": { + "Type": "String", + "Description": "The OS of your VPN server. Choose the default value if you don't know what it is.", + "Default": "Ubuntu16.04", + "AllowedValues": [ + "Ubuntu16.04", + "Ubuntu18.04", + "Ubuntu20.04", + "Debian9", + "Debian10" + ] + }, + "InstanceType": { + "Type": "String", + "Description": "The instance type of VPN server. If you want to build your server within AWS free usage tier, select t2.micro.", + "AllowedValues": [ + "t2.micro", + "t3.nano", + "m5.large", + "t3.micro", + "t3.small", + "t2.nano", + "t2.small", + "t3a.nano", + "t3a.micro", + "t3a.small", + "m5a.large", + "t1.micro" + ], + "Default": "t2.micro" + } + }, + "Outputs": { + "VPNAddress": { + "Description": "This is the Public IP of your newly-launched VPN server", + "Value": { + "Fn::GetAtt": [ + "VpnInstance", + "PublicIp" + ] + } + }, + "VPNUsername": { + "Description": "Your VPN username", + "Value": { + "Ref": "VpnUser" + } + }, + "VPNPassword": { + "Description": "Your VPN password", + "Value": { + "Ref": "VpnPassword" + } + }, + "VPNKey": { + "Description": "Your IPSec VPN PSK(pre-shared key)", + "Value": { + "Ref": "VpnIpsecPsk" + } + }, + "EC2PrivateKeyMaterial": { + "Description": "The content of your private key for accessing the VPN server via SSH. Save it as a file and use it when you connect to your server via SSH.", + "Value": { + "Fn::GetAtt": [ + "KeyPairInfo", + "KeyMaterial" + ] + } + }, + "NextStep": { + "Description": "Go to this page for how to configure to VPN clients.", + "Value": "https://git.io/vpnclients" + } + } +} 
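Review bot: In aws/README.md, the line that says to deploy with an "AWS ROOT ACCOUNT" recommends root credentials for routine stack creation; suggest dropping the root option and naming an IAM user or role limited to the CloudFormation, EC2, Lambda and IAM actions this stack needs. The same line misspells "ANDMINISTRATOR", and the Debian note reads "to need to subscribe them first" where "you need to subscribe to them first" is meant. The OS list omits Ubuntu20.04, which the template's AllowedValues accepts. The SSH FAQ tells users the generated private key appears as plain text in the stack outputs; it should say that anyone with read access to the stack can copy that key, or the template should take an existing KeyName as a parameter instead.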
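Review bot: In aws/cloudformation-template-ipsec, LambdaExecutionRole attaches an inline policy named "root" with "Action": "*" on "Resource": "*", and its trust policy also lets ec2.amazonaws.com assume the role; the two inline functions only call ec2.create_key_pair and ec2.describe_images, so scope the policy to ec2:CreateKeyPair, ec2:DescribeImages and the CloudWatch Logs actions, and drop the EC2 principal. Other points in this hunk: VpnPassword and VpnIpsecPsk have no "NoEcho": true and are echoed back in Outputs together with EC2PrivateKeyMaterial, so all three secrets are readable from the stack; VpnSecurityGroup opens TCP 22 to 0.0.0.0/0 while its GroupDescription mentions only UDP 500 and 4500; UserData pastes the three parameters into single-quoted shell assignments with no AllowedPattern on them, so a value containing ' breaks out of the quoting in a script that runs as root; describe_images filters on name only, without Owners, so the newest public image with a matching name from any account is what gets launched; and both handlers ignore event['RequestType'], so a Delete event calls create_key_pair again and the original key pair is never removed.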
diff --git a/aws/confirm-iam.png b/aws/confirm-iam.png new file mode 100644 index 0000000000000000000000000000000000000000..40b5ed1172197278cfd82a13b2f58674b589b561 GIT binary patch literal 342089
z7ck>a5*5bnZ9c1aE6$>Hfa8$7S*ojdLJRy4hV!Ur?LJx9qtdX~6_uNH3gccBMPlo_ z#Wr$rhmh)87WLB$g~!H?@vI2laE`YvSD%!UqP5pPTUK^)D~X6)Td$ixXT=eA3AGK= zeU_H?AjG}xc&}7DI0^CdPO{$GVLU8$oJyJ!)IBEU>n<|!e0oY1{jKdTWieyubYX?3 zUhRvvV~SiLi`~+gt`qj?&=XuZmG;LbLeWy9pNurv((~p2RxriKBgyn$!b7Qb-1nuX zzZ7dM@i<4gQ%3E}VGT7t81Y3zC{3)VC(*)z$V!*|t}s2w(o0_C#EIr-tg|B0)>b~l z-@-%$Y-e3FzEH`jXdaEb1YSZYC*RzUnvlOUGB9lnC6 zU)`(pW#ueQgazQMBBEv>-c%CdZ)Bz#flq{v+v0K=a($g510{7Al@4I zwkTks>hkDIu;+{Y2|sPo>Wy<-xGNJ*Wofy226FR#K3lL^Z7S-4GN#={5>{wFs_$U( zUD?8x!D;vp%UB`fvY-Z@nzJ$AoOrc2Bd5Gj#rRmO2w&%mK$w!u1*9!10b1l!$ats3 zpr`%253JBk*mU8ff>R6#Ky)ABYJz4Qsyl$(&y`EzTZ}(T`z^wFN=U9Bxz@ese(aOE ze2;Vo9hO+G!r?VX{#j#n)Zz3fO`qU7wsoW~+3AOE#y^Pg9wjOth8qoH@Ah5kfT_&O zVt3R&ncw+r&B}q?ySn>_PBsg_olv5N1W%GM+bnSokE;rxd*26*_>-F4uz-KyEQQSX zCjp3C;`A1ph1?@vuR=;6j)bbr$+xTbC+$~CS3VAgcRL>Nb8e&0vgyZDbBDIv@Z{VX zFEp|Mvy|yRD$Zvn=`EEFz0jK(K>N-Q8SQXK=}picUw&`WKK^^$3npB!UtD_*B>B2Z z|KMunXvtm6TeV8lv^MBNTRVv>pOZoQUw8S+Z6v&;4A2H+bQxf$H84Sa^EF<+hBt*r zXF+w68Z~>KDnyugEB89f@8WHuq(hH=E?O_@ex4vm1P6(hFWDaEtM0*n{lf}(2Al^U zEcn{na>k8O(?5WB+?Z*lua6AQmal85hY(v*e^B!;AnxKc2`E&5=zUcTmtPIoL%HUF_B=fvDPBma}n0ITvzEB{Ybd+*`nbTz5n74FIXs({tXb( zf&bIE3ZUv%Ui2BFy%cz5vM#~rW zC2_}fbfN%=b(WHuZKlZ?Epq%e@rR&tqs=CFq~*3L9$-ddBw%uz1b8{P2TJt?kJI2M)%J?mG@y#VFeyk zHZlY@)2nfE)Z3q5`OY6xo4EB}^vG_-DNXXETInF=l8M0Cb^aoyCs!^bE4*<_Uh*ep zPU9avSBrUz;5?ZijoPnw;mafJz}kw|#knLJ#O9HUB|(#Vn0i~oU@T_?l_oq@P0HGZr5Zbn4)fHpD=V|` z$XQfd*X%%gt~XkZbQ(S4Hd#tBbv&q3b~A7Q#-GjzrMY7+_!UkQdSvYm?8N_ zV2s%7lZZZrAH{!fD)$>f%0|zUV^Ssqrf$ceS>o!OWUZ5!2q}rgIrndNe#^pr2QN+R zj{i(UasPqBeWd>u!FvO)A_R?3&NEcTiBxVCek{da`60q&x|Ibbq}+ylNqpK_EA-Z_ z7*6%Jq$B*Kb`Ifb7k9_pi+*I`UUnA*Vx9cg&6H|Vou{zWI#DJBef5Jr-CBH$ghpZe zJ*;Ih&g7}_6C<^lZsT{#!c&G90YOT)L!UzRfW228(gepib2 zo61<(3mPb?Xd48QJoKy>58s?^B$_S|Q%zlqcjL_tz*amca*p%1ei`&`1vx;Zu5H}s zFKgoUfNGZ)+>V>C{sqKemaD?CWmvr>%)0rKVE9rAW87p2irWV=u^m}}^m`o+={<{Q zMh5%KlO=-BzAMS(H!jP(E^K?VTr0ngpM_$s$Hn~O_p!YU0)RVo;>|YymXu#9-Nch) 
z#lS(x0e8Ramx4#d&gVgj@QT}4cNtA=r*+TXs^3|oh8CoSF;XrEtDAQhXWfvq^L~`SO|MCq0ccx-niLPWuYOutRq$21jU5waND) z;2JsL92VXx6Oz%!^K?UZlXz4kkEuI(^NGht<#jFVG5&wlr4#2rb28RpE(T5$hbPz3 zDY>WUM>!6ti#bB6oGpE@f9(Zr&VT-+S`$?lu0+CC3)L=;1m*5j z*UTjtJN%L#mz^JJ)V~h@OWau;*kq9uU$i(a{I>l-3*TEmXwJ6l2%IB&U(T@ADA2j^ zmcD)5Jo9*qh~692ywkC>NUCdRY%Y4q(b9WjmF;^syTk9)Sk~ArfS>+hmhw|d)rqPE zH>A$FjnH0`+fG%nT1&9*!20d;Fvko;>c z+o-!n+-%ao#XbUq2-WI`&vY9;V+z{ra>&eft}!gkc2k+Rf~PM5KXl9YiL`GdSJ=e< z1CY6NMHs?qPhV|!neV7=45bz`%h4i+kaC1a_z%SgsJ zJ@Q^V0lp?`yvBA1b0_GMRL9c5E5+019}AY{TcKX{p#0_`HMPdhPapMoeMW?JL?8T! zHt+A_iGH5TrN8HE>;e7lmdqnmyNK=WrK#K$>t;Qfrl*AFJ~!ah(>U6Q=5yl$zGU(4 zjrvFdq4*C1b~H4BKG#K3vXL_ZigkzuwT6900+zHLDNey*{pZKd1_tQLlW| zJ|Pif`$ah`UrbA|#bwUQm55!a=U8XhuS_RQ$5)FuZ^idQh$<%J^$VqNt zMNfrbA0K3`Vp|D{0(gViBV~uqp%pjgFFdN3kERxKS|ACzFFDV@kdb$=PsnIzk>{>& zzNMWO*zV1dY%QS3FzW*tIBrNGC6?t3dv}|>%AU$#@dD?R6xR{D)+wnKL z^``2yzpaLEZl@ZbEXvJOsh5iE%ZqM&djfqk)xZ8`Cpz^ zmo0iZ+&~lNm5#j71b-(}^**cI_AAM3h-33Ss>y!n@zcu=m)qLf{G(#gX#WNc(tVsu)Y%SRg;!YN~i7zMB()hO(`!%jwC2j0g1ho*`;tX2 zK#;UC*Gg^kM{)<2D2q2k_PL-0tt3~#e}AfS7l|+S`$;d+*L!_u4yecuO*ZNJ zLqkukYyBLhjYb-5b(c)Z*0cY}z~xosvQZ-5I^50ycjCXY8b>6SHtO<%k$P@RuSd>ere`83qS z3h^FPIZN)Fkas(8YFU_J1X0MR_0#9GLUP#%vk_YxiSIek4Gg7dv2GkCzUTr z^Ut)M4xexKr1QsKn&LceRu?FXjU=XN?XO|M&E}W5ILG1Ocw7kRnDs1Xz?~k!TD7IM zOTAUDnZuR!#4dImPqD#wRIFcgCNF@8-l|A99~G|PWFKd->Qv=8-H||!-_ksQr%8$T z{>J(nMs}nbD))U`Y!Cow&)=!*m2DNToIH!O5GC?@&Un}DzA+$t z!G2hSvM*nAX>B@xB7a>))rLDtfh-B@d1UUh-5HeQlI{U$lJEOC{v6W1 z6*)yg`^IYt98rPOX$)Jo6wNya+CH4PMyP3?$aK{uu8myJt*#wQK1?N@0JZ!146BD% z4x9QGzXT`KHk};I;3IwO3CJjZEPEe&jF8(yDgmz-Xe}LADe%~{On}#o)4^Fs0opDr zP8CWf0aXw}#3UynmpfnYAt?b<%}cxtsYxS;%r)aE9hdm%zYSE8f1<+Xqp@dOeN z`daJleL6Vp9bQfXB9}}(ZVeO=@aOo38vaNRK890rcTsn8eFzb~VlwU=hP!JaqDIjJ zbsy@RE6Q6v3o5dW?BTHXIX#e(<>|}a`n%|#g+Banr+ljcI9*|=#a?J zjOSYwyVPOY+g+xc9O0$A=<8?81pi5dcX%-ibLhqTu*L*;Lv)(+`|7}=WTe?${k%PG z9qhnzhhIc@QL5UpZ%g-7nd7DLyOi4 zeCDXzajTs3F`{-G^$%xMkDw3kJV-Gw9@$ZUn!AzRnxktWUDLmWR?Rryevr7yW&(QF 
z@-ADk+1on13bl^)b2vi;#PT7$N1;(-=(`vjgN|NtLa4_aw)Mcar+K`&m?)UD7Z9a* zw>aDB>FU=y?)2UL%eDCDYu~ptx^*Hz|0_-O`PF0Sy+C7qB%TX zOHHr8pdA}|oIaS4@#m8?hmzVGNMXzG&#}#{X7LcVz?xqh^AjosD`dRcUyJ3h3Nr(L zZ85dfR=Xkc2dMQ}XjgrRyqTJvmbtUf{8w+fxcPuJT~kz&I%chI)I8e07hjRuip3M} zk0N9_PmfC1bTiTgCOO_UXICYDmUMMa4dbg43{qQ}pU=X27v%Sm-AW@!-9OGI`>mZG z-ARcA=YF3A&M|kX19K*d`A+3UOjZa9@Xze;ZyorTYQdXkQPJa+>Jk$=={6d(uy{ez zOnKilRGJ2VHFO8H^&|H>Q0BqaMUS@zR_EgaswL?J!FOKXEjuoDs2ypgHCx8@{0~= z{5fOvDlCtBUTdn@cuYpCc{J!I6f^j;deZ6Org0{6(lgjaKGG+hQqgVaqf?#FUD@!6 z^a}A{QN*uIWfXEi6UnAOh(`rD zk>D<@~r+h(&q*B$sI=%gVv4Yel2@<;HDo z`e$`9h=GMI^pm!HuxF+V-aQvBhL`7VRNzPnNx=gyaQN_g*{wj+@@4)qA}uiH@EKEO zT?DbDlZ%^7=y&+}b2ja`%8D(WgZ+is8KvgIIm1p<6zV+1`W8Liy@V&EqdGv7=k z`@)Gs3gGqd;?ggajc>vYlL(+b;H!Ofa58OhaPn4#M1N^{dHKE*<6k3sIR3 z8@pW(Mf10lECT<@&cVC}c{)glpXt2Y4_UTVzbC7u*#jUI~8X%Qyf`LIJCT-(9eX z_lF~qdGon^t!mVJdx|c^d+TSqOJOhGEC6iamzGZ~eDd-WKMh9-c%+cjSi-6y$`))7 zILGI&EGqVD>|G|NgX(W4GcB_pNA47ak;m$gcoYh=h0*G#>=6^_>UKQ$Y>2w0aIK7L zdi|t;Q?2Q1Ll_Cty_vec%UV(VCBs`ISYQ+~bnltR7yZAu3K|n<^3QW<@ik3$vFJa1 z&&T(e5y7ETtt~c2}7Gk(GWC(dyo?#`>{c5%M zRoefN5B2F*>GY%UL^Uo|CG~l$-fKPY^y2OKx^LF~L(fS&3fXBetjqHuPVH}Py+~j$ z`rB8E$B*&G;LU#G_ysV(+!t0c@ zFQ8zz9w4bf#k$wdLB{p0dYP6hD^BQA#FBIWvuUvnetAHy-#cG$vDB%eJMl``^7l;_ z8WeHvPs=S%Vc|OTEjpL*Z`vm!md75izJcYZ4xU+99CPL%4BdyU)BIlD26mm9?E^;J zv2xnAy~6d-d@sGTB!n2w1hNBcTeewE4B=eRBqqU+<2x|xV(WqG%J1$&tB?WJTo+RB zQRUc~-nFV@fM8x2=Pr{iig-^;%V*Y}%*xR7Er+=S;Wqc2tE#1ss=Mt|D}4tHF_+JJ z{vkY1Dm8oX#>FV|z}YAC5C}#O4^82Jd6nIWj^6=t4rcD{4yVhPbh__(9TTl2<{HU4 zkIRHAD^(i)hhL4+t7JB-qjyX{zWfxTn40P$u9m7VE=s1+IG5i3sPdpwQQvzk z*ztF$^ks-wc0&)IwgtMBEL2<_*6Ld{8y#J4TOlown^7ro`X(#=2HcNJ{!hM^Pwsz%RGT;}JHtKX{qS%lU+O)9%~Z8;yotPhltZy!<%7&1eh$AC_-dc_jkrd(7mr zd17Nz$TQ!S8a6B5&)93I%}#PfaEo;|Q>{Hl>ZZ?94RQAKY9cL2(4B)Jg9~eZ+*|_Z z>N)Khnp-|D9h-r5->&I|0Y&+*_qeg$H1O>MG%EZB=C@2rgdcO&8TD8aTd%jE1vF1QK#0jZA@uuk%G9h9h4|%eV@1f~^1r2)U^qK@ar1*4A(Ul=>U2#gP zbr*Px)!c8o5Ap`Z@vlldl?=xS;UCVHM3g0QKPSVZZEP@nr3d>9{VJOI1oXtqcFE-_ zzuwX>*Y1I{ZkN;nn>j1SN(jelps>>ZLP`^N$aph>w 
zKzM;waO1!IGn`V3Yd}(Y)i%9lVc${ZjT8Ud|Ob{Q-T0vMO zRj+(;ZQ!qhH>qjArwiM{B(?Hss>cl!_DdOlnXnO=48W}=nrv7m32KtfyK&#yKH>l9 z8(iSicqI6U@I2Dqwx?d|>F=7BFAemhm89!8CPeBq3SPOx=~muRnaoaNJvD>$tTD6K zAA)QVDHX(C`y>!>)01&E^W$eU+2kG{^A`+acy<-Qf)X1XD#W|4T$Z7>OAX1U$Z;=I zK0X5{+s6PXp=cU1ocLS}l`h=W;=GvOUc+ap>N*9-XS1~hH@wqK- z{ZOuIeI_W;OSW5wao#k}Lfrn_7X;nkb1ui$gGsv;QSyMaQV9v&xX}jCul#L9g_%EtlZo&T(=A1wtB9;H*UeHg7^IsIfIMrNS{}Wag zPJ;i5Ghu&z?*9b-A>00EB{-R*|G(ZOWGr_yL)474UE?a#&gi$2q1-~I*iQo~o=%jg zEY62~InF2UdyVgdn#Jcj;#9^ec08~DSn-#UzJBxhKKy_YE`Qqbp6u1b9`hY%p~0c$ z<0c<|0ZL0vWQ|Z8GY8{H_v+6`<3R^2bHAH=()cQucHm~)! zof41wW&8sBLU_=rd)~cO_^eOrtYSHw2G1bTefxh3RhTBC3Ugo#F0Bc%3ih z=}rU79A3L^zF0dTP!D-!ktWx4H>CEol&L|3#GZQcBJ#a;(X<8a1K%)NNy*6v!eM_i z-8-d}Nb&g1wUYL4tgWy|QlKuQY%U~_7bkR!e5B5HV8DH38p1`Fm_o@bK=n=++<{xo z!UffqxcaQ#1=@**o3lMxXkkiy?I4>GBDDJEmtp~7G~_pvRNN1lHFDKS)-hS!{#aht z4`#IAz)@5N!9_QyJJD-ktmx8C=YZCyz&Gur_0RX_B5wnZB;}e_w-Nj63OU3r7K^0@obs=_9JvEy{) zeM)nZ9Bc{-SY{YpqVisBKe*l zP2TGkZ|=j%InKMcIpy9HarnC!eOvgFzDG$QOpz5CEE7g8xxZ`cvx;47;*8Z({^Gl_KU zeW<87lNmxzrK_}o$b~sIj!S_uGCVi_3#&$**uk5$JR2%rIs!7Y5{fTUvQ#et7@7!) 
zgZVVEnqZ>7jz>`sxE(shEsiiuz{%bVpPc(u+Y@`x;tw61ABe>T24k4qbE>D^9-I@M zho@GI5Jtc&Kl}EFM=^)WKUtmPhMGO4qSRFEm6yWckg}bC>iYAo_uux3GOBrO3p&2G zPKY%Wc}!P8E^3(qCJ)@*AHdtzy&}0mUEV|6L4N#aO1n@E_abPJGxY6t(mPpG zf*QlcddJipFiJT_G1xPq!*#-jtss|-#ig)FX5_2gRU{Q0J4!{ha2J9A z3Mj^Y1-Vt92EB0(R_$WwzXxf==0A3}dM)WY571SklB5#TK+2giyEK3JF2fKr&HI}V z|K+BvZOToMOTw?WK0S(L`(qO7r^p-U6Oi|}zq!#@7#poWgQ1&%riN$=u%VQHlI>{8 z+W$q^S4Oqfb?cUwQi>OcV#VDl1PIWg#odDyD}~}(tU!_C9-Jb9;_mK{AjRF?A!yK> zZ=Ca;aev%$(ZF)!co`%gREPGT=D2g+b z68>=U;Ih>qbs`kv`ST7hA|N8J4pr^!mTv!5_#Hk%?5!#h;Ef7^Q^cV@GQPn?{Uc4> z&!~4Rc;NNVlq@4>xIcpgCjH62OJ;jXQyM1XN(|{K2<$ZZ-V3s5I@K3Sl}JZkjE!{m z$!og5EjZ-&?k_TT89NtfT<7x$+23n{H1YIc6cP@&p(`@m=Q=L|3D|((vMKtaBM!KtPJkN@$LRA^Sw!BV-Xg>`HUK?XFY)CLqtKWV3 zF=#W&w4xNfqq^`qT#-asl|E*JeDEyqGPx>UB91;R1e_?IVd``d7qElR%KSxw0AF?P z=~I)e%7%nA4P)fXCzeOrB)oi!D~Uw-uY|}aHRyB6B}hkA=P74ub<+FkvE+Wt#OE3C zj?q?PjrXK7Qli~w?78Ri@$ykNQ+4*=TmV8lSC2jL&|T!T1`I{w>6sVt7`sCAZr#5d z5d`xNA%y?yT8O8M3Sa+QV`lGXlo+R9EBOczv>H#4l5&n#)Ru@DU!|&GG6)RD8joP3xC5$yAkM zBN6>&4t?wF>PImVgktT4?=iv3#i-qqzj((#F<|nKHhRet2HgecqVSA!zsYMP3A?pl zB#2`hMm~-H?%5;r+E0J~z?`nTpsN^Zq;%55t=VJuT?BIT-J{}qB6^G?QE!o7HIk?R zPr~n2#@Q;~b`XukaUbBv>42()pTP|vynn3o%a|*FX-eK@)m@0s1ZDVSYrvkV;m%YZ z`CPY>%QN<9?rRTrYlPlgUl?~}`q4l16MxD5-b7e_0E{?p>~&*~0bYXPFU$l3aa6Z( z6L&T!T=rW0d*u_Y92LzGT$#Zrvc$J%Zohs`Bk3b~l?K9sgVfSeU0zD0QAbb=vGBH8 z{i69QUIrXdp;yV&LuZga9PoT82XpID%A;4}$7+=-5E2<-h{x+0W_SEpZlB5(MZwe_ zf%IW0V-nYx4JM7g{WuART-2NY3M98ro2xV)Ajbi0q2clFKJ%p*8o!6L%}^SNC8sVb z{v{qcEYcV!3BTL(o`3z~IDqCc?ASxe2?F*%BEQ#|4wr}5cSQb0)XuuT=9j5m>(Gz8 z5eLp6-W+FnvK5$2M5d6s-~hFwWj9`^gRSlaa(V1XQjrS2SQODMeajP(T$~=C2Shh$ zUhk?+b|ZTKGHQ7Czw4c4XZ`6q^NIA=urrlYx4)9Aw5=nl1pe@Z`Q!`blp=TB+zI@i zG|Hc-ZySV@ReXeo0Y)4gQR1I)3gtF+YNrRnwP+;1(!I^@*m=u48I3_hAQsonMUt%Z z{En!sBEE0qm2h7-P^?KZ%k!!4CT6akAln{v@xZTgdoy;-Zx7fLt9sxqM?9Hlgl)&{ zW?!WVNF*~q-OG&L-XPt-u^&eNYY!jC9>Kug?teKgZr77ZBTb)cXtn8fzaxs}dsjQfD86~F&}jOdG?Q;^1Ar;)-ZuF^q<$SKzl z>+=_B*M}2w5z!3Hd1lpy)2QqE@*y<+?;AIe%VO~A*Mnm)PG~BV%g`6>?EU@^cRSr) 
z21{3*cCMEgngxmH7vG^wX2b$W_sH6 zCA(keIPBUDeMxtI7JXW-5z?;Tu(~lS8kA5DwQ3faE<~}PNlPwaof`z*&FOyf}-g87@3TTQn?<<*S*qB*+7Tn~WiWE=``v@)LFi%MEEsyl{#bAXJ zXEEd}CU*xp(SB(bJUCUt*bj-43L%~8 zXxis$(+^9Fj&n`6=egj-yTF;<81l)(+ojN!eVapTkl{y{l1`0FfeP{j;F(9S8%UJ~ zuDc3xhj1=y7ra%$q$XJhuD(Ag{ms&e4*ZYyL{AxZ(EsMgXr%gdc2^8ju-->cKA@ta z^x*-@vTF$E2*krl53R>+&dm%c#L0B@=OuAgBo8@|sYb0g5&W{{(teJSHp4%^Mxv)q zU{+{B8n7-9;l1k8`5$bpVd)-F{my8WWFMHHVwc89X_*@ z0kYVJ$%_XKexn`1=bn8}+?TNYO~jkfme!tmlI#X#1LFU0omHIyFBjgiIUL0(*E-HM z>`*M#mly&w-mjabq@z!UNrACrY|wkEoHyW(Ng?*MX1$Im$+R}{!g*%RhPdmpryD;h zY;8gu+PAH5L*yER-;cBlT)eC$oAl}oyd}C&P1!JWMq_!>e>svs1ulI89nQEBptwE z?!z+lH0Wn=Xa7RpxNnbwj%g@vwjk}8ELG6d7-DUy2aN1#d_;?!Rg8!{>ex=ePmskO zICXb~Bx;o!>A0WBC;iHkMXi@%o3dj{<+J>$;oLHu2GB~?EOn+IO69D{FE|MbFW~*lvY326+7&n?~56V2q5eC)9_F-v3sbNrjr0 z#uwi7=`NDb8u7izBro^j`u-DQdv-NnXS=%E=@54aTV@Z6W0-H5mj*wqT(#V*TzCFl z(_C%$Xf>3`8)Oi%GnTIS3ioa9{qGz!WM_*!~LhK4hbtb67y=s2@k=JxGt( z+J?)IFM}sTU?^j~8KF4WozNSyXO;MRr(nS1t^DgAG7mHRxe-`*h-&t>=Kg+n*ls_$ zJC$l&WOptK=_VPrOUvEuy2Rk(sn0u7_rp@or8e&dyZL5i`0f~UUpPtJ!ut}%VEA^v zU)!r{?mCeNk$6T$EB#iBBJ7vS+x3M*wN(;|vxO%KBm+Xzz!`_RcQhUMX4P{Id-GEkzFH2ul)M@@$8X*To=4nZc)?onuSX z`WElq|3_4CbanZ#tCpgT;77!q>~7iq*MA)UP`+lpQPNHxWFB6#zvde5-l3r0yq44Z zqbK8H){8TcFwW`}Pa_lq2)1sFmxlvb=0*m(Ip(_8v9YPIe_8W@L%h^czDDs<-d*o* zu;`^35&}@SN0Z(}P zdMt0b`+yd)HEN7ExP%swBR#^9#Fm&)qk77M)Z0V#bJq(!(H42${C};(rSlKMGNneW zAG;5lA*y`=PtU=KsquShpOOEH98co7XVJ-Fk|QDR7t4}ilAgH&LE|wN#K`2-G&!^{ zE`M}ySP0+?UI}hlmv-f?{8tIlJF;cEZXxihF#C&QbGkjCe2gcvD^Tyu7ODaR1ME@` zT@_ofZn=Lpm@j%>eV^W*G0YyY!Ej-4Nd2zCV1nD05oYa@wTf^q(k)EZD%bk>R`5?D zN2;K20UMCL`=F-loXT=0S6icS=-1cOCeI;0`Irl!P0@U%jJJOC*S36aHAQG5XIZUg z;fPwthk$<$#!^Lf#lPQZi_yE@Uthxeew)E}U}J0hiLnPbZ=o|(Ewx4(LaLS z`}T9FX#tM_T?5K1(G-84x8@(n#x^dED9vNjM@7i8u<&~5Je}~O&YpkfIaZ^xS6;mZ z$0^jsfN`(}HaBu|_`W^Zr3%|{HLr^3H`_JAKd-j`HhDaoRGV*dDJ0_1`|wui52x); zR8sT%5`_~`lf}X%`5l;F4z~z(F0e>*dzg^oQxhM=ax6=X?{>iCeMQ~jOz~>Iy413Y zNx2e6Dz90s9SETQR=}3|DqSams>S`;Ix*7+x3x~3e-yagRHy}@!~jQc=a#zeAH5eQ zfKZECo(VJFT|7kk_t##Vu3FJpn^hz%y?LMf) 
z;WrE4a$4Ox^$Z)XC8i%chTruHtsU=Ndxa;*GeQrbE1H zWaII7T}Cq-KCF1(qq7>e{Q_QWP*mF?6o!)63$v*1=I<-=mhdM|lV&ZBla1yCJM^k^ zj0f%z5_Tq5ufw!NMvbaI7O3d4@mrN8x~13K+!ry3fH2Y7GV0BzefOKos?laZE04Um zXY*yq_^R`*ljd=7RiU>jD&q0RQM^M!XVD)w{V}q2uJs!;m$YGyZ-%d!SmKdBpEYo2 z_1r)DB2UPQOuhO{z+L37#%Q^mABa*^>^T*qO;{c1zd)5meG^OtVwn?Vvbjvp3| z^!d@9O#)l-NW&sde(jV#)LZv%@I4c7b|*yJWcV|<$X|p!6x2S$`)n&eMUmk47Fx6l zzsW#6=?{4PbV0vnye{%jH#gz;EB-j5z7XP1V;z%~_2!IAWqb&;*{;sfb55vn@m+VA zb$j~G1cgeqYqyaPDR%}*xg55Ur=oWXAj2uQk@!tQRnV6xH#yThr@sOzEO>byP8crF z93zlfK3uT#5GHWJ2lr2c>{zVmNxQ;H^RetumRP!u({c0F?T3PdwD-j_CBrey%TM2G zc!jgdZMLCF+IoGM+tbfiH{kspK%bZa!GVwi$H%Malr6FlhQ!1XXtNbr_N+cWJbitPdFk6p z&vtZU7MaSzscJ`C=^Wn^ zJZUUoZECL3iBxkKI#r)#Kx%iT8B^tTuKTXhQ}$D`o{2N#dw)P1k7(>dr?K%~PPMZ% za|r1LBkybI(Jv{;2gIv*30*$nG$c zTZdf2$wc;4ylP!pj{Z}1#<#oFC4zQw?_olU<&whr7G0ofZ`H3_(PC;Vpg$|G=zqy5 z@>mZhtFw{7A~ZBzRn8sM|B}ZHc32(?!uqck8I1}qHHy`^)-Br?|H=iCpVFKbZBcpf z9sgVp8o|PSPbw}kV>41vR&D7tDy$Z`YC8ce3=*c2~*bQ?_rfiHXc^QiE>~(kTj^CYnh2VJHkW z-<>lgDCpY03*sR^@mZNKo+@1|4N7FwCLpCLi_5MeZr6IEthRrA#j4qyNK`(d1T_^E zUGAjui@WqH8Pd`FKFwhwy~An1RQRz;KSxDT_^Nkj;;EO=6lX!&A*7>xfOz6GnA?qK z1O0N9XU>-Xxif|h$(I%%AzBy5{_Ihe$f>EoX~vpwx7senWb9USd2pZ4VbbyuzBR}O z)YNWJ-86q4GHASZ9Q46*RL4dWWfwi6v8YICm3ztFqS5E1$;BdJyyq2^(8Pz4Y9X7Y z#%e6-g6o9!-U)?xe=h~yiM6)M?uPs<^{-?MU^w0Sv9B->w=>5)QvfgOvBiIISH@OI zF_fupd!G4DL6+t07O3=>o<`7No^G;mEFPWO|079-UI~e-odiN&hLvh_E8_5|$%*o_ z_*RLSP!B(4e^f79Z$eR8-`=SZz7++!nLF&%6>aQ9~D9 zIhQAiuV}tJ$UNgB#DwqaZ{3p0oo$}muIP78rIwY$_bV$wXU_!5hOaqih=MhW19Kmg z%l6?a%=}KkRGwO=-Qs>skTsAI|DHV*@BfOv8-UK!Eqj*niCrjL4Dhew4maqJ^+QXT zL+e#J$XQ)izw%7J>7w2{=hDuzHz}*!r@uLPa{-q{Je*{Z{mND=UKlI+gIS9xTS6>T zEXIU|P4^y)qMEuv@fVb)$L87X(Cm;Q?!1CeIY42pejamt==*D7#^I#0B~Q@uk90|L z-0Bo|yps^gZ|B7$6XiBI`t4siN0(QM+=jy(?z`WopMkFB!J6sj#&I9p?=5Rf(d{7w z2ra=3KKJ(8ue!Qy9xR2ccPJ(?@d|YcFLAmZa$EJ$p*R8)fAq?KgTDKDlPTIIsJ1^D zVG@tx4{J&y8%#ZUEFZ+Hsn}_sOHCR-8JN?y+wI3!n-8dv3tELMy?t-YHd|CQ7CII< zmWelN@l~)d3%_TE8=#wu-R8B(rO#^}kXWLwz-OkO>KZauz06~Sh>3m-sJ>C4WS%0q 
zh!AWr;XFl-LvnOc(ov8QFFobHlpDt@#?2}K59L`aoU=jdRxP`izDyrX^Eu8548^{0 zOAOX9+NJu!jrb6{0~dO`>)k2v7Bt>;8hIY&xGj83wet&};PrFj=n*q~6UZu45N*P= z?`$1kyp1_%Z@hN2OzZN_)1G(lBQx#?k^%=QV=}Ar6s0#9lVok{yvvEXm&>j~cDKJC zEIfJ7q@ghBRPxAMUh;QYrE#)7uC`}gdp%w)UOb#2lLBUTiC0-1=Im>FXGLl$qAqo{ zw)1M?B%Gy$_q+FPv=Tm|YEYt4PBdrh1gZrje61pwhIx;;~vydEbY=N;DL z{7>tWZ>&h5Cy-6cll*l)ho^srvL&)Xo;u#F>a8gppjzoW|H~RJR+CRN-&UA3cS>V@ znp`>$4h4qdgo9ci#yuu-j3~U;w`UXUwqZ$e{G&E(HM*}1O=8geTE6{;TVef7xT}Lf zj~hVDbzgOQnnG@0RDe({cioo{R-3h5ynfG)R1+wSE2$|s8J>l3E?VBzZu6m{cWdHH zLs+RgsMsr^Ew0NXkDcYqwMGTeMx~2e;1~7g)|JIDyjR4EwnFymB3UKPcu;0Gk@H`F zW6&@1uXam=Z7mKOA$)jaKejKHWc)yT{3?*uDS4R1HJ={p=5fx892&dYs6|uK(v?4p z;3j30!{D;}hrtK+!f>vwA-vQ>vIYTCzqy_-s7XQOe^-Xp-l)s>T3bgC2oZ5=NG~+l z()*rvU8J{Y@JYVgx!BaXA@|Jk2}!R%{>!=S!{pQ8S&I_9LtdkMP?OH<@t!EI2-8|b zztFH}+@WC1Ajiv5QLN$Dz8p32T(fxt$B*AFC?qYe!|4MgXZquqKQn ze7xMwmTRnqZj@e?j=D4sA+omikk__Z6CWt@0NjT&$jxKb&=4m*Fv* zs&2`Q=<)OIsndl%9V^zFY;_`R^Up{BC#mQJeDHF*&NqV}J&I}heOcH7v1*o83E0o8 zzZE=vr@UtJ-APDn@p-9c?1lb2?`9|#?9lNp(d{T?BlveX2dGJ%RKkmk)v|H>u;Bpst2%8+I#HR-nCBZ3^aR{%tr<&9n=bhfS5LV* zs`Q=f`s<)TI;-3}mDJ8JL5`IvFp<=ZPM+9X6H6MX8Ap0GsUb;kq_`gFnoRSG5gM8nNtOU&Ya?#70(8LeNBVu*0m z;WGHO>zggFS7%OWSs1GkXDx%mguCes7}3Lgg#CA6+Y(jXmHPV?;x#RG+qqGJfz&POkZcKJ$qfkNFk}uOTNG zPS>g|k~ThI<-o5Cv3oF(3MM~Z<-@_2_;{ej&W(V7u(`YTVDYKi;Yx)ZMaPzyoV3ncPNxkH03Mhv{t*0$i8-=*t&E{``4+RrC6z##IqM= z{m4-glo2`C(4w3?GS9M`5z2WNjI}|23WfkGu1Zw>2M}e!=T)kNBzV_TTCqO~I4FKb zAKm`88W;!YCN@A1oE zNwNj&Sn?*puF?_{>N(#k=;+NlY{+(M}f=k6Qz6E{TNO-OPoX+%$oQmwKP{ zID*=#n6`_-GWV162!ddUS^H9D?g}jyxLgb3IYftmh?kNyj@WViJWC^1To0_GVd414joPciJu^I?GGguY{_z?z;(do&_76hIvs@Ho}NCxf09;-k+4=J=HKR&N!0-P7tSXwRO^HVQp+Hi?jdvGtD+C8qp%xFv)C$&sgc z*Tydb1kHc<&jOw~(7%X%(j~@9NffetrejU1s4fj62<1{OKRVzJEOiF;Y%-_@%N7GS zHgf6tSVq_H#)C~*uyo7j*&tZI#ouU?NV3Lb@mU(%p%q%LXt1cklPhr0=G5j}oyt~( z)k;68v`x8nX^noHP+W|T-QM8_H%-odnl_Np+Q|_3o|f31Q6Q5pq9?tAKJNoQ3ijb* z6}A`&8L4)i@v&KM7bYR|7~IS0Ky7F?IOP1`HE&9$CZOuBkAoV_>3uD~encLZtS)H3 z8pT%d>FFr--Mvy$WM8=aVe_`-NxU{6IZ0SBdtw}$W%y7_g;<#jPbM_?C^2$h3!~xl 
z=ohcYruI+lw0OX?-yA0GAZq^yr>6E@Vz}S)owEv9(Jgc(U!D-MTQ>`BYx_P_#O#qs z;gH3mDt?_-yZ={f#rJ)pM=~~>RKZxP{&$dDYW~SGJ*n}ngw1?41myiqwP|;U9byZ< z$hS|Z|6&UlMIjiHk<&;<>Rl>SE$>gjYGSUE2~v7m?^nFx7h@9gL-CNUhl{a+Xjz~l z*@JRwgNBCFz{deiilMZtbW0A4am*CF8j0hslO|#Fg1*ZL8QYmbak2!Wu7_e2_+To3 zXlYi1f%7y6XG_uC&%iWUB$(nuHJFQ2wBcxmb9KZvvCqe<@ZssglU1u703T-c{u}d! z@;6CbMh1;3(}U_oBJ?JhC--;U#B;L=1A8)e0;$REixzQRg|_Ca{NrED-E?H6qaX3zf`vS`lHx`E5$>!!F2aR=z)C1 zj|RO7(m#y%f=ZfFd3Cn4DD}qf-M5>jC)qm}T?Zc0lamGBM;Q-TqM596KkS<+tg8D) z8hj#G6mlKRz|m%;qW~j1Jvso4u^iE>PO9Vic4-6vAgUfFqfm{rONW2mSQ#KJm{2`y2*N!l3@>f%Re3)(Nev(9j@9!}*q;cD9sE7&8R7^}pypfd6hkFIUiQ{!HWiLGN?*IvK!6Se0h zIr-)NOV(FdYXPX#vB;_BKax>27&DuJT=bAh;+s#9c(1D-_sW|nS1oK0J1r_-$54a( zvLDq+?Bzh)KU(7tlCT;(HQZ6-N-c?8xrMJkdN7hIwEijUnu)^T2SbHcedv!DJYt=< zf4>WojQXYrG!Fzm%t=+|i=v+D`o%&9b=Zi|pWf*%!T-4Dh@P~5;A+WFC*p{uF^uIa zT5GjKV0xYO&2CNOp$9N!wqDkOd4Mn-S9`{wiRw~Y=j|*l-)vKX zmdzl~?U8E71)hC3n5gp%c_B0;iUM*75rcSC7+$qe^1J75jeyY!lN8|V1KEM0u&rY- zwI)hh1O+9kJ*b|tWZ7ZJHXAotjNM~MDrSizb2Q39>gL2ZU$%|ldkAqhN>Ue{@YZcX z)D&Hc!a0RQv%cTcz8tGsee~tgyk;5jP?Bt+5k+SSp`aLA&$(R;;||Vsi%@F$Tp)nP z*|Yit02zB-ISCi_{9^lXu(hpP+k&?+a=~gnmRd-%?{%@$=hY;--E2z&74xMA2bjdf zU5q-gHY`tRLd}%&lIV#SCV`?p%x3S&WT zFS7p&OoD`r{80Ymx{K%D@Ye|)+Y$uzTryA?$mC9BcIga{s_dNM`=t4^=dwoz{)^r} z@#)m>9kJtVXE1n`;ewLfL)p`x?cKX#lTckc*-Nt8xAhpWB%Wcu$N3j8n*%y;@h-6G&+~%OP`q_>y$39_wdJ)4l4s4_xA!e-6e zFSSr3j zG-Qv-&I=gR0q1pDH$+CR2!^$YC7B7?1MH_cmnZfpB0aGU-)_2^kxljhLgXaW->#SQ zQ{M3+TA!7s$KgzM;v?F(@#Qv6<*$Tg{cMOcc)Te zIk8PvTMltV6mZ5{8+(#t#wp*S>_vUN3s~`h$x|&3{Wa^5pH(a$mw)EcGd`E9M_sfp znPO$i_J2;m{kw%m43?5pP9y+y)Cl1EQb#K)B%8m;N$)VtX}zC*Q>4bgt;2M9pr7Tk zI|7C#u_-JHG7oC&f(jO!$Ak~DmtRTvY<+1$oS;_`EJ!zewq+Wa!_#fV)GaQ?tSB?A z$|O?|&4M5%Tw*rr?=YN4g{@%&*}n9dq8`a8CjJZ#?bC{*;uivS*p$4V8;3JRb;En& z&%U0OYc`atEgccC(XjH=3g-kH^ndI9(eahIz6VtWqLb7-4UwsVYSevY^o_2u9_bAg zL`{sJryaITwu#Vz^?@^scbk&?Q%g%eikdwD`XCzz?V=7plTMVp@^6lvfujbNZJ|%_ zh|(^(LfNb0xpv1AJ3~IIMWfNl8a;%#@BMKD9Lv$U6EptG|E`^y&-~$Z;S~4sllHII 
zIe{}MvqqCfcVagw!1KRt8Z`!t`jJUacaemnt{YCl(XMh6RZ%`Mx8ruc&dfHG)u~I1 zyZA*$E%i{ghf4p)d2i3)x>-I4xMym zv!HMh%y%}{CL1r@*3>=M&e62UGQK$l!jaZdvzJKKG&43;S^rYq)eRX z(|6Nmte(aV&+8APs$2eG6IxaAtJ-|~

e90miMN1Ve*5pm9T$-F&Nzeap^gkh^33 z^?t{My+LCBfPz3$7E&=dnb%zQkU#hL%3<_jS5TAlIa;PxTn9-6295tioOlTVW4PJ$ z-DlzFZg)PH`32L(dlZrR4#=qntK!Y$U#AK32u=3CtD}HA`ukxh|y}qreZ=K#ccA?ev zm2A?x+#sf;!+MPe&bjF%ifYOIV#Yw29|6!1Dzg-y%`_>&79%mIr~+t@yL;rh5hg$m z??51>}MBH?B6xn~kUmwplv4z{!EeG3Yq2-y2+r=dn$*K|v zvRA?bFsTM3q|8u&Ua>`0qn}e3BGcmhvT5#G!pP%&6gj_wAH^N}EdckTj_&S(!hCim zUIxnoF~Jz$Y)!hOXTJTk;`=+rk04^C@140x{#731R}Knub7>I+Plbqi(4I>IlX5_} zcf*qVAt(GPG<(qKM*Ll2PnevB0xZ%Jpn^G;Z4F5dtk$@mtadJAV^y2H2plcfEUyLm6x}0mU&Ib9{}*9pk8MJ!NrR3b8Ssru z_4pc##piZ8LC^gJ!1r6qqEU$h8E@KuEQmowM40G=k?%4AT-5t}*jX$id#J-NW=(e} z+K?!g^+ui$!X)DUanHGKesbFNAxy;-r}1iz_x z^o6)tR~^RgOXHPID`Jv@k(4qLPlU4-VfoAQK*V#>>`L(>J+n#{7i%Z8vN%gYJC(@C z_EIOz(s_|jnFiB8179Txu>ZLJD1n62;Irisv0WDn z>u#1;^`+N?3`>n8D{i8JR-#iZ$Q6=}b4*1ca{!2mV81l(v(}Wz#M;?&c;M>x6q&5q;0K3UQ zWq~XXGPB=!;%HOW*YH}qLNiWjeUq=K>*0>~kA$jXd01~+?TS`m+={E>zFXxjC-Eia z%?dH^zGzgWWz5wl8IZ=1@zT}fD5sgakqF6?RJ=4k8c*7H1Jt(p_^1fqAd6wN(A?{tnkee%w}rVmC|lB~FWv=@lIXCH;8= z4|VR7xtW-%Y|4fW-?(jcD`GwFI_L|tokaS7J5Q`fmM@4KxK*ocGAYHWir-_-jApvJ zfp@viz0z}e^d;^aE{$fgOJ=lrQ8LpEu)6o9;3tOM@+f-zXKkFXP?i^E$Q00;V(d?HjLN3-mvvEPJmSh#(yl@k_;rLvH zbMHDe?h6O#sBv?>&&BeG{g<}QcWz%liL>A!m6-p`r0BYf%NJ`Gg)OU4Y#$5VnT2Z7 zki9wjf!%4u2IwJ#F0T4N8;Q8?{hnsmY4y~4`np&ELC)#F;#)dT(`i$oM>v^k+C8q& z7k(U!LcK#El-=QAU#`lF}Oo-rnx-ZWbh#OGK??RG0D z@X})`FV^UAFn!v3)P#<^ZA#vzWZI!fF2a(-SQnFs1N#?$3gfv(j##Xbr!a#ht3iO| zT8L9O?qEm&p9pjGkvyIhI<$ox{ERkH5vL&c5r+kU_=GinqzvnR4a`Cut%N%IR`#&2-9H z?r{B%K_*o6XO<|lKEzf{#b7UQ50ONVk&skQ`BXOclWer{usR~Y%HjMzcnZs zx^r7z$^F?41->J`?KF$U9fx5q#|kagugOAhDWDP*R>CV}=lmkO0O0?u?(*LYuGC}`35nhkvZ5&EoQimcNkmAdr#Ysr8`=H5*hsGZ!K1?F`nkf~A=g^6rs<+dnUuGl-k!!wY~tT1IF!?Q9q>o}U8; zowV!ZrV@o(VZ%-QACt0(hqSLY8i~T$cejWd zh|hsTyT2JY^m7V)F1O$5w|%d(cW_u}3^4eN^rAS6?v9b26Z?&x16<}Gqb9Uxw7+Ey zbYJKf9obDBSTt4Mm#OVd49193zZsk_i-#MSzB4ZSvCDbAnqy0SPg}7+es^)WJ2tf9CbNPw0p?EgGE-^wb z>+f9^LB0NYX_k7PEGt!+6uSQn1mwS5H%L$VvoQPYO^n1PwD86LA9-%U+*DEly!z$_xxGn%r**|-)~R2GV>RC7 zfaaLm(cM-;_`^ND)UAM`m`hzXn}XDApG^*Ks<9~nYH(5x63VIor_GA`bj!0=UN&IS 
zQ7Ibil>z@mZqnl4;%>O>?P-TiD^hA6ew&B)asDnmu`~CdF=oH}DAj!DDxZ{L%CvXi zFK>**$w9OM7siJ=985HA_r*Sl=>}&$ovEhj0d03U*$-HGql$fVj?k@+>R3AFpT~;- z9wh1Xk3+4MH2eiK63KAK9o^*mxi}R1*{a{A@kV<7BN}KO-iL&K%k4F^A)%qw4j0&B z+1%l-WT=T)il2AqJ5L9O431=rHCtY}uT2qfEsgeevn3_>y_4cLtXHz_GU8+7m)T+r znS>N(MD~eOZp-x1dO&%UQo+^<8l%OlrD7J%n;+6u#=OlI3^POiPygTYhqYVQVqZ5;|>tJVj;J?oq}sf7Nh?HarlSt_vk z;zm@>2uITWBpd@2dsx`CKsj*8GUnIn%Al{{m81r0A?ffMBu~>ZYXco z3UZ(XVRE%MIIL2G?X$}JnG+XnEX=qHOgf=)B%`U}+mh|UT2DK^*hi$UTCs4D-%=ng z=Ry|K{>5x!!wTX<`!k%-W~wr0t9z7_8u0;=-Tdhpi*CsO*(S?i)kAGu5Mq~20i|xH?76qLT7Gq*A1pBl2E0)a&>i8IlwcUZW-eePJb{#R@IPKS%FJ* zgdcM}-oSEQ0)%~LuS$zCoM@`O-1_yVji9Y>asF7m;UwngbJGj1R%XxJ5}nDlg814_ z%b|D;<9nZ-VPHFJjDW+WI_%T6OYNDk{$n%|&?=eA%Z_F7xQq+4=fP!CUpr#5L85y< za>X%nWv#bL-~z)XbDWHWoO+UTWW;2@n^+mMF721#OdOFFo}Od><&zD5DCq^FHCO9vTF@lE@ye;>SZFN6<)UnLH-E8O zl@MwjK{RlHgO0tj@-2v1;=5N>uI_IX?u$>_mWAiBHlR$7r5BjE`A&5LpL#GE;J<%s zm3`;+;ZcOzXQWj*Vxc$tYH(aov!>ZpSPX}t=AfiUU{S$LX+81SoJxU&@BqoK%T(K~ z9-(`MWs!=#djA!T=LyBf+Vo}r=SSy}_p@u8+4u@j=-RyTPzWBAZg3H3Gt`q}v@f4= z9Xavfw2q~Vruk0oBn|@8`K(sK(dT$R>>%Nb%DBW~H_2M26Q*@^w$#n4S@2bu7q}ft z;-?#^t4US15m-IXUS!A&}i6~ z#y_%j7`-l|h7cpCCv3A?SfD0Ao~vMXiXZOb>ri ze$2{=Fer)25)^ zy@Q_AfXv9&3kf;z)w<#uhqHMMCPzlaL^U2W!BM;)b=~sEiyIl!2O1RLcD-Tei=zM2 zDrQ1v%cIeXGS(`$+9Eg2)O>3?UPp0wPD|S4b$kNlXNv~8YSiTCu!gxNUPW$R3j^r^ zvoE0|g-Z#U)*74D1X-zr!B%V>MW$PQe7hd|xfkGopjS3jVKn%{x#w$!jpSZO*jp?G zM<#(rtfGwmC|p}7NlqPj-Q8T=UpBri?OTk)A!_zkI>Kj}4aSUU?(%56AuhHz4)pz> zW-nUSS_f(@N00Q8ocVb2v*o*r4P3i_A|>o6uvsS) zdB$wJ9^!JZo&}Wrf<8i5wCD62%2H=+D2P0lAW2xzsiH=P1U|1gIvMo?ruiz1f9f4q zUs=*bl9QBaY;(mx*z|K*+|S#%(bxnhTt=E|U`s37nxEk-&0jD}#chAM2SZDiQf~}8 z)-w8A5%8kmqw3Vj{C+2#ce7030ajAtelh$GWqk&(RZlFPhTTCqfYg%*=!524@FS(Y zzOe@&C$6R{Z295V%K3477d9evIVH;E&YjLdjyW42!l|mAhm&RQFMk80t%&BWe<@!7 zr6#-aG4Oapv@6p+gT~3Y*6R2>xsZ?K&*Xl5wHyl;Ml5he7tVR#C4h~(tk=lE)x-yp zlyy;rzqS2;7<=!qCYP;!SP(%(Kt(}>5R?)+0!oLdC@2VsNR!^A_ZlFHh=6pYh*Clc zy*EK>C_?DH_a1r;p$2|&mvheE=j`|UuIu?D7X;>+nKkRa*S*%v;2P~;I@|-FKTzhR 
zwrv);?2@AvZW-Oy_MU$#@~({E@-*REc$S>PwL-#%pT{=!F%Q-TCp90{IjF}HPZE2T zK~@3>e=u7zKha9%;ER6y!{D>gtD;)6tTO? zYVmQvYV46NH$XEU_3B*=Ggybc&384DGRBS4&$>$OuU%WVrjpU zY6%qaxh;>I!9w5%gqzgT*$ejau;+f}n($ndSbWP6Z?&g zS2%YVCw|l_fn}rZYb`Mp{OFKyaC?YUl>)ytdf5dXB4|2xb@J@-rP23~!7VR9i98uD zwK^xH(SUghR&fV?E?t0?n&|f!HdMI&qPj_6N;zM`((A7W1i{&wveoX($Ev{gnvF+keLGus; ziEEeS2mRAbq6`~h{bvz0bT*UlgHFdrUN?o_In#w?xx}Bo=6P@K4-nlZS@&aqn(kxp zRlrfr`{DJjsPtz{xP2)%*=>=Ak-f8mIx6p z_hALX?!T-(f_=I}X)n?>1BCa=znaXVfPLl!@iOcQ zEk`BSs!4JcV|cWs@ zs~#4w$`$gP=@TnVn$~*-uLo_1+!=~F0lL5On6f7eWwk_-(!|k)M%tl(xq`Ek<$C@> z=KN9Rh?P9206P=|GpAOzrEaCJhobdV%$c&~7e3al8lgva(5;Vq3;gR-G6+a*;y|YQ zv-U>V^=LItG@wO=k4x)*VsI1wIuz)sg1>R;hbMbQ3iiE2>Gu#- zI5zCv=Z(qb{JIdFjA@2^+l#nk<=qDqd>@PwC9?43yF=~Dgxnj<+mqt>y&d5UJ|HZ@ z`bVQ-!{N?bH$CDur@aES&PU7>1m-dDTwM$RfmY_wRuvZ z={#u4;}7m1s}5&>#F6dj=%ll?4HJ&gp~57K2JlE`1sW0A-eq;2muEbB@wF)E{kFF~ zkKHk?Ypd3#_keNh?$EK3Qf}yHlTSp=sDqe|lwv2Mn*r3$&p%sf2TC5S!H%p2c{&X^ zG-+w0za>+Q2G~)%=7XT&@aT*5uRf>Um#?aj4Sd7f)gEr2-|5KlWT!HU_v^iA1FxaN zt2gh0XN^BJXxc%a!@tiU-@`yR+rHVKbyaOalj!vqusBG0TOUR;yj~4pYcvTc<-@kJ_&XLPV3Y6oz=i}s_RPDF@Dp{S} z+6u@Mqw67{?&-sOXOB>3*ewmn*O?(xyCiNeVzzSpV{p@0EFUIyS@+pu{mE7ogNIJ2 zP3PhOvHir4qTN#=WpgPAl?uOgJs4%B!5Jvi0U4z#m*GbpI81P%RJ)mZwbO$K>VywB z#>=v!foo+X@B~oJx}VG5V=o>b2ZcpSf3; z=$X^A%jl};vX`MTevPKuZ-TkY~Ad=1@`ifYe{V9 zHeDT#J~%<$jbvBujg!jiNq@FQrjKWCx-xG)Y&nS4{BT_#mDX^(Jfeh2#_#k~U-|4j z7zj;a<2!8SrN-4N98Y*wNdvhaXN6O(GGK4zIQdkjrF9G0J(sgK%~wJC{n|4lWnA)d zC8E;QipzG#>!33x^;(&)!u=UY`>S&eYXA>^nN4%942Cw&iymiC?${Rma&~{Z@ zCgY>8yy2o7g=E5Z&?9xZ_^8;xN`;I4%|$Xwk^(M*I?V#U60W1jr+5sk1@c1~3U)UmqMX7V*Z4L#T*HaJ02+bw`i z@ayx~*2L#CZYYDJhFuDiMJ5K3OA_%o{&0Qx7!ljdRYq#Hr?SC`ySV?@2_{)j?-UCz4Hn)UsDVp+%at+g0UtaI0Zpnlh&sHVr zK#$le!>cU^uRxYRqf<2(n|CKgjO`mw;tDx7u2k%)v>0*jwt^C$qv)o6)hr&y>weSq zF!mOYKNuXI@_U;$OySBgE`_U;;zEb~9K}l6uCYX~mJK{p8NwTcN~Wxr!`i7PcL=iA z?MZz_3^Lipq08u!y~UE+ZjTRidwr}WAWu7M&V6sGb9d5hy1gaY#{t!#>NsjTS+osD za?L+KAdiALkMZ|t3_Lr&RNhM0WZP0MeTPR^A|VU3tSgG_580e1!f@Yo#!LJspyQO5l0`&&ac`jdeNmGDC2PvXm4JBC 
zWxx$;9Q09l)FM@LUz&n9PJBJ0Jv%0N(&Ho{0`){@VOkE8m%5lhw=hhoCc2vlKlYAy znDQO@UM4ebgBW~4q4PrHI%WZeJdnYzxWw^j{?M$Yze*1@b@Y-5?>kGJ6FNFlmcaeY zL>jTz8aF3Bwf7+sAl&#JZ{q$jt}p7QZM>lfzsO4+aXRpO#?#^5fY!v%g$g7>j0!@D z_I|vZ$Fx+Mw>fy}g}o>UvP-(a)%|!vp3KXqN;+ zVvjc6sOLqu5C`@pHH9D91OxRjn~!u(HXCudX=Xxi*Yhw zGoww}nPQC|{zc@}e4EI$fqJdz#&qza5V4*aUxmIa?~Bh0;+ruUUGgAfy3Lr#sR{l; z1Iq5>v%%tX>x6S#ajNuc73glJp<~l6y7p&ux~bawKLlUOrCsX|gq$5=7W;weEwv$Q z3(>H{`^GuE-IVu0L%CYqTd4Ee3AbseW7knkn`#(#C>m>)2!Fw}Jg(nu+IcyxmvDwh z=KcOM8|}^m8IFeqHJf)$ikPl+l@o5WkuXYgD${XZ>=d+_c;I!RD|&OXN`W(e?RnbG zZqbF#?cpisa_cYauf>O95NxvaYdURc$rG)gYGPbt2=_ViTv%xRl^s3EMupx;dM|BY zx#aQA4DN)WJGX7Pftfw~Om86oCuSs!wULsRkGskH!cvRZKArX4vz?9YbbMVRzB@pe zanS{_I8jChZKv4Mbq*FkrN+Da8f~{?^wV>EyQ{YYB`3;bCfv4a`m&tNICXCOcOU`P zi?D424kZ5xu#7?@x(l$@_I(&PK)7v&?39DwN6qZK{G>e+PxdHTRFSEvBEl@erEH;* z_8yh;gskvw?V`%_E%B_One+7;vT9wmZ)fLIae9|iMPB$mFCf1DDurX!pk6reyw_nJ z3hUw!7ycyh=UT(9EbdcMUL{wgB;i3c%fIP83@1P4)?s@a^vO#OUh>zEkb zEoPNhp7$MvSwKLiN^oOBHu=*5d*yWJZg1}f>dO}$({W#U*Coj|Dt(Yvu%ll9j>Vba zJMG|h{E!`rjfD)!aodFQ0VRZMICPx_Sk@?&6(~_T|2mA|#M-CMz4tbzOvA>CJvX;m z4^U$j1@6z91geLq_9Asz*N%#3Snrr_@@kCu(&>H0B?4Btr5x7X;rg&6piRR^a)gQ0 z*x6aMT`36Q`LTw-yv*Sh0m{B*c#4He`_-t8K&qOGl z&eLwL1Zh>ecu`Zc2KBW{lHNIb67L$yWGHJygZy!5u~;w<*!#>pVE87`n8D!2&qmia~Ve zcAPXURch`eo=G&RkrX#+$SqQuhQ|(jzFsG9JQv5ZV^KZ@hJ!UDO zR;iS=)2MT1aN|L;wa#n__m+tc72Z8j`F;NdeV1zUraRi@+htf?(jejR_2#J^juG_P zkQKjz&BSFg3ex;-?k`MltD3364qqrO-~*^SDvla{(vuUTjdWO9Jz-n~F>f2)_}0N< zcCC%ItC08btx4+~;LbD7vzjXus!J26bYPLh6$)9ZvK%Pe)|@ZJ`apl;YC$pzeQbMh zVuJmyb~aV#wl!xhu9(rDfsW&JH`30pvi-Jo9z#140FrK{8wpmN2JW1Db!IQR{wT<9 z65G}lnV!|q3Mn;)3UpA4Oj}YcO=7g&5-i}ydjMGZv0M7BayvL0oWU@`r&~GkuDiA$ zZVvaGbj2sQp4h}3-O^Xs$SvvG<*h?(ZLKIs1$cY~NZULS=SK|}yp-4|?e8Ow)3&YQ zwYlXDr0b(*Iy;B$``OeUebk@Ygp(Dnp617Gmagm9%Q6c&G%o>KwQ@DWpeX$)8xnvn(CsX2O^$Z8%d7j9_$6BosAUN7D_tCkB<76jqZiw@;><=OV*Y*c6~K+ zJsaI{ZS4f$VuK_)=(u9f^TrCUeCaZdTp!P`Y7Mi>OIV448z<7lR~sOgP^XLCXQ2s3 zXi1C8bHN{My6?OQH;j22Ia?kxSL_xHA5IQwjQ7I!Zm|Y5Gc7adourSp58LA0%FMD8 
z9VT)s0o?BAnP$f?S>;GUT59rAu#PHp`1gt^T^jJw)~UbGo(!W0Mpb7?t_Vs6lwQ&x zgO>y|&m@rm$_9|m^Ea;p`}%ldo?l2{e~~R&&>PLv<2%<<-v9Y(i{ZAt#36P;a z=V7oW!t#q22$$5#CC==;HrVc9k>&W8inBFrfw`)KEyY7GEF8Ni7Q;0x+G;!Jy3Db3 zItw)YhQxvFZaO-fnCzG7@p>pzHG~XulBIlhWRDRYPyr@B=##I|il5=1Ek+d!lQ_o7 z#BBuyh?fgmRKl!0IwEfPmz9;Pm%?N-uDYEPP<{&4`dw&}(R1uag|2qMA(Fs32HAa| zMRKQ$q0UL?Sf&BABS&tasp4(jfkVs~F<-OTbz#dBfTI9l@w*^S+<_fV&*Q%b9+e-? zfq{!c?1be+xr57wD4yIx=T5T0ol69c-Oi)NgQk_rEZ&OCU9`mf{Ijg8&mg>qy><(Z zZUtuCgY|a(#^p~=#92ffVnJId6sj4y`Btv)Gb`lI@>*^ zgjD-{Asc_D4mxH+u74%Fqsj=Y{4C64^Y&jYBrA_@0!;GUB~jpJo)ts`ftkO2pehDp z#(-@Fs`=#ZP1rMGlosaCZh_8Yw?JLs)ojHdoo3QgX@_A1uLx#XbEL8>I_!qcl{6}n z-QJn)W14`BiOFU-^d$lbLkCqgjSL68y#2_2mgD&eWR^wQ?2u*Vo z-#j7zDz{<()}Vz6g;@!5*lF;&MyRi4jJd$wxFTd=OC)<2wS(oS01ECNu2Iu2O{1ab zlL71VD|h-5g1lKzF9yX5I@_@jniq_pEoz_-u{v74zOIhffTngHT5=ovtZ5p{1APr> zb9eMQNbwry;mtW-)J{BP*L$^{HMQ5fjY$S+CE&M~6Gi+MKO1+MrZX3bn`ksqOJHI- zrVnGCGYfkf->OZ0HeT2sJ$f(5XY#bjHgyR}&rLySrSO*fneTF(6{01Mzqc-s%4E>2+;+|Q%9Gh@SX%FJ7+EVR^AUrGH zuH;G}GyjL$Tk|ATfMDU#GKDqZfZBDWfLWi2pWyYjd7n%hoCHLUaAzDK0KrhH>H@|J z?EpD#>Ys`zovbAyt<@^jF7k|~Tv_ElCicjU_hhNV-Wq+(_7EeIFsE`!LFU+ zsEaz5k9ql3#d=oxVig(If^2^&5dZ>+RKZC2I$byNb*3ND&j=oUfgBTJc%7&D!SPnq zy6F8jZtDc7cr?mlX~Jdl)}pBZE!N3pH9@T3*f8EuSn1)VT45L6=RU4Z&kScFitbx; zZHMs6!(l{T1Zt_e2;DSl+?5K^;~sYLquQCEU93@(E!Icw*gCJCw2*sS&0zg-o%Co^ z#CdWLVsdoY!TQ10rMr~}GZc#f5JP!!c20$ro5F~EZpuww{;7}pi*x$OSl@j3^sOn3 z_8wHjZJ#f#gtvvb?`S1-j}Rj(GJ!fckaXV0hZng?LA@%D$eq!95Cavh19&VchKciv zC{*)K&eFE;b{~oBT9YPIt@(g{=R8&ihs)jSXLYI7-YSCkiGlZQox9#4qWA1 z?Q%azofqiPc=47hfzvv?=Vshr%j>EIu@k6UiXHcl&U{j%ax(%3xF6fnG>PYoJqEUa z*kakK`Lgg1`d*p=`awX@CBp7r+?5@7>{;}(;uBAHr=(%0EnDjR|g^aFuVRb@SabSX`F43Z10xlbFH+#s39dOej%kJ zxLa8_a<@wf3n6xV2b)m>6>WAc$;RFaUfXw+i3oGm`OK29ensv|zeAe`nE zRV;o_$Hy zGyTnChW!8^DN0Vs&2pjpft>xwP5$RLax8jT5wiWGjaJ+N zPS;Ya*Nf(&IQzbVCBWgQd5-#>T}`WtjUBQHHkq|_kXC%>gFd=YK;ep6L6(d0YX!h5 z2HWm$qW{n}uh4g}&n;JE&w#&ZT}#|HyruDZ;p*O!DPW%1Gpn{?JOK74e3!VrY|$Hk zZA!R*4HUv<${X2kLcV3t2Jbv>Uq|D+9FW6+Hu;Lk`XNzERojnltgsj&?^`!^g6F2| 
z`J`nEY`X{r+J76mXsz|L8#`u9^XeA8tnw(VS8LG>uw=#AjvS?E#ZmMF@u{)sc5Yb% z3!TNs%9l$m4_bE9i~tyke&(0!8-2RFmVC-CPX=~*xU{x8Mq}?>ozJnpa+ENA%Xmkz zmHV{hYRS@ch%v)VUTsrn;oaUAJn%>(8dNKBCFt`BZlwi@w|&>sp5fMY5a9&v6v1;0dXfTIyHm748hN4+j|y%|ZHW z-H=0e;;^9{d^}{jlKX1U;Bp>SajX%ATy!J>tdFSd&hVY{<-zm_dbQm?82Z>C(_hgfIM#cTa8`u7X4J z0?k!}VHFnb`!4Q@k^cDV+uk-z0p{_0@m??bFL|MK@zQ-L2KYx;i%d^1M?(UwSbm=o zW{jL!aXtxuRGodw;u(U&vubpC&fl))>$Ja9-K`JiU|gu)y)xC6sYj9TNgG6Hpr*}a zKl4rULSxGKe&(AzeRslFqtDozKgDhCqkU?58sdf6A$m|9uS(WWr-X$;Hp#W$Z!5=- zwR~U(c2Hi_rd^&I7qyQ41t+}(n{i?a(TiStR0(G%4@suU~k>P ztr$z65kl~q=Zee2Hksc2n!AH@7BNd4$jzEnyK#|-nOk?WqIjLRCbvdt;q`cBUKZuN zWH(7%cOP=?wmL8Fp#*4k;OjCL0=Gxah9@5)CDK;P(5-|0S9^y|A;2bT3Y5@I-14|$ zZmM8{45`%A@(&D_IQ>JOuZKC@plH-r(QLuS z7peTfQzaa6uqjD_Y}k3Sq7{x>0V?*W3%*)h(@6YIq8Qn{%;JGttNqo)L(XLUd#@ok zWQ9lVVlo#Kynt(!u@)4gHkmU`9Q2M~^>ci70q^W^YO~j6LqP0$C4vGNpMBhC{Bmx! zf)<_F`4}>E858u&Quks=-F^Der@FR7ZJ%FeP&w6`C@(gLZv3?{YSTI8Ncz|iGNp=I z$CsiqDA+x9$Aza(?xKJs6fCwFaZGdQ3=fp7PR8EAhOUSp^jXtV15*nk>TLOdS{f#q zK?NmGl7nqWn`H4mUm7ZvDgtnlS^&W%hbn}Krc?BqY=~(3!)lhOsChmMlT2RvBXKRF z@MOAUL59$~6JSV0N?XP%Cex4=*5KDkiK*0K%B zazjbJTK+iC!v+!*1J-4~S5v-vsqS3^88=?^Ry*yM5nsxl$lh|CECm8_;T@?deAr&* zZ8dsvYmi~^!~6>|=cU}3Ou#KvG~5%@zX(8{i)@%%P@0Y~_1S@~#M4{(X(X~z`~slD zgROyEhjn5>btPFZNmt0S2YaUA3T~RrS%Rt z4Aq9erlr7kKYZjRwrIWR7tZuT51&zwW*i^pQgv2KN){+*`wEP^;#~j>@y-$eM3~Ka zF2zlv4SsIB2lb>EHUz5b zLn_8D{;2#YpMdqyuW~v_CE3Kp+_W59W)1#I^%kv`=HO!@qgPBXtDxf@Lz^;j*XkKj zNj3kW&NW|{QTrq=q9mRHtgs3Rl@}0U5okxBM!zZ#&`0azR$A;G+s+S>_V`wm(9aGr zAPPooUOM6QX%NxyHVXuat^iktNh_&bUx@YWG*vjyS1Qbxig~xX{tTN`+-8p!HyJH- zST@T?;F4d=qXbnSPtN!9J|+PZo{|7epp_eP%B#;(b6rV+hs;#zBqzt08@YB5GS2f_ zn#ocU=p|@eeF~-eTfyvlCK{#IdG|$=SH)(gh2Z3C0u~-1zrq(qf%H#$lhs|;NiaVt3I0K$$T)NI%JfP{p%t6cw;p7i#48&w z34CEq=reKq!W*6gY9c(yPGS)E18hM}@u|A@$+GBx$*Pj0UOdx!d>_EjD}`UKDYeT+ zw(nrNqGKOdn9nLZEk#u<_WURgU-GSiXdQlujaDkbTJ&@0H94)nf2~TIP z;;7ur?8h()L|^BD_vtxIiZ;z8nA9D?PDQ$MRnEwEbLZNXNj6g zi}BO2tGzV8g_j<)G$1FQGKE0`Rf{!r)3(OYuPOA$IwU~QozIVaO2W*5%x#Sh^lJux 
z%>oiVL^*RM3C=$$8A1nh$$fys#RBPrPCshxK*3+>6O>MaeGDW~`@m?Wt~19A&q;*@}_`{3Ulm=*(Hpllw+S z`<8cfg#w5+`D3$Moiz5{AHw{-Ko_F@;dXTj0JbgXrd&g+EWAV#5RXs`X}#`zu6geA zeI$nuMFD^!h+@d1t=l8#mPv}a5Z~O@M*sFZA7kO+tG5-R3HeYN*@dU@t1qwqKJQ-n zax;kgT)4gC8ciud$fT;9eq}(gYbemrFSwu8I+8~1I40Gwe;_ND`k7(omXTjx-0%zOQ+q{0;o3H`= zU|aUcbUnY`mFE+4s>jMD{G!f>Y-G>>q;;(i_`@rx`=g?_k)_e8!$W*bksE03s#p3w zZs;t7`-bzUC&}t@&z`wG!~bRf z3^2MeNtzV7p)#R=2*A5>Mm_A)*F7<1mPF31Q`Z4CRF^{A>4d3!El`YijOWMi8IiH4 zadW^?GkEtNICspahUqa*0uV(>Yd)iclDFgY!bX=@Hg2u}O%QtAj^@Y*{zgFcZFOhGYSzAt<{S5!)BAD-*eeGJSQ!IDg>50DH(z!G06xyGhdX_(8kK>B< z1lHxh^zJFiHSE}dHv;k$`Tgib=DN4KJv9S^+v+G?@Iwe_z7e?=1|_{Gxdg& z02{l8?W;D;y_GWjpj6FlPYudsgj;;scD{$K69Zo903T3$ zM2&Vq7t@0$OK}xiVTIs>WgY|nGdT_BYK%n8Y6InZ)l|q+!LCMaL5su`j5Nq9_hn3i zFvV7+lKv%CKzeRAUA=P61W8(1rh~cyR~3-oVB(w+1*~!tl0}hla8Pp$3~*KugHL)? zvTVI8(7HD*LO99j_j18Fy@_J7QirxDLcUV@M|0Qp3=SuMMHWq`;ZM&V~b;_LTy~^@({z|)hN3LiTX@Rnj z7Vo1r|80W#QNBQfx%Pxz!S2Br*QrlmFFPbZ-18hOc(_oh1k1qHSiY5oX zov()nL4j%I6zHC#^^5Bh?saXFfrx;~8A`d$^&2MIVJP-^zc!5wTV)ie9+M_sfnHUg zG;m|l#-!$L8FE}Zx)7d%Dt2`lkF#4f%Qp*%&)VRA)Bj~;nhPooKbZ4yo|%X2cVQNh zrBY@?Ip!46hg!_yTj%vX2kb}7%ZVs@x^VUz(pk!-Iyq-7Gf9Lq74^YHerOM_Yv7xS|bWLd&t9F>o-SvPh{=8+y9eNl8Z+Z2yHg?SYp8b$NuppZhT4c(?rWgF zBi~UbB;*J=Ky?pn@0HvpSP{4lVf(sLTJae-xmP)ZwGyD>LZ${0z>q3C@y>iR4vf4d z;Cj2|-Pr}(#i_oPW#ZA?9e+HP4BP%ZgDul5CH&L94bUpX_b8B)lM^9H!A5XO8(Gtl zHnc*uX=OYB1&MFbN2|v#%yRZDLF`x5A9-=Lqrzk%7Ey3S7w;~kz)iVww|nV9Rw<8G zqPI6}26Hy%WR6Zd8MB&D-3yz+oA>YiU_Z}MKG&nh<$TCNkvr2~hYGPQ5Grb2F^|c& zDQ!{fGl4bTsMU9|_~=u0U%aZfdt&f7i<`(P5Qb<<{$)F21hL$6m3XRTHQpV5xf9Tl zQyMUUo4v?4cttbd+pwL)j$-zg0`^23B9n37Sb6TBrBAqt>o{&g7Lj|PdWa-jU6vOB z@U~FVu{KNJan~~0G2L`?NYd$aj_+qUSY7}SgY6bOn+A}5%gEh1roE0;RFN@>U~F$K zz@W`bnC(5OGv)BSPI_;l*zFm-HF}tjtL{F?`tf-PSQ2ULIH5i^OEH;94Q_XYQR-9e zjPvXU@?&RFVBUjQYOzYzun`1opycer-83)I;fiSPy2wq=MWJ z8tcWbEee@QNVeGUKqg=yBpXtl(G&YAl+AMUuoXsK|H*0+=tc)kh0aqh1i43P2Mucd z0MU;PS(e6YOE~Cx6DJRiYkA^G+ivAQAU)@F;#|Ws^EaWOb@%kbW>1 za_DGsfSq~7f(&;Uc5@yFEs~HO@uKiAdU;u>dK_`jm@OKDYCH=g0x6I#Q@fqy0lYM@ 
zBrrAU#!kfq%GSkvYC=KXtF4129!&tMIh+q}!oD8W>W&7Z=_zhgr-Z{gF&He7mWM&N z{!kwGUY`uga{LzmeD{5<$>>2soc(9eVo`&A-zti)|3yk0o6Cpk$SFBucGljy?H4Bg zyq&Ms6Lp*fb!Sm0YjE2`?Fj)|j~$6*kPVez)k}wQ>Y}{~Ao%Afb?Gssm-~cYP#tC4 z0&8FF%J*VxoGZ$ftPVf5`Cheb89{zgKSFMTk?=OCOR?5g1S+L>ciV0i!IF!gD%-RS zX;nt2=6YUTJ~?GTIP0yyz(4M#S|p$n(@VNlh5}_tx~Ytfb~Q)A2Mi*PT3AXKS$9XT zZCK9;bl_Y|XF$FEg4@!@l_*~OP)Ft+m%ICeo|y*rm~Gx?+skHC8Zis!0~#AxF#Bqn@I0b0b^BwD$STJrrSn zal^u8rq7*#m-f?TBUe`94f-z{4^T4I0^Y~a5yD3R3}wz*`n=9)B+yug^nI^p7^v>d zYf4^(&0*+(18`lA0-PL&1KW;}*gXKrp*&M|W069>e>mIO>d&u;jY*^;^nm~Yi}W0C zP)~76VvDh%PS8>0o6(gG{QGupy4<43948!x#I>)5>*ZAa2EN&D=#Bjq0O`G(th(Q! z)vM>)%*$B&P!C+A2X2O3UQeko&4JrE?M!%`Ic(Pox^NEGqBOAT#pG&qi<;!x#YnW& z6q@~}il+0-yP0a}eG+{s6L-jrdF@rz+t%7KhHnZJE$hO2Lw$+0w1&C#cDyq@A$EPQ z2*^38(OjoYOpz}%Pg~t0QF{bOd(U9{Le|>k%Jo*OdD5(_;nBcq4s<}53v>`JPVof1 zmeK&2jzQE1Z^oiGhihfx#=Fy)&!;hl!VnIxY&Vdu`Bc2}Nn*2;)oEVuXsw=6SM=;2ME2>zj0n1xDhyzEA}4HG zMVW4s!zue6+E#X~h1SoTd`>wNM1~|^Kk#wzUo9g6^^Co7vp?J<51-Kq*Jh}&8|!y~ z!|QqX1?DCTkz?Cr{mS!hMnJEWKHJ)Oxl@zS$dWn=mO~6Q^GuAlEvUe%Zt=aV-q{rE ztFZdQ*X%Qs`(q2Usi31uUF1`#rWyxrzOAJiZxb5G)Jf~PbwlO#!cQ5z{VU5U=toimGT&-jjme~@F#yr75vR?*G0`d6E}=8LyQsE;hpEZ?UzIpkh>HaU7C z@GAQXgH;A8W$x0=d3 zV*!)3L#o1QnG3n&)&u!W)1Jf`RYwCD^BjHTzS-XTv|I7+I$57gv22lZ>JS2=v=Uw0 z_M~Qf)0nLewR~y!z`vJ(=9N6F>+&WloU>p zR-d&o0-!*3U)*P^WC$8W86H8LXHOc51Z=LJ77qb1pp_Cz7ti1=nxK~k?6t}@m`(O< zz7}SiVJnlKJ;WpU=$+{OT3pO&c~b$k-ZW&bv&6Pt>1U?G?Y>7J5*r)4uSCyl9qcnJ z;q;}Gg>%WY@1r##l{2(}dExx0k6A!!nAsquZ!@z-VuV+HW8b5_4XsWds)z>kXE}nl z&c-g>&6X3_L*hwR-o%6P1$o*b85yA-dDba$XoEgHGM$Uj8g}G=umCpsonV2j>IJg0 zJ6*T0uVbz5PSl0CFu51LDH;`&x?jY$?OR7N#gZ~u$Xro?Gwx^?&Nq~ZgS_AATDj~L zK22Rl6$_|anKOGi8vQmTvXVPPT302e30QYZ_9f>9B=Ce9ZCvm28ClM+L{ch5DPNmD z$-2haZcN`gr%a%d_hw6LyUXz%*eeokg?c&pwA8Hc!LCE6Qt+2@oXmcjqUf}G*fMoD@8wsBzW*yaaG5frD4uzW{tT;&NZm=%G@ars zjTJtrQ`^bj*P>Npn!iLVGpw{kbG^H8wUPhch3A}JAOf*#cUIIB!xK48dV)L|$)2m~ z%0zK#-GLAU(g#pTr1)Nauq#V8+w|I$^OK7Gpg%7)piJ(1UTE%2p8-ueYtBAKk8U)K zQcum4_m5$OT)Q+Ts!c@EZLQiG#oxy4`||6jo6g&FjC3{+`Gr@-M4!KK*U9Lk_SF$o 
zOVG%Hj>9iIr(YkzRQsX24t?8`Z>X+B9g zs>vXeVD&ZSbVZR*%9)9hIGH89GlNl|Ujn}+hs@w3!LU@rZ5G7@7spJmX52?H=Ux#5 z39TR&o!mz=Ejn{d;nAGNOjird^rnSNq1FXva){lyrrD-!WKWSQb7gy~OtZ29*@du~ zmY6c|t5}ml5?Pgd8Oca1-}}(a}#oj(Vh{4;_7yn*wW& zK~+(uwO1G`WpXRG8XxxKGVjU1{7{n07#eYJMk<`y7B;YHQS0j}My)FGTKE9BS%5U* zK|-U>r&dOu@;IziG)QE1r`Fe@Q+}kbam#IhqQ}W!AvE>jL0Q&thhcq$O+Z1m%2ynn z+n4vk5)hT$#Aikcs@W=Z_5N!4$_;9*YW}cH{TqJ6$i1aZTkXJ%=OKYfq^PJ^Y79?a zk{vdBDTSD$ySG9?J)?sw->Bnq!jY*m(oeZaz3}BHx}ygwqyA>9s}|k4N&bN(EiqhB z>})yjdI6K)aLMa2+Xpgj<_a-M&7ondA$h@aq*N-63nj0ohYIHJ7mz%Cnu3*7L4`)J zw+>LPP3olezzXvBbJKE7ES`lNQF`Mzut8-sqdVlGnJxEwR);=j=`&5<_JwpRc_|Ds zPS%0yTv62T%I@NL<@)O=#NNAQAmju0Krr<{KARxQ2bOML{LoND#I?{~kka)e z1?7xhHRpH(x5J_y#`YsUuwYs36=a%GzL63uixVN-pOR_#Cs% zLVFOx>*jrBtQqujuHqCrzesCc)N13B*WFPotCe5_D?nF(S%2oa*p=_~q=!B5FsS9a zc__>dh%X8oXo=xe7Ew9x#lXXUwmFJ_w9ssZshQx@UF|z~^B|>7N7=!TPs0qQx?jxi zmHP9$JUM&)dTNqXBXOL@(@zDd1;(msVNtcumoCRmG7ZyY-gs)&lQbP`l^@xxU7;P_ zeV3IWJgY1BMM(E2ZCUkukQ@pAFyr90;f(!s6-MU!GnqX_c}fEhvTjjunT7QeB`*H;iV6W;$x5 z*afV0=DE&TS3g%!=p??>!uZ7NB*Xp2R=RZVCQerAa1x{{%jq)Z5Gi64mI&}hN=9FB zDJgBs9biM@r5PKD4_0SS}_z=Uoiiexq@NfE7sJ-qphejdp%g zP7g#=*=uT~oP5Ihg{Hv`uFsKgvunleKJ9)(Q;3G<;>8^~nrEa_Bw)%UU+*$=j@Fte z==rxDLyiQ=7R!~>lXBoN^jF5yZwDgV>ZE9uKdu%X^^`9~yd@w@SJclXgsoE<_m;iY zSmEe5yw&FT+VpeWC&`PU9&(jzPd+`(x)VUbWl3!sv^HvxXwR~A7$5K=F6hMYxm8JT03eaEc^eSFeGZ?=@otG+3_a{5|mwy|rBEwm@kz}id3 z$ulW`=ce#zP-^#tVI1RKh08@xrf2YzAmJ*um=!X0vh{*Y+xc#7ZAuR55vt8xz0g@E ze@xG(r7N5yfEr7>>n$U8?wz4__*vVRWp5{}eQ7Tg@Rq3>@PjvZ$I*!TB)Q75j1+CR zJuPK%^H8o#^|CD?!9BCUviOxvZbfMo7R3J|?5l&??6!Bm0xc9uffg-R+}$lHr9g3a zD^|P^JV+=|ptwUR?(XgsEd&i#Tml4#;1b~S{m%J*bLX77bN_i~-kEojEo-g4_TJC) ztm5fuXQQd=CFh12aI0Xsh2o0=%M$DT#p-rwczHjytvI$$!g{%ZfKCJ;X_RtaPNWZ! 
zBzEZLo2yXxlK1R>+QC)O*~X+AOQiL^-1!`u16kiFR?oGyEF{dPX4eWr8;Y7;@lr|j zfl^j%{EF@n(d2nhP6Vc&ef&14PZC*&o1+N!m?G6;EwAOVsrWt7Cp3N z!WoDUV6zTwS;mLH#~{6;YhEh$nTtO;dK!%q-n(@vJNG7fB)kyCCPg^4q%ZqTQb@xxPY%@}-XXpDF+0&DUkOkR zYw~5>TrJ}Fh<-G)LP4odgg^81-y{RNA{Vt|^~O~0@&!l}-(0wX#AVLT zQ?YEk2HWLc7Kt4kE?nP97J8e;OCU0bzaj*!t*EVRZD?^#SYsd%B-$~49&gBY;71se@{iLIfX(1W;RAMEqIevxU zHo--XA`=~|z1i|aQ8!yCj;%w;D_3cGb={MPAlv?!!cQk09=ud_o{CNX zbgm)idn07KZBga5A>w+89*xj$APJGfFpf2dGh~%%GKA|&mwTWvQzY!FdDEI=qu`VR#nz{h@I9&ernCJAA{LuPtaM5^y z-671q{||=tQS{A6WAGj2oa2hGVQWAmFqq^U_4$NDrSiP{?9kFpn%wT?Z#iG}0{c_U zGLg$k9=p(sN{|VJ8SVSB*>(t`p5loUPDTh zLp^X?;oBI1`Y54I+|Pu9S2JVsS~|1cTUeU!M?fG@*{_@nq0eu(ZhT^N8!e_8i-=}Z zN;jLXdMxXT4>!$V6$k32 z75kNp7@1c1BxMx!X&n99-v|3Ne|Wj0yTo!6)pFqi_S<3w@0BK=tYhNj%k<^I@}=F# z1Rx!#!$U_4*t&poU%5se$lN!y&N4OadaTlNBQ5a+_M`9QhDl-bJQSMeXW;upy}C{e zn2=5uvE29~owc!DRKYmCO)(hKq#GP|I~Rn5kmK z%CvHu*e2*6+9qHc)ONN*yQFXYeqOL7NB;Nq$*rHXGwLpiMZHxSRBX~7k@iUPJb{IT zZ?xN#ZeFY5>X*#V>VW2Uz;bZ9qP z#ZO9n4>x({{}EQhz@v-}P4cH! z7JWTK7%zwXW{I`6WZ(r%zgDX7)DOp-{d>>+cdGFO>sV%)_>-c0Yn>xUVVbb6h|HQ} zheWqtl%ePHT-4!XW}#&{Z=sbY=+w+>WA()EzS(M9VE(7kZK7$*cq()IyOYZpFq`Lm^((=?as(IwRxT4BK@vo3kul-Z5js&qI zKTTyF=;*6HH-mJ5z5th8p)oRzY7}tpxiisTs(RsfcMB59@-wj-?9Sm{-YRk-4n5HN1+M4R zjTYX2r{&(@jveCP^6?VXcDoX70~A&!ayKc?`O;xnS);9K$9&a|zPZQifSCz6Py15H z#(_xpZOLiU2=2ViPP<)z=c^p~QkYm@r@X?*N8xKZkG~`_9nq_gt6lGI2@&0GRS{|= z{fvx)6-0M@f5-ES_73GTrWyVlrYvG0$590FhJi+D!Dq7Oix+Cd?e>k*G6^(H6dnnS z?w5BJW4Pj3oqOcw1HKiTjx<(j?m4x)W%}1owMa)*aq7?)FAQ#E8akAXY8>3+U@JZc zCWfuuIjJXiYiW~485PUMWFY^vC1Pr2G@;|oWf&U8Z(?=N#J z9BFUIXIGN$ye?zRqr?}_7uXCt({sbGE?TxnAHqcB>wn2U$PkTjPz3w6ojmjSVx;1L zIcq~M4eF*n8QS~etgRlw^1361(PP=uQvdV3SdA&@nX%N0rvedfgGO3mV*8Eat}TlpTCmz_HenmJ0d zO%U!_JmJcTR|Gn;z&fv^y2Vf5 zsnDmp(`2!CxWIO()r~W=5woz~@}XI1fQxO@J zaP)j>J~5)JrQ9Ywu*E*SjBjtD!Ua{H_t2VSBBssPe>GyZD>9hZLqwep06HcVdpmqS1Tm zO3%*AxT4zyq^PKyRg+5UE$!;7EDp`}L&9ts^y@qcnzv#YVNIX)npY<(E&KW%POd~K zErPb(?t9`bcGn|oj5z?*zK&7$3vEhN%~iRYe`=f3d>$~GO|R_dDm5rsN)4cHVQflT zQ5uzYT#d-X7&3Y 
z=B}R%jVhPyi#OD3YFJt=CmlFHP@nA`=u?%Mlj#KDVEIsEkUG9fo7FJ1r&VK5S25qI z6;QOkwhV7PvxtohZlX_?q}K7gdC$nOyu_WE$;I!35%xTjVu9X09dAKafzWbfZajZCQ;^*?M z*7lR+pc!&lL&d3Ptq`>_Stln|-+=1U1DfXZ>2t7DqxHh76IeM^u^v6omPGHPf@#%P zcw6giaI}-9ZdsVRXCMiwlQhe8y@t0{anHr+?zEeCx_;}ZNz*uo?rv!x`2bo~dgM*^ zi+s({T4ku)QDAiO``q{}&%X>BG;)vi8zH%z#*I7fO<|mPqse6zGhdlCRR01gO194n zxZb)uG`|ITuc{A`M7h_nG$ zNY##`0b6GCsYV0Y7poj{%;vfqY>2%#g6RA_E$T$HUgV1R3{4VlY{=bJT~Q`>$2N3dC=p_ODQo@ACg?A|*lf#4G-}UF}HA zd89+5{et*SmH**Kbi&=q&%@f%%WE(Bq9U?vG%yMJcV`8I+Y-us=4zDvv6wBjh=-KL zct{f2x(Pe$RoE3(-)Fh{S1yDV5B+t6J3zYOAa}TT{E23S;OXtrf>ebT&gLV_gX8Yz z%$>N~p6E`OBNBFJf_z7nu;guPVhQE_Q>{e3za6*{{fbPsy?oZ3?DI&*-VMj*d=ofa znT9_bHimI zU6X3XT*(x`<~a6CxWtUq{~F)m{L6=0Q?LS^`nWW=&PU#Iim_9 zfu}}9!M(n!WB0~j zRZqx_JL~dL??jWRrrz8=1+@nF`Lhd((r(gWVs|@u`WZtXnlIpNl0@C|?E2T0zvcZa z2NehX`tcL#A@Io<5zsi}IOhq}EhBa=19{9Z>mB+I({sq4XHf%lAw3{1*)#qufA0JS zEdWj@Y#hWZeL&w0RquYRx94_LdO z=R5H+a}C^J9L-aGjb^!ExhU6ItvMk;zAMaH9c3g6xoRtIy8mlLx&DxgflfAZBAMFz zccNd1YG$_Exn**OWSQ=Vb(s@U!}R?=!XBltp7%Rq!qk|?oV*p|{W~soI9mj5U#k(g zTtD=8D#G&+=wb?n;PbhjQLNO-;~dz=C#Js!_MOrQWV_0Aq(QGZ$6MX^)rpUpf>QVJ z=A(s5-h&3`Ic`uKw8`Q;YDwFI2W^pJ7U#j`>N1U;m4@wV8I%&Tf)114^ovC!ok`&) zoo1=~E5!w8NBU!wdpzcc@`DRi8b3?ps!b!YVRc&>HI}d8Ix==n-O_MN0vqGT0R9R! z83e9$o|ny1)N)piPosUH9bZ1by~eU&O0#`@aB{4&Qc08hRH4mNG7(TdyGg6w*uzXN zb&^9odK$&~IXICCuZ>S(NNd(ewdb6al*s$;goC%UAS(7|-3E`t1v}tF%y+ny^l6e~ zLaOmZa@XsV#B>4Hq&RUc{8JxiBkx%=hLacmPyFdI>=%{3=UQHmOrhK(nfw7i$NSB5 zykVAbGCZM|d4oxr6ZH8bSmA8qO8Dk6(CKeqL5pOao@vk5LT({2GLu$DWJ8rbKQVR1 zzb-r9#^63l2k~Ze7UD2B_+*Ql@n~xj1+$atj`PYLPGzSr9$x~X$*&&~1iuER)DJKk zohk~#4cHM4JD4grM~#&l>hGch@vO|2inN(RaQ6}HSpB>1E@j{B1wJe*j;jgYnS?z& z9(l5oWVn=w4NQ7Uugfm9xyo%2W*?en`w0&?AGF{q^91k)J{6Ofpeh$1u0FJ&>3WaG z7N6v$Z9H({u+-pGW+v<%-zRHn)RmLQr_b1vCkYM?V#UGsB-X(h6k2{mV?Lnd6ozks zQZ2XfbY&RozF@ew(bM~0D?tea5?3(eFXl;!#F#7ymQTTslnOQX{#4X!EVi8vpsE4C@vVW>Yu-7R!@cMG&q`Yugh%6op~>2Ws>w1sSR_3+? 
z6TD*D(qs)|HAf1vcW>rNbXyzBYCasW4N)r^J!pvTCSB~@lz)MKkPMjSKtQwkogE^( zyVZ8o%G8BEea%VW@vnUSaGDXa8Mkt$Jy3+*;s7b=iA%=T)w|dcP*|qA?$Fl;u=};2 zq0P>!UcF^RiFhRP@RT4vf?sc9-80jwntky=e$ya^<#01lzSL8@5GjoPZKXR|NwLL3 zLF+@SxEkbakkWz-N+xIapEOS=H=%9N6!lF$$=$x7#Gk+fee%rwf~+i-wf%F&Z9YSx zGset;JVryajEE1~7oaq4(|qqf6kyNXd!cD}`tfsLep7DIFRZ{PWcZAH)ct-hAJGa3 zWe^x3NpnT<*en(s?D8OLniso143KZG2na48pL}iMQlnM>Dwd)yoP%Xt<=O0={VSHJ z?cEb#zxxgO`CfFfnpjxB=8$|!S)?Njt`pO6*xDwJhjZ9Ot>}q+8d3FD_L#4SKz7!g}4se2(Jexi~T+h{nF=wEBV0tj2D7*4$$`J z6^_CgvwFf|*r&N%pGt@`l6oo{i)qPW(@?bj zqfLQi*2&Uczp@3U+F8=!*4pt^6RHZJNS01W_%J2biW&BM3T(Ggj+Z=?wLHBUX0E@d z4bgHhv1gV#J)3hz22REPKCp6|0h{ns6{cXQynBm@vCVgryF;>-6)I$eQ(HO~$bB$v zgIMVaF;Q=E4Zu(l_xp&A3pI@VkivM($&Dp>%^-r)h(@M_$~dMseJ(_G<%@V+BQhDU z(EkO5$->9@;gs`Z!>2IW#CsrJX;2SB5%Un1aXzEg7{l`%F)U4}-ag%(BNx~*+7j;~ z&IA!#QZiQS=LYp*M-0-$8!-;rzutfj+RJ?@;#a20d+oa-32pZ6?+jw~)s5fy z9q{~ZSl#cPs>&zq!K(uUp$*JSF*+t5R+P@1c`ovS`|QkBU)NHW)yKwDbHK=_hhFEq z+ZbA%iseA|(2E(DG-`_XJI4iI{QJ=&gG3P=%4!U_ z3v)`b?;r^~>9I%95U&CjVmDoKQ_7&6FNXnrhxQW0Q_TKLNxmb2DBW*rK;|afJ+K+{ zO#I{M7~Jq+q!q7ML&)++=5 z@c6C8@kh1c>sBs2RTFf|m|r-Go`?=obe}Qx>3Y(^b|(EqR*=GDW9Gv*r zDJS3}(8ag^ni;9wsH(Kof&*s3|KdN2eCmV3=zII8>K%UsDY@>3y7p)p%8S?h9YJB< z_e(e84T{#kxaOI$?Evy0R%c_PxQ=AQm_Tzrs!Gvm8xMPDyJvQhB zm67k*oZQGFGh@-f;lmk)Rzo{YR&aC&LICse$y7knX)2jQOrp4Ix2cG(5~#N&{nS|m zc(Q~COe9viUX5ktOT<(z?YjdFQR(25?C*vr(?XV+_pYk24zWM#@}FXx|aUQ z8#Im{xEhkBLlKpj)KGp-D`c5nBGY;%r z-WZp0Q>~IlJ0&EySXYdplSl8(l*2u97U6W(Ju6f@{ggvL+@lCi-)hYyv$Gy48Pi<0 zUzCeq^=meJ7mW(dI3_|kSa-wca78awpLQ@BHrvLREj0D{UKP4F=cspTgC)@3d)RI# zx!m$Ld&?A`GoBAL$t0}?OEc;5Uc%TdQ(0NFLt7o*G)v@fPi@qwCB~6Yg-wN4T#8L~ zs+B8U!@MgCh%Ec3+`NLf*};}m?AM;_wmYz@G|f^~eMF`xz>ex?t9C<2-E{f3w?GB6 z9r5O%Sv_IU>h~)UJRAdrE~n6T1!`Y8R8VQOtG+al_hCef4E=ydNFk> zApRf*Cz;&?!FW<{M~qM`n`>zGJ34e8kigrWh1fMo6DB2mX-Ilg0G^40arCSdozz(j zt{)mU`g*y0#5dXM4sPc}4zeTeM4(dnvdCUp{TRxi8Iv>nVxbkV&hnegN2p@J?8d588hmMcI?J1c;N->-h{Kx z+U`Erq-fVJGjGEr68I4r;F1@B6MXPiU-ro%CUtZ95Uwi??u>4i7VMyVLzXgIv(L=q 
zcU9x!K)@T;N=Dqh7SD$#I5QkmqDj&3m$Ipu)_j^Iz3$=EqvCSG+j9kU%hU&D?e|VI zgC*8ef>~{PKH09th2c3kqX4Zj)#=kA0IJsk4*;KfO&C&BF)Ut{jhV}*3=oW*ur=Dg zJecm$J3Bv`R{ApQuBk&*$KHQ^MbsACi7=+zFul{&B-i?w3EB;H?q?Z*(s=>3%Qa(C zPZvhT5Uxrj0ymzi=H&doU%C3J^9F?41lG|#X6R@91}MQ!j8W&iO;10`*2{>k6$LI` zXX_pcP8{4YQF-LW<7}d%Dw?+0m2OKiLOf&E1xFnSEJ1_dG@quBr|iT=XP6eYu%hfb zo0)fsJ0-e089qzxHh1$a0z~<4{90zE9v~yvnxXaP;#ryApnF)h^q7Jh!~x~^4KQ(u~?~* zegzmOJ?4D{o^`l%?=Su3ttz!WeLe!j~X9f1<@{KTXH; z3`*lA!+@<0Fq8&^CHb>VOiJb>v(xhT%tyjsQ{1KTNzhqpg&17 z-IN0M`b+Vw=%~UY=v5`-U@;Q~{08rbDib0N61RnnL#=Rlh~|$xN|SDt!EBhO&r|UA zATk^=4d1(;$$A~n3mk-IiW?eI;KPU}T>CQbPSQdOnG_~~$FXSYN zFMvhJ!m)l2V&r=mW)ViU341xN+o>CIi zQ=pqmt4v0Czlzhv_(* zYgHz0%GVMOH|sh?_7eCabaujvYgHs>9C~C2gVgKFqlkRizn^A-S+;oHnh{ad=O0to za|O-{^B|7cUb_j&LCEW#i4a^TtDo-&_(G6B5rSjy0X43@S$7uSIzEVNjm7r{K;kkm zC6tIVB3!~XufhFt1M(_b^SsG_r2OG_7p1dpX)b;_4+Tag2Rt2kFl2he-R5lkhK0mf zBAxs;H9udl+&nwHfZXFHRUY*l9~RIeOU`Cah28dOm~V^6%qd{S)i=h7s7_4ZLF+&V z;`eDF;vDnl$sd6)Q>qo6s8>QSwI)Pf%EDHy?9f2J~o8TD7VYv1&n8pDye zn$LH{;QiMU1+uqe^SC$S_9jvgv8>`@lSC$+4sHz&I<3JLP^ke2j0SYdj{h^s3$Sy`FxBI*6r^`l&k4X2N}>W#X6WPM2OEj#=fMrHUNGn^a;> z>i*rK^OMa_5eEy^4TfI(GR=Nd@2_XYa4bsozum71;pQ8Z?pBmY@Jy^WdA~%i@kd6X* zpD28|RR3kEg<SRJUqepq06^60Ft4YF=k$3-42KnhA0|VH@%bWA^ECTMKJnjw@g^8xyvGh zBd5dsWaL|_OXg7GbS^T@h~=3{E7xgn+$%o zSBSSgE92O5;p{=hgu{OFK~KTUvqm@&xG<;J+cV~I?2Xz%Ea}u;Gvm)FDo^Cad%|9; zG_OHtq!VHk)oX{G(}&OmS?R7$h@4J>tYD|l#eeXdD-k3TDbOd-s7Xj8ORhA*T~FRX z`oo=2P?0h9JA1#rI3ha ze({1D4T^eNf~f*uAhz4Wxe-BNJ)`}JXRCp=qWwo#`P}b!o~d-JmVuV7+bC(!&%2V3 z)F`@eyf*4;Kd99ZY_$#xlGNLDJFye$tu}KM@K97^2kU%OA+Q<=nWh|C_?UzxW>=~! 
zpw}*3s=TR_FHf{txzNA^3>BGYKwZ<|IpF9;g!IW?Tg_mWS!Yg(jP82jX>r0Jk38^N zpL|Xm$6<+b&Q+<@^`gIs{l-bAX4jPNPNvNgWIshkjJ7c6F4s|(_%Nmp+FtA3t1Wcp zaCHY<1>A6;u6}WeawR)-_z(!~R_a1c!Gj{MXIfQ-xUUYOiXvU4vU8W?yr1MSREBzH z?wWEdKK78+)#)Ag?h=(+mMN%-Iu|hSJU7R2ps=&zK%A@C0fRNZDcmk|`AmHlYr&sjNS1PaYG#mq;{Le$3Vf!fI#eo^F)TEWPP zp|SHvOp-^ES4fdM>)op{-Wj`!D;nxBili@3&%K8}og0j!ep!4VTh)~tWlA2KL0edElc_bRuSrZ_Z@kck(s3Es~N8qoo`V*;L z4Q&d(xzyhVRLE~xXCp#t*>-%a)(m%)-H#?$RYC@C4N-uMnA`2acrtU-q>R#szoQ&HYY25bC*!XB z7V+yz)S!0WaA0sK=j&=~SP6O+Coz^4lE~y;T*e@oPp&lRtUnXwBkRSuc#WbHJ&c^W zj8F20u#-NNo3QpdKe6m7z3Br1@cFFYJ)EJTFaJ(58QtgYA;0myzx%E%sxUNHn7I#A z`=WpsY4FzO{u_cdT%pkO7qzk2s@$i5Q)oCf!rb(d7=d+$m!S9?H1U3ln2aDv#<4A{ z$MM{H6A91$^=mr8q<0~@F1R}1<9Qp96K_{on1$mVp%|&VR#%(nQ`kw1ejWzn@{uw5Vzs81e3i37q#mheT$1K}afL@X$ApiLL zf$4cOLgGPU7I(VA=h0A#QSy;2AJ&vdPlem^|qbq$2JN z>8H4k?HoyN8qgC-*^42+yjelY04U%YgJ}t}^bDuHA1|!$$>oknJ^g-L)gB6pt|zHj z1nIZUa8zR35Cw_Hr@hvIZ&hlcf8*`jNCaL?Ih@__iWvmZGt%t)y?HWU*MVXBiP;^6 z92g+V=rD_K>{Pt?QFpUefKe~3;qL5cTK6e+Utiet;uOv=O!);;k@rXt0l7yW@;-d- zl~##R3@9qJ3Z66Kzx6O04_Flb6`2qJc@`LaMm*4d-FyQgR{jy>B5jQF$za91?@y@9DmWJx~n29^^3WBP{I0AQKyt z)S?_OMdG``U*Ax(g-`H^Sa5S%(~oYL;9K@e{9M?1FG&(?FJ+D#cybZ)VxMcN#a)nK zaau`n5Xca-sTHFbF^2ni{uhEwUGIhUOnKsOWmK@Ln%2A{SMs5IYVa&Z8Ag3SFc@d{ zda%i^z1L+hna%GPapBssZ6BdO=P+A*4_^>SynXGP;?rgyJ#|tR9@C~g_XI8tz>3d} z4^@=pe)KfWucT+4CLP-ukl4^%qDjOPhsC+|&|`b~G|!()?a|OwJFlCdy~ZH=@5uti zl|5)8Ie5|^4t{ehl{CJu8U8K^2zHaa6O5xX;pvjtnJ_x)@?qRs=N-tIJP2s3O~Urh zlY@hA+z6~3Tp~O@IWLn`1jSLHd25$nzvj(3b^Y_kYTq`)d9Rv2xMfPXwe=q?dy2BD z_Ul{vE7sApgm{O>bj`qS)sR(JzLIrw>t!5tnRYaf1_~yX(c}%LDjHh@5 z=4JZra>V6>@o}QjZf7a z^ax7O?S!@=22Te zZ@ziFB5B|TrcW>$`DSxOPF%NfaB|9uw`cZW{81Fu5)Rc3rD0}|SGJei;P9U_f@A1LNGQ925{_{_BBvAB&d)}@73Lx&pWj)_sqVZL*u*M<*xXi?ti&JsvhOH0wJB&pZClOv_MgN>tXxs>i9~Z z!<_z=0idCET4M-njC#nu1_1#iKzWVD!;>2pi$Uq-cds9F1k?=y793jH8C9Ez&(`SR z^)1{1bg{D!mi}`HsPzH-qW=3E6jqjtdV1l)&x}$u^geluyW3MJxie~-CZ>FDV)*;% zx#y!wsl3XYS;hEQdFvk^OYfv?ru2#_+wmL9SzWd=i$``@#V}r=n?qhR5~p=2tt-4y 
zNT$(bU0jDLnq_!;0Y&BaN>%UvJdVcS;qZyS2_+h^5AEpo1l6$vaZ7xKP55^+wz0k; zH)TW4NP5OOAnFK_{-Bo!v{4_M@UT!P`0xBvN}=hzI#K?Iex&~0u8z-?(nfz~dyA9B z8gne-3>|A}836y$0(kFeuoP*f{xgr8G?vkT0%=2{^IZS4O+W&ZfoB>g#Bpc;P4pNe z{Thlr-AL}}mZRM$RH#vd8U-j13bFeiI>6sh#eW#}|3)tU?`sU@6O%&X*;YM@HAq@e z&-A4MC!qYO@v6IG4i=*$V`#W$69Ip3NiR=8rlg*RthVFi?~mrcI>@Mlc&*@Zj9TZm zZaWf;);{O_&tLu*MDlFISCTI&QOeQX$aW|U`I=JIyVk13PO&Ekj{ zr@t-Z|J}bwGQ^5>7t2&w)6p{h?j#`@&R9Wbt<%7eRGd>d-JeSrymsWpUGLiZ&T~F5 z6ewAMv*P$$waAL&3lw)Q+qUf)@@(<7)f$K@DeBnX71E@VxwYw+E<{Nx{%_FEe|7Vp z);y?Tq`l%0eac&*!snYFl)5}x5&UC`+^E3`F58yRqYwM6;K<)>2p2c}DPhJkNWs9Y zV}k$c_R=fWJv3snI(EQ%b?p|8t)sAoI4Z36tbhpLul{>9SG{RJ1zK0LQ%hZC*h|&? z&H4!X%S5Mtj-Hu_g7d!`_V5C2kb20h#TF`MQgOvUbC`X;^Zarw`RoXJTi3C2a{1D-SH4!rZ+-CnW!UY`u%k2C|7BGB&(Qk9h+}D` z!-fi!QiY+GLh8?8k8R1~#t^0}ek{f|-{}53iZa`eC|KwFKi={WLuH5H_er{=iAo55 z^Y((z8-+{<7!F6LJu)eyt#$%Gd4qQwj;&(yJFmBueCzZyC^(vWpq)!sJnE_m8pN2v zxQO|0i+=Hh$~9F8F*rUO4DEI7NK|J~z{t0Hk?TZ`f7OB2bf4HLJzsCb5JK&hmB6mY zdscab^ZDaH;pX2Xb)5V5YpepX6p5=t2W0dS%Z0#ecbp)LW-=1YKsqTX{ItJ*H2(RB zs;2Hq44!ArhDunZ1L?@{ffRg5(-BiTvfl2MBMwx?9J%)9-^TbHYk%CK!TYee(1-Ve zF9qnAZTN86DUV$5vkU?Jbtfr8V}phLXtvmrUkByXe6y?E_OzSNqr5Fq$tH3ufOboG ze`F4|HaorB_m}@^-6(#nV|8P{X7=l>(7i?W;fju!Z`atW4^#kD9PC6y!&mv_iIGEm1W7#7VR$`E{QU10iiE0By8Kk-=mgl^j4r|$XoK7%){ zm*D&!=P7M+-==5(GqDd!7_Jz7^Y-ET*=todFa8cLS0MbV`wtJ!+Uat9Nz_cGT@3#j zagNR3u8!&Yb|M8S(~UUNN_UX#>=_xid9LH+Kr%shByO8Qz_Z>x;HB=6kq$QTZbWWnOpx8-MYRpz4?4SAxF-J3m%06CY5C z)BnF?D<(#qNA1A5{o+7RgowiLrqPjtwxoX8LVNz^8x@5g6LX1G^j1g^74adAUeA+} zrU4{%r95;3I(ZN&_Po$^|kwFmyWH^u8 z9!}-G0Ww@2;Nlg&vR8QcDJ@`uq|ngt>i-*1Go}8*8M9zh$$B^N`35-Im~uaoRpZp! 
zSh{n--X63t4SPHty<-C*QS1PNroO_;Ie@+eTETOT40?YbNo;7-Tm8&NWGIwC<)|zIGbn;UPUC+-XL+t;3z16~9MmpH5g5V0ru#JL2E2QWXq| zR4mepSGeBDVO)i#=!-bBKo7_7d(9BNfS;HLfASBV<;y#&Z}ne4HLi+?elt z;9!=Be}`-OAN}mKz^K_7Q6$;kL&goIBxLZTYJ72LJ>vxpyiVl9=oUR>dZw>hJWU2a zekEx6J(Zcq4Wt4p;yBBRe>C6W{U#q|U?|vuJOdad2pWrK(*6TGT4j>$($O>(Y4jR- zqt^)uynW@viQS!P*hT%rKhbdqW_fax>NtqH#-WhyhL2j4aOu%HcJitB`vQzXe-b$} z4uRn4C#)vK4*)kJt|O~Vzu1aP29Z_E&8X9BnkI)y!K+77`w(oiG>tte#BZs?w>5!7 zLthZF`KZ~WV0qu2U*ogMT1aue69D`#UuSzclc$BSh$hsfhrqLD2RwwgXWpDCL zBz5r07#meGh`RB3IBA@OIZ%>DsDG>ib+diEodR6^cRe`Eo6CH~0i{PC(eS(%Q z*qW?}gw>&Vv3`EdRFRs55wQ2##y8{fkb`M)$op5mU!pRlnDD*hOFvm<;6dJtHuwGS z>~b9C=5aUh)9a3=U)X?r`NRa#`jWx)hc?Ltv(UO%?$Ht#PWKCr&61BQJ&YbJw^{7B zyW}kSNm=6zDmvh3wvsHuN5`t-L+kVW(ms zUK2*iiDPm7CgS*+nK{-oHij_ecYlV+LcbZT9qXhYp!Uv#GIHYaX7BeB=>$0z8e__z zmn1Gp_@Qd@&}%(mVDF@4;{ItA{pIH6>BqRSb-6}~b5z>hk_W6oiOnifUbsyTXE6zH z=h(_6&3CSNR#M$)Z>i|n%k4~m5}U~AvDxnLn2k}uzl1zj-R+~do-y;NIXg?sY`xfM zbYBv^zU)!?y+;Q~c+^_>7<6K3dE0O>$QSwD@{0UF)7C3#nwX!n3uoe~`|LGWeLGE! z$DV2V{)N}RZ&2=zI@Z2cZ5-_6lt^OPpD#!nj~}a-zbD22jN}fT#3%NUIl}q6a&?WZ zlbLx9-|@XCmi;kti)1%^)x-C_Tj}4Eh_b+nAiGTwzgZ`D*3E3+;7U&CdQ_|;Xn4_C zOdRV0JT6+i9FH$~q}tTmO}j4qn%iBhlJwPU@M*46YV)~1fi*bT%}FH&6|^nX+0-hg zh$@xi&F+arFyw2M6029(>lIf01eh0OG&gDe6tbgT8A;jm%wpaf??_L0RM#4zGhQ8B zQI55QCMg7A6a63d-a0DE^?estL{Sk?k#6ah?hvG zp&8(eZnvMk-DiJ(zq8i)=dATzi^Y2Xn&*9=xZ}F6=e{$Y_SDLBmIU$?KN9X(Nu z>QR+w)Jmb*lGt4M^4U@tk+qW8Y;st=9EKW!>;0LqfD%|qdC%CBO{BL>z$u@x$f-z8 zu0#v(^dNH0oULcVa(3ityLHa{D9N6Z^mUZMPll+K;F2Pg`?l}UBXwAFQ+&M& zit+1>^G1m(A7mFQt~(0x&QUg2!Ia}jsjX5dkwn?Z3ux~qk}Q*iDePCSQ20_vlr7% zl8BcMBk$u_%&Q_yPef8gt8a6{tlh)N%><(EiH-*6Jp+x9AK zZi;Dn{#>N{J~)XOfWod^hYT%(?zi%pH#Iwpt8QjXrfgL$@ZCUruJ;+>10 zdk==XBBnEO@!g!*SM%Tr71zf2K8uPNs1t?NMHO;$IH2^b*?o%PgQlCT_AH#wXak*%P3v^K`XnjhRSuh(h8utqMf(LErKB&(6j9k38f-6S{yd3 z@ExlLmIoy`axP(qo$C8Gvwi1$mwH>}cL$j}siUiF%3Ai^1RhY++Hc!jna(k+j3@ms zMw&EnE}?<+nsXlrf}%5|c$Kg4PZ7544-X86K*n3su_-m|ZR7J7p0Bt9uPx>jU}8nVP7lt3;oZ4fL0W0um#W^Ja}`O@ 
z+cNjLpk@h~E&?WTQl!(5We{NfLCl6P%ozbWW$4%sEEErw)VKv?Kzbus9E^oFo}Ja*D-3~2#f=& z*&Q$QYB(PNFrG%lWNIJa%av9I`{cJnfLj;)VuFvmV?Oko=IN`s9Ona~GP?oQz z-UlR=m4B#i)Bw!e>@<#KX-cRbj;k|X?@VUt2R=Gp4%IEAHLTo@CBOC0e(()mOJ#nU zf?UP2n|RTS@w7mBwTuZEg|DcNn1 zPR6?e;(A`(tG)QNDCSzpDs<%D8$4M@Uo&dt{Rcnrm&g=q_I$`u?2~?W;;W_pR86XS zzlofXobve{KdjmWj2$bxsE@MyhE{(};>~a%9oFlcNGgKs@uk-~fhv*jTJO^d zpGh;OmXKkTha>J}xrlPkiDu^PlI>d0?pD>DwLIe3)#>*3@V$JRTbEDFa+h@u`G{e(n(q4yasL_11)i-TiwHw*cJq#ZWHp|!klM`=Z> z^95t;YN5tit)x}yn0ZP&UxsPQelvy0xPaMq>uh#Ih+~X)d}r`kM0rM&TogF$!8y-i zY56Yq?csyfbjaX%22u}~A$gBXMsJ)m;j@2W7jVzJ7(Ig*}%+b8@7YFfh zY97cfHy`2q3Qo38lf#LQGP#?E-!zX!iS>b`L@luv(irpAV zr(byUKP4}1z0$WZR04CvP^|ejLz1~K=bq;&X5=TjtqD{Y8${xj6}fTaSz9TJM?bJVtAoex4_D$czq;x zjd=EwQjD_lvCwdpR8(dZmE!Zra`u5JsLlzd;>QJ|J-3Q5|CE6UrU5L9o2&f-f>Bj^ zF1B^U!*^s65>8gV=hXBD!bG^>oeCz;j8nPcwevApHC(=Zk1 z!GItdWrXc58Nnf?R$(p`drS}BId^8jBJI^U1bd`GjM#WfoRdsCn}RvhDM?1i@oA&| zw~{T^9oOWV*Fr5^oEwoJawT>!Mv|^t8FfyeLN)ZL@9dgC z?&7m%!k4bI;9gmZj%J=dW{S_Oz|yt#$$6sp%&s>6`5PeD3PuPM5e$iv=3FtKBw0X@ z4(?oTWBK{J9>VZ0Fgf?mNS=2j;1iHUHw%9a3LASi?npITco9#+9;EauVa4p;YU zA4P{V^7|A|V1c1B6?4fxuaTfilz7x?1U*>~ON@3l!D};#(DF~K#9XtdJF_2h%TNQm zUsHAvbIot$vDVnEU zv`yL9jzkAXr64O#Hs_8CmB;*2L~GKgrSV8OPVM zPzJk2GA`bH8!Zb-9(LW~D-KJK2TwOQw?}>b2G^{o*ps`=EGHmW#p76TcO|KwX$Z-- zOH&g>SKbYK01deg%%mkmw!;kf^;+Odn*`Co4S9i)foj|L7%=s#3VmMBZtIhqxTe|=I{bonAr zwcOXk-MH{%uB6gRcX7X6AWkiN6`#>@=Dq9HG{ziObVPQa4fll|`v4`r^Cm{Gyy;AZ z6)9fAcr=DK-hS2iq+FB43H2dH-b12*`svXauC+yf?~pK3GfLMLV)}yP@-hv#VOKek zW|!pEnF=$?B<|#{9<02LyW8C_?%-$BVN`6#sj>4p#>%zJ2O$RESkB7n*QPR%?X@Gd zi>3%6W2U2q>xBmf6AeBi`KE$MfjvF~v0FXYW{v?uR?SU~nTEaSjHSxPu27%JIrNjN zE3{Kr2u7FNP5w1jPSR>*eG`;IIn1!90_%8;iM}h3oFFCKIs3Y`zFxMLZRav+xQ)9f zq3EuRX@(I6Nd&PksnJe(F8^Ik6piZ0c>TC#q*!!wyzC64l9-HJJf!U?My_DwPgdeD zMu7_6;kL*;OXJkWHVJ3zac{*d|9fRHWVjQo{Dti6)BhbZO!)s38UEN3^7)=Pd2-6y zNgKWL?I~mJW*=(O^1)Yf?a0YRS8eQx5@PyA`y^aIyDk=o)yUq#c!6SA2=C>4Er9-K z2h&BlTbJR3BuC=U*JleNT7WGh)kdQvjpK9m)e&mzXlD^XxRQ=ip^Vho&KOORgP`hk 
zofuE$vvJzF1;qCeAt(r%g-QX9b&ioQ2!g_734meoEcsh8Yt@;2qGRcRY?$51GmfB}MB$Z<4!Je4}xo_2J;tBmx0oyDEROKwaea*l*NeV$R3zkP@T2U2L((SDL=pMu}>+oWecx*)^FO=klmnuHFnIR?TbNnvUC9bQ+p$ zG7m1H?XAf`RsOQvr+?6x(8R~7D%9%PK@C?kI9F)LJci#s-Y5=7dupwrM0F^m7im=X zs9L2T7Rc3>l_P&{USr#>WLrC2)Og+IJ5Pjwgq_;cfF`FEW$oV0g-tN+^g`_O>4x~t zA<%M`F6${DZV#17_k$g77p4iuTXKNm?CQ##=!Gr|$5mU1LG#T(WKMFOloa=^3K+v@ z3RaJNF8W+NpPLji;{}uKfikZmJ7W&f0;Yw5 za6@j(4T_7LBO~^tNYRb%kzd?Idkdz#Fpiv@sAJ`B*}uc?9J%0f4^I${ItW&+A$UN! zKNgrZ6T^q3UTPAjP#`CZ-*E2a{OX>&6PSptrr~BlRJBCqW_`$e9NS4ysnE&KITh*m zh;SDfuCLzlwqL1A4~&8joh#LC!!J-QP?{DBM7JD%(|VZ-#|J$NT+~k!!&LSdvK7h` zVpp!G-^@1vqPxj|nT~R3Dz_=_o7r2)`I>?}s2$ZI7JeZ1rEJ*QBbF8o>H&+L9uO=Zc990forYjzMH@r%HuzW&BK%ZnbnZK1T8{Y#om68>|=h~X__Qq{%HIvC) z98T8Y7=pJYv#vN?&IZ7Up-d;X1ii~DOku?t%!C$MWDfdb*gBqMCDgJL91Cg+x(zxTx)gKy&zp>%pVMVpT4g=PkgsnZj;Vtza6w#Ny4r$KF zI49EieNH|CK1*R2jU}77(efL_?dt&(rm3K+TKn< zobr-p;UfN-Q_7y116jd5c zJz6P?C0pd7w4sWVBNqwdNf++(_OImrWa{i&jNg?F54$=EDVb2=JEM7tQ4g~J!b=^M z`8U*wGVs>7`+WQ}?R0(7mHnpdunFKMcChdvXK>)%Wo*A{yv0#H4l>`$bdfoR>pJL~ zu?klmCR_2j^~>y!Ufe&X`O=ii-phw0S!E-!q3!H9A$_iY9hN~@ut>nw+(Q2k)3@mR zkx63+;1UCpmdBa~+tRS?J%k|pVJ!)M zCddIxAgh&@4rkHDErm`ThdxRA1@te#z~46LpTy>!Cj8UUMl42K&QZu^9ft|++(<{s z5RN2wk+eCp2j*=J?$N~wK!Y@vR=4VqIfDitwxH~)RdCM-21ll&PMQ`+W}{r}xg2NX zrOlUq5%CQ0m^2ZOMle-tzFVFqa=6>f^$%r_yZ@p~`Qrun$l;o#Xqz-D*uS$$B2tUi zcHhMj%ZT+x5`tP-wy@-d0f-nCMj>RtEN0sYF0LKIsM%LEBr)KbeoYC=r@dGfvxe>_#y(n@yNAA1Yy&Oo88VV@C6rTVEF zU<;$hVEKtV3cSmQCJyVs3iHvPQ>Lo~Re%SI6Oq{8-?gKgB4>k5lJp6!SBm@t%otxQ}M1?)Kd;=YRQp3J+e! 
zgdJ9f2Z}(6+mvJ~XVz7KBYo_!`7EUprTgJMs!PPpOwvPXC1Us?M*Qc|lJ22Do(MO; z$5@pXN?rhtZvDO;OaB9sEMzT+sz+A$8fu5_0eUoJ(|UjJawOFfsE*jaO7$r4S}*v<7wcS1S&g6e+Q@v)r$xNsO{Si3xTwlCCB?$Gp+Z3ooG7I5Ieb~_q z6dh-xs$@~G04lHyt)I$0bz4g$HXfL^ooLaXT@*HG%Vi2W=w5oXXviC@{@JFLn}W87 z1W3l4bSGY@h+Svh86|1nCz0D~w6xxA-8Zy#f6UqF#udN#JTwxU=wvc!#W!BD>^G0p z&gD5o3U1vXTVjj95pLU$ktW@_PW69HCaw8G`0Qpix`zLrM9(z&fiY&9HWw;fz{oq*)0Ti)%SPKL1k^KyIRY~NdNj>t<5~W zMxl-mBHo?>u(H>rHsJ zI3is3k%mR7HsiD)!c(JU{RZQ3_}|^S=9*URZG~x@uWj>3O)8d8Pct!hDbr2abBg=- zmH4$@+&JRZqTNw#*W!2IA4^6m!xXK@`fK;RkrGXd#9xnGy?Cl^yF1prALPQvwjE;f zdoof>Z0q$@#P74#9&e|!c@J)AyhCbtNBJ~zWxoQZ7u`ayx~fN-zjisD>+}|BloRhy z*0<%^fs?$pN}M?CE%thwUb4WvZkrxv61{~%UD4q*-75DSd$xNAw*~i4UqIikos5?s z1(hG!8*aF3MKX>AT}5wp@b6lVpU{gJ>z^enZwEA(pNI|I1MggpYs=@lT@N-2D^-C? zquWHKb3MY&n0MXQNUQ4lsF=6M=dLhN+ar4S7KeUe0#77N6WrCMP`{eapfq-8=wae+ zJGcD6$q%oL_DplPwGdV55VY@N``P`)evoNW+&e{3d%fyuQPlI{_Maf&*XD$6)=|8H zx5E6eLU~*12!zSJIYNK(acmo8wQNN7WxQ)9vZ*vhO<<}}cVy-_PO`~OLgvMPq*a4( zO4xQ>ebBDpfagpCSnG1H8f0@?gdFs1-7YAU?~!=Jg(TBCjuTYVoP~~@ym}n2@bXg& zA^YC#G*-*@1BY{Ff>RYonwdCGp2nmcpFlQ2XHH5T=CD)~>ng}zk+t2|rnr?cq;RXh z&3Z)KO2BIBBR~H71-)hl^y60dXOmrfo1$q!Jg}SGLH5YYhsE2&-d}AyBwZJ?!K5Sl z9<{d9@(2&0}P()fY+pcK($vad~4U zGWRn*?Xg}yCUlj?WE28|Q&jF78CsKMI40=Wg1oS4VJ&=nJ;D2yP-C2=nlSZ$CAk;U zAdhM{RvNg*^hoctWF55SvdqIoL8FvoGNP<)mme&rc#edmF{y0%pVOXZ+z;5v?UQH~ zLv4Sg%>rjz(Qw2YNn+kDqwR|%w+TL1m#7{FTt*Q(vM3Qd0 z5aVqVT6~6OV!j~ozACM@@Cx5o{&T6CGeK#qB*GLDqUca_t{ZL?nI8aZ;gMyJvkNsOFIeNBO{_TbOJ81wXajd&jk zxR0?FTdvCeY~XQ8*m$WPMOoEyj82+q^XugE+Z{DkB`;~j$d|Ynw z+D4twsol*WBi%?(>}jOX2|%Z!14>JuwP3MNnBV(frbA^YLN6=}yxIXn-KXm=oh5jO zc_^>&;*nJxz3wW|`$=^7uL{R*wH@$wFLbr&vCg^geInPP`R-zVBzzZ}!nWy9S?Kuy zk!x}vaW;-6ok`Oq!N(X2dBCgmIYZ+`ZNfwqJ6pU44earSZv00o%u?1M%l86VuF`I& zL6Rg!>Gmcker@wY&5&e#%>-P zE%@OmYUbAF(%&nMa55{RZ}&cPAE&4aI%J*pcJup)LE+uE1y~z%Mw?7<({5?lAb>b%q=k}rqN+#uuURM)Jc1K zkX1Cc*Dhb<-Z&5|fZB1V9p#^9hN(O_2CZNlFBngSX*%_KA^SEbPx<<<$3I{iL>3-K z{=u!0T47?B;xTNAl+4EVanbLtc{5L!pcrW$lWO{Ttb@q{&*wKU)e$357OMHxY>gxrb1{Sg7?qOiHQ2sdMX>7sZEeu6 
z($my;Nwtwl9{TrY?w=$&fOR?i$zY2k!T+vF`>5rTVHUF#(FQy#koX#U2$A8oK4K+( zx+N~Um1iR%n|fZRa@V4Ae<&0jQY1Z{)ExCGq6Ivhi$RV6DzRcg8KsqaCC$N4S1X|(W%hhjuGv;gwn4_@l=TZm>kG0QMlZKw zi47q7%EC`1v)F8gRxyov;#=XX>0b2lF9!;%w|7&V5jfs)p&V^rSf9>0+St7XSG8te zl(gL(sO^sbjaN(;q6E9;DJJn!nPW}I{lbUJiZCx84~uQ9w4>SupI)gbT7=k{hBby~ z8jTqJc`BVVX7}5gJ{b`w@MP+AopPplH>yOP!^~%fG<36Jn6k1&;xk0}U%6yN4LT?A zA7XK|3T7VGeY#(@edRoD%+}NWIRXG@M7>nF8+ z6$%@S#}mK(R7+eq)Z1vR3GWv&SodX=!ZKNVwA|2>z+Je`bi>VIC-M}QYLnrZ_iaF`{>QNLjGlzg|gM9PEAMY~> z`HAEklgsmVhS3AMr`6hNERMf)Q};8-4ldFi@Uy>~*j=yOX)nWGhynMNOa8cm>TSo8*1Dc77DL;0-mzX-0$_ z3@3o>|HU(<-5P=H?B|rD-7yHh4B5@i`3k44s=nA7O3O={Tv!~(o-5Z*)Fw-JP+Cuv zdowmspsFuiW6c~Xc1hr>^T66A{_sg0@RWJ6GmC$l7_`V$9cYTAt>aZFzu}D`Rk?`q1oncod2lGb?zS1a6|rV{QL}iHQ|o3X*P|({*aBxH4ZpsAcV}xc#Ai8h+wY!=6>o

z{~;+G9Vc4Rrc$L>!3mra{{;nQXoZIH%U`nDrkVc);n;S#UlsOlrrjSY|0V}vcQ$M` zH>~0mOMM}1A-QM|{rs9j?yFLh%W>YkC#is#*sE>F)i9=&-cr2<+^tpuYq*rRmbfi` zE^}y|LjBRV+HXzYQI7sz?NZvKC_8Nrstdf1|Il_XDI0lbFb@b6F4ioKW(0VA4r;xE z)yR5e7aC*-)ycO~kBdJ2``|cL$hfXJd2El}(Kz$LMe(Qy*!KXVoc+Z?a{1PP%V zG}9ZN#P6JgmFn#9)Z03C;Y4cBplM2{Z0}3~PS+Ip=QZ8YDx{vWE51p--nlxQ26)TV zV>qH*(g)ZBBRI4Sp2?{RG#fgK^c!I{yiIi-XN zns*5KYkM#1mLyTj5?0+-Z17KCo24eDC+CjzO=1ek%1Ta#k%x8C#)IDj)T4@VO@e8D zoo}toL3n59TsoQ5^#)# za^ZUUXOqqJ>KJ>_aqzBJ#Q8SmtPTi`{FWwecikb~Bi`zbq_%;u^6dMY^H-IQH-HmF zz3)yLFRkZtB&Ft%>)#qk51>kyG+CEmFo0W6WQ@xO<{ZZKQdTJ1QrRpB9)x_LZ+1kh z^EjeM2XOx>p$SPSHOHG13iMnx6Pk_C$1f9zK%tma=lovj*xAtW0d*!wi?G^E)})6m zUDVGn$b3i2TDP*ycVJ0l{X_e_T?_5yzQCVK6Zjk6gC9dld|w7WU}~Y$GcytJE0}eHedcXu zhXpmx1QYa0S=2bMxY-fB9h#8duqs54D!t6SeNcr&#bYD3_$h&y)T_BrcN+WwIJ6)9 z#JdcAtetykkdW>mk$bzvW|Os5C{^O^#{UCZi#YIh5Zn^!&NR{|1@&gs*v#rIX1CsJ z95TmvYj_+l{dH*h#L3=h@@hL9W1W$}E?m?2L0-$lXyFGSZ^2uHK06cAEc!S?SW_iIpTas>r>AE1xQiE zsM?gQoUBy7=G6n%S*PY-fL5|+S7N@@e=uEu!AtDOe1gzrsHamDXy4i~EFao8HP+&`20 zhB&+y!W1wU4}N4_x8Xa5nHYRg0EU{J9yTU$(z17j4co*ox#+rmzw2@Cz-+p4$j9YY zNEkmoxYN#34I?poEik{sI+&)PTqD90wJWQHEn>3KCH9{In~&Veb>Is|48+u0E{`7B znX5r-*x8^WyQg}F8jXzAbP=0^eOU(EcOi&<2P^`yi%#X*umC;B;r6DoeT+yypP<^t zD1*n_kXfOed)8UlJim9+I*Jd->s$!K8jI$reaHu zIi}e0ZEOJdNV5mgAqeCKY^!PUeEL2IYgk0Htoe@Y_AJ?s`qO6O7ZjY4fxC-pj?I74 zxSzs4Rvkb6&BWl7ai?V;P+S6wIBTH12z2fyYdfxi7?qB-`C(J)9W}(FvHsaIzsS?%sE*i$_cpNwU+?llzujA9J(|`bV3k9 z(;6rm^e+jm(4`>C9AWJka{YcS%!>K9JN|fI<=%dUBZSX(OsEO^rz>;>o8$BjW#|e0 zm~~@X9@eUhAl*&^wU0E%9(HGW5PNGty;B6Lr9680XWZ6 z5kXgllgl-Qhz#br#smQV4~nke4;HZ;sL!6hqPG(~-;*QF8&%KW$cgNPvIWxVHyxHr zN#}v0q>gKx!_)D=MMZ+ZxFD^{tAqTsVL;DYr82_d=bS{eq2WY9xs$o#^60$Ap$()L zHtsRAkK5(UtwuK|Sk(KbZ`<+0XhEN_MgdmrbebnI7hya^9D5PTwENGd`hS_g( z>1)_>LqBe_oR*bPsvXXSx;+8o3;H8qv`_(krM=tuH+RoK+TND^4hXV@oDN&P5w4T za@{Blbr&oB6VP<}bLY*eeX44P^6GeTfZtS`QviC3F@12lee@(Wi(f9%jz!>_GINgQTUIBQ$wD|eZqI|*zJf5r}lZ4 z-QwmQV$GAvliu5)kf4^`0bXeP5PpdW6 zCtMtIAEj?DH>x@QLCjOx%~M?JJfC*+9cMvhJ?OJd7T%J{Rh5G$AxZf+r)GS-G39Mr 
zWEKTL+@V#k_H>cY{;pq1{rA?N-IUpH5VJEhPB83Xje}fGJvJBnvi+PJimhS01A*Rj zPOWVWwojrCb-cPB4nsYmP(dOq02`lO{Ni(TxcX^M4UYYUNxE_Ja=`iQFH@Z__Ga|E z3F+;z4TI(ilD<%aA0CwsJ)IW1KrUciV`^@GO~*=+DFZ0XZ!Rbd4{X3t0HCjQ{oJL~ zK5h;$B)d9*k8!caGM^QErP1%DjaaQV8&bBA>y`d9e4YXsW)7bZc7v8%hrHcqPT4lz z_~R;n=F5TL@WEfccCN>|Z9EJxXFQiqz?i-rOY{0=f)}`QYpuC==X2UJ8~&E5&_Y0M zieRR5=rAZb+33{ZkHj`ye#=ah|6O(XcG(QOoq&O#x7JFZ#6S&s-$KW4hNz$mq7j>H zfq4s(WyJ)3?WVG}QyM%0@x@$4w{J``D`NlELiorTMoRf`*b{Wv_{&Q1yisw}#sGP8 zXOOnXvry437pi$&B7~^0#G$9#QmJ!;V6 zTft*{mum_mR!=+Lw}kNnm2y-usCNrIvC@9B}@AozA_ z%$UUO;NNbhL?Y0#1M3X8Q+1GL{T05J7kXx>E6k^3K|Rur)p2DE=G4WqH%iA%g5F=o zo2PkxXHZI@zF$MTKU`SLWoQ_im~!n7uxt!!DQVF(Oct~2&zr)n4rX8|&V(pPgJ=A4 z4lO zNm->z?feo}cDz1t`tu)t*?SFtd^xgsCs<7&iN<8S=bb^9va3Y(lm_02QY7NK{NFxD z8zad3InlsbhGuvl2?!NLCnRR8i4GsNZN1vFZ>9)xg`}+6x)7*?dMvXS2$;U9{US>@ z)Yb#Yc2QaK9(0Kq7rKx248z~D;muKS{L4 zuR}q}BCCS7?bY2?^b){304k~`Tn}b`rU<%nowFp{j;wGY7uic${0*#-dB*53|8&!J zfsHrJ*V3+BXZJ@frrW%kLUiY|kn;c$-5&?3h+2t(&#$vJtYTVw!y(m zv@c=Ui?ID)4L<2xJI6i4^v!vCj-mf-%eB_h%`W${w;$%_>Zp#@>8kcFSiP{;PC z`+kPcj64$U3WrPw*!2K#bCT5wV^NzU_S$Px-hJvF)8>rTTnFAB)3N+$pe?!K@?t>a zFNOu8UCk*i$Z0wU^V3cD>GT}ofPNa+2S`)LYs=W4^Kmh%!n2e0$U=U)-zEG&h7){= zwx@fptr5}d6eY@=z9T>t!5SN{DI=MZabWV*k9Bm1Vn zCGcm7@k|r{d-^8CT}=qS^@ye-{l88=A~>vzIq27+Z{nD{@so);&i=tDppOoAOTaP_-Rm%4=_pSwZv8Bzf+Kcmqd1hHe-|`svN$x9fYWV!X z&U#-R_9v=G#c)qFR%ZWbT8qkHGWN8=s*IlWIkvs7tVx?yGnT^n0KxCFW zR$_kpw+~OY8%u2B4tQ0+?9^tZe*$-1a=aZ227I=e*Rf$f&VPw+RS(u{{$Bs0K4|44 zp9}bJVHOceJe61ZskLl16s4ZC9MmSy-g5F~a!+V&)IU_d;adYTgkb}gY!_!jT`<_! 
z2kVLyeV_Dmdf$~Ht-AYHgaEnPj69->-c~JWh|N_EnwY0Mk;FF=xWf9X-fURYXd6PT z%98&ZGmRJdra3%TWsJ_ZUZ$uuNV%s5O=rUp z4avMmy4NO$rXDk%_`}aPs4V+Z&5U*UOD@a)&#nsvMt$+-LmV161a+r3e*WmV6V>w# zfe%6ZWnEX#>zkupXhha<&T`L2(UT06Dgo5_`^#Bfd->PHA%looD!YP3k7I*&wox5A zZyo}Iv9B!Qo2AQwDpcLKIo=(lzKW6cHs=Ybwup^cC(l*8iJVGaFsxXYP()fcnj?UB z0S-SO)-jylrYF{C!UNus1a#5YBcg*iq%_K;aVZNDzUd~;(-uxfTNI#tVcVjns&|A< zEbothEKkHVnHgq^{h$#{;a;#LtQ2mPC)3p`VZ>$ER;rd?m*N30bRRZbbie%06IP#( z5WVbPckD0B-@STVj}TUTU2z4j9o4Skdqi2wYOWWgB zZ)1qS7k>swdoe~pTkZF^ZpW$hnC#sW>4SefQ`Y6cQ{Aq&O)GxfY}J+|GLyuQC%9!& zXlbv7&IUNff*rq~H#=^AxjA`(LTx$v%PreOg6HL70oicYK2vWN&M9jRvWfEGBgrO^ z#zv-ojq#FcBbXcAHZccs*T-0)?ohGB3PjhLKPaAfla~oUdB2npet2ZpdKaBWufU{) zAD!fuC@50K9+0X5WCy0HY7(2v^UIOXpp|}`;sPGodl=akUtxd~=H;2Ox51~XmZ0S(RqDlB|Iayq>LqaF@Y_jbp3Mw%V;w7EZdu3+0{-YBK zsQZla*yoQfPif)f7?EjcBoy&u=a+-O)7t^k97>CGvmdBQHG{x;bap~!Lhqj6n}T`S z=;Cfl?QHvTF7w4+Ow_Q_d9*{ih2vqtZPCKu(p(CJrL5O|X#~FL+={KC`$T20)qI^% zn9HZ{1jo|_s63`)sg(*GaAzB(YvZrfW4C8PxDQ~~Mk5>Psn?vRe5Te_8!ZU&?q z=@O8J0fw%jhoQSnHbSZ(@xdgW~-co_?EX5^u;D{$(6?_Ohrm$tW=; zP{Y0+`rK45BdeVd&%arWe1MHA;9}ic_UVhJd?C_f_xWJ~sDaSAWK&&hn8*ue^5S@xv1;|Hw6BGoigSNiSyw);HTewmJtPAb;zz&K)(I z#R@WB@)Autmm4xGEQk2ykl*_(l^J{qAfzYX4nMkWj{IJS71Dg!s1FvGdiEw4Kznfhtb;5CyGm}%ymN+c>CdXeeiKjH*IbKoxz)6r$`6Ns2p2V6X zp$Oi|?^n!Cr{l(#V!>i`TFSHaxjGC8JfTm6Zz-~c2~r3+e4`tnrWebbStPKMpb9$N zBQf*|GYDflT>zWgXorPgZm%fI1a`% zEi+l&pPDb=>E+yg{+%T8Ok9gErvzONnnN;Jhqlj$VH932NpTz!Cox`Gglx`~yd+au zD9{-5fI%m~XNv3}McINI9B&pUsL{GX8r3gv3tn7!XuP(Dfk}bG95dEBhE8R+#rQFis4;G;ktc3g7Bm^JY4p*L1zr7O! 
zeh45MPhf1o0)H`kkJGpf^pipAsc`wBz7!-$Lg}$zW*9nmXnV^NOX9~TslQ2fGde0{2BbB>DHP<=KI?twlE+cD@rSHr$i<>^g1Or+5t z8ISWW(Q8ORpdMzB>|E?js|Ys?^}H8LG{0#6GOksbpYchni3#5;LRsTyb_k%0sQ#nV ze5KWK=$jGk{Qj8wnC%AZ*eDf+n&aR&Vbq)7eHMo0ZcA(Q_F`?nHDa#wpWyU=qzxFa zQ}xyzq@TY5{Rr1Pn!fivg_9uhxv1y;*b!+A%l5@J^~PaPJS09KMgrNc+v1p=s=%M> zf~-Jw-I@YJWFPvhT~)@{ux!=PvnPf;4u#n$)NKfTTOo6)|BP#IqhH@~CQjn@+S8c+ z7BKgO?C?2Njio~sE;ns4`4 za=Ta3lK8j!w9lfbjfGTBmo^9T9;-g47)Xk?&LR7jZ_PYZR6>OsF>PKE*eB>B=jf+i1NY z*>LD{byR*%j-E5!54$oWH~Q4;Cddxk)L`S|zc`we_e^iT=8^blR~;5bYzx_+Z^=As zl(4vzi1l0lF}$HG1V0Trj3{F8h;ypoG9&$#!i&HkF?(d)eF*el`mSn5!+Ri|*$BQK zI6o^Gh>J8}%W}V37>+aBaUP(IilfkU|2cp+$lD${-rpC>y8*YDIWyRMf*J66~6n>E;uXSl|phLwb%A&FhE}wQw?H;e$$G@e!+U$?v_Y%J~)-R{5;59vnPD8 zrdP7Wjo|wRPi!9tRemTVH06Z^v%@@iV@hSvu3K7ED+$O|&sn#t+9cN2*b=f5%k|U^ zLH6_3{+<#!%?08<1-^5>Gy`KgWR<5pQI0`KhCIm@x1X;elx(8H{`qx%2<85vIvlls z(`KshBNAh>2K_Wm@n0CK)pvo$Q7qaDiA~}Un#={3gKMbz3in!AaC?jg$E~fV;y%Qg zLHFgn)+hqn;;DE4|8&ZF0Ik67K>@&U-YbA^14x#3&;V-DT{*ArIw@QI`&c~m@A0Z zDl5{U`Fg}s!d?`r(TD4o!{}|dYLdcd#U77HGM_P00e6dNrfBiRwx99ejgAA!0~Ax) z``$}rYL>h+rQ>+SJmG{>!eZjXV8oJAofHG7aF(%o1$+NE8}l)lBPaz>`ETgDBeV+H-Gs2C& zn@`JJ)gwH7($~-X%uu{qFdEp>0?M&JsRR@a<-`YHw<{;7zB_GaPDw=(v9;IGkmPQP zs?t{0ZWM6{v7%Uu^FML9rC90vx@0HDlKVR-ZIzpg16TayyBF z^%V2i$M(jOnP0aC&RY6!-ZtZ$f2Yi01c@iI0?y?5ag%1mm77iAHKIh{X-<80QesGM z%+E;UoB3@umi2rWKVHiC4n|3Mw&R>>aXTc1iSf;poDSnDcon~;kyAItkHc8^>OXaa zl_h)af`j1{8l^t@lv-F>Q#ph$jr!D zvb2?@Z-(;Ul1{CGouH(HLbMBMRP4~PGwZudevn?-ozp>&Aiid?q#rtz<$RzWAl11h z)I@})S*oWC8sr)u&PD%4(=&6}W{+x$kT<^n!L36W>aCYi@5yIaC3|i9)g3Fc#z?37 z{OR`WjTheL7|QTK?FrOE2KD5}r{Rhgd zU;~URj^6y;`W2WgV{~h7iOzw2Sp?@$T!Da z=mUF((=A7lm0zwhQ>UPxa~jVBqhg#Hc|Zl&0+h0U^zup{D^9?X{g*JaKf%^rlA29Y zv?}`(Q_(L3a~10zz3{XF&Yd)ZV`&!WCt`EH(}=Bzz4&IdY7X%Pz^?(!BeeC{k^*mb z)WqxtLOT+r5I~l|49TabkCeUGoj|ROEng%b&w{kYxD<}W>Uh|1H`xPwukIdnjb`cg zq%6!Cfo_xg$DI%N*w-aSWXIS`GQGz<2>y-5w7ZK1`*28{|5ZNCa=os}xqtxRHa@&R zXOv%JG5VN%@=u70hqI2?C7FLC#)Z{uY=O*mH%OgbW~ZHcpbdDd2;dOgb)}TK@36R~ 
z3PBh^5HqpZq5{;P4}Ms6oR5h};}2kqJ`NW6GaX4A-Ieq5q!$vALlWkRC48C144Lc; zlb8)p!#L@Y%*on3gwds){0^pdEnLC9U8(Whbo{+SAEjN@ceQG(Gx#)^I;tntyuwt2 zVmkC~Z_>I!pqlfe<6<2rhN52=&4S8}^9#CyBr1CB_d%EvQ(!hi;OMuMEdT&62oVOGXFvWWYUxlY0+HJCXyG%5g#FpUA- zV9Nt!?nXLGEDJH^mFh( z!$X$HEJ$XJ6XO?uBD)+2?G|Md>)1Ihv|jH<9}lN~!vRIi{u=jzp=&y{&W^R9uyrdY zCL?>rNxe}(g@=c?91d6;KwyCTbwQ;NsjU(Zvi@Yz5e@@mq8-+#J;JeX&Tx`!Dyb>TnU^;G0!)5lV`o=ZQWbNIHruFOQKK^bQ zU9Cl80a4u7<%+d#=KwgT_y{TvS=}7?}5X*L|Q>Pi}e!M~raew`icoL@! zCw~8i4MaMFUqv_L;~$8)$8!mtLyLIcYZ8-qXI-RQR+knqixpPmf;>~5c^%zu0Id=* z5cN8VPfO+$;aOk@Z{i9oG^H>*C1%%&#FII{VBNYycKAJNc?cRj0{eZr9=;`-GY@26_ir^ZI z;^Ys<1fqsFoE$~aaEPm*>a20IdZeB7l|1>@57E;eUUH%PfwRpG8w*cJ{N)S9)N5|w zwb4tneib6yTz@1?zLq2Qd?7jxE_x-mJ)OO|Fe%{6<~SnVO&RRb&(~N8=DafP$FBYo zGmv9nw|ppxqFSGT_P9iBYHQjI>?V6R&p85g_)Qi^E(7TvQO-OykR~Uu3n@OI2l*I-6>?QX_ABl6-oLDP; zz@u30HBhFVoYmo%d*3ZE-+=({7Vw)yD(6uwJE3>d34OIW3~Mj^uqssighf93bXWFq zC9M24uhaVpQh=^mBxs;eAOK2{RQEdWnN?a;F$18ZLAy-TX(G04JayXVkF+8Rq8g)s()Wn#`suF( zpRx|7!s&~M#i%I&8opa`QYyW@99_S5Y}&kGbrk*0`qE~#QOKqUzTE!u8Iqq((vXrP zN^V@2*g#V>L<6#BIH@b9#almn;;dk8keW=t^u&O?mC)%eJTZo;AZ9~8VD8<-JJ^)+ z+=)Ac6nf&)Dxb(O{7q68Gp+}IPM=y<6A9?vXtsHpMn5odwsloG*d8`Ztn`X<4zY9* zwS4NaS@kox{e^nTt1SL0r~R~dZE7m1pGl*fkZLhno7hiqWCx@WXS&W8oB4DOfI#W& z6<;e_Zw(P`5vSK_Ih1R8tWDmNTKny%lka2CYV$eUGJbs=W$$y!0^s~CX=jDUC(~bP zT2dgdl>;M;-uO{s|^C`SPo7x|E!(V|W}R^>(Bp`9hp{22@c zA+c9@I(Z&flhaM=C(GVgz(uqwRD6oc_kKJV&A%T~h*zR;uSe<^-SL`;-B&mALY4Lm z@2}c{ngQCbFCzBe5z*nsx!$PU9IZMnrgi?6V@Pxp3An`Tqkn&S1!q3fRP5kqEk=Fn5TI%3QeY_;GE8Y7C$#(S{FZv^v56kyGQzbbL5X+hi0USMuVYS6~Sa_0_E@DxpVDk-btN~9T zTkNS5G##ku=r2+iql)rS)0L*Bi4xXdj1QYnemI}Rc=3mt?(ybZS|1Ma(usB5?t-mV9_37{58v5eZ)InmX zL9d~)L&p{0VDU{YyzAHf1NM`x7f8+6#}UP+5V%@198+074J-@oay<|PYVK3XKe1eTF>eM4M=k$Y|G%Ed zKRzG0(3(>Qz{x%IiY)1fSeNG7?r5N*S#8Hzf!(Q%>=43ZkHnt`GV?B-6Z$&J>i!AZ zu1z<1t2ii6qW{%q_BTuJ3@6Hm1LSf4`SYLv5tQ}`A7mCyx7lgPQTTJzsdlB_E2Jyi zeVE?%kkp8}Sfbzb0u$i)7r^76J3->K$xwbB)tX1aPq5{$7tDPu+rr|`>YUEjIdogu zvs-N1cH10M8I%}JgRGc>oem_5?>hp&s 
zX;J)a`Wy4-`L!#SO2kb>u*q^90CsR*;tX%=--+pO7^Ny&uY<3GG=(XbXGW`-}q5Yo%x+ZA0wON?G^`@vD!iPx=IT#*vnF$3_j@{sw`!cb=HjNc3!$(IsE%P|Eor9jo_M!ZjC+Mu<6Awb2rOO2|yw= z-B?f@n7Rcu&>T)&XN>pDB&6bKV8_dQGa9C zPG)&JQe>P|8c0GQU_=!2`~0t46MGaCeeo6lYaVSHnVRWD3r=nC_wQ@7?kZ1TupH6b z;48VDnOx7l#9HxqoA1Ig^bP@laIKs42O(6TpCVdlebz|g)G^4(p*;hYVMM-PFOKTs z+QkomYIT;%1uSya-wVuA8ZKBR)_uo;>dVHC?UGncFOWl`zG7`P_q-MZa7d=`b-o|G z;K!c=N^GUW%L9FDM|dHW86|Fwj#fht=pj3-s=tu258GK8lYYeOGc&BLW}bLY>`&rN zefz;ElSHyn$rt+Z&SUd7^OLIny&O2fnwF{aMH&^f-!RJoqPoWKOWZzNvJXbpoBG_4 zpmb?yFbB_k^Q4=!@Uf?PW|p0~faOy(>XZ_enrcV=E6`ml@~l9}IqeB({cn5nAF_i~ zVzlj%c-#l5tKUkEp^1nJ*Tt{g(-HKI8+fATab3M%I^`O&D3j%sGlexL zC#MPw+pg4#9h4VZ-9>oWS%!<0(a(Acf#*;kU1#IW)#o@>poNkA}gWGkJBS(Yn%(vFdJyUmlC2yo7 zCYWLeuPwySDWc8hSL>8C#6UHxt^DSl!`jl)veqf@f9Kx1mFK?CKUw08`eGU&=5+Z_?T~rvrr{9902g&Y`mSW_*$qXG2-`r^C!MdG_Y1mt70jzRWAO@+r7Xjh82U& ztk!FWA-%x_C-%`iaxzDO>7DIlqptD`wK0Qw6@FqO`ST|;n+_iLh?RSG~d)g=Xc#YAhn^-Y%`hoC(2WFYK_*$0jc)znk)Wemm!lj&ZeztnS7}CW(lkMMsE;0I9>o!=s1Zp zCH_y722ECD;t?uMwD1M&Fhy-@0jQ+kTj8X&qy+-rdFHkE~Z~?^#44dJJ(Te%}P6WyXyaKmh*FK|md5Lfg zd|3T@_i);+=rT;B8n5rzs!Pmf^qMB%rqtG39NAF7WjAbF!Dv60+wKOOG5gz$Q6bJD z+kAJ?ceADKVy_N(!=c|HwKbZ-oZWhrgq$w&QnO4WIg>9t;R5L6Uy|jsNJDor{pMkk zrYi1JnOf#xc%o=nHeRRL#~hlDM^Y=4>2;jO+_hH2BB@vLt$fTwKYRS+9sPCbWA?QZ z=*zLqdnQr5Z-#SRKFo!mjfVD}jSsjMN}rdV9SVS8!&CZ-bHojs2e$)qMp0$8?j(FgeYL$sJY;KS(_B?_gFQd!(fi2VE3@eCNrG$M%$>~ zngpG?H^#MPR)ZqiSIJAQ$rjxeGcGq~62rI{5_U6#-_Tw8hjab*huj%GLs9_mTlVjE z6O2D#;4ETs11@a6p;aqo%RVEOt8$hq8Jij^i3^Ey!vL$MM7pO9YIJ1}I~nu*h{S)j zM!FnAAMri8j^Z~kad^^+^QW7 z>9XiOPT-1E7~z)cCzhZi*v@0sOKm#E+w9$b2HUxAc(#5XPR2{ZfrpCjvD6hW{aCRhLER>gYy)?=h0E!Ck|C>CGS=im4SS%# z5Im{-v50VMclgO&ocRft>|jElV(vsU6P;g?`iBp>-D3|)w6TjB>ARnY=7FihJTxPT zo(}trVtUg_^!wPbu6^-DXZ6(KiCfr^X2{}@pOv}1#dsClJiF{Nmz0dMA^WZ5nl3%h z`>(ld-b!;mE>mB!3&hb1)VHfre$oz7PUd$|LOR3PN2tBb+S>*ETMQaXKiEoPC+Vdb z1UY@|s@(l-3PI@JWeiUEWrBRhvwjbHa+_%ei3T{RTDx0ntvLD$Sbpe07O8D&0H&m6xo+>J? 
z5PM*x=pa;{s?pzq%HelkzI3#G_tgPa6w}GBO z^wFC`aE%0fJg)y>jp?*HTr*PhO%wxHc);0T2F)rH$_qDrfu<4xYf}5|F}n!^_Md0A zWI`K?LfcE{n{AFA$o<2h zf#D7Gxr1Dr=17Bk*)W?wLhHpFTRnGI6puQO zjWG6^6^d1|3oKP$EPU+jxY%iM{1UJ|HvVQLh0O=o+UfMUl>pX98(cE45`V8s{lDtY zP6F@ot=VS}kL|SCE<8($k)GoT3Q&e=qWE(%7RO{*%fsJ3;&63CwH%4xo7Y!3rejR#2 z&;+s4kWcQpb(2!SDWSt6 zpK@pe_Az;~!01w`6#Jpyz3x(JdT~%1YwWFZ-~BlsMbnV#RBpDng1(JfTSCs|LYuUo z%?y`*ztp+w1GVx;2}q%%1K*3`qP#3@EkFt|kAAVmS(7rcMowG1eAY3(dlX{977Eg2 zkz6Y+bWasak^HA)`L~bYL4lSP<|dWX{LNy1jJW>eDOrRB`*MEtspXRSDH#Vd>j>D| zn!>mc(+=4O8`Sl(&EHfYJ;mbtHFs>E;-JRTYInjZ&Vc7`aB~&L49=y)-`XhzKX<$w zWo&h+Od#vLmNp}6Z-y>9^cxOJ9RSiel*FVCD`m`?W;@Z<)t&G551+2k#FlC_i4#Ci z4vTEUApy_FK=e!fN|yvp(bci1hRTwH&KW(|D8VSoA}ZgB;hN!3)B7DyE=5eOd<~#PoZ<^Ix1MnGt-sKo|X7wpzn9VyXp>_5Vi*~0^HV3h<1{!_d^Ni z^MjJ*77{N9RGodNCyb-F(3D{YqXX2#5r-C`$s!x~q>r1&j>_MxBn)X6aG2$BtliiR zvN#NB1zEYc4A3+~u|w59TIyq=`G1Sp+x~d@{->U`H30QHDf{cis$ko#822W0FvQ8j zN|@8K!`&1mXq&+RX;zaa?#-vDNVFN0^5@I}R)~{u+@|MQ=f5guI0a4kTpx$IN-(m{ z)AG!H0*RtECZG69b%x^)7xi^ufE-hBkiu|U{bgMduAV7|y zy*a5j>MJ2k)*~9o8ol1fzQ)_Ch8=V5HD_Sxc@iJtdvg zD9}*v{CDGD+UUR(<3nI!Q>FBL?-u~JxdRd$`h78T=~GS^4>BumU z`vy&)R<$loZV*$5(b4qB$HDJaULU=dmf%Sz3&NkwF>F&dQg1m9`V6aOsZMA+ZZ`b0 zH0uDwQCJBLm^*A5Ru+_Xo4-9)^zji!YYfA8(HaL_B{Cph?>qleLp5;gC7SDPP-7Zg z&P$Nk<|cpO_c`iW-HX{Cse2wQ z1Shn-%ojk5)e}GG)LSG#y1`kEXRn~m>pXn#%C+TFN6MJE{f1NO>`SlT~Y; znANDt_Y>m_$_cG%*E8OR<``h>)u$+5B9_-ZHvmaf@_rnn``ZX(cgWGKfph@|sPNtZ3s&&HcY zcN(qw-KRX4Q;H@Qc@D9P4mW&!kTIk`dE~$w<0K)s7>JysA>@|J3$~+6bP|DQR^ujn zt~}_}(xHhRob+5u<%K+Z8eH~UMfvA0#QZ=8e7ysU? zNJv}pD1iUen#S^313 z_Pm_noizK1#sWK?s+ZPUi<>ml=sQl&0^u#7&`&!;Z0l8J{q);Nd1dgy@Gdv0cgNwV zjT(=LbjF$%TsaflqOZ(%7t%sEoTX+!p~ctsk4z|RS%A7^c5-I3mqPE? 
zIisY-xA=W-CIDc|sa3ud20(_nn?u@!E!sUMwrG!1%y^o<;GH5D&!>SuVy4c(-EjZ+ zKb+y|kU|cIXc5-vI2qtuQ~*%!0qy0(AA!F=+^f#d$N;GsIEQKzZUs!lTZJm`zl;-w z*B=C|1=XUT)rH`S>rngckqLR9&=yx{n(tK%HBYpE)u_gyd%@1YEe)7hA_h!@84`Hy znH(32q)$CuCXYPV9+hgeB*;MfWO#|pk$p#M00`W zbJlP6wK=+3(_R_-2~aL(+hoKsG{60#Kkw?AIebE33|g?tq4!*I$?uogS0x#onKQ&& zXR`Dyq0qZ09TasD5yjzqKUby8B1`F#o9N%@D|X}hqTT=ea&FvfG}y^GLOe59<5lXp zDi-^bGCculBZOr~#jlp+c8wAz^?1tZmc}Lb*_E^TzU9rNib492^UW_DTOf%JUDn(B5(Yng%|zCv(6KNndi&+-7=7^J^`jIPzJ~7_rHQd@ zN59m9{dZ45W${H;rB5!+KuOPUzJ6G@ApKFMEA#>d{MI7LpJ|Z8yQrT_1Uk;ojA*|p z94h0}=lU6pxSM33EVTfLeaa=M*GgyL8M=;Sx1w250bjKv;PMHxl4pNL9UFUg~8q#u|rzbw+y-vJbNbicoBq!-C%K9vCsJ@#x{3Oz}SM1vuIT;W;jpJA*_m~ z;T4?c7sIZc^!l3yVWA?&RU6JWU8aVSb>azXEs$iqMGe)#N$L=lq%$%`u< zRzEd{5ICEOD+vzKqXNIUW1XdUw#cPaFIPbN_qWXD>8%$N!hI4H^Du{QO7wpwg!3E| zi6<~NrK=AP^`YRL>!2;Ee-M~uM{T9WopMtq5(6IV)~?aJ01aBvXG4lWoh9*a?EQS#u(A6KP1q@s^}hvMVd-Q z9ZY73oGSPD5(4t+jORw{zei_wPz)5h-|b%g9mBb2BZf?aGu)Y39DnmC$FXaxT`O$S*}F~ z@2o#j2>QS?Lx9U7ji9R#L~-YS5Y5V%e_?I^BX#mG*MrPVB{NvaQB-|cgR$hg0ejk) zz1WQfI^d}m6hO3l(;!AN(mW9BFc?P_SsSYOty{U(&}{tzJ7S@(&l8#sIkWh0`I~DR z$v~-MWNQxvADQr!v|y=hgEhx+US4GJqdI-eP4AszsIw&LL-^erR_tm_gAAu;Te`Db z%OxG^1b8OrSfQs4*{avKe&tNCCwO0IVPSmU9)w0qAt$+6-$ImbdwvhsVf^(vD^hP4&CNHt0i;ZXHndk7p6hQnL{Om zZF}2it~|=(4y3^4=&&AAYJONA=D_LSZQ*L3(!G@=YDzM`oujDN;J0DSq-8~PK9;Pl zPk_t9Y_zRIuIcGji3QRFG;SWg0=IgTU4%#O^}U@ESX0lNHd)?$!aRa03=(?(>vegd z-O~`f`Iz!18I#@K5T4aCiYrU&r%Rq5of>U5zv{)KQhO22!0Zrgtg~iA#`OgDgAG}5 z&)?5MX_@YHXD9$AGp@_`$~5LC$Nr}!{R`vdnR3P(<#w^=`3~#9a?^i5#D9L8q!O$} z_#+I247jNoI$e84!3R!hERX18#4;;5m~%j{4q_AFhtnLs;S7Y!nmvL;8|laakPc^f z5}7oIHO|l$)2hyW51W5j6!%Z@-$1cp4{vw<2>wd&{Ou(E$(>#7w1L?!UJ+lPlPAdQ z^b`B@r{^p zd5JC2IcX0Ty4hmI+SS7}7+DuKw9dru1c!IiM8NC2Z&K!z4giU7WzSYs2Mj2H|jH+Igm4}9JA&azL zHf!wP9gP0Y0{tT={C7g}patXIu_Yd8;hOS_N9j#9&q6jlesmXt#6BO2cj} zcR$BS4}wp{OYt+&t2yv!GqPb4=12^!1J4MzSz|mh1!3ipHj6M6;a)zYl3lAk{o618 zx7GemQcy>~y>ReI>`bQ5fAyw-M<}b0D*y>-K*TgHJie^DbN6oJB1H6{fJ5I3Xe}w< zaK>Z~Ii>yJBww`bu1DH+;~sZ0cz0y0-QDe^M;z53h>)|=|0d{vXqUe}-%>ud^^&pk 
zP6*`YPkcykAKi3xeo|;2vgPO^66JVrNg+`;y4pZStOD*%gzJ0#ph5;H-_=E7LSsvw zwfGNhkO6D0^ScMZm&K4tj0j!wKK{mf3cwGb=YL-ApPRYYCK$i{`n^FE=lM#-(eSjv z0;LV>2-2eP5bS_wj(QDkBrs&<^kLsp;MK*jpFIO}Le=8GnmvuJ?M}3Ko%LkbK%AK4 z;JBYBgO=n=0AGbvg_JJu7q0&qg8k=$fAP~=z|$ae7oOoA(yigW?;pN=1q%{OFvp&n zFV$|y_Tk*>`Y!fs+jNuX$n0=Op1Jnys+f@D_PP?`_5bjyHzXHe4bJvy;q4!=4%v3v zWu1onCzO%{=%;m7`KYa82(%Bx{fi63=4t10v3e-q|>&L1}pqH4ON z*L+4N5@&JX8<10}-h<>K-EEQo$dP|jBZzkO8Lb)J{40QVs9^z-6+ZLZY&-S$c3l>* zQ{C|1jSb|RJi*&ZqruNKs_J#5lGlmSA7vN0r&va0K{_Y8ms@9HpY1QCD%|4BOqT54 z@&6TrKxvas*}&QCYpZjoQcn54)%XY&cGb%T?qTGVO(Ql{iO6#ZAOm=^G^L=+1u9@J z-o-+L?IN6&dD1&1%6d|>G_07(0?0@_{}(a)o2Y|M3@_pw$pSjAQ&;=@W*475h~Se# z8}Z8%<1!zB5YAN7ep63lw6O{z)QaG7z;2)*1-YA~&*O|@molkyGHtTaDeMolyj4i% zfi_mX)5Bb_P4@ghNehta+L}M8`ShJK`zAxh*jrTjJk?6Hgc7Eyycv|mrWw) z#eg}lrykmXl2Qk<74}nZn&PD_(1PtkU`*w(X*_1f%^I4ZJ$ZWQB-MXVB!5%*hnl&? zL-|#{a3@Luz31(V^vwji=2x6~B~6`43L`8uSFXr#UCO}K(o@RmwAf%;iwsKv(Kl@J zEm*yNTQ+9X+5{r1Q`5gewylRxXZ33jG3@!+5B?A4pN}BGXvEXFuM~`p&HbR_Ey$L? zd$FrlSnhBswkvjPx8JD9PLRI5LNQ-j9!)t$SM0kcC&}5^~f0>Z<^A?o6tyyY`8R_!CKGtV5cl8fvN{9uRme+t3$oEyX{ zr&D}XHMt6oDIrF1hNAa@Vh6-7<-xt`5Sj8jb;`@R_NuRpIzR*gJLJ}r?H>5*F_S3g z`nS%$2H+3go&`KF)6ks66IYXhF(Yh~U4AEUQqR`!HPJl3$Ks1S`-pHYe}uqjY5sTq zu92WM@d$j@cs31+duifo>wm9&K0W8MXXhOtG&<)}dZw76B9^3Sd>I8inSQ44952O8 z^t&Ox!<=wNfe)P0a8BA-smuoks)#A&tFK1UKk#|y>68ejZ$4+=`s+RlzrJ-l(un7h zF343umEZsT#hh~DPMc1gXR;?j8$U4^;ak7zKZ0hcqBJ=*MNepf^|JHfRj>r_b=>AY zO;F&>6@H7;yg%zxQ?e}Ln6oAvpACWbqSgGdwekmx(ya(9$~Liy0y8-fLdy%Gb-Cky zm(dY>x9YN#vgtzvO<0Lzevoa8O)w}=bpEH{t$9k)&M3ya1hobHVqUaQS(iBOqZI^R z?n!ip&Zd_E8rz4*t%PDo=tMPXOKP&W@a)VGyX1J2AZ|VO(vPQZqv}-ttHvv1zlV>O z+cGK#!v11+6GwtbnRhPduX(Lv-#z$cZt{xNXnaw9PP9wQUd*n;!Qn3?J8Qp)uBa-y z{ya{wdOez33^l+-(q*D$$*YN@th!rpRBZCdZqhQDrn@HBKh;cq|NPH zatG}DC#HQos9=?Q?jZ>1$~;+~$C&e%Bs4=I{5Z!T=eaun;{x~ZtS9Dt-gf@}S>lCnc13R}Noh8!2um$EzPu>~KHOtC zs2+9ZUMf)Cieelx`#9FU!7!)AtvV(-1WcB)zaQn0T(7eemG ze=}T8^j~(7W%Oz@5dvTPxSYQ{8_(V42K*u(s!Dr2S-2B+Dvysok=~U5wia*j+XBdQ 
zu%8Nkwudu-Q7P?r-2eUsE&cN^X#vzsFarFbV0x8{!4zPzQtCpT)sW=V24qB8FF(6E zaCLp6FV*|GcoYdo;unegH^@*y@|Y|Q4hlP)GYVh=_{We0}#f%s)WRGk+)LQd0LgTNQIycHT0jxTAbd#^;b9fNF9K z@}X}c=q!lbhloMdQ=c+|F0bNJu#x4szFAovFerr2t z`vw?rmHwk!eM14nt>SkjF{-}GAuVOL>$Bt4>M!5Y`%<_f0?IFM4D=Z|qq_jWdj+y*ag>;P&$LF+?=dd3UG^ZyzoW_$- zzqj;Xt7#}6B@a#w>%{w^Tgte8?kUudVUec80+mT2I64|mypPcn?Y zonwb^7;uZXQ7EwR+JtpEZ z1m7O+Ayu@6AI|kO3y#4RVfo@1E5xSinoL3`KnHthx?Nrw&Z>yBX;A> zM%d6jgg4Uq?psFkcp3Q0J+?}d#XAypLnppXUx7n`S{CsWLf6oizIzho^gN?KEHQ z;`Xjm^BlJSau7^bB?G}yqIf5YKXeA3Qar$6q;qZoIVpLca3I{zkXFO+qKdnn9<$Jv z9X05+P-j>%^Ch<0<0)RC0)kuVTqL=PqN`@F4pUnn7=8x>++_^#CO4g*_Rv$N<-Fc} z`IqN)0(se$zQ7><+oiNk;MYLqw#hFtbTZg#N*!x7SCa$VH@heG$quU zZ$P}Oy%h6FH$i7{ zlv1=%+`YILCs>OW(jvv(iwE~oin}|M;_gt~2@s^XI|O$L8s0p6KhNIp|BQ3S`FK7u z_>hq`*1dAwbItjiSsYZ}mpL>_P6U_kr5~xJx(>B!x8|9i0;VuYxGxojHp^=Bv^MWl zN?mQWs=ZSqNUsxhUHb?o8s4jFJwv*#OxCmE`*T;LwD=`1`UTEC)H+qjHjWR`7Y7~A zqGNJBF*a2exv(kLsxA2VVD-!UY1s|*PEK0euEtIn4_miJ)b{~6k*|st-w$X5iYXCt zYNH%1*l#2HBlsQ#9>_NI8EJaHU5oWBM2FcDRz%hpZI^BIm7~A$4(q%au}vb3VnZ0CivV_tR$Q;q5&f57x(NUI;VtSNCEp*_IyW2Lgl9wO%;&n z`O0auqMw%*+T`x{VvRb{B`fYO!~>pYUwdZ}U7~U*r7IYlA>; zE3M*6$L+O>CT#=kXuIyi7KsH!s*1fuXs_BNbUVm-WGdP>R7m*kzVj7nsk^@UF*0XN zHl2EAH=@=0aRp!UQ3mt;&+eu3u)&|oD4#r7brjP`Zu`b@2f6Y$hwG)TH<{p%<_|db zIHThpGvrEmJjjo`9R~AbSY$KOEv-!!LtFCak8_`)1_CkZN`{Hb`u6P5A0qZ0stC?I z%fU=VV$0JlutfnM;i0{xfl3D8FC0^egrQ>GU9`5V{;EF}lGMs9)Jhh&upxI|`V=L& zOMKB7ybby3BxtuARvJIXG0G3;VFP>q_6ht)^Elm+{Z=ak_4F)ebXD5HL7}tLtM9+n zoTxHa&3a0awFo9D6nz?>H{$Gzx6p*}mYrkX>kWwl)(3-%Of)e{>~~84k{N16dt5Wd zbP+73hxEr;_ z8yb$^9X;wKXusNMnJuTqSI^iSj%w^QXr2-qMeRz%<#cwhIgF^y+U}AlTa01SAYbi_ z$wW0IDPUiDYvmpqZJD#NV6h!r_DeCGQ=Mb@{AGuW^(;hJlMiZ~YA>1hOvW5l=(4J( z3Wa|Xmx;s>l*FbT#IPAYTyurYqLI{aw7?L;rcLU95?fCukWS>xVZ_kY#ZVT{sKm1# zF^p-l-Pek^H8Uac#*k)=k<)B4j${TWPkl_VS}us3D$R0 z)N<_-u5npxkgI&_1Z9iK4<}L#576ESJrGlFiijWk)PDmKx1JGYyVd)u|J{1Fn66yA z@!jq4V!cyxgfyAenMRKBdrb*Dfzu*>T=cZPNejpXgW|BtQS;RSB+Lww2TEj_Xnl_% zJ!3cDs#Ktq{&gV{dm>>@t@H~CN)&8jgy^KT)w}k=4=V|R=wQ-DGxLs$awXSY*5M 
z@#gH?h3J4^6tt`w6$!CD?MVvi){2ON9<$!6oDa|fos$GF_!TEU6y&HKj3@HQE}i{j zA}CU4dmW963pD$5MA&qmW{oL7B;De=aVH;hypU*et`*dnx}SQw`DVT~G|xxwD{@N` zyH1MrQjJ+@^(UpCnq^l+Cy5qysTFFIaUaNP{8#=|xds?BlD~9z@X~7XV=9RHpgy`j za=KJQ;7S}mr8;q2q)d$8bjI*VJ@p4ydmGMmWx@MJDyND(1dd?OMRl2tkOEg1Eyv}}@y8UdG|;suXL{ zn~%V4sI+}J&+0FRmer>m2tsiXEzZ8(ZL5gjfYnk}MHzT5L)=F@_C956V`a&Y{>I#x zoCECLRbAkOQwao<_c+6a(l%LleKYSa-dHUaWof+hyR9yEZR@Z3dP{rzb$|%8t?q}) zNSiAg$zy795wIZF_lh7MibQCheZ15qo@oQs@NK=>0~dGZu|Wx6TsI#Vf z3fM2us`?voGz6?=O#YTvEshpn(``p`x+V8kTfYK*Y*-i7Yx;Hjvg+&f*9-q2KBGce zJb;fkB(Q1h-o>i%^Jf190eJ|e+UPC7Bc4o)n#gpc#+=S9io<)_8oBiFs`qku~ zpP91t2pr0faD;kATiiJvkM-Mam@5Em1l+Dduw-_fhL>LXBlcozB$hQ#x1I<3J|%SOa~zu7#&(+hH%BlZp8PFWe$z$`WUF)xFwV9K zfDijc=2NkY$YPRNB^4|n#h=lR5y=W`f5EFjKx9=Yn@=d2HJbc~4Y(-ir}%{GHE@Iq ztPw3$UsGbI0r3{2v94(R$?}>(K11?_1N++;{ED8}!tYDHcXj8ow7gL=T;oM3XFJW=?Z3D4>F(~yM$4zh;|e@?*jQv;rx&9OYc4%PSxz{4d* zj8~ha9n`q#y2tXOE%c#(L_3Acp#PT6WO&zJi3|_vtdn10i7oo!{xt$q*|y}|b9KJ{ zw4xkxDRM#XaXxP$NgH<=L0tL)&mj|AO!Most*L(h*sfDtticOK;5NgU*pBFYvyqw9 zSO=x2n%&*KQjJj$qt$fTXIedElWIQS#fEZFmypF!4nQ%B1Sj*q-}{sCh|T4GDRSXYuIX$-F(WFo#8^L+gF z0y-E21SBDs%)~+}TUFBhEf=iVP9`K*Oapc|vVQ!|)_UbcKYCi7%(d=K;2m0 zJ7Of?*a^M_$n7~EerC*^shFQP+bS1WiSYw?cX(gUCr^|~Qlz4tKj5*oP${Y|{I>pc zBY{PleIGq>*8YshE=iHB)GUU@`VX*i_1w+l{z@Y<0#0(#BeR~85y-GunDIxCqy3Px z#_WO+0fBepW(-c>J}1K3#VH-f=CK`$*8Zq0+EnSi*RoSEoW?qmPW6^3H7?SblUhUR%pfGgH>)1~Y9%YL! 
z=XvlbjNYr7KEu8hm~0S7R?*Hwqk|9YNh1i~o~#TSI%B%z(&6Bm^y3tLIAPkV>Ck09 zT5wI!JodDjJjQL>KUa*%%31Yga`~zrz|bVn5$jGy$z?H;(J?p7Txh7w^H_)acnNPg z7rG0ja^&c^RJlEj$HBKfm^@+gfafO<&n?H_S6*;0Z>PWR*$N+PkKw(~%J>8B{0R(} zvu8UiL@j%i{0<9tJSEuzr*z(59oT(#Rsyx zmMvZgOWrYX?^+_8)pM$!^9Uwi(dv(S!ltT&%0(Z8A^rS{_}j{RUO^9JV}ZzyIHM`= z^pwS_3lW@f)bn%e$_;6t3`ffrUaHup1qr~aBo!ESvR_|Fv~YpB;6x!Fwgg)XIA1^@ zn(H<6lm0+D-$jh25^Dt4UuDIn4SHPI3#_6jUgk^`!p_oc9_&9v#o85_SlCVJDykHO z|E*PbX5&2f@nvijoo2<`Z-rLeCJdL*fi zS2=sA8%iZ6j9$fKPjJ7e$(uT5L!Y;b{ycg~FYeX_O19<=pz3r*$1gB5UAacuo39C5 za`}J}qcE3^Ka=rUlVEwaBT|jS;6uT%0Tawm6o>Pd7M^sA!e&km=c4y*+jaAS=@KyB z>^YlRP$XPgYL8(1O2dF(W>VoW8SHbjo8_@?Ml*QbCqS2H9!W|q^Qzo%^=Z{B=+MS* z?lq6&gqsRRUh;ABK!A}POGIzG7gN>}cvrjHrs?O-c5E;upXpA|lZT3Lil`FY6>`LL zSvs~gGK)rfP`grinaF;iVYu3!ScRfzH*`L>@g5^^CK4gGa9JH;+eP0My%yz9>X|hD zI=Dd)bSSz%XUF5Uu9Er^BWGy(AWe+cN_S-YC%s7Y=7c$J5naEpJzHE69Wp)DXy|wT zjev-u3r?Ijc#<%{LrUl*ZQR4$S~P&ibmxG2^^5J&i(eP0(yrq**t*p;ihsy!)!;`k z0FRk`LA!`$RgCv9hC-o3bRmHi_wt9ANH+i=z+&q|Br$rN!0Lea-S($R_u+*Gt8E0(${f_R>u**=O(`c7S)lS6;hKaxDc$l1gldvt(FI;5*qmbGN1qZw! 
zskvAnvwycW#AM)&MJwzv=&fHNkVWNnV|069P|*($7BhQ*t)|<)c;R!}P9yRJnszC8 zz#oIpPI!NOa#0y8pW>s%5z|@8wK;f^%-NolRc*KCo&yu3sR50OaT}+Irn2p-0?}R;4I1?z zs#b{TBD6et!wcXN2hBMQW1$9NT4et@+Z^y-3ZNHBZ?vH^z$P>6_nYMar+EAF8MRDq z&g{ayjCw;}n~Rf(KRE5pp@;_|mQmu(P%36@mN43A}{Ozzgv4amQE(3CEb|QyJTPgE+*N zPT6YOnJ>&nD$Y)J_VZ-td{896aipGpRIqk}*7~`2DqNr}`6@5OZXo$aY ze9-jRt!Bz|t30lG@ugf62TL4zfdcgV){qN>Fs^aQv5|bfDIT+bjwVOw^r&0N_Vg#r zbfvYahIr<3_#l{D#ApbUCiZb_64%f|~8r!CiSw-~6)S_hid;}lSPK_(1 zM^Ta7YzOzU0}O{##dIwBeT`36cu1%W%)J3e)W z^DII;58+!CI`&BpZRrr>%5R@ zux+Oy=6a+AQgGA++VRqC4)rVyjE^is%;8xw+4eLlQ|~OKIK)mQ!*%3tKCn}8YF+v1j+A*++$5R zdbqg76mYS`A*Tx@bH;v%3%egCQOx;-DpU_Nu$s?%uD=EhG+RM7mxmH)z|}q11KkEJ zvQy$Gt&HSmpCQDHD$^7Qbq58v8b|9Es5r3g0XmXta^6%I8(iRk-X04+m&MDYH!SVi z2N9MjHcHJt++Ha8BD$RNFv{L{>2yieRLj$GSkIPqt)#8W9k>Q}vmBV#8m#S4Q{dl< z8hH=zjx#EMcYwDFxu3zf*5mX*T;8!ezIoFnY6-axDPvKYLYg&NgFg;ti)hoUPy-qr zbhhS9S_amuzHH1OIU{mF&qzpPkrB0~70WFUZyS-$Hu$B$%n$)<$mC z0_?&c%tcfpYakafkC6Ym3dhy#`I5x3+&t8azF8&e5>_X?D^V*`2S#t(PUi%G z&u6IoCov~?>K5{JkVFfWGR?b3s?{=PXY;J^Q$x3}MLTy#1XlR+Xv^OQ8)uIpMupET z6ra$4t4=s6{0iJm%1KjReacOQeDWaREga)Aw#f8pa26?uUn2|F^&a$~w$A2;sFU&A z8J{;{YG1|U=55yRNDK7&4&5EswFqo#-`l7hZ^-W3@o{Ux?!u| zH6va|ba7F3@NeH6mQ{%+Gj-gZL#lco@D#r$2RL881ZOc_CV;a&7b5J{*zx`8me(nS z2e@U)v#O-*#%r1`pD}Ax>yl_9z2oPxVXeOuY)9+2UVogcx$3I1x?rqTm$Zn;Q6g(J zxet6*uzFyO`5c?Kp}1Fc7F*CT|LiAxQ>WVy-P zlRzG7$XtbTW^^Yw!1F`FBTeuSqDRC|{G&sqlJL^CCT+*F9HeofQamV|aW6?K;gRzK zaC^wigc1^ucG5DIcYm_!l7h_gef}f}2L;10v$f^Ea?uft4%3IfLh~5sx6~Absa5Jv z4~yw4WF-cA)SWhP)jUXNpyxIj$VPMT!S55PzG^p|_G1=UNUZM>2d z*d^6&l>1^!;_U3mh0b@LAXyqV2z50x7&WMoTJhZ!6T10>-G833Xq*t~_psK$MDa(w z*{I66@;i=N22<&VG&xK^e^WQdWQP7X;GYYELaA>Tzv0Ih{NzBKM>8W(E0z18mFw#v zG|@zSTDEM3LVzAdb;L}ml`o*kMujxntzj}~&Z-5&nyzT>L@gTtBr_^pG)hu!+eh1* zsZ--gJNfJS&yY%*IzdmF$KFrDxXRnf?&S3vWtLejuh~Ef>ReB4#HDyclZO#Ttk!)X z$5UdkOn>ybvd~*)4czg;#yULV<8nESjxjJhrCV?GKP-Sa44@4Im_h|8-cd;YGVs-h z9#(1d!6k-8i77M2YZzP3{&IMZo$<}E(^&d;Odx8_Dc=03Orl^(sL#Ee;2{@hIJMQL zA`3I0@m8ZsOs(WX{Q7>6LBp)GxJA-Z*t<42gy7 
zIUN|52027zkm#fH)yu=P_}Tkg2iahD3XEvvMj{xmPDWujKA#U?z1zDk-B+ZtI>vX^ ziEN+Gh{2D;3R6rp?jkF$497s_ewllm*ebr)SvkY>qO)c;B$8iqV27<;x^uDex#uG| zPrMrN(c+9E)_M5fJ;!Sp@(c2A>r>;!c-h@I3XGTKu7RZr+SYf=jO)5*iCV>vuVy<4 zQ#sf!i~%nWXaIS+-uE=M^R!SI`90KDJpJhVviaYIctWSWaQ`Edae3gR4}D@Ve<2q zUKUUC{7^3sBSwc~cKx@1U<98m!Sfc=!KeryKc@YTQbpep3V}fx<4;{{xSC{CZKy9l z|8naGHp*jNm}2=Z*>+g^y-NR>BXr#7O>W7snA2Zo_8hd?Pic7-;@Q}-QEEH(mXC6#Kz0meef&|v|m0@QRFMqUsuo;bmF8+A~ftP|UK-$TcJWy4@5q8}X(sS){&Sqwv-|q3tBS{%!?ufWCgC zldtT#*_KvQ?>9U0fQLu9B8VOHLSH`q#1p2Ub?UbGoP%i={(awsi#(T`iHEU-)U8*B zruH2Z&`YSRq*YBq4L8vbBfdAOOhseNl1o5k&*1%{sn9A-Ild$?S!M+tKHVm~aZwy^ zLfZ-;uUhNn@x5X$X+cLX`$&~XV@Cu5DNroR_PWVaYI-gzs*v(hdfYD_aQLUIqT>() zJ%pKHZYQe%hj;=j5WRYP4R*!Nv%ccWoQk$GkfKJ1`tXftGfkf1JHL7FwtZ(;bgLWi z1H0FU2*%bmV%&lZyoy|)u`@Sj^}20!k4p7qwP|Yn{mV)tBWCxz^85B$=;kWr6yn{( zTioGwRyrgut}up8UrKgoz{{E6axXUp(sqI0k2yikID8fJG;2kana9G!3LsJd_te0} zhCm~9xFG&-H9|>+M@&74WUcgAKLt(~vj1&8D|dC2M_+&ssk%#Kw|EXfH~8*aYxP%j z4HFlWcQI}*XPH*vGF0IoTz~hyi5;&~mtjc#W-FWnlf-d+GO=>^SS7#%yWPJbwzxhB zr-9^3RfG3ugT{Qn9?g(!2meR+xw;i?T!M-M*HGpGat9z`W$_=bAbek3dMpT1Qfn%qInv%=EM<&K|tMeTM0(x`pQ2&Bh@34&kk zHW+5t5BwTGuz~1Q!ft-?`hkw|_Tlpaum@Ttr^Yk2=EDx1)Zn~$s193BPb3i?mw;8s zO#$vR^34x^4s@nkfYD^TRK45iM>U_ijm=)d*z$?4in*jZj_^Dh4_vFOiNY|9;yrq9 zKz@dU0(8b}29x)SRv_K57&P3w_9&XtOOVPJEu*h=?Owx(^>qx?evMEOy@M)mmJrwb#%}8>npR`4xa%k|K-x>;j`u^=(*sT99N+5G zm*v{sOl^Kvkl;>cqdBD>$vWeB&~Gt0jC>E+Y%wj#^)#suO>jD=4Zronx;`;j_4R%o zBA1xVj3=nPQ=1r47|t>Z;feqpT-~)=d<|A8< z-Ir$e7y2J3iu%QpS>7Hi<}elgyj%gy5c32mGGFDX-WKNo&WoukI4XZQ@iH*C)1qwYr7>_h~)GrPY4K<~`neUzZ z>(#6Q+Y`W~ne_%bxXG=hXInvXp5cIUnjm&GA|c;c4|-n9adc9>N3;Ei`ob*&7ZS*w(Cik(W#)rt;B%>sJ-=t9 zfr)*K@H}RacO4~y z^;z7BLOj^sb~Hm9t}=f^r{=~>se@O1#5UH5`-Q)TqW&Y!W(gx7$7^>trE>t}VZ;M8 z=0wA_j5kYUv8j8AGyfj{A(uiX1 zq7C{j-R!=*mUuH=BEJuCxkV`8dUC&mQn&V9!2zD#S9BWbXuXR|xXSRagxa5!ZkJAT zRb6aKwT#|h)OaMUCCRM+z|~lb?wXDP4(8g~CXT&46RWS2MYC4-8{AA|J!sc_cX;$B@gb z=RMMzQk#k1oLLh{l)0%Dn!F{#J)%Y@dwFNvf2M}@o~=$*v&2-JzQInovxATWk-_Kjm1z@FTUq(Eg} z-socMH{(=hJ33<{!XV*va 
zQQl=U`q`?3ckyS8byB?bUD7SrE-Jc_g(0su4U5B{dF2G+v+Ez2rf8~j893NIcM7ys zeU*hpfUUs0OW-+1`=dcF0)>{qGR*Jt8L*RufwVm zt-Q-kE=U@&MPA;{F-VR4wKOSvir%K;TwVr&ewF4%3($!Dh1C#a#O|zUr5lu$zlSCg z@o{C*y*_XR$ez1#P*zw){Re}+I#FyH*K6_9<_s;a;{cL%thluWc z+gV)9ewvRb=&0A{SuB5tySJFf6JZ(|=-b-VyasG5+enJNbg$~dvc|CYl>O1dUAO`S za@U92VH=SGJ$)7+cfDmoB!}J6as@um%}wNMHfWu^m?<-GtbE-uY_|P;?EUTS_04wM zs`2TWhYe@5sZFIno!jr@W@(bcnv~RFy0w#$N;jqf8ru&%M^}QCkLlb@CnMb-uK_n+ z5JYxw%U_I-74CoD5}ZG1%M*`W(Q_K0H#1ga+C1cS&q|!SIuEiU(!2p(f+C7ZXhvDyN3mQ<9>>kcjvMJP^L#3(dpVbJlUkeO9$sz#({5jd)X;V{d+vQmAwk;cQ%JGBqBZo(E)YM5`Hz7pgpP3eMIu36zmbV7|n%83@ zLo`pX$6K$pm=XKHi;x5h;b-}=w|6dnk6=B!JleS46SVKaTR@R^{5RQ(h{l3UlhQJhdrE)@tp64WY0MIxoDKpbC1+Pf2I?u#;@$(zh4v-|Fu_^ z60{ZXJoXD@*p_A-CL4LXB6k9p5bP&cTES9b9>%6n?Nv^u+bu3NX{q$F5H zhA(?%eup@uz3T{RTAN%R>tDQ(*wbBn-+U7>n7N@cV+e4qp%yo`F@ws@{5B+;$e;{= zJoLSI*`>7wrJOy2${{V};Q#n`QNQ^cX0I@rw1a}ig{Em|eN;f+@HDWVH<;zUDS9JT z{NA#*-De|)WrCWUFt%hN2&E;1No0knZAqI%M_>Dlzx5t!`i_Qm{3HKzxraNnK2-CS zoQ;k%IqhoFDO^L>aKM3ACX3J=$^7#%(U^7KWgY8hx^EYT`mAqASRU)l7a$n_sK+XK zPN+56mV6AVe~%1(dp$N_SmOudQ2w!dYq?2E2`@yXo$KYfR@Pn%96l+`NC-`POA&6Z z4-;xS?$23zQqULe6(C#mj)JZHAD#cR1E6Zv^NER%L7g&bas3{(Veri2D8RX;(a)`` zPw<-Fq;TbwqhDHq!@eKo*Y9fyZBKMG^^gqAqM;WxNN&S}$`1&>R_ysADz<04)&yp} z2Q1EUTxeDvq2l&}#T>rX@~=M3L>T@v(*&RBWS7XEwTv>?_As_@s{6T#yd((a{KJT8 zDZmP8qi|9HX$0D@-jU80!E1IrjEschl-pD2n7xi7b*M_7ad1v%&G;^i5mEj6No@+z z&)Fw>CN)ml`Z1!=w%TPYsp_)03ADl7ck*1^FKZ{iPwwnAm3{O-331TDGyu%}B?HOwCfzaTK-g>hAy zD_{WQ&d{q=&t>SyK0+Hp%bp85gysH1HE%*bnR3`hZeN}4eK_3uGQi&=xPm)x@H26{ zT&K91QoxFCuh$)jqEO|wb%2?m3*XgEfOp5u7B2KHt9mEgU}24Z=AKrAggGPsmM)-P zUendqOfdU=tiidSngxF8q7l!t_8C`zp#Oo`S&2WDgyf=xklsL_Opj?oLM~}%PdwA_ zzZl%}A&#y#Y!c_(?Of8dk4Apy0-e{~{%esoNTGGJ^eiKaw@_eo)&~2 z_PRQ;p5mNqOUCt}tjf3W21$eZg&w1shai-2#DR?CV3%|_D3DU5>51ykgIIgdB+zG^ z{=GGo`t-Ht5^pkLmY0p}D;Dj+vmFPY>(dQaTesy7ou$m$SM(Ke-k9YGPGZp?FSTz6 zMLuc(jS9SyNF3YX&pt>U5%~wNpdTN!i^YVbF{t(KoT}Na(X-6i-_=S4y^T9j7dUyt zantEh`;xNql3tmG1-Wdi=aI37=dnM537>RybqjMFfe^VGyvs_TZ 
zHY0Y3osLJYm%znX;-U8SBJpvN@!#Ii;ssj9E@sC|jV*rTT)tu@^VlqBR{q%6&U229 z&wm_VY3;jE$y@)BUSmQd8yr{Ltuj0W3}8Q-tPoISv(}+QdZzrBYwcYPIj4UMf;1n3 z<(9Do!0)XT9t_uf{RZ4H7Uc7eE6V`--GG~W1SMRyuhaT`OIvgZUTyJLD>xZ;rYC%} ztbHCD$}-k7I`3DzkJ_|3{asoSk)P{jD6I~d9%2bBl7D*Y9&#mfUF1N2ca@?0-G`6y z8zo|yvne?{CM{zy$3_p&rdeMTr^WWMB9z%k%QrTg{+7_UOYSNq4g$+ZBTp)Fekhd= zuibk&$+^#^!rnql`P=$Qx{UH$Ogk2)!7&-s$8ceO`-JzJSI&rk0_i#yqLW`DZIxAR zsB0KoBaa6qw}tbtvG!_Nodt%bJ_)lL&+w*FyUhj{M7Kh8rQe{_H&<5qEm*9i6Cui1 z{#^8Jp6H?;v<$oH^#N@^vD4JJ9fgh=CX$r@^VKstVdkhLH(0A)uiJoTk$jPb6;GSItVz z)c&@UMBZ-pqFPkk=1tSQ`;evsBmt6u(NQ?lIe&Sj6Ugv)8YRfRhT2%)x3BjGYA|G(k>r&TeFALwV;LmX2eVcE>c_ zuwT^&h033M6h@~X&L2ciwQFU_Z`p>`v2KiDY8vK$@_+e>83lisUFPZ-nL)EiIN8Z# zhO`!7q*|x)gB3`10gS3&qeb7`Um2BocX;Si_N&J=&WqHE2yFV56#>5yeRj*NUDVorp+=| zyl@?|Y`MoW<6$@+QnKVUxUnCtP*?NUPdgBMCOOwL6x!_l^W6|OkWb;Vf;wOVqKINh z@%gG|&Cgd2q%Ry%5>{$)VQ~FsVp2+n6xb)2}!E!0C_Hki&e zCY%1P3qu!8a$c|KGd$;C+2d(!^BeSu-TiA4$qdKMSNhq;%zL_4-xT@_XaOkVA2m;R z^223blSolFJTh{UoG6uWaWM55ZASK{ooDB)`{YnXljW+cK1ZTJXZ=RmfY^)2EZ?`z zd^sP)rm@nl+d&o^4xEFwwHn07ZE)VF`19qcy5M_knp&pTYLNgrvzrG1(%S&6Yzg(kd)msiE*+Bb8vd&7 zS){tR958o(fChz<8TI*Br5wUWr$=I2GW-N4;Nz!0kD8n%`Ar(#)*l|ZkNyrwCQJt# zX@tpX`{3NCc3NJP30AdittnI0NBQ@gW&nCI-&=g9YpJwcUS(vb%+=gK6U-hFY(C!L z&YNUNB4VO^F4ggX(|ug@>-lRfb<7Gwq0ghp$kLKxeC9Ta`Wlldk>>7{LS%)i2e`Ou z!YaiObLJow_7fY^e%jvmvbLw|U)JtBW~uJeGvugSF2;4+X`4J$W3Br7FPdxJksTPW z13BrtQypo^XC0$0;O;|cm1KZa?lCZ;dxIW6fv5LdGTTE8A&!HXc-ETkrZA}%sqMss zft!-HAETj7XgFXzH?8#!e6M9!hYJc!ZcG1S_S7Y&yQi&SFO$~fKfOX5YwHT!AQs~M zO*A%Ppvo#a81b+q=Z-zRhZA%{muCmHhfDZ;UXR`QY$I(b4M>>n@!NVt!fJM+D(JoT z*#SjZ$*?*-Yf(d4sVB^^*}3e{!sB;_#XI%9TOjs$d4{sNY}>-h^cq6KxKf(&L~@kS zw|uJ)t^o=8Z|uKmZNs&LSIo97F-$AEdL%Ml@yzC|oW5ufw+*&rWDTvR^Rp;1yXiAK zmH48Es+^zgzdx-)CHuuaQ#GLd7TcFU!h0qab-%J^IT6DAP8!DHH&lPpsCi7{=H0%0q%@+cH@pFx0IqFe=UDH;5j}21T{UItN?f zdrOaqk`rYY05zbeF1JR+o+zGoO?K`lLSjmhMYhLuXdqg;?1}4e{;7RQ?yi65l&f?@ib>JG#*^Q?SlJJDtuv;31Nkbi zR?qjXFQ5y0*i13MUx#Tjj!Q39)x+M>h3Obq^;~9iZAI>j!SSB3@hd*(p{8m5vkkVCO$-_j~sbU{4M0Lm)K{ewNV9zN4? 
zje*PdMHdbweG6|z(&JtmAM4istNkLec?powXM;}akI=U z1AF@87||s0WfxQBI%1C54;A7^`Cw{UD93z*d;=lYw7FikSi>E!OkYTw1zHKk8*FW} zfAtqAl7 zis|h~{o#LGB@Q(FsU#IP%GZ(TG)a-ibe`qs{?c655`qktxuA)O;}(i42-Z83X?;an6CQ81GR`g8vIJjz& zsNunA(&&iHVRZ$M^Z3_HJukmkNHmXzs`&r`77s>&U-Mu*CCsyI6$+riZ=(6`njZZd zBA#>Zxds;QD6{wIGhZ^A(D4ioaPIknkwaL^QjeAzM7GT1WLxrFjhzz06tHARb61=S7V$ z^_j}X&e?fiHmBvj%AGrVJm6ZJa)`$TZt~9w)kdPYp#RRFXtl2mQz|=;_fR+F+y?{& zpWQnv5V$+620(mYN2oBGfnd2N-fEr^CR6w4=(u?H13M0{JI3SDjT3tV2C&w9z~P}1V1PEs z)yq9bqwOobHG59huxWO92A^muy*7#tV@Fv_ZUI@Uv2&p zmX@tTcQvh1qorqa$!w)k-jP>OUU=Sh8gb){NX0)LsX^wNQ`b8!NrLql1m$^Ri2Ptr zTw{KSdmmFkW7`QFIPdIgR7C~_Bfd`YzChw7$whD8mBXuz(o&IBkA%@BkD@lV zZX&uB=p1n0I|ysFe4s;|)THW@DSFBcXh%xlqQO^@FDg3@t~OrR%3cSvP`5?cPjrp~ z%xvkyR z%E|%4v#kLw_oVW-KH2D!_F28G1UaNW*pZYa{W`B8?xfOqXdyo}OFAoo;lynhpD6O*>1f_d9`(erT*T9(Ww(vv>2?&8NF}LA!O(w)HJWDGu1F6;ld}k^zrBqJ#Tm{`Rwy> zel}Ujc=dhNO|cikrG*JG@7ib7;1r$s_@1m#%N#9@R;68{MA?^qM-=Z&GkB=9JaJ8g z6VnmzsG9eb85ONb(t{=pWzN>`Wva+kBHTFF=b2Xe_PJ&-r&Hs0Tn|XOca$%FH_`s& zqJzLaQv_ZtJeQSYzF%9D#`a?5_Fll9*HHEJR5pjsWG=1h&&(~=Ido~wpzGG+6Y}3oXl`RMSpb-{MAgREMcHOGDW|*Or8d#@&&gynHL=cIfJ zs&M}>OZy|HCMOA@%0bd8+3pV8uCeI3m*6f1(=P$>olbZcO4CUp=t?-_wUB3y6-^6X zmFKg~?%M0z);L=(v`2up&yICQb9>5usEE`8mBJ0_;kcBB`yKdbt!)@U4|9y?byIU@ zE8O&1y*EF|x4X3a>39aW#U~(Qs}ZR^78+80tVXc__(b>HcUYI&N?)`hr@V|;%Z{ZY z7%%eimu^JD$TuQbDlT9H`B-%);n1l>H;6PHX5*!8Y%=3^@y6q4ZdhBBF^(2aJ5ke& z0f9bf@$wffpYSzve6ry0SAs446%yC9_?o?HYymfS8hLtq&-1|p4*!2Lvw{1nEnU?& z7&lsHP%wZuX6o>JC{_IxE0Rj-WV`N!6P7Wb5Sf-y=iI3lC{QQSNjTnQ;yb5Ci1&=y z*v)LAP*1+y?WS9kIp`GX43i<-DZwMgn+Bc zYK1Usw#|z(&g64Nn--j#a|d$Q5v8#wDV2~AFh<5VP(xNOi$ix`oyJsH%*i??GcN6*rO*uhatgZ7pvYfb8d-XVTJA?M^OrXW1 zQnG=C5j#Daa(U9}&ikFpj`IG4Nq(|}T-tgwMXT=T^X<&9_bi9QM6;>isIjt);nojt zS7rl7(JSn_97c}&^0blL+w!;ddlie9{WI%Bj&DEdf`KV_>2%(?MTc|pL(DBFD82lP zRG4H4Sry$Wd6y;oxdl&?2oT1E(4RCoZppjkYQ{a?lzmcs;Uw|kHLGj}5;eY7gcIRE zs&T|@#uFqUKv1Hin#j{-+qQ801A2Dk{*`8H z_hUd^@uJD$FW??73+@DUDK($GU|zI^k&$NXWi7|AoPTZgY{tnC_nZ-IGlx{h=mfEb z4Q7;Je3ond*B`%*c$F{tuO8MYv}om7 
z`dy*gd|xRRaXdLI>{$n%(ObR(ruBggxIl~ZGixn_r=3AB@f91e=yXzY_g}V1@x1TB-}_q^$q&DBos%?71WM8Uxvd#=?|S=-ouFS z|1>iPr%9pIO1ZeOiaB2?ABcAq?vrjPf|0Y;b7t>K=&j8Prp>B6EBvc?|2Wc%HME}uISwiaEF}LOd^@Ul zP3G6XK-RL)8tFDlG%t;%MLfTbO@kdXj&bC6;i}F(_zc-Xg_ZdoN;;x$YD~1x$6v%e z0A8)_(^wCVQ?N#Z?>7Ut???x#H^)B|xRkc>qY&o?q?6=*h8`8XExGywE$Ga(3P(Ic zN@*?u`L;^JW!tv%I20824Wc5wfq5K3f|qQYFN`1au0fud-s(3U9m}uXdoDS7Dl!xr z2uS>E<1~8G;=M+pZ7d-md++*5N!P^!o%X^#j22_D?~f?Ln5|W|8{PJ zUMoy)68&r1u|G6)N!978krR{UTI;i6b&LZer()tpMgr1c?iT2glu2k z7VsB82CP3zO|kaj15>2@>AokqI=R%?^^aqhB$Ycp+~n5W;>QFmR@OuaFd{0Qy=G&H zeY^U|yo#If&at^)G2QIZj!y7S_Z!>eR?y_1tfQ$D0@7y-UC$^BKGf4}*2AOR{@JKb zk_l6n)n2*^>hgCb){XwliJ@_`Rvxe`qR@SkqD*-Fwd-=qLB-Wd5_DA*^+(wMyRywq z2lbnq!_#Nt3J8F1|L=!kp-Pr>AUmnINMgXWgZ8?jcGy$m&t&Wl$WGu9BgBHJe0d@w za+rvU@fn2mLrj<;EjvH?3$^SlG}mBmF>?p{Wghl{Imzag; z3EtZq?-wcdX`MxPnH=?8K>P~H@It!~tNqv)cRmUZhVxCZ30Nkn0L||52pbpcMTk7) z^Oz?o(>wAIUHbkE5qTC|Y{(J{Y<#FB7ua}f)k=Oz7ZZT%16t&-`rI51ZMFoD3)a=n zl$#AmCzH`%8XpmEkeKAke@c>{d@WD;lSA>GT}i(Xbd*UO7;q&U7|WyagJP^i;6G$RrWDXyG1FGH(dPO)_`l{o1MHEa%U zUKVSM=*o96z9fi?HKX%6DNMG-viT!Z!`c4w+1}V9^gkVaPZtstCxEf-^;gqTaAwdz%Z65B~Iym@E_XVG-?B+kP-bCYzl*yPE`j=9Tf zF9@&r9C!FC>xl^RDRzKq;LiTR2i`2DyYY-h!MyIL)K`pg8&Z_U&jh*T9(_SjyFpjb z;|Y13>lk4JLanb4gC$-_o?k{qH$8q3J4-NpK@#qI!|v3%B%i5sH*eK02Xe@YE@tK( z$&tS28m!MlLEG=jvK4%D?%v)T*SZvcR#PXhS)jUCW;QnHHMpW)RNMcU?d->^l*Mno zRSzwN`%f?{^ZriI+B1|OD8j-%0GAI zD68qYBJ}Yu7$R0DrWBFQud<(m?ir`#!G_N{`Km8JO6U9?p6qdFFc+HTk~Jq*4)H{| z%uV*-w7Tw3{TtdR3U()OK_0(ke<92ongUhuOy^+!C)4A;6E`!-rzx|STE)?$$W>jK zWzl(^S@PH?Z;SOYkJKd{QLmB)?B=UmFw0eGN(d>RButl+g6xA@>F*<=M3Z2;`tOVE z5tQuw&knE9A?shBi;KTcuyo)4O6M&yRBWl6Eq3XBh$Fjys(Xa)>-ulsXD zV^|g46kX<~wvoZx9Q_6m!i}#>ZY~GJuC!Xz6=Ce!8MZESXhBJmR7rQH&HrvWDBxso zgZ3`;zGmlr=OKoUe#dI&j-dUx(9~{0xQABid|m`O8=};9P_S@CpAr;oLABYJ(<2&G zrSUg~)IO2^VfZ{l#Xe>!a<-#uQ&wMaFPo77TF>+8XVr!dvNL;ul}DAMRi4|4!VPln zrbl|~j2-oIi2L}XQ@jH@JjgiRw-r6Zd=e}+r&@CVNvWq-DDxofgmcS&>*xI}Urflu zuHCTT_EsKKfNAb$o!(myQ(J^84mHcgxSu*d^I*aezqlO+ 
zvLm>d+5WIRCxo?fYN!5|o{(hDH45zh$+NccT64+m+W-fm|4pHH;1A}CF2ZOssr#NgCQBeDCJn^k zgoT98%5qfCOwv|47#sx-esR1kkiyjStI?;_Xtv&&2uayfb|vP+(8T3v*) zGLTm7&Zt0jyNuM}+}`AgguvQ3P;2mrpYqbhQ(EdIbzd_Vw0FT-&ES)B zukl?wUsR9)<69}xwgSN3c9m0zVSbs}9IYx^QMidnz-&sU#UnD$Ea<=^=#HGWrMIR^ z;7Ov+>uj21Z4DZ-aih>5_fDAUNAK_hxkA4_yZrS%g`Tq7{7tTE*B)u6F_$Pxt*VQu zp2OlMtEP&)p~^>+hH}6kzBU?apY(E*Oq5?xYN{JP#s%@wrqn8BjpCzYv~e4mo*b2w z3iK5dKG+a)az{rYWEdmedaT+Rez+bJaNN;)s&+ld_PoEFpbMj(>}E;8DVA*U>|wu^ zL_~;~y3dICLv<_Jj2Pu{Sz(8_mcJASc|!f{pb_f~uk_hZi$=D-RyT4cLfeV!fsegH z<+$Z#VfR#q-4vTnzP(o30nKawg;1M+pJ_M4euu1uP!C6GfnU+)--KR$V3{1wKbkQG zk+^pJjS}p(%Q@?N&#tx*@QRpcwDPu zoi^@rdq6?q7#gQ=eI2@LQ)dv%6~a~Y)OB>wQ!$Lzz(yN# zTrk@$-+&&YFukJFEGc$U0C|EjTt3W+Robp3KQ&-zRe?6Kp z5zLK+6#W%Z{ycG?+h9o1T!C^^wbo0XU+gcPtoV&%Z!dKm+gJj4T3C1`A?kSTyxP{# z6h2u-)6Wbicfm9QEetopc6z)R60ZF0frhFPcHsuHsL11GuZBqhSyrm;u14%P$Mq$p zF#;$#gMNJXTXQm5;XC@6?}VD7Okd)uNb!f#7*{d*^A&xWPS!$)(kdq438~L-Pr)6u-G1cH{J;5f8b< zXuxRm5QR5zw$BolSnOH!OsO>GGXUaTe*^vvHea^#j$<6ob*13Em(aBlZV9C56S6#F z;xpxr*v9WGOU`E!0+v<4d?r)i&0WDdrCwC{*1n&iKAm2DddVT!c;^S=u_p#A?=8;bk4Y4%z- z_~5#5c1-s1J3>nr#+a7;SA#&{7FE-ToL8)4phIu}E^BH22hlMc?T-ii;mi?xB!MvU z^9;2>z&k;y$q{)IXrsmRzpO)2{g-4VvSa^4+*<|36}8)<3Bf(MH|`eP8wu_n9D=*M zdywExW5I&EI|O%kY24i!J?vd|>-_iDt+Vgjt*>f5tm=oZx#s+Aj&BSTtJ`$+`_C%6 zH|y$nef!80&4i7&Imhq1+GS$QVFQ>R1lx)gLoEHyqcyCr?S71dmur`SkI(m7=Ka2} z2|UMASy5EeNm2n3b~P#4xN9@SK$4b3B9ySYxmNK2&-vNVwp)!N)SusV1(>G9V-`p? 
zyR)O3wNs~Gh%uUwxlePU+s&41uFs4P_C%&ThoUyNZjaJ_^UBsW7xj;PbJ!XTms~wv z=%=b@8;ebq_|fiyOTw}qD!z){mCgLVMo)xyf7^8qxqErehu|(o!{%VORs)2M9iqZt zS+n|4SctfrAt@yHeMdNG&qjPvg!(*o4mV7Kr{S|qA8%c7xZ54pw)SlmE*v2}rvgjqqA*0e64m1iMd;3n@A?gOZaO(-0Pt&U=JS80v*Ahl%98(AwKa> z;(LU4*>*fBTIG6IGkR%+LeL$yY-goV_83%;6m&=BN(rbQWts2f|8DDR9`kWT zDLmw2i@r+6e~K#Lx6n|l52w(Ab0pOkG7^n~|G&5Zz9Y|o!r5hr@yWjWU|8b=1G7B> zU&$yC5uHXGMqtijH7Ik9u@-Qh1YJlM1mcUBe`bL{c~S0bb*d7x+k1cVg+7Set3z)# znDLiM(|q-}f^?<4EiP=%zPG+TyznDFhSN(t4g0=Z^*i4INPD6-v~Ah6x>oS zK40X(#}vojeEhP`2$ML~?42sIGR~D``42W@|(K4Fmfoh>v zSI~&W6i3Ebvxwt8MEM(-v*4FscyUCrcKPy!;^i?yNa4xh`+x+cjV0%)`kl`y2TY=c8>E8Uf=D<%(T-;Cz(&e<0 zb$=MgI3CO$_T_o5esB25=G#L;9Vy6v{`r10Ewvj9CS(LP?O7k~AN)Z=5{O7b>iLTb zu4CmA_`u(0MA@U{UcCLnWEtN|8MxMKg&r#4ln>25Rkuqmb@nu7rA8-l@%e;u31z`3 zxL_VKtwr)}>=Q}EYIogr1v4VIw%N`U`_R*F!ViK0MRbc>bw*T%g0B|65$-|I#3uzV#w*cdOP_a7-uM5hq|09ceTOPXF z2`7S=2>17UdG6~12Ah-JcivtoW;P7)fV%*1&tRu+e;}0I<3;$p-{S>bPAJ8}v$Q8x zr{-hT%G<;WjnclcJk#`RQy6@a z2xGketyL%2 zyVbR{`c6ofQS)ZR25OkX7M3Xc?jr_2r8k53ZI-b=gCqtM&Jxy);}|}c@;gkf6o>Bo zGL2J6w)k!-?q^|Yp(Axxf`Ch0hhDsHKz~HYk$4ui#P_gq?Q9H^0PIg|9EyOQi2v&C zy+IH*;LrKVJ?g$2P`7Lt{r5@R4S0Whyr_Ejd%7t8?}sm15DUfo3L{xSvon(H)h62e z>*aqv9_##oK@V$huTxvIvN0ahU;kN6Ym)s-R@PG4?U2SOU?`*rWXA}V)Xz+kV(apO zV2~~E?ooX;Qrb%7V;rI!8>d$x$c5ue6;k<$HGKUG3KXzs*_nvNZQ%hHK&kwG1)c5a z9QCOWn@iU$BXu-t;4<9~xxk(oRNSw(*()KL!}@l8w$Z_F)EB0v)n$}#VrKTU8m|=_ z>^u4Sf3QG`&@TwJMmw;>BP+#Ew#v#HQti0djiKUt(;;70#YC(YI&FrRT2yOm>wX!s zaV!?wjMsBAVKVglY%B4|NaD$&%*RP9oAba{dk7E|g^qIbJzZI#286?8Q~n(A5zYGs^Qdx`!ul4jIaD6k0IrBvCn+!djIt2zkyAFMmR zFOX;(+V3$#|boM5(u*doXP5$ysDnrp> zOCxg+>WBObz9Pc0kBEgbm+Y7gcJB5?2VEr*QVU? 
z?Ii)=RO{pQN03@9ieq}$I;rcMoOvf9m%yUCC8OLXh>%)O0OZjOn}4z2*o$egIIpXZ zuhshS|6ygyiGGa?pa+aaD<|jl#8QW@D0t|5q~OFZB!6i=Le|NUz1Xfs4C|{t>GiPF zuB@iOQ1j3a@$7Ln#feP2OfXE{Kxv~4xsl|1#;+`F>6{+uLnzjIQ9QUwdb4-MPh=y6 zdC`EpAMy2Z4>@=LA8gBFOV}`!JzGw`U&JCP6UQ#T@ay@=d#?vvRAS7;3n|Wv>y113 z${}6hMc2}k*b|2evyy&NiLw>olIZ_z zJPEv8zXHoMu&$P3S&=?++)iT6j}&$xB;3f3dUQRp+{6gr&O_dkK zVY&VTCY7DqC*P7zp1-s@p;w;GbOen8OTWqUfR+j7uc|-t7K)DRyiRvfEZQMe9x{9r ztzC(BMZwP_O6=N%0sjBVS>?xl`4$0^_Bhm8BKX%lvLtF*FyS_Xu4e8D{ge+ot`jrV zu4ld%3TBQWoWNvZymTQn3uUDk?Ur{(;`y<3jW9b9Tt~z<-p?t((6?`R|YXSm*pH zJXAhx|H-D2@Bk^^aq*j-C|TH9;ZZMLDn(2o8Qx;c?RVA}Rsm*5XgpkQ#!Hidax7nl zkXy%y^iPBJ9x=BPxM+hTwH!}4ZZ{PAe~=t5dpYa`L>SPAr|B_A4*o{sFz8AZi8CQp2tIB zmks|;1u+*t92MHWInHo+ZZD(F2_1|tf~a061ZDTf4QSKLSmM9!_$5sc$0m26yHsk` zDU77D(EKLkjH@*rktvQjE3^vVF@2s8l*GQcF12AT=@B#~BHi#reTgBuG`?^*X=EAs zzpd34I?>h|BXG<^d6*K3fK30;6Fv-L^0Acy^Ao;&{hF@h{w376@1wnFmOPWjuq6q$3cG8K&bUu<5|0*pGlDfWYycJJExcTX0RODAXvrjg|X!-_)qDc=B5Q zW_IgeT{R>meWxkX!F4*|bBw6JqFD;o-!-`+xh%Se^4BJ0f~ShH%v5^bwwc}gwm0Tj zp<5Ps4n=IbCE+l%cMX{A3LP%EheoM|Fs7M`S^wK+eooOg7aN*bpi>oFqhwRe$nUS4 z(FvGd52{87z2dS3B7OP^KT2~cahOO`K?~|K)Kqyd`&Kl!v?d0X^tg0t!VUWD4=`LZ zH+!;i>)y3Vz!r3W(-6$!ZE++^X8gAMmqM5_pI@o}H=w`5ozKaZK5WtQ0vEY5lV-&GsLF+z@V?j(r6Wv=zIUcaimT9S$e_DC|HRME9 zfud5CnF}Zcdb0*rl4VA7*1iaI!6e~m`K5aakRM%Um7_=y%i>9X#tC&1B z=Ov(EW>>YxF+&)zQj_QlsZMCSn*XA6{4|%>hrX}qp)EzCI+3?86cUZy?m`}e0|vRSE=c(by+uCZv08` zsG~tpZ^8I%c=KrC|L{)Ieq;K-qx=gtZ?~#`d%5dAOq`bF2T@53pw`)&A`p_d+(u=#*t`pCiN9!9h% z3hAurbbE&<<_;wHzN?!w|-6vo2rHS>npW@rm{($>K~EVOr`RSx_{%w9vzz* ze>6*Fa9fj)6U-+QH~R{O9vq$GHu`%Pp44T@q2X&AU| zQV0*m63yfZhGRF8^2U) z9(h>A4P(s|AeFj=my4@BK0d(NJ5UQnesz1!0s8qgA8VI*2LLm3H9{ppK9WzG9Ag@P zZ{Yx=bitYFJ~W)AJrb(8S>jEIb)|$2;#a2=8CWD%OueTIz5bzB$v6Kj%(G39BVLFOtQnlkJda@`<8QiV%V=) ztds8~?MbXkcYZ%yl32MgCFrXp)*mPIG2B=X+Rj9E77wjwv ztDF9x-NI8x`%~9herKvL$VYDt3(Qzuob3FEL%5W53~&x659I-7GNS>#Qg078#51_; zC}CKu(%5XnqTl?=*Pdb}zj0U4q<_#fP!J#R_g9B)5!o$fj~#k##g=0p{Kmqm69Tco zF<>FaA?5k~#h-Df_nwu_h?r`^I|2ePm(A}0N8J5^J_ke!_?@Xbu;gaHnA(m}4~%295J)1U 
zy6#2qk<7>_(7gGlotbASns}d!#=nrnl-TKMcSqz!d79tgmP=N~Aa~*7uYPmOQ zm8}|HcNd}Y0|=nuOq3uZV4X;Z>W&ZN~LD<~H}!8Zy)G=(s4P)ovGcx|zw8Jc65AOBF@82?3ksRIRq_&CI&X4y%Y4 zSS?d#VYOib7cB3S`ma|qCuI$mrkOsE2ac7?4aY|Pi?Ljl(B`nFU)=PHWz=fXr}>VPo*V|V(5nRl(ICE2-p%|pd0RTPPy&)bpLQ_)D8K4n##)bcJb^&X&Exh{ z^hYN&^b_7>3BQ}{yh^_bE=LTv%|GWDE;Zq|Ibr4iX-eQ@l(NSCIpc7Sn$)odBh_-i z*>f;8IndRnq#E<04TeF5%6k^k6VlMMd&;huI#Vcf{8PLZM+V%>Nrh=V{QpR_Q@^N* zrUgEK-SB%5`(XRW+>PoH+gm;`P&Zn$EY2p?H1JHHQ>dge2W{wR*8|VFfg2N{6%`xn ztS540<6{wTmN09D)|r_Cd89FU z_AerKv@DfTJpM7+BVWWt!LT#cj)fG*-?1P@P$Ne>l2)UqiVYuGFztfn`w4>^Ov#!bWyd||0*3~U)SCnD92L!CnqeWLhBaA3 zO$u+)bxcF3k3-g#@M5BZsK5)}CRAapC##NfzJ{fqPAej(0+)Y!t`jFs^Al`-boutA zZadGcE>9nqfF2*FiFWI>mL!H9kA%IYoe(o)RXg&g5AMY$GRpX0m(D~CM#;#tT1NXi ztvZgqx?W8_NSS~l_ZzYpaLI*C8B@;(+}Ovj{@#$Lz$S~{X?#0v~c_L8o3DqMtNZZ|l1Z3;x`25<@Ndb{2p#9#%mx z$s3}8o8ueFnBE~_CZ|oeCqp&t*}*4UrNCs;v#kb} z^>UA&ZEHxet2ma0fnTRhE7;fFb1K{`&>tK+<|N#WAIwe) zCplvwoS89I)ZmI4D^IekARK}Cwn?XIppe1q(DRda=f~OZ7eHD@^^)irW*bl7{O^s@Zc&EntRKHl+~h79{z!X$G{D;YN1WF&nMKw+LWMPi2KWO5F=vqE#7 zm}@u;|KrqSxt@euL9hS|NP)(LQJTyUP$ZbIqQY*|AdTBsW3rBWxuYlBGn2S8}C$*k2S@4414QahI2uEJ%vNmcA_PjQg5A)ipD zDT+91r5dI)S4H=#a6xZNP{YjNN~FY)6azKAJi9o=^zNQ_D_D_=B??po35b(; z?K(mZ6DLhS#II+NGnU*py*kPbIHXrNq~kSEtVTd3Wd-)JjWcz=>{|6gdOJkiuZD_E z#y4Jkc8$Vu=^-f5_wru|tO8V|w3;NSj^^4c6_R+E6)hI=h~pGXHR)+^v*yJz=1OAR zm;!T!x){UJUFTDf_wJ|;vPg^FY{;C=?E4Jf8j8lVs}j}y!VNtdnHBA=w!dDSPzf7EdR zKM?6_j@KvWRcsZ$lEcrQ6@BeVsdp1ut=i}QTNi9NxW|4EuXrus6`@vYV`9`j@>vIQ z=f3bi&n-v0%Ew%^TDvTy7yg$u3(0rBXTO^Yy!xG5->5gW;I7kyeqLwXza-`w_Nh9Y z8uz-3J?fNc!?YZ=vKLT74}lihe{0vA2LDltHu5|r-2Zy(`c*5eL1FQpX)kf{Y3J5V zTHS$EPk&+$uFp<@CBp#9oR|k~6BJKZ)%k|=&&IE!UvevjbI@QxUWkL{p2 zyFqrsZb*4cyFVYGqPx_hh^R~vAhp#tu_^@MPkoK$F!JI4@RpLB^0By+NQ=kjM=jS8 z4~;{ihH7wE6#?ysycIeOB_Dj` z1x2jxx_6422A{Q{wLdAp?mc-c~8+8y%7Z27J=zKDj{X zA5nWp=I1GO6Ff}X=M_jeBf+skOnse1bS#~>0A7@gmU3XIvrdz3qWk7Mo^}(9QE^k) zN~eHYtOM@vLFvawR=Lhg42H0h>A~1udvF>rwpWqUEi(Lswx3ZAA=l5*SAG44<&=Ujr`}yWtGi8Msn?k!pFwsAZBw9 
zPQw-N3t9UQ8~)l}_lMN|Q6D-gygKK)t#a9(=cb+)6{&kCMijY@tDl1gCU+x8nd49F zo{HDrt5!{yYxl0#qN-%y2T9^wZqFLeRtvResre!(?6bX2h2{zgnDL-Co9vQ%3{X-} zDt*+be{6n?8ycwTID zc+DMOXPzgU{XQANjQ!w@YO+lot!xn=_)S2;0%Vtpv0Q}hy?;~bu)>C{ioeFaTkUDl zMav>;g`+-8Fn67reYg|K7Tm#8RV$j4ABO&Gw-3wLv2B3(+lp27{4J%n9IsR0H=cV% zTfJ@P?TNRdFgkNYqA%gIj!u2jN_=vkU#t%+X5cT1?+Cei)r1o=9xRl)vVCqH{dq4y z?1gep3?)jXJk)YntpF0jj_^7rA(sE>tp;wUegTQu>D0)r7|bhj*=~?4-o1ZcaS;$v ztZ|G{F0^s?JX-&p=ByvdtIpv0UXfZL?4+0_Ni>n+aEgxZIIY0nWYG+|-srdSP!;Dv}`NFPg!l%NZqO{G4pdb-Z z@b{8rT^Sq&JPL8^h7>&pRgrLf;%mP{u#TFN9Lkd84$YB({Y26*`mJCU4T67&L)o{n zF9J{9Su?HUEi>0?+SlD3O{0~1{CS7f`pg4sNi=6~u8X$UL-~qB(ljK+EA?a6+zNE# z26fVv5O4dI`{Pm5^LB`Z*w-}NW)U1lEi(3fmQ*&L{@o07(f&U%C;L$7v`#`Y^3y@+ z=;wVtw+?_jGhTrVy$VrF$mQDXr`WYYywl*EuvfiOPMjQm-j`>bcTJRsxcyY>0Ms-Kv%8m^B+@ zRo4XGSJylVMtNq=Q&Z`He?eU#{lVdmLsHuH73tKP6V^T_ppwK+LbNS;`u0d*-TwhW|Lsy)|YfxG+JHy*HYiY=lm)+)d7V zRBLjia>&qev7{TG2yw&1#Ue*yoRh3*W4x0aHbCI=>`-MjI-` zH6Z18KToRaeA2d>FQv29Zith-crI?gU1>}BmFnJLrLK}sfzQw!TBp(rdXwF@_bLs<~0_J z-uo&as$AowGji7SqL)&!LR&1xU(G{JmgB>P&T5$VVS=ED?j@ZkPu}lMPg*zcY?<{AU ziREtzSkAX2gq)VJZAIlJeE#f3bvjZTgXPg^xsDNZ$Hd3`=w#@RJ*UFTZ+^1rPM2p8lj+&F>IqNVdkgKqhA4_Rs=mWSPD zohCgv30V&uH0SVr#GX}ppU7$=$<*oMRZ|)h9)6PdfUD*DII-};8EusK0mz)pkd%y@ zR-lwNJ8U_TfQm|UFWqpEN|EB^*rNmRjT+_sEz zd4ID3S#2M6K|^f12kEi$5$egr!iUAsIvBpd3Na*7D<%(;cnWh$&CYNg^*2>@L74Zo zo_8~JvOkUy2{U%yT8}5=h1-_0KfONVM;tG52<8l>q&#|Y?G2Is(R3T{%+joz?fs;D z&JK$v z)0i~%{g}pz_k8h8sS+V!08ySPE+m)zFl2tTt#)N-FN>xbAtFwYqw-k|{ z@%@L4vn$KjDYfKJeSu~m(B_5icp&cl{qce>pW6kM`=(!h``dl^H6$D`y#BC3_rY15 z+@SiH%cnH3)%qJzo1zn)HO!UOLwk{r9E!ZZx?GNX@TloA}=G*jyjp z3pbiAWQ?;gpE}Z?YCz!&cuzh3$H&0il9J6)a6LGm`Yu1gbEZa1)4@Eu&y+k9=O401 zxVyYo!a&Bq%s5ZL5qFo#HW#81NKcm#efJN%jU5T;Bl>~u#{94Mb{Mslb!=P2>eN1M z;1DJFh#IT#qNvTNFZSRdG!==4ev87V&sB4n+rXE4QuM_3Ifi)Zr?)gf08xX|JWH+2 zKN^{Y4};&bO+D-7xn?I1VFjH?Hr^4apa#Y}^GAKWwifs|C^Zl%?}2a{H1)S*&F^IV zdcperBmedg3H2{2vAn)`7hp=ybUPYlW$9UoACVj}Z^2Y;*2afNd>$sW@BA{pV9JM( zD_rMZmAKb{o0D*2*RF1m)cz?F7hfJEARn5??|wETEtQp|U3w)w-ow4&rI^9RFJ0Mr 
zOs3W0^&7Fo%S8~UcY43{O!D*6OFu&rRl1he)Ju7Bn~uQ5>q}IX5&4wPhS$Rv$Y+3$ ze)UZ8VuVKt?u7a|bJA+Fqu9}OO)}yREp5T&Z|!#b&eu+Xt6S$shYQs}44}&uk-?J< zf2h*Kx?4pw;Z@k0?+#V1p+*J?#rt7lxXEt#r1ZrO|40JFlAh;x>LfToc`_CN*BE>s zSK0o8QU7cL&n-Jj06$mNd5q(^oy}lqTnj1>-aqB=Dc>KH_5)SV>9>`~gk1vMMVst-%gy`lMw@+N zAnSmDN2IZDk z8Fi%xf%!S>Ogd!B`6{7s=547H{r(}Tg!P{RGC?&B(IU3?UjdoKzljWp*@NJ;X@Ayq zJPr@M4Wz+RTdE2N5KzFa*5%5Kx4|3^|8YN&?Xj=8K>8Ic9q8Ml>!%OE=YMg9JP2|h zPZKWeImokC&|^(4mMB3He3?Aj{|sJR12^X}1V!8hKWqe=KU<~)-2&<>3^4DT?*A4Q zlRpCgcQDBQ;xCQrAeOe`M%Q3{q-*(HE1gybZvK`FlB5zbc3OE1O>@3T*5)jui-pSA z4AQG!|JCA)2EwB^C;x2A*Ed$^4Be|UxOAx0i1Olp zyVhC5RFZqjLXz(Vp*US+HAz)ybI#e!e4r&8`Pu= zK>nRLJy1;2F(2G{FP_J75oeSJMB*OEh*H5@7P82*06J*Jo{5zE(B-$glg2Yb-yGCbUn8`>%ynxz+eL1D|6MH`h;6|ZUF zrLf`s4y4becsDcj^AhQ*E8KA`mfZ=vyW3q*yL1uc(0|Ty4x{8gD>xC3Y0*-eN)Lm0 zEwdFCcrPk6%a!HXY}6yrus(>Qw_;f*qnVkL4?kqP?!k3^76*|8dn8%pYuh&ot3O?aVGQPp9D^lX^t$pH95BUn zd0&0NoC^dKGe9n)ijcv=;!*h~5CTayf@u{#z1)E>7250bH-XXT zy!Lsm#o42yqt>Dwgi)#=xblIyIkj=UN|a8vfhvY_Ov^LU;=6T?)RFvyM0)?%+5-Xn*FL zjcEuty6r9^l_WHjQ{XpiRqy(UHg$OEuR@*d^VJB;l!=$M>-FYPh=$`40=J}g{v^_% zL#&KHZhd)1y&bvx`V~kngAWtUp2l{tfNqv7&4;+6iqY6FjTY0KIf-vPW?rxP!Vg5R zssDgB4^MR0rzTyZu8@BF1ZS`n+A0B4yi+{UGujn5XRlA(n^d;@PhXFW$0|@SS=)*x z)RZV+nDlY-)_=h!fF8$2q`!6msB_V3!q} ze7@d#9KWZkAfz8lc9Z6km9&EXeZ3Tl-pc!0Oad8j__i}3%eyp|wbNhIly81b$Kx)_Y^H!-)b zbYj26m>4*xm&X%;jJ@xYFJW3mqKRZ`Fx^SLp7J`I&Y{gVDALLO{hYFxY6#gh?$IXD<<(m=w0>dcY1E1V`2}m(!fJ_}pHZ*WwdIyPhn3 z)i+T?!mNB#6fEZ-`bURCc6c|XYvzIbIBdLxJ(8Ntf8j0ncC(c=^C@W4>maM*RTO+n zPUJ`zG)%|+#mopwsmhZkox?xW=HIu2+NqZvW`@wLu}Kg@#1|1pede@k<)Ig_xfoWV z*tmyC<(Dhx)o`M2=u97;0ErQhnS~?=fEzz_-Ff#M@!$$m>C#i1+S1fu+D>V9*EWpMs2#|}KG(BDqnf+==>MnRmqdW`xQ>XS_T?%pv`oAI>iIpr?ugPRLk9J<*?x(1 z-sopUOzJI>-C&E_9c;46?jgXD?@+YmK4?Rw#feJ2=y0Z{1FLt%m@^5=gCN#fgyhRX zC{O_ZHixDJbWOfMB7T=JcTRIZFaIV9@R!K;-gg9jYLkW$3^AM#R0BonG?rONcpivgJzOL4`d2{){W$z0ub6vT_%e9HZs z+CziaI0w2889J2^KpBE6J8f2yvvIJcD zSfN&QL%Mh{bP@YIbN`4=k=$ZHFSgZ~u|y??%I2<1i(_AJh3vGIIUz5?6R&d4-u2<7 z^|T&^o$Sta9*id0TV3 
zL1_-o&qOACY}9p=;0~P(QTY%Y&aU$KsJN5^1t??<2Tn^Fm{mPSahP26gnSnSbWPgC znOm>T(giJ(uqroH_I=#Tqlq{*^!*`PM3xtSMud7+q@`WY)Ua0CMi*=~U`pyH`H=3= z7G#eyxs9^EsmchmXEJjj2P4N6b=AOLf`2^(p!aR<*M-_G{SF69*i%h6Rm%=mBbkGk zNf=2$dl-v8+kg9xc`BXRQ8oGG9E6L69gv)l)~ol7S)XtkubFZ@nvK#37mKN1$T>pt z=MTunpyAQA8)Z}MX(mz#FSo89dUB^{>TM-otVXK=c`c!Ear~G*4whSwvqr#?wl5Mr z-7cp+jFFdZIsObe{`_BgLa|c;dDP8QdvNe_fc6Xgzlk~FJH6(kuMZuhs>SBg5-P4A zkj@+v6F30*NkM*K&dZdYR)<~#n7QZMFMj*?@HJ0s;1a5*dgZ^UcsDt^Qz!}-@}A-T z0y@>ZU#H?91QiCT5baoksR6VG@O^J59Vhhz*i^T`%Nc^x+k1O!+kDg!h{(8DuE)UQ zfB*Yj?idN{RU~j-NOwi`Q=8N{8F~h*86I*h5W43^W*&!1kaNbPJVesDL6@ima5YXV zxUpU?O)+Ow?{etLce>MFkr;(Do;iG_w=$B@k5vm3l;!c-gJz3hLD~6ojm!G>8dqSq z_6dBXHG@MCWIPxX&pz>A7nkd0VYz6F;mrDi$P#CL?m&FThc#FJ4~;ohcX8ex8ENUT zEvIzE)eoT#3R~~{WMi-F&pH`^QHN8*NuB2J%w2~zL^t~62l_6Y%z|E0H0B^Vkmt&9 zt*3LV)uNN8!}OTrOr9liiCPIcHQ92l*BLCfi=&DLqNMoY@q+Zi8|#@uXTW2gI)5?3 zyyKdHJaA#YOg(YH)@n4(9&R+3CEU>5HU0L?HE1QefN9|afq@n@I^uMag?6a${DHno zoMURYL7W5$(Y9TF)vrvCy^9=DtJAId$a9c{M$h9@o!6d!ip)B`uwW1+? z2Q{cv>hi{&YMyQJpSSA5+}uxK$_EEWJp(=u@et8ny1d@adW0A-UX}i zzuRj2DgXWU4O+6s3NWifJ)uQjm=JkfaG{BFGW?&=`xq5e2fb=$+cFp65i&e3!)WoB z&Lp2gf}?&RxgD0MUU>_EAFoMTM(MHderT-Nep_0BZ2-k!wgyH@&KOAn4N_DLR>)J3rf;0A4|sY5kyU(2dV=MgDPt+}22 zW^*|#^P;v{myMRJ`2Qm)E})4b)t#~5q8l@lU%(@tHd zyWgxk90m<=z_(q@mgi2~JPsvE`=(gM*PC43P363h{cVq`FN%MrE4uNt>g}TBh}aRo z=`$wLT9%YdN$H}xk=C%Scwp_m-(c zDHg`H-)s<~yJd%ct5FhqbIHxP`V*Ia^Aub$ZrN3@RwK&hw4$;%9t62@pfBY(Cx29{ zY(1t21&kn$h_<1oj{Zw4hwr&av!@wOH@{6@;HeqlC)}UNVwf}Ar_v+J$3mY~KKedr zQvij9I(r4hq7k(dc(fbAtJ4>s+QWma!dAzIo%&L&)GUC-V#Rq*x~{VT1Hugft5DEJ zrH}o)&R0Zb-E{I`w(mMa^*q{3on{fgk}FT-KkwAs@H!!+(=Q-}UJj4dw1ae+r-7pD zdkHX&nGL9WCQD6taEk38QzSMG?fClk*Ias~jBmrlfV!QTIH-ia%{~Yc%E+&upegYk zkx#mnnrFbxd)A$Mh90-+W=GLF8Q?JAk4YR%#iKhN^gKk05O)5V9iO4ZO9fC)3Mova ziS&*Pm5KlS4ygkY2k8FiU@T8PO%E~AYT;H?&bnK3E%o;TCx<_AE?ShCzJ_toY2^J~ z7<~GcJsF`i+laDv5)nnUX&gJ6)wCW-yu;~qgyP;u>m`=e?RffPhRR(52PoNscjdIu zyuq1LRp3*wWl`^87P6&N-m=?s zE>3HwSFQ^|CKQk^G9X;a>bSblJgTA4*H^=8&p>QzH>Mt&I!If|e)oM5ni9-isl}qd 
zp_mj%2gcgSr(Yv@bjY7ED9fg&vSfXrzK>jwhkL!ydTcXZE)&Bf53k%rK-}*8g7mbv zySrVEndeU9oZQ0^ zE<(D6GNur24z42`lJN+9#kV@J zsnX^8I$d9|r3yA=B8cfFa8oYjT>zAOb8K$#EL90v#s2|!H;3{Pp)}!f4oP)j>47B* z2TFvAkjm&JL1eaq3JCTJ-71bt*QHQK?)3;pLoULPVU*VMMAE9{*jsM@IM@5lnla6x z9Lh4cD3LTDVL)sgu+=fZj&`kP4Ge?Vy;SWLgldTqC3Qv`Hi4i>ULxDTg>q%}gS#Bx zHyFHlWH1NT7txqm{z_|xUXF#J1|37hV{A^&`$Ojo+4ZpbTQ#L$yPD#zC|OEKsZ}vS ztdGfh)82#`h8V8V6r{h&hRt zb97ggd33RypWG@k#XNt8XN<^%)S?{hFAZo0lEs=Cc;DGxclR}kS=Xo0n=Abqy!%oc z%I~nPurYoyzr;-RS*=p(6?A> zEC#t+xpN9~T}D-rIxy25h$)}cmQ`wkJ%hdOT#!|(OC}M2)Y2KpmajMCn<9?Iawej# z9+E^zDZT@3<1Nn&1A{-E2G*C&(L?g#jzLcRi`o$v$UNApS5 zHc(a#$;bS__xNjt>_quZJdSc(hL#c^L~pFd?Dq+ z)uD-*mSNi|;<^KRcvp;eok+$!r@HM9E6Ri{@XXAsWY-TGHUtx)o^6n!n1u?N>8O0|p>I_GEgieAEQ!W_R!3!H|bk3M7O z&TR?3pAlK6GuFO#+sn5zzB}N3^h$EcnjH41TQ0zZduH%7p7r@K%>H?oslCMdPB&Y1 z_B#Uu6{V0x+*D}SGYpH!@!;;$9)Dm-n`3=eEhc~h(eaUOF-w2VMsa6I0H-gXI{$wW z_Lfm?aND|YkpeAV+T!jG!M#9>OM&8E+zJE@PSF;34^W^KFYZ#D1gE%5pg07F05|Wx z_w4iT{hhPFUl|!AV`QzlraWuTxt=+I2ofaLl_nCv&<}Wez_IKa7$|YH^rFE(<|lAsF(+S8gGC z-AXq5&3lqzpX#cnyLKY67{;I2EiT%b;xmt(B;2~2@Epr~lJ6hWF11t|F#K;NK7BPR zB1ZE#S|aQ|1B(t(TrAsy&WDH#eR@3SBqB~-&LvdY7#Ow&>xGsXA6xD*maD5iBqUM( zs?M_W@r(3;1R;qaP0_nmW|)caJu2k1w;tqkCww%`Ac_pCOgQ9{G7o3N>;U}mqX;~5 z6qLPZY%Z&jw-a2dfCFU13vaP7B;pNlcT&40Y0P!(bkrCzYkETl}zo057NliHR}MVB6o3}-ch z-*3(GS>V59f$KUx&mXsx7!@ZhZvW%G=>=J_B$Xg-)b5#ZBnouT#sWQdg6PgG3HX?A(c) zKAv&g(+#T1yJFVm;x`B}HWL5sA$k6)FG=4AiMa9O!#N$cnq#eUExQl~hhK{>&Ij3b*s^>OS>Q zD?xc2$$4z$Gtc#o=zRJP`CRj5!d+#yPcAF!Q_9o<5+;?+z%NTERGK0iQz#+z)Luly z4jCvR7$K{(G8UdFYQ&$WPrK>~>ZwJTn!aoNvZ2r?2p4#nSK~?u040&FtKz~&*2$p# zO53`nwzT@WsdytJIdlBNvZ|#TwB{0ygYXQ>tNTQ3hqr?)*uw3cC~PcsRiIw+A5cut(ntoYeyCY6K_52|GbU%01JBx9{ldSkNx9od>J34GoZKLpN;|Q1n~PlT>n>WFSS!39+1eB|+Xt-(Wve zT0Uepmc=cO&noRg6esId(F8m@o{Cf4T<~LIu$N^7-%Ra5tBn`C!Kxy!u5oYdGqdxZP5Vl$Q6b3O%N76T>%;={qtR26C1RnCl&WZVo(bhJN-}4*03Q&8?giig*T8 z+OalR*|2i3+%9ZRUt6=jG4{3UYkM_$aowQV;b@1&?ggDSjZJ&*!KO%>PLMZ*woP;* z-dT7&$GK0;omM$epJuPkwkv##*mTt_Fn?!fP!-N$)Sy%Pfu%w)UZ;Hi$9?zah2fh< 
znx>tara*n?xe6dgNAVvg z4d=^4T@CM4Qe;Bk^Fj--SQUhK{V{76VNNyjuz@_{GsXscr zIKJ7B9;d$8I*p>{r0NV?%Fb9U3&D9D^j-WNJ)Sbl80!Iyn9p&x&Dm)-^~QKpmF&qs z{@6ja{)#{C)qHxJg0sz^rFo7KO^d}U>HH>9pQfD!;cjnp#9ndLUES)?4N^j66K_TOP7{;mkZkj9?syld2qRrU@w+`l9G_JSWR;`Nix z3t#W|q+9pEQqFT5lnpHt&2FH_`RDyib32$&2JF;Hq$P0W)iWlLf@G`+Ml~C!j9I>= zxZiy3=Orycg{g+a8`96ami!fZ=Iezg2j?hPkyXf?UHctFjU^i)G!BxILgo}N`r?wS z=@+WsZ`-dr>XY5HP3@MeB)lKClnON)qiH)Pr@W>F9O8Q*2dHt8t-SbH3rE>d>N3E& z))h6*|1sn{pBHFL&x`Ka0OaJb7)6LQG<)xCFDo}jDZXndE+ddB-KWkvnT~p;{NziX z=AzkTg^unb5Q`=KTDH7xavrKGQp%=={Jpft9JI$P(tX39k2U`sKjv3xL~3k;MQrMF z|I{IjI4nla`9%-OlUvcw$|25!6mijG`=c#``|BsC4%#r>;;x(!)8)%bc#oP{iLPst zyQM$PH_D10@GwCyw?=2}R*KY%d4&Nf2f=Y^`Q zATt*vy{1l0`1}xr%^m6BXOWf5VmDt;_)C5oy?~M)>zN-$^;FhrVM>d|5BM!MRe0RS z*c4Znux+3$siLE=a(QQHdgTGyyX#*&6@NQ3CU{JqO;)`_CBj?0_tp6=-ulQd4^D*n z8VJ{fFrq07|Fp8Bu{%&7&ed-=5QUWv}mUp~ z;Chr?7%c*Qc?PN$vbiM|-V{B4x840*`LV3SR@!MVS2@?3+PUwyA+YNS4^LKm>$3b~ZVEMTQ@>z_p6k9IZh|686Eu&9(Lyfl>N`wdH>c2#D zjVQXojkn|TTyJOj!H4j}inziWl6*=jIh*Ued&_zJ#3*9R91!$Zym9%+&qW_b76sMZ9eL!Xj==C{9QL&sO zYI#K1qVXFV|G=Ai;c*0N(sj15I>xyXththm@dmEjmVoy8!e{*xWL&p|&DbSAN-R4E zf8VP3`1jK)9&KR!bGJYDedLTgZgg<0;RhhQMeemMrN=DbM>PYms*SCx}?Xy#voQVTuF_ zv2AJuRf@ON{KVttf19Sd-3xBq^omjoyC1yU5biQxe zS!Fs|C1XNkHM3Zo$30!3+S{X{sVp`DZ=m%dd7Z{kV@urQB5IlV=~LC0UJRMSPXuyz zF&Dag&94qy5JZ5eXjB9=+uh};ZNuU)B(AL-4U5q#`H7H-PLsk`*S~N3zjy0@m5Oqm6nH2xwQ!Wt9P%Itt8k@0ET($+6#pkoVF=z zrE&~1YiaD4_qzfDhudwFSztBBNw;_YYv1^*sF^+3SW#H+BF55WUY_SNC)9DwDj!^q zSJ^a}H90Wm6m;vP!%@cY+nerJiF5_le>WY$u9jj1cS$yzKw(7!s zk%S|PxhsX$plO;Bq!CruzFD}w)MArdW3?&|jb$bj6SiLj7OJ%d%IMZx#?)9$E4!E- zM6W$0nBmClw0(tGFE(koI~}~+6LJ}dCFTxi)sb?so$6!c&mT#p(O}Vx76>Jh*{4^? 
zA!1dl)!$Qgn`9GB)haPCDPeA|v9gMbQDa)bICDbSX91MN4`HDeNg>4I<-6S7vw1Dhxu%E2)F5>Xo+8I$EAB`rj&{L3=k8R>9lAA)u4s&o^JP@d| zp7}aB42`vAY-YU>Tft_TfSV2_(cQHxCb2@G@$tMP86PF}=R4~k0d#sai}gMcvFnD^ z9mkqstLEC@UFUg|W|E}|I+_)as~r3cb;R-Q4*1Tu>y`_1wH;JiVbr>DGH^i1<(n>^o9Y-; zLHdz@T~@JopG9(lgty84f&G6_9-;p$#@~0x+D{daciky3M+1I#H%EHFK(l4FR*~ZC zZYYUL0ZN=Azwzx`d2ilu_!O=~4h*2v29Mz*!AAJ$p|!5P9xMCu%28~}8jSZ${8y?} zqf46zpkVoS9PPBR#*?}ucMX(L;AE*pHQ1SPOd!b7;F(O6u~dHyRONZEgLnN%Ou`f= zHjgypwO(8uK1PeF^1Z1HdWlf{JH>s;xG^9zS4=1ow=g(Kv~vzv+jh{EmM#)T&Oj&k zI^G~v5K6+xFlV=D5u1&OV}(cz#mn94)aH=I20Q8S#kHF3vMPfa=w8(5VSBa`F&sS?t=!4O+U4i4v zy@|}$O39TP)8eT2;A^K({;*@4WFB9?x>|KcEyX(P6|>l^<@U2=LrFPmR=(t%Jd$e; zGiAxq=Zfk*yjJ7NMdGIdR-GTjtI45bl>OoL(50ujFy5GY_Z9bQf00IQ70ZQ!C|13; z4+YAlYOPJc0$r&c@l&~FtO_(qM zti58q4U-_~1~2-|m}{8SQdS#W%M*3~B9fgsb4No4sESg2a9e}jDb-s-e@vf2vc1^n zE-HQSj{W`J5C@rny|0TcR{E!c)xi{#txIKk<*uW9j`3JB6U+KrpkGSFYNc zVtseg@$J)(-}&5|@Reszffv1Uaf#wTu1>n2lk7~Hd!lqKxEwbe8oybXc4y;a&`0+h zx?j5t%$u-cST;&)Re#kmsg!AyeEHKUP9m4;4z8@Hx{-iEM^0W!925E>c&?$6^}An; z><4x=!^fE84!Lr2|i0`@XnXuiR9BEO_QdK$=8Ce}>N|p}>yLC2LRz$C}tSQ+fci9b? 
z^V6NOn3Q0)3vsrwB?OsRxxJ>kI(pPo>%`QH7{gG}$4dlI{UZ-qD|zOy1*9dRZl-+V zH?aD=W~ugsUOn61-elP)Zbs#OQkDrfYk`hBN8Rs`c>+jW)9pwgyoP@}@U$oNi|N3( zQL1nJs4B8uGSPZM$44R*C)tuOwaJRNn&F9 zf+~3}VyvZ6)bi#H$E1Asq=gB-kt^4K!5@C->?n$Nd9dBhK~DL^#i;N?Yt0*=us_q) zt^DH&q=rzo0sl(J-FSC&=kX7ieMhNws}8<0YIY4(8V7UN)m_F*4cf(+JCdR!a4Ge= z6o#NtCf)&0Dhkf_XJ@p1qa$V`)m@Uj1jNb#f7Fdt8xwSzBcjBu#^gaj20Hpgx@En| z(cIr4wpN)|cgf0uCd+0kBM$Du+Yl_KFN}`w<2GG8;qHRW z^xPQGs+q2%!Z?kLbW3YSGtq$a{)_g?TR*2dxdV}4opE@h3Y&(pny$6BXU`} zIUeOrms;pjKu~Q}#W3AyYO%RZdXb~8C4^P?gFS-YG_BPQ#wcGck;d0p^P;USK8-R zKtIjnl*eRm1nGxjR;tsdXgYSWT+E3AiC)SuZ{pclFZt%TbQ-)YLDW6U6ENyO%%|4OCV&R=aa=}^7)P+Smt;kaO)d67T z#bAFrl#VH6-6zd7#sK`=>b-(sg9)~4-2f2F%R#9RM~3pw_lrCUd*ePgT^ZwRLT6o> z;I=vG%D}^nGqj6krIhfK4$*hh)NUSC+@?3j*(muYI;Nz_;i^#}76pJ(ZbHgFQ@d(6 z=o>bj8%5f#>j(*MuVo%B-+SLTpq_sCr?-h%CO?H;Ko?>cQ}KcARG6onam5lLn+xTr zDif}gGd0>=Tbt}2_@!2z=nbHI(dTwdFAtD;Cswm4v$Hqp8GK8Fey?wU$hChK>P^ zhF^sUg={ck9Fgr7{7W?IZG?iJp8f!= z$=y=&o7@Rn-lQC(&WYFfPga+!j?uP*ao;}*7=rf?_5)XkvtiE$HFb2UNZ5NYevR(b zZ@J7Hb9Vj&DR~geeDL$**Ze?gg|LJHmG)vK5yV;~BU6GFraWaxXtuqsCOmc&-gv0mUp{;IotoapgU z^;3Qj)?RK_tvT{nNx0khEQepXFIw#Fa848aUadvM%j+=V{GK6zHkO%L3fN6AWo&2j zFp>*>7gpzJVOeT~nVOQj2Ya;t~7o?0ZT=7v}C;K`jgvOUtjjyP04AmYP)A4W>7 zOpOryrZnE_=ECU~ZDzMm?1;MkEbu za`%|UI0}2e!LDB^1`1(;F8ol0OeyWL?BWvtELD(Aa(SgCh->KS`JwsuJnyJ(2shze zPiWk2&p=-oW!x2~6{)cBIce3UPIQ`^ikUW!g~LV@_n6A~2YAD)^;HY~>nfYJ~7q_W7I5>!#b{$ zBlViKyGMn755hZZZ_Yq>u_w|>BP8sFjxp4y`lm~Zw(+tyI+a(yuI>8GpuFzqxJEhl z#RQX29!G$~Pm49$Ay`A^gS-6lx!+=lqLSCM zz-2P6I~lf1ct$rGdXR7CnJp&S8EnYjIU+n_lg0~dR^B7?`t-*<$Q7~MJyOp?Wra*kjWY$Q0~1N#1WTi66PeBUs$4j z^2yFS?8rkEcW5&PvR>qYbh{**{_2rG+BmJBi06weE1l9O{HtZp|Iw3-A zZmj~#*|n!MZ11?=y6kx+#j@_b7r|$Fs8#6T$y`QZ7NsBBT1|UHfCpR~`r^=+MTV^F z`{hqhjc>fW#7fN#!1X2l{Uz1tIKM(i->WfeoZ;}7>Q^UC_XR0k&>f0c(}3R(Uy#$V zGW@0}@LYW0*Zc`FASg}u(oaxwkIRoZi_JYZY7-Oz>|K#wE`8i{y~gHua%pCYaX=!D zqzrV`0}-eUhVK@IZ!5v*>QV!Ci12d3@z_vkI#|pzHq-OZ5=zEr7YUmOZ`PmGU@9Bk zAZi~Gme?Uaj!^+dE+n zwGGKO82>=Nt-^5!H7GFghgXp!K#`R)zjx=!fze>AU^1TtiWUYCB*Dlg+K84q)Y`c0 
z#r>L^PA(RU)tgiivR3C6#M(n84kGlLX>y*-my197LB%F*zLk+pP-&eqtLV|JoT4JD zn9SXu@=oa)U3{Z*RKqhsgq}{X7pJAh;Co5r35W9zE20C+)u5h&TMmJ0{c4oU8?aN$ z|A0)ijEe(`>+-6AgT+G{OHjm(iJp7TB2;_OxA@buC{GxxZ@v3I7%M zla7UDu7t-h2e~fZFP>BYgq?5v0Bn_#@B!^@pNbaiY&L#9bZ1l!O%l(*%D!=YL57Yt z4?wP`#ntI7Iu)6`j%amv!EMhe?d12_PsROmGI&@q?MWZ25DMGG9EGsy@(wjqdZM!k zdD3>0@njgNB4^Vs|Qm%>+XXBCFN z{9gDGMo3fIwzWlIie2Y9ofl^PYfv^F8U=G^HM$s37AQHUnQ&)HU_T(sAap<5ud(2f!$D%9P!piY)+ zWjwK|45a&7%nbQma73Yb(9mA~Ma+@K(@HSvn?@Y^t4Bfl-Zx%Zp4TwGDwh@Xy_M?X z6oC`<>W8JF@)jzMBF%`7gUQg*m=L#MPr^%xnAehjIbG#&N85zmCP{fG*>sM|Q-R~< z>Kws3^3Ux9`)$$f=tLBRlz=c{G!#a{eifl zZ%|a*`{K}%nl-@{`o_@fsa)1eNlW`{rn?-h~$>-3BBmL&LboixV zZ;aYuasXjN*{zKBx$opR69K!p0X&mRW;f56ciL~=bFc*Vv8vI|J#rp+jkxLp=9yZR z4%qK*QfM(NoCl@Sy_u?a*`nh{NCq3l(dG0@m@`a|`=t#V-E9swN6kag82e`d@hb#| z5dZ6$oZ<23bd@?@7KA5a*TnuIGI`PSF;wrWaHl*6*TgJtMws-jf;D5xvelmW`?k&*_oTl65FH zkWOdcOJ8A=SV{%tx~H-TnTN%b)7Zx1=L^$+8meGZM32p;vlE>g0$6`n%9;N4fDzamQ?WckF zp^fK>L1-hlfxGiDHN)kx$&Scq@WF#8&ITFh$=PH0{`}gPu5FQ#1e>LzMyxKq4$}$4 zuq#c?E#hpVSV@sc3iGte`F?@&$Oo^g*zV`cp`(=4*sAu2$~%!FchqZPw+kISS7B;7 z48k2g*GMh1F~_43?=g}4XU`7z96sdZaP7?5=N*@yj)(x(yFD?|FdO-hb_DqYkaz=H z?#fh@zwBdkQE)s{8k6FP;@JUP9wQ8>eBHkr^Ov6>OP&b#IC{btUw2A1D78}tm8!bG zWYZO(EbFa?y-9HFf6`oZCCam1;_L84(^Mgeix4q7*0<=nxm~EdY7;H|_MwH+TjXm^ zVm;~%Xm#eYkh(t!MQV#nyoEUCr!7mlo5&G?9u4to$5yd>=B@mMe5CY(=gOzQ%zm^? 
zqg!wB^-n$d*tA{iWhGYYx&snz&ivr&rNcQSK7sC3uMmaRXm=bFP}8Zkw%zWX){Aga z#cRMTE)c#xU?HB)hTPsoB-7I6mKCzxJd1B|#3VO9?UYJ~#)_CFxZ(qaxLhJxK zxCa=jo{X{IbHd@pb|^|?k7Hk;B0r@kiaD6u@qX9Pn{A6h5yH!soMi59+&#nEa z{4U*Oxx(;rZ$@FX<7)GE%>7q{^AqlScB*i7xs)wW}f?OE*V0$&%;q@oSU0xjE^uEnoN>19n$g^DHTx^@b=DoCXkC58h7eeQ=WQRiV|i{&BLxl@L0b|G0%;q z+P<;$TA(MJJ;|)Ay-ux!x9cSU{S~7%n?ew(d)UuP9vy!sqmZ z-L$}$)#b3eND*#8G4xHXSA&?VKTMsC6*s>cU{Kr_o5BQ#ob8Bpx=P&kIsFWbFkW0TKO?cV&^-> z`-)?8u(+I@j1DO8!(PFSW3-{^iEkToT&!cTV7%{HpMxheCyR-InNrGILqfpG42u>g zE~~yuP?hq#yy+4quV!bS{L<=QuTxf6$wTCs2`y3=NDf)hb6@TcKaDQ~N@x>-r`eH|bf$01RotI={qL1_; z*8#p^pW-vpi&^BCSzUkG`-<&TD(Y@hM4Oi?OtD+c$z;{3mq-I|5P}Z|^E2g>U#q%J z==2K7hnt{~XkXo!82#eIG$uKCB-mRmeyW@pIv{?yRT_l8*(!xc22sR}wO@-Ri8Xe= z5pGL4g<-o$?wA^F4^YC2h5($m*cD@JhO~PYg*~S3xXT_4w0L+QouTv%yAr60>Eg%_Gh-g=#~LTxnqM zhK0#>cxaG}>9Bb7=fPwB@&xfA^`C%TJ%Nh1loR(Uy!tz0l?HEYj2>=r4qM=9{YFe4 z7$uPAf%VRMajK@b&|XUi80;a|Tlpg8vFWZNBQ5g7-F5OYG<&Rt@CcBfe!-W>VIN&7 zo5pSD>&fF#^JOD9`6@D<;~7RCabJ-Q5)K5zQk7snV{Is5kug4Gc7Iqv)}A}a<|xW+ zKIF50D*`wB0o0Q^@y#Rk1m-M5;MtC8?TYQF;ftiLGY7Uq+LkRGW_dK?PVNqgy=%DX=*1 z2`cBz`xKc}YiekxkG`^gsGehwS|RX`O<`ln)y{919&K8PzF!TGt_Fu64ElGOz(4rU zkywq8d4fjB>NOl(kG@;lQe%k-q*c>V!Mh1Q>@z&FRR+Ro#<#2buZxDqCQApm1HrI;i z>iwn^5)VT_F>$M-mr?xT`Vln6>QCokEI)dYRA5K{g-LLR`>bM4T@d(nII(8T8>p<)nvAO zjS(|0PfR6j*Z8f$$)_Llmim?-D?m2ki44e=)4PP1SKrP{6P1u*9jEv}$-H}Ff5LaHz}awR(~ED&tJQv2LQ( z(KUcI*ke6gPlP+7cBIlNTu&dBEA|!l7d`PTi2)u*kl++OLY(1zoq{oxRL$TeE z$&z`gSL`+hR%xZ5v7@uk>g?vEU>s{Z=5Ca`^aoz=n7%zB zwC#zClV_`7AouZ>8d98Wz3ALE15eSt!NFwtb6XRJFzOe^l7_gSsqN45u(HM&awc!& zM__!sx1J+1l)fwT%^jZt9e$+CsHqt;6K0cdwA;F3YtR$NiVkNMTn;;4z6+lHqRbNy@!k=Xmu)3^z{P8~6K>lbsnKg$` zTTu=v#N!6c4CFdotaEQKT((6a09bR| zAxcpMKB0Zo!MNAzA9HhaWz;-#GT^pwN;hJ#QA1_Ox*R!5Vuyc}Uy`j5L_X? 
zpXVS@;$N^$a!x8a7++^g@iX7Zqs@`GJgLC@QFFy6WO}#c;4vH2^KfyDJf*= zbg;Yim#L8cYWKRxmyccTI_jod{avn6A+-BXoLFI_+XAymxJ+>t=BR+a@DI4#Vbgil zD?rc6HBL1Bl?7s}AU)Tlc~Mz(?mI+NU~jr4Z8)u2^!n_`l(kr}#und~_!1{?W@lY2 ze{ky9lWrHA9F3(|tidHY9D-rUN|5nc0CO(Mg9gz%l@=OFCKyHMNWu29#9{)xvUU_# zs(e*rxvG7S8&`DDFY+L0F#2Z!C$1MV%r(}4e_BPM`KfQyd(4F_B#Me$u!cYUa$0e%jr+ph9Fch& zWxbppQ(=P@pYb&2J%0}?j!l>x+T*w^gbFWvVM7lcqLKi41yF4v`RyWYJmapKwHr_c z?qZbbsUtQ;*Q0Mt5DJ4>?71<`9COJOO)ay2T00%Aj;=K$#u1l|YuNl{7gv;R?G0q| z&CTGaMO~@8vV9G^Inu!xsuu@Kzuo|d)!KT3HI-?OdcOYRZKcgLW;^D{9X}U$Hiq_Q zkM3Q)bvj%->cL3C)|RN!MOA%p6@Iq~XvnF@N&95MME2$lKtZsMn=)el0eM<))GFwJ z%epC>i3>+Yj0JVOwrFHP?M4QLO_vD+9|2_!rwA5_TT!}lX}3!lX#_msPZE$Gn|F+NRs5b zL*R4T$w>`721O_IAA&sFaJh@shY=~EgS8b3^cRI3j4w!NfL|-pN&7xKzYt+PTCOFS zZJ64wa#ZX>JZA%kCg6T*@ji&GX*wQnkZdrlw+gxWlY(^kg93H=&19X5H*T&5>0Rt% zj;9yCNJSf3B}ke%bK?wL`r$g80(MwZ@aaY2cdZc3DI(TCrvvc%w65Mo)w;wlq!kme z`dh8H`kqg@B=!i1_JT_m~~xW1Rn6dMik^ zQkvX=2udf=&ux?LhYc zDKSS{f^N`yH-4!6Ufsn(##2Zeq)PRH#Ak(3d`cs5(jo=8am``e_)fi89oOIYZB`yM_f%>z_h@ zur0ZE%2wj@XJq)DOXgz0hE)~XG||Mf>XFMe6$w^cwPLm zwl;QGqY^8kvmmp3D4Ga|dFmf=oEpq=5W~K(ekxpI)pA?5>N&D<>|;#z6N%60<3I6E z<}9Cio29 zkl2pvn2?XwxHqJ1)xuX-j#GB!t+(n-zPzebXV;{WgUysaOs?;R^#Vm4f~GSAtgc4~ z?w??$IBA>Vvj|@IK($*obtZ~rr=qM&RxEnuF#$SOs(6M(#gDY#Fw5{$B&h=cQ)a`w za$HEfa+_o#Go^jf3Y{%BZLeO?(eEJpK{{F-Xy3uPTnnc^!D1+_kx!RRGOa7=wXO*( zW$p)jC^xqg-oPe(m`xP6JNjJ2jP_M#7T!`Y8c2s%hk5qe2`!`tu1UX~o+=6Y~zYGH`r4A{$=X#8%^ z{IzjLb^JDlxQMd<@sQ1UhOj2f3Ii$_R_R3H6tL_%!cnb&7T@AnQndWGku~${!6D$l zz9*O{t)>aKe6yH*OiDM$R-bMX>#S>Jgo!Y{ZMng}EL{!vpg-li6b*Z>lqq$3&?)rI z5CLWM#g#WztKZ!X#@#9s-LiL{h81lljBr@=V@n{Cj>fwDD) zH>tM5%WlW`fvoiRkMj4%S{|m$R4FJwYGoRvJ=B;Ex}69?t*J^u7B8zu(eWxy4y(Kk-wih}^XqsmWhCGCceL#)R-rzE+?H$ii0 zw?TVj3@P4;%MWviaAS`*qeP5qMIW~lIxvVL*bKC0(+~4<8ALkTkh5NJoG{J%yX9nu zhf=K};(TllXQ#i_a~+kD-y73Syob8&@e%YCkpoI4;6FDKOzr8YR2)FZ+k1*BsOC@c zZO401q9x{P5YzBK1P{It%zQv4Fl!NSFOG^Ra(9qZi968KMs@uAwP)fZ;UY>XHd@|RwmF;_v-E~|i}^#4kTsW=&%LMcz{`h(@y1|3}za zN5!=*`#K>IAOs5*+}(m(ZYuTa^XLv{KLh1}4X#6<;>>#;XMJ8>ptj-|7HkuGaa 
z-lhdbvr7?cqDyMarn0yZB+0O|GMacvW?wqt(xr_1t9-cQ^xO_J+mTeqVe1|Fk|=sO z${AXTLQosVNuLGFO!St6h^|ANli;uZDKo)oa;6@v8fG?^`mJW z%H!DcgH))a?}9PWN%`zjtexr)3!-*-=xHr}=Q2Q2R~ZX?(6y1i7ng}umb@$K?ka(X z5Y3Jo2xFxYn;f2LTN>Ns!sI(YZf)TAK02mi1?B}RI(MCWp%lf&ie=9^dUf47>G!(8 zqJ_pXq%sA=$!c$F%16q?D_n>3kxqXO_`4CnK`((=7=ap@l5P72PG00_XN`;IRP`Ft zdsj#jJ|OPerPbUAYNWVBD&B+5z@eFFSP26gv$CSYYX^+FZig2zZ9zIodRJP2iOuGg26$e9n=gK6E0!u7!L18>x&>TY zX*2{)pc!GgMe|(8_LfqA()-zLJoYT>D)aO{yth3r%$wIO`tdVnVsqR~F)kf%MAto< z^g>R;=t?_`lmyj5O#|fraq!BTCbz)2v)Ro{98wH&UK|q~+K15v2hBXw=(LAjM2D?l+ayQ>&zsF7+# zS7$-IO2pQue%NO~u!sm4Hss0QnQ!D~;3AJ?!N@0%xY7-!ARhHZKQr;vVWQJnGihK| zZ+1+yPVGQRQDwejAM{_a6_$$Vp?tkUsyKPvU0gMK5kC-h;g@Iy^>q~#B3W^M|i{1fO%lPyIQUutMLBL$%klDTlypLl`>lU zrpt3KSzMduF+%>7N9-49VJb0Eyno7sNUS$UDzF!la4?7SlZ1m{?Ob zu-cRZ&hLJCW4JFyGrPwi-I=Ld>Uv!~I~q=$Di*2Arq=H(0nb;LdW@j93$@4Zp5_PJ z@-^I|mjul+!X19~S;wCrY7wS=!Km&fFRVyJ^h4l*6j}#G3Dkw4$zAVa81Tcqzlcxf zr{N9A7^bje^|^%E0q;;FdM8?$AM+5PC3G4Gza%WkU4>AyGGdV>1BS7_mMFCBipC%9 zH68$TwSp}7TI_R3I@5{mvUdv_6vzqr48UJq3ECH%;_#pbD4{aM?}fVBkYBH!wB{!o zcyIBwDf6m7-c|ev#*yY{(6LL^)Y5f7@y5Pbk#`)?t7IJ>hgYgjUXG|7j$F7RLu2e% zmXA(K=U8Evsc1i=#*QM_zQQaTx{Be~*X6^M!GTD5&6`TWsk8dBJZwSu5U6%@0Ee_X5U!%6V296SW&v3 z%U-;?Y11SgcV}}AGP;3RPE4Q4Vi_R@9<3RDS9`kMkaT66nXc=sZJ;8!#8>JkdwIUq z9ulYh243^})Q_oUHQVKSx>{T}lv1_M8GwHgJhf4w+g*#<)7 zWlA-W=CM83bsR>l-3pY{CIvYvujl_Jiiu;$PHH zxllv&>iVQzpFLb0)}?)$kNd^Ph)DtY-=w0^s?FHx&u9!Q_b1VINB9XIV!)l8-lv8Z z-yAxz>}Z}laG6vb32%~!FK3Ji0FDc5FT`_e4{mr#YH~ORF^xYen$&GyMu?hUD#W)( zeO8QF?n{LxeOJHNZby5*2K9s=rg{R8H=}g}9aPDh(dnq{lFIFLqlLo>zGtrSe-x#p zOV(dWUB^>85;bKX6{YHxW$)^qh%5AbED5Q#l~`KtV3p(epeiZVu2!X6pi8o3|Ry5w;CWc(!_)7w*2J< zqtcG0I*wDjF+V<+Va@i-falqUPbiN*vFyNQJJ^Ea_SPDjT=6RxA|$@`zFE2d?AS3Q zzcHUmgS>LZLFLAscJhVqWfu!;A|4`{@ zVvT73qTl>5{%Tlq>6MqC#buV$dOwqADmPziB_@%IVMYft@Ny2*@*GeoOY0!7Q%8nq zpt*P!yPJtKglp#;%A3xgTvEF`vg39i+eLFX7xcTYh zXuzSnjd|Eu!O`66i$W9s-Qij{-nay$cp*y4V0B@>C4WtFWhX9Tf@5U<47ks>;QEa3 zxNG4(_Pk>i`J3T04_cwzz=ovks4I0Z8K6podhbsH(g@%GNp9GOTQ1RArtyk(#rXYG 
ztSUy%Fjg;Gf|$d0Skk~#mC{Dqdd$)RdNKHr1!NGl)LyvM4nD`vo%`aAxP_JiZ-s+V z^AWPAldbiZ$xy`^%vve$aO%enwdLe@3 z?FQzN0bc^%S-SEvy$%B1vc^u$+P4WNzelNywQU=aJbN)hf^ZX^yh=dq0kCGQiJDb` zDNIgD8Wn2zu86#-k=>gG{)vwXd=oTfD4YF27Osv3R!v5}n3!8%j zX2g(L`nUVpn7{z;C!p5mT?qH{eFY z?08Zp=*mADzZ^l&5x5SEOhlv963J?_IA3Q*jl`I%Vn<4~1S|)-_iC$uE(%CeRl>J7 zC!p7-e1}DFu83`s$z8|d^PbMVFi-E{5n*Ket)@|bbkA+V!mehO-ASMdro8DMd{-TV z%}Qy(0=NHMpv`Uy(k81IhJ z?kBHN2}t#L(~x4B0qw%el~#@Cu(+aOr_C}B`hh5UvkCI?SXi4&$%iE&*S7P|Y zBVqV(WKydsvJ!SA;U8ZKKTP)3cy_TWwdHe1MUk*NO)4ARq$-rZO{l8kmSwO=D2FW- z;Y8oc!YEv}*hi~_vW<9$ZUO9Pec@cI2EBwon{y4+TP_GSY}gOr%(sUo%>k4nJn}n6rh#>&UpmtvGpGD?9 z1S1(noXHM+mLD>#3?U+sr*0bGxNOhr=?x#CD@o4~tg>YaF5|C0t$?P@Qn*5I$`N1K zZ8Xz(_rn(aTZEZFwG3rwXNbL)Z?hO@%XRD$wtK(-;GgHK*fx)7s6Jb`^QE~Gf8|CZ zY|M>{9o&0=MljzUiA;bq0L~=DdU?K|R{ZHI+q~0nCA*MO)N}WnxuAf&!dK@QEYm7E z(dPL4oC@xR^l*LDwJnGXZ_av*aVoobBW_zDB+6Jh-5-@cmPC`O|8~sV6ZlL$!1Y%u zPo(qb0Oe==1z=Bb+bcx8wq3Vevp(*JT4n#`=Zx-9O3V>6PO5QM8hSR+Mm8a(x2)NG zG%1d%mnFgU=R#7@39F7bPmF<_HY(sHRc7ltAaEYcj+hwd{NmNmCYzX&*3a3KX8WiN zp>Ba#ub=s~HioKpDFe~7mS7QaoQKRn-n-~oZ^SeCs3HryYo+(jBS1e(sD;Me;Ccxl zrSu2$_-rp62k=3AT~szyw3rxK;ef;_ZNpMzh~D7d2)?J43-N zdFnPfubzT368K(mVrP*qU}P#KIUrfr2PGGQ7cTH%P#%GpyM0FKePVQ7Rh|mj$gU%A zd+51I+;~DjO&HtN!H1rjco$mhAj+dc8w%Z3(l>S;S)?z$;Zjn&P6u@iZj^-6^I`=C zIKa#9$haZ#jC<1l1VK>roJch*JnX&rLYcGy4L}29*yQm#jTXroZDjhEB@@$lxk&c0 z&ajU?4s;-sr`UhWm>}r0Iexh>AwIzQNb-n39g1O6Vnnz{iVjXp`an0F`z-_@V}`BC z05rmPo91hP_jKDtfG4PBf@F|`Zi>_!qN@jX4xQ)CSfats%X-t${^I++*G(d)TyWxm zu10X%qw(FgUH&FMp)ha}uEvk|qSv1%fe>~%k|N>Jt=oZdf|rvhjGspTZ3Z=@&{eaV z;K|fTGqiOZAf9%ioS@Hd{fI^!6}9pF^oI{Gp-%srfQrT2SJ z3XGGcSc65&!Y(>>B-Vrjdy$hqHx6cr+pSz0>(dn{V{O4$}OW8Ho zfe7~NBXn(G`lCA9$5no6JqMH2C()k`y)l>(&fC+T`5itQfJywjivWiNdAtvvd}f*G z;(P(_S6?1OIT~yDr!1CQA3L!2>J8fVLw)O*gm5bLuF}H3rd^Wi<-IRq#+N#bVDwPn z17Cl|{?!rFtjldWe-_4jG|(_@q4US8MyIXJu4<60DiR8!z5Q*-@UO0Y@=v~U@BInC z1~8#=xB`(WF7}Y{AG$(ONp(krH%dMz@abEmwBqdbjyDxD>GX^mW$<%9$V@vUF7X|( 
zRv0{Fn5!UN*$e<=mDaY;GA{s*ri;D0hpVh(W*&h=0nKp}No=0v)jz6bQA!)K<>jlvOJ+{~XP_#v5{Y~W%cfq`N^Wx^x0bQ=5x+q1W8 zp5PB{@_~u^qoh&oZ!RH<4bcZ_1F*p0HY}~P+n!{of}Cze6DC>kklA!=fJW9rEF`N1Kpy_KN3|Sr(0wffM zxq%8`3U&?*PHKi}aD;#JcEi{eHtI*Wz2d=Qn zeRS4l8FhY94l8%q%tFvTjh8A=56LRRCMUc5OhIo_EaTh!sJry*8Rbo!-s2k+kso?= zMq{qEzEnPCv`byL^UsMEx6dFzgHd}F$JMQ2&B)+(R%X8E#_u~B5QAD_e(S^H%6x84 z#8>V(e$9?TK)IEI?|4M=9o|H4s^Ts8<@{Y<8yCa&pLV7rIQ^%q;QbZ!JDak?bZUZy zTiJMEmw)ObC>|uy)$!;R_;!p?MPVhL8fh*?}s(M57;WP8_-(DvFUji6r9Ol-SYyIX5hHf`x!@)2Cy)f7957z zVL|iIa95(Q=8lt9zt}}a8XanS*u@eyVra`BG{+}5Ve1EMBk+-M8eM%*_`(A~*~EZm2`Q01`7nl;bJv&T*8=-MX1t}rC^Tym zxaA+Gj-CoxDaKmN77u9nF`vzC8md?ImW~_5w(^+cwFJE$R_$x)k;}QHljsZ*vb`8< zO{xIC%b?wf#;q570kzzwPG*^4NU1Rd&0quFD%s^>&orjOn_2k7P}aLoWGjFA%N1+c zLFAIbRPj}Em-CKV+S5G^|F_x7^L%|3k;Ncr<`6Oq7*gm*5~(~ylZK=nQns(V7GU-m zS*s%2^31dDw{QyZqXi$ws`r*4ecA7*wBsO=2FeJW{qf;cp?XEpk95fI5O7Z#%9oKT zFx|Mx{x}zO^gHO{_3b$GcHAbck{;i#FrMUzD*>wD=179KMecy7gSi5(PNuPgQAV0_};+g0Tw{T}e){8Q%0mn$evWG04@KO>WY+yA_?A>_rm z+vGC-FQU%})VEiil`)AyRC8gDaJ^Jea+APq#>lVEY2+6e5}?VFl?!2!b)f#%HJz3l?fZF(CPYEuJl0$;VVbSys9 zUVUz)-JLLMU)u@kpV-=ZuNhj9^{+;0FwSp zWvD_%jZ$?Q# zS`MkdL&G>|h7s{4?oCWf%^$d?ctJX9eKU`pd5(*mF5W=9JDI?`{h0vH78HBre(|{* zZsq!&V?<9B($%qTu&~Bm$_Qb79t|Bd-f2)!{+<4DzxT$5hI-txm$tgZu3mJy+GR{) z-rtm%NtAU@a-RkQ1{!MSr%Jr-D_j3AU;|V_9S)^DE1$8b%gd!?(;90>Hw%B%&72=# z@}4ylquMRxZh-o~^+Nt}jep(ydWx_gN1HWXnb4lC-}~U_7ZYQTqJgvIU#RFbP)K*( z0n<^B-90s5$RP}&6!TsAB*=I|;`1E;nmr)Nn|GX_yLQx&_k4GV2&an&Ba^Vmv@BHK z;*^K~4Y<0!65j@6WRXP^ojbwy)_-aciZ}l7#+w%|>>xqD2#nJJP82)Jb?Ev0FzuMQ zHqK%Jo>6@SYcK!nmBE8ziWJB=N1vm?piSduZoQku>G{nkq_X9NCqHbH5NG(bKj9)? 
z{B6Lz8Zy}SD%)i&_S_)S37zEbE+${a<<>a<47|j@o-h?O^lg!y5`N}`YphHyMp^^i zR0+c`PzA7IqH1lyi*6)($pBu_T@2-(95PV<;iCWQ)p#c&_C}vpTJne2A?yV%_cD6D z+@!g7%U>7$3sgk|-E>Zd3#+C=r#3#5zTrhL##O4R(Ue%wU28j*7H5MLLZ!VRr|ArN z#FN$3=Fzx!FrvrjzkVJ$y4yEMJ6wfF1^<;QM)D63Ai9U?t~4`R1{DS=uI$Ex1= z9@2I|ma`&le*Woi8B<^r^Og$STdM&{2s?9aE4$%%PX1hM+Lh7vp9i zxi2Rd&0p5>o$?QftJHVvM7BrJFhv}PJDq{w;PODxed*H-+{hkCCwlBtEJ1#2UD&fh zM?LwK4G~G8)~HmT-5fCj>a@~C$ z<}SO8Q87^DUPeHZ1>8f>RZV`Fajb4SAK(YQ!X2)p`1~D>|9WMK7@^HKu&s9_84l-_ zUyB~te|MB9%g!}Dlr}2)$g1gqXXc!j%(6NFV=+k;V1qS?>lC}`3Cs~t2s*Aa_kysp z7qbDwwbR(M%uhf~vH5{;*8;?%=6{pN{$pAA4_L~&yJ+X}8_4&Te1|}%`fXP5rj^$U z+owv-_U4>#hOnZNSzj&_CO{R;Gioi6Gt1|1L)%!NG5tFEgvw@2bMrDcY}=j*vgn9)rfb=!i1C%P&8OaNpZcFP4mhR!I12x7E7gAv zXy>{4$+-lHX&DU7 zInz>;NO-6OmW~o-WwU-Dk*@>nhGgn(lmrFA3;BB?Tr-sdZoC(=#`{5`oU{|5%My7- zp0X%q5cu#`-xn)gbvly}=B-RzrSe2sxsa3rW&$|tK$H>rG$x_Ke1 z?~cIPdsyDD+eb?*x@Z$vB;>uSB)pPN1ClDq%T4=tIAVx`muxli=xt ze&MK227_eZR)IwKDua9<>7cQjM^c@Yw%qucs$^-BWE=)A%XT9Cj~!nSeWK^MbmG+m zYl89Ma2NAkYeJ%KYM9vMkjGKed65$JAnVxO953dk=D@d^Aiz(zGxie*^u=`Xe|z(zxuAv4W(8YVf0mcVTun2L10G%gJ2`lWw7k;^;^2eFO#X@8yJ^c+K1T=` zt3v_97(qY9me4@gu@}NG1%6fqHn@%@6&dh%&}(0%6kfaXCA#?^po%aUqUf9HH9F*# z>2wgw?<`y(VPV9o(5NJY?+jz_=nI~&GrMZKj;q%Rj(c0ibv0Wi=GGw0rjO=Lcg4oW z(#q@3Dn7WB(Mn!$dx?ynt*N&YG^*RWd$d?DXOVM&R-ionJU~phiYMiXG;GOq8Z=J3 zqp=J+EfNP)1!O!tT5)l4#^6f~W~*7ce77VlJr9i*mlGPDpRTc^qcWs{PtMALETbTr zKDHR|ka0qeFjWXi1Caj}hIX1Yv(Cq(zqY1^j9}@_e4XG^g0#mj2EC>--|Hpd4a>rks^fYW`pCkrA5JaHC)b}iYZl2?UV|sCLqTJPU`|xGanUi_!%A4TC zuiiYqga&WnrQ{(RRh)^LX{Tl?+=VP4EwY4#UxOq$yI^hw{XUa-*EsDg)-&6j z0w5Ayruk6L2h&O$cxH;YM- zlKXC>5i39`jNRy>mGpErr8?CiY(p9_7y3j8!ptJ7ZU*fR!irq)=gy+_Z{fYdKi zDT|BdX})2xUX0(@h+>u#hoQ;r$1ZeC_#ma3G*x8eDUsI%9x-T767^^&QyPb8J#0tw zoW*W1b`T8>4T(`pWBd5flQJpu_t#d5AL3kJ>?{j#HZ!!iLsV_=3$~D{H`VCLvDO@j&{${q?U@v(;GG5LHQMjPtsgCp> zgjXR=$W%TAUZEuTD!ji`zMF2Dg%l^!#|?-x#8uFj3IWsL3O3uNmxiQw32~zT7ITC> z^S)@;dPK3>t&UPLCev#%EH&CCi$&q2CC@{ohV!CCA)o=By!`xcPD>5W8nHc^)a@YknHJxe6^x-xn}t!bKQGxfl47 
z8P)l${i;yg0bHP1qDUSuw^KYe(efqgM61O*wOY4ar8enn^rgvCvv9y0roZ;h_HfX| zosTGL7?F5fpPU?22Z#AWryy#dZ`3Hyd&thZAlwNjsfpH3N8n$ZgTKO}e$@3Vm7J#a zJI)Wt9$i;hr4Cbz*D{UeEGL{j?B)1kNe=97g(nkgT&S0jrTW8HAuWA{v`j*J89w^& z!?M9PMPQk$JqvBH4IiRaTLQ%G=m|iF_nz?9QG{T+1hM&jP>)fkD5_y17&Z_RZvC*i z*;R*2`Qw$@s*Q|%Al>BH=Y=eEbRm=Wc}bZ=qj^3(o{_U*%f*1Z+%d$ZoFSQyPYbhr zk>UhLHSQQsJ^hp=5`ZA7DTsu}sqj8yS+C;fElvs4(ab{a-sj1a#RewEJev()F2leK zpGAwyzGTwvvM#e>wz(ITEYDkN;PVX!L_4~0s@ez^!i5W)Dc4ead7d}Ae5$pR@_3Lk zG65>SvTQ?+jI9!WU}Iy8IW&{l1l3tCC^EF}zh;+V0Qbu03Z%v!F8A`Q#Vo-0X!3*c z6G+MaMc1)vx;|fhUUsk`mygnR*wItqXyBD=aXvLqS_HW*AWoHuS~c(7{w$C`({)^1 zJ4-480aahX^RC1VG4)v z!_tNr?2j;6U_Nb!{)LhKd+WwoikkgtR96M~B`PeJv;M{z9RyP2O^2w>!*WesV$th? zhj62Ufr1R*Rx8izXt8^>f3f}v8;7g^TiEy&^*l+IC0(kX3ZI|m?&5n6jocY&=!(wO zq=$Z5l*w;tdmPW$Ue2KlZ%G5QRYZibe8n)u2ARQ64*a~Wj^Mbsb|2cLPBTB;-WOEN zQp`$n`t!v)3mZk#u{0a>EdFR581i*QMZ~01z)X>4xiWQh!6t-;$UHm_@_EsaJN_*l zoXI27;&x`5l)zy*r3g7WBTJ-Jiw#4g6kcV|FOrm053SH-mzUe0VNx#L>%+Q8s@8Mp zGns1B;%MHw)yfyW+O68xX2fN;PWXA&GJQ;{`9oFqU=a)r+{?Vn2GCQGw%^NO(y3FG zl-vXjE74es`@AHTOmM6FPIWtN_DVWF+B61(f4Uvf$iLiCAN;N@x;O(ruI=bP&A&9* zXpMlT3wcC+dVf=Az%}Bf{4__Ub9EXU@av8}%>U!o25_L8}_du zoW(R5-eYhd&a*sEF=&{ZMV?nX)&kBM#fT*eem~Ij zRJobvmT5K*D<8(o^C#PN;KTQAzekISk^g>F(X2=zpGs07m7GK&nJ=fAOWyWrd+kWlq}neo1w92sm>z)BJnkbzbF+zW7mPrCAI2)14A0)QmkA}a?5*# zWXLRYI`OYf8WJs(q-Z>n6>z}P0N9#=_e0k8U48`y3ETUiqbpCwm4j3 zGfpdiQ@@qaqlW^b?;*TRo_KmLgaqYub=lE>=LjIZ-@|tUY*FoNC6TRDd6V}*NCa*l zh|>9zrk1`DqGrTV0KL!RSZkWaWMnooG;xUs@mR@7abV~nN~_9@0^Ls( z4b@E3d0^*0V??e$?iSbXTcSw>X53wF7o<0DX)1B&D$kB4VTlH-|9XL0p;qyZO*h|l4DOD@ zyS}3J`b#@!{9pG1$>4g!om-SDB-MFhW=#@|lVD(OU_E`&-6oa&E}Fax!Ob)`2(i-5 zeAo|&p;&O>DFYw=odgO08=xIn{)?=6MPip4e`ngFJ=n&lV6w%0`AhJNa@OS%kODD0 znuw1-GXlb^vNRD$!Jh#J40>}!P>@R$B``BPtYT8D&=GjrF6yY0p$YS~o1YB`ysqRVKg^F4JHA1F3@lb2{Tlhubby`MZ1zy?saVI%RZzhpv=Lr5k7 zj~QPXcJ0sPw~Or5?UEYi0^{OsZ%S1hKO|)FROfs3UGD6zgD4<}{WuJwukS)W{4UlN zUhNSSa&BDqioZB{C{>*1=T{8VL^Hj21_-uG?~R*=d3rpsYXmtq+N}|1R`+JYxtvUC 
zu=n89nKPZu+yk%n(!GVOX3h^wo^UyASye&GwyVz1iI-5-)fkE1Z=E`u<&Xg4-GX5b;CtIC>=Qgj>1Ri zQT+vwi4RN)kbzC>M^;!SHc|S~Z5}j#5-R3Yb#NSdp`d?jts$EQ$&lKcNxSO*3^)x| ztowL-{&arFHdQ~we6Us>-IY9FL#dQg5+dn+u|)=a9bs)gN_wmKQxSfsTM^iXDd=KC zfRSY~oDhpJPDr5_bH98%GUSX;PKmsah%Fi!wB0KiZ#)mg8mXP=AX~Ek6zWrNG zH)%?Jm~T6yw#u4!B%>5!nDF2cwmGR!N!?C_a#_7cL)V)9Ci`QWb!HboGm(D|oCOR>1YmmF$3cTl{IbpWQ+7XCQ{*%Y7uqi$EuJrk{`8?Io+alT z1dAi6zI|ze6z|xCl^moMK3$&>9<)wN17Ikw2J_m3C3~t~SmpG5m8Y23Zn2T}dK~Gf z>FI4AA%#4zkm!q#3k%3eYKn|BZ0aCB{?(!0Xm1=!E46wSz{P9x+p+|th~jqy{l0}%V!yc=OG=vWiA%Bp8uW4h zct@tNh!MN7HX19=uS>=DgK~tOipEA*Uf1e{nZ?AlDnCR8 zkN_-K+Gs^eYRmuiu(O+mmWNXBMqek4UUuCA-eNA(W`k`#W~AFKx3aKY+X6|VShp=L z$BcJy!fGfWFcjY8Ycxa9T+3qJ=vKXw2YtXx61|rG?`E9g8AY+`p}KOd#^FOYtNf4X zWpwHD)gNaa2BPu%HRE?4!4_>&+=aE#M-H5y-m7Wk(e2pJ#H)sJi5F$9EJE#rNyOX z`%j$5<^cWJvxHk-ZTS%Fu*@_lQyfPYQmb{j5Y6g*=vh7Z8VcwLqGY+6`k*+uUqswi zSVE|gPZrhHgV1ujWyNWEiRB~JkfC;2Y9Ls*?uJS`QGmR@Yw`Y z+Nk}d?)vwSxj~!8HR8%PZtZY^gGSidNPxH2oksq*Vb{|6ZMN%?nuA-c!YL~P^n?R- z64|3}d(bc4Acm=IL2v4iHd5Y##TPOHZN3ryO1F0!9WITn>@>1*BNP&0WK^GJy<1Oh z7Sq*5PVe>Gz4&}`u5C5tN|U6Mc8(f`_qKM2?($|OpV72NeyF)5wWvrL#K=yRGV`-3 z0U|JHF<0f4Aj%M4FU7satzUbBDbiD$XUyIysfdaSS08FZ!87efuyS zu26g#f^ZIVnfot+s3-QAN~%1fuUwDY&4KTP{lY0|%2m5BV>~%8Sx;j49z;CuPVo)A zx$IWGH0nLrZY|1)*{o*J8Df1N%Q?17X)C{|dXD%(?7U5~&|(^rP@*kT%3ea$xH6;4aJr;$s6wwnWKy((q@pS&y~Rd> zi1FPy@&{?dQ%P-4n(5<9%`xXrsZcyXQ%(WrN(1vMfdPkqT5_aaWS~jO6^CjW^v}69 zygj&-JNKhDzBfoT^mjB+w<>&=Sr0y_koG$uie!%0GMBj$X2h_qb7vj5`Rz(oL|cXx8+&!zV(-EtHBmUD;lX;iX2z<%q|%YnO$D zpz^0(IUJAz$;3&c{&l~!6URg9q7?EOfV%1J@xoM#i&bqtaHbfPFArLET)E*GW|4nY z%L49lHQz4&xYJUbjjfP7S#<2_3oyBEf>*5e(x4hq_TQuKqRCVeliQ#7>A3t5;de9a zZ^%N>=B+=6ez2OGMkldEa&UlM<#D5B?dd`$k5`7Vg@%^zQ4m*kNJkwukIdS!d-(ic zEC3c--;sIb!qf1ruEBXiI|Xb(3z`AYUJNb%bL*uwHZ!cuL z3_HZ=1jUkc2W+45h+Uqxhiv(1Rm<|LjRt;c*|o_wE_>kCOUt_%?|GiJop~{C^teWE z^jIsHHIwhVoUx_#l5LP<=?D;xYY31(O0BpP*(k-u@7J>7?ni@`C7vHlcye#;V~y4g zt7}?XTjOdLDW<>n{JglCyK!_wx%e4-x3=xgKXSyGPi1M7NURU{87kQCA3hA=X5u4@ z1vUNlg#A0Bi5-hR-oMi#7V2Xhq?8D@KZlcy4(&2yCCvT}o$Syf} 
zfx=(1QMt6q$abxG%i>>PBWintB_fbSQmOGXY1L~BW3dain@*=CvZnTN%I?gwQ*0#;AKhU8d|#$}qn z#4K#{V=1@t2hvrSx&t?Vj}p{lu!G!J(rSN(eG)Rv!-x6(&*svE?H*n$V%F%@QP(8C zTJVBJL9;KLaBxGn8zF=(L}#NJqOU%;Fns5f0em_w-vt5*oid~EI zh`DDjV!Fa!w2-+bL!Rywoqv_w3+S!u$fc>E=dAS z^n(Z;5ltnAi@KQkZjMns>qDhSrVM$7U`h!E83_txVa_8yV@0TU5zLwqQNB5R8#J~a zUMHj;Gn&y2iNc|Nbl~xgHZC`74Qa?pfx|+qQjttfLBw7&`6fgZ{8Qrbf)LnC;OhVq ze(pl1NQdY8>wa>_Jxskt{O%J7JfLLDFPqBFEH*McoFQk-#g%6ct_iBMxH2_csuho! z_kpO^fN=6Dhx6gLmfzWYZz2(23;%}|?_YOJ59Pm3*7fB@-ksN9>>;fq0Ld{kv*gj- z>P4<`BO>>NG_K`UDx>M1ZzJrBVX^T0p*p@YM1E|PZHmQ~Py%K>O7Dv~pQ$8ZSovT% zp9mbpR9H3Ogjj2=d4OVr5j0H%j)_ zP^#(sV+A|C;aD9m7YFZ1uNJGnBK}XSG%tY*v?oa`ddGURu~ZjzkD#~LgP;ZIzTQOc z_=3CtO)8@eWKcqhz3o-SjL&GRkCg8c`s1dZ!F>5)9vYl_j6&+ife4rJxp{DF2v>6C zkOdL{NZ&hPlQhc{np$=iBDZBl;y>gn+sjcO(HR3H3w)79v`er2hl!)df4eLlVo$fe z$jVP?Q{uhv<*A3v59)|lZ`bz9!NQFNyL`9H7^MUpeb`6#^RYpTb$1A;L4L>;{)ldq zXY}BTdgT841-H8X;R`8IZ!SOGHmnxeEY=0@eD!Gi0g)f_UVgsFFe6<)qEbntC)TT)6-2&u#>WhHGa+vf;PRI(vQ>#%q}4 zZaf^aRNUtwZ9W|)fTb6aT@^ll1byL;H6lsVzIhBqW7QZWf4|sb-fU}yYX!Ni0E@_* zZPFSNgbxw>c|iyz?q__%>j9ND%*@55rKN&{@{zIMzoRUfVLpe4hrbV_mxniG(5g?H zy&|Yjx$8V`ufX(HDgiU6RMp396kd8Q0RG2Q&9)#>(21&*z|lYTLL0ctyV==zLfwGH zzCHXn4bz9I)iz-EtFKe;@u=PQvE6|ibROuC;eUqzD_PQ92+b7gjpcqX(#2O1Mw=5x zc4n*to`HSBFv=IrJ>yYzSTNXimIL~uKSkghzIZ`bOh?mgSOiRkjjT4-SmbG_jWFxc zV2>rEv-xk|gfv^MsWBX*-qk_Egq8LDy}_=4l&TeJrzD0QY0ywaP4=Mh$5mnN!_B2Yt9VU$SY}>9d<55SmgLauB^EGnO=IX35gtJJ!8Lj7;EhZN_-K{J9c;}w_<+@nQ7Bc$><01bM) zNStKfH_32vY#(Lp2T{+5#=mXyvW5+f2aiYgDqc0N`GmAP?bO#9tVp@(*tK3z+#E~~ zoH$J>4~13!euwiJW?UgPX|KClUUV83x~+ zG!zutR$-#A6QOH7HCONZR+I9i(*ZX;;k#g(Q9|x zI)KhUqsibvH1}dYN9DSu^Da(7(9jTSXJ_x{%zi12&zQxGaGPezH$4;e7KDt&E8SRC zBtj^6Mu;rJMOJ1ItLF<84HZLSo}(iUpjN2@?looE^@x5Zx)u}Uc?v`&j9Yx}*@?|^ zN}_WC*#|tD{Pdkc8tOzuQRWN0Ano+QJMC@yUv5?%+Fm}=lVRD@!tfX&=9_2Z`6I{j zp?`;PVe+}n%UIUnGj%7DNa6jX$3^_&TpqH{yh-qoRqqA7e6wHG8$qjYj@oz&fNl`d_2&L`; z>t(JdaPBJ1k}ywYc$(1X6tI)6w7wkPt>*A2D~&PH*eq!eS3YTjy#VC`n9jB3C9 z?mmP{Bfzs-6TX_8VP>WAx7?EiW}yhAE^tY(q)*QB;_g|5(Z}H7VHoB^3AxWYL6*W{ 
zCtHT$YHYB~6xvUQP4hNeEBr;l1yDPlAhB>P_f*8|k#qTNW9b;hY97qpxsbfHWR7H> zQ}NT6?>w^jhsNWqy$H=Mx5y!dKB-Y=FOg0^RLiM5s^(2x8+HnI@M~-EnuGTQ8gR__ z;R9s)HYA8Hk<_|UQaNq1ByVhhKg}O2bY?p2K*Fw3AxACNc>l1DeDoI!6ZmWwjBBue z*g}kS8G=ke#2XOa8*G=t|Mbn-2T(0Y?~oY<+Ms^V?Z;`Ax+eB(QA$DkK2&cxKi6?G zsPE>vUZ+=0saVtM1P2Zd2+KSnbpq!{R56jBdrMVV&Iol+j<7`caeq2pa@R7g@mPs( z-HiAQ$dz>0KFVpF+Hi`+nq{m*D00&ly?A_{W;vGn`?F0~5ojv>=7>7IHuQp21d1>_ z@NRD-Mcl@THS-^wWUxT3aCUoRT6^X%l33h@cU7TJeq`-1p2R}rrr+hie~ev6D-7UM z_3Bo7AAv1`dxNykB?Tzqtxq@pjuby2?5xyz2K0lKp7~a9a zpr;dM-b?Bb;)cNz))gS@om4JWiJ~q^FkUt$qF`v6+d!VBc?+E1)4KyMCbN94)t9bs zFv{x6$4Oa)G(ya5^p4z~hHR^K!Nwa7?cFWcd1@)7<8jY$A8PX-a3xV)7RD-oYzzR z52O5Z7hQ1Yyo{W+Ush$dyVu|=L-c>;#6(J2I89>=io*Ka<{^8Al`s9u=_C*}vkLbX zL3`y;ro3A+WbmJyvw_bx*;LY^zisD#_!YJsL+tZCWWl1jA*PR88C$RVZJ7b&`r^=U ziFqlb!;L-KIm{R^FwQonm(g&%4!A+0$T--;o6*UOYLJYBPB{vXcXGAhn&TiZqh zgy0Z@77{GD1gCIFfS?HkcXuex6xJz(%cPS|3t@Q5Rr@MFWGtT$@ z1x5|(dDfb1&ilURT+L2I7kjoQ=8_%OC;wRLN#KU_EgP(t3#}V#O*u z_bbb;ra}?(#2y+dumX-SvWtR0CM1y0%#6TvS3?PGVn;_DPu^0SJp%Uuv)t@ICniWH z&CCSqwYwJm!-FJ$jRMu<%krgf9sSVXJH{S)$&Z^hB=p3-0&cZuoiI*6J z@x-3ElvAZnhSsbwAP3G%X%ml1Ztmr=-_I(|ac>&-bB7#F3W&R1=Qy;Gs8MO$bx46$8D~YVjV* z)10SQ@d}9jqA1Leb(O=buDDq)o(HAls28ktVhsdTV>{L?PN7C?1JbBO6G(ogloALe zDbQp7wt6pGGHK2b=36-XV^Z+0x*%+bLg)>x04qa%@2gOKe6IM*uV0TJ`^u zCjb7}St${p&mBviIT)q{pSUfrSdG6Hwx!k4_vs??n-EXe&)@Tps)11BYJmx z)gxPez0iLQ7{C2cOkPIJ*`|>-1znb*rbh)cmVs*ta7QIN9a%DgFFB>P)jirM_Jey! 
zOcu+sAK`esl}47;i8aAh`F(|K$(2aapx4WyQ9WgAn{ik*J?=Q+@j1s6(h54XPCX1$Qz#yCs4I_Ukm!e}NPf-D^ zZxgJ&j7osPGiy~Z>ACVN+w8Ns+@6RO_YB?M%@rEH;X+qdsWj75<&<^X@3yje_C z{(iN)F#DjX&uUQ)Fi!k2C4cg@TcgdU!ihv4@F_iyMKop$6|n=_!1I#wqM zTI-D=Lja|7L#NU1UC4XpFt1Bf}poy1q@@&bti7^IKBdhp;Q?>kF*5t6POD0autFQ`CnfJd?Ig&0}!Y zC3y>)Ro@$#oGHjT+XzD@iI|AjyVWnWu4#K`%X>mO$^EZf+JXmt8L&KAqOGQ?syd(k z;>8PcM9*>v!|ICTmsjHyOn~_-=ZR;D`3%G- zYc;$-emr(P3VBomap8r3k^e2}sdH>QyznmheHr0OBj`VdN8m5T#etK4ts$qbn*wj9 zN_D@u9WBP7pq_Ye=##>Kt^34#=8K8MiGlZ?rxAxfZWTU(vrr1sLvS$4Y?V3t-Dw?; z>hR&hc3(exenf=aY^_fnCS3*R1F!Aa7fIOV`Jq?UPX5$VHh9UE`(l4I;{XRcAt*I> z=I`q$8Wr*WMj<>rJm%GWoxQ$ss(Q3XkFc7W+Pugste`IHFOgmenm4XLh^*|eYiWo@ z+d^7!v+?0$++T&f|6PGzVfsyh_Cz};r^}qkoPERf3V!7nwcsxa+9_UDlHF8viONbl zUiMQ5eWMT5>>LaOk*5T&QFJl$_l3%^xS? zwlT6bDZ9nu#AvqC19M|ND(7&aNsY+-)hZZ$dma4vWVB)=iEgc&08k+f(68mSot27w z%32^Egf`lah@6hIi7Zqh%@Q6^%SI)%k(G|_GNWZwhxw4gohv^b;`qJ6d?YV?jckd0?~%N-74V2&u%`ywX=krC zivF*8T?d0OUAbscmcJ1)#ca)|KdIPBoSo`7U$lGQe0{1l_piX7<5@BU{-jL6lxr^mO_BL`KF>aMLA913}VWhw~nw`|GXI z1ixDXEHc4~K}^nb9bA;DuxE|!e#46`=R;nAu_CqDg8RG5jK=i4vs29N9A~A%@5pGl zH$N37Tn{IDJGWeU00 zy;XsAPFeabse@jwLW2tdZ;^HoEOIB%pW=1jeR7{gvkfmK&e(GwyS#I87!{|#)QU|T z5%WloclkXhBSl4m$`a?TF5TZJ(h8wrQAiI9-w~4nz3XWow|VT)feulL$8)a1BW(|N zEV_ORHPxp5PqkW&Q1kO^vK@`Pl^;JeHhErhCHE=_@-W(GnmHPWUX^Q z^Y|X^3p^2=iY>1;S-eG^fYXUqQ*0UP4(X?-k9QXe`Jzb$#_&?9Xp&jx zjOSRjYX#>fCf<_v8{2IP40zhtM#d@(&s2$KVN(c>aMbEoIMKoH@tO3&uufY{dW1zT z)#7;(b=SzOA6#3yBVeIHGDOT z^lIaDlpm>1B}DG6LZzt^CT zeE7r^mNwM}_K6u1*|O(n*ocX#e;4yzKn4^><(?q7=$;$=I0H>D$sGygD`qHv!vTVc#Vl$^+UJ^QkeCj&!? 
z|CKl7I3Jh(wdT+QZV5(K7UhnDXpw-jl(|pfFUy^d2W^CLs?<%-i^qJK+(D2U3m|Bx zBtoJ;mQoJwETSAs(xZymlv7h5OA{U~&L{h~u6vV?C;EPq8H{ic=>yv09Zef_C$*3!4~m@q+cGQ`5t1R}ZMC zcglpG49pAqF@iNqw4zeU4?%(S9TwdoibRs}R5IP^++9p#j8+5Oupz*A?_NGWLik?s zF-^@Qwl(&cQR!9ZIBQJ2T_vUDbb(o5kdcYgw zBRlTpl=gQgYAtzUkrbBxEP=w2CxA|6i}L=o#oEN1xyF0$$bZ7(-*$S73p z$=j!tzy}>w-xH;Ko~hbpo=ANMLi)5RMRG4qLhmga`78suEV@RlL3^VD_pka7NPC{L z9;i6h?mw-wHxysITwf>;kJV?&)W9TM3J};|YY5Dt)8lBKPOSnq3He|ji8=*zLz}3X z-5$KUGWqRZB&A^}2dNBBGlG({B-C2NsdQez4MmeCVPdPKut3SRM@oW?vGo?$t{PJ# zS1X6ycbRB|@@hf#t);CTDz2?ds*UKI*CZ{i^R4~IErHTo!H$=>#Ha?~w1r4ctEfX) zqsHs1e~?)wI4GLl^e9T{LO7b^ez>3r_LzA1+`2u!!>;F%Rj~3VLFe=hG(McxJd$eh zC#ss+CKp;qI<3eOoVkY%>g`d(OG?~V_^Cmm8D37bN!bFS5L58I@hkK$jkN#=EkE5+ z;HkAc#C=?Z!bPWECNyq)OLy^LN0OGx*v z2YZ?XC$EGZc8H|oxpLs4ZBZq#Xn$3hH}H-*djZ7fnG){em{rE%LNi(e$n`by>}vO#Y{%v~9@?$}RpB zJvrhqbxlpkuswOT{Bg>stQGdMg&u))EY6Pimj>N46lPpV1GJ65fqyJ0@PGemS)i_k znNg%tW%cU?Wgcu;)k{h_4=uv%sEI7jj96Wq!3yL-%dq#ye-0e#wY(D)@SJnrxKOA0 zRm49?)W~Q1cYgmrZ_NZp2#4d7=`$URa4^|GAkKXweP^;f&u6s-uFENuV7;(m!7jY@ zjg6uICB*wlsRdN$)$?Mh!G+Q7*KD9kf$82!#w%!dr{_AH4KQ2rq3H=!!uo&WKRYTrmK zFon6ELz+QbtI3KYgSjksd!Dl)B$9y;&5Xw6!XhpM5lz{As2OiNU;PR04~zl zOFJw^i{9GKPZtd(l~Yqn{P?O-=u?}?w)r%)vk{aJPYwyyFiQkCRE}2mU{S=As{!xB zj=0TBX}a;?F$CTvm{MIEMe1P*yc_I88V1#DgBIt8D9xXGc$xi;%%40eE?MvcTR#T) zl&tgi-_N(Ty7G%?|3#ntz2e^wAq|9Ak#{<(x7U+c5VK^}Szp6%c+<5Sk6yEWE4rBi zmK5w}KWmxt2qvL%BOYv~V=CmHMyyRiru7Z5l!-G-FO1wQ{1AO^XIsy;HVRobZ?g92 zsM#R2G6!zS4p%ezlam-qaC}t#k(tvpgI59VQCU=M-Ox+3Z<=YK>V)Q_5zbA)FKIb- z{}=oCJ7SNN3Y3ExX=3(8!sC^&>6@KtK-4?WuBz^S{T*3ia330Vc}|QYFLf({TN-SY z2yR@jePlos_XKsq0#J=$cfBG9a4UXM07QIL=Dnzxl~Z`g0M7e0;6N+bjTZ}tuRlTI zwl8&9Ys)ErEP$&PnL>C zEXaoMq#t1Pu?r^bg74QttQsTH@ZP&irKiAgfagz`LLT!nwMK_J&tKX$<4TLpd$#S7 ztOwHjOO^oriGSf2Xa4q(JIg$RYdL=T3{jFiJ{g|7hZOgMm`ik z>m5mPwc9OVRW9O+ zwNw63Q)LRGKoOeV^cDSe0gqF4%aJ=SDghnrawsIy z>NJ@o7_tyfCalRNd}zk}P@UR9Do>%-;MgK8b&Q*9l`IXG(@eEe(nB(@PSU@mCnC>c 
zb91xLGYMNxjiMa1_fD=Y@_~eo0z+8-M!xc9?onC`~KWwNM8VDb@yICcgUr_X15qH_n!4(vSJi@^C+huY>df?KS&4`$X{|H)JT21Wk&KqQBa&jxj- z>v5LdY$+A+Zuaq2HM%F4wl3p_FuSGs|AhqT9~y{S6SWv038(a6xzZCozfUby3O;)G zg4*68*P!JH3Di)z!VrwNHoY@E<o<*7ye~CTi2Co1Ay2Srl7QPum(3!<6swJ^p zB2~ldZ#dqZq-QALLud|ckg-5Z)FC%uXo4BYl-VE6$eFPc3k=X|O!#FeVN44ev?p&F z>&d}c6!|Id>gxtMD0=Ji@5vwZMqXHZ@N~QsG5PmLbp%y%xUMwXyk?2nnT{~2W6wu@ z3HAm47O(D&CSKPB%UyX_eLb+8s~z$1vCuNeUwk1E^jmk18SJ)mu;fM@z6By3KHdNE zqG`qA*Md25($*<6b52j3y+MNQIC4=j;uY( zLfYO|cbyCcf}mGh16Fb|re2GG3!86b_|EfJpPC{I5PUs~Dz!++&BvU} zqaUd`M)q2Np-M~($bi$(J4E_oMtaSkUzw9H53~S^L+?3BYxB3Fg$-;(irLfEP#^}W zZ{z%X(JR(IqOOQ$cMrcEU8=C1S z%H4zfSb;5vtcA|FWLZj{Y8>w^2O!waTSsT9=EnJiOuzK!ASi%Glh9JaxwH1B)?S^^ zAHVh3DHs-kVt}CRGlj?KHiRT&~5u;RGiOki&MMN=ix^EA)uKoozR0 z`Gk}HiUzG5g@zZ}jwn7oK5$eFxCIq&a3?|KE3d2Rl{C{h49a|Nfqq5Lx0Zxsxx86m z6BWJ18s{ek^^Qcs|9KuXSf91^OLe;B3vbj24ggL)i6-!BDY@NvqncANhFftsQc0nj z3DtI4duZI0wv6N-vzN++;=HKH6G2>z!@Qis&gguCt$ykJJYm6XzYwO~*=dNLFq`O1 z#|a+pIR5AgaqX?s^5K2Y?9-+~=^n$y%?jdbvVs~GKhj3`R_hTWfm*;3ItG^p-m_B- zz0f3a8%6XT7_e~cUz4$)dQS;sJGlX!RE?-6}wbJJU2Lghvz0nL%I zNxx)PmNQ-dA>Y6bK-AE6D9gy$^s8sVL)OE@D_VL1KCs$Au%B2hH`X4JBMQ@JVcVG3 zqs1TG53(K6m`j#H=oT(;Ii(Gbz77hB+5<=6S#6=LFYt$)~#Uq zQEmXnPNd@cJsBJY1?5efm)qxe+__L?sr*R?1k>$kc@ePs=JT5bht?+%ubur5_yh!s z;$E($au}r3cUPoLA`GD%`|jM(NoEk&x%X}RJ6VoJ3}fK*JN|k7oSvyKng5`N>Ri~! z5zNXs7@1nYwim)t=dQ*m%(yZe70sF+K5t89zx-o5f8E816tE|6wbl<4MA6}2^=dvVB#=<*=n-hcF!FA-FQhP4VsugL!_;F{v+K@ff$Hju?7f9M z-RoCW@K>|ZNrpI!!l(I2)==*EO{Ko@!EzIP4Dmflz0HqA3NI%Z-{(iH*%o)s+9GU! 
zGR_XZAc=={agwtK1e^KF3ToAAc`In{EFVOXe}7CVC6h-YNBV_2$JS`|o)K-Qx8&}7ep42{`8F#6F$&e>~>MW!n~xe)AT z-&;=PuE@DuF6c1l6msm2W=-7NGibTG^7)>2g;_A)(FRi%k~(~k{jBpvZeybzo=(b% zW&=xZSSHUa@|r>j;J)G+W{rk+wNG~js~8gfaYAR^{Jff8IzR+|$ZB5spVP>+hpdon zIX&H%!B}gF6e;I!5f+3(S z8R6h(tO)LHJ^0Le+nGPd=R8gKxy#$5@_lVTAn+A;Gz5{~^TpZiIcuTSd6oa9krsni z#7`)|BqR|-Zar{)*tej5kdx)%Xh%W;- zW6o#y#^D|;rj&I4;ZLC6or)3phDOX~xTh(b^ziqjm#uUMC4gpS<(JIRdES*PwJa#CTyLjs$5#+O!eyXk&=46l0STbxKCidh z1W2_~hEqH zETeNs2dNSCQpOI?GZsNKr07zbww<-MQhkT?((Tt={uy3-fdJXi;#D+-#mQJzd#;(P zMaORYeYxzHhS^VwtRzBvA8e)yny5|W;)s0;-JA{Iu_qJ*U7*u4Tk~J-Q(k_3r)WBUOV^v1Ams8$ti*V zej9w)-~fmXD9uu4B?TqmuS}+UQ(En?&F6bVf#WWdH~rb}9d=W-b6TCZaE-asPK{;* zTW6E~pn0A2{J5;FnP#I41ny9P+54JxO0%HIlL77($4|f&J(|Tmikg*vCr%nvZ&Ea- z*Pvc)(pP4uPbU5R3uO~oBj=r;VYw##vtiC}e#^jZn*g7f*qTOS&3D%xFXM&LIf=qY zUGvzNj~3H9b=ET$EV^|}ef_B)Gb0S~3}`1AWj_T_1wh1UL@dw!n!@79@|(#}3_hEo zKzaCV-0$tyV1YZ|J9L|OErf43J4CUI?iw|vR>{0FA_Ib1ytnT2|B)N6 zM+CV0d^&Z6GV4x^%el$LXw?&{m}@ooPw$k#eN|cD-=+dgJFP>qCsicYveuCg_~tT| zroUuYGdmKu2Nt%YkD#3Woi5Rd0$G#_QPJV3c% zkv9=>f>XISdNG`O+KLk}$#n(D_+$ul!@L=VVlzZ+qreT4l?+5&g8wB#f9_Zh>HuW5 z6DBpQU}yu5v`md1Hl?CcMy#}aBpR*554MceP$66r&ywAf+SXw3kUhCp1BwE7oy&Zu ztyBX#xn)|-%$1D`CxXay7&x`qh+zgGsFZ~oL<@6{11J&$XdMi$(AifmSD;lh-<3s; z{`k>M6Q73@-$DDkFwc^8m6u3yOS6BqK^Bdu9oAd$+LId+7P;dMg_ zoEhl~S+j8|lvPjF57sR-@$=a69Tjd_0vYCqFD2Vu0kI;(;oYIF%64o7>~GQ=?A8KH zU`%F_FMo5vs0eVl+xy4cS%9VfTIO7t{w@rVgY$c?lKS|lt0O}Xc)!D7qA2^F+{fO#GFDpg(n zKc1Y5h$^5>G>%M#4_Xx_B(S*8-#Xp8d$jt9)SCGR<3L0XWcz(XzYj3_A^2?1H@&Jr9r^`Cso3At zxA$+Nu+TtLBnhdZa`5kU=uia=j@4cAxkzcKzQCs-R4rFd{N1J^FeoN~^v}n*fBdBL zAAC5nv*TmH|B|{0GMSnY9)R9FhthrZ`5zK(j9#p-TC@zN5S@PN%mz;~aTg%}(DlN+ zyl1YVab!{!*T85DLKf6^!uRKrj@QFM-rPRe@CheUHI?VNFEitPwL5Ir)LMEr?l+jl;2$EkBA#etQ~aYF>ggTmrmwY{D2 zC4GcrInsJDX)=qvslJ0}usn5KwFVI@LV)vN}4UfNR{G3uT)4U%0j=%}EkSScrT$|eoE%y=+% zJk!Kvg8@_PTOHK6s!VWb+2;Q=4}UVU!D8f>uh@IDz44+2@jSVnRJZz5+%n>oNP9uV zZhKLVEztsW^AtQ&@{20cV0|bkM!#t8Y&-(sY|;NGa|&CKrcjgA@8Eyr3XrTRZ 
z2~ZK8jZT%Et)N3ea2VD-7E`xnnwXhotn5gd)<*iv)sxyH;`%|gU3vtc0L$oG*I4;` zZ3I*jxO{UKb=M9(1vLv!tEyJRs(*t0PssRu2wZTLnRoE8$@wh!-&2Ag zs2>tQ-QlA&`MB9FKCg)PfiUpEJ==FOznHM|Xi=tX^6-)Vs9Dqwtm*^4qY>5S@Pm73 z`N)_ZUT`$2WYLJk+M_B0ofuh@Q$)_wsB&Q92v&UGPv1;4FBXQJZiMn~o?fkWize6> z8t^xaez`aH>e}k^QIKr!Q1L{&sVg39z}S&YCu^8y@U!cfwip4ZEfqQZTCi`>cb#$= zDRuxyRDRi|Cn5%(eE=^WIS8lwaW&aiU1d`T%)_T^e|Zx@LrZHt*B$bv*^I3(C6eFU zn?l$tS%7Pbn3%$0Q1x&PY?7h|7_PO}qjr`Bu5d(7! z>l{$wi)GQ6ryxA&OW*trip-LICDoHZG%u^fa6Lnw&y}rRMz;Y!HnAZkC9S*ml+8LJtDuG0_Y7}w3v@hAQ zj{@K9drPY?g-_|?TkV`M8pwyS&A$&#TObgtEgE#}HTgpS2vzXdicMSWE?ylqMC4pD zA0@T`r{*7eaj=y)M^cN=ot=}jlg+MweI)y?6B}1L7>+y>*ow)x3huB(snJ52@W(Q` z`d>qU|Gg|C5p0vA*jwcFRa~q%gv36F_?oRsl;2wZMsiS>PcyJOCZKuDi>L6@FI^>L zdQ1&wD9~7@%&7gj6LzWAk~78BgaInsRKsVWqnnJ)X(@Yk3uJh$@}OrxQUIJ-ZF9YG zf_wY<;N1=KxNz>YR7+B) zecP2+b>Pb11Uf)9{1otiWo84*ue@&Re7~DF`qxov?cnCV9Q;ScpE$&K`@&*=s&w9% znuwAKJOte@J^2w#xL28n7C+B_2(EI|{rt@TYriIHqVQruJnQ;+MV>R(>jxnHXt6fV zq51f=&FWW_N3mP?yX&w#3{Usuv_(t`4@tZ{=Q@)<7Luzay*D)g6q!kJk2Ug8u@pbL zXJ}ER^|H>ICO5IZ*s&?Fu&aANrg5#%9_&8dB@m18qlKivv8!RvHg+RN`IDfBWJZ=nOy1ucIa{-Hd3 zT>9e5X6mSM)hZQLrrm5G^|e_|mG^wCYuD}W%@7H8S63q1ZENXG5yb|dMkKkh~b z>ws6md>IJJ&|jeJ-=~kJ&6g4t{~Omg5e1TIC^xy^h}6sk1T4F6=Aw;eoKPInG1mHU z4)_HNI|~amVu}t**}bs6IA?Dbpgss;y0r6dfpUuA00Ahg3=9aeJ<>>%_P|O1iDqAb zM2vd?T5KR{T2NYfX(1LN`R1r*ujoRh5lV&;?UDI2J#vWT9h`q)MkC}X>5|DUycpk? 
zS>rAzo=8Y-T=fxW*RM+-nh@Okp_9w2k)bAWhb@moSQr=__HB%YL9AtpwW?h8&JOkl;dy7^A?vMEv3b5im!=HSPj>DC90*I&yWUc zwyO3s)dN2{OO_G9=UW*IP7jnuyA_)PN^i*CYgX+F?sn=E|Dh0uC2kg$L_dpH&i!A7 z{c7-DhiBUTC?GcQ?K2OJZoA9`mz{W8x)_C7AJo0S+}Xo%724ohak__}{c3H>GNDlk zZaDeGlEO+%3h?(kzZGiU%chu3N9h_P!?>Ta#M_IRn&5TTi#~33#ICnlj3(hLQ_~Z0 zEM|ENcXXHI&XDxgZOj7)Lu6|zF!YrCW=}m+&>t$!TU?2+QSZD8nyj0Fehnr%zK@kn zHInpOXPY-ar)eNlZMkJNtGQM}1SQ3F)V0dAg(&YHGE9!+IJXY%}2 z3UgN`xFp&waj!!l4Ab(Q{9IQ}7rQfc87@|bBNN1Sl^s`pHY=YIRk9>z*5M0CPNHzC zT2-s!yr`+B=Y=LqgF*s)dUf;a?yB{^t-^U;*^KGUd9CgI_%-SLFCg}(7{MO_?zq|v zGs?UAlh3xIsfmjn=snrJJT)Ave3pt;^L3fbKuS-@AYIs~3MlJ0b;;SyE7f&%sF8+7 zAX*LCnf427XaaBU~+c0a=ooKzf$Th z$GcGkFuj~%l><48W)T-&EV#@eM^`SC5g^;2!fYBY1MqIJTAi({w_ZtPcs@&u!0kN; z-WKXNI*9+M(wm9TQ5XB7)x0&cu{UgX1@Cc& z<}RXDL#Z&Z;yzV7w#%CudCdX5BUdhz0Ve33Ez-V}XA!VLt!xB(nj8~b-x-W87%y>1 ze)hlu7<`6mylx&gcGvbANUKVOV)13$)bn342Vg4 zLymYGMpCOjxl9~v43y~YHq^Q9^XT?WRklqWTDYFJGild_QwP}2mF=8p{T(9{AWVCJ zx+t^$BcXySMWEdx$Y-E=NGT;OwKkmm&vQFy8AWxc-BON*3=xkgk+;r#MNgIe?hj0I zx+xbofJ1UCvf2#x7Rvatq?#TB(NA*@a&XgLgz^FC*f3y)!F<9m#0ign%oiDkh#C<> zDWpIv*QOeW{(U6gO&%{UlYVUyA>u_MhSD&-%EOMg;W)XBN)}%Mv`j_AmG8uU=w6XV zT982`5%bhAZ($P`V6(4TETmTOYKr?wf;L@wx!#*Ig~>4cVD|He!ES!ihRMf91Iug9 z<(`oPoREm8>No97Nwx~7)*U543@YV(@Fzd=0d4cwNA!EQ0!hxpYD#9WPC}U9^;BLyr@?hTx35K< zP6PHqkYnFB)vpkrvA-2jGKQ3Le;^y*l(j3f5H4yYWJ7S;+zQXds5Vv-e=H{?pwQv2RC~!eot)J6UA@X zxZiuyYUca$Ro=nqaWa}OY)nW4IiCj-7atdze6*@ZP-obDMynGZ7ss4>m zR1sv^0-KbXT>D5~`%U>T#1BnTOfbTZ0CIA`T&wUg6}^VZG(3iCdmgu=*<2IhOzyxT zZfcq-$Kpr=tLtn}GXAEtRg!xe`yH9YP%+-bw6J;Jsnksmf7R%Vb0v<`q+p@RK8Cs8 zH7IpfiZ=es^Z^Y8RgW4^@@7v9+Re`L>UT7LNfeu zThB7GDf4Zdq}tA-?ETc_0Mb+tV$|pdRsJtJ{0pD*aFs{B7C$_XKBXDj4UQA@THc;| z`&p&7VUE?Gw!BOzRwx6{!w}zfNz%oa3YjqlrftyT$555o&1n19XUq2zFxDN_12a#-NaZFzo=>kZ(L9V^;)>E1 z%=)Q3gzEl@AE}6Fuj4oK2%JG#;re(u-}w1qq)XD8GOU zGs!D1M3)9NH#nYc#`e@V+SgnTeN4C+n$}iFd{scL3)~tpRr$ERXnDnRFG-_Y`}U&$ z@;+HI1E#|9+D5E5A@wbbj(|5Pmh6!shU`g*fYWd^J{yW2=8oN1rY`E7JFf2HjC>)z 
z-~k>QM6^q-Z@jrE9?{7PSI?f5*auVY*Z2{o%Y+ME6a3whZTpPlG0{A4R}X^AL)cM2ccipU)mKC0uf z?^VU?ovtvw_Iww{(Y!9kfQ2{8a|BfiXV9-MRL#osBvLC+NwYxK+6_o&B>bm%nhX3T zSAX#YsdHQptVX`o*0T_2qZnH_j}jnI%1~WJ;q7iu9t-F z_`>?$O#Y$cqznNtN$~MG9ydRCT=w6ti_+WxF4u@%`ytc*t0x^U{0DFUA&LeGkd2Q6 z&Ex}a>7ZTYvMCVI8>ucNPN)^|OX`{*vRW(XiNuHcR_l{M)o63MTEY)fI>57&rZ7el z`+@h-4|DB7=+ih^pIuq(p;D62n#V>?`${rDDw)J(9W);Sd+L4a#eD=_{P;}l5T#rE zW67sX#TC!E{*8&4q9alF8H2_ZDWcPe<%u{lb4&&}V&U~%@YrgiQFI<)d$>0&t@Sb;(@&(Dr`wZuYC9sc9VjOycwy&oMUYt}mO?Df5ZKD=XDo7m}+J z_x6aoWZNX4f!G|MvWd7i6+l^%o-kH>3!eHDVM`5&gF%^Sp2QQ^oq5g49qWCDOor65 z-}N@YD;9G2u(!!+MJu1f;F4^U!Bf09O0hCVtxyP^E?xLG?!4yA7g|PKyaR9rIQU68 z6fFLlX^1iv%`S@N`|#8KO@phVq#u>MW9u=Ce~~4de5!;Kg#8jOY4WXS>o4KE^L9}O zE+oXED`UwY;n7F%RKMoxd5^%2c@+K!?;}|amav-}&ruFLi9RwV#`sdlB3Ed%p}HL| zs#{_4x@DO7J)$2gUKL!_no8KFo*S9cRNv9*fSOP;WCkP^8_>(e6 zdSTf1L-zjPL@x|&00Byd7KM++W{a{}yI3uGyfl&)>Fp@i#)R`;@kN|p`-!yG#yu7* zj1OPMP14B_I^vog=Lmv;lky(g7aAVl8*TrO7GFI&wHeyEiK~b!eN92z86@YAZ1X$6 z;E(nO=F{pvU^%SCrDxc;50Ts6RdG)Wwu60M-uhUWY<%fyyg|y%Fz=+EM>S9kDxUoS zFP^ZedzORxp26^^&ev!czY6`kY~KweFdMM?pLSQDK2ZfY(yKsQ1jte?fbsAs>YDH< zAv~>zAA-X~g>m)HFu=ywlUFu)l!?&URcE$K>dr}N%C1E!z(I}F<{YK>;mTVc;q3-Q z!rdF{smmNP7LwRGELQ=*zDNRELHi}wy&yD>@1Td9v$SeM7PWVtQ8L81N~$v5MZ{(r zAVE~ap6>5BzKs!TtW|ooC6YFiN`j?4H$A=NO?1Bl-LnldsKy)*56|?#&v%)u8rGrr z+aalGPmMcvfDi%-fbp>Hn?$eDKpfZmaB+6}59p#zRq72%GRZ-Ur8N#DaXN$Qd-;w4 zd#|go!O7WKe3zU_+3uTOiZJZ_*fu}{_C9hVmQr8B{gRBQe#T}WwaRzxg+a|{)5ZJ~ zwwp5y)@vj;yj9AU40X9nHe^-N56a=LZruIpPTiu{A{e0|QQ}VWi4elcE{dF>!YB+^ zXY%WNI35*GBG^{OvGlWL2-OfYlprSi#J@3g6#6tAg$Ni zhVh(Mq#0ZG6ieA|@1A4hq@GKH4a?u3xpj>XnV&2-OoAFd0{Px)wV+@1I9=*z7pE&X z!)0D}w!%H+radW&AdY|S>L+}Abq)&VOpkkm4zLPCAc0sic7vDkN3%oSklP2lmq^#; zq5gYtNP7#+A@@idQNNI=QT&-Ubtm0XAMTCR@O`dNgFVr95U8{sBceLTRoknJUJ8q? 
z*UNMaS+wJr_wW3oo56a3hlDHma4IGLqEPM-IBBk-Q9d~VNW8yr?Lduex6@a9GOAVEoE))A$dgd$9uS=M}VI=!YE z=Mt!x+F%ezF+7ZJ&?!k%poj3>_}U81)If~xL-spD3bsHpbPSBvguu#64Hkj9^w$Q+ zM##=A&H8u;1$gA-_5~vL?^O?jHjpF}Cy}mY+4Y;^aTN2WW4RT(>kG+IOuK2{1?9$w zA9NZd&M)ZOnXw(;zw)vATUOY)Mxg8@d%oeTv@;H!&)S;#dCmdg4RR=+Hs9R;EJ{&G zazz64WsD*5BEpLj#W15HX>@p}7#Bw&e+8{$z_6X0{)i)4zSOcNa)o zc0$lNnYoQ-y|tcYwLpqjZdNYj1u2%tkoKJ4Yz-=K!eKz^u{yr&*#Ct!Fx^8d$wkM& z(67N$0;{9pQx9#N)G0w>%VOYsZ)~$z&4`!2QD?KSPr|>Yy3}q>PA=Y>rwbAedx7qs zWp9c;^xgl2g9K#cZ?klbe&B!68IVT0hVwlZ{vI^Ls z(1u}6E5)r@+{w{a-cDyBX+T`=wW<^Q_Nt8h@+JMrG~$K5qX;5c6=U_Ic!sG~q;sTI037bkEvd>XO^9o+mu3(Qn??L)jhW_?sB# z+-G|@x;z&|&7e+Xn}q`Swwt}N5)8n;#wvV^&-MY|`hH_{<$9gRIJ(zn6O#4dm(6ng zXQ>wJ6|d&q#0J-U)53Dk7Kh89rj1ju{cyE9K17rf-{X!wE(z|OACP9hzhxAuJxNhU zzehfDHzZT0HyN3v7Zh869>;`HW&K0E{0%s7IUv}nj%}|LVE|h&faPHGCQWOZmH!c9 z0d!+#>Tm|l!RJ6G5i1$t7HH?5{}h$U{w^vz9ceDvlz~Zdr(15NQe1f>mRn?i%w68{ zIle_gc0M&~v|cjBZNKMO=V8R{lS5-v467uC=oCh3A=W;g2q@1`VEWj*ytUA#FYYEJ zX2J6oKcj+EBK|j){@&M=sExuir~>&>NYzRUV54<0;dU)wy9zx7 zQ5LtU3NDYQU5}R+^OWjQvEpUBw>oFLqRwaEjysXgWN!wA)QYO`A z7w}Dqs`gSFy?O;bND)tka*~>s|JFzOUb6U2B&az()x8*`Aj5te$AotT;AEBAGDlT}9vufq0SyK! 
zJ|(5Kk{1#&W21tSNsZ#|7RL9c-FxOg!9fY0{n1d2kERLBkNMP6aJvytvQ23J_P%0a zZEwFyza{T+)$psN|LNt0C0<)m6Kxu@bc``_3rk+o)FqkI!|l^BuR^vBFFJZwiVq5yi0UD6>sP&|28g@AF33*5@Ja@s`$I@Ulp>@wbR_hLq(bdIzAkxA6C(wnmOV#95Il-w-VV`(S<~&rA|7% z6h$!Di%ezWye&94m1F|q1~3{7q5hz^MR*H?y^KG(7MV4NI>p18E6NTnwoSTjd!aZ# z5E_Iwhnr~S$+kAow4scoY|((=KLG#L5%D3KwI67(t-BcCA7 znOM%UW0!X(v-JpqUdX$hetF4z=6T|}A1Vy1mc-4w-lk|(dF^CL{gewexZSqL4CB%> z_Y(fIy$NrvcJbVmHHtOT0iSA!*LT5xExfb1vm+OdxU=ac2?-VT0-|$pLbjbfFC093 zd_-2{mf2ns!eB9p6t?myGku6i95&KMZ$S!)U+l%O+ za4(7Qy1Z1frt{%`qf}IB{-93?WKk)fnYos`78Y1n$<<@^)%i`q zN7#Eb;gEGaP9;SrE!C{kf@lx_hJ*Pc4pskSI6$>2wQg=U8LH}3Od^aFznGSGK=}J@ z>VUZ5X8u%0BR|shl^o4a3Uxpa&Bw7bTBNN3M+=2K>MErjw#BU(cX@?J3&_2be2rLC zBm#~p!JxSRPV#6LH;R4=CCjHFp|f?0n6^yRsYe5z&594_v#cl7=%OZ{TBND-VW^W* zHj|y7Z+!8-GolSYt=yYIuHCS2t1x~DoFX+^W6$o-+D+;=JT$y&_-epGKdfEj8r?60 zC3tB+odD*?iJ=QC2EBandw<97>SUSVG0WYoY#tHKg6j2-W=~nBIakE_4MQ9S0s%tG zRz72xwWyZXS8@08;OLQM%sUxNODv%i?zDtbw1uWc|KMJv^mlge)`){!rYzqb86o` zk+&2C{lANNc~5U_Pik7FAIEa&DK}Rw7MVmBh*LuySgg*Ej%63csTM6*Y9)g}&CoCJ z0EvrZkF?y?nzSP7rcB$Bms*LNv?wdiBgQsci8{p%U8**vykLTPPEN&>L`Ae}_IqaJ z2VKxNOwh#)l70LPaD0O- zg;m1ye7m)3&Ck7@48>_5Fg&dqy;Iei==)|p9SxY+b%;8zs_R~OyR>qD`Klec-kb!NBx^Vhr+E*d7*-6$;J<{Y1P z=pxKW_PI@OB-{S5;Jm}2yFv$k^M;}Jpl!j$Xnueaot(abX!Rq+!;xxi=^Egb@ukcZ zAZEy7dz&BL@VtC?8OxrJTiU8|iANv(LT`f=sZu_Md1^jZ>$rWs=m<-Ip{5+)&Gyk8 z;r58B|Xh-3SK}EIXdBeqyDUbYKK1;;apXPkmw875HVpvKVB^PYE`R|JWgH1oD9f)Rhel&;`(~524CSf-GO2jyCpJxUv}HiV07T$3v$fgqGO~J|F>C z#{-K^qJUeU4BYiXT@1MBsuY6?=e|0*cMbZbKBVR29Ed-bMweoC{wv@T>BS~ux+nUk zr7Q+RD)M^_+|A#vue>-patAbE7X+j}sQ&VIZ2@qc?)C>T9%{12^Q#TWq#U*6(bc7M z+f0i0qo1(eqkM?iyD-gh`$SwH7t+QvlwUQkn;CEAbqX|8!@7w;1Sj!)a$&>=Ui&C) z6I_AN{q29Km+RnX#>qrF`e`$xe3Xi~Jyunm%53?#-S;g=!uLsw@WIKoJ?Y-`rl8Ow zjqbzOcq(;X+7_XVdVgiA_o>Q(lf=aPNPAP)qyp$9(Nej3bu9-AsAw4Rcg>O&z>4s( z0@ks37wWZCLN54n`=tp_U^?>mM)pegzXBS1r&jRgS0CWJ|g>y z+~q=*V!55j^5F#^-&a;|~H*~1>_HAMe4pRIjOXySP?4}3Bcrcu=&}W8<>Y$%LKCMS77{xYW 
zU@as5cXIXybuqB}zU&Q9x9H=)L5rNyZ4Cn)`_l`_*8b5shRrgN<>~KZkAwOu#n5Qw4mjwJ@PuETVkJzQ|*_>Xg;bB;Z3H9Fq9YS3iJbXP@u9aGBS?8?%% z4<~c$&KT1|PeELh;m0A>{O07SBBVF4Rhj7cH`oTf(xMQs4)}f<9%@&Rq7kAG5sJ_v z{xaY4{@wwU*&wLW1z=F7*If)8Q6XIoAne({hlzgLL+@7-@Rvj#!L7^;_(H)-N`n1! zbFpU~eGKhn;;z{iC6GhZh3mH=I7;qvmMF3{sZ1CD=RU+X{q2-VK>}DUxa_3JZ|O@C z5sB5d#Z^1a2rIj*%)O(d`BE_;Jg;`LKS4Yuj$jWa)@`H{?OyyzGtzDIG;;Bh2DBiE zCYW@>`0^`+(uXvgL9#`@B7eST(nom?_9!1FS2;-vDz>$m`MLlC1Pa1#jliE_)}A{t ze|%Z|qF_{ML!+%-L==d-O+j-k(fb)NftTWf!F~U{u3O>^as~ zph>HlPJhZYDa7^&cod#a_Z^!xTJ2}+;G9UVsj|2?C z9{wbBUjHWSD~2B9r322@ii%CA2wQTiMaRs<+@aVQ!|}f%a|#F1CiuTy3YR|Q&Lo;* zwt2BimIHC~KeV{7vk_=c8z+R^kG5x`JNsUog=X~iWHia_vMD`GrVD5*%^6LTfk+(r zro0n;I;PrMbXNBZoSzN;S;m~Pn!X z9`T(@efoGpV0BU5YQ@ZPI{l-keUR5(+r#3$_mCaG>qDq6sZv20RdZDjLi2qSV}iVJ z;@!%0XR3OsijmLfq;{o4#;Hb70Ky7Sl@9HEE>i+4vgxQByr#~H55ZtdldI9EZVC2U z1ISD5UKv9z@K7KI_$q<*1eLlG4;4ihv#YL$oi`m2ycltDa-8cp6p5@64SM(#KAGc` zetAxN)R-HY4P1CjrMB&g-R$0=U!T5A-1XC@@Xi3vE1I1z>Kl*;9Xk$WZTf=RzCH& z7`X(t!f1{4l&e8lMTlnBW3CdVEJWJr>nqULj+sw+WF%jwY1xYA zE7AYtb-! zZHHTb4qgw>!eJ%^^-N3WAw$T^(eo{EJA}cY(+JqF(a+f3<17^!L1*&?TYtYLU__*> zmt)DE;o7aU9j~xFil$M3B2bf(?z|Z0S_FN1$xAkNAsH5~T8;|&^*_9xo_4l*1E}5K zzAIn3A693F6QP9z$>)XK@a<$f?`3*>O)bv9JB&MI7)mc<7#U`%K;Kyi6`Z!dQ?Rm~ zTB`EDtd?>*{a2u_s|Mmy6sP>KA*A5M-OzRLoU5CL{E@!o-S;X8I)lZ8l6|tsbK#w; z;%a_04D|BJ9)xwd9>yc&HDi!mfU0!TC@T0xZwXNsSrCr1NzNJ`l*x?Z)5+nQ?joPilaTxIOAX!F!xxyY=!s+N4nt0_1KbMzAL2c4 zm*a7qkWAFv_cUc}Pu@cqQYK-};-PM%Gc@eK)lngT?_iG1eWw;fu?VOUf$Rs9r(wwKGxaK! 
z`mOn`k^_pbDoZjbMu^x3Sb(##Q@>yRVMvYG`S}(eQNITU47K98`T517f}pN5NnfNb z8a`nF7ADDAQkWNNnX*)?5m=O)oBJuxh9Ayko!xPZNr!!O{qR|;^3dSptj{9#n-X{J z)w6PrM$U6sQ=4tI8aj?}ZVWJ+4OdiYXeXYc^MURL_yd51P zfdz8!fxZFzLWC{&|NHRmK2`%{pd5YjIV4O!SZeOA@scGNx09J_UL8asbrNTaMRG z6cD};fC{aD=CPEt)Pi}Jt`m@)n;H&Ek-Mgq4V%kbJTt-z{P-^5>&9%uaYM638NwZBm-V({K^SFS** zD`ojpG5Ls=mb%N)Cz)1X72b`Y^+6=?;7Ov^?-ni>v=2%WCdoV`5yDVxHp95+^-`qK zq=omrgvyYQt8F^J;G51g6+V z1q?PmJOln}jOC9*2?b6Z$YQH*x>_V3(&;Jy8LjLXiu1-Kozi9bw)5QnPLe#xp?nku zRH$a=fAWSDF$#`pCQ{5&-3IcKNTlF%y&B=(BcO7CO%7GeA&HUjDbenVS27(41BiZ5$8 zILzJPbApKF@0qb~Jw4Lj^`ZobfmLds+qadv*4HVv7v*I`!`x=RdB-zxvSR`Y=lGGk zjpAT~WEwf^Ns<(l6D@3mp32-Y0@q^ZdXG)?1LU(J@o4`@ToD_yE!iB5IYliZBB=dY z`H2>^kZWALDgNRiAq-CzA^{NjXo(frtNY2EIXX1g!7rx;xYLuRO!B zz3{guPckS^q(DB~E}X#_MX@*Cx#d`n=qq$^aB!4^g9Ddl^J{zt!EUnu4LOXQNJd%9 zZrwTb>)@M+;%N_f@@#;0gtpt^94!Z|Y`;Ak^eP)CE2PLnX4lF=>c6Db`XC0JN(VkB zoA@?9rh^LI1#oh-SP^I)`?>Zb`z7m@|7P(^-}TA=n@0_au~R1R1}C2BLn%qC{?~HpkH}Q z*EY5&nR+_J9VrM(mq_JI`GTLTmC-w%n$3d=w3mZO6OJpPvyM&!DjZ+vyUEpwAjp`l%II$U|20IYqUV?O-2<0phSq zvDD@s$LRV&4t$Z!{+Ux6HgGHp8X@>AcyuX zhC&ewX3lP@f!hZz7O!Lr%Y`jTkD=>Mq+@I}teQN+i;6B{ZdF^o&*rCF$W~AcY~A)? 
z{iV*YQ6gN5D9bCKJz~5KT|WCl6fveeM6H*8rswOo(C4j3BeN(=vp%)Hk(H1WT<+W9 zgL-M@W_=Q>CRZ*%U5_;7s(#1N!*i|tnM+6Mou8A2x-W&UK|LgUBTKV1Gh3;ymr-DH+0&ndP% zIkX9&zP*p%VgHO<v)CLWr$NTAV(B5s90FTeem~0eal+dlvTBvJ1WKh((Rp}kk zxQ%*1mdWrd)9^VF!Hep=^4l+JGwly0=R>A|s=Ndg4!&A&{^zC-7?h8|v7`~E9qDVO zfP`puzz)Or?b@#-%2N0NOh6GoiBjM5@1ffv7E{JlBxp z51kq;O0S@`i5n#ak)SJp^jy@7sbTUqTwJbETI#)7SA%@l;V!E1Z4X*aAra%Tp7`)-rS8DB2t)>zK`I`7Q{Qs zysI9}Tx*npb=gg2bo4J@uYsM){xX{Np66$4)4v+TcSePQq<~AUnTl?9KP?dU;=CiU z^X0-sHz0!wsB5V-E{((A!TFrrQy(z5W<&(aI=YRP^9&(hwI+Oa7-x|X(_|Fgf7-U7 z60GD+8mi~{!TDr4ZuF4R=h^#Tp!$yv_$wVQ#XFZ@T-nQKX^+Ha1wFK=bpvf#pdAHP zC07fwfVqW{nxgCTTSUXfkAkO!YjkizOUN6jT>ANQ!rj*KQ!t9MyZRjw4-g>qv zPYr?LJ%EUAi4En}f~dqXA(ogdY1vB+YAzn9dB$`>@=+!Dq8l&+69sq$%YCvPb1|-Ip)HzwE(O?*E~h6n z`GMZMSyag6D8F5Q!K`H1k`0K%KOO=6;3w^yOC0Z)KC0<;*_1h=|NHwKP%v++Hz?3eG0nK{a(b3B z_hQaHsWp-YvR4Tmrqau}-l`AR6yRpTuH)|xExL#znZdHI-_w_MMVFQ*yZwgNiT#pw zyY{~`ubm2;ia74QssIb}B8FW7*D+b&IS2zkGS3jfszhgHW^qtprn7P-S1_i(|8SGQ z^sz-?+L_Sg`1&cDu=XQ|BI|Rb`~@ljGZu~9NKKe4HFIlpVJkWZcW{uniAm}1)X2jA zvG^%kyiFOkk{_}H_M)250P)N~hV%s(^x^gnV+?C`$P8yLRX%#5^Y{% zm?mH?mzBQ9aYkw+0!JTWx(W(|$RzLA)SpwnG8=K#J*${~m}iw`cMG3Ne;CLSpd|e5 zO0Qh{GD@sQL(fTMOwXqRlk{$fl^&r@m=;kqlRmZ4F~ts$(u;zZ_?>vp$`A&tW$O+| zKA6m6yFD6xOS9IUhYbth#d}bl-l_irH+3{zn`2@0M_Y!k887#WIHAqQeoQL4sAn(u zlLm`(YktVC`D>dQ_4cOq&}@DT?*2tJ-u(07|88~sW1{)L{vZG$GSRCB{}q=*KaF|PPwJ0d0P3PQC#E$D%(5-b5rEK_wXY`#boI845MTN%w~UmPe?ZIR>_UB0CswI3i9oQ#DS z`3JY6CAf;Rq|AITQYW`suAFtT)KD4HY3#~3l+);yPdU%6&+BVUCHeFf+loCNSpmdZUV2K|jS#IHETTi2t zgjB~>V)>+Q#yMW%x;){Vkz{{=yii(vmo1oIRbziFQkF8J^a!YXS6*^#Xt?+dxc+T{E{X-XEJknw6Nva)cmaY!a5 zu*pGHalbi{ZfkvTHDR|CQHA!73X6_V^Kd_*(qNWJya#t#ZI|}iy|xqns~WU2m$mtG ztmWo@A_}+RYMUCi#}jjbVK%*r0a@}Cba$}85s1XnvAZ{+chf0oh&`T@j2jqUKc~2o zI>hlvjqetalGCp3adW`9+vqUUZiN&SNEu+WO(JHx3XUBP3c?uKh6ByUKFGkCtO)P+ z#twJxCu+23o@4l3;xUiVNlUuP5MW11nQczAN2~svhpPJZs3MPIQ!+T8T>`Qh@W-V+ z2m*!;DjLn%^stQ($#8@c>RTlu2Q9fvQJ;-b2L1YzEpb8d+s&ce01xUDdSkVFWJW8$TFg-1p1i~ zwg4^gth$z?JH48E%6bVXc=|x@aZ?7CV 
zAKexz?hFgXw4rlYg7l%UY+btMV|rEbBrxtb0qiQZU~jF8nm42M*zxhH^&|OXK`}H8 z((K1D{nci*pHg6rj(FdDz5IqjGJx$q%tW$GDt>>cqVQQ9N#CH;e$nuov+BpKeZ4U zKCzi#g&%TJp@VZKknYoR_@KmE?bH(&y9JDdvXSWow9TXbFWjf}yLp23qfj`DfwWW$ zvs0b~4v;@Gf|PAK&@g^|kC9yjHrcV zoS}}!>s`JP`HJbAvpM7&+u4<$D3UVetOsMcV;qE zX4>}^r&N`aLiTK=Jj>_o3klk#?^E6HQN7;b?x>l;f)YM+j-rUs)T9v2MU08I{Q<5N23{T^$)*^0)l45 zWA*&i73Vq7VEMlmYh`agFL3W4V<|!3-tPxg5T07YKm2C5+H|k@qrIS64r)F&n6Cw4N^9ZTG$u zpkzk)t`VpscK#Hw*=%eGCj~w3K$ILIpGY|ZI5pBhZeledq@^;m$?!e{8>tb&duaJX^rfB3B591Buy_O)T4uoa5=Oh_)7jRFLW)seuRvDe{k)z;;3$qLNjILiJS}nkTvGZ!91u? z5)O(^;~kz-py#pfuU6VjmSZPLqUd?+qE@HDI?P1#1*R)tj|eo`*Xi@S{KbZo8fT~% zFlvq7qPP9_gDymn3;BNHpnd1i8pQnPY3LhKwy5l3kB9aBVB-2m0U`y8iZ=^CT^}n+ zuy%^$pZRn!_+@`8gu6&$A!w9X3zUsoJ8Vgo-F)^QDO}~_$~wnCnn?L7fwsdZevj0Q zoT~FlqHU}kMO`3!*|IFquIhR~1gySnODMTWDq}`$zZ_rpuV?^HCRCL0RJ1eEE08N! zMGUaHVTOnC2m>#(t_q;n8E?lymc<%ezuDSRTuYXQv|nXy>Fl;N7X8c=^PS;zZZ55Z zpQA%M6&p9|G>e9EVc3ahbNA|Cd&ht#}>^u zm&cP&zfJ?o>!#!TnQu2+rfY2v1sIGPD$RQkr+wkv+2I~?(f z&Bw5hYBzgXe+zwan(HHu__X;F#BE|=_xz1Qq3rnP=KE~w%~dqe6IIarsoFf8d&DR& zgAl5j{rA%31m2{4GRNNJ)n2+t_?_2#l+V6@zChbuzwY8?%eZoBHIqZhqAcQAmz8ov zT~$Yh(whQL$};UOg#QM}yB;6Vw7BdCONw=H5 zLB!$Znr@-qGF`oVLD`1Ks_>Zoxar`tfEX2$y~<*6A#(^T@}qX8Xl9WhLwApk^-DoDFSi^TIde6Q+gh(Vc%} z^#P=(x6|@_Lb8K({mxT$Kkc{#5)kQ8e=UPgF5#WN)|B3^o5Dt#nLG>FbyBx$_R{gL z*EdA`=3z2uFQki7g7

DFUDWYY~vIQX;J_6Bi~+(EY)sCm3P+;C z*>{r@d+#`wg=d6K9wi^}MF@W4 zIZVq$VUV-zc4e`3eX68sTlF^pS3Sv?YE~t|83nK&wl*aRlU3I}6?@_x&7>9r6V0WI z*t{|R%80H!O`z~YojEOrnRTL)G1>kORemLanF6#=z+t6|ir~Pji`sqN8vwz2z+-+Q zdumvUXXBT2jcmxEw5licFVhgnn1??jFMTOtPINCTuK!ay=f)uZh z+Y2Y2BM%yKzC^vZ7e%MwI2AauI9n~&!ws;-`M@oFP%^&q09#RK-abLj_UTfKPWY7# zs}{^=XgI=92~;W{SXW!SQ-pwo@zpSOD+98cSm}uyw@c=b=l*QpXNtfp%?9i&R26b^ z(7j9)S~y21oG8c>3OkG}5**s_6TAkDNF23ltjXNc(rhQwE#?_i6gXzsa3210_Gz9E z;kDYTQYb`~&~lab6yeIY-la?uEMCe&*}{x85uMiQj>n75bjBagPDp)Njqn1hD1Dz! zzF*9$BiZFTln7j3QGwecyqc}{w@-EuedSZaIDu>BNn+`$P*xNTh7Wk^lvyR5G#VE_ zM&JMaR0s|bPZ>?G^c#3mO;EEqp>wqLLvHQ}tnt|YtrMEDl35hK47V|Ge*OCw%l2T< z${tgF>~WYV>E-T*-|Logv^e4&0j>PQoqv} zhAgd&w;r)2PS54J^t9khnA10YA2FCW0bLzkY~E@`a$)&ebdzB`5XAk(s6O@0eUyPb zCV=c5gR0{?&+O)k*W$t!LZ8J~Ss_r1rwQ6mO-P`A-}R)ts5wT9V|efpPGtZZace_L zu$F%gW*{}w4AAaY2+S1nQ1;e zZ~za6(}0vL4W1Fk#LOhU5Yeg61FUTc=H|zIv2T1(uHU+{lL>g#`1$!aCx7W7*AA4< z^Of{|749rzVAAC>zj2`j4{+C~kq^?Zm1xv3V&=><;(mAit{1+iDTAkm1;_)0;#$E4 z-!1*o{J^i=l>DAB{`oX4$i=0Irp+;%*^Rg zpi``6Ejc-yG!E(IV9ujy<7;Zc<@UbfwHu31z6HYlRudAkUK zHS@`Gx?@*V&5Wd>WLAXetoZ(Li^Q4NR$wLA^E3Zpme>y3Oqf~HDNZGt?`>$PDa+T6 z$5pK_hJLMes3!~Z^GuZu0+mAU(ZHy4TnG6zM%C{(x z-y2ANkY8j+?-?(_F^nt0F`D7$s=pPM#ppDOkk~va=(JB-6*RfKrtiOkyM8~+4gux! 
zK6u;=I37HDFS~Y}`&*x0u5Jki9WE>G3d|SbiFlc0!IAC+@aT}W*U>)|k?x&0*H@%` z@o-$r1;N*T3d^gSZev<;EohuMMES%ok zP4S)H%kRo7i5AL03WzN`N~RJx%%DffoP>XS71}fYp#}H{HM@-pdOF(s=a=ZI!u^ex zM*zszk;G5MD`%OQ4dLu_4>4lW7)76eXT+c@GXF)N8^18{M`rdpSoO)r>D}yt4y@^s z3Z{6Gh8yeEJLan$_cCH7omKEoohL#58~swS14;Mx3XbrI5ZjI}%eygK$Z&3i7qsuP zz85;!I!#%z104&&imMtL**Rr_qz|lJ_!3{;=?yz`Isdam*e#j`n|+OYcpD~{YTmb* zu6lcd?t+LqSdecXclXyz=jmFV<}))0kQ0~k9;{vA}N%WpZ zY00vVFaA~xGrU73E(t+T2h2?jyfoSw#h17qr=@~IeS8;-$v6Fq9^<@CzVn^DVzIE^ z{Dme)L|KY2OI7D>jAUvBbH+R?BBpz+Z?kb3E}MZ0uham>X)1&^cIxif=O*=yZoeLA z)A0xk6NUA68TF+5$jv`-hEG&w23>itXV#D3j;Au?<>l zQ@+Hd3HLP6vvWP*7#n@7)yVg5BTLJHWq$-B#McK*;2mMOeEz_qLw5Oy=WRa`!g-$& zGwk;~jAL){M%!5z7-M*EjCy73i+gYLDL<7x#b?DpA0hQsGA@BllnL~)7K@Z zNkE--HH<@0gi~-jQ3Hq?XF$?LgVNSo$y8ui54kMh!y~2!Jbr7xI?*4B7t9GR!|zrY zdpK{pXsg<4;T4IW0{9OF$y7pN!+sS!s`YL+1Yrz5t~p%Hxo;u9r>-?dzu(9}xOf?S z;XIC5p&vMCBF)eYdD*hG+?QnpRKaK)?E)mS(UwNR+>(TzsGyIow zrNC}hPz-1brZE{4^?7qsyqeP@V9Tp@y(B8wf7~ld*e?62_#u_Y+GdAzX%Gm9>(eXb zMq@lwExa^0;%7jfO0@n&Q><{ZIB~|#5Pm!01PD9!5n?gfz;f9f^w)Ws#bwZ`WL#xQ zb~|#dd}An+Lo?)=jSqkSNdJ7|8f^^*`4|cX=!zC=Al%k;yf*m1)dN!B;_9J7J3exY zb+P3ln3QL_wfdjRUv=ucnl%H2?c2FKo6023Av8*zS1Bn?$fqMERTv4#b#u7}zY4_i ztPm2|36zRDBYs2{3K!e~BGc(**GV^{@<%2+ zt9O?R{*F_ZrFh-5`FT0d*^nlv{ELWlRv;Z0k63;OX4f}i{&bWF^CK^I=d_~dY>Ru> zXy9;DQO!WZV@C6h)9s5T?t1sm2+I8Orvq75f=LcG1xHT1&kUT318Dm>?*tXT()YTx zp10m#L;5t$d87P7)^WbM^H`6~(!r8VU3&IEl8e5^T-}k+_l^C}0O@rMm;JEB zy~41q)Aw>;5b)Djn$^g`Nv9$OVVzZNcR}YYaIp6yxwn=00V4Mmh{Jj6wwhN z!e=%Nj_G39!+iHVw+2_v2wR;u@=JmmB@n>X>U0wQa0w8-tl04R%c4@4(3zt1b?zwT z0soSWYEZTGvq@z58XGkHM)G00`287sQUe+ZXVxQXvUFfAQ`aLA;*8Jgtvgj9x(kl5 z=!WYbJ(?~@-H-Pu+JN^<@w@@zc-z_V1xU9dE_wBGoMpIEPje6eZ;V~Bq2dOAaEmfDpYFjU%mY#>0N zwP4hMx34%x;)s+COrd5vJeV%D@hqn2n~r+Dwpoz2p1tG4z&k!6`2RCeH+>TJ=O3G;8xuf_?+kS@h1rj^O5( zY4%W07kBwf3}0EDE=k2&a@N}Q0h!xnvoP~>8bk1BDem;z$uq-Ycx6DCbo_{5dIZMFKTO0M-B=H6p~F2wzr#g^@8(Sas7usz zWCycAF>m2?rBO96FPp^l3z|hOAFZTv27MD@$-o7M7ci>7bHb*}>Eu62=3FX|A{>R(*Syw 
zmgma+m!NKzF4j~#fb$%yQU0=P5x}zQT@f&6cXdK!FtMvTI6BTtOBpnmG@k?l>!&<= zII6J6`Q7#*R>_rI%u)*u(?l?eK$vzN6X!5wPX>bpzFx%w(LO35?KF5-=QM_ieHhTs za8N2i5(-by?{LF1R?-_nFnH-+&fgAE+UKLbd1{M28FoY;TlzEU zEUpT2FOtA%_T$5kkDhszN^dF@mL9@3^$+7es9FH*=!l3$w)G|4B7BqS*9q=Op(qI> z_-tN1<86AE66gbA+p6r@ti77uoW9XIZN5R~eQADo>5~Eh(`Bxvup*(koAAF|-X&M4 zqL{4?V`x(}8$$L%p0mVs{}_Z2;kHY#W(vcBPv~Gc(c^H|Wp4y9sRjEHE=S=p+t}Ss z172RNwp+J;7!-REUQHX^VYQv>dLu1fH`0r^O=JmqAW`sKF6KkpnyOMk0#{R=bOe5{5=y4a$juk2 z8_-d6e$YYljN_c*53`f6TZ0A0d&L;|^qw{Q0TSl^p*m=+n`{#)pXp<5O<_^zJofmN zAEPM#F!(Mno{hvR&ribGE@%W+s?h|fbBs|@GwVmCmeAjU^T-J=K18QjwbQk*24}7V z`ZrOel=*CV{N1Wodw@zh&+ER9x(7s({9DI|Bx|75cT9{YE$zzky8D zQrYdfSyeWeEPtP&s_QwQVOZ691z1yGU`IJ^{zrTzYMDB}kmKzbYum+(d~_bOR#8by zp7T^;5bmgoGkJ0dfskddcE}7cz2AYH$n!mCn(U-&frJ9~74$)Apa3QmFLan?q!M~Q zj|ANFn-_q`L8@dph$p{k_@av=lbAZVMMMpx*rcBFfncKb8c~aDN=3m__$@U{~C=LNf_P!qv4QMFF>y(!okJa{!50IUl)Nf zNx=6cwdj|cc~eI#9E=6{HY8fbfJ>U~uLoCy#)0u;>b|#(e=I@h1SO^&Y7{=h4@9}s zb`(PfZZAjt``$`A+l?U0E2#v+Rsj$c!CKk@o?}fF2%YKrNsHS zkBGQ#n_iS}>muEB1-8>E2krh5d>ABiN5BVh3OX#z_cpYCxypZ$?v}DpD*qOdo33KOx|I#qvaAv z_Vv&V@SiPg#i!5<2RWi*!*XhM8}xAqS{xbk!>L>#0j?Dmg{T#lM5tS+ekENdTvM`3 zpV>feVx~%Mjap8F2DV~$$=}((D*L#WClV*v(3(}zz_P=iAu38oO}nm6V#Uqe_uYW-ft1@5Q=AEseNEv_k6kfvi(kO=3~mfHgFoivq-#wQyR-Atg(Kw{bb%qBA)a8D@%YPD@w%I-x5Do_ zU(6G~c(^vyT^PEAh6DR%_1jXP#@vjVf8( zp4Kt5`EeeoWCv(lrpKJY`+ozxFY(kVL~d*n#?R}D6wS&r-w8*0S;mc~bD6C?Y0OnT zDa^r|i@0yX@93e-De4)BLn`lzdp))SHpDfv@Nr=J)V`TedV1hRDm$<%QDkJ3~AcK~XTUXPxdMAp&}PmLHs29Q0o6 z%C)aP&b=U9FddA=ieKOgb= zc8|epDU7@)Qc$B*@?D6^M6yM~M^VvLzalXCoOiYNu@a}%jMQQg?mk_rFlmeM?aAN5 z!@(?;w!uWUu9(|d6ubzaDAw6HbT42oCh)e>{*Z#mzsn6yd-WZFM+1HI*(+gZq<&WX zJ6%to@a8@k#pC3wZ}3D1Vwb};>A}z~x@a?lCxbxz^3ScET~#Z9L#gt;eV>)?D;Nn#&5DC!7ks5*qU4#nuD!g$joeMc2B8hXzUN6b03jHsYH&4DOU(G=T z(~G@XCQZXjM$Lzw8MxBGI9nSuDDmG8gmgPYRwc=f z%I4ejg0eC?h-Kb6=(=pPg@>Fnk~Dr8Qd$R4V-_1z{T@u72SiMu%$5#5uPgrS!Hz<^ zV3$TOdvpSzzQ;(?MLUJr;}h%oxb1PZfNmf~>dJ_}3lSZ?j4TZ%evhaM8yL}Z@3wO# zg9k&iCkFl!1&=+kosl8-`Au3)p_+xiEMWn-cq;8z8m#$6XRl8mEYnSs6fOxMsWyPu 
zep^nkP}+M@l+B3n^K?B}V5d+qSue~=WF(QIwn7MezC|JPLN4gEnCybkALeJ=VQy@a z54?B59{-u*?Df7Kj(a8Lx1A6ahINesMGJr*+FfzKZ|PjcJLRV2%s@ll;4obkw1yW< zc^Y1F(#KzR+fnPQ#JP~IdUHO~o)eVWGWsHOm`F}l{6ZKnr1}D_lN!-R2IWKs*U)x> zdp##O9+h}`Sg>4AvMg$bpE|*^?k<2i8-_pv>&Rt~D@uDRwpD?6Wm-ktqEv#<#~9}T z!8YhfafvhcFz6f2jeWpgE!>w-DRe?g+fuEyu0 zl_U{ZciLi3AyoBvw%qC`7G=UC$xQLr>k$XGn9~JFj4e0;fqV6qzenxC-ZnQ+aH;&Z zJa~zg8NC#UWZ4W%dxLBS3{ z7}OQC@nIq~n_#$_x$D~!cLCds+hwq&)JK#8#iAh_n|(|Yu`#ELfmJzrA8=tWs)Z{ zLb69b6|Mbo{=IW_tvfZeu1gqsJpsPpXWeGd>j1@hj;ijv?bQnjXMB!Xc==OsLz|g-wFpo z$fHH^Ke+-fOgim|>eiX3A-G(JGG|SP)yoxY3Fb4Jz#l#N&|fFvZ7fW)J6I!>VysGv zC&%y=1h1%_c4|Hh=vqsb%sFYez%8q%xObk2u{7YOuLoElZG`*U+@9Ygi}_3AkmR(> zTAUSHI*b5!6%CitYE?Bv8y;2gUwV^TMsm4|7Qd2q2WstQwkJ2(9W7Sy3;P_hL6+;= zuqw7CsdFt-?oBp$J`@qz)x{Ns5gbPy=cU~kHHykX8Um!^}lJ}SFj=U}W* zYwT4iiwljFnz*baK*7B)0rQgqPW=+lW0;9H{$EaDNmx@aQ;xax5zBrVT{&OR)^NkO zEHz(q@3*(`rdJWWgQLS0m3}?0IR;a#T-mgdS%Odlay>`Z>+yvP+aC6v|KBdLoeD0f zA*7P4U95TEH?kl=-gy-!^JY~XKwKJwUx#GtqpX?36BaLQJ$yaAm!tseTJVuyMy zl8P`{Co&ZE_Ua0e-EnqSNVN#1)HI4N^?9}FTxH# zB!%IdjFuJPsj@{m*lf<5Re=xFTX#8({>JOnF*htr06;@bp|D7{s&9g9;UxcSdhmGHKFt+-Zx|J{%UZ6-X37<(SOO#a-3m_-3bFCMWif z6*OmOL5=cHW}Aa<1ZL!h!w2-I{1Q{U>8ccI&V~2oR2%>51RCxQB~K9~2k;%)5Wl_- zJJVo927yfn{d%Oi{SAK%)`aIU92Out~8kavu6ZF|tOQ1Kx6$ z{e*SZdI!EN9LPpUe8F7Ep9C%%F-AcxU$(hfg_7QFck#1#WV50rS-+AMXniM!&Jj|E z6ePC2EI0X=V0uh4yHE!gbLKw$y^r;7WvL{8>csq=3H*pcU94_WLoH%2Q8@NCn~n{` zTi!e2OeGVPMX}LfGF9HaRHLKnjG?V}q!9E#d`f#M*Q{;(*!==}*IR&LEMtvsFs9z-G-FKxU3bAP9T}9yUP#;xwZPBiV$^2IZOj z`T7MoZN|?fZZq6gFARfkv|+^0{WZO1Is#DuSX5`4RKx{^)%M8uSARG5@owX7R9z;7 z&~oXYg@fnqNtwJF)*A5bf}rs^s~iuH&lQFqWK zc~8h9@U-5FZRTl>pQ|l5x7c?6WC!!Ura&fSW6CvYIeEX8S5bhdlG{32+{+&iuHAF( zSXJPoRWUdD{m~3O_9{ z&5%FYWy8=q4VQ<}h8JGR7^?u_apGw;4V0ipzVAI!Im-yaqg0Zq5ddd?*YnoXbn+14 zv@=^jdTpCSmmz~j;~Wx`4J5NX^0HjGXFPt~)!Ht=hM(?Z8v4&E7u>2>lN~ogJWt6B zwRncV8IV7xdtVcQfghq=i-JH+}+l8`P@N76{-jHY_r7pFf*K zn-qVjL2*0a&k9n&Pac-W>b-;AzN|$@bCyFb^`8`>30<;~VI%&+F)lp`&6JBDXs|z&x~W 
zyzZ0Peyd1dZg7)Ra*>Sz2kJJx?nmJNX_2*tTPINt#|%`6(9WRgMTF{XS;}tOZFHe? z=4vQ0sDcJ%vTU_EqNcxA0a|~0bQ5uf7wBNaFQ420tuJ#dyzvC zY^7v$XgD#YH{`ceHCVRYAmMvMz;G&Vv3X2P3-mlRz;j4*v)dLH2MHnIGA;Ju_la?_ zSrBD}VL2?|S365AD$pB48B)cx+!h)rzUnh#fx>I(a*2#)@Nc?;Su5)+the~a;f-Yq zji)h?mq@40Hl*}dUyUV^tJQxxl|-EmDHqG#4ZEVd&_gHOBLj@mEYD&Hi%r%sP@uB_ zM+1wYKPUhH^%V$Ch2w*heW8Zyo+dh`0(znw82bR5@y+0KYCr>Tg=yD~@U7P3(P?jl zTIB8e0vMlh0E2^?xWd|!II#jLXVDA>Hgg8JWmcal7LWWMA)!Ogf2OyBNfjmwEe7;urhH2GXl44S0OU>7Bj+tMVq~_A~ zx9sfn$?idgxM?EQlY3%-+-VvjSD@MDdI!xOYzhiMZHydpSlQtQnV&2lE#$Tbq%IAq zPZ|asU*70Kv|b9t8@YZCL72bXKLN041t>SG;7|sfXw?lpn7h;Jf!hHz0%*sFw=qU% z83?6K0vf;;Al<8AeZytY`tskVV`)?F*cEn_ozQoVupRWB=*1Ozhy_8M$iA0u6>gLG zKtFixhqO^cq5p`SfZ42_*RDu6FPUSD<=@9O=swAQfv>uqE;W;xTu`S^q8(s%xwKGi zUN<(_pzLt_ec&1V)(k0gdwpb(q=CB^=PSa+t_89-BoWUk~~cQnh^ zzpb$1@K>Q7Dw2cP0^@}!XVbm5=c-b?f1Tm{Ixfu#9|w*2?OtUd3#|IaFaqzhN=ZHr zaAdPdVw(UOXDk5&=Kw1-DkY(}{X^Jv;x%o-Z5`k&%nKP@Gb$zFx@8*pw>xdkwY_Q0FxlQ1M zvshr+{*I~+mr0e=*K{Tqm=_|Zlt@$L6V0NULn6sgS^QPH=R$AFsfk1ogS8@MLZ&dK zneQvszpz#Dq|)*Hi#irAcWBjbvVlPl_LkZRanRsTyeL?NBU9>y^M1h>?YtB3JyT1x z08$UFnpX)FOkZBgHf>L=f%-GbfX0IZb$MBbLpg#qEudA99+9aL2|B&^YoYIXl8dl=AI{PWRqKP~BW_;IKir2ZW;$Aq3wF^}Oja$IMI8UFZMQ za}N=ikW5Lo>`6zgTA?FeEibox*;LQG51I|2T463U=RDmVJ{B`C;j>3 zTd(pQj>c3dl_NNBv^4p&z*(-Pze;C}jpWZhLn+z((OyqAo+ejrlG2*E-Qx^-X-{gP z?srNF&85^EASnRUGPxzvb(>9YI{#aZdK)iS9xQ(lhR0njzy(J%4er3IOcs4Uc#!Id z9vbn(KDswHl&9Ss+F>3`U@FTeBveAu-Ehl#shlR2CS?V8>$ms9tT3pT-}_uHuGTl& zOQ!60C;r|v8~$uL>DElKA+M4p?`A8XOe`2V}sPEcJR(70d(ua~lLGzJS) zhr^$#pof!=khPAE(U(JJ$aT7HI%5Vg@duO2YD{Ro2UBA?qOJ(A z1O{ZHW$1xVXK(<_p^95BU&se7RRX+Ai|w9|eSTmV3ad9pF^1o1NG_a-M_ zmNb?Xh%|*w>boOkje$9NeO-;mj!bPOOY|qPD-e&p*>Nx3tT^A>IINTPKQjP|e@>`7 z$YM~dh%tzi=@UC-DaY$bI|zRE{H$lYU=a<3b;=ux%!A7M5SlM^vh#!##1(6N2tur? 
z<2qh|J71Fw+%kDi5Gkh|~ALthq z{9@!@hZ;tsyW!`U1#w(TK5Ow_paGAEVo9uwkO6|MeUmV-08Y3iOACTFvqG$_$5uRb zhPluz3OLJRDS|VLbDL)WvZq!9M5-_ZsYnlrOB`|U_J2m$ z1~)z^e>wew^TKD?1tO?Xx#AWy-dI15N&6*MO5aO!b7H@ zTtAY_rXyNZF*c$Yfjij=vVZTWEu7$WYxW^pL~s!MFR%@~KoailK9x91(UC)TOTOWp z)u4*bm4hN_+2r3;QY?07zndPV9N0NiH62N4Jroq<3okII@l;xA9(4Mrtdb9Knh?mV zS|)pjc}kV86}Nc>h|t!7r_Ig_(n|)?*O`Uq=J`*F0E(drXG}T}J2_nxaIy%zka`rd z6?V$NwTF{|gPJ(FoDe)ns1%K=b=meENz5}Ax$JDbNY>&jjXMAYB#0~?Lo)H7EIxYz z@Hwf7ecm_3MizKhMA$IC$UR{q6{Jq-&B$i{DrLSw5BjnsALw zLYs4OXqdB5z6Q-({W#I#LCici0xhqz?-<~8cSM^;_##tl6eYyVV?Wnbu^fnTp9OV( z)nnoh!g(o;y;UEVZv}vuPI6kp@mScZ_iG1n=qyO*0zVN)K9}WY+1ttgWfRV@`3Hc< zo%;`LRZe8iHV(GKPW-Kyc^^V-h_q{v+<0w#X>1<>L9s2hW*&ey0^a1O^Mq66Sntc! zQ>uum)MNvmgL(GN6z8_)emtU8S2nquMt{&D5fY7Vn7v;5wE-TzH%nS9*FcX%!6}u_&N-Y**n|h&->nUS*E44<91F5`R|O4<4lu)B$glMS{iP@MUOeKzfB#z_jS_wE? zl=Z>s```Ak^MF>zW2EV~ip{O$WcV1v#V>*|fbHG04j)bt2SL%b8GA*M?a8wlOSo=v zyiZQ|?b>{I0Lg`uL{$g-WD))0%@s=&llMQ6QT&YE6`Z|0Y$_RqEUE%ktA7W0ApPgx zz#sD=$#9fWAxLtq{}OCglI}nXAn3;r0%8Sa98+$EFX*UiYj=e%iGp{=@0G z%dlB|tBhTP%8i05xtlO4P!pkA98Y+ifW4Q4-Eb6m;$Us5!j9Rt;xrnLw34c^dtj~$ z!}dRB<+3%*qC<8!G{F9^g24o*%p>jd9UGHm5BQUA+D7PuGNk?il7J_~UvMIdpV=Ne z4YDv&VXeTQ>L_+pzfqI3dF*%l;z+{L{+2zH_2=LqWo<$!Sw;E%48h`U@6YA+Bg*cl zlFp#^W{A*o8#2Q%>F2}J;M^q($*|WJ=FPy<+!UZ@#3m+@iM%0lxG)=ijdQx-^+AH` zq(TCpsmiuf*GwAJjzd;0h5Gl4u%8%4Nku<@uH|XJ{lIY@J%8AF6*D zK7F@~OW(^L2jBIq{PO<1$-WxMGZj&)CPbsG!`q>t3I;KW-% zN7Q)$MonS-w%^tnhsDtj$>|9rzswF@<#usuu;{cAnSYotZ&fbW)U2MAkc?S2Xm<%T zdhWCskI608Q2Mlxqw^k8_{T|g0|N}7<2~oJ6jTB{7O)(4RjSue5xj`~WQ8+pRkK5+t*54d4nBFxo~UCR3h0 z%EBQ?XZ&UR1Ml27|J2B=_y@9ypu?otD|X{C=J{+X{JO6XlQ>6B{4mE0(NBHGdIUW$ zU6r>seUnqNo(anVuC+S5qTmT+^G=J>d+o{Gi85vk%-$du9SJzR@IRwA``aj(+eNBPfz*+juS^yleY*yU}j#mL+%3u&Y7F zu19_Ws5U{811xr9J>JJAR<)IfttxnJT^d_*&B-a&5p8pIdD?+`>XQCcA;rhpKHMZ zdF8CY+pLgBHk@26%FD-jO}4hsZLkB4Fd2o?%Pj{y%T_SRBaN`!i*H}m&+GC1+iwMz zZJj5cgyfM-vD*`@yJwdRWCM500_kxx?Z#B00R8U0w;5BR4+*t)q9FEl>Of*Fo}l+} z{}>Bz+r_zka^*iKc0--vQYFF2-gh(Kz44Jmi^oNTO@+k{uQT=kvu{M~ce}KI@Hdxo 
zP!2&s;8-~Dy71@q9cHd`WG?z;vRI;1biDs4>jC=S@JFyg#GQt&2zJ57wX9YF{w_c7 z$bNB!N<=yhTyFxuS_Uz^qcGP>0!0X=0d)NQL6v)j2eH8)w^T+);ddlX-Q;*nFTmBn3kFpZ-k3B%U;t$d41KT0Hb8rrk6 za5kmGr^E*Jxae};(BI-w8#3Sw($Y{p^stANc)!n@;iaWSo@1zvokWO7kYLq_UH9tN z^Uof^k|?_AHL%QR3(n25oM-`)gy2|Xk;rHcRI0aFj^%BCc1?h;)@JX;M)1kADmvbK zd5s+1>!D`l+*{1FNI)6nU`8aCi!XML;Q;r+)UlpyqeG%3rjeN=u%1{0y{hrvURhos z^0bJRfvc^ViKNls4FSZ)-kJ6wDGnn+Q`<{+gp1Q+Y#zHt0=csHL=>zpfE5N*vF%SN zc+77*fHpuRg85H>_%0DlxPI)D9lZ#*KwIwck6JD%8W6u`=i1Xlyc*h)iqeSt;y=`p z=oT)%g{0_~aBU(pXUhX&?@j8u#WEM(j@C*Dalw4($7T&iWmjFgKo*~0!-&8fC^BUL zgd+?F!%3KezW*yfCcgjuwA~)R?x7)c-vrKYpm6O$M!HaK;aRPuKfYN_BLB4qmPs(r zMe|j^9UV9j{p=x{PNbDv*9r}cs9>Ne`aYP20x=znHUJEP9r7gRNL38<&T7*9#)$ zN4GD0tOigQqy<|gVxq7Yj}F2R7jhJ>2ic=kRu!pV>hW;r(+(P!2RN++m5;GeC>EXm z=#mmGkRJ_Ni>FTOx2SM{#Vs1MI~ukh@0PFNw7lqOXPd*|N~#kjjkPna8!L3*h=I;& zp-LO2WTa2zIedxQ8VY0nj3xB1r48T|hG;oTn8`YVT^XQszFgy2*Z35jw<=N#hnC>d zU5#ca+ifn3bDkY^vLpJmua&<2a|Fglc!mL>+vvOA?&?yd=Z@i^D^IdGiHWD1?a)1+ zevb`6q`|eo#B&8mCMK)KouTC!gaUGxFkEmp}{1JhLYo?TDDx7lM3|U1)Q}%b@mtSZPy=(D7fM6VI#E5i)d#2xl;VN+OSEO8d?m zPBLVI-a98Lc-gtGgnpWC6;F*X2EInTX?)s!KXlp^Bq%(53o&$suhRb>D8gdFCaQnG zBE(|qEST4sd7q1=6*3d}2cr!{a*H>$UOh55E=9a*hz;T=FjY1#kc0w>9eMR{edA=4 zK~X))Ms~TM9b?l`5oHo{yodHfe1tbnxIb^Li z8R*d=SCFv30AODE=EdpBavZ~wFc>s6aU&22Za&YiDvv2#q8hcjyF9R27w!?xkbV!l z6&6MQ*UTto{u}Z-|Gl8gDf? zI|qz7ch{=m);MYd)h#+N&Oq%_soW#y%~HO89_sX!ey|Ncu(c#@iL`m)Sg1r(kwW

;!Xdv}l_0e&AieTY(CsoXAnopk%^0--Ta07az6ywo-ykug}>ohBn@Il*0AmBU&up z--X|01IiRd$<86NAZ0}gg+Z?S_ut=utck&&`8}bdU~C5qCh%!%SAHkQ6H&x<9g9f~ zebjATy+4^7;V#E%>s{LbgzI}Qed(q9rhacKC5YwJ@^^Z#hW4H&(VZ`e?0;GU7JW+J@Lj8+o~NTu&}pAaCafa zYFb?`Lx1OJ*kK@6Rf>qd-Jeb9XYsr~*wAjS(>|9iclSj!!o~=AN9rxQ?0&~}+ehsQ znqC^bF3||{@5!r{%SfVba;1hN>Fg~S=6T`6!R{cjsg5LPp4{)DLVeRMLXVdr7f(uiFyu_O)N%RVcGxeYf^RPRcQM9WqnrewHPt+)o%{77L>X z^!T3dFO+CbrG}a>2Ql@T<)v<9)=rO&_D`XXtRjdw*jUgN5A~<^I~x_4lk|J;)g8e| z*7XGYO9=>ci{Cqg_->sY5JzZDctmZ2cT-&qHmK>vqx}n!?ll z3Q8~cWL;Ha#ti^$0sFbLE9|bxie_mKgl(AdR6Aj06vm?(%yy+yHU%Pv<~D9kfA!I} zMIS%h6vSx;2$~9@o4$qzYw1MP=ke~AkTVI|;c}@F_4r)mpzGoyuD8pBr}#RMlbN6R z6W^)@)<0I{<)Ha$CAkM3lGgzT(l=m|gP|fj;JaMuHAjlluw8K@dCU0*9Uy3khHNO7 z+c#&XMh#~@k938@oXCdQT&{g_P%=Y4`h!uDxHZyVeQytp`DkDn${AZu(YLT5y&?3< z8f^unY^^wL$9*jBSPPzhWgS|KSsFQoODk&?i)tttFj*&t>@%$F!+5xbJA#c3nr&=g z$u&+@>0RIbSgfeHfNa5Gxn=b&aF1Tsg?h1#n5xS28YgYs6D(4i%vK*rAGCTk!O@Po zOwf|Jh#?k)cXd!}DiqGls29Yy*95uT;qXRW--X+&Be)ss-sI--y5;wR@s8{CN(FsA z6Wp!o`SBWRggR@r^YrJ~MQMS)qe?6zPLLHTW}K3MmM>18A{Q5T~*kx)~%*`$N3%B7-DX;lW7r1xYnt z^%g0BB@B*|kRPme(llA-wL|qqMba&vB$A|No@&0V!oy<=K>pSunvHo~(hFkkdcHb5 zg0cWhQ_?CDRzkh&4|qCyM5XL?q^|dzCE1EGv>-m*@m5bB;SFTtLIrF+KgOUEGlggO z=#WDNoTi>I*Sj6fF^T9;L^PbM=)HnGZWQ-ouSl=E&fG%J@Y9m=upU5(UCS3MPZ5Xx zdHMu;6r`Sya48MSb3~6p1G!w@)fG08z?ZU6Jl=I#tU%T3L)HR%}MfkyjznW?ytENAX0L^2qpmN4t!=`cS20jJ`RX06-qiQ)b z0Rr+6A;?Ny@{r1%UTL7oAMZO(SlTqNWizuS$B!u z(seqe!S*G{1Udw1Zq?7d&OY0hst$vXWOAl*fwal*hp_3#7}P(E6|Z1VS?j`T%&n;c zsK&J>`Z}v%(&ldoed<43CGR-51*z_3R~Hh^Ic6Pu0j?AUz4)%x5RNf~wg%kYZo5JU zN4JQ1lf`4as1eBHBk!$>^GtrLb7l%> z76vTbm3Pqt?_+VWG$$Z)P;^%pE;%myA~l2MOr@PxoQI)UT`hEXH-H~{yPGb9#}VHd z9h%-%3QtQUPqh=7UHq?K`0UyhdHO4hE9k+yKhE2#eAkXnN2d=z-0XjoJ%JQ{%YG-) z2n1UG-JsdtRb(G(1}?Aud=5K8fV=w^3#6>@OQULP$7(^uMkM2}>-_a{{_`X79r$gPB3~DG!vk6oc?cJOW`BWE%%Z4q zuPZ>Ur59{~)&iu)CUAj5b&^Wnxtrg-?=2Ot%D9jaL}3J^U03h3&UHbp#NLM--udlg z|8lke@$t?w3YX;0^EISF8YQAR1Xn|9<#)jrkCmtC61(xYlL@z|tJPsrPKINF>4D%R zk>2{ed0t~9p~29RMJM2*`R~f`|9F#o*F@+tY;rkhp1|z7SCbtLc1F-Zwq`i)J2MKx 
zAn%~X5@8+VeEdFJ;d)FmKa445jAQ*BHaV@R0=~dw=`nWsYWqThqcxCqy)PeI@!f_= z9qs+U-qK9zA^UFN0bDj*3L$BS>#j(4Ts_L|vR=4{?;Poam~7B$HiAucw9*n)-Is~E z#0xr0uk>|U3*Nz?7sbd53j6zXg@htY;zi|4zw|;NkOFsl3Pbh5X*jv zXvraTzgC}tbjx?BPg){v!XnsZ;ct`t3x@vlTn2Do*!#uyYEyPDqtk5!ZH5G`^qR+vO5KQzbVnPN&f`Ju4W+;d6c;kcQ?FEu?@ zE~0;%>wntUpJu=Dj`;CoLngD^&-#&gU=(|-1Iv!c8z>U6$tHvF{nh) z66jWF2eniBaY4+CQAxGN$2Sj@h5wW*Ki{fUTOF*82N{LeSP!(;p4A)J2u*H z5FM2)cph387h*$CgxTG9UwXMv-Pt^}1=JDK(fz29m1%SaXN@2!?e$WQW!|dlbak}? z7rjCF(n7^$GoKP@HQ4=WmCfDC`k?>SuKj*7`;kNFv|p~yhF_1#O~FR9u0W)j7Aw9} zp}Ngc!hJ*ffsM|%82rOiTMvmA^1!R;#-Sw)YhjnUY+L~R|(=%aou@c zH^tJ23s2WJMvVqe&_$)iF?oZGooNthb-LO|_vMhs6bYP_W|LQqQDOlok{K$g)Pc|o_h3sJ zZ&`RKgFr%6X8nCoXXlI5vYF>0+$37MVeICBS3YTx>e_=#{FDvJVX+Q2m1UCQ72h-C zRMdw0>YwP+ky8G_518<7tf+JB{d^Ec=Y2Ok6o5x{CPie z@a!zA>X6aDx?9dipD5u`3@EiTk~as?qPkc8XQlq2i~S(ZWxq7J>JKHom$CHQiT(RY zeR#z$ZM=;OhbS)Gxb&BI^^gk9;nI8TX-Ck?CqY)hCe}V;1xxubdrLpHXfpWjw}H(K z4AL@%)uoE>A-2UlP`nXF8$bu_;uot4tJqc6w|_=&$j9&O8PF~cW4HSf^?i}o+P!}L z=k32DI6fi$Zi94tJL2wHV-o155uO*qdAn3i_qCKf0!iMlXVW0;STkZF3r<+$>&0+~Oax}t+U3Zg7Q zKcJ#UlktRKUGL$Siom3nG}SzE7)p^yC?Uj+2P=YZ!0z@Ym7M&>mu=!D{B_45WY^{Y zgm0xw*WM&Sc`6O!Te?9;EhJGqmT4Jy*rb&Ki$qyujXlgJ%{1CZrQO94kmncIt3Qag z2@c?o4Krl&L3d#nzDUYaAPHo(-*MYNT>iJKQe?NBPkzdDSNj(7CE@b$q$;Edj6QWUR)NCNcEJ$9f2Uaxzhvdqqa z!Z1C*jcfMLzx97`gihDqT)Rdpu}Rp{C27~g(D9N`wTq=o4Cz>+)dE00Dzzk6Exc7^ zVI~6e$(&K6X*6}Dgacda3RjC90j6b(0JIwFK~)6TQiJ1x?yF{HckUMLxc-AN{}?VlB-o@=uE8zZ=NE0@**ll##yD-I@n; zy}uQh)>TSAahun!ap2-X5^}#2`~T~D)0>R}wEW7hL;rCg|LfVlQcpxv_q3MYi4Y9G z2pv|%&OiR@-UP>%rr|3!$zq|PPkG6N>;qTr6SH0Oei?e5?266Jk0ZEvQQ59|aoMA| zO6Q|q&`5KOa@*44^Mc_FZi9>;z;&}U67>|PJ?H8nF_II*Y^05N32Rh z_!A8tO-`0N&g4Yep}IU-rB{Zxct{Nt`?ai~GRX;=D6=| zU!FE*TkP_#hNQ+Loo*{jj8zOaBo?|FcYjjS&V~@6)LY@zU+=X(4x!PLQ{DgccMkWD zPh7Eh_u2MbD*Q`w-pb+@P_}m<+QH);b5IDUW8>mIk9sQ)w0edU8aqIMO}+>8K^l+J zUOEThd9*y*d+S#<*6vB6NeX(gYC~)2I!$ZKztisj3DNwbq^^rBV=i%rw^r{lh%K(7 z`#7Pi`NA4RB0NfRgL^M6x=u1jv+`8A`?48mZpoMVx5JFGA&H+QQ&UMg|4dMWUyGGx 
zR>X%`FS@pG{$*@FX4fPI{1>BLB9zbl)=!1j@bdsnq-hn|kEX(ds(&z>Q#f@LH18Ju z?pxTK7{U~hs>PFBr4==SOz2MTW_{ZCc%b8I06w2r$v0;Eu^&ly9~!-I3ODbA1b`qk z5$V|2gnmNU9*N@a;7L_KtpAI(a~S+C+CM5-o(R3W@_5iEvSaDLA??sc9(wyf)iI_3obQRmf1%T|KFl@kaz*5o7=u}B6NtOlcKBM3>T&fwo!Jm&Ic&NFrZ<;JXx zda9gp?V~G9$tn}dkCs&G#7?l=)kAbaE`zf2L3|p05aWD_!8)PbRV_6|pMx~1`PK8Q z9Z}}O0dqtwROc?=#my(wIyz()yMxl-&Ou%nq;r!Z)_hYNOYJxR!TPsjmDqPTXm_3P zDQW-c$1yOIaKw@)oLSa_uKcq z{HI?06^s72b3lmEDz|6!SO=#Rq}(NeGO_S9Y~JdF$#$SZ(ba}}I12#|yM=g#Row3; zaZ)Ar(;}XB`txMNczZ>q_7;Jdc9=(OB?4?jMt3UettU4)BIdz2r{kc;$G-ym9Xj|~ z+}*~;XjR4VX1;k@sMDbHYOF>jNoH$tdwHF+BUdF>ad&y39RkfPrpvIS!9ce*%`q9W z?IF-}=^A?s|LJj^FF9|fJ6v)#m$rR}H;v}abZN4kIELzm?6~|xSA^a0-8AQ8NR|a2 zC)J4Yz4-90NEdm}>maQHI&@WW@rGN+=kK;1gjOEs-m1$p$@LPKc%UHU^K*uY3ma}- z!WzxoUxdY!x<{^UETuvIT68`%1X)L#<>2eDM)EZRew>OtER0~2H>sQ5svS3(uNfI4 zXZ8>FKJG=f+tB;*YlavSm8NxBW`Y)ADFM3A zmoHJp=Jgmz?T+-Nrq!yD-saBG3jZBv6S51AidQ=^+v95I44U$1H5D%hrk<4PP{qUER&MUCigccw}kkJbm3vB6YMDRiLQFA;&=vAk!vv%KZ;9y$0Yn8&%LGSz826 z#xA`OY2B>5M#LszFCPEAM_0Ulkf@fdoY4u!w#JU1Lo(CzIC*=2+%zcBgyrsI+g>L) zMq|FTZjRKDc&PuE8E+-Jlc3}x$Ktx3byw7YWGIA|_q8X1lp-G9V_!GN@>#Ex#>Z>8 zTp^P6#J|NmQXlYrC=p0f9uAkPWqq-5@einbgy)Fj8Vu$gDbWX+SxeQue{7`^>J7+@ z)9BWwPE z3Ci~VwdlKD&VBBkzvCo!`75Tt3^t|*uM4jbY@76C^X(_9Oxw7M(+;)^E-TALCxXIZ zfMujC&uF2xqRFke25eF!_4&_X$DqVO%JEYOn=g}UAIjeeAZHqt(=>ig)Q5@?smoMi z^|=?uwBP8EShp)N>Dgkic77r+`~rnuxgiJ8%WQr@f6@N~vw5{as8^VgzaRl?YMv7fI$!e-CyGmeoYt2dmY$u!}Q^Jw>i(}-!A^iqIVU)9!d0w zk{JqHD1?JTkeKWCOm=+GEpLE$=FUPal}estSqWN z^OVH@tpy;)&%9paOsH37ta7B|mKQ4WtTCs>B)wBrI)8@=6Li^+EG_2#Em+118P59a$tH7VD}%E$`RJ*zSLh2%h6Vt6B=m||FK$b=jq$yxl-GLJS3V0+}h=YP^V}Xn--MphLBck7xB=h7Uo~blOs%I^KDcr zjc-q5jBd>_?0?Mgh9G{F{v5#yZV_~!37U4o&%}dRJcC;{UM<&9(#k)#*KWb3zJOfW z+qyW_KSE*78R>+K7znziObI=7yPIB{jGHaH5zlH>UwE`VBl1?ES#ex$tTo@w57R`9 zjF&(}jl3pJ6*E6jkk20cq%r83%&JG{sRm7s@CH)Kr!kC?dK}wboTtn^HF4^c%A}m} zb@Y@qOew~l|3fn5mwER}qppz10~H&~vaVi2!2dYhQ51t7&`PLt-Q`a#2a4b`%3}T~ z3XWv{k(k^Mh#{>e<*JBB^Tj&Dd{`oOV~zzWf|cnopU 
zZEl~#W-o!F5cR|6!+}7^nxU8@lfd&rDmr57$;KDOP7k-_=D$ZTwtt}9*S!*xNOHE8 zjqxY!PYnQ+H%h0ux07T+%daW~X&MJqY!JA8F3Nnm`C)pk<8nU-{fB28u?~}sKD=CO z^r#l%<`WhsRTT4g;f5tG3k^@5`h&*xeZehn3Mt^1Q*_1l@w%hGfx_#QY5lbYxOSR- zz?RGQBPRK!A99ehH{-{cfja+4xfJH*feWrMMwth3v}8l9vY!6yWvv{wtgcLYpGW`E zB55D9-(5kwi&o)tvBRl_?w`ZrBZ1a@32yn!XEtt0=QUqSV&1>&{gG-iAi@pvs}V!h zfp%5?Wa3m%Cmg}mR>UUL(t|1(~ z8#Bfpa={l7H1DWa+9&twf-ihqm5`yC1wFj9a1+oSfXmL*8%TxLL4C&u%MI%^-705g zC~^`d4N+2TyT#=#q+hHGb@KYM9A>2_UrY2%PgGvA_BtB0_+!|(uflawWYVXlIAge1 zS_LmQJ8CoCuU-GRL`F^3+b&2Vn>uuefSmzTwYKYIK~=Za*o$I8C6blIc{d63QMx

{me)1 znv<+XZM$PnchoXG`}nm80?hTM1O*I0PxZ9)D%(nIrH0S}hhRvmR*ScCHKmRJ&Sex@ zFwBw7%85<_gWl$6ldXyA(~P82!3Y3;YR#l(UuOynoC5VAG~vRjjZ$)#oqntFv#P7I#7KaA?BvF{kZo zD#go&kURy2|D{3`F2*&x z6eFVdU_fHB-cBUkIe~7yqS1rUqqPW-w)*+a>FfDPad2;)?eqgPtj%B_l>}q4jHal^ zKlQbaR5(8kS)`)tYw9OKqj{A!an*ad6o3z`WT_wHd?v0k6LBu*m(S1+lVB)Gn8;Y}BT)fj}Ms*m(q>`KLC{|#a(gWgepuo3U{ zfJtf~Dr#z~Y-}nia2$Y2IoZRs>S{=Cr$*7nGC{`@Gj;{K&Frll z`3>>Lw^tr3|4}S4YkK@J>``aeDf5ol`5<~{fKe+^kCjnP!aEnj*e+?Mu1UK@pb(+S zc4MWVKTvUBwpD&T|9*-TRegiw!)EfOIt91*WArBVcKqgMvn(Qz1 z_eU`HtJQtjI|9@MiTs-bI+y>#$uC#BQi`@TLrhy^#>)ciJqgdRE5s011?Al+~;7S9sAxpzT z9M7zQitqCC43ot$OD=o7bv3%*u32&uh!j38_pl`{QN>d6YBM-O50;R!EAeECPQvjS zo4>7c`wl^b8<2B5Sm7xX@Mk0n`_nEqZNV<GwV>dbVSd$;o>Ti@jzG4c#gDi=q=<~dgp+caXhKHkS9B~+r9m=7P`79QHBQ=a zDP{0&dWzAMr2CV6I*Pee)(v zKvr0-R&96Tu;!EWrpoR`El1G3B$)XyG_*EhNzbWo60u_?x(pYS0GjUP&5=I{F-j@P zx5)q=Eu>aEwTL9|l?oOp*H!&g1vsw4jBT($4L7d6lnA)D)^d)bBvqT6hxFIFlbEdtDvhpS`rW3^^x^i6#Q9Y2}c z4wq!wwRTI`htsa^Aa8-0cGM^P?_Z{?gP-OSwqfQBUPdur%$>|9$ZXymfez|u1DF#< zA*UK1Q#LprW~AUvd1g94JMg~4>Q!rv2W63BoHC^)y$g#mtG#$LJV9KCawLCfR74;r zOK?9$C^l1eC8xp}D`CE~Fm!c1QwoQFx1O4V{OQJ&Sc@ZMNV~NIxE+|DQV9xe2}k7G zw}}YZnlJSyYo3Z3_lnrSMgj;sy^rr%E^k!4{57?asCgW6b$9jtvJP*VRNP4v#aI@K~L&f_cl*&?2dpjIq|Mx>Bi$E;r-2MKM8&ey=y^1D3wV~4A) zePS$Zoq(yMwBt}ukwyfo@Q5V=@S82>c{5*&NQ+4Ch{g~=RpQRFZSwo7++>Pk%kQ7R zn~yR(T93<&BtIx9!N9x;&7B%g;Gh8^`7#Q^z;i4a6DyCmO9$26QMFNlA674Y1P6Uj zXQ8wW{oUFinAO)h1@^{7o<80N#QP>!lXF4-%x4AIsF3tk_59SZISRoTSvCND`HyVm@%61x%bUIq!jk?L~SB1&yhb>is$P>LZl-@D&-FB zmqwjUI#u1_ftScegVM^g98b3wj@BVyMzqrrclMj^{i26{VF5cDroiHPX1r=FqaSP=gTSCg`3*0|5h`a#u(O(*b+7k7 zZ%>GRXgA($ zJG!El5ICD6K}%C?a4;XY(#T1o6z? zh~xF0K$Qp54W#&sSoisVe({+YFC`D8%`SOUnvw;H?KV#byLt;P*%D&y_8AYh;*6&^ znO_;Q)4o*mV!xXrZcihiS4j18D7knn8g}B&_he`SwiOt;EJ#e4IH4p&-eZXI>Dscj z_doI|LGHMy&;Yt)gN-ruU3_Bs7SF?zZzJ{EAD$Jw`BhtZf%!W&ZwXTxK?7(E z(tpWruEeJBS=N_5n{Ce3} z4$u!g-hcA~pilgwJ8Y*zFiO(>MX|w)Qk%-tV*R>^wRVe8k89?&>Lp2`DZ1e0n>1C? 
z4Rd7!o6@a#5epaS=4pU|)`uJWHTH(xO<7@Y1??lx0H!{P6*i0cC0z{lAKJ3JLT}5L zrI)vw@F)102Hx0T4 zr#EX^#;0SrjV_Y$Uyt5NMeO7ZyS@HS+SHTOX-U?0?Q&Y$huhb9$6}X7^lP<5UY=5Y zbsrG|eq&ZkP13JnTsYl}ji8ssc6iask$*6SKPeY48|jM|u*UxMDozlrY2l=hRW8Fb z8J4Q`H!z9##yTwI@@JVhOV2Cr9BzH*6myulSCSwnq6Mj&^YXQDU-=L+Pu}n*>Ft(Q z8V!Z?r^Ext`GU|6!Exg(fmZ&CTU=K%N{C#njHYTFs0H-PxGYcNO-}a0cWg#0TFRh| zaM5*ub>(q7=Q{E3+?X61mZ`#O+c3ae2JL1bFZfssaG|gRBcZ+EGDx+-vZ43)C#gr; z776`QWjD+Cw?Fmki%1jaF}Aq_$e>>9B3*eW{*}bH8Ww^Nr@5q5J*9J$G>FJj{#Y_f8fPRg)S)rEtOLE zwrr$4)6v64cBa63)HoF)n;S!}FFJj1^4w?oMV9b92jij7mY{}GlyT@RcKj)7-^zO& zbi>UyNI>EJ`7fMpyAEQStO57ca>yT{!0^0WPkhg7uXlTSdU5o9)n_U%QU6cgCd2?& z?r90%HU*C(Z;f7nLoLWv?ylj0*RK&{k`Jj4O-jV$ee<;vN}<=sUwJ$fx}CvtPcjZ* z__S9NSRI(RcL$}~{c@>L!aoeIx%8GIQbF~BeaW?%o^d5Wbf@0MEVk`SE>#HCYuio> zk}KJ21r(~d_Z>F8tOeFQ8tHV$#C}(z?|V$SdJva?^6w_);C)l73+Sg`Afho#3p2dh z#(dYm;gQUQw7hq>9d~F2slQSE&RCQ9mOY2&IBC%fL*k+fBQM<~G3ykA{$Dy}cJ+#c zz3`Z~j-|Ve7qg6SN)6T6dWc%KvlpbCwnJ6z%9LU@hYoxCE6#*YkzZFHA8}Pa^ZtCXo8_H4HlIJerI&5JR+DT_7!$N$ zoO*&QxVAQ@-%WzvSW9)#x43fm`r+pv5dn~uh+iGm7I+D8iB;QXI&86H`n`={(JnWK zY{eUtM8UD_qhAruezaHCD^EEJV7ue=zeypb5ookGpp~L zXRm-33}ks^+PsWP54?YqLG1DJPNFJt-M(zHc_#Mx_ZIalTOO930a$o!CB8s`(5u%4I~zQChHaS48@s~nVBNCrWp zqoOcf`L?VtO9NzrZ*5uUm_#3tQ@^KfI3J=UBZwC2wd4EN9d9c*ltq2DZYStHax>WV zh5cG8dL2IbG`L)5)8m;+<`PTVU51C-Zg!ZbrC^SUttd}QsaF@52;0(4&uNcYJ%SBd z=A6gRvO>dLT9KJCc!*N>k*w_dMO1l9Ldz)a6})Y21oqh1dk>u6YK%Q@Jevzr@Qz*y zik3G$z`Qc{T^%n&m7&q1ZWl2l6vG@Qh2wM%WZ%#>UpJQuFS2S*}3N79S&k< zVt#;GfW#aVvnFWs6$hh!FVjxr=nFMp;vY&(6=Jio`I@)Mk-aR(Ja$oA5pdrx_=uBu zcK@27B(?{qFS_1-{b6pd#X-YC=GZDBN->0*DKl)!?_W((oyuyu_(Xs0YO)rNv*$Ts z^-VnfN#>T%5A)JRO9-I;fDQ;|xaGy6#}+4ElL}6&ZZUnce^c6|e>}*#Y;Ovx#l7zE zWnZ)TWp{*^e90{wtqvuTjm!o%TD8!p@>H!^*y*OCa}|&5Q4cLT^14E&5XqKS5`#3t zw%DdT%u^K3b!I#3EYXZ0r*)-6ybL!VFlc&8+;7~qaPaF}@rsH0O8Q$0%D$^HAwo2-;QQRq$V$*tKX^49w@9ND@DS}X^kJ!1&gs@=OVarWlNrJUw?6rLU%lo0 zz*O7u`BzS@fU2q%QKYG_ZCDI)ONEVBJ?Yj#^vN_|!`tnvk5Xq11A^GRR5vxYetHg4 zGMM(VoJF3xcSX`io$q3iw41au!sszd``|xx>HZ)kAI(w!IIn*0^9>s$ut_o<8+*Qe 
z@7cd(=^l|Y^_38Wc}3mX?_#GtBOGmVrvoEjL^z=RI zm9)G)D!MAI8H)3l6}~>drL!N`f((4E;A~NQ7y#GC+ra|1mu0pBQZKxceQes$zczhM zqNn7P$$M(&nh!`ag$zpeEp3j_fbxLI0OEHbtY1w!RlQ@F4=+J^u1)nZA};8Z*NWNt z(80LlS>Ycl@#msUSTLfFZN_Oa0Z|EH|A!W_*EXU zaR{(Wmp9{uYWJ2l+GJ(kK5HjZ`^2r*N*pOaYueLpZQi}nF!dH#R!C-nWz#n*$Tj8W z$f?k4XRH)aWGy6gA7~Cl#qV-ygSe<|POhue|?UQe{T$oGdz7^)4=_8%rM!5_!TFb zdW@XNc*L#s*0c7^3%5Lj4D;2OBEbsT^KWR#2PTs=(?CyvRsepUFlxHCgdjUW<@U?8%r@jSt47!NJ9eshPTC-9~(cN)CC(!x3s4|`ulbK}UR|ZjMN?ioM6%TA+-)5VLHKA<(KsD`v)tO8 zzsiAPz_gyVVk$iYLoW`tz8xlYT*r)=mz0!)I~Bgx+099^z<*qRO%2j3Q=GDNA;wLX zQL2otE0zMGgW7kS)e0g6Lc2H<0!so!tu@*_^~p&T6d{g7@+b7t1ssBvxoJRoFud9M zg=FEOkNL-_!mIu>a`i)(RXeM0uz7yFtU7Ay+BW&|#7kt53IWz{IX^gZ!efNS91rx3 z-iDUssqJStCBb8_W=7k@wAgqoZ^TYqhv@g=`qCVMooLuJmf{y~mR|YDBYddJl|(C5&o6+jR+* zCIo;V5iD#poW%+-FkI|pjb>;PADzc*$YgDfT)k)%mFk{Hd0D#a z7Y^J+cSMfddL&PjUQ`)u^#Oj&H`adka{wY#uB8=_?j{QZGPb3`7gB_EFM zfFzFMa|%9{>C8Il2eq$|>N}XsuS#bkV*GGD z#rrTz2z^xfb=gTGxdZ%(Lsz%t5)54A%{iUQVfRgqG3~pC%%sUp?GM$bZ$x-nLF;i& z#o#D8A(!x9J@J4S&q5W`DV>D?kGTyKE5i_iU8RPIxSD-W|MwC0>w2msuvxkXL`A8H zZxIx~41#u?=@!PFf!)`k8M#nSANJ{PnYXXYmss`Q3J8yr5+>h8O;_b3&LOF{AZ_Uu z2q6yL%61`0zrDdu&R1xr@C&l`x0Q3LVj9TQb?VTzL;p`uFL|ropxAaby?KY6ic;2HLKif|q``yNBnLLUJR7{dN2Aoj*;hDC5`! 
zZI_fQ?>7H@@3I$kr}L)aQX6p)P`-V>CuoD)G^GI6U6N7q3%s1V7?h;?{-(5~!#j_p zX44+=Mjhgp(}Gb=?a4R()ui-u41c&BsZ3!-gcp8iRAg5=m)SLVP+}0K0TrzSB+vJFlJmz@Hj&o1yTw5P5 zxba$!G7`)*?_O9gJWW$jlAKqD0rzLOh$v<7 zPAv_p#Oh>Yo}P_Ndn#l)$A!1@UK*d_tP+X#*ozT&2kfali{WFA84;J-e6GWvrWXJ%r?!RHoD)ZGf&0#*{QbL$ld3xuE)@mby!w@`ICd)F0eY{SF& zbCVm&6wD%{bI1wwR}t6sDG0(Mv^LXhxbc$KV3L)WB-YNZjYdcO%?~8Q{3~H7QA&;p z`jzEd4%f1H!HI!Xv9T6{F2J|C0MM24JZFbRtI33NVQCAH|GVtc+;S>4Bki1sbLR)9 zCy3IHu8U?}0-GtjdC`wIPW=)mL4$tSU2`}hO^VxIjK)5X1^Jb3H8+R+OgyZOht(0t z-iqr4D0qcoS4lCS%Cw-`5HV6vnPkPidS<20H^&g)flY z7PS(ZA(qQhoowUd_mx;a8y+>#;la~IP%Vyr;nstMid3p^Q6LuiOXhAr+X9B#uKZM3 zp{TMyD|+`UUtX73ykdSB zxVNvrl2%6d4w~ki9o2R_-l;35x#sj}r=P52pXeqKl$@xWKSZjLmnpe?6Y2V6LtVcl z&k_kj)P^;R+LL>xqkYTjS}dM;`9}rZWEvgeq<;Oqgf&76_pI%V*cfBs9ToTGC;4Fm zm|rxKvFWLEXM5|pXJyQ=(N&fmSpDe)>?8OXclFk~XUC13?PMLMy0!)p`d}WzQ4R&s zr6tYD9Sd^17HusOh^>?fm&*Zw-+8dqEM#BM%>~{|(10ynNpZ%Qolk+Fp>it`*^!aP zTKI8bgBEs38 z`abTSKP#af7bm|0q@fL__uqi)>5PUaPj1-1-2B0ycx-3hcVGWyKOVfLG3JQt?XY)i zO_GFcdG+7y_VcO#D_wKC)*^o8I)+-e&qYmb@xo%b-(Fa=*B`$C0TXCo=VMGFSW#26 zy1{|OmiQ$)7eDoc+ch_M$a2MlYwC@v)LDef>`Ed<{*;hKx>1@Dc^X{Lz7ov#bS6rCfA^QB+YL zKkw;l03+P%y*@xJ1Fu&cT=@_OI7UFG;(%#_XVdx3<>on_|h8V*Sz*PkuEi#HZ@- zbnQ1#vNKWznOvQFm%3;HZ7x1A)j}Xwwru^bPQ+#BmSyq83t8LSB+&!{oFBFjY*l3~ zG4SZ;-0rq+)eFgLw;F=ddSk#L;repzo}|$_4!add)29R5FOQgUOt5 z8Yl4A2Ql=6HMS$FPo#U3Bl{VT4+OI ztSE$E7t+nr`l#7cwIqxN(3$~uB=zvgvrEQa7qGhnEt@ao6m@uk1Xku^Or4gC zUSCd253Pz%ThGhsG4@3ndoB@FRB;vW{f`#9be50iuZ9|QA250VK!(fHJqh*^;_nK5 zqN+)dVey>T^j6h|BnzrysIt~bTZYek4+gJ(`@CRq5h`GO{dSa4A$wu4vE}$2nFK7A8c@cLrZQFt4#+FqIhY=8Zu z#(0o~B){)OXIgwqO$dXI)F?xA9SOG{zxFhCsuj1YpKV|CVN>QhJJ_Dq{L%Krd*uE^ zx3D0FgS%ko194v%qv$WV@5Smb5>>7^d5?A^nkB2_T%k?y=8@04aS0Q)iO3`jR7<7^ z=ec{x0Ag6FE=b=98O-_R>+9v$j0?r&9^RRuu+X}AbVV+>VY)15qoB2sox6IN4OEed z!7U25-bT8qM4s)zv=R;u3`2hS8G&ES4(p>nusO7Cug1zbB%ZInW?lk%9sRnxy;#L1D~qP zDro(Gq`e6=)b0B}UQ(hE60(fSR*I0Zn~Fk6DqD6#gt3!tOj1eqkew`{tYaCwu}{dp zjTwx6-;J@18NcbN=lMR*^Z9e%a?07%u_ 
zue}9$2=bc%GE^W}Tl~8F7V8`pXUo4$EOTLtl5rlhNSLpK_vs5M1>>&4YaU~vQrSM$ zmo_P+lZY+sI?5nz;E>5CG#XjuySuJ6DjBcTv|y05@gL=EC_&x&ROcny#c{Z&DX4A4 z|BCMhIaDSos5@9#IF+s9+k~B|tgynlMI%#f5)MZ~HHQd8vNBdd^bqt!yw3 zw_b;*^Un>qfS2^=;R~t6-Y`F_gSmDl8blrk(qZeIOMSu}omT%GYi=lShCISqx8BcQ z>7An0o^F?--FG2txkBep^alBBI3x@eFJUbrPu`pEu2`#DR$Q!#sguBNcEs*VJ!m-o z*0iGEzfAl2=R5aqQv+G4JdsUmOFv{>?e}huN-#J^VYbKj`w8oYj_19Bfc0b*nQ>uwBYElg>;3eZZOz6FnjlTS8~a}Gs0HU5GEZv;&up}ih@Q-hhI<#p zT3KovxN~{hA~mMj(JJx`yxrv-o7!dpK*9~tz<2UpEbt^Ri;*WycK!z8m}Cb$rdW3#?rgN4x}%*5*T-{wZ)fswv6y&?Urk zh1a7FSqUjZeS2ZeOE#W2Z%D78v_3x)X{}ruY^xsn)oe)z z5jnxSVUx)u_JYwXOb5OWaV!MZ)>g4shRPG_oOHUb+dIaQX5P8|*JMVqh}gn&{K1Ew zs>JGg5RT?OHVGUt-2}k;!{DJ_Y29Ep6fc4`NN?d$eT0WJVbAZBaW9eC>#_))MH7I? zE?Hr2+8kHZgk~2bFTBFuG=rI22}{qP1oMi_={Gyj<2s=~7}_qNm_NoM^Wdd}zZc>+a5lsNv79Fj@Na4`^yzVSO+;?_(`*_LJUQzJ6 z)V?%3XCb$*fLXOn>fSyT=LLro<4C84SKNxO8&&n;*QDnnL-O+88*kU?d4=ct*0q4C zHZKR_M`lvLNMGO$NAb)>An*56M8p|W1NIf?l5~P!oqqr7bROsN8a=H9*+JOtbwgrZ zkpmMBFh1A~@I6;1w=?jhkPGB@*a9UIRu!$gxQu|WM5Xt5n?R+Tj6oejfehjpIHN%? 
z$oJ%HE_Va0j#}(+k+pfE4PYwBpGki$XPBS~esFcx>O z>x2w?Oeot?W6tG29JpwW+SB5@s)obo@aF8o5shoUaZ@vlM;{(&*oy@ns}@4d`gz?c ze*JbgMj0t?TMJ7Po(s^izOLEH=%H$~ceJ>*uzhqB$gjA0`^@^Y_E}~tMcq_0m0OckL}52IuREtc;@Rb}+~}m3 zzClkI^!xN-!wmq9xcuziR&HT=q2FZ53z!+#`Gqa7yJ2tWqkwi{bT&iL-(?Wyy&u7J z1iRL|j+&G36SQ+irN|eZeEL#aH9b7oKxVyKM7}`KRGnpd6pidYla~GR9m%6@!f$maRHX^3~ z*pK+w!7Hcc>U0P^8&#mm!^U9I?R}4(nB2kX_%)L`#c>bXLhZ6#kcWG%LR zYH`fdiJIlI^re=lKsk?`q?`SpwjuV|N(H<*(td6E2@i)0kM__gd=iTWUU@kBvNJTe z1O0N$%kmlR89*1)YP#2jHZ$yK-(wgWCBqu3qyQP|h6J~Ye4O=LkPtw9rk|}Cl>@!| z8gPU3!7^mSk1$BV@moTJd*dM6PD4oi6TmfEX$ijXLL$OPeVOIa2Dw~&F}>_E6x4e z022CL4SZL~*H?O|?=d3u3xm$dR!4hs5@33slr^O;`iE!nQr)Az26z$bTcneee&=9` z$wHgPYv4|opM8IfEFPSAkhLTZ2x(Ea{SaBWVL9RZ_}=jsC%7@8F>~leVJb{~c?DaY-l?Tr~;*L#&N9(>$U)l{P$?Fc}tNTD(j1y(@myO!@fEUU& zVmr1K5sbnS!Mc}}^eh==)Z^;dkPT9F}yoDO^?Wtnoa6x+A-oe#4xotvGI zEx#vV)jt==ow|?FA@?G2AwcFKbZU`NsXly5{uI=#1GsugDG@ppfoeqOXt%GVhauXI z!#q#&p1ftIDf2o**~?z9l>VqsV0Yf~s%UUB5ykX5n5-R(sXKT_rgvlhxkx|PN&WPI z?gX`9`)k!sU4dh*Q=_tv+TgvSTKN*u>AuHkH_G07EAe50&Fp~su}n?oKg{}^|8tg& z?q@SU+P9uZ$Ih+`1sWfE2LavV)a^3>s1V4)BNy0rX|~es$KN{iJTKo=Pda}>Sz+~J z?h8g3pWe3OOmvI1_B$Y|8}eaBlG6`fNIO7rmY@D2NR@a%wCyFZwGGi0C!L{v?|SLe zg)=SimhUr?XFQZmZE*SR%EE< zpTA&&GGu0aZlglTwsrt zT-8_cvVT(eEAW1fIepy}-Z*Yt`aMi`?=$^Y(FffGMB{I}{AHc5PTOCmb_!oKT(8DC zt@WirQ`RubytiITkjTk(jS_Q{?ef9)77s$9L^x*i4fu{20!OV*S=>;q@k z`~Tkip-;CT-1J&wn7lVo=Q`fNm>r;MKbQS>fVCwHqVZn*d7e2N z2@FDHFk;-RpFVKT|1nkWCc>D+R0JvUJA0j;|Lq^1`sa#J7O0fY|5+8PTf0w2Jy)6Zisr?k zZ^2hz&d8FmBHm!yPWCe%3rzyCPuT2Ax0y*>(%O3EOCRqnofWdroIBMhdhnP>@SK%B z+uP?{1HAwQ9&9|LCD-blo%N%mQB~xhoBxZ!{P7O3q4JtKOES8D?0fm3i-XQ3`*>8q zd-6Ro7gG%C;%a)Mr`Or`C@mu$gY$f`EkRG%tlS%3Jjzd-w$$(ETM_~%V;_elOvA&f zsu0D8?$QJQw)4LX{y4K4IbTSHZQG#;oT~V~Hwg$XnM2?BIxXE>_%KC~(wgYa#e~IX zJ>eEKnA74MxLyev=shJlGmw@AutPTk557*kD=TA8kc_|h%Y->Y>M2hFKD*wr7l`=q z@3nkifB*6$KLa^&n|u36>E7b&oZB8&WIUJ~Tujfs{VEzR67|G1ciYFaFOnsXLznX& z%LkS;*c!^u6~Ym?JyB5!nhi14BdSSG53~*bx+nAoH3nh4&B@7gnjP08b!dMp{h!}j 
z-^y3ta?Z-NUPft~htK4~oh@-HvvpzZ_JN3bM!xpYct>zDDjl|_B6kq8m?*5mg)V;X z+rg6Zw7H%>$>wRkOq)hh6<2hX4X3-aJo<5Mqa`71p8plE;9yO4f15%GnEYb8+C6 zY!I?aM4U(y*k zZAdMZV|PVGZsElVuYz0|)>~#B%0eV|;RLp}&w*O;A_r3XlWh%4ADgbv{Gab4jMRr#dNZ*en0aARo^MuQcmGcc#v4nb3mQ*A$l&Z)C%C9SQTh-%lcHW zA>>z#yuhLlw|Gn18b+2SI##t^xbe(#-t^W`LDiuJ7Q8D~rmwCr8Pr!|-JK8;3Nmr| zN}3qOjTodJyb+W)Ev4PXS((bt3lj)(>uA?*q)oT{ew=2!IAuDS(>CM&nq~Q@i`}z( z-owT(u}msl4gi@Y_G(f}5Mh+%rBCDb4J=MH88q1(wOZw@hwUIQZ?eFA8X064Zp$r3 z_pc;uzQm5CDvtXR`T^N9*>%d!qQB|DFOYN2e@EpNu9{I{=9t`Jy-&VrYQ924kfDXw z=BQ>M!zyGbsnTPMRwdg~u-Scig!hqw6jhy~)6SC4y~*ay?r1X`XY_VAvd07C6|#!JE)0a5nrzsu4R?`CNrYi!sn1%~AOUS> z$|>XW#@KmZ-^a6Ytc^UVXR29dAh$eP=~^{8i{A$B;+s z;G z%+2*=btSq(@Y8W{dhQ2nj2!c?Jxm_Bdo@a=`Z{y3{HX=NcS7v;z>{HpO`kp2z9Q>X z=WTX;0N3i}YH_a{pG?k6p11u8QtD4#>4Ad--P&XT%x^?*9lq?89LAK_?Pz&SyXzSY z7Z}?GJ*qRER)2`AgGPZw3~|pBA@=pJj=xw_bs#K)1^{oG!wX`_%Z@aOi?KZ!6O;FZ zRIAb{k|v|?!ZDrq_r9zMRSfW0m5Wt>snRPUh}5Z5I`Jd1S+?(E;EV#!>Fh$q@kv>Q_-|LFPR3Nw=S zrH3+G6j$44LQv>ZC3>9rk;-K@gddV02#YF7SCEn%@2d4qlOK+3} z{{@%FX{ep#m_{v=f>ijJH~D8DB3BM631*A<;^CHhU*MPcyDAFQMNL+lLWj)FiWVZq zb5&I@4+n?pjQJbduyMTF?OSV&yM3hFy(%u}-+I^}cgHQ3`@Tpdm{7o@@`3O_(MZn{ z^+qiK*HOJsA|hwnI;F;q%#5quiWf`f4%)sEIwJB0d6&7L`M~tym3p0xrBE zI@QTSy}eyg{IiS-c&7w@U8~FRw%2d?SfckHpv93Zo zy6u-wSubiEFJC#9C0{_Ty%rky@Hx^WC1EB%}^+Ql<{fbMx!7Lr__#jCN za~Sw~M_F4_T|mo`$#z~MI7Zh61l*LaGJb} zET6X_t~&Zzfl($YAESutNK@|!rj!Jes}TF|6aGV$EP7@M+`7 z>{KsIooAOGly%VM?&YD8zMccP_DY#9GlOYYabcxZ+RbDaMi3 z;mC;)Vm-N+s_G(2~|nFjFaV%^}718_nqvJHUq~jJX9xhrKB_F zOAaS7aG5zx#hAdTX1HMMenck8by1$DF}aBXz*;F8d{=EaAJ0AF07mLN-Mq1-qry)U zqxIz8AG{;**!X(UW0$!k8Q`cWAUxKqu=8{WNqoB+;D=_wI)auT)v7#y;(Xx%>bW5^ zNICIT`hZ1Pa+A!43zqZVa#7p)x~i%wVrt^mb50awN)f_Z^-EzFC4f0)?L~E?J=TXh zMMD=q9YmO)Js(C7ItnS`Npy5Dq~wuob?$!~4%&=*Pa*ll9JD?0+wfe{m+JyuS12a{ zY)QG@Z1qWsr%z%h%Xymk-B%w{DzCW?HJh!$Bo4ZaAO=ovxTd+R2oLs>;@tGu_BXWoR9poD76bQ|m7LR?b zcRmrZVV74ga)9!)pBGzl6QfmAVlT}!V;=pyfNIlLk;6O+SA^tDb4eQzzGgEL#dJ02 zL=zeqdm8M}6?GZT%o z)=NH(QO*SAt{S4pbw)D7j<3~}0TkF-7hXCc6hbndoA4rC`tr7GEcn?3vF 
z>o48cABb(yFwgEwr7#qC(PaITv>i73c;4kWA?5VVOYdTmrNBdDh6l!_p;gj6_Ft8Z z5pXO%}#y#U&!`8EoE}P4^v)v`0!KRqg%E&zWjTQ^I%jOwJZmus;HV#Uwf+qq+>7*3$c=k3Xj!`zEw|VW3R9m%$s;JjxYvwNU0c zJ$l>nqgb%-2g}nZQ^mRQWgh`2x$>Srg4~iboBQsWC*hu88OacZ0xjt`fe@9Ed1=-L ztHSaDkh3Z*zxThBzo^?GV|8$(1VWKG9?H@jxnYpNsp;`=qv*LvjmeBjt}P#LKLx3V z*ij$WqjLBb2j%x)as_V{DX{BLV^E|`scN~xE;BHqy2@!`SIx4P9bZ> z2rmVDscmO{?KYrSJ;PB2MjT;&!lyNiQm&O|AYIB(z<6C9oTb$|b^loD;&<7l?K>Y1 zN&`V36TJW~?dh=Sw9ZY}#LHft_XX#EL*U!F=X%)Q>o(-@{(BFKoN1q~QE_ZL#xee` z%(^}Yb&t%t;9n?lgJ;0EQ?NYGXv2l=F2A{9PEr z%0v61;lb}n`DjAhaTMYz-L^?JQ;f0Deb;V zDKxz9xq0gP$9qtNM86y{r?H9gY#wrD7<8bQ0pXPf5z#aKrVH?lRgq#&bk5ld*b-^X?l#2S#j^(oy1qQl;%b z6Tshpy8mUWx~h^HV1!pesF&1`SLvwYaFb~FrkJiswkW6#(&Se?9OQir`w?w>uZ|Fl2l`gPo*usoQjAVe*a-qkxV!%-v{ zI(NWpr*^e{U-BxYoOFZxJj)xcc))DjY3xQDF*>bF9UojJM6tIF#J^+C|Ah8qv`=+C zFYwcw_dX2^l~EW9`B0^LpYr&1(~*kaFvx(jBAgrIQjMR%-=}x6x&vUjf#G#H=3WXu zz0{jc?>>6$wHZZEuLuAhv~(X?NTiIT=av9o3ot3c9yQ)HO zfDeK!^onj}hz!}x^S5?PD;t|PmUQuk8}-Z|+X$|U&d8E)M~j>`Cvw@yf9otgTG>w{wUe(|44Q(%CCTSHYnk+U7O#r)Jv( zk(sqZkD@8HO`iW=+r)*H{oiR(`{%P1%qU#s+~=QJG5M6kWUBN-xBRGi+HP4Z{5OPo zDz;f|PWIhrdfQKm}QHHH>9${+=SQqN4zICb?P%W zB)x#wi1{98DW~YHx;y7?lZ(h^1w-hlx76_LcFr;@1DZ{ za!V5dnx8*jKXbKYsx$PI*W*yx?-^k(${~=jbC5s#oI2SQr#zda^{wlxt#aaJ?&%_j zF#72R8VF&MlLY2O2$kmJufec+&)yoIda54D=Kk$h2jhSFHnS(Z6U!&`3QcsP)q@SY zeT^If72R@NxuNF*S8Z6J>0E^CA)S8l-1vcp?1C9ut&2rj&f2d=-yz^xnrq>TZqZGF z2)L#}X#fxZZlP)uMSB(72T~n8|97wX`?bGj?CqUOsXuEi^OZ8+zn&OH-v&+_mCU!Q6H0z!ZP`2V@i z9sNU+`HK)t#p_M0ym2IGMaa4)oxLcH8!r@MxG1^q$aBSOmbUwk(gg~lf%@8T3O?OD ztzQb}hIFi?b3s^tWlwtLV<4eT(~$_x#g4=OB{t}HQy(T3e7*^b&D|OW5Kl9om?gut z0Igwu(f54X6TWd|i}(?#L@(agiM+nlf!Ub0j5NyU93>7kfrjB)FmyC4=F=koub4yO z~ZQyCr#_xA(ptbjeN zF|tJ8x7JCPk*?}iKa&lQ(9$`nC0FC#ilQLJd%%xDe?Zt$X8*YFMm3)B&LqhWijrb< z`gD`HfKsf8@$(WRq*=pj-HXQN|7kGK-rnB%Q2Sc{S30UxcSv2HjGf`^Ts^- zG<>hly_nL?dRp&$49}T(dU}w4NpayxAiGenKpb=->4&+_c% zNA-O5SP??xm2mjl7!mUlxmyTy9IwI9b#G2PQd*k8k^n}zJ|NE5l}KhJXMZ|t9C-D+ z&VRV;XUWrhuUSn?nYW#+w1e&A`oY{#SA!LaVHyMV2ijeQY6gC4KI$|r)RRxrQpV?ahJE^W6vO 

zG8U7=t?oxhQCpnVxgV+7XRJKc-&%Z6yI8OIB&E!|n|I7x9`L+i{hVp|$Bp&J-8S%u zEZhH4gE{@*M`%N6#BuhHy3xS-Xw%5oO}{5AjY7g z^W~M&EqHgD>AQchJ{&{E=rm;9j647HNBv3L01l@G>ip#YFPslYRE)YCYM5r1N*{MC zGXU+Fd-{6Z#uJ`xL9YGDro(xtp82&C{#W@vUBlv`%rA*R4l6bRK;xoa0Upcpt6atj zL-e9QowvV!G%Py%JfuW*jKa?Ao!9ND?jXLAnZq=0#w1(W5C0Zs(7>2Tv3WvKXf;6p z8e@W`{^xHzM=Id!HFwKxHuyTRa6(GOGH&X^A1C9_BlPmob%Jpg1LWq3jY&9`{Q+q4Oz&u80(mKJQ(uEbjCvfb@|hrOU}4SwX!#dR+L}y z^_qb-({E)N3ab2pd{@DXk6dXRJiqz^EeB`~h9;hl`r_I)k(30Cc?zp@v9 zzN0y*b_sew`AC5zJ|royJ+FWdOi9>M5IoxeKu4OTe2XiPtgu4khC(~mrm2~VWv^jI z<40Kg;oK$>1+Wg?>~iNXp7cLX3~;T9(a>|1bPv=94d(BlMBnV*{Sg7B;6h*(o$nD4 z@NQiBahc`z#E`#!bt4ENO8N?y>bMMLGM+TFDYE`0rTHsM9zXSD6enqFeh~Wpe^*ie z$IJKs&-7>Ez#7xVvxR4zY>J%kR2?DEqt0!bbkGyrj~=fVCAEDU##jwrA6Za6A^TsZ z!CPGF+<%T(&G$$!9WY8sWj-gAH0iR-$1~ma-C0+yi6R1i8HL+fy3tNYr|`N%mo0aM z7G8yCyHDZ08gIc1BGDo_ap7XGFz>?t%bjgOmha&2QABg(zlfX4^DoUa=mGlk>i>m5 z|4+i71vPI)xh~;jnC{-_QRsSu;JenhMR#N*cM|%_ad65cxfHx5=YpMW{;><{?dhqg zTET-0&o4E1NV}g<{<*<=XpfKZ?8G(ia8@YJ`SA!|%P}mhc*>hTj zZn2f`-j60uvd(wkYfTNZHe$N=k#pQ9k)NN&0}qc6?ABNRwxT5$PoCXBgLC9#W(4e!KP04*8QOhl^bck0ssw-64NJS(-F$ z)H3zJb%e*hfT0JWH9c#6L*Yj)^B?_D3F2{2Pfwfma0KqV-$LxH{OqwG4u_<#hfHa_ zUdeZ+)Lg=*Qxx%Xgu36q@ly~^3ORG!E9l@t<3|cp2Z9k;J-GfbM$p5kMrs9`F)1sP zPDgh_q|85mo|ks-&-lYDNzdoYN-g%4#dGtqPO;Uy5C*lK?rNH-r@vYpj{EZAO@Yaq zHnvXB(4&E3DL0Doqj42A49iR81-az%OQ>&=mtDTdFx9w|bu9+o`QdZOY4|I674ZIc z+x$w}4(h&w6JT+0Lpe~1+e(dLlbuNPY6Ydn8#)MW{@+nFkW6xI?bvoSzqyG5=dZTQ zas2J%^=ofy4*d1& zxK~Br7Q7BRDvb?7oi-=ERH$6N#d^>mh?==hH~)-u*Wx1I{xJ*SKcZe3>ICVu3bF?- zI$6Xmf7h|RT=0iyr!D~V618MgMX!g{}HTzyeWSvVI|AM zlV^Kqz%9k}L<{|)<@UStVPux~@5TovQ5TOQjf+a_(LGVU5?;Z%43qS$%le4lLCjzN z^x+58(aI-{#VETIq~doxtIszivX}+$NQ!}viPtCyLPI_gJvaX_|K0tX(V8Nu|0q61 z*|IRN@T9Z!|CISJw1^thqWl}-xl46*1q<_1n@M(fFyKAkiq<)#x?kKl^q!+m^y{&G znFpMIh8^|v9p&Tzll`y_k>Hruo&D^-=YKIi6wv_2hr%D8auqlfuyNiTSn%}P^f)a^ zWx$iO3dM&kEr+M%3e1vmE(P_h@bqIpMOhV4rK0726k8?=o{2!C5j$dOKa>#gBf*~S7mIW106(3pF&`lUW&7M*oxqLTuLgkqBg4#YEfy@{bS za?OE1l44zIh|`2?`K>Ozn|R%mAkyEW`wOS|SEBCw&?lr2AQpE<&Z0z}9wmbkim&0m 
zua z{=eoEH}rIP9LM+8s|In=Z$2eB%^0@H3Q%_W0A(k4NZI88vmo-<@>11ZWh`fNvGTgC zNCzs0MTo(Gf=jHvcH_Y3-|4!4N(Sj)9oJ3C?iKa}8C(Thly4e8EX98^(DuV?X7(6L zrH*0pfJ`4+50D`rG~URX$3|K0p7B{RsmguC9p^={xt+5A$&M)D@$VkzGndC1pQpiM zol3a}{;u-!@nHgPA+gCs=sg27eSn&}YQc6w=8EuLhT-fWu0aO}z_1^WIqlPpVR*

gUgTEbexS){OSE>DH}3$*k+12{(2%fA{HSzu^H;9}&CH;k^{b51Ub9 zkt2#C4AOiV18a7IE6*1>P6`9dd@#w#=MNDQgOb1e#g@EV{1LP zCykkA*6zrHogM`M1*GU`s5@2vOcgg3jPO>C0s3yR)8FLMZ;c_y=ttL8X#8|*k9K^+ zQEC{#J=@UtXp0FN3ooeTm21f2#R!tx4yzq0$Ru_0` zTvDpcyoG1W(u`_Er}&|cPd8wV7-{MX6_=meR}TN~zq=CHK&NualbJ6NMdyzJz5n16 zjTRxKm}Xm)0(u$Uk%ZTgqtaQL^>yx3Ddh~ac|9{d)s$iwINw#sjdTLoqLu5rPeS&n z?D{m)&_pRE;b*KVQVjmRd#K4|-u zqJPNtNwSZ(@0oP6e7h&Uc&GbMD_(P1022t5$Qg_@9X?bc8UG9S#C~+o51@QU9d>|8 zb0Zb~_S|=V-kl6!V9Gur>7&jTF9{bR(Nrj{0P0a$SruR=Oz4%GvrGHV>45(+Uw_u~ zpC-1j!p{(B6N3?e#)PjI#Z~hx1c$h`A70#sz31e?i$;fC#~T{i1uf=`aP2D<&woy+ z<{lo|QKdz~g}>f(IV|3s!)jE>t%XTKU|?EL_ie74g}pX8J3W95eEb?PdekQSeYsr~+(3sxZ8{Z+oGx?Fp+?#F zU84j&l9p4}OU$KlnQH9nx`>`JW@TkQ3~&i_jYAGpkpCOu{%?f)QX33dO$&YS8BV<6jud#(1z424MgF67!}I>Ltq%+^^*s3b|H4Ioqu2gKRtQYY-r~e7nQ2h@92~}P8U{hUaV%(z5=a=3c>b74s8S| zYvvw|{V{8GK}K)pl+rw(-nnH4@zIkQx0%fs)f>HS%s<+8SHDTesR~ni6rmUorN-a@ zO0n68%f zJyklm(kS*c;MqUKYhZ9Hh)e`JfW=zZ>TMK37scrYSmAp}z;zNAd#fUQ?7X+UNLHES zG^6;mOKw4fzO%g4yq1oz;GX)ZYw^w6jZC33PZulU{Hssm@?VK`yQCkCB7;HZ5&9c; zpxV`Z%N43_+shiwt%uWGRt^k{aMa-NV^VEL1H_;|IpE#bg6-Wuk68mlU7Ekh2Xx$1 zSk2{roXE$5x3EJVy5E2M)BT3*&&KGRUp;dbh03v|+&6aAA8a<`VgU+?B=Z{k9{fd|a zF?IZe!Vywbv336djM!0JQ&Y3IMOGa-J6+;7Visy!*&f_K>;9hlb(-{Xfn7qnU~EEl zL{ITk#D*Qe!*HN8-y0|M!;o1hv={v0 zW{av_6EG1X0T`IWYhOy!pUD;L$cvyB%jN^I6olcrf?G;)H`^$ja$JEs(m2>S6{5^y5VIs8wh5i)_XZgELn;ck!xLjK)pM zl0v{d0TTDGb8on7lRw$scD^_>U@`x~{pcoN=+!w?Jm2Oz*{K&!gqVi%+`fXR6@6*H z{iBcFcNW00JD#t7&dtSmLLf;IsLJ(|tEXw%ZSs?n%0(HQclmo}L*DOGN5=9kst=5} z1oX(g;C59)_jVdocb>#>KX?G@%9~Fx>=(}{%ClKMRU|z;53$iVzrXMM&jSSdmlcC1 z$Y32OG^3q(JnoFjj$l3lZOiz(X12RAa;J4H>&99X16&mO3VxoHa)_$pUffRU8jLa+ zDs-Iw+`G1vzdnhQUQ|NI&5jwX+|)J=VDWmZ6erYo_*}?ZHBuw_8m=y`Z=?*5-%)ey z5n>-q)_*=m+U}I0#y*x~HlkH4j8+O!a$)9a6U(6H&l~bgUp9vJz>9s~sbGgVU}h$S zwHdd7_J5j8i2GPSaIx_kV|b`q$H>og+RNYP*(OvZSVMH*~!thQRHmbS{A z@S$BK;h}P}kTYA^J713?J|FK(@iJH5AIz)W0y{}hFaeI;$?A?WO}}j>9V>UjmB(`V 
zyYyA1>vxS=W^@M>kzIfDRUWv$73$>63Qzf`Sw9k>z%v&bkdDDl(5UB;>zMV`tphm^UEu2^w}SCazPq*TN)?d>Yo05qmdm}q%3zh$7+d3yG0}}D4$M|crQ3hZhD<~W zEkE_PPwH7{X*ytQPaUdQ$u9aRY*E&M@L#6DIRXG(xW z(n99P*b|1Cl9U6aBHA)u4~p}VP%+w??k0N`(+^ZAyEn%c+e+ijC27+KKd$a;Njc4y?@{n1Lcb}cA0C56e?hN3eE0`|u+r!qvK>S}Uc z!Rwbk0t1m`F6E(qVrQxM3@!d`h~Bs;yAMP|q6XIVP6OM#N{j|5d}GMuqJf#cIO#mr zH7?ufSWa#(k1#JLjW){a+`u=9=LCq4K>t4Rx(7e4@!iWQg41xjg zzmi-Vm%%GMCp&NQ2^eWCe{^6R7c%L4Jf+)Qo^Q=0eyd*?t0a8T;yPxFkuaZR@YWYG zYC&?w8!|2$Qi)HlnUjHL%jeFlgK|y-nw~6rw^?ZN!m1KNEF#-m_f{(0W^UPDw~z2n zsBBMcF`=e(3oXSBE(YnsszYLUvB-x*mz%N*>Rl9R%bxc0d(eUSU1e9i?OfUxZ5QfM zi1gVu-Q33y$11OM?x7;?a=|Df3EooY`O@ltjLuLL9G6Mx{!~aE6v819^OX|$vfF=8 zHX4i*Sp`N7mQm+`aF*tzHxH$mG!e#_dp~y=fOI&K`gmvWU7X|L^!kKVJyQhOEg1?d zyECm^sZg{l`(V_cw6`O@mP|sI&kp8-wW4P^s&+XcO|2?L%@G{f`_fg77rDKLU9m2q zdJcWX_^{mw1H3Avd7VdDsa*=fD`^E?Pm2PUcu86m0)veaNv>~zHFGwV+ZCWCBAuQM zTyj0KdUMxgDH4-lqn7@#owD<3CPqNa2~92!$|ujePq#C-`AIZ3tS4P5pH@XgYF*o+ za^)6EiulUAw0dWFgk34tLPO7~nzT+nmJ}B~%hs=<@8q|fM=IGCUlnPf8n91I>AS9Nn7IMLKzKkgfnEa<6c*;n5*d%c1mVGBnb)mbK5U4z!`)GOC%Sy<0Mw+ zYz!)=93V>|aA`hv)eM`sK`dG5B45h)#$rmK7#^F69GuPiyV;>s4^(=IE&-=k+V6_r zZQ9;c(in&^5N-B+Rwd$+*>mkth&I`7d4%{uz$+P5`ozQ zl)FhN>mPiBw2 zW2uG>UIQ1Ac1BR6F8%Y{ZU(#BcH`gpxgF#ZL08aMBbADTa*uIHYUF5}omqigdOA9a z3{iwDB7D&|NNsdAHc6x?9&GqkMT(>ZLK9Ddt#sLx0_%K!)0EV&6!e$`{)^4MPbtQw(K$Wu``=GKCDv_9nOr;RL-6 zTXTtOI>gN@alGa^wgC-A+A0oH=J5f&yz15>($GXUGJ6EXUPlhUbP-j4DvsbdYrvfCsnoRtmfxM zfNwEC{ZCBy6rw%KRP@E9H4~Fn(uB^E=b+?BqxCP7WU08XpP;N$GuP>dv#guGp`N;{ zkKGAupj46&Xh6cj=8%=5gantFI9o(7SM`B!0Kgx+O-H<;PL2353nQrlYd*d6HEJeO z_sYckiMjS(J^Eg~cKFm;b^ek9x^`^4UF{-^INnr(YAk}{IiL3zwYNtLc1B;k_{7N>cx+8H=?zY@bmH#u(!gUh=kJ@QeB!(UI7hEJ ztNmtsZ89MOn>(z(f8vRIPHOGGll_L-aK!NN)RbcPr@Lhm#0mMqnw{jVfeUBIcBL}Z zi{Er5Q&Ld8Wz_s~&_)ZFmw%qu<)5(M4tMlG^q*s7{Ot?>-HXst1*$uKg&sZZ0|Es( zqVb=OmoP^2d&f|CZ*rfe;52T@^PD7HQa!_9i+<2E(-Pq}>T_%UM!v&(fnnEgF~SFQ zDK3ibN@4OgJmWSG>Ub%y%hBJ8O)ZhnVrqb;^eUJUyj`4zddlI-ck=g z1}F(Pnzzj{cBtZyM0Q;}_hAPB5l&`3z^2o6v1LQ9>rg2yhqrdg(suA0(f6 
zC=$|obEP$8pCTzPNqkT1B|<#HuKrADC-W%`uy>usKH`A^tWDyePsP^X&0taHvy!(U zqARe{bfhaIu=pm~#iKz!_v@}0(&U}eJkIsUk87yQb&qd6D8J361gD}7gLZaIJ&#Tu zc(61Xjae#ndvO*I|Xd2~Bpnsm6>KNx{W81d7*CqL^TtrBK>nwpyb z-pu-Bhg76oaz6cw=@A@^aKD?sJIyPGvk(}t5fj&iyD!xqkKbdZSXVj{=C#^sr?~;9 z3>kQ#TC8BUj=K>o^Whfd{QT;w{rgY+-o0<8kIDs5HMQ!jLQjzu`bZEOZPO*>9i^Nh z_F4sAY3I3~JlaO2$3-kLgtEC<5gcT^ZiTk5UsF97-SZp|xu^MwNh&F0O6ZEy%f*f=9MSq1hRk;MEb# zg13}-DeptY*H384g~Zn^t70}Td}!%}V`gvBU6~B^!+4_eRsfrIY}Xw#cF!D~ivuOF4K3?G@tHGj&ZBJb~0TlA}$`QVy1Lt-~F_Ted_g3VVTk+=r<2v>6NtbON0;;FS$uE)<6j_`@u zZwb9@f2$z!c6L7?C+rR!9uD@_XA|FU{CWc|btPLzC<@N*b=6IJw@kp^ImTw7N=dBP z+EQLB{DTvMCmi7?`!xu?PX~E&QMhr$Ak0Ql((~bVP7H_K?d#oZQ!e3eItt_8-^A|7 z%gaCNmvr4ZzV0=fO)|ZGaL}^g0%~{M3ej=KVR4+W8dRsSc2F~wY zO0!gb9^KXL(ZeQbn;MDqeN;+aLDf2#^fubhp#V&-z$eL~dru}rbq?Bs%dMh%A$Ur0 zeA0CLi;_Pdekmw-Dugd7`s$YSOr23;wSh*S4N*cYZvR#qddGs?Bk-y;l!^ z+if}pygE2OC&(T0p_0&54{e9ESP!pQ6S^KHBD1qIHbPZ8#&k(lFA=hB<5m4WR+S_t z_HRVxX@@n#b3W zNy0+>{S#CS>5|8STUXufc?S==YuW;xOvVj8m`Z0W>uonSUrd@B#BzA;*6A<$k!&i& zann_9W^8P=qz7TQ+KuvE=(3KYjSZ8s3lEtpkM5T|uKi_9BA^sv6m`8`^nTL6Z`GG& z_XQ`gKF>cU*m$W~2#MEV#R>pc$v$#Ee05~U&>0-X;OTZv3umdV0jR8+5crgkAVv=> z_gOuMO{c_;A3e%Ue(II)X4+}W(_ynL-j7(ytn+%ab#(m3AARiKAW=&*+UkmJSI=C} z2)_^@U1YP^m&t0@dJp8`A4eP!87%d#?ag}3Jgxq4duim%grKIjko}e3i%RkjBO&&+ z4`PL_joeoH|Lwi&!taAetZzS3 zzZF2sEU)s;r-Jz^cw0d7RW?X93LP$SG%UOT7L#hLcjcNBOA|7&enKPvsC@4gN3ks* zCW2Sl`3wwYR+pt{iCNgx`WdpPt`e2HOHHC@pPzCTK9DtG%7H+^6v4V(;%Za6+_7I@|@z1#<9$*AqtdrwHtO}rTE=$YGsPImp{d{Bx%cF z^+8*A$j*v)#bUMoERSA=b3K%}owmKuXFWdE96`K$5^EISfuLkrIXK&J@(t*r&XsLy z-!XQpzb64dE}8w_Q_r)a!KQSlb7^I1XILZS!RvAKfC|a)$vdMW|qG@nokR0JeS*N#dG6b|lKn(XfE-OS`6q||A&QVKm ze|yB@w(Cl7{ZsImCZ2aAfj>o{r@2BE5qW7mMs%P zu;7H??(Xicjk~)$fyN2exVuBJ;O?40fW|GjHxk^nk>P$bZ{B@x-o5j)`$wOBcJE!a zYE{*$dJa09_&pSxQ2SH;%Imq07PCyjAAasgHtf*p8H&Gheen*0qdy$q_+7`mWwrh(L&lj3iSSgPa`fHy;d+d_VP3)~`LNef>&d(*<1d0RZuv4<-V+ z@RiPND|?rnMD9FVdbRs!i6ST8ISqYkvl6eeY+91{w$FL&KVlR~{d1lI9{=Is^fJHp z-{IMRT;@PKSlPiuKT7bA0YXG1Dyp?iZOj-q$_9-%_Je~}-&sVNK+N2j^o59J-2LVD 
zY2LqEX+yE+=taE^WXw)gU6bF7^V4-o1nLW1%}0GvBm!Gwc!+?6$Yl*(rB(G8=Cbis zZd$;Rj@sCB<5PHLxJ$P9Kus_jU~-nm)rY@H7>vHlG_QCGi}Nd>esf7Fco%lv`$JZ+ z4Xl{_vDh~?i43WpZzikFO7c9=E@ld1y*MZ2m?#; z;#cDDPGh{E|DJKBxQ1UmuK4~d^z&4LPKvliO@6KC=#P6RRJ(RJ_wp63z5Av8_m(Gc zsO&UQN}$zx!TJI-w`a9m=N<{dKxFKO-#b{oBXcV>q88h6@N7Igc$G5(i5u(zJa>!x#rVyZwU$i-GyMYNV#X7#IZh;dp%vmaRk7sh6P^t+CB z?ryCWg3!yFnMnA$qN)vk`M{b&^m&z1d=h`}MrHEJ2^2EkSK zQ(i7qpqEkS+S-B*4La z>hMOKG|r~w7-nq`QwLf}*5VEN);cwH4-!qB?0W)@J1vi!|KDifKaSh~i4_VEc=7Xk zWF_Qt;?32SlpSMJTUdB*th=5jnG9QVjAlLehx|{{E=Dr_xhCm0Z?0V@V;+4-{omcF z^Tmokd)KlbmZ24h{_TFW$L$6VrJlguoN;VT7?k(^%W%X5;~tC5MD|7+~#Q?~o4n?~Jg3+Qgd=L|1QAcy6(%A#SniyeP` z_<>xI3&xn6VpdH%ur*sa;_Y1ki;k7O9S7Yjx5D36lxNjfPSPRx`yTHTucCGl%$@(s zS@MG&QHX1Kd09uR8(tMpFn%klt2pa(uK!9C-K+-pR=^i z1bYyKOvcXssdvz`41${8zoy_dqt0=HTD(9h(9NEr&C{%Du=q$IaX_6EeiV+=_88==5c()S!3cVn3hS^KV-BQAxKR zu0Zn%~-4UiPkot=DTWf+~ zkA<7N2m>+87Wf-yyVNEF+js#|8bxSqvwI~Nd3g- zbBg=2+~a*EzaAX6dkwzYyv7NT=SXxp1;c*n%2vO+bUrL=!9hVeLn(8^XXbhR$*+(8R;q_KYxQHKeJaCRo2bY$_n3a^3JAAS(G{OeMGx$&Q;iB=e@bQ zq+oB+(j(BjG-q;)UemY>ulwO_G#;Zp7@9JD-d?|p&jYzj1r5G^chDI-GBxiN`{otZ zKl*+2?DVeX;xGbs-(j=#+q4m8j<{)y#P-|!_WM4&ukY7XWUEiC>;5Nc@!!nUc{r(P zLo)RO)k2_b&5Lj(eb2r>d0NQyI}PE3F0vORm_T<_ux7>NE)ip7wU%-L5-)CCA!8r_5r3SFW68f@HC_D?E!*$u2K?jod66|?s|aS}JPNJ>M@agC0I`aAkNYv~k<8YXhD zvT2555^7bPY<(U7<$3$xEYE!>#k=RexACLx?VOh5bJQ?hd%gN`r<{kUH?yqtMQ+sS z0kpNIZ$W0Wf0(LBZM7?_A}WMRP*cHSg=*he z5P%3i$RoTgd*o`_-tFcJGcQIX7OF?#(pkRR?vQ#1+827BTO$Yu75O^3wYS?F6ja{K zEdT!=8U0PHulrN+hsf+V>R&07s~KBxU0r&2^|VV1m|B$06XzaQ_7sK>U$1BI0UySVdAl~4HsN@vab z>qliY}@MFCA~FFmJg4Y$kx z(((Oo!tgv^Vw1B;-~laJMk(+5=E*2-oT11sf4LnzYiP-dntIdG`K&3u*46S4aC7M^ zem@c+vs0x%E*TfmSj;K>W^3M_`bug1cAjR&?f(LiUhzRMU)6QZ^MeP<)yt@y*9Gg8 z<+yzT2O@oS>}({usfTF8L4cWmyR6OpsCV9US&VTpPr9hg<6e7Ds(~Gc%`2Y948~R#=KUaWqpiQ|x90n-0rEr@VcGId`zBz)ypW|z#i|)|nw9Zb zPGEVR#r>)YGF=4)aN0pTJfU)WdRd4re^qkEUcJeh+?9vvD*pPIbE~}$k?gQD2@#?F zI)0hXd=L?C1&sXry^5E5Cu!aD^iV7s6zoRJJh4N?6)oXz8B?5^Z9RIDC8m)^nVysz zheYS^KO~_G%#ohj-5Z@`==XIN;jWFIuZ&=ll%Lf+W5?8-# 
z>4Zmq9tb(M3O@TM=BCWn9oBBmmB!$Y%osX)+$|rT#Y(KjcCq}LB}jzkC6-f{c0k?K zdsiL&-#yxUwVt4sHH`7T-@Z`&>Q3-zNl*dF3zfEZQAwPw#@9~nP7F%Q%q)juS&Tko z;FRS6OkX349kc$uEqN7%MJ|U^sxS$H!Nk_o+oN$xZc6cL{7A{y#8^a_bLrHyw&0|u zy0&KOof}d#isYO$iD|)m=bz^8$?ub&eFD(lb!+oQR0e2-b#sH2YGa^cva&vis)L2> zcC!FTVYX2vAh1>SEg^Z3w%hz-9S)JMI=~y+Jx?@G3V3SU8HXqd>yH`z7kKwSScjK+ z1QoFeAFlROVHVMX76dP% zXd3ciFS5M1i{IeOh=K6{rK1KjYy|Mdudi1$z&u+%CMzK_Giq!s8O}E?oa^81^-DRz zj(BVvB9>7nA6F}hDMyOJmjL?g@q%A#43oYd>fUhLJVu@4VIB6ua}#m>3SJfA0^5x+ zt8?HiE3Qh`^6KzJp4494&mwSnvHp!>U zDG|w$-1)ikqS$oW)RIUz^a$H1c%vnrxkOVP1_&^e8RfyHg! zh|o(C*RLRXZPvH`>$i9^N8g0`%lK<-H2a`C+g_cAMfj_>$TD(Kahbpyq~vK{+tLJa zzd2E-{fWEU5t~OJ7NcM4A6KU>K6MfaEo9+&+^*Yq*+G+v@*g?6cu-Lw&0H}ZS9u^o zixyWyt4_n1PlKOo)VJe{6@LFkX#cM7TdrF2Jv1DfCkuo}DrOGBw0JIcZ1CFUU+STe z7XN^h+d3y3@g=mB{B>=ImgEq&Ns5DA`RVjH*_}y)wRc(;FgpCTiJ~w!D=pyZdqOZ{ z#1kp`CmebcP6Lj(e9^+EQ-^$PF<~2zQsU7BzmK25j?Wzm&mCy;7LvG4j#s0J6y*(; zP$k_ahuA8eUcl3*Z#keRx`c^+_OUXOVcS}=m$~`p>d9Z{G3k1}8e}xwt9C&a?JTIP zhG=m`V-NX7X1?shyicESL^Jo&&1r{%KVD{917!5q?<9UX7fmS>KPON zg3^Y-tzc^Bi7TVvU$ct;Y+iysNq^gL4M=@h^Sr}i;e>&`TRJ=6JsmxH&77!}%WvT9 zdDMuTe0^QW4ou7K9P7F}CA7oqT=O$*WO>j(3g+qg1ehf_6+i9PF_6uOrgE>Jop&?u zny5=fVp4L#?vKvhd#H1{Olo|wC!U*NLLGOnc|o7r9|i2y?gjK%_ux+Ub6zGes)X=w zD?EU1A_v#FZ4#nwvzcC2m&6M5Dh+b|EHxecJeWORCT^;{*LW*Tn7u0QN?OXl{=U>O zh``zMNWXZkbO;=8?5OybonP4ag}VsS3|%LRdEq=%7P-;pq1a5?60%G|{&VmCNygjR z;A@d-#_Chdw|`_20E*9ldNvWb-Z@x_-aTD6*V0J2k5aDvnY8chFVBCAdDjBIc2ZKa z(0j{2BI3=pmKk_R@z7xz>cK>PX3NU)zK2Oz92riSD;ly`IPJdt)3n4MaLITvD!#7$ zp&tiiF$*%hAV)k(ID7Zx{z3Pb7xF81vHaRFAqys9V5(^cW!t=S3M6bWB7 zN%j_bjb>@kyIGt&ZK)h8#dEph-(`fU_a~#0QCi6r*!^P-FIBfst&+Z4xZLcN0+m{f z3_KfN)hSHsNZu^44OkYry}gps()ez!uR$T~(CjnIu{Jq3PA=?8RPrgDd)c4|fuL?i zEf%97f$eJjp&2D9*G*meEnU(p`@FDNBDo2s$}ePjGqn9P4W5Y2LFOfXcVPGgNn zKb_`6?md!dzQ<`qBCvLzzx~xzF{d6$XU5}M&ND8( zYo(0*VF0gJD~0^C+k1EQ*h^Agz8dt$;zX&m^Gj=UiBEaLRZ?{g!g0wz;l%WJ?>&dF z%-K0UU?t1M5v9L-4Ys;WN#0s_LV+eNFKm(C@mgH|oCrTjS2D{kdHUGK54Xa!mH$jV 
z;v$~5kn>c$#Vuwa)(KZuNyc`j7j^GsLr>%Ky}uEH^PE}xT@fG_#u>ZX1HB1L@qkew84DaQ z_a06bR{VUkf$ey9#cbY2)CNHvlE7%P^{Q+Q!h+!Ue7N-AT^tIfNjO^fOGHw|Wka9m z{cQB?IE;G^d-uc~Q}33utluguph%Of4%QJ2txoQj1!ONzw-0#_W`gf$O?-VWi?8z3 zGY8_4s8keH`@fqDC_aXqU6*juObs?p)W>e>blYHvIJ|;R?h<5-AqoLl86uClf?>`- zsU|ks^Mr^tglINUrN;Cd&%dj7;XLX+tLwfG>l}2kftcS?}xJ&&zEH36BT&I=3sqt-4f)rqjkD1&r9tm6Via z{}>M`Fs0SvR5_flAuA!Lpk(bcHu8aDMIz8|H$sNft@~dj@qGNP%Z*N$B{KMl1Otk% zK7l(gjQuIZq>!=)!%1*@3{I6u38=Wulpray@hm3qzoy*{mJAC?_$vHH+O?PfipZ51 zSt6T4Z(^J+X*gA%pONq!rF)v}7Pl<>#UX&?3%9-BiIWuJNpZ3(gUux;&mopqX^!lV zjZ112>;nmX4pplUf9?Zgt5KYFB2^ylh+1W*MMX0256T++cJ1hn_gPxe+W+`*Diyji zBgU@0EZn>&(^1Lub&L_6#==&-@}brolw%s1DiHO)NTvCv{@(Ai60bAuK zPV23rVLT!054?hzT0=}Wr#jNkXvjVb=_G34JBzw}Kj<4*{P0X)uG!rb696Hi)8@t} z=~UEhbSe^jS(Lc!>wis*JCPol!*k!cStyeo?h)w$ z9`iD)YD%!G8tY&tsZn{psv<_wl7pdfvL*PY)cOQkL&$v#rEpSrGKw%Uw^*noK2Qm_el=()Ot9o1n&BA8UHEH92BJN`4dkRyyt2uX zAa`m0wDnyzTS#PE!rBb+@#jzKqrB5lc{WZj$T}OJ<$$TQUEc8@-gXn zLmh)0YXBZ=kFt3kXQIPuL;1?G!#jb)qLD#pP@!M=F0sfK6S&jHSw(F5SgD|Omdc(O zRN8Bu$91&DLRqUQKvY?e>-;`pdqACS>RgeBhleE~*Oq!)W!{=i~s0VT08J)Lc)8nxi?X07XvG-hQl_!B0C!v$HB zs-vy=+p(-*5}74M2o)9A_>Po%89>)euIPf+G#Q};eXoe|@+VvB8%wnR!lhH!)pe8a z)RCod!Z_SGYpyqz9cQZ%9p@D1TKDH%iOAzpcE(d%G3mbOB@F?QwK#W0gdy00K|r3g zmRfUHGilY~*pZdTssatpd0-KOXMN5)saJ9rASeAv4C&FJS2dO8-vqOl!{i zySpXPi18pFZNQIIR;fjXFuO*#K`}})J^jbF6ySj`SzqNRMe93n%m-v3vIRx{Pm6aC z+dQD%?Kwk}2z$VtfyX-q~J<2&=>`Z<)=)| zBCjEr2=3Vn&A6{+(=B~XNzJDJp#`vN@QVaKtO~Zl#f?hFxitd1?mtdSKcq7e7l~2h~9EOJL_|zf?)u)G;mxsH}HDv>eFL=~;T&)u>}$-{;;XsdehfNqlC}?a;8A ze9*$@s$$W;J&xQzp(WsUOj}sL7q^>_kz99oLg^c1d6CVUt2R<~>bUR;5s*_#E8BkU zkH6aW5LA$^Pb0;+l4s;sx{$L~V`d-rL-_IB$G(V>%{U|)p@qaiZ);0qF$waYDfBRJ ze<&refRr*_f_I#Ez8DDXKqlQ-g>{n>Z-eeN!1}zsoK?7{oB{&Pfl4)9-@{X$e6nKv zflZVTTx^ZAPk;Yn0@HwIBW$+oJ#nj3uXYz?EHTgW@;FSiQYtbv zXDc$|65DGGi+SzhCi)g0V z!_f9hRDmucaw`PhY$q9Ub`1V?>lHO6LJb2{r_UOg=*JUS5*p4wAnkc;Rs&OqQo8jKv63Hl+(gF*a7x&Fq8dt=p(!Rx_r5M 
zyGC4>QZ~QLEl~tVacb+?Sdaru3OaGynH5K$pY4DS9r2FyW8J_hCtUfeaKsL?t02;!1b11!HX;muA$;OsxfTGi$-G05+LmNuC+fm5PZMKrd3{`%3TOaM660M> zGnVV}t)ic2P9albfUV7Sl7t2_^jro~m#t6Ra7j=`!Nt)RxI=t|WS7D$nG~?Ral*oE zMFgq5aA-YRR`2)av60@_ZnHbyPJ%*dq{k#gG2)utl86*TAVR{rjBs1*=JhW1!RxxT=(!Sd>Tt0gC|nD!>vj~RuP=!R>-j7^o1o(rG6+Y@+` z9Kr@~Irg`rg+-Prx}d1;#r&xE}ckmJ4s~fy&cch1-FI_r>f% zt#ZmRofnm2{q)jg&D30yy%pgwa-L@}?9lX(hz6OEPIlXWr&Al<`)+X3N1{Q9$irj* z=V$NZp7)r(v|8)WE+7pK28_V$c^1eGe#-~@^wR_xl3ppe>$B*`4BJDrW}m>P1M7!{ z?poPD6{e-9%&)up4?fF^v;zaCtAe73Tqg)9FJG^!9JF}{_cq+S@iqj@V&F%s z#a6{QW{_NYHGC2!I%Micor!J~zo6xz7cH|Ro8#L+O6(GuyY-nmsZUG(tg3MZgbd%u z(2C;r;A=k0#*q`H2^A{WhA{K*t6K#ZN{0Q6rP_$u>kZ>^D zrv7_xvdD2T`@D#qDamj7)r7uZKh$X~(Y&H6Fm#$DxMOs*261yQ8rLF!3uJ!tQKcf} z&6Ca^^n@>9gFZ1A69UqOz(b0-fhj{#VFWvCclpV2Co98H52BLocubeX02EgIv4mS{_4JM4mJjUK)@|nUS+7*}_L%hzaQFkT91Iy>_lYJj*Jvtm8HJ6lbn z?PflUcqUiahU}qRD-|8T{mP%*Sk1^OmDvcw-wM0FN?`BLNySe#XUom{rGR|84L@k^ zSeB4XfH;L5yWdh$_e__QW_ziGxgRG|k?I!k=9Lx#RGQm2J>t|jbV>+ z6x`>;I3@zJxWoH%vtA_|QFh}p(|kd17@{9v(XE9_%%dM0-j8OfPi@Xr8FuK}X~m=w z)Ywog0Bx=C!8iKmDBxBrun(O!y<*MDs>U*R6`2ALv1kPERRewlPvzG|bfA-p<}%k0 zko2M?v@$RP(Yk=*SM=y^ti61QPqWzO$LK(lx|A9%`KYajdFORHpvZNKpP>ez_~atbPtgN}f&-hhv&p4D=hKIZ&Gx&8H3Y%>sv&Q_6P8Z2+ih zsrT#~9x};0K0IQKI8CO7(H0>&P$+N2i^QELN-+xcIM88*40?N#-11fu*iB!udr6#2 zNng=KCj3hwErFrtn4E@9%vY-Rv=q|oHO*eGS@wl`O<%5)8>NI=i-yUlZSESU^X4yO z;qNDu!lGxr<%!-8ALTNcrjWYpjnT?AD@z%lED_Um@>5QQI%L6aVlze7+S>eFCHnhm zZXRc-YMm2!OT>%h^b~s$V0~L{Bj1}-YF}4gTKF<22?t&s$2eirgP9Uaet!8Zo(eKo z7m6+HKwgyO7n))X$sZ1@x$o}G)u<~%DNBm8d$xKOKTFhU(BlOCbQZ>{L5C}Nc?lB> ze#m^OA-gyyBmfRbfXRmMRYTGwvBDJzg8U<=%%t;{15;=++iZWorwit_o3ElyiVOH! 
zO|RBs(4_H012ty#OSwUN4lF#pDdyultyoLhgJI06&ys;Gj>(}QxS$MXJ7TUX$vSZ7 zY?=FQ(MBhomd`hpBKCo3mM*en;e7IGQudmjj_|iOCH>pr7r^zef;^ly43VTk#!o;z4Dy#U3B+$vBw}K}B~eM>CuGD1K682zN5~M81}BL%5Ge}M zTNeEilg~+73rEc^*`U6tBDwX&du2xdGAAFytSRpK;mShsDS2mG3k_N*hz{$>8g9{V z@g6R;6L^w%(urDtT%oWwdT3&)2^!cmL>#POo(~^~CZjBQmO4fM6nuA6;Fp<18i?V% ziczjw9jsBMA!eoYDotNVs4G2N8bIOed6ww7;wk6lg-92)zZ%FY=6Skm$-3M{GfhjB z!lI9-=3Z4Vmj66DMsXJ!Ski- zR`WHR`v)_dK9&l}bJz}pE22b?PT6eX!3h88K4qHz9gW=XGL_}V`m@`+N`&VSq|7eK zf*3hssNVb7nY+CD88AeJVLArahgxNcIRGVLqnL z9Nh)a-^7UsbCbx!^)b5Zs6j@w)=xhw{eZGB_3LR-v~h~NY#!5H<{6CBZq@-TAXEP@ zOH@?-{h~TJNoc~vEJYjm6av8GB>Ttf;9nZhJ1SSwIZ-@8Q3O{)^DOLT;9Ou-XX;Ho&OZ>axvG4AptETKnDRB`BFYe%JYa-v zm}i`cD(VajQjNSBT=L0YPNeDFw9ru4he>soVS+Qici&rR2iLd~(}mm+ZrBMOX^xD8 zo<0^UrP?fgj%GR#jWb$rO55US87Ps@pTD8RlQ(w-%UB96AB?iXovk&Xer_=<=nFeJ zi%Aop35mF}a$yQ9#(CoTT|69>>RU`V@*Pn5g|rrDn4^d$I6gwUXImvOny)e-K6ls& zUg0xZB4$Q$u^5Kz1}aK1=iv#z3j^ammx7kU8olLtEVKEgwGl3b|3Se0sdY9X&r%H~ z{@U*{HM`1!x4La)VBu*>QI`PI>Lar9ojaa0q4az@h{hK~aWNOX%04dZC!K?B)Nh+Z zU&-Cy8QWpMY**Q-pSEyV9!T;wldrdj`Zw`q&h2AO}&VJgL;)rrsW>}$I*zJb=l*9kLoh{dr?{s@P1 z4>J=#X9~?wS5p63NIcE(tg;|En($@ls?Sv{>5KgEd71j|-|3>#3v2jzgbNARp@i)7 zLOMtMK{B4&^p!JT18ySOgh}dH&==Y!d^UXm%;{7iFW${w=jHrgZHuwR_!5F9nh%92 zvL24i3}#6(Sd_qn8gfBH%IIS_O#oO)S*t zD=F{Q+Y~Y%@BI+OC6YN4LZd(33h;<;on~_CR^T>e<0Pe%m5fV^Au9plh?^BuR_|T- ztPkNCAqpzMC)Vt+raXVS9>Y2{^66oLM$xbmyVQ|V!N9?H6r4wV0N8u*An#Gh=9s<< zdcBL^4>suEN|Fq`;Y+Vllk7G(HoZ}uR5C(O#MVA?K+^%juetv%d( zic49Y^#>#HdR!P6YU|0r%aD@VA09u9ZzGDow5C0r3)~=Q;-42ciXQc|0kPM9EUcd^ zcNZxCLyH96F2f_Al^Z4VOY$6&Pln>-vj>HoSdHU@=O%@dv;fXYKTq@v!=r;l9;MPl zuF1u4F?7|o3jjBl4Cck!3wtxAh6=N_#q+Z`$vtqc_+)@AuEEAq0tZy$m{gv1e3nTe z;el&`@+H~orSyD!ns^~#Hd)(~7_%zm7J3$tqD=EjsyUkSj$P*&){P$~^gRmVlA}IQ zmTmU60%5zVYnpX5o256#@6<>lucVkTk2>INaA_i}e<9PRa!;D=&@2^d`H&wbeS zfsaVwYhZbsXzXw;O@Iyc;afx0R(yycyn$^5?U#u+GGezxn`Xou4Fz^dcX956bc4mT z8Xj~I-fi~eLy2FQ8|hGen3xM&auX(x z&E{miDMv%iB)YqxlpBoV!dwp*-FfkqB`FW_OEQU#j+R-=pk6CD7Eh{IPrseQyiF!2 
z4a??owpo?ERY{JIV*M=<4@Ox3PA+fg*_w(-(9je90uxAUN&(TwTye3A$#&JRrOw4-zD?BVHl8u}4>ytnFe(LVezzwIv zPa9{3Hrbv*oUiBA>6U*Exu!rp*ejLY)Bt>*l-40XMzoE<^w7;UN)cA~`BwJ(`Rtw4 z#9D>gyfr}fE&6A}HvU>3>X^KMfKb0%Fz$ojj75>uY6%B*Dt$irTMjF=E!%Eb!Li#tg;i25op~{}GFRUsk4ODNOZOp1vLrRNUB|iC zWVSvygWni)VJyP_B>K(W#Yuz$>Eq|%*Py%J&#`0M&pW^PE&@}-Z^5r+P z-6nHa>TV28=PGF%0VcHsXDM6er@wSsn{DBViNDaG2|hMC3>HheCY)8`oF#0r2$A~x z+)4WCtGs+-`upbD>HMMBoKYG86|~xu`2j+uacjzYr_WpGc?Y=J8({S^CE50llbs@< zH0~~C0880;29pH*1|yd6t6ElJj%~pE(*+bS#fk+4p3r*NE?AK?`_elJ&NxcIsOdl+sFi_R5BD^<@?iau!{vE(V0{SzUeUsmVl- zrT%djceKPgFA6{1w@X>X%$PolYV1_fvfljUE-yKKvu9HB?6(>u)YcwEaNWv>apjQc7F zS#8CDPdg?}ej?62$hg-jd|q@|#b@oTDvWN+l)>IvejqZwX!2gkUSTWy%G7916h3N7 z%kjb@_MPR?66?DOOjz+Z5gb1yyZ#y0-gdk+nk&FB@5}pEDr#!D*ass%FPr4+&I8YT z(+3n(sVH$7E4q3ms-Bf2cI;u8`X6w~2PL(A3WsuCm9;m1NY zz*RoM*DSU#yOrJ(`th5kzvZK5rA88l@|xA~*ZI#$$yFa*FD`U~jl^oYE5a$y^i0zZ zRK|Pso=Y)R*;l`!w>oS%T7_hy=2Jm+8;SAaL3q8QnH)f3tKp<#YGE}NL8$T4)2u~# zc-&h2r!U}b@7V;c?+1d7c@d$w$dm80h4cQoZK6#UK}DU`R68n#j=*xb-UXd!G`%{d zzBWDqD2AYzc^g7WL-UCX{?1t`!H!qwBHTOL;uwmR7_v>ebILZ*hkA{&NF(?DC+*Ka zY$jhhN#!VAw$~qe(m%Y<4E_*{H0*#5AdCon+Lf6p(U-A_J{@=|^qq>Qw|SJM{1s)A zl=*7F4v>h=llPDx89-FusjfGccUgj)K~rdfm_fvti8zuQCKf9QFa30oOn%+x)*BD| zk|?DmxS{MkzI4YPzhuC2-0u|3gO4z5mOp>v#^O{2^sZ1^Kl0j6*;V{$qnBNGVWcoZ zCihAu<0Pl&k?y4@K^T!usI9a-Ouv`;=b+@*-cF>b(mg#Zr>X zZW*_{yw10nu}($-OQO_OlR7^dFBr;~6-AuV{961T4}0;y-IRDLTsf z;ja4|Rob&z612=)WORr`N%TQxRI{6ZH0=*Gw#DGWEr|VY#T&N^3RYKs(^wC zV&ALIoB@&|pkD7&E9WsAn=9XSkgn7muP^R28$2|)WYdMKS|83)9Ar2|sMcJ5Z_#nJ zA@?|%9ke<17uXj-S2PZeh)(J0URDrD7&>ANdR@ILq9XJ%4s-I|3+U11J?2+#uWN*Odxu&Dpg2{`0vY0BGv%N&E0rL zxp)}6IA$887mw6)p?Zxpl2lYUlXn(9l#1e)V*6EQyG)>5S7nJjC@0eT8ama4-0xNS ztz4ZFFFYjTWue+XhI;SqUrRzEJ^GQj)@)A@a&c5NG(1DafSf7YunjXTWd0d+oadJFY{s5qBNafvO^^xm5h?2q zBXSf=IgWF=U|gR&wN)Cxu`5~q+pzOC6KFP3)qeRf00uS1edFe==hP=5J)5%wz&;G^ zz6jO)rMK6rP2LahMct-Vbi!MN$FKDe6Fp7DDX3SBQAkA!*YdG$e9Ah5lUrEVHgvi) zYSyEYlaoudHJ(iS@plH7AT?2bR{;+u&0NPWwN~n>s*9V 
z%K^GM8RF9fF3Az`TQl877?_)=eZR4XJ^e0Xb0gt+ny!VW2hTVuJX(HPBn07q)1uNI>k|^l6;!@y0a_xx(zcK zDPvf-!vWhU_z)+o2?A9{*;=;jKc@`Z%bKKATXGQN!ReBE)0oO`c}Z3-e^0-dR>-e4 z6u@%DYO7V^MwKwIVKTGtasJW6a^*JHt0i1fAK0&HSnNLJ$=h$%eSILJk#ufY5%qMY z%p2vX7AGHmin1f^fHQOvu-2meVFQb_;+3kl=iz+|Y|Mu^_nl6uN>_B3Z*n}9g>F_} z3C{Q}A~}KtASR(jRFw83v7AIUeVB_=6yF_0+v%#vuJaKayo+W1j1*hucoBY4ZpICZ z7FZXvw)kIEi=pR@6pj#(|;<5OROl~WEuDt0E#Sw!)!i;%L%5z-U*GzHeIaA6`4G@dZ~u7-hi_5=hEa<{yRE}g z;WqqV1JL@abErZxT2b;reEgbj`>kXj?-F0EsKj{SgpH{hirv&D#E9PdiG2%)JjAJO89h{xsRvN@bEe$fSGU&`Ya4ibLpGE1kbVAOF=l2! zW(>%+wW6gjO3b)?fWc#XbbLU~t$F;bm^u(nhh^KK>KL9$wwG8|VEpF@=|@&C=vlaw z>@-#yl02!8vP0X9mPve9`$G$>aoxs?PvOQMrQhXsLH_xQUYo0 z_2Lgfcz5D%X%_^)z7XxOIrmbxZuN6xaRmF`o$zpszlkCwmyrZY5_|paZ6Ma8%qgK) zgN0UuQU+xvb>Sd_Ar-P#sSOE3zB>p%Sghh$O>zp8kmPz>T6sHCyZ!mV z4Oy*cz-39(5aonS1>jG&T~v62SW zAZvn6vb%#z6lrj{>?{xtu(ig1ekg#9aT+f7*g$IJ+=B@H-5+Y^S8ub$UK9kqjW8{( z(ym=6RmBbgY^)%72PpOu9UOzWS6bCYJ_I!)`Wjftb20w0#7p|2C?`byiYF{>YMn5S`gzZcX^h&w7Lzc{H${X3O5$WaH-vR3*J|D(IVH zvi~W?-+q#hO9M=m^DMfg46Lpyh)8fD;j5%_q}wegi_z8fNZBv!8-=MVyyYmD zD4E7A0go5y;)Nc%R2j)%iZ*95eK}X$De`p*3Zy90bb0s?kUm$n?;I-FE>0G9xkh8#v|!iBJ3X7 zD5KiyrRJ6nLf+8k{mpz@dv24?L^U104mwomW^j{~{?)HaX9dCaE8sebwbsa&pTcDh z4CQP1@nF%OXwJPGnH)cbb}A&4E5P_;p>hw3gW1k_;-o^Z9#=hJon;0VOFCz)v*%3H zZLPT*&{mO3-zOYl?Y?b6m_EWF*J}M%Q{zN0#K9LD z2UvHGrvw$qWw>``v2Uw>iR1pLOWn9>IXY30Qev;Sw>$`3h;+l?3u)5I3CbBw}ZFi|GC}fa#|0WaK)cWQ2 zF-STnvF)71bJ>e_>QM+DV10bP)t^z1%GPLRDA3#wzr$+x6Y&Sg*ot4tPnc^Ao`5FH z-E`8Lf)5~A(|aSV+v$=fZF-#jST7b#{lTR~u1}HNGBYiW!@9tBvHg2tCrdx;3h)i# z%5=pEHS*()E7?V}_n1%p*cGlE`-EtPUnwS>)GeZ*nCEdI>mhF3fB)A=u& z*wV2|aeH0R*Y2AKNW`xvwA-TdtknrHv)r59BG=MObJ~(OYMh3SlomYe*uO~8w0^L#^@@|wgUHyb2kvB-VH+nVoR-q&dnZ+H8fl`MGmAo-r1rEI^(71 z@9zJIFvZ%?MYG+(-G7&sox9B~e+W zj(CMWj8FLB(RQNt=l96U4L1v zr7MM3($53zH0(NVcVjvAs#ibFhOs_;pe*4#e(#-bCYPrWOCCklz@3&Ly;*zw@w~A? 
zlih7~q@|(yY4rPYK7jxq-3JSSO34Hsi{`_i>*gP-!8epv}jUF5)ICKrLOvrliF5&#B1a9oSh_H z*h=6#E7Q4Jn%CPuJw`t<(#w%yX(CXVMS#vk4jOT$AtD%mAX5m+Y0iZ!BgV^<_}C;PtrX{N0D?m`j5s zm&Up1muWI$IWNaWWI6iu#-St2G||OE;c9X&az6`wzf_N3`qgRV&Cq>J)Nw91sk9n% z?!DFy(V39y>r}NY%NCGsJeFE0XUqy;&59eTQxc^RkKA&wwyguMYrIUFo7mCKi*K(y zeGkz9iOPpHO5VcxU>`*bgahuU)m!FFS2!1bo{{(XNRBpT}^I^5;P)ckZ^@7bFZ)h^LA`6TnyN% zdVjZx%=W(5*i0eftHm@!4F8(9AoQ%^edsLoRASVd6|V79`Io2Xkk$LGd-)lcL!6~< zNO27KmL~m7&y`thwSD`j>i`dbT<ULPJfA-;$hK1iN%%%c$8}#Sf2WZKGU;QzAU2KA93Z>yvWp5K?8$?FwKq})^sjPNzXi*ntv_ra%p?i=Po4eF8jAuw;VUQ@U$-|02$Z$ z>4e8xvG}lRXDstXY^wJ-AnukOXxmJ2AVV@!afLJLGHX$PL0}{Kxs}IP+ZyUd_Jr+D z3b21xN>$%ce8rthSs@+{CDcy3j)P+s~45rdwuw6s4XeiLpAvKReXl~ZHFqJJmDVPRqp)L zJiuo`r(4RUeJwSfW7pTd{q#F)H2E4qK(ri>cW-FufWMND4(GI^s`lhtzua$i%}RQp z9op`(@oL>e&On;vAPs&W_FaWhxJo+gqeXy&qI0A1{cKTefs#ArgJA|Ec$zM&^UGSy zbY_3(pUBn;x<>9Ix3<$w=a7KOoP%lAy#dB3PetJKjHC>p$1*PJYE-8d<@D0Wq`A)5 z+@V`Z+JfDLkDrWQGH_doM+7!;$rlTgsR~Q9Y|jJWr$_#>{KZza@%=?C({56JQhUBN5jXN6Vx1Hhvn%ItcPDj^-L8)F*9c8~ zG?NmK&8VN3mo4 zIr2_zX2S;KG0_U7*6pJ4Ea}d-{)I_we~C4)f7QKSC-TCpN>8iZW9X9?W5F}}0cvMU z_m}E2IT|hn4V+caGEy1h5YVW@K%BBBE=gHc2e5IFY2CpU7JsdL5B}!% z8+Y?0n;7teK&f?!7TVH#@$XZ2EzKX6PV2u} zc=k99|6&_4$MIrONT9J@Y~*Dyy4QBR>Ylis=8~b34jDr!u)q&F*?{ymd=opG`UNfy zeCC&0Bi$=k-uRGqA%R^yO~zs1$Nm$qAB;2=(rd+Q+NUSmaxX?Y6}X2UPZyYb?nLV) z8<cOaA2 zV?H6tl50QJy+THx50nK7GLYWz#h{qvWlJoc(xs{SZBQ=U%>3kda~%MdkoM5OVEkJd zt0?8cSKn>g=6|!!z$QoGzE${<=Xb43TixxzX8qkJKYpe`702t)*<>;d-E&|60du|4 zR{h(7?7-AMrH>*P?Kwnm2|LEpGj5d|{49IXYW(*B7;Xhm8Q2Th2vf8E3p;|}&6{)4L(*=?&pgZF)hkMKDDycg$o$ot0`;Whdd-Y)? 
z)sL0r?iKY1%vd-W2TPnVaoBdfb%50Dc1mlSl-_#g2y@aMmjuBkoJV|FMe5x-&gM++ zGtM?s0&*5%e%AXUvjA@UV|MEiIj;O;id!l}Vs*yWQ^AVi$EE*EF=8;)>b#Tb4Sq6ZfW!G_1FbceqZ> zgq0stbtJgbn!?Dl^Pyz92&!OUt$BX+2FPpqlwb%4eYp0xY}VmR;lRvgHyD>D`*l`% zy`i6b-wBA1R}S#%($yi|FZy*=T~+8D4fSx?yV0q)z!HO8di6obaQ?kEb)!!|ZS<6^ z7_7fasaVqDJu@R|yzV=dzS~}IW*-OxWyt(0UA+{uLd^Ru6#YS6u_5;~GK|&+@JZ!F zx5)M@yX?0oomm0pQ8dxjr&WqN+S*NvQtNuTFU*#%W|WUASw_zJZ=?gO-Xvt+OK)wN zYmVY3f=>4zPh|P}{Z?Gza|1;)B80DzJ==a6f0vf#cG-RFi_?&Nus2*TwPkFy+aB>z z`AC(HbRj7et^U2pK5Q_#dad=FiJ|`;PpO9sZYHH7UddS^Hy_d}^DQ)+{(e0KBeAhsq&-S;h)K|tIVPAkI?@;j?$~;h{0|r!(HWFmD`+r@c|MO9 zG3G1#X9mbousG*KJSZ)3q`_y)f73`fe)M7xncqs1Dx|#C)HIResw`zIM-GMpoIN$O z%4wFNkc%oqJA)Ld#lp1t$|*z;lb*GNEf7acVCLY7CO+;BzaAF2B}A^+aZs4V9N=xw zI3+B{o>Z6@)sX+Ov;@z-<8S#+?i{106(@2mWJ*O-#3y*4V-)r6Dn;@ob_ zKE8!*u%X=eAoa_s#JKGu@t*Ka-l*2!PYZmnKySpXd&mATb>`G3ISQcYG*>=djD5W$ z^Jl>9X@f|n!CuctvB}h+hhxI0t{WrOAzKn_)#|%R{Wsq)ih7YMIMzz0wimoV>QH;h z2+8Nt%}p>r?*eMF;|-AfSv1g%x3AG`SD$iEdnwrS9bd6m0Y)4N;vt%FCEN+8+2PPT zrrpd-2{R9zA7ArpI#fulWDy>^F0ylPtD4wZ+T_{kHn06%W@K{x^G!Z^cL3nf4fggQB`q%eFCS(fVr=ww zYCb&lQ5rnIon|sF*7)n5E)b?*j*>P5#Tl$t)g>%q^0L0?eB$JN`NLnq_SgQh z)%!8OG-p!%Zuhh5lAenCp5NZt>CvS5UaQej5XE3Tr0s0-%yWda6b2`?S{p$Fwu~1G zC3hWG+Ss?2Nxio{kTjldRX!6#Sjzfu{I{O=*7ZH~Vx?E5g0_12;Rtvxw+aMX7pZvE zip@CbJ%}={J+2DpuXw)L;^Nm*Y0gPd>?0vgrVbmrIO}J-SVJ={lY!OhciKV%gDj3( zzK}Qf#C>v03l%^|A0&}s8LT_dTXO(5CNTA*mN?I~LQgF}EG=l72X=VRr_I2X-2y~V zgePZH!u_6F^v99hN8Bg!VR*CHX;EH_r`;*~+vDVj#gW5k zZm%TKIi`4@K)(TXHa{QGw5GUq&=TX&5@I;)!6^sx?(NW>0L6L;NBeKs!^xp1I>4!A zuj^pX*T>2;?#pdb!$ArrOUx$0V7zXak;JZbLS+l&E#L8%9uFxHd9LzreVN{=VI{@c z%&e>PgmYk~X!Gi|pO}@?rFK`ou=UQ%;HEdEW)$~ZAZfs`H>{D{F0#Bd$*Z^3E#6X_}M3JNrq#qH=>6Cy*nZXDO?@tWtj@i#(gmt?#)~G>}XardxnJz z9#9%$90xrRe^Jg*ZSOh!>Q{VpEQSbc8?P|AQxxMKVamq44Sg`sBorL#g-ekjB6o7J zXfW~Nke`+Jc-K^nw3Ckh>ddZWJL=m;_13QIbcOQAR;_+I=@{6dA!x45s<|3^mJ(J- z!SBI}3ERS8w&P1MTQzofPf72tH}XJY-m!ej?u)6mpq|{bPVlKWZUJ~w+VIX9g7bnY zwHaMye?aaFTV}1FQo`s(jKl_{hwZ8GvvthW1INRO&obq>z1o_UNr@Blq+cjelou42 z^J)N7e|oxe6P|dK#)#FA)4 
zGWb*%hXl4X%yB-vkLii=GfnF(zXaZ2PU$6oo#}n!dh}w9IRIw86`i2#YR$K$}%-s-2;iuZz~f5#%86n%z2C2tqS z_cEw1SF7{wuw7q!W-;xefr^|0$<>y~GWB12s4L-m-vsROV0HhFrbGB+-_^+Gz@5d= z#iq0fl&ZDQSW3@SN;4`yw)C;kz!*M(T?5d|>Rpc%POA+0g+s~g$=cnI4@2~%k>)j~ z6(r9pG8K#RLS0*IOs7u!;gk^ES8K}9#-JcJ0IyW~M7MEmb3|0Kxt5R~)Q$-G6V%es zC}T`I35zREMx5kPHX9!LaJ=itYPp zXKjrluzLs3;KWC`-IaLmDPW*(LjNIJ>sL4S50+Dycjk1^kQ_|XyG88!(FsDad>Me) zbqg=902P%e<6km+p$5y#ErfEf6vOm3MJspf=|$)s6kDjjvb3zSdQ3Ty%#Og4D_xhF ztyz#o4qilpwF`_4ZkM-;U0OUP?!g*D_EcBc41-C%MF)Fs2J!5vUZ;qe+T%-|T|0`X z3H9)$Ro=5dmP0}9o6V>@s7eXXEn3vXo>!0h7Z`Sjy&io*(n8|wpa|`X2FQDzU}qH1 z6x+V-S5kWdWV4JwU2qwSEftpQ$tEsKGpeY~RO=87P+&qm8xiGrdGIBt6pdpC z!?ynA{p?Hh(hc>iP@e$na9{4@#*kuVVol+E>2edv9j!n3({X|qAZNJf=d{hY9JJc{ zP|UG+O0^VX>w;EXO*uW0?vjoGIdvkF5nSRzOt_Dfgf(fVWZ!Kc<0gw@gP%oS|$<rJ{qQnoOm*kQyjCGssjmH8uf&muE8*`kL2G6C^&_deH6oxUV>^ zoFfOzI@?h1gmV^?$`7#T*;9|SWIyIwx^`T$IGr1|A>FwH#ZqoajqOGRJMBZAd1hLN zqED_>>MQC1%|F9A(wuVr{QbJq75myMJ%+>9;)bRaSGXaP!w$JRlk@WpM{@z0$gE)0 zTHQ#1Q~vDq%7&%^o6 zp8w8^Id*p&jzcdquLQQZ;cBr)N3!#{>YEZ5FThJtG}jYnESsBfZx*tad@$1u@w>nA z8gF!{4Kww32wQ#QjqE%tYP0w^(nuUa;?R`m62QZwELnN$bKu}2jFf>_(=kITTh3Ww z6BTDLJ+$DR`|0@hv$sRhS>XB5#+^vVAhE@Ij2!G`FnJCesbw)Y*At>f>N*maytatG zoD7IP-kw>!>bDj()01-4=8Gju^i3CH^C=sp?XzWIj4HYfL91vIaa29KfxuF>CpReN z3)!lQR`WbT(+QAlYZjn(&kbVvis@`o1N1_J66Mv#WFcy1sW7F2cZ{c=+JtlXY`Oqf6)<>y0JUb5-;O#) zy=6UQs84m*E3i*oX1HxXeW#)E=1G^jKBB4>%MEu+29dQ8FG-r;k1{GH@jiH*b!5Th z!K>rhhIc0!Zf!LjU}55YvU?K>H)LDX_R)-;s=^HGT#r0H0`w4?NujwTZ|Yn%{FdJc z*8z1sTTcBB>o9AtCZfve(b%&nz(Qk{>*NHUl!XcYbW?9Lq*k>kmt<~L28~2zsc;7Kf%jsU# zpPzLSl3e|_eLKW@Y9H1IW@Rr<(@F@votFQhlWdT#auI zYucQBR*(Wy+tunOseg=l()~F~YpAq65TfLjgd}pDI7u*t_dNM*VijoKgQ5#7$O~K^ zm=_jn8ExGxMI)Y#gt>%Q2illBiwr-Z`C{0ke#dHZF~x8(JL^4~t{p1Cb(XU+xY5Gi zE36?cK%F@^REjVq82e_zhmv4Drgl|we|PaPy^4Ka8l%Xb8))(UHtg@C9hot>tOh3x zE_3SiWXuWIq~z)LNR4#@VRJ^(D?;;%HE+X-M#Lm+bMh!ax8-qDRoFNkG8)tR zX^u&`>t3S+uB|?u|egy z26rZzyfB^Yag%7d)n!6VP0Esqb`hQ8$p8owqjD=6%*HL<7Ky=bkt7oDZ3Bt- zd4$~Kdgmj^8tkU&%H5vGB<7L19wgxU*<+!p7PdA5NE3qaLmrVd&5HSfif 
zyNv$VSI6(!97vb14_jGTvHI^Xp96h;9`{W}a%%2^`^RTkZUuL3k{U!SM{gHAHezo8G3C@v$OnTA|(bze((`e2jUgi_KE(Hp}06T#oh7tt{@N?P`0? zRY_R`Sw4&P7Qy~C&b&6Ei&Vk))68_@3i8fJ0-_H#as*J~;|+cWptv7-K_zSt$>Cvq zFa(B}gIdjh|FtU^9@JwEb<@(4l+;+CoqZ<%iD>mzVgul5hUw~I2n*9s@g^f`Y8M_4 zw6kOEY}DClJM$+v4sK-+|#+(+i?FQJZk0r|L^~=>7nZ^ zmas}Yf7f2+W2=a#M60t}D$|?G**aOVyMu&>pMo9rsO6>zlcoJuQla(u+P-3VY`#9131uCt;WSQX8ikFn5PN1jE^m2FI-)B+UIAGYp>cnxe|KaQ>lU|!q0<&K zvZ*~xR`Bz9f|5wHBRFmq0_px4+2R-+e&NpW@qZD&UR5Yow>{Yj@@73+sVU5py2fIZ z$PD(C)P9OTBJK+=VqW)Eq&+wh<7UaOGm^WL>OQ`PrIaJs>~3+t;Uvk7$mp!4M>Ts9 z9A`ugt3eZW;P{Kr9`HoFxLh@Fs$Ul`L&wF|c6|4s4g z3{pX40krJe_(^LPesLZG*Vauj$@$E0_0XLRNXO5=CUYcTv|j%hOf-M7Ggq)HR?CdT zBOQ9u{a=*yk-^V56$T0kcS2Zb;v`zg?!*?ZG1;wvUTyiju2X$EKXeg{oW}}RyBMQl zQq$Ir(XZnB)ik(=>YJdy^pzTj{;FPHy%Q(JIQ;*5 z@%MYEwq)mn4sC6QjHStKrODEUq$>KHJT`tQdX!|$8PM!5)p{!!&}@uLC!Zb(Xv^cn z_fwRVCA1s*LeUFuF-G6trnhE7GFs*y=Y`f6H8c;$w8j6#cqNBQz1Yf%>FamI41?ec z4!~8YMuRyr+I;;C-`Wwdgst1~Ki;b@ee#dB1^rf*CUW8WUtBrSGi5_v#L+JrSbb~< zD5oiMC19jhQ*l`FqunJ3#0^A6u(4!Y37y_EVkB2uiq-zu5Vru_budX}w>Eb`h+%$r z^c2N=l>~J^MnIQ{T7fZZcQ}z^rQs~*eFvt5Px^pz(GQ&*`8XFjJRzj_eSfU?ENPRW zQgTwtoc7YKE(&<82+@}xQ!+CPjH_ejjyOQ6D4JEc0KJ?VG}Dx)4)^zF^M5bTDBpji zrMv{C;Rm<67vO3ogU8D9V8-Q==MT#1LRdAKr7^}$4ZnRm-byLcM@S+2ad}+MjGgr- z(=C8yPj?aLDCwh<7Grw9NKZMF=nkpDWG_emYt)HYq#pr z$tdqYibw>gDn#l{6mpE@)muC=q%+tg6=(=atSu8&C&mQ@WZ=dKs8#>MB4@c9WApOA znJ)+h?fSOC{7>>KgwS-GoRB;gv3Z`gGQ!FJ&8)UIhDyc*TUKN5VSgK0^tl5LC@_kl zYFg&`F=Zu`acBKfU#D~^h=p)mvl%dMhCHwcBkW<>7|ubo9dIo$+aPK?8g$e+Z%OL*Do)raoNEd zh88}UX2Z|(2Ekn(Ws@-5P5$C4kik%|^Jw24PpnwaB@e?)@)5XJ^(vf~G3xn)Fx@0u z@O(eR!0dW%I(-I`+ihjwPlB-c#Ju_3=FgUC2sT))Rp{ik{rD%`;J-fs?@$EyFO0&3 zmVNps$R<*bCzf!ObXLBO_R<)(x7@V7W?%YkFtm7QkZn9y+ej}k_Bh-cIAcQ!F*74M z;eR9#p5(3AH~wLa-a>w7a&OWskQ%Ie$v^yZ{D&%{8<9uL5THuTaxLb5_Y%GPoM~#w z(P+B?cn9>yeIXB%dT=n#mk;nz;Hyn#wOq#Ww3?scv|Z<|(bG@5hL$TIrySmu?;L8L zSYq<(x4q&2$M_ z{;{fi<`Yznz%4LQ;{i((Wwf=*Zh0)8Qhr?zYiBcEP44fH(hJ7OX1PLfgm>bF=Ib~2 z4{fxau}nLZAeG}S3BOhQ9n9&SvY9;dc+tyy#ff2S4qXPrfwga94HhIRDay(;t*-E% 
zV=84zOf>mnn6zeirAz24QdcICYyvK;ZV%5hcX=CkFLR4ruBTqjSL-3h^Q*9N9JV&a z>g}oNJ`NniBN{M|TIZBb@KhbBsf6^1sb)xpp6<>~JVcrux_(FE#&c zO^nM#BQ~Tmj?OT&r@EVO9FyvLmrY^@zjLxo_k}1^DALtet>k=M{49L@b$Z~v2no6_ zDL1xgX47R4oZJ^pFu+jOe3}xmj4Jks*1Y^e8ozT&^F{Q%l6>%`Kaa_SLZY`=oQIBJ z$yanS!g%K6p9hU3k9vPOw6$iL<%Ah$805F7?dp zraH7vmKedDOu>XMMWiP2-^>&wEI=IV@xFxI7}iNte3@~nzMM6ca;XW`S>CWB8$i7# zZ-B*QEKcsRt->?VW<8xE%UeKv-RFjDlSaIqEGkY$v*D+lohsbh&c9BC-LLOm*m@tO zdGqzt;v>@<_0jg$xY6By(Od<2{Ofs3pz>uBTC&=~YBn8ADupE#uy=D~X?4WTDQ|?t z7+A0ur>(iLegE4zPN%Ix;aH0gmQwUYPsiBk^6_YMCk=nzL(5+BjjtD@?uC=f(J^QN;tQ}742O-AV~dsC#2RK;w%j|LNd`yBT`ppx1phB89+;7yIKS@-~Z*D zmzdA(w>V#I=fP1Gc;)>y&a+QPtz42<$DJD+;c?5vl{4e4kY}fl%WV~i#~XdJDv!re zL{`~;9hN?|V^y3gukLcZNFwljO^XCfELE{sZ81jDmVFc4m;i@VK0-B!MVUF4&9|An zP)H0SUkGgFo^wwQ#Ux3#wr*Axta;!hAVR*q=H;#{%{JpFo(_DJ=ReMZaU1&r3)s25 zi~u6H^HDMI+d(e65fWcCPO)^;Ctm!%Y_d@5W@=H{M@PJrcP0_=xQ*lUz5S4X%KeY? zjmm@YD`Yf_vQakX;`cPrqmx9e!G>A}kL`ypOP=`=UXA|Me3MUUwd0J!uxfFAf|*mz zE&!|S%Ss1@luG2APy-zSg*og<&jCc$qaR`1^gsUf6$;_}i5^d3R{gUs8hT;3TN=JZ zByYM2dPTRN8(uOUMW#70m=Ot((T#(T_CR;CO`m}=Zk8)51pVDWa<+?cbgUJn_L9zo zPg=8z)xF0nkEyMHV1FQ(#b-wv4%Oh08LkV1;;2VMms5*^JlbStNzuI~aN;!kbT15^y}h zWqGUhu$e)eXVE@?xeBr!&h3}Vx7!kGaXs)A@WQx>ie0a4C#U7Gik~vX7Wb(Omz>=q zpnBtNp0OYCE|J!)5v7P6i5s3t8Y*#4t9xVpLP&=`In;t%d#YZ_E`+}3!WsUMeI2=A z)4wcJV}gCv z%ws^hesr z47U45d~s~+V)Y}V&MKj>ZPT>#t-?=+gR4p)bl2&d_Y)uK7GIAod{lntUn^>1d{+WZ zf{+jcPF784DoL98f`cpkZ**ZM^WJLA#8{S`wn6Ab1&zFhaKMG>z92{fjzDM|AIkoK zN=JWiI4FdVH*zQv!?_2~!fC6mTOBvZlxb^=)m__%L&jroc&BHrZVG4A0L-m6K(69J z1;_tu5G{+&b=|T4`RO(-?}y*>^60zm?R00+pd7+WNq>squVa^sm548-s?ab|&aaf` zQ{2%FiHL!ExB}Iy>H<>cpa>F)f-f*Awq2tVsMV!9@R=?DFsuO*m23;pz|S6!*Xcs&r!7 z`r8^;^O~Mp^zqv%#s;e~QEG*6a!x-9Hcpxy^9>WHY*LtsOCjekzuFz_4|I63^+WKc z?oX<%#^BUD%-X+FEB>NMq@i1JJq|mp=1Lq3J(RJFOK#PR6!+6oDD+~g8%lFzrHeIO$4HO+EvF;Xd~ky&<197&|z z+Wd=o*_(_Tr=FW#rqM3ST%wf3T)!eNDvFt?-$@Mr=WA(r{*`9Fy@`4XpKokB%#O*; zzzMj|aC!UdUDR}gj3poL>!T$AxX$2HfkxKx;|&$f^JLfOxv1K4kGc8&c-*1C6Yv%A 
zR7gpem@t;sIMhVTkmO11p@CJYMfMYEZ-%@pJ#-iJ8Ojf}md9qPZcNgVi`QJd)e_ql znywPAoxXa{nL&ZEGXiH;F7xpi39<~vN#Qq4N_XC>SL3dedRRnB64aov-U1J{QCv@w zp@8;ud{5aB&%3{PC*@0BPXS_HPoTkVdSDO8bW1Gn+pKUL5*)9~=vTfG{g+@AX5$ej z_xoX>QFmP8p`aM9LMCehGoxH{Q+EZvZU^75pJk1f_cNHg$E&~KX$rKTsr$^0}SCSGENY`|Yt1l9*kGKy#?%Zy_7N}Hfl37c2 z6-~yqKLwoJ7Rd@_{-FE=nGR(71nwM%MI|6MR(^j9|s#qHW+E(_<)hN>%&yq4J z>*qqpY~dnez}e-R=mW-ehTB6+(>YR#T=kZ0-V45W{k96V^7+}q_cBWCD?i%xr>~6_ zXloO+JZ!KzrL5xQI&eteCkv4~6ot60>$-%g1i5O6rE=cNGI_+JPUq!IREocAHdrMJ zl2ID?`vlHfMA+&~UTB=RTnVMfj#VtO87vRLb|w}HS8mkFB#kDM&EYAp$20tcMtWjlLcuzs1N_StP1>%G5gEw8!+4bFe0zaNK8%dd{g8a%7bu z?gpB}k+y%0K|l}(G^JGLv$+DMsPoI|?^hWv#_ZPT$i0(}&6lCgbruSa9_76lS2YTX z2|f}6(A<%PiH_p43?3|DqnS-HP+g(n=;OG^V^!ssNvXkb>_DSxOj9=kXmzN5x;_TZU^NDWB&@%V8=-5lO6J2F*QWRcJ(GJ+z`4 z^6-&XUF5h2q?$bO*dB*Ngu#-KJuND3&zgauvI}VA@$_beToHS&w>p4AwUB!Xhi^{X z(*=WDRYH>TVw&UXD7iwLxS+Z3sDuKeTua;IFvm0|OBX}?V{jNxtwwOV!(J@2Aq3Cc zkHBW(_W=H>>1><4a`VpoQNDgaOI#H8&U*_%?|8LL>LvPgQiZ7F3`?EckXk3zyoJu~ zee)8t`?Ns{uV*ujDQhb8`C2thZQFbNc7WspZW&`X-}OofQ*Q|RJ(b)CgndiaX?6*? zwAYJkCnIm;EZcc=gv91*Ta8<5;OjBYuKa*&KKf9}EUq3rjddEj|3!tLmBKgPquk>Z8A zozP91X;)aOLmaFq-4BSg1R`#l%OQ+sv+iLGGM=4^J8@S12 zb?}qUtS1N_(nh4r%$>>K!r@rG{k@|H+rYoM9{w072F-4>1aQnbsPG#EK!f%gVB1u# zp*ErI#s=t_9hWrPRd^U{hg*__yGMW=W*}CZaz?xb%!RB&&cT4Sr-y7O^3wnn>=%8_ z=C{+)3#okHjs4w-8QHim{o#;aufeF37)_gE?b3o(#ONN{3NHM0lJL19abe~s5whci zGG%7>O9T3==)*g@h~c#+mm_v-L1JtR!UV#joe&s9c88Ik#2AoJBGcK7o-fGk?v_h` z=PCxbH8yD`8x;NbagKI4qF8rC-83DK%|)Smx2fZzg;u0tblP72v(CtK(N*_9lka~d z;9cK;yyy+w3tnCZER=NE8uc9$qUh9}RSB+nMIfDeISOm0ldSzs>U5X_2G6IJiH zFV*|#>_n&B*Z9y=pT@-QFyATdL-8h{S>S#_DBylg>V7|!M$#*{i#t@a(B5ch)&4ym z{w9$~J33BXYT@vX`pg%pjm)`C?1S`-loND%^}GVbb4Tds)>f^)SD`3$>U0O(2IRbAWO++k`ns^ zoT-($juVHi-Q^%0jH4i<2gd~K1M+?nx-2El%!uUI*5|Nj?>S0Rxzz)ag!x6rD7*E! 
zC7P(uUo!tJ=nW8)Okk-ui)KY`W+85Ff}u$nSFPeM9D&2*{X5{jm9tn;l%ry`*?5#< zuWKj`ew_l@G&qKFNzUOH){O2{c0-CP*o#JalZlj4sksTBeQ9ql#iiKDczb>OWcf8| zt`;--b*H%h9hjr$OWRdYj15csWGN)iYN zBLASd`<~S#@|?9P;;~y%oweT)H6Rx;(5G_5W5`<43J*y4>nqUa87}NONCHcez1IL_ z-2(Qzyu~YJH6w3D1NE~!XP`HHz?!TLg|qA#O*oKF8Tzn(|8L`$7G z0!&iX_0{Znykt>t^daMYc7cFgp3hShTFu$G-V#tP+_W3Kg1jEPKTxO3i!e)K$CqJR z=8Trd#!pz0VU7TM6=K*fAq;;nw%4gqXp&~JpL207!4aowxw-{kPZ#;(f?hN_@13fY z%5|~cr!#7r8l{TDzDMXih)8#srt!!C%^+sY<8a z!6R}IjhIr**@A44*!z2hGakhkEWM)u-F%G~>1zRHX4<4!tp4z>aF6g&kVc8wGk>3bA$d(rf!h9;O0ZPDwOAYB+hXoij~e<&Gui9 z6)4zH+!r^=uW?wmCp2DbxtT89_=RJtn5WbK#qE?{l_4mTvM%1B$diWxra(4}9@>{6 z$dgntQSoSJeOuV!SQJmj@Y+A6bT_YpFwbHRIY>5>S!UYKcD_Pg+jI`!fG3_~-A4@2 ze!#maCE1)hmnRYn)x_Vu8_N7Z{IABCpKlq=fy~gaLKT!bj-OcK#oP79m=yB3VOW6d z3$Fv3F-=xr?wn?cPaLf)|B~O#qWcf@yJII{onoUTC_}ZOECs+@%~!97+2lcZ-~E&O z0?AN+J}gq9{rfUBp$&TkX@9mNR@wX}g$aTprIHw;LvGh? z)@u@NZsG;ef>Cw4T8hdT?#PjnaW10F^u(jN7?%tPdJ}%j1N#!f3jv_A#$e22IF(&E z>U0?$BSO=tuj`{ivyI`+d|KoqVh>Zc))Z6?0V*QC%W)F(B)PepcB?y2YBDJ~;$HA6 zi(sD6PssFlMH6~03JlSRL}s>ZTH^#Dzb$X+hF(c}j?HjliD(l!i`Y;a1Mhd-MB0&F zGy&3ZY=$JtEH4F{rd#HR^L7(X@mmA!91fpn&gR>equmbAvqX&OGYXD1cG*myXEw;} z2^HkZqv+TRQX(w5#p^JZ2pp=&;Msk?dLutsX#^fsw5psogAutJ2i2$ZoK3IU9#TGp zUgruZ0t-)N+r4=j{hlvD6AHx&#$5a9j#atU)mHs>_#F5vky}rH zS0u`f`wwrJEzUm|uUEzD+!3nraX7+MMDhU6%fH{x(}bUulKm3R5rQ>-C^J@Q(hs%@ z(Pu$|J6y9v?9nEHWo9;>2|j7rZMA+WxzAjp5%wV>&u2mytFDFK`7{18{WmJI4^Ev# zk1o9;-o}1+=ypPFRD!Rzhaa7Ko4Ae-gskkn*dmk0nrIlsCu*To3Y8|5WJM>~?os%4 z6toZ5rhh@$2unLEsSn{f>ut7V2aUu2Wr~XO>t=35#%I)F-lCQYu>E#rze)Q&qm?aQ zmvRh9c+?=ihL?ZC~#nF?w6=>NErK(GV7$q<_VzAZ$spU9hT4~ zXkkfN`gdw1vGju`rRLUib>q1z$ldnjiRGdWo2z@Q**xTXnl{7KZ`lEm!ygu+f@a=0 z_W*U|$&W!+&)sSCDp&|+*{nj1f=ngeQn5hat*#o3?#T6iCTr_zhn{BupZRKA8vAQ6 zdx2l6$I0~N$wcSy7n}harS~VBu5VBR-N&6z{MRcD?pn)@mb7UX-vANtu4Kpk?%TNg z!}r6r-{KFGaq%hEstCAiEil;zp1BV=hINbKlH`vQbm8A9Of%e5$DO8=mx(D`_e&-} z5e0M()vLCV0ks|cRvq^vYZz&zOvcmy!ZjYIDCZeIxzL<#RPAqUW_7F{fv(Ox?EOPv 
zQ7L+?vSfFJ#8c)hdrEJ-{?V4%of^!Hnc2cD1cm7rX|VXlUq75nKxV7kzta6NWe4ize?z`=QQN|HO5fyuktUTgR3kXWxB2hJk9?NTn0xs;w2ID+;LuSBaNaPo>yAR>T; zF>M@3g}EZYGkGsbHi<~LhQmWI)$w>p%he#ITC7r@dh9P4>8-}-+{Am^r+A*n1AC{6 z!0W7FM1~Uf;*%g{>#mh0U` zl$SH3Q7GvX4khvz{&?zp?4H8e*2(+u`S8?>m6xJ$=s|Ur^ojy4&ePUgSC$7XqF(D# zp6+>3f4SM-2=V4}nB}BaX`|v-vM?yPdi&P<^YWBdt_W&u7=<6&Mxzd=cI|Aa^zAO- zSf@>y$orWc;$z~^ueB<5NGvaZS7p$8-z}7XQbeX%BE}fG&9UYc{(N~Qr%+>I*nGQe zIR~mmNXV(TtU^<&#+$Bp^lZMY3D-AU`xeiTMIq)7gjD+A(Nqdn3sf92mHZ$w>-5ao zSj}=67+pGy)j=jI)V#22eLZw{kgKH3-@qmVmpQJ0PB?UF=gy`70(WHBJuT-)-uT}% zY}#J!%_rMZJ+@A*BM1)-fu50bWxBFH&&EYg0%y!zM|BvxeLF29rM4Zk$~4M>-F%fU z7o#(>1I(2R*>;5^Z{ACCJ`Xlkv$i^e_=7hZTsO26&I&+p97MGF#PP*J|TIi@4Jc`#{1pRa)8Ua2Qx>lQ&;Z3I5Z@ ztlf5gVu_o>6o*%14p13aY2L=0&aap4(HXe_k}FpCk_;$ArWfulbm5a6nC-3a%|c85^p^|y7N&t_J#)x**}d}l;aoNNYVN-<^zW`XF7t8 z!Vn|3?n4C1r!C#GSPhhLxG6`I45}dq@3`s&VsA1y9LX#U6TbQU80UO3az}4j=c(+Z zvh7?EV`gEo-#p@?dh=lu#rh49@iw9xX}U~;pOx6QmKHbZi4h^oDCwB|xnR8r1#N}T zDLos%;e!v5fJbB+imZ&Jprz|;VMLy_aQF?v1diPDGS~{+F{1El;0VyQHI^^9E zk<7iU`#f1EWT4aH4=kChjX8G@Tjx6!$6anqF$|*#JZJl!EY}BI6!9Mx7fEd?!|&dp zz*cYTp7J*p}bJx%!TcEc0J_=Bt0 zmf!f}_cJ|F;aY4MldKbI8F*y@gN-!K4!0(KLsJgJ^zG-7ty28n5Bg;qVZ_+&TR*1n zN_973oPwj4bnezk?l!#fuW#@2Wls(jFrJpib*p|X*V&NAZ^E!T&Raq3=OM9kEYvL) zm(4((_-GTs{ai6hhLSbCYLRp$G}x2^Ln|w-DiJ&_2Z|0?hv6gJHhPAR^Yn(R4A=F! 
zCJ7|371bhATmH8yy5GovmQB1aMZu?p*$PGY+hE7t0nLe6#|eJz45t#6vEO$lHn@S% ztPJg75^d$Xi|}^FTS@Wtwud~0e#9EDenj`;yR^$~v5oHE%@~lu{FUmA8y&64vy5o| zR{{3}zd~@6VoO*2gUOIr>TF3Yf>>tHKVYGRgYToE{&x?o1i5V@6-^KwFJt|Zk2Qs; zXTidP<2IhCL9D^1PENUeHr%Uij8X1SEP^Z(Xkr|n#hRv?ID2rBfq%yDp-0kvYcD7- ziyKDD449X6bGIFP-VsR*kTt#Mym|p_tlQ5hSMij{h7W<{C0R|q%)cN*Ssc-$S*&uI zo)Bg4*elrcZ$#5*0&X10$b%zYf&t*w@QV59SLjNttQ}p*^*dX&SMRpTpxJ=T>pokg+-fdt?yE#!tXN1~#K~zI>0C zPVLkJv|WE+o2U;v9d3~xh{7$eW7S&oU647S&Y+0qa|9OVJKp(YdDp zdFjEpoHe|Y2xwt5{%A6Q%Ob~lk+*|P`0zUV!#nT}T{l&Xcte}J-j?j{<}sSpqEB7# zo|{hVo9^o!Gy$SZrZpK3+61iU8&ee&A*I+4ild^ep{ zzWarjl^_7HFv}flCv4zQuQf3DXSjICtr(>2HuwgA_qLQ_wimU@d*BSh0W2-lr$`l@ zh{T__BzBK1D%$YeM~RuGYd&u~wHVS39S-d97MQYBt~PMbsOR7J2Qa%&jp!}$z@~kF z)*h&!cG^HCpf@#ius|4Cp{8`{b=-G6!MzA#QhyJ--{MLunnd{D?&+J)x{s=7eWN`5 zDIp#3p8tYQJokS8L70Sbfvk0FehcNn$84wTi+5t71Sltpcy5pZX-fa287~FbMwf;q zlc2rA4k4ZiLxR1ewreQoE4H>ww-`GfRF~&bwQ)DYw2PW3 zrwI6V$lkN}(3BeVo0*NpN!r2W)D9xLmEJ&R#DK%Mfs|y<4LmkSByTPEUg~XBQmT~^ z_&lOF#!qoxo2Q!j8lvQowN?&_p3Xp>Rmn`xUD*dn>zgDK0oF1Ud;@bGPYEUg3|?_} z?8Cdw4yEzP95$9vV_zSWT9iBYZDcEUvbZCPr+@221RNx%qlM z+*IdBs0wQeM(s;tzLw8JiLO5!rvECmfR(;a@+a$MSMOx|iC1?3lZseki$$mQ=jTBV z3#(dxVx(~w56~*Ox&heRy4Y`g6 z#YeBw5=L7T+uM3QJ>$0U-slIXvN0Qv9nM{DUJ>ifDVPoy{lfAD5&aFZcv5``S_-PHBiCIPr?4o%2J z_q4m5cpH|+H;;`LQ_@&~WZLjrtdR=BmGek8Ng}r@Y~&d^!i#@7cc?f8_0N z9gBt%h-!nFDh8snib~OJJ73tXV$X}8pE^R`Cm3FeBg!Y{4Gb4ET2w8JacK2(`Zg@s zw5H7^jZ(f+D}4ywNw|0F}T%g5KWgXAT|(< zAC9SWWOP%Kc)5f2axTLTWxWV3^*PT5jo}9lDkc|vIai(!NmY~n2uW+BJ_t1?y8C{3 zr=T1;fVTQdSmTLBW5;#qwwV6CS|)J3WgciFO#x>q5)=MnLdzN)cKJQG`tr|??qb!j zfix%AMSPTBor=llE4pxBwMArM^?*IL-B7U&puJjyJq;16795lFBOOFQ?~m8rLr9E* zb2ID0n3_R{3fwC@=IPGj83vKoQI*`L@xm%8N)DZLDz`A-c^LKxLos6mUBJ^D=E7PO zI5y=Sq4-teBcFR%FXPQaSM{ZOJI3yGc&p@2u(R@1cC5+pv~ltnE`UMctwE_cqnHwG z9a8$Vg~JK0g9j4!y?1HieLAjf>1(9B^``SrDctT4D>j&iWl`pvI3a0Vy$f_YoRm!* zKI?dr^|(EzevfW|3%b52Qj9diDTPD~?U`Ob?8RHWIo;)B3a#rmN{eOd}{d!ED~ z6jl14%|Exs8WDlDEr6^ENXzsewGW<>fbQe7tBKBUs=Chauu65sisob9wq3*#*!}bp 
z#J&hzmfd`yt~~d2>HZH{*tc%ZaTo=AE7bm*S~T78QAD`3^cl;?n}zjBymyckdS)}M z5soYXY{l6-A@GLGFfd=@)X4QHl0mvC|FKn)EwY69PcPC@#1V7}mj(9Z@xhI%w-nL9sU5dz?H$_MuX%b5b;RosGX? z!|-Y&z2G}JzN>WEA7vqa)f^2fZbhmL4|kn!^r|}U`FQsl9OblwPN&)H{k_2`;b+1} z^XEAHU$`B;hYUh!;7hB_J!_}QXZ1vTaZxT8<>96LMMoAkynY-15-S!=JTdfTXuV}$ zibB9_NL;ay&fr!)ZQdtRkD58%@VP?CU?XC>biKvDncS543z^Dj9U1{kF*a-f-x&~b zC$cT3ZxS5qeOotwcC$wk@yPSPoMAhxH?KKs*>8~Zd=5L2#d-x80#EkKoC&>tN3G3$ z9)bLw-p^3Y``(7@wviO#ZzC%2BaPX0557Xs^_WDk{C?CC@}KSl`g_+MRAaV2m0A@e zZ{wcn5!)RCHZ}ZN2}G^lsm5dO#XnI59ERQJ=@OEMNkyxP6+QLO`WZB^dgdvq+;9r)S)w} z+K_EMo8$k29fFKYs@>{hJd@`Ygg6bz^>sd-)lsR?BC%eslh;t5U#r;$gO#s=a#8>@ns_e!7Z7s2pyi!d;oq`V56CiF|pvS(^z^qpU zeTHgNY3#Q__Z<8Mp+lQ$$8n-ld>{(1;`>aY9B?2K&m#5lX);F`9Ec%1$xBFD(bK4( zW+>ao=blH`)7NW1NLbjE1&{16Eb9x2;&b=pdnh@)_I|pBeNhhEmxK3Gt<S+m|#OIXpffzT0W5NMtehzk*M+o1%=KMkH>`fsO~T`Wa1G3KN_91H>Az2vURJvr(Iqv{ zEDpmH%b_s@EB1@MGcGZ-xf&fFKP*1ccV3U<0l!u)MYN#1Y#b5-s#2wNvcat?opGRv0% zR6X1Bj#^_3Bh1N6mUa~AcUD)lJD073p^kB&rw+^K@hYAqiyj!CCyWAK0os*OJW%ji zV>ISUOX7w!4;of%X5I@~T`v|?xj;kDQKils8{(VC-I|XyYym!xDp8!+O z-x_WAAtY<37p%aXFWWD<*Y5qYxtdelIX0onY8y{i-X%5`Ivd1OGpQ%^yg?@B*FurL zMt#{zn*awNRSM$<p5`Q7SIe>A3!M`m%01jl;5rW{8%FH&<%tr924@ ze{chWuCKZI_%hKqU1&3AvFS7{qoI2NjTEAdWc~?MHu3gM!L1643Bt zOEe9qDI!F4L)D`*%o_bsB2)n!K+k@@dQbK!6L2w_Qaii2^f?p7`|ZpzkrL0Z6Md$Tvk1$p4LPdBY$jLI`c z6<89|xsfCDrcdUhs(tm)D8b{BD%P1eDaI)ZIqA6z)^y>YrF=jjD_(dq>87v_*t*~d6MajKd8UDLDUPc#m}MEtut-69ma z&t#{?I4M5r{V)Y}eCH7-egStm{zN>?k>yK6pQDHgP!MVK%I@_K?o$c-u>brz$6Q}9 z3HX(-vR9suLE+Hhi2iM@M5G(`@4vj-YkYJ6wOK{i58o9mqf6lpM+`IRATrX>`s#UYT@*5l!aFW z&9iF~eSxw`+0NRORdn;K^oa1@8&r75R_YUaaWnCCi=;K0zoDaV`uw}T*uB#2M_vd9 zjg3zXL-jj4%sHptfG;s!_V-Ncs%lG{wdQMGty8U3@wXnYY?c|>e! 
z$`e>F=$lRK5lGT@SS^98+y{4`GA}5JGAsj)dP2_Ig>^qsVU9a*-OLdd4oq{|)GD?k z&=F?jyKlOpDH)a+i1rY!#1o1B`WT4ILm9upK3JRJ#x9}7WrT9`dj0)x<64&aa-gXG z-T4v*AB0sqPrU7GCa8c9OX;jB63@u@H_A>*@~BVd02`0zw`6frD|#?DppwfrhZWs9 zGvp(Ydg|dUAc4S=b}^o4Q1(a#S%1`SXZ8IKtg$>$bOFm(@~b>T2L@e-=XY#mz|8u& zpfZL!3Z0U{`}~fpL~fhMZ_bNiN!Qb~K2q#*ZF z#eC$NS-^JXX~p)R7`EW|mEUG6HBkNNHRdynTT#;7y9((Dtw>x@*4N;TIE(A%|7;7$ z?L?R6rDQvGDB7Cg`!6*doPYK=-0X9cf5Ln3jcjTLo1e6EJ*_lPN9wbkblFehw13Ql zexFv}iTTDmk|{N3b0-;=bGfYO`F-?ToHjczqIoq?D0Mk~Sg-hVg!}P=3Nf!O%dPNv z+1e*kp`YHeT$Q_wXZI*?ZmFxg6$uqsVf*yZG;@YZ;46IAK7QX3=`f*Auis)PX6jqf z18=-R#h(oDv(v0%8SpxN<^R>!s@6X~-#p-Zv$rTiT*th?J;(99!~%V!-|LJFVxHQZ zB0sImj>1!+K4BAL^Uevuv=4|zC3utGkps_Z->Tl zYHJD(n=c@|5pfD(VnU7I{E&&%@>Qz6umuaq@_YZf{mk78W>84piBQ)I6Tx=AlkEoa5B4`F{bCv&F9RRSCH zeDmKbcuywyZ0ZZYy8F_C(ay1-Q!qvgHuG=MeorlpS?~mngi_X}8BqsE!9T5=mEfZZngPx^@ z`{HO|Jae!Ubf6xL@}mldnd};C3~Mr~)Td6xkzb0?dHRUsDs3sI-Nyjc>8mvx%R63f z>^`eCFx;R=K93f!hDOFE!nPHYKt=M{xHx=XU}1Nvp!n-!mx#l=!U3hU*oU|xzuQw) zgq<7y=2CtCq2I1!i&n#!u*%DBXPG36lv=Ss5{GFzLV;W3G))siHTum&`NM6Cx)VHk zzXf7rmUQQJ3^R%xqFsR67F%<1xqe-ae~gAdtzE-Rz$mc3z9IJk=x?gONV1oZw1Sr% z?Dg}of@kCLT>8v7zu)wCOhx4J4;!<(f!ib%rzvfdx_6Ktoc#2r=Y998$5qXn9)1!2 zUqrSeH{iZ8@gMIQA6<5%(1&cg(rMB)CXuiSeR6EQ&>f27qH6*W15`_r8mxnU2s$`Z zKx5cIXb*>j+KAj5Iu@t#s5dc^p^9RUqJQ{x>RcOR$vNqIgaGzrTbABG;ed<{rxn=N)6Ex%l~qL6uceuA7W zTIHu$XnPC>D2E1aW@C>dpt}D->O2X}3>ed`C#~pyc%MeK<6Jh=;d7Oi69F-z(IR=72JuxOSlh0pks&7%1@_`+m0V)PDfts0n0C*K+Ng_it+Y_B&r?`v#t zw{!GeSy-8g*%mKjey7fwC^0?Z%?jPRQG=dnJGYc5znDg6JA+2vVJ4LtpQ$5{@MTZh zQ{1ILq@0yi;E&F&{O`UgPhQC|envpAi-Wy|oP%KqhYg1LyS1$miGUrrj}! zXyy@|&At$(03w&5S>Sk=JYDRglw;eCYU^#aUhVj%0;db7;%pdBVtO9kIs~c`FZAp! 
zPyn?M4xoOpV$tNE$w1=GpCx&r8_9c#44Iqw*&Jhrb*C;O!W`ER}&(*>OO z`CRVmof#WtOcHY`-F0gwt~8k|sSR~=9_#0Lyc1{xGq!Di;hOX3zD&KCWoKa<(Jkul zX|$Uk`dOM+0xoQMB?vMWV1`9nUl9q|#*zj-B3~}30e-zMsOxw*v};phx?SHMx{28g z`9(C;e-6j04@$GwW!F*UKh+M{REvIo2EY7#pCeZfPGw_d&35+Dmf~5F!b8)yB_qF6 zn9Vv(;~y+1MLSUQ=tyNVkY?-JaL?ihOw{*$KH%3rwrnMka~b~SJvKUb5SInQ44=uq znn!LSKPUYD;b*Vx<=}UTP>;5EI>!5)MxGl%x z*M88S?Yuv2ZnOFzlVj`)S~D_^)N;{ytX9TE*}bJDT{7d_mk^BIO2My8CExSvIVe(i zClgA4tF!wa4K|j<_9#Nbm}adcMFTqJrSw1jhTflp$s^>nswDSn$>cN4oZIdxi%Pe` zZm3j|@?52Ahhu{DspMB1wWZa3UV1y*(5FF|qD+MmkKg?Q5g%keN{8T_N20Q@C#$Eg zOUKTDxaK7hpYM7lE@zvcW^IBiTmm0$g6HI3mnz;#i6X8JiQ$w5_8^-c`weN(&vI1^ z37rL$wT*6Jt`j zzx@b{B@$9RDv@ZRqKopO>*-T@y)%*`2(I0v-YF+>Ou@#rG+VCOnK<*odGwrZ9P7Ha z-IqfDu2*6Pxb&U6`cqLmU}d7iX%-gSOXCmT9o-Izq{y&y>cG{*@lcJ7hFnR5=hy#W zecrcu>3s4f{pi=(akUcqzOa+8hz zphNY zQ{mX>HSI@8;Xnm$e;qK}Z*s1Xp%Cj5+@)IL^__QJdR|vq&&)U_^B?qc1{LR+Roxw_ zy3|KEgIgH*M*A;0oDzKhuqfn^pq*Z}cSK+gI1+$LRq$%Rb^BKHps-FVHIF^ z)GVC#?oc^|O9UxzW^DUA}k`9Q%9-kAQklaXGDZ__)rdX$@AeQ|1M& z`M56Gl$H-rD2eU8QsX8>Clw~;id-Ihn zPOtclckSf3ji+5M^yTE4=wpEHI_WLu$EtkURbl-|KNBp@v-up<0b)%K?_({gz>T?n zHwbHSONpSzT7Y^~8Rcl$mj(B?oW{-%=b&cu$FOKsp2B*jg6sXK z{TPa3f1=|P-R5dXIrd|)mpT!+5;lE(fBl7irjrctB9Q5Coe&!Lb&wkKS$=aaShBrPy>279N|ygOaD2JOShMpx z8%TC05U%IzMKA*j9T-*m({u0$YnBHv)by9OX;NOtRm^> z>kfH^$D}#IOVC%cFYFw1^60TaNf>z~{(kk=1a-Sve6CH} z_xS8~8)4_u3y&TjlL){bR$xEopT*-Pn@O9F&z>|b%SU_;5_4WLzTY$B+A(`5bmQ!` zDHguG71^qh^^hpiu;)`IAXQ2)YGk)#=LN8l7WUDNbyEd&TX7|~CQ5+jruUO#Bt3VOQA-{B#? 
zJJ(qCAs&ZEqH8&x;yZLatx@IN=Ta3kZS#N9Tc4*WM;!hn>MeEm-e3J+(WJapCbZ051TA>x5TB=l zA~p9*vMAD>0K7J98MzkJfoZiy+9$6FG`JXZK75R%*j<- z*sgVDRgXLhrnf8HdA9*he&TBvO?<-@06{VRGf>c@8@k~_)x098oKG$&j>i8cy7l4l z7J9CKJ6aR){^Q{3j6y20ZVivV8zv zT^tu$@E10SAh2btRsIiZMyS(wFK1&yJBJBD@|}0Bb|211F#cqRxjB`U2K(%F+?uffk&`T@KEJ`Irp_b)i!SB>X%u8(qq6;R6|g!^V>Xt z*XQT@#(4NHj7BBTI;!R{*J|Hyq}c9>y)5TYZu{c9Mi1tdS3j1`HJeG>DDA59G}vGrU2DxXb)Fj=n_4-LuQ67R6Z*2hI2Zr}9nDjDX}(__rrR2=DUkL~GgmxTM)wuR_Mzuk(P zMsiLpguo`gU8(`n*o;^O*n2b36=mu=O-M-~P7@D4Rm0RgMy#-g&YdC5wN!ebX5(P^ z%QV$=>SLd`k^QEcN4eXak#Bt;@@8MTNBF;^gwbdNepC7#<>9N+K> zCIi1v^U$c+Jis#778M6Y#(uG0IOKFE>{zZ4* z;4wy8AY3m>Ki-P3VMin$ktXOS}c|7gjOBx(BvL2OD4R+?x0+9Y}tI<3en7c zP?=+Sx!M98amS&ic^?r((aCq^3tTa_-o&gYmOPSwX*6qh3k?NOu{2`MA)^>2iysv$ zL`CT}7E7}U_VZ}%f9@)jF(ePuBdtT&U{Wdg5yIuny*PQdU@cx zTwUKszv%b5Ts;f?Bzwju*Q)rwC!b!P+E2XH)ZjiO0i3Efmi(p-cQ3U02{!4Kis{{C zR}=%BL>!}HP5X7g!x041*3msgTmTL3*co+7ogNEl6mB*R%@Hlh_kU`u88)ZYs4EmI z@nxCesqQ@g4FFHY`B`iw@1<@(=jcD*G?$Y1(tsA<=s1W_n#bi z>IaKacC}mxnRNSLwG_8K_8@^=deCWqFo|9*zND6F%?vUY`Z2#XO17C+MB#(-d0Q$j%Q z$R!{sB&$UG7TG#kRO;b%iDRt#v_8J2;m(Ou;#bk|`YJ^)Jg2GR)?s&F*T6cq_eCKD zzH(}s4N5_=4oSJ_QuTUXAC0=aEf;2R6M))ISLy}{E?$zI@9=L^3G!Y=w<(@2uDv_u zIc+}^WhC?c5?e(~>31DD-AT);s@r1JG_xBHx%OgavMpL+Rbx+PkrfM;&m(JkMnbU#Cij zbongg8G?9^+=fvseYKQ&QEfQtJr?-$j6PT`TAHk8wZp)6ZUlLplbYN5br|7X{HGql zn{hFSF@qU3=>~M)>}4uWs~NnVVkI;F2zr3iOZG5GJ@BY2?3A&EeA@Jg$-@zLGkF@q zJMuh8mZeQzpQ2p8u~z>2tR4I-RSHOfe7j5Sezi!?o!sm@$|P`a2I7ctPQe+6Bi#0s5dnyKeu0YGOz>iC zVHCpGZe3MPItP}y20w!ku{=7B=k$q$s)g-wIvk*Ei`s=i$n}al#A#A4&aIUGnO6Ci zRiip1(8cT%o-kw~wAoR&>jr;k!k01fEiX|QPDpD%I77kG73&)V^{qw9=DY8)q$h(X z7Q9TugO#J^g9UrI?ujf)whm`^Q9fcPqHehXZ>v^a-OxM1U}Z(Wth}8GiA6(A#1I?K zZA#uGKhx^0=;SMAC^{#Y=;<)YZeX30P(x2dQ7wu|5qUw@EYc zruT4f$)?aTa|jChCkfxw(0epP9EfGTBq*bqpogZLZM>5uWNqX|@9~+HK3rut=I4bg zw7IA!d~fy-h)cyJB%~T2zLsm$?^3^=;R`3}FnqAPSSh7YS>8P_{=zsysVSiupXnc= zsKS&2(eoN^N&`Y-9!6>lxuWWzy$U_XWMFk#d1Cjr^Dg)#o)3I&-FrwXUzHAOezh?6 
zuqBx+0dJ;q-TD28HU#^pj$cEqKmIVB7drY@TrEp2;z735(EVwxa#oqejuh*Vdv+7*cAq@0&C2o?FzOmea{y z*@}WgSmbt*xMeYQ{#mEmj(N5!w@@u+3|XaqKWMSuVsju;c6uCjyOYew>#}!qNr8kf z9=B-k(Tc#%tu8qi7h+OvSW1e|y!n`@DDqJJcr`h&6CY_c6gC`)_^6yRM{n^l7zyhY zmGk!dU<$6f&X@g74OfW9*({N$WbYGVRQT7guT+bH(X|34#c`h_s%Osp?cGCZgKK@p zDIB4N&zUb_u`^Np%L2>Sm>ThZWmP>^K0{R#DXrQ@)_h6Q=G@s67oS*N(EuBmi`RD6D&t{8{ zwg%@7+9k2mkz}Bh*OMrw7B$Iv9==Wqjju1r(2SPt4nNE=pRUC;7|9P98G;ljun&uE zN5l=L4d=DB@+a26XMf~nl+Y>ng$SOSLUd-kw5)qCHXZFZRcRGSvMqXw3QXDr(kUgy zGCSL4GiVkX>{G5u1jMD)F(xj8ffMwRivC-H*k;;w;tB0Rm|23h&QZaA_V{*G=pTwJt_xaJtg_-NC$0=j_G)x&Q;Wtu z42-MPH)@^ZMD>~V1f&aPvCAgQZm(M$8;%k`r@8BaT(V~>SDAWKquy2vL4125a4aW+ z!Z_@2@+gydROK}p^LUosSp`MLHhU4nEb!0m;mJt1nsRySO%9|3$VqY1yMFDN%sy(k zKFy02s7%9*)q}TLUhDTlM4|`otNA~aw51)ofq?zpp9zPU%zE38T6y%nu!eh~W%^g| z?&SYmh3#~uS1+^pRWyS)E;LjRM46Y}e~Q{qg^#nGH`m#(YcL;aIi)>o1Xvi0`FqBP zRow27nBi~UN8#j=%s-c>ovZ&TAe%&(k*`((o?I+a zrS0;{Yq+F$hf=$#a1r-pEhut9+&kivwPY1#RX7YLZH`z~|T2Rt5PfG2C zrZBNKiv+z1S`Fiyu0&R6Osd`j7{A)1hfohY%_g#((0 z#NS0y7-`1w@ZQJH~JnNt&1F<r!zyT~ zZM_cP-D%j(Mpi$un=b^9ptH}J_tXsW-(G3$E1Y8F-iXzG9vbD;X?2NA#UqFyIna&! 
zyiigj;ky-n6~?g@o{gu^44a{p_AuH`V^mtJq=ADq5PcOPHXs6#cr{6Q!Ljj*((M>q zn~<;iC+h?1VcTy(wx`o0A=ld2YGT583*aB_h7PY5lYXAB9P0Z#Q=jo1c{bbO$w5$Z(yfAc{;o5=p4K&t3H|v&}3B zJ!4;)rwr-%Efyo+_kLzqD94yUIWoOo-{PVptk`1@$c z0*}wW(B&JVe%NXsdB8#>)aT;|Q%O>1I9d43h&p;D13~m=545>8US12T>$TPR#U+!3 z;_%vgYk5JhT_Ki)qMH^UcuiiztAL_yaR6z>^RM^@rBLZ({ldKPt~Ik|kEzBZstaWQ zYjrCFtMj-pKTmx%{u=%uPuBifB-qlhxf355t9Zi`jl!Iq;eFt0;T*0;kpcQ)^NI#1yjNkv0X z#F(Gm4hE8I_C%lUb%d_$5zhH&a5uBC@}kaDdmKT9lJK0V%ZW zq{sruL`xU-oUVQn81T3P$CS4M!#A8gxE`q&C>A0*Qoi+vOcfDbd$C&j?)P;cybmv| zRF$O6KsY(sXS8<>Rk{mAoB9fOumixJSQ-df2@%u%uu zXC15;^=qYAfJ(qaI!YSvP%e6Sc#W8BNld9fo%#!|8m;>t4=q2o!dHt2UPkPPJI-9X zC+!&FW@+<=GPtTCT&VR^__yXEZUO@Xc})EY?YcLc#AaK#=s!)0^v!f&XNm zs59CpU(OMi&d1TB)ylp->QC$y?dpMmXbOcFNKLWpR#1?xqR@%@ zPeOL_yxGyuYys;8+m#1}Ju|AkXe1jvyqkXOG$XJV@Z)3ux}uL-_t0wspEh2Z&&+U1 zURMRh|9*O*TFsHsK``h%`e?vQ9jz{kf8i^TK(zNULm0?-(tMD5V!@7_c~~ zkiUhEDmeIlAQb=de1BHAITEn#T`<~JNybTI2Xw`18divKBHP!&Xr;ZvC02;)0M;KD$22_ugC#>A5#xTJS8CB; z!G?l~`r^N#)W*Bb+=F=n7!#`ci^;m!GBV>mwPARc4Ldj__uGY-&n8z9?8PFiJ-B_ehOIJ6SZUS?Zp!kB)Cu4+NeTcBSb;!*4Gj=UjvTsS)rxaU;*%dri6-_DunktUn=Knvr3HAjrc^Qy3@T&gr7I&8 zQGT%F!EpylyRoh2VC9JE7I9b+)0RV%2W5$WFP3Fkud61twy8mLuTpGa>s6(dq9q1% zkg!4sqTw9#;>943>;_~<46{e64#~Ly9QALwe=!smh_RM}qd`cI5V*MJGG9E5GkKk3 zW2L{aliQ9=^Osc9!QU;1SP7tQqxBc`O!Y1`R@g}Yu@4ldO+i^bI2|?6YcpJ;+N*pVv+|`bDztWSU z>WfI~eqX;VrLN1D@|kh6ic|y*F}y>9qu|Rv26lOv{B$rNU`jTV$T~SGF_@keQk!e_h+a?6f8TF^aO59 z+7k5^_dMC@u6*}7bY28*d}HUZU7|q|Zy7H5<)dZg4U8(G-oihyzg+?x#3$;iFQPNp zwy0A)Zudk#t2=5HYCK4eC=zZV62%=NbnAT2CXLfHnoeUu@0{&g_aUQyqf%lvL!kI> z`1#|{sQ*ylfFSP4`S+drI~Es-5n>+T9Jom?7Ie(Qg(``@zr_ucP!L^6&JiBb_(-hKOE!}~pC zYMb90$U#=K2c8g_m>CnL6D}}L%5-)N<)4U`r?` zC*vOnJO}j2;E21Ukrd=!c?TR7&{$=4qFKjaHMSja(f^k~{NHn7T>ATg-xX^D{ilf4 zF4z<6d(hN&;$j8$*TG{2L|#p4iq2E8HEcFl(cFcf5H$0gJ94*#d2I6?ph$cDu*6JY zn^J^T0was|4AWP$*>l@)7i>5Hy>?9(5{LU<9LDEm+)ekNL;j}pzfb(nLkKleNG6xu z)|@FBsp0oHT{ovK@LNf%8?uAqd#)$`Phu0}*L$)9+KY#tl$r@wv0M&Oh-Mzsbt~Iz z85uhHbX-C;XW)Yq=yKe^a;^M-OvL|}w|}1)&xqiP&`LzGSI2J1mR>w01mru#XtKHK 
z#ANo;1H_*n4`RQaQ)x%1V~xyhzD3L`!OU9BbgbOlIoKM`z&~c!R!*#GPq3?G!)N3l zNfwLhwYMh4!2Sn{{$}Vem0&nR4tr_Dcos1+da;PNN*ed|1z6w?;6xmwbf^3{YxzF+ z^4GO4K(kE)pm90|St+v*aehsqsqb3oE56i#r?KV9(Zw(SY(O@vD4zzR9vBz|Fh(r5Z=| z-d@~u$v6O*(FlK#&9&oQ8%Wxj!x4p|bMxlS8{a=Svg72%oRzlUQ{OenxVgF6g;{B> zNUdR-;FXs^ zew2R~*Fw|~cv|5)HAs7T#_-ZCv-z*!SM?^nZ-Wx^__^suUH5-mP_tLDR>M{a7QoVN z)5-JE9-~^{4ANQXghy@CRSB4K7YkMg6r!*taEJBJSD`pTEXHeC=##El#j7nz7x4|MAEECmBHnkH3lB!)25afX0{& zc-^%t%eb}75{W$A3A>(yao|vvD#s?n@#7>($D*GH4>t|)5jxhe`|sAeT<{3N&0% zQ-n@<8iNK*S)8%Zk2$g=DD>U)wH+D5afjG`mQpHfR$fi$NBL=<++HfN70);^7V%BW zf2SM+8J=<}l}qlfsfiIb;{;Y7??dI_cPpH`w}f#h?C9LvBR4xq$I$2}AF_rlQ1gYw^o8fAk6~7G!8-5%6+kHA0hsU{FP8qf z7hb$fHCCM4hNoZ`lEYmR3!1GP7NsJCpz+Ijyq;-{;md|l@^`u($~U~7quX@A6@QZT3^`2KX^!RUZJlR9 zYT@=J2{w_GW#fQ7YhW7y8p__fSUBphn>{q5)t{%f#HC#OZzuevx~H(%tI-`aZ#uH~ zR$>deKn=WCTg#?di`k?C$!B~??$4(IZ%)RL#=VVO+XjoRT#ptm7cj5=Ne*wmtTg{_ zDjT?wpcfOPxJ*oL)UN7>*{=Tuu>XJ*A&!*BIR^Gi*g;mjB`KT7Gtqzn(RNiQE7*-x zu8rTE$Y`IEs5HAdKQc;eCXqKsBb&Zz(`*vv1efc+Ea_;?0PX+RAM%L|zN)<;rr~6Y zoPs*40j*}2IIf0kY>dYO&kVYdQ3I_P5Wu3U$qkVA?)m9u9U5vPv^9r)$Ln+ykQKkP z+dL~3v2g7HU_jtuXiAA%csh3Kt+j6_E4cM&#GNGpvH=EvkIWbv!SJJ>ySGE6_DM^)>5ven2 zW5&)lwltM$nzgsByyn#Z&Cg)^>O_%8?V7hUM@5FQ;V&p(=tIo-Loa9kKqeLQ!%T>s z>jvU&+&P*tir<8ZYW2Tr10c(e zqj9tRyX=rgAZ=&jkzLv4`2h=qN3Q(W`ZEfg+AQrnMVp(dck9O0+cVE&5z}qoA)CCe zpMHCk4Prs3nT|s|8rTGvQ0&zOSdTAdfeP2moOCgB|5TxZyd-Fg5x@SsLW}w(7X$Z0 z=<4!ndY`4%Do;XgIs{EHYNi2($jA+M6deju5y4uCzz6tZusx#WdTKf1AzkLk8r?jX##B-{#n~ zQ3R&8DIbhroJf22>$P%zT*We>>efRaQfLPRp@2A1X|h&Y)kKFRX6SoJB$!L!EEGkeGJzjlliPF zG8+HBwmMLwU$%Zg={;)OJ)1C}ov+`gyax0mZ_XYdZsNkf+pW&r@8Lw*B#CVo?*xKk zIU)&~iFA+!+_!vJBAY)gwup)r^t%VVnmsfzK_5mJze0y)E5)9}omjI)Hr&F@lm&C;tm-GQvyey>}XD6v#UG&7Mi-nwYB@ znRgMuP)d7sAUnk^GT5>1=^-{s8fSxOnp+^k`kS{?((dRuc!TeB;8EK#AX}+|I&x$g zku2^|ej4H_0PeQw+HNp? 
zMYdQ43_1fAm*2KZd+gfYw&_?n>ZZOyWd2`h$A+g|_#3+epvQx;Uck1!8GnH~yO^~G zYx$Icn_U7?<)*fSz4GjQ{@Vu_3Q6GO<{3^7^HK&mccOt>9Gmvh%uB~XY};jiS(-qc zr4e#;2EF?FgG}M=)wuKR5-A<_`Vaqta2Bv}uh`T~ZW$34uT}}bPMj54)ET?VF_<+on<4Fvn9=h&7!ECn`<@~^Et?^%7LC-=fkXp#@8~e&PxhrZ z{4}-rNBbZ2$Of(WFW6kziugf3n2)VgdhdD+WQKU&xP;NaW5L12;E3{+w%#|rMBIGR zrkKmy#c-JGYHqCGv1y_M-#Jb84j!fQ;ngX`jC6-=>qD=^Cw`oQ!^KTZ3Xa#ijEo+# z2K_%6R!@>XKjGB$zL2_v{S)Jjks3~?*ruA~{Ep!|^oZ@?vOt1=c1PCSjm<2scaAz^ zd1-)3wq#w+zyxF^H*3eXKctGVws=UDqhPw^X`$Tv$dTk*M3D+TAy>fFPHeoiW#fHA zlDV!MfsFoc|65k^SzL>^S0U1qo-1;mM{<*&JQEPR@Y$r_oGJgASuC5pU4oDlbr=~P zEEYy`A354bnhM_xUCql{nF&pJ>f=V59tV;F@C@gy9v3<9>(VLE^KZ>gaxT38Uv~2U z!Lr^ONiHaLv8%)2eh)3aBO6aBIvHk`n#ht8a(YRpl~GY_59x9|=KntAW=w`Dsyb>2FvsD!-3!*}ns zn^*Wiv6MiIrE+342lLyY=nZq5@3!}3qlF?eTvI6%QLeSJJxKV5)ZBIlbEIO5I}11l zWA%OOwvZ`w19}@()H5lnQ!>vH=&)H<4|$F1SlF1}ZAVgp-gz&!paXnbRi~ zG*=q8X}paH1~~spP;4>G`Ug@@_bzHy;Ps0JQ+CUZNnBl;3y+0h%h8r9_GeFGf z+qYY}(L6dE>m_>D&+>2^u<94;TM@Nfk1v?N0`|(6#wEwAQ^dqN1trsYY+n>cq1+!_ zy8OsQOG%215=?2ggOe~&`&O#kq;<3nQUoH#FdsK;f~gfH#Sa0d`K251M8L1)mI(JGit%w%pFv zGeC;^j-?sA#USQfzkw2plu|=PGRbjzBbe@6_HV7YF-+JY2!RuYi(1n!MVNC)s7i<8 zpC;0Ka?6;wg!r4PinZQUsqJVfRc6%x@Nac~NF0H$-C*FPAQuUxd}fh|$33-(dXyX~ z`dhH_p)J#6QdJ!`6bL553Re%Ol79ZR7{>;XJeFvsnG->QmDd{`;`vzgrNgf9t;M<;@+mj(CeRS z<~NUTs)|YnuNhN{i;6zpc)0lrQNo4AeHMMW$gkMeOQ=lQ@fBsCb7TIz)9hiN*#<2@oVFm1844`JSxy6SUFQc?m&qT4?$tdJnX?9Q1;MGt1Ye7E<-q ze&O!DU)VsG4S(*S?HOCgged^7YLUcTy(Y($ND3eM-BBZ&WzXZ}sbteEL7R>a=!p}$ zIrp6I8*J-*dQw!?JJLpSGuIOfFfM7b&5LEInQn`9bZW+J#;b=9t4pr;zzbdSBZ+wH zkt)4r@Z8C=#qquh^4g}b`KN2s{W+s=U5}4a-42ZZJqzH2jlF$p{)%gb|6#cocsqKl zcyg?exUXq9^q(AHQbPC#`wZcamf4M>GFD+Wf{7C2OC525-spoLvF4tlO1f>& zSY(*{_ES0uiBI+~qm}S{gtTlKjvgP!DQi%z+euVv4k>p)B1PG>ku@I>gM?ksk|;j%ez;bLT4NJcEsBIkwLuw~&?S1~lL_|QyaOP9|U{o&*t8;zuxSj56l%J>?!v^uu5jEs>Nu{Af&I`U&}_K0mwey#WGlu z@Hr%%y_{Rs152b0{Vtd-_7ls+?`CI?$M%g!Mg;>uD)m&?)iD~sN?v;Ie=qnBFtc^A zL0J#mh7RBQRc7k!X@BoBUddxeW}t>&@=e0`Ba_(7s)OeB^D9|ZM5TT 
z87OU;#C*531l&-Em&Ht>l1eFh#M4&&9pVO`DfzKXdIQ$LV?a#ut+*p7iirn5p!)OU#-Ie~1HyVquAjwPeN}hh;6^90NSV1c^Su@v z^~qI3^y}>})1MeOr&2%uvJr|>_-N0j-!7+FwTw5IRFDRO>5S+1m$)hsTm%kjF2p{_ zIIcVWtF9gK=qiOGJUF<0to?Bu3Pd8}Z*Kr;R`?D{WP*A1dB0sR`$DGFh897-D{flH z6H!fqHrDp(-moUkW*=>5(dtP(;0?OTH4iD~E{T|E8y!@H*%y-={gM#d zqtu)3M?O?)&nP8uN_w_cD{o=dt~2=7kl$?^w6cFWBCx-4UCg_g^JRmHkxjt5s5EIJ zfn|-YCUZq@?RIHsN^WRCnl@-$umI&a&tCI!w`Prz`tz0f(1R|cpJT4HZ~EuiV9wvR zG4{)y^dtkKv>_{fOI6ukbKqnip=)72xph&IRC!j+Fd#Rr&?vznM7hv>odxn*UMWkt zKyB6TwIwu_;dr`Kz2vaqF>fM`H(23rJeVzu%&g;bri^rC_ zp#|M>?7?mxSPSqP2*PP^oyMZwqFnY6nE@o4=Rw3bVTplxN|Wp`q3dQA87<^ z(&gRPt%BHUeHRmsCFl7NJ@Z}_=+|7S-w6BswBa@nlI^U;ak(HC7j|>!JG7n4$U5B* zKKEZWR1H9)k7?xED%g)T`XFh|N?q0`=uP_G-bjjRoGKZgWyA4GtDI(y4zr(oxo99m zSvfI_nRFc5=?1D%JvhB)Vt>LxaP9*UkEu7M3`dpN$9yI#O34fs1G+{JzjuWkQ-uww zMWwk|yZ_(qfCaj+@~*CZSUz2%--ufa$p7JtQj)WdIoieiKdik~RGeGdwwnM!LhvL6 zceez$LV|m6hu{$0rH~K^?(VL^Jvc!NcPU(|a0yyCyVm-;zy5pm`g@PD$3Ch72fU1$ z^PTgN>wa!qdR;qi$75Gx{qr|V^<@Kr#eBBK3!yn20`){-G|i$DXL#kcgCxbCg9Jj` zM9jWG4&CriEd`=J`(#tATBcfOpV_1!{V z4@kUy24i}H`27NlGi0@|)vQ0opw`X4fw{^$j;a3&144kxNsawQYXA=?``v+W3 z>tv+CX|D=@IK-c3N^?FuL$h7e*KN7dAgceDaLBS-WXBTuzagpin!v{~+{>+_w zf&@a<@{bqSUpx=&lT0Jecao!G-Syr}$_zd@^*k^^{Ud>pz$}T4kJ-)Y1FgX9`vc*k z!P0nShP_4NJQBorD8GY*ZEOqZikiliC;>Z7po^`dAkd~Vi-frQq~${w%6y(<Ag@%W}tGX0W(^>&X#cbBnBe)nQ3${)yM%HDBMN?DYxVENw45#&-c zJWg?2*6(qV-F#g>pT9F(g$rQ!v>7|wFBKV>4k+fmF9MukKCofcx@{21NWIo<$xXY} zx6XS{Scs8MK|oYy4q3nKT(tQ}$uE&2@l8vpMnDE|yYy^7d`!xH-+-z*5y@v04kKIh z+^bc3&FeybGQ>-}A-h~l{znmlml|~)XU&7lB?kMwZS$afREv_i{gIWcwV1HRl@K}4 zN4AQU108UG#w0u|Rec{&xm|rQ@-{OKUN07IY;vq~WV2CJBE- z^YGGTW$>sWvbLm1rjkVOEr?4TL@>E0iZU^D_X77U7{;2YI`k5PMJA*kq>(TvoNdUK z?Cn>X0Vvfo@Efz-%T-RWxcai<-+cKh6Wk;s`$0i_@aLVm1`}ADO34r?8)Cj(?Ng;! 
zRqEw5d(J#*(zv1JQIENxTGcAjKs{A3pJ2&e6@5CtSeNf1!eJ-tDqgr8v&Up30f%h107)k~=lZk#L{(_vDG--+~UA9arR46Zv z8#b_UuTi2GHy%~h18kall7TF$Q@fUV+Hu^p1G(9A=9*_kh$-bZZQ3l;fBjWv%$lua z_!K+Q!;=ROxuz)rn()*sElm}NLP{RvT!i*<1C0FvWZHf@HjD$L7d+IOsy8jh{Hxk5 zTBNWMdh^UPuA0=ZSI4?$+f{F*5fa$WvYRNRiS5djtJE8Bl6uuG(DUCo!vLN$ATQyy zjO|!o_mQf)uW&qOF!+PrLm@ZM=JMsr$eEoxn5Q1_3Ii_G;pvyx_TZt2{k2ks3bxN< z-*4KavGrr(RJnKh)*{l;gMt$%x~=Zr$4El^Dur+FwE$Y&(P^MGH%< z>QyW~QoY*h)v6}{x#^#lKkZK^nwJPN*mkeH`-!~TXN68)cJuE%H_(m?d z@I1+<_%~}*U#3i-DPMovOU^y}42T(iAY8)0ZH;{q`yjf5>!I@H%9)t$hkDFz-MU5R zg~jUK-9(R@#LZljMh)flTdt4~Kl$7|pq8&#A#eBiOzybx8Y!zpEj*QeRbZou4jz}d1g@yZV9m4}vSSf=efe!)Ip^XNq@ZqJ1RNWcO~UPg>p8c3JK~i8l!CMyN!-E>)4AL6=+eG!w$9@sr=cD^B=G3}%YT4XYROdo0 zF$N}EwcW-#Kf?1W(|i^^<}h~5XJJ79;OT{9zJhw=V(!K~iZ-zC;(>YNMh&F6J}d_* zhdHWZ#qx$F=4p8AV!y_6dwAR8_=fi{yj-j3K92`4@G1=F0@w$E#`D$WDbwscg6(5A z)dQ`O?gPLqoR4eiT!y)xf%^{51@MByYc(*Zz~gsE=35-E3l}Z1zE4)~VUW~~be_go z5YQjYzrQL;UQx#lk7x7&9&$5&on;T>&_2Qpl_{!T!kEwCiOh2?Y~VP?zK;DB$2joC zc3ct6k-!kTHEL9|eF^751k62?bWU2oe!ZQafC+5k_*tt29r`qN+6?X2R%z0xk(AN- zi8w(Y=c%JQ9ARF5ShA08jCP{u9%4~NuPd;U1lzo#&X3stu)k=NvBxR4Gai7}tXW;p z;fw7!vtuG|PEDSVF&4BR#RGjCujet0t6J5`dOTG%yGQCZ(5}J*`_44QE7~?NgJTLv zPdx0we%V;(o61S=NMIRvj9|Z;qWg0dJ)iT~#M}dnagG?P50Q8dj2@31FWSU85yvXd z-Iy^kH({T`afov=#*ghDcU=;0Z}byk=&%uT{Y7WUEWIwo@z$nQ3p>ZPYf@LQ(`M_j zTFI^tHf-1^^YmPZV+rSfc;#Pt!Rgjk_s_qPyZ?Qiv~JnlY+|gO&(RkI&Jh?tj%W0x ze!aRj=V3nz&-0K^yaq(CHFUql+yl%I@{a8^^**j<_qI4TaV$>J?O8>)6Fgbr;g9pQ zUE9{Kt>=}pvDX}EGrcc$v@co54)%NO*VqR*W*lcFN))$ki|Yd9qsIk^X3YQLynt z+s;@Kh7i48L>chIycKsoW`7~)Ar}O6zfT376O#djL4}nj4jf7(VwA;|XVRxl#?)m# z-FkWsvO6S~b)}my$VSu6XXRMWm^I9YG1B1=vdo8iEQ`i?l*%%sqd(NK4C7!rf3T#z z4VSc|o)es=_lkgtc5iiY#zcXOJY0Z2`@(B7Ve(X|uQw=|q!uk+Dy>>J)B61K)N?QE z1s#@-)X^uUP7k9^!cJvHOi7HhpZv+c&<}nxG2Km))@7RUV0sFVL z0rb)*@9(QO=rJ9Sl>h0Hs4u?lqc=z!iJY&$pPG0 zcGV@5$8|c=E*>Z8MgDcSJs>9^*D1A>6~^J+)w}->b|U~X2y@a`N)q4%GEHy#R_k*9 zW=c$A*&LR5gJ^x>jrXK-g|c?xiyPp(9(>#gxN+kr=>>dIBfq}xH9-D!!m;+gyUYLe 
zAE~a(30t;kZg$ZwaQ#rdAFzb>-~;v-ETit-f1nbd8*PrmGGAP%@uFMvvTCi2jO+S^zkeX6TnI8N7_h*$pip&Zz*mFYkD*i(ApKVNSQ=9*VT`?js^ z=Jd`7pU?}$jq>A9LuKgjk#dO6p}-XK!$*xZ!r&*psVJ-ul{y}AnBDxc-@pjCz4iXb zMuxoq$rrL-Z)#fUjRP)7Z@>RBy-AuXvo+mEz2N%k62il@pCDT}9y|<#cjQ$X%^z%^Z()BevPki{vm$F8;5pH;}WbvlE zAC?uWH(6!7_x#%Wfu+-v_2T{Um)?@54eA&H`+kp41RUDRV) z-+id>KYZ__&t(5LE$pU;V*-W@yyp1d``vXPXe+ICncq9zd&+S~b+COlp#$lB^8Js4 z<*V=d*>=d(-v2)M#Bg4>ZoPRl&iHkP-HbwS#K_SyTD=~zPrvoyr?PSVTE()B?SD7i z`H(DMwp8XQLGre?zh&bF+m_hp`V9C{j_q`Wk$X>deOZ?bPPXm!>}zjJ9VHaYDN+0C zoA25?@p9Tm>(=T1q2og!7NbUwmWR7^l`~I0QN4hEl&-J7W!C`%bP0D|CH!#%jeQL` zIS|lHQ`i(SgRL^d*aJ_+f2I0$ZdP%KnmE_cuPp~`) z4jgwS^~Ucby&*pJ#N&);?5|!~CmnaR^!&QFl9Y|i4!k9Cv&b7}jthjy?e{%mH}4bm z+UTRtzLqxnP!>18SkC)V&o9l}41GNO&;zY6xI#z2alQ1S&TIR(Y9{a?#?9dQe?C+9 z$NV&Ovo_AI8n`hw9k`QX4myO?2$I z`NQ@D0nkB77Vdu-IQx$F{`X!Fo3|F~P4Q&KaEu;5FLwJt+P7|QH^ZMO5!|+Q3$wRW ziN!~{JZBFjqWe6zUE01oYK$$1hi7|tJ$@D}(1#v6PrR?k@xp}*UtkRHe(;gJ_{KYW&RQiS^>ra_bzT@g@)x;VmojhB2Ppm3+YIwW`?hWD z7<=Hcr*+>OZ1Wa8fS-H)T{-lCHcBeYlpea>@KA2#FJtw_x}wePk92unaP0}Q=C!xG z%l?W9$n1aJdau-}QB`W`etWOJ&Sc<^KP7EWl4o9hM-D%*jgko^OMbDD2^>+w2JkDmkEw>1xB;Iv8!1dtcw zm2^U%%jtfD2N2l5Zoc~=onO}&k^8#NwMCT7z;XJ*t8eP^-(^O;WB+*O#n)t=zV{O6 z!UrFJ+RnAu7b{jMXUE6mdaaLh=J$h!$bcUP+j(jDh+oW87}xv5b^fVUqnho{_dWWI zoOS9+c3ttvlh4Y}DhEQM+j}2LRo!pv)UK(R|01{C_n0iigGME_uzxIGyig80puHV) z#A|`p|NWMGfZavQ!;7F6eDor=hSt&U$r)Z{PE{s(VI%(@v~voPG3a>uWS&WASH(=9<6mw zm^XjE-1Sfw`SWQf?-U+9)<7)7YcZeR7k#hSL)aFF9Js#`jo2rD89TwwX(M!>{`m8+ zrJY`9U|#C0^T&fvcD3_)>KM`U1LlrvZoEU9Hf~@f7yACsTke)t&G)lwite9&r4JU1 z=$NyPN9-?{N8i`^XNt~oAfiWUzZ%x7D|p4m7vJ?Y3_+efspsSxRVvs6QxLItKlG&S zPq;1_K5~>C(5|hKq1fICI95QCKdavR7oK;f_OF1=X$Q7%XRH3kPncj2Pq1YE=V8O8 zg!XNf$~RG>9}hsDf8|X%{^*W^2WohQ$p+mY>gfX*9Gm7fp1MM_=4>B%^r`3dwIW00 zbG_~?U9zMSl2zrQC!W>oso8>K_eANwiNPE3r!Na(J{pUVCE|z9HE}nn+4V{-) zq~?WZ^%@Qjd0RBwFExi@Zv3ZSYaiR;P{E${e)_tC;Cd1B z$)qXMZ5{;S`tQ5{YlJn9^N)32$FYZph@3|fTl=^Bi{p21<$Ls62}=|5ckkYPj4f#| zRjRPw7lHNU()BQA8V4+Y(J}zdI;2sL5SArM5`V+`u$*b=?Q}?g9G@_UbK3S8r+nh- 
zGQLZ&2e~kW`DlA#U6{_RekkYZ9Y6r*9^5owVw9zeG-g!OTqhTjh+;7a>c}5s&q*^0iq2~NH~Gw zsoiB4|HURvykqLH_O0Zv7o4MgDPSk2@B)4ZhUF@bfFrPn5P&x%yb3@6x{nMVGQyq! z*U~xUhJRcoCmw&a5+Tpa1?Qb*^TaoO2FUqmpQbl|bLF#d`^k%4{%eFogL<`Dk_0n!N#=g)5in9tI{I+CVdtEJ4;Os#U4Oam%8TWQ z!wyM}yqw+uJpJP9a{ryTq}~g5^L5u4F#(~P>Txq<*eG2p+CjR1^0~B70_2)2F13qs z5Gj}!%atu7l${k#6wyOrpgZ=Pv`hL4fAx;|#_ID8=9_55S^*-dNjzWwE0^&GrH?PIJU{Qj;a8oY(^UfrAT zdDOhF;mLvXd2&~jTW|P>jSoY>_8RcRPln|`uDVRFSHdT!ZS;^H&nI_2)^0MOj{q<1 z3S~>%&G8R8eF~Q&ubq`jOC_RA~$EE5<`wJk%|q7%g44LfW-$W!EwogY>2k-c`rwane_B5HSv51KE~((+N+YFTU<&H~)Qg``mx~P15b{ z4|F>w<`dY73+xBTyX&s`oBZSEJB*Y9DGqO%*|*#kr>5lEU>n1KZp^;V!zRX*+IN-o zxJ8e7T-V{DMFl0xulm1>%}WXINPR&cP+=~#V@~HY_9@#jr^Mu~XfJt;vSXN+-cWMj z*@y13ITCHdQ}g*(|0ma8cA<3YaJUhOiOBUPleXAbNm@i=O=|}Hpb8?f;1(@Hk%AizEiipwra+dnqy!i*);DKOQkBUG~@WWv;#&*wVJivJQ&G+T1OaCIBj!euyIbn-^Ils1veR-SC*&UR~|M&IR>d^Dc zV^2M&55k(tRhM6C?Lg)WTytp5YmQ8PG5oYYJSSpB&XEVSws-nsMae`Z;;U3FXY*!P zB{7dYcz?N4=Vs{P{Ppo?U+Q_`3cFq{q}LV<;k>|ouwjFG(x7%Vn*%^HCsy%nv~7Tg z-gp4hNaswv@A$2kp0crEU%f)N1IWn|>V=OGJ&v)O=;8~`)m1CMrj8-(hY09r^m-B3 zP`J-{=7m@Ffm6HGasG@xxWz+9oR8UOGva@8L_jf4OfuCt?+13Za85R(3WN3CjpXSkH8{vtd8NH07glRNv~; zcJ!QDk6QCQ&O0{2z-@o+x(#~aGQ@6t@F4)Ww_~Yc&o6NEmtVbyevxtdMCSi4I$s8= zN5p$QK38vt{bYpRxE-b^{=eD;Hbb85`i8!1DDm-vQDY`Z=cA91Gf(?d8rqoL&^A22 zKL4hV+;Q_i?FJ4P(topiLoE8vvQN7)5^ zX?@Uyn@~Lce&Llj42zAMwwQ+=mf;kp5YT zSa^Nn{DvDQo@)vyVFzfq>>C&B@LG6Ly`vxl&!lEe8d}>J7Xo!Hqkr(x3M}WHIdhI( z?3XE3LWb&j5*O=HLI*cC2$|aZb@n_ZBDM%fQ{0r4E}8hK4fe0f>WKv`5D;_R7$-2} zO$PRV-1xxj3ErEyVZiZ)fL9>&SCS3K0JaxyIuWq%BjmJ=;9-LIq#-1su=GYHhoJwb z6OL0a7~`M*o_ z##HwWcr777m)mKJdbt2c8=D%oI<Vm_Azj`GsEJfEZ}etf^IDS?ECZf;mti6zha0WIxsN4=^3OubP5qaP?a^@L;0n|YafRi*7q$#J4@*uL0q;eH815`p^& zR^AX7tI$8HYGJOf>cLX>xP6|oh;83h9BFf_?o(y;c)~G?fcX^r2=@)lXPJ&U9CSPu zpo_kt|BDwbmL_#;rAP}a)A<5zg785Ak$sqYyy4ukZQG%?e^jni$?7ofO6p~fz9HcF zMgReUfOdWws{I<8oD0-*EcGzRBocq{U@Ej(RlP&uJr81m^YN)lGT%0hF7bgeR!6kKV|fRXt;miSdAm@(YHj{W^;F@b5Do`jzf@-$6b1XsREO@feHLxa+8yjlkZJ( 
zbI(0Vm>Ymc>6G#d9zOnD193s(!Slzz7pyoj$C7Q6pJymz$vB-;@o|(flI6`f`bf7f z9b6yT+Vuc;5AEJZZNUwQj@I>&Sbua0`iFY?^<~Il3lx-`rc7r^{fd>V-Nz+X5>3*v zEt;3;b_e=y=?#CKD&ppFE|EahowypU3AN;>e)KK!BA)j5S~zT;2$9PxguqFNza$ z1N@ti(-?9niGzm5ZQ-2MD9!SjPrA`Yog%vS^H~_)em;xG&n+z@Pc-Yv$?8`sCw9j} z#?J(bW)(T$Svn=e!zL*4ewr_hA8%pHhi`E?u==?}I4c4S8Vtbo>eiJjE;v(_nEh1& zIZ*fG>!QmaySjaP&OP%ta>rl(E`4>dZKq$y7VBh`<$4#MeVQDgUj|2v`c@uz^q<0h zT0DGt$vR)HH`xb?rDFFz{FEH1biA}v7LJD`OEX#0Q$Z&~C_b1p@`arVOnmUmT7i%d z5C{nTq6jb_;l;3yPJZgtu9YDRR^LbKm;SF+p~Zf4J@o543K@rmOL^$mCYRZi`Dw6oq|6MiPsj5oZ{nIb1=@}&FRskPx@-S*d|ToYY>EaKvh z2awGbeK}albkFTK=u)dXX*qdXQJyIy;I&F$5ZKddeb$ks{H)e;f7Q5N|I1;;i?=VVz1~l3YX?vQ#qzQ(bz;SAPGoOcu)U>&-KO z`^*yjnl-AqdYsjI)TwpU0%rxz+i2EybNNc zFj6g2SYpk~J~EjjoYTe}myGg`Qp-j5)0K<^j(B;pKLYnw^;h!-i8^f)UTpBH9uU`gC#YCVTl z(cSkyt`@xK=^-m!9B*XHtG!T1>YH5J%UkD9fUZCsfvOAW9vkcSKN$)92o+~aqTmGpQQMI-Gv45=ZKoxmy&O+KI zRYDjx$jDw}IFs33=pVZ$Sbk!a$Ff_Cp$Pud}Ul6`AW zKH+HjNUfaskd$@?x<*h(yWgfnNYiN`x}RE;RNJEspv>_dN^j@1dDhT2m(k{RUpXAI zQ%4*=3L`65Q(c@>&TC(zFKy9w$+$U6=YO~V^%1${|1M4Jb9Rp$WA6|5euFnIk;Dr& z&kY-oh{KAsOqtRVwkjiiABT*Qyir}3jQ<@x6P zx|=+t(MD{KNq4RFvu7UH%)^K32cZkjI?c76&-Fxja}L9d`>rV}2MSH@HTS|CLeMHYdqt5ZIkI<%YcCUZZ_LQn}MC@S!E%@fApGKLZziHkIVth=cPPjL8 z)yG#lci}@QG=p?0xjAsnd}c%v78D-wdof6@ynScm5OFB-xUal_fdjIdLqU%M+*vqk zy!AQ8NK-07%QKdKo#b45()wCnXy^kRSZ0oUgyX{j+xc|u(p0xvv3W`F^uD-uk9iJ_ zQG=NJb!*G}13pvPi%UZd^HCCoCtK1~*Kz)BRpg;;V^tta&EL~)idZt-?SRhdenq*A z=X_jjrdvE*c*XTj$;552_kza>SqWjM*rYQJ`|B1qwo*kKI&Z?AnR;e{;EG z8)0eXSh?h79I$H}8)))*$-*k5S###<`}J>~{82v_H6m!K2Zz3=TP_T9%k%s6?&(D2 zUToeHy>k=cKfma_CYu`R`nTAHzDUV!g7y*Rur%TO=K>mftwGJorXe zz}UF)>EN$jyzx)>HEkm{W z$qtAYEmG8d>Eb04CB~y_V*Z)#o5#b3$*4{=oO6(!RL)8ZI?XO435fBIn{G13dG%%55|2Fmx#Nvj7 zXs|xSu_qJb$?K|&U@0Pwufj`pX(>yy>gyg%OfdO+&unN@N{IlSO@jD3&a!#-d+M&r zPqQF28otW243Z_3NA^72S!S?o2Ia>5#q3`<&5bQgT(Rs!rUv!vxiO2$IpZ0VxmR>4 z7JDM`T>covc*ctk77ED0m+(lAO|o2fSI#rJB299Dy%5x&YR~HJ-pmt zDS)Gl=mj=n;$E0NS^O6dUi8?{aP}Ns%C8nh@9Jc{ZOf+a8H93Y)|`3nJ}=Yuz{fbl 
zcIB!yssxPYXDEbc%%0<3CfJmpy&XsB{-?BS+6m93OVTZd9rl*3TOEVEod41C?WGIj~5Ku8ST>?xbU1!JFfMf<5*Tc zPpw3-mchbiz^9+9rCm|CZ3Fq(|BOSjIOGB=>TT|q^2qN!vU<3J^-rYG*y8YDFI@0q zOM{lGgajMk<<(xOGxGqfmFTZ1kl7-G`2%AM2cw|4q@S{vao!ZK4Z@;hY^#`XY ze&x+~oh3W@Q52y-#2G)!Z$7v{=l7$}^=0rNwG_ST(hKDJt1opvip_UF`qX`-@RbUO zs+A`%-YA%n9e!q|OJ`>M1aEMerhDuy)O|EFoXW{Z1?FYWX?Nm-hV@}h);1sApH?lJ z>VAZoZJrl;oY50@ZC5Q{xvyqXOPjRr4lR~SxFu@QSffhCT>BjNk$T_^$J(`P$=roY zWWZ+w-CmLOZ9bIkSEH(16$GYiztMld7j8K$d9jA~9Uo1se=>$ze`Abczu#(V0h%5Q zwA~m)Jb&DLSDCqc>@lUUvDYBa8akX27R| zq@G&fp*&*Tgm*^!aL*A+^&NdB8rxhOQmlQq4Hn+meSkij^V3h^M}4ducdhvPV=85% z$U|n@Ok1s+kB2oBl#5vL&et)OcO5WYgQf6J;z537NV*qRHskb29s3wdIhgEK9i!L= zgMDYQnEXVyI`jkP)NZR%t{sZ{!0nhB%DVY!|X%i5{4j`Y7izrv5PY`L3B- zi;oyHA>%pE^MSs~%81S#JE&5xtBg{ts#MW~)zrc}zu3-EYf**B)i-*EM?HW!DHgf@ zT$AyL4{q@}M_d->zI>>)an0Ha2Of3PrR(=U_KbeqtLc=*)U%sfz{mRq+Y-=LX+s&~ z!uL}$J}kl;SHFHe_uP5)osZR^p|;f3dogwTEE%Ks7X>p83u}Me_(3gwX**Fr&cuA9 zwgYPe)`w_QJo9~*o{Q+1#I{fH>#EPqjQYG0J&%LVz(;O}!$54qG)%1fn{RRcHF4&W z^2hmEUO(RQ;}dT*=KJYMVe(|~D<})kZ5St%?pHcPh?G!%oQ3^72`tl5MxTx#pq)1j zjCIlsf^d;50)WR01A`y~C;K$YI^e|+WhXQY*bKyM>Wvi&53>`GFYfYA z(lC}D3|72E@>Q1!B-c1@Am#BQ>As}tQYgMOk}_oY-`xWX#Rij&-~s{xf!zUtpWG>o zY&Q>&T)sER4D(J_WPB3z{|mMa^K^1 znN)@Jc)_^9$M^2xCd5qekL=!6 z9(hW)+0aSmX{Yp)<9cvkS3Q2D89WtA0W>4j(g#+^EUj4mI3 z>R&I)b-D)~%bC}2*d#YxbE(@4^}N&i$^&`;1xq`zuC2dcEggHKN2NU{u~xnDs*Cl2 zo40iN>?f);*eExvH5SV=dGV=Ly^539$*ooi)pgQu3K`>pLh!g=hsvLHA2FD3@f#hdhW72#OAlE1NWL06Lax2yV!2B9jQqRG_=Q>$G3JvGODUGbR^q;-p7^}9 zmrw2QhAh6q8$40wJ@@ZdRGGKb;d0(tr$eSoo;s){7l)Y)ahMF$gFx696**ZN&Px@p zMYCqQd{FmE)ONw%Xou_GXdD`K(_Qx|cDnD|-1+hc#fcZVXY_!i%g;YkP*9s=->fcr z(2Rd7J4@dB^z7~qN?|WMtSD@v&xzgxzxX<9dDCallbiKKZ%$1{PU?t5*;GyMfq#vB zk&7&j-uZBVdnu*gTz}<7ZuuUE0rWZIV22TVot|=RPq{-6mB6~j-7mG;KsJ<0{f^1~ z9&zI8^|}wPZ{5WHp;c2an4b*%LPmTy&Mp6Bi7Qy*tR3XmUTB@rE!2J59(d#_myhN4 zSRLZ9Zh2Y{0;;A;v}Maz>OP*;bnnQsU0M~bWONy(tT@EEV@3*J8L!m0EV#^%!zUunX2E5v~ZY7@%`clWU+nv%nvCrwa z!E$U?_~5{Vl>#@bCH8+`d)w{fM}NQO@(Z0+@RIuBq>k=)_&d4bs*CiH 
zxHs}O-qOzP{?pz{=@@U0Z8@U3v#14nPbVkJfaYpV%oqVCINCnXfm`psPa5jS#Rl5v zZ3(-pcM3DgVLOT^^uV!6sr%JPm*3lV0EQvs#<^#l;>Kg12b9yXeS0}i4J9}Tij^C* zfh#UL&y~-In9BN0H%A&{h2dmlJbkf-wi~S9cvhlZvT=?T8gVRayA$}HpwI5*FXXSE z(zlS?c*n<7X{C zi-(N~N%z8JW+ed!zuy1w6FOEdl_Ps})BCIzk1E^M`XS|sf4z|IBbRF*Ved@biMquI zdp-}>eajo^b{wsnHPSILdN;HC%X2*4AGI&qn0!Q!L)`M=F{*Im-l9yZecN2ahV`XGtEO(x^!;=UXrZfD>ea03 zK0rc)r6)>C-Vy8Qd)#tpfR=N5TcbL)>dO#0tkgeV>)bX0tN|#=6wqpBYzOZfE0wr@1Hy`GpOXkJq z`W+t~^u=70)^v2Q!}LRT4{y$qU6zY=>juM+x>s%|$oKt|Fhfqamw^tt!ge1E%RLKn1O#>j0s0dbm`vPwp|pv` zj_``-VT|*~HHJ7|TX|QBqzfhZGVXd)Y!+NLO;-waAD=YzdVFU}xV@$H~21^+7vILg$sT=h$ zevEg#1oC2J4jLSMvdLkzyb$q&mX{WkMNH()VX4G^R%{YanMR8x16FG&Ksk`ackB&^ z1q_NxdkH2TKJb8lyq2+s>JUDhBdUg-=m6Y z%%H`=oBd1SfsFJ+`T>eox1XcZ__MP7w3n5uR=W=nRaH4bJ)*lQPRWPj5KK{!+r6@} z0!(O6eC(*CiY#9-0uS~Av;J&6!Pree6=!qCk8AiT{90ZmmrOoe>P&mh%|+u`G!`No zSlRvb^I03xLC4)|t5=+cwoRJjrDGd%nWK%w<$E{s67`;x+9*R|}ulqc68;`ABQ7$J@W8KCFkZ4?D3G()jx2}zHe^o{tIMAzX z{Bn`0KR4X^Cpk*c2fKfE?dKz}-9u}?lx;MYX6@L=Vtf0k@iN|NdD3Gl&*z->9LIxk-r6d4 zrN7#qkcMkP;NkGhaxb`V;7QvejPZzJNZCn!#1ZHp-u0NfFo)nd0KL^G>Lc0vV^m+! 
z`j&8Q2%dJos5>7yXpdI^Z1WQG@q8e!wJqXs$j&{Ye)!yL+LF=n?1<8H#$C#0PPain z`11T`?v~`D{u}jYc$l0?V;*gpt%f-G(w_Y$Uwr(rvf|jH*rN>UU}JtpxmpJGg8z=l zV&&pb_no?p_ZeuYurLwnHvh9y~%(@s70<^KKqKUbqhjWP=sEWq@d zhY4x?ENs5Tn~zeHU;NtQ@!b?jeVkoeI&q}?KjLu2LFYT-aOM-{f#Y8jm%jF%z%+J@VU(4Pe33butNyYr*@UXb4LX7CuB+aEuDQgu^M~% ztqakJo8G=t=zoQjJNrD(OdfV(px^?kMoFM`?N`6eS|Rg z-66NVWhE8DX~oX^LM<1~CGky)Gy1r{J+$$>J951<m~8ldnjbcrq&Q2<%TLOi6qgsD-64Hf)N5yWCgn|v+YxLFicfB3 zTfdCc#LJFf$LaHP&B0Lp^`JJEtBx5rK@SI9B!9Z)4^C-W5d8C!A*oOQ9Oar^No6I) z8U3#Ie+fLSzUJ@hI_Ac|FvyUbe3q7UpDZoOFQ|GY@kxqHlELDPo{#1OzxYzETt9TH zGq8fRH1jPFeo~yDUYNs4vM0s;l65HT3QwIY7CG&-(_VS|?YI9`qjv4G3+B#6;c1Fa zQ*xSbN=@@oMv}(k&3w}AI!U={icV=VlvzO>cUWssL# zaE`OYV7UTc;`u6PN=&}8Q65&G>_NlV#eKCr^80iN;)bYzKtNy*L4fgqvBsQ@4|Z)n zUy8A6{M(&>&?PU?oBiG&EYHsP#>?kz{4CC{v-(s@>&8B}f4K5O7lzh&XUmscx}Rop5Qnqt zY(oa(bhIB7$7K!AP54ZAYF=djfj9SbT`u7U4u%Al+@55 zCEYRfNXO7AEirTsIWWL?d(Ly7-+9jSz3=w1tf_**kLw;diCw!HRCkRH zt(;jc7i3RN<;|)a0cNA~%kH&u85XIUgZlk)EX*R#Y$=bgT#L#u0IjKC>zVyx-cu_T zGreWAxu$#F)W?1C<)DP!Qyb%T7_rC%c6bb4v9WTuLz#xbU5_|26hTo)2>D8oq@8ja zy`l30WkZx(qnazvMTeKOoztTW)H4LliAS8KfgM2$V-*IfO%Bg?zL`OPhA)SN6d=?W z?E~~@SHf(-)TprHSD|O|FtN0t2(GEX-I;UKMvc+;>tmO9$oH3>Z4rJk{pI&fzr<{X z#Fj?f4$9m)_5*Vr>Rmc{CoO%b!oGaOX92`A&vlys_;L8TW3>Mr%NwoUoowWuQ)2mS zCCM{Ax+iViR^vJ|#y6y&U^c*W}R<2ocQ5GKh94 z1Fb(n3=)IUjziOt!5Q^Uo+wy)9E{Autn&&xye1jTA*$QNB>}bcy=ZE?JHS45YW7#aA+jK(fI3z!pQFlZ{mN|#U-UxWG)M&M&nUG%zCzMdE(w(oo1 zzvB1ZR|Vf*H<=yq+7a0t_(ty__LKMJ-+J z*f~#1d2x)es)ou!jzBE0u1>8dlHx3O1I{10`z>)B>L1(&YFVPsKA&ru)YLe2A!=Vi zYkkEAO7U-0P-}UdLE5$09z-*bh>0Vj*85UG*~9UVg-;r0^940Ptn4J=*CmvyEyA5{ z-Aswl?j?B$jk7-g9{y?Iv*+RI6V~4G7ktmZfBv*NH<$gAo}u9&B@QUl!Gfx7`(z>Q zOl2r|(;86IBToQ<0}KrahOp$f^kb?#33wrjVQ&`B$s>=-J&}q+P6Cjy5PdrT>Z)gU zLY#NpAAFu;lwp3oGMLv*M`pvWFf^MVLjMPQ?74u=VM5(^0@OLb(gS|o6P-@I{X`&< zt{24@?8r0b7|J}e($_G(GZSTuV@h_tQu%d8rClo2tw%<|L%>KcDE^{M=6>8^CTEynl4&T>4f zwU3w-DzQazKyVvtgwGx|a?WK5{f&&-|HFq_AyC9G{#bXhU0-oXrRckwMh0*n0c5wmvX`-a7_ z8%jJ|_FrddofIr89g;Wsx@N`taL$rHRoI^gZw%b+HqV(kr)Aqy4{IfC*%y4#z(_*p 
zl*+ICEmAgOB8EQMi1aU4ZWjSFKoCh)XXSxSZA8D}kR~9E73HTI?TW}?jsl+)3kTxS z)(LP?Bwd(Tc^Pf4-(UK#FZXZX_0Lq$rxyPAToeT!<$*KVACSIIVPC&i8QS;NdR_}~ z0T+D=bNwM7)e*cmqdI5a;wi=8Q;e8ggj4E5X+)RrvY#2-VMo#tM%-cw7P;SzS>lOk zky|_9kr^#`@vlW~B*2NY!=w2vNvx2+@hy?ttpPA5mVt5VGXlnqBaUWPbLHYX+5-Nq z?~?faKmWBR(y6iKT;(^Tm%!w(sOEat6slzUdUu zRop)g5V=4wXjJOE@wGcWLdwYZESFcSEPEfH!iJAt=>VSN{i(dO9Ci++s3%jXlU3a+ z_Y%2eo=z6iXFU1)TN3jh-uPpP+2YJA$&@M2iu56;BLnM9zF_S&F0Gd)UGm=xzrAov zEp^kWG%aY)0z{+svyU1RWCiurZPS)}#dUkD{uG$F(O?|u2GDD_<0f_#E| z^W?e0Z3d^)qoebsuO>fBhoY*m00S_fxNKqN1cDB)2q$1BEh>^)NG#ZT5@XmDOs2Zp zEjbprdI5&PGP43J)(ldRo1*xTk*5f1`>*p|PDt{*5Lv(P_2;$Vet2wd5vv$Tov<^j zu%lSHxv*HPUMD!5nm%g5rKs9+LG7MDuNtk-nxxf8PG+%IjVvePK##>BtBw|0+sU%2 zmF#yZO5Ep`VE8;us5&;nTE=VJkoNncp;xr4?V^U*GafBk?=3IEauZ#6xbIE}i}U#l zy!x4k=eFNDdHtn@s_husr6XbKq7A(cilTs5T?|PO>MH6=)xd8L#O-$BT7TpaB?BMa z&DE+f=2km$-JR1YZP_ta&yk8ETlLy+S2T@grRFbSSGDMmaZvzEo;~AWb7(n>W>*U0 zY+AfJW~<-qJ3?*H`}7eP_B8D;`R6~b&Qa|V!(jbUr72~xLNzwRNy`1DdNn#g75RRi zCx=0CzA8b$)Sog$^k^=m@8|}TaV&cJA@2cnA#4$xk(BCRS zhV<_$XV=iH1I4wf+@xHizt8y~ZzQWe$F;dp@CE%6`ri?T*%p7p=j}{xZQG~~UGp93 z=p0RYP8Km;=!#Vfs>ViB2?ieCd!(>BARR`hl)Kxxwm5i&Pb$*y zbTgrqZOAhi)4_Ta+;`+KzvNx`Z#2*8?4M#|;6GpW96%<)ar&?DheMDsmfbiPN7FJS zeUyM&SF`1D~`b#(%iM|8(;A!*-SF~^hBx*>uVoI1hCI)I>KS_Sj4+}?r7A{ z;3fT*9WiS`?S2-*4Csae}OSpcWS&5E7Bdo^{;X<5ScI$8GaY)!O;o7K4} zu^4A}K5pf^AauD~=~r4FwHIyzk7Zj~FEzf0K|NqU%}Ki(v%CbkS}*;i!Qlq_xBB(iAL z0mcxhv$Mev109bUERy_WZS-5BFKPXB_8ND+^O%D_Yy1673i{_&@Ndx)z@Y2&-*wDj zO3HbWhs(Qeond{$-6V>%E`e9=53pFN^*jJ)o*kVVWiZk%1ap=iyp(8ic49oV$v#WS z@3vz8&1!CS?WXq%JV2~#;0qQ@U(6$1!hQS8pvg}AE3CPVN4bc0;F zzD5*Q7wP1FD`JN9v8m5#UY;*hnr^Dt+0b#M@Vi)r-yO`YoOyK=i>~DBT@p=!+fLN# zs3mlB#W(X1BUhX{YltgAOnJFg9W=Qc>(=5z$0^YbIlj%p%`}9{sfTM$c6d}TT!PSM zW{Yv}s*73QX`Am)1vT0CHlI>#pSivudR?eekfrMWPPN9_EZ*p@xOSamsH4tB>`>Dm zbbk{3tqzaf>Zq-QGVCX4s;E)V13B-EjShj7(R+U|L#_8IQJyWZwcVo*j(Ezl7=Ets z*FdjGqs;9@ujxGpME$z}tVhV~!WM%JxKTpw2PsVVJ~gSN4+Oct3j+W5_5I&__KP;+ zQ;TK}4-VyoTytpdN{r>#fWc9$2=pnV6y&J|#uqHxd$TAo)RF2GWT98yAy@GMeL!yB 
zcF_w>#aYVJ72qu93IXw5)PaWfN8cFyab^=85g7-!7PA%_zk zZ6wTDS1+k%Rc?RfO(|;M)Nfeb!$L*0^IJKdbURi3@#WU8t>Em7QTNyx=qGnNwELUk z2i59CI+TLOf#U`0NNvB*Zc@({NV>dMje0r15t~YnyiW?#EdK82mhpa+;LV)PzBH zwo^GW+hs*Vxu$=P4sf0y*>#c;%!R}|%f7d)naxcL3e8gd(Zv1}B`ldIrPE+mE|l2R z5t|UjxAt9dmnRyv*-bq$rd>fhf9W`_$??JI&mHiVTLI@fcxTuiJ%|VD6+Hvf0kpVk zj^2cK(gS)aKPHd)v-~;F0R|xhjo}KHtXR^fUv!ZSCj}b0S>v;1wGU{-R1(hMBhBKF zJW0ZTWnKThZExQKiOH>fkhK7y#apQXkkCu2>zh2m1RCLlmmY_2|lzP*==13}~`&z6UnM zAHJ_di!C?K^}Xo)=(QKGiRz^=jLEyX0(q^k;OuqI7);9JeA*WdV;XF;q7q7K>CE22 zdLASU%7!LfdwFkkFQ!9vT4?wO^FY!tAqESEnoq^b zH8H-}-nZKI&hgnvJZ{0NA{r9`(R~TC(trqxtHu?9+|nU$@)NAPeb9~jghD%NtNWfu zd@Q-mMRG#|l#H2m?B{^1$*mBI*Dz%+7iP#na6u0rQ=M?fk4$Mtum)6fg>ZFX9F)>lQ#j%Qp zAz4N1R>w^)K5&SNCZQ$-5Dz@-bxX`XhN9S8<0xb$T-fa-y*{%u-i9ff*ISYsxqsot zd=2PwgPO#ldo7T5R=SZ1lXk!1iwzCwIcPdIk;gG~jS>;Z&%~1^<5x`bE?O*h zcSVnL@>#u$#Z?(AzfT>=g|3Kr?#K&nVY%ySz3If?-zL{hn`5r1i1fL-BF zYW`z67SA&PvotIUArU?LLc8p;f4gva?xm(aTG%QF?_j({U-kN`&&K=Xu%x$^qJ!7w z1bn_#B7$l>o^RmU_D9f385@_FV!HR~qBFpIPl(jyR{R`0VO~#$3?=w)eEwkgfO2mJ zdSb2qS3MS1{5Fke&`Inn7G2Dzgx&Ut&37qhXKvUsBTR)7AyaNY$uXxbbkD`2!u_cva;gOD}bd_ADj zmX5UJK`orJXQj>W_O53o(38UZ5G45k3N(aZ|LX*FC40tO5div6qzPy?y-D8EkThFL zK27v)^EJMIIYnZ2oZyMp^&YLs#kh(QFUx0IR71U0ew!+c=?0Q?mvJokLiiV#mCY}l z0!%x#N!&*)I*{z|5r0X}HF2VOQGIF1k{EMpGoGM!sEJIvh6eI_)1s}gdDG@}Z zoj31j7X8%iOUxO*$h|A|0yFYMoO|t3#`)rYx3JllSeX_1)~>J%VrvEghihMp0ksxA zK{)$t+_RnRZgIMJR*krN*(!~M!URrzS*i`3XUx~+TP-dD!M?k3B>KW`t~*OII+FUO z+U6O4sm?}#12MPHo`^-ST9u9)yyJ;+oJ&|-_r=LGYS^j-UvXyN=C#jGwlt-d4oTNc zQI3w>L}BawZe6p}CNJyOhBg*_!PoU)`i7dtGmRo&!4e25xF&;}6I6*lCIy>~zpd$e zzYuAs(}=35n>Fn2bg(oioV_x?|bpUZ|J%8i+(QX#!SIA|B;Xty2dtX|a zMm5OyG^yHl=6yoL-uhOv;^rt3lJy%Ytak1Oq=sqoJFBf8FVpR2agFZmj$ml2dE#M8 zT89(KT0=fxdzhY}mH@Tw8i0N~tYgo=gk7z&yo^fw}ekZmt0ZnOnk*g=!@n{!ZS)FY07W%Stnf2|g zR5>pJ!$lgMf?khmzOz>$RNGR1r&wmuWYm=1vJ*rV;pO||8?B2IJCNpy$!}r!usu+)E=S@ zVB&E}O#|`G-O=4`PISvx)h~4ra&2M&lTCbyI>+cYwH)VK)fX%U4TiAozw)$G>YP*4 zH=eF^GRZ5KxZjQBvAPvGG5pt8GlCfG%5{nAi&M54FdNNslGvPRZv62!r5Krwz?uiD 
zP2GlU93KR(ou`LD#-t)v+dtoS^D=Y&+H*^v&*97}os~jS2>oFiA>osE?sF7CY!<{y z$Xe89+>uzpIoDvNs!l!`cUbtH=IH9od0Nmy*z6W}%gJH)r~*e~lr#`Yx@E_7? z&G^jmXOe$j;88!9kn*K3QvVz_iVFA~kQ3SGEH_k$?i|kKHW{QY$RU`Gx0w{UyCLHj zIVvHW+`zC3g7PW-+;T?C79MM5%7%%B&@e`9O}RYHQj*MkZGLR&b(D=W+6=L<(ke61 znNFhmVOrgH)%t5_;!ANjn|}eTolkz{@h63}R9uU%wAQ$T*dcFBA?%JCj8 zM^<0g=>r5+&7JN1+B6>}%g&Dir5@n&VAqT z!x&WWIks!jMK}|0x2r~qc4>2DQv2rKG!9Z#yIh_|688n#rwK!Div}e&?-@Y1?UG7; zPHOBXWCukyUvAzkNe|L(pVRvYGi-6ICySmTrbfwi77Lt-A?;NPJL_ce%o7H?Hwr>D z$e%H+0sFEA>QCK%ko*v6)hU*_x;J|CT_Tm2{!$bA#ymXL1>L(BXwm1pmFtf@)_!B= zA3saxtmQACB-YL%JcJow8Ju~5WF^bg>S#v0`>X$nPgp3_QkM^8<$X^idT?vgrDI8< z;8yUCpODFO%F^lV z>Pj@`=46hE@;npH_6_iFk{^{vQCB+&Db>Q3MxQ**<`3UVb|qxWC81E{Z=gBZeGw~f zzG8#Yq4^3I$Zj3tnBS5X`>{OoblqqwQV|yhQ?O4x3@>e4{Lg^+7tDORwa;~7|0x9B zU1(dzdzx(0k_*u9VWmGRe90X!{cvBPsMDdFswk1FXkxXt4m0Pmm+`!KcUvZDIY`@dj6|Y=?w5RPZo%Cv6(7~ zuWuM{^h1){_X@${Betg!W~}9TH95fZj}@C;nBQ-2+;3fN-KvV=lyU1*-8E#UKO2or z+_YvU!5Fci3_5seJ7@LuooDL|L~9NTw~8qQC8=#B-fOOB+ zSZ}h+Yi|vpk1HGWpr|c%ZrKtRivmf;Z`0}xb7U<7oTDYqLqye-KHWM5_K zwc}k3q`3J!M1`eM`<&TL_l1r{tH7EsYAuD#sGxx~#3xRA!oJ5)5(NDjIeYJ{9{k-~ zzV?!cW%odx-<4!jWpFkD?EU{8yZ;L){z-WM%SuxPx1+s952~XgvMCi1RkgjrI(k=! 
z%IW89`%uLN_g0f1a-aDq`=GjQZW)VX&A4HIFfMOz`9KZ|Tr}XB#5?rE+3eXtq*7UL!^}T%FOVn8m47 zgyM^)T1%%JOC!P=-30{cF=J5!ReLU47IioiM{tQ zCzq22k7+ee&lFXjlj-g3!!=J@wSAp7ui_1B&K8iA(RR<^u2g&SgUC?*?R5^`*XI-n zHywn+w>KI;xol`pXN$`qpR2=Zy?T6GvffISNQ;J?BGPLZ1 z%86|zy_Kla(r8@XExz&kx=CV8PkZll&uZK}6(akLT+oWxX^v{5tW1Ehke{R_MQ;~6@rqW|>e76l7wR{2eWrwcjLwFl?FyZ}y*&aI~7;#cVh`pU7eDeMPr zlFci2PB8QyqKPb>@x4KKNu`reSe_DDG9!;`*R#d8j?2Mi4zN|n5<3U2dni^pC~V~C z%Dd+`_&>_qj2&-IcU`%402OxhpaY_)G4)FY_%<-L$i)+h{YUzGWe8p53JQ6X|fxN_iaH_w)t)2xO2~( z@~XL}E}F6~Y!cXa*xe+e>~+tpQeONaK5b0e5T66K{Kuz9AA6>{H9iaZoRTw-{bK*0 zT*3Va>jv;n9;BFqNUj56@1+VPl0qr85cJwR5~%CZH!jm?^ft2I*l2= zsf<#Se?|4}kkatwhzNXL&&iI0Ik+XApQ+~6`@Iu%qYe>yxHTE81I%N2PNX!-unN3V zX2@ifP%j9Pz;vf)Fy3~~yd#pS$%Qfg{mP?`$OmHl!mF5;FEDG8TA)8wxI3QkA>`!D zVYZ7#;Qe$O4|Y1iuwHd$ds8geFH+zg(bjKeMKKT?P*sB^7bX_xnoXmR)*3{vH%_+a zWsXQ06{C5n_FS}x^Bi*q|0wB{C`Rpi1^OOrTA)XM4CR*5il}MF_x8vqX?fE6og3}N zVfew=-_1%eRkQWOW*@;I9z33kzziY9QHD#2;{_`|!7N=(tIWQYfreCsZPKXo+mKUk zSw+i?;t)a_sFG$u?pZ_Xp3S!jCQ72wfSi!jN^5N*oxH} zmiUVQMe*}&{>3OJAPm@wx&EwsIhd~2p)KO%9x=oV&W3N-MUBGhstp_6cb8q(2ldCw z3=uBC^!JlR%NdO{UkVmmt~t5M?m|gASny`^bM@bC8%oB;FM3-Nw)u-aAaL!+gMU6b z$MoXBzU}abEN|AXtJTPCrHpzRYbV$#@zEb?B zu3@2vI-OBQi1$t{9*z(j>8)bk-CvY{P~9&-^TY))&qGzrl1EhU1>6JQxF>S=FKY=! 
zRoR>;eIcF!+KZ9l+Eux*J*K`CQjJh%-08&_5$1#6T%)I`_l(bqKPbk0Mt>(|Fj7ww zS^6%T!X0^`{sSs&AuEYi;*(V}{mEV=At@S4YjLh54e>w~W|1a^2H-^st$eNW{rP~u zB}bK9M2S|TP%E0byS+ONo5HufkWpCuUOa40BeGXk>{WZTl!&L6He>tX+^m58^nu&E zKyafd?wsKa>R=Nfjk0*1eaa?P^k$z6?=TVps3Ah)E|4aCICaIlctX3-TA!tC4x!pmYF8=32-Ml;m7{Tk zSch-Am><3a6E0s8&`A-?I^#%g(c*LXp;MRI^`{8EEhjAnA~;gu(n;l9ZywJD8^@yX zLRVkcC-d4EMJI%(mx7u3;pqwJe8Vica#_=W}0;x__L*rl6j4+z)b!gxK@6 zdU*Ykx!FDcA&HNunF!}|=%wrlccl57L%s{03@b1&yJ2YErFnITXQ_;O| zdubV)=8yCG1=5)|6l^B)m&A&H%Ld66IzIWUN$bTg54mbMc}7tEt=Rnwm+r^A6u^(M zLL^_iU?+&uz9Q)J-Se;1f`Gn&VzWq4#Z=)Wnk<6@amcfXo~b#MM`zBzXgGf`P9V=3 zi0ced>@#s<{DI;(+MU_(T|_@E$&mUDSdwS=(fmVUu>TxaM)r-CS=eH$u^yi%`ip9f ztQkCNgK<9P@m*TjcP+b^wS?^uc-|a#6&c33fPa)F-GUunRgbb2Ap+OwN=@3jQoh&b zgcdYucibOo#KGOU-Dp*1kNQ#R+@l#Re`EjL|Iuq;5q`hE19XM$;grtm{IRY79qAN? z8WqH$hF7+Ip1|K@l_KT*$4PsPqbpu{(%oP0FRtd!RkIbyHQ2|3-||@+2rf$JB;{hD z2##yI)i$n61xWr8>*DX;6^jOeFxkArZHU{%!Iv3K>b+fmg+GDMCfj^7j-$ra2SwF$vQe)I6M`skTHgNH=`fpHY-2-nF;X&{VT_N$ddUcg{x8r;@|OPR z^t0$32MM1wn_+-Req~hEFzNPkD?zL4Gv`aH<^J-} zMg@YDAH(Oa!^uZ09JUxNy4EnlhT#tQe2R)Ts-LIReYIyZiFo5o9 z<@nHM!x2!TGP}mIRD=Qf&YZlf2+7Jw@!@Ac=O{v#sA|Yff##i zW2K)Q9D8in!O+>x#NwZ7SlhJPEuKLUL4SPxy_<{aaBgnb%=(xzy!qYzcP6fSOd|mA zgVClv>fH{h=UZR*aI#)X`uWg@l1i?X`2VcFX<)Tu^fuDe1yR?gKA0G8JID?&|yl&wzcp<#F|pd zOP%cd|G(PFe}i*>G=pw^2?xFD!R>MlR54fPFQ!rq`t7 zW)9(R_`g8Oe+m$xy!ZkPdevm!T+NVpT8j9 zP)(+AXZeDEY>H%GID=EyH8ard)hK3ZpGL(~9o1I<$?h`PQ)XyfX?{TTA-1KeLMojIh01sP1&kb}IC zOg0aZ#ZRhy@xy1QF=xIe-8y~xb?~=rGQTxD(T&1~G!z{$l*|(W*pG)JfwoSj` zWMT-!#kIPVB^8s6fH39YI?>RKKxwl>I8P?cm8}*><+?2}V|NN}9ZHcZB6o%Uha4KU z+ZhP7PORuAdM;`=p@0-FHMg^!Ga5Wo5Wz=7@h^dH`Q>w^tn&qKheK;h9_!i%)Cet& zk}#NV9Gm`oZ$OkZFFYQtqmJzRIY2p7E5epIWje$dSGhrvTPg`q!S?}+w^RaYxy<^lYeHYR(PlR(pWb*6c;WN{% ze(g%fO%)mmzD92{E)6-r@KDQMBL%niYcu=SY2KtuO@ z8Dp=J%o+yZknB0*!p+n-7A+5+UDUYldVe1;R@diSH?EPTCCiaK-mGi>X0R1l=>kj* zN4FD$KMW-E>d*T}Hmv1^w;Dc(j(Eo3*BV0GFh+Wbjia!H`r!}zZ=6-F4<(S8bj#Gp z#^*?82de-)GWFBHP$$vYqXH3gV3I*jx_(+CtO@GKdxM5 
z7{x5)US#46KUxq+Cv*-%RIH=2mB7h50omDw28PlUWL7csz4j_lDomsv zN4*uSHw4$Oej&{1ZVma6cS@71y+Y1yvnHp`TIqkLk@rZFWlLB!rY*`5?WRDx0UbR# zmpRr6?@#Ad9mEdEaC_|ODIZd&DQ+KeWhD_6+YY5MuS7x@=DFh->u8ND*pgB$E=HjCOqVp`zS4SMI5hx|g&WI=TE1F3z< zppS2#FX9hFJ-wt~yxwUXasGJe?yQs-sZ!+a#$s4od`ZF>$z%D0_pXHf-PULPeiyC< zWBE1V)VzKAW2a8c;zL50dR|8Z@HyV&$#ngj4=9h&i|&gDEr+!{i$i}Z(yF_d_-Qp- z6iv|Q++ALniZ`CdeG9U`h=Uy zO6rj#X2Ff`?Z*r5FhZ`D_Xa+@ZrU~06MRE-?YN8UNiW&HjmIho>KBe%@1;w}?T?Yv z+Qbf=>on=>dZ*%TuCWtO$zZ}c&k-WHLhh16RXbg@Jin_A24Vp+-ppZqX51LF(u4)t zZX{7%vzGmfjQ*n*co{}|0w$}MuXwwhyc>b00H9B+q=VFAa6Mt5ZOpOCM!74?BN+Mkh4xeNQm(((g;)V$wYh%JdB)AW9x( z2>W?vGQ#nGJ}07VFV}Umrc`8#>wr$=gI9;GERDUEp5$s~2LpMc22;3d4VC?-&}N@P z38fodG4yb`^Q7$Orn3&Ub7kt{j$Fje+JJ6OahKv#u)@W$h}`5=z9&o7!vbfeU>(e= zxcQATzQdOPA8~yYihp6U3>)vZ45^nK_lBv-Pi3?fxjMe0(2g%ODzH`Yjzf;O!qNlq zrhAvTknr4#;pGRUZ9Qh_7>`)zeEr5+pr2!A0+B;-=W1;n?cPojR31;50aQ^i;-5|> z5XJ>8u(Wx#0_|+;iPUSO2%d=@nSixz2ShCE6SlSbrulP+-{s2WgXu4~r%GImwYli7 zP&e1Q-p3p1*+4 zL2U)_iX3JtHfkd^w@EIYTl+p;zwfq_O%!aZ)DIeXbxqG>EyE6-~&NR3%OQbc7(iMg+I zYxxL(D)03XyP)@@M8-wI10pGtdUET(Uu zKpY;sruWRL_DeX6;4+W9ok;lPvWskQKVjO)I}?nbH#jx1H0@OZH6S(p7uE4X;?w68 zQDLS{Zueq=v`W>pJ#6>L3F=R6O=@+3^iVA1UVltvLxKgR`gdrvX8_X0dmrXC8GK*o z^0Xv3``Q!VezF%-dZsKbgR0C8Ov8HS7wa?|bVbr~uxXaM5)8ZV&O&-)I?dXH<+-g_ zwF)#5EybhN1*&=Z+&OX86RwPYCgY>VyA3reMH(DdlTAUoP%)b|YKv&KT-hg-{PwA~ z>KrB#e%fW4h;&$7w%&U_YOcPOE_oQ{XuUpHp5f18X`1Te{zSxwmJ9)9R<%-Kt|hOU z87s?xZncu6krRhW^8@vyXu@0$?gVD#Ir+$|ZrdP&OWA;X4|7cmR9G{5+U`P3=YCfd z?#yR#DLu(iFVavcbhYC5l42xFfFy8wkY|?Y!eIrf=0bWxt~(oBA}S^F6dZcbJ0Wr3 zC+%hm>D&xU0(vUV!1=|bYM3ems2bsvklXea$Jy1tFfPMFKhcMWxDlXXR~Uc>GEV#_ABMF6n>jM z_8d8TZgg9d_lY&eyaT`6A`aGUeL_{B36E4$3*ynx&X$gHLcMOOnR=a7$NG{5uYUWD zL75IqEYr59eqoO5#&E0AJDSNYzI!z`Q!(U1k#xvZK^L==HaOR%&NTnHJ$P!4&;6P4PN}uau}$LUHtCW}; zSRuEqhV}k7$qQu}r19J(;Dx|$5uSQ}b!OjVKay4NW03U4GpY9O)(73n+D8%DF0TCs z^ztcuP9{fUW~b3V<&*1#g1|xepU02-WjZ=Uokdo&@X|U>6)f0cQu~T7?El?Ugv?l# zXq0eu3d(zutcHJg6=*H)UY2`{bZDEY8NsxmUh9A(%0U@D(!wcV3<&bk=J^lH0j?KGXAj}umz+i90&nK<@dzR9ua 
zT#kf^Fu6LgcDhwsa^>{qZoD)ccs<>nAIE94o=XZ>;HaG32xHx~?ELn`x!rB57cvB< z521C>@x7i7ab79$=!<~QEpHGB{)nx%9Ft)RL79zvte9Q(1v$5NCJ>T#%EU4vSMO)j z3;{EaG#cEknIu{+R0f5QTm{Q@iTz{@IaZ{lxpo7BA0$W+?-Zk@OgKz9`6QS@#CxO4 z$+foo=W^f~BOwZ*jsx+UJ^qHi zoE%5;@I?j$VkznZT?vO}5-VH zxlp9@kRxCm-?$G+Z*GH3QcmoAdI;@HAd86*xjtCTb-TPW8~($!8nm7sZ^MarPqa4z zxkrrEYM}8B#9qcH%+o5LVKMezJFS=T`>lN*(_i{#3mMHk$A{8nNh)@V)4@;CAhBJbSnHG#KcW z@qPXlVXo4HBe^r3WT>h5#EA5#LafFpkN;5Oc)zM$Bb>!}py8pyYnit4rFPUOPW>Ef zj(AD4l}?xC4I}$ScnAopR@$&du-o12x`WYb08OeI_?#g2a+AdRqbeRt(oRMW=+t;z zr8q4o+myv37A_O2ji2ajMXFSvjdb^(zs@$jxlIgPG9-p&Ht^IUuhUS!S1x-!=tCfR zSHzM(ZK1>bTnRV^dbDvzkc3xHP{?L4Jl5^t&LSj3S zC%fJSSm^|#boVWXIml}tms7FIsQz?eL&nHwWi|6Jxtfn11Xsex3cRT(pA6J1iec2e zPetA(S6ec@S>u2Wu&r<7WgIGm8gorNYB{~wc3!Aomu>GFKn*tT!46Fjz!=xdjq4(W z@C_Yi-`^mPHslQUIRp9jJhsM_b!s=60de&AGAV`cB}EiH3<+DFC6igC zEg9^wDl5EP*Sl(mug{TOsPHkx*Z`u*L+=UetAi&IQ|t^2hKI{54+qzJn3IGG+NKc1 zQ#aSd&fU9kK|zquu~B?|61CHDC?HrBWm@ctNO9FhqtID8wn_aS3tkCxu455aX2EPP zu`I{sHb#NhO8NR-O`1mg+O5)s$p-O$wsXDWG0+yY;cWq3^FR zUi{F72XJ3dfW*!{G1C^eQ5)G&F}E9NS+iXYkLB6cdi}4D4AqO%fx(B~DIzDU;88oc zcDoR_76WFo+x240W$6kAPr+FX)ofdl!mKO7u zOJYTihufV8CNy)q>+D00zk4h|+aq)l@BN!El5b)!Z%#Ggs2;)f)U>kKj0=W##mn?+ zcvpYg#1MGY!;w5GzYlR)P8mybH7EW@xILXoF}owKcI6R#J{Tb*D?`^_LMj zP@+S6UPpGDixc)I5wxNZ=SeiE+1zr0&@&=FdoIO(sT%2cb#Ue!>0OVSRh)wA%;nBI#sGKC09(Ll_}n`e!>C$)`YsHWX}y-r?3_1@kbtVXYM}1ViT3n zdd}H56l(@}8=f#|?*Fme@biMlk1PFk@=?nY)74}Ez4n6>7T~-1F1`(}_p-a#Cnvj( zO4jSaV=2g|=!|$PUKYa=KUgG-P2xK1Ig!U;&Wma92IWKnySdWfNLl+jUzA&3HB5-` zdgn33gL8$D#H^U<$!j(dmF3`0l76k$>ra6+9_EhIf-1f0P#-bfoJVtgHe!L)ua?Lx zDO@Mx6O{~V<;>~2i9D~e_tNsG5OjoT$dY`LU8qh@S$?Yk3k6Et}!wjx>ZLXv>$e46yM>wF1G@8EM)v_P-gAGZkAArA zZovQAF!i-#z)kPv@|Y4=f;_!P54!`(`Eb#EySdn*`4e#4C5--W>&Ym3t6rPMyN+Ll zt9?ZRk2ecHzf7+F1Z3Ds6v`ORORoCzxnyczpPF8HOU%GRV_erIch7qr-AMRdQx$x@ zWrXs)0A3@pZ+NO)0EH9Xs>FWMZMPKV16#jiV74+8o!4;$1HtY$g0PapI(E5=(- z8=$-z4xyKgqDKc_zmFSlECLb?e)m?Z_)bRuEPLM&9O11aIYULiDi=jlY}Sz-waGnd z1Z`g71?t6zf_5fi+X;7Lp*&rOP}R?O0ic&dw>uw7wqU#AYfkA+*)(|z5e7P6bB`iK 
z$uvn&u8|*T596yKZeN_uWVv|$-(1zdz!SeEBn;YnHgvl4T~C-Wp6LDSPwP$ZQ`!h` zPSDcMY;aw8IA%$==s5)Iym0>zqXj*`jP78u8B}TG!!^3W!T9}eq*$}R_1Vd2*b3xa znb2RVPE|GzGD_KYg=uwQGV<7R&Zqz59Laz1w*PuFd1RP7s}Yqb7giN%rCpJ(uyOXG z3XR)bHsckz2J==wJHVJ3Wti!DflB+UFd)?e{9=2;z4Bef0}qad^(b$ z`CEMcKNNE?jUgSf-KUZY$#VHXusn!9es4T>XsST|%vX`YyO_kk^CMh;eYN$Dt2@_? zi0HqpJW}@TA;10@dAR304x@dgdp_7#*@NAKT^}n>>>n!;!`6^1r7?vE-|Gsvu9A|s z;~jb~iTQlugn1&bC8}TH@KyP2HdZmSRKd629Ua^BX{c362)BsEND6A1=i2 zfBaPulao;vt{Rjz?wwTVZy*QJTpAS8vsn~*Ls%^IHx1px0vlw-x-jSdLZ>`(8r% ztmv#p1)i_Q;v%loO7LQNB3pm^+8Q5m*-48K8C)cI*y2mWG?VPdYN9pOF+e7g47@9=Y#Whc}+Ysv?F8Z zCPD0}5qfTBxHsB!@4G{08VnhUGXc|2&=&A>1?Lk+?)_9g@1; z>mTQqil4xjm3iUfN=%OyKp^hvp1FYmrr+cUk z_9mQaXlViG+CHiCJ+m(owB-e^87DQGV3~Sf(QZH9a^RHd{<7`G`pN!HG%PYz1!^P1Z8$*Jf9Vz^#>o?PYoxM9ABtZ8ueo%8k!lRV^>|eQ`GC$J9KDlf8omtY=13r zIZp=0q>0|qCqnu?ZFAa+jcKpy z&n9ZHHWHG3)eusM5}S|q8Ws-B2&n)0%ToE+gvh-NBmb#|t0zM#&J#-XgJ*G*JOf+vNONWcNa zLFJQ&#ftnqjr?`1hZzUp-h)&S(Z9c|!!_it_0Fs;zs!@PhN?hPOQMW_Ma&`|oR_WW zUpdr&hI#60Qy{Ffi6eRkiJJS>>2dG4tFWWO95>q@ns4n)rdW}7Qb zOC4u#jV%k5>D6F=f~}22iN?i!LZ;l?^dAmBPm1SnIl5yUX-q2Du5|^EsZDac6L=qB zZ`1#rqHFbm`$Q7lS3FvUS7ey%xlJoW>fG&NJrJq)V6y;vTM#}J?CzG3Z$DcFMjBGp zL_`xCL$eW_V`&^yNK{`1)zGj)D&SN zR8bjsd*uYw`+|;fRmd4^Bq#)vaf@{_3sq;MIn$cHH|N=RE^8aL_7Kc5`^;neW$(R!gp>St{`+h_TlQ6d(Qo$TxqZ0lg%FxT%7oKo8SD&aUT$FVI)iA z8z!(3D@|b9Of#+|ZB-v;*RY%*AaZb=X|4Y9f+o>mtBoI=qe|8A<-rpF zsjJ(tcyn_Y)Myw6`tm9C4`jo`Lh)>V{%j`${FR7D^3$)!!Gri40Ho)e;gxXlm z+#x=RMxQXabq5vuln!s3`ai%M`Uz!TM#Kd=q{+H5R2CT{@R`-R$~rzADbcOuTky)h&&exd+*;7;m*gf!-Di! 
z>|^bi-W#zx1RL@6rnq=w0SrvBD83zT{}j}F%28noZgKNq*%rYVkBdMgqLtG>vIqql zIuB1rC6HI1r??!b=^wCHvhoV|YUBDKt3kg0JK6aEB_cfZ3u@pNJ4WJ#>%6xT?qa!+ zv_D-cS8Fz&k47|U;q5^c`DFjT-f~`L5b$IV{)Er+q&o~sL*1D$n)XM{@N73XJK=og zel-3oIDEHhGb-PHvtMaRM7l5mD;z zGyW@&cJM(0u8`o~sX=euMFd0&=`I^+fz!x*y)t54KoLJ8%9Jl=5J9v4&CYazUxqm( z37jzBEhQ>c4hsHVJQ^tB?$2vHPgX9^1~Qc*2|2!9?oK!jGxW^&oC}nwm*RSQ?WkJ6 z_zPe$nJB)>Mj~QdFXUAJoTN$Y9pZYR92%2$=suz*bIlpx7x7%I*Lx}`ky)USDf#qp zg&m-L5WX<67%>wxaE!0^F$1k}=}72u$){fqX1{?A=t!O5$8WaUNa(HsRqXsTt{Y!Xj;@*~AQ zC$9HYgBlGPO#vywcfKR0tab#Sri%LbfLvFF9(XDXu>-?4r(c~*H+20suVm!YFoNeZ zxW4D5G>(0WlB-_ZRBfV7=Zy49{Sl_}^OOw*?B1XNcThm=`SSzhYYUEg)<6*~IPA-6 zIv!GLD%vAej@vR+T8;>h)OQ*Ul&(i_l=q(+RU8sY^qZprYJ>0olul*j(?m9KX*bn5 zGNIMNXt>`?_PsV~!YuFhqpo+Jaz$P-7|}Gq-CHIcj8qAv!&LjsfYCnbZ%qnJ5lU&+l^kCI@mx9 z%bD-g`%}g7KnDG`AkG5YJeUi`%|?=B>JPZ`4Sb$JB?THdfN{DuD;qQ18+R4uOxHzgO;LCJ zFz&EzjS6iU8TqV+?T)%{E4ue7>FJ}J8KMU><+-q2r8;Y)SByA-Y&BDseRqMUl*pJ) z%fO%j-Wf@!$9LIVN}hRs;$nC-CU-uViG04@#OSvXxZ2-#=QZRH$73o00^eJ%RtQX2 z8UPjoT@TvaA4Lb5$cg!!^3q*xa2E_LMg;%flr^Bk9o{8y*z@CjUy^>S4xw?KXR8hHT&=bYGPJ3*(T9YV-#N0I3 z5Y=)`a}||g&LtY1yTZJ}g|!FI`_gfhnNxCL=a0p$hIiLRlEKDY605yuUz1wCWl6c6 zKM971O_YbTDWP}^Y@f3t9=q-|86>xv3A*Hrf|flhxV#}_*Qo(eb=6`SU(u!7b+oK$SVpz6nsV#!e5NvXi(@w(ZQgy zh{Vu{MZ~S8EWF7$m>@NeoQQ&ylAl~nyC=pz5M70DYsP{Qb|kunS*y`lx|Ow}A~l2o zt)c^19cr$|d1$JJ^H2RR`hp-_fpgm9@y?UXk5YWDj+R2!t-?6xxMsK_3(vqU>YkW6 zM$-4`6B?-x{j%3ZBrrCXoKhcZBTx);p16br5db^wdC;2IK57Lz_LuRnd-j`Dzdf&& ziax&Vi58lqrOp)hzS)yHfTatI_yM`6x$4e|3G~H;O3m|XDU#P|Mcsz8 zwh)kKq^YOSh}xNK(|&~RaX1lLtk8 z-Z*hJYd}p>eC)lmt*M_60X#4{@3#<*Cf)O;JM8b3-N5CuDf1ncSnU>5ljJUY9LaP> zzXYT697=l}CsP;8#8a_bFE}muzC3;FA4!&1bis@}hgFTdXh9+g6f;2fe62YIHu_#B z5xqT)#KR83`FJLrD(WS9#pi*T_i9SjZRGSXaCWLqNAQ3Hw)e$oqf^&w_#*E@lFNZf zbzm!OHkW_#y^Zgi&wsYTf0~*(4`k-`WcyJp;Kdc4yUZ^+xvjMfpwJ!s!rVzS9D?@c#GfXOnl*LnIjv9cLY>v=0>nMPPSol`FZ*LON^L*aOe8{7#ko^q!=&53(}W zi>lMFL)|#%=^1}@#!KvTUY|0|r8E&gL$|3_)SB}cU}01V3!3%@-9KQFB$I6A-H%~;dAu6zKyZD~*m52)U= zVW=MIB>zBD42vevBVZFWYKe8F8E^ZBFX4fu-uWOQySE(L&S#}UF2uKWj((bY+^JD; 
zF%0xcGW+$tbn~#IFTvhTndM~;mvtz)1G=KzPgV`klijVNH%0Ft+p#85$j|V6pU;0M z*lF#FO;=s&eng|6R|u+;*z^7s2V79 zJ13R3db#%=t!QVrvdD7vNqVMfx`ECM)9g1a^?yLHE0z+DV6tTXmJEJ#ppH@fa-cVb z?xZeM6xz1nBm-gQ0XbV+w0`{aAr=l)$%3{l82yTikTrllvB6cHdLkEiRQ6v2m&sRFoGvlR;Qh4R@X%dHS! zMP8PDko(RaH6-RDv})ih>$2zSlhbnjY|Oi)i}}=Q>&1q{CmtQ-akXnN5x1Se}sIN?NCoYL=H`&gm3750`(`udi0uw|W`&PWWS@3%S&=%-y+ucoWfz% zw|Jf#Er?s=xIbmF(bxQK;-lq!%_o5uQPP&@7OVN}fs?|OpLf|L`h`b2TzGs#&#-do zMy%qN&1t-CS#85FCqyeVwIS5TNVP3UuOeh&oL;BdC&}Be@TA3%uA`i zj(YxHvjd8*m6z$4n|wDC$+=viP}gpv(zH}}vyL9l5KdbntvPkcmuhP1P%Q zTuZL5;pY4JGEWHHF$ATO0T_jO-chE2mT-jl5yc19=Q7fHHlS-i;(8b<<~(-2;lyXz z&JAu^{%q3e`_*CK9I&v`QQER6h<-JYGm=!?-BwVZhdO;vLBvc{E)zw(il0=l8+7%= zMKa&4DNw@ll`{Wuf~#LP&r*E>*c|s)saq{oo&)`+u5;#V`I$SpcfFSt5d?xR$lNm= zcWGH|y4`G>6Rk8atxPmW+l9rlni>0}wGw{RRf;A#N<)eh+vdS^#H~Mxz25)o|E_r0 zyv-H)d7OtJ5QntT@08~m#Ue)Pdv1>?-mVN-&kAOsy>2sY46V(b?-&6AU00Sb$w1_mtY*rLX z1x}z;AjY4{(XWUfn?)`x0T(6kT3ko_vOJ!Zy``?E4Ay^lpEy{r2#^BK^5Oycdu(Qd z!Cq+CKx8Y8%52W^yWmK%6a98KZC7=flZMhpee5#_wN4n@%1OS}a;46Drk~C3|+-&-tFo;h%PXt?b-ZAsmTls|Z*`DEG z(^Z`Dil2&B#O32)YiXkV-gGFd3)FL~$(6=;9t}8El76$PYe@`#Idm<#o*5Q(`AOJD z$)nul@j5@9{|oAS*5U-E$e|tu`ee6@6S2?0u1*}>GJUY>oNCgc*ANBYe7p+ksQ?>j zXlA7SI{y))qcGq~9{3!;7Tw59AINIpuJSoQ%_m;UB?sLX+3SS9E8^Yi@C5x9V9Zt_ z?IK}WjRkUh=T2tYxH4g6(s7MC!Ro`fHxV8u;+B9bEN@IeDoDZ|rNh70Mi1p7_=)qw ze$HXcc+a!#oI#M;3Rc4GVNn*(!zTXr6!|95S9$t7Ds<=EDnmc^hRWCd)3;_qCF1&U z{>c>0J2&@w>O2&GZ_CJW=EK>&JdXfVfKo!7~HZp2@U;DPA{TTpl*!!9-U0W89v+VCD?kU?apa%T?*1R z5BYZD{cz#*;1oNJ(R_1}{wdn_xhhx?8ghAe$%e$1JTE*YTp)^ZwweU5oGQW7&fA-aAFd#2>x#upWJnwx0>+tce z%$FXv>jexIfY{20klVs7J@9t|Pq{WnvY*MgYM%F;8rySLZk8T=w2IPO*T3JiS*&BcX1RXR5lk#;XHFR!OTTl* zTS-+uAxr*BVzCf+zUK*k@nop`0zh+{XZ3}HpBYVO3m1@F&6j?GHIAnu9lW!zu}P_I z;fr3G#VjpwYfiP~cY)q6imtpGT--|w-4`P2u2tn~JC6cPG?TCS-71{kg^u>ENHtFl z3Q49qDDN2Qf2}%k(Tx>?Z~4B)o)b1{Xh;IhX6`jV=BLbF3r%JUO5p zep{tlwN#Z7%}4@gx4C^DjYfe`v^dPmNkf@WjPB9SvZeb9#;$0FJtS!1FS?(H5U&m( zV4TDBUm^mM)%~zDO!5!?JA#`7fUK2v&$HpcSuM=SB&y6`TXb-oR3&44V*>}Z@6tbx 
zkR}!Q?tQ|8xI;7Km^#n@A|6)-90u{blXhsEieh zaYVgh1WSgB@zjc0(}%>1Nrf$?P%2Jw(WdK^(jq?F2$SxA*U79n@-9lnOI(6a`M2oQ zCOEU=!)ZPbTPn{B^=h|7FM}?2Obc#Z*-^q|LygsND|}UC-tlVEo>qy<8?VikzXpbQ zZLZJK)WLs^{1kV?(?yL%PI8pK>p}XsxdPXb_>wpqx#Z2%NkcP`Ae^8fe#$baR~J(_ zeSsQ*-cCDNRlRDHg%;nckY!7|*hR8K_> zN(~*uFJ_aNw|F13@RW4z*pGg#=^t{GJEVm2Po53RmW!e4O+!uOg`2^>YQVU#YE8m* ztr|YzKNU_<-oVr?2)Qg&3YHJ7>pR7w#plcvP$c<0GQ-1LyFZBBHOVi;Rv+J}KKO z&5671ZEL#yR@E-lH{?I*c3}Y$N``1%*+wtLE%^t?!u+4JoL>To4KHzH(pbq3#A>mLv7|wifmUq*sbr`TOKO-@>ahY44f_B2q|%7NOGsn z(zIVCtUKMtO6BtM`rw7awg|uADI|Xr6lN-FB?S!L!5l=DLKy{iGdz#;iENsp!j|vr z0@_8^iGQXqJ9~7}EdD`AVdPuab?~dU7fiR}xDwmyLh6~>UV+cI*YM}S!a(Z!Z`(sC z&0&Evp_s{Q=*HDn81N-1p+OVWK3(Nc@;8IikIH)-U*w*#R3z zCnpYz1LemDyo@*R&cyOv%03+RVn0!H57aj2CJ<@x?Z?*JKY3!>osgwSmf@*K`Xf&k zsWw;fg3fHeD8;`bW^g=0g3xW2f(V=MKk5>$@42*49`MFwMI_`JAw;(8PEci?gpTQ zNVn* zCx;n3mV1y-iwJuML?-_x)k* z7b1-LT35V>F|VmP2qb3Utkw^5gv2n|(iHq@ocy>{aA2nk8p%Pktu%+l3R4zD+LbW8 zme+c98phUEC^8e*M_U9;6u%Oo9sZlwQsah`RSaNH<1^>|G(7dagWxn=7)QVI`{`Qk zE_cR$yVpES^GY53w!2^>GVC5lZbzz}c%u60dNG;`K*)48Xq<9mp6T=M>bxsjTiuG& z@Ye}R%UQ_5`~@4Jjh-CE^R%YzB5Kj%c9cto&|8Pw{IBva&2cHrZ?#~BR7+D$Kt$)< zOq8_k1wFs8@PcuV!z6{b#tJ=CYgOA6Pvz8y z<65rBr)??idP|%e3T1x9?70qazWzOm<6(z|CZk+=_ez~vD*)<0AGC13Fj;qIvC`my zL}*97pSalRP)D8_15J&s5S^Pj`}Rn>Sh2htxFxECxTE+-(=$G`he(bRCEc3X!%iyr z{tk%_fB5F!F)9~^7@WzA`9NblIu!Lz&M^ITE{c~v@W8>~cP zUT_n&vDw8X1TN*7rhy2x^Kws5;upAo2gr9E1mW{NHEZ@C4<-5; zR%hB7w~p}p)hw|@0h~(EA-6>L?^E&3>r7{tz34}TIZPh9ui})#M1jVU!wt{8i7~E= z;sWQ4JYQ5Y>jfgKd6X{F-6@cSnx2GPZ~@5!nTX|55iTNXEh4j2Z;DGS8c96JtUzSb zyg+z9`O3zBWmXs|mH!b9pS$W{L`E#mRY6w0m zPo9duR?s_I#q&tyt-A2_9WPltx41#vt>6$>&>WXQ?A#JY!(k)Vr_QF#<_mMx8Enn) zi7Amn6*xe1qM$LVz1R;1P@kI?*JM!`a0~E3>l2K8;VU!py1ZM-yS{_s@|G2lmBp2_^)G9WW54_@tqFWZ+Tk;X*flAHwKM!aFs&+ zIG5HEiNXls?=W>?&j`P zW)pzNvx;>der)5-)8V4Eflivc6qKTUKd~I`PgHi5BireqrcPiYeM1msaGX%WR>KiZ z4c|p`>5kHUI3P@ly5s_vA?vD9S7M%PRm{ScAMjQ|TXlU>x6&47A*a7OrqQRhQ27Hx z5K&gmCW=R(?uR43LCk8ikFJL2Ct`|$ezVN@C^R`3#@nSK+U3pE<=lBw?e@U0a 
z`a>C4LqDZsA*%4CA$zaNrEV-TeCUk;fB0MOh21YQS5e=pDKB-sU1R!!p5UgH=d;pu zNEVoUCLB!z?i0BF#v1#PX~-LSmi;RBNe5F&(eQr@?ROV%i?rG_r=o)`1m&s9j zQo%g)K%pyFaL19a+5waWxa-L)N?m=XsP^PbI@zy!ue8IHsC0~BpnTpXa%iEMd5$+y z(8dFyIayEK`t;d(;q}Uzux|Md)x3?oUn6nA16;)Cf;rUYra4)`6)^gsxsN37BrJ+7!)aG*hXq4i4yeNP9ETi@m$VCflYk*I8(sa5b zPm5bevZUVd%i7%I+%yYNw@nuo8l9AA0#YU(1piG{DsSJ5K{$PC@8wU0Mqm`23Ij3q z>q99HMibkmcl;{DP7#;*j=B|&4zS5oRO0f3uwA_0D+9buZZR6XLhfc)KR453D~!o! z1&LlgZ;<1`bOBK-@89x=H*Wzn2uOJB??y_!WL9#%eL*U?|62f2%J{XBzvu+4weUB5 zh9pJy9sGbUX!5rRB%}*HM7Z7x#Q~s2%;&vA=UD*LtYBU;I zRD+8*Ja_1;Ci-|qsFL^KQ=NyeubNCr|D`qHe85|hJyhXnH7btrktv_V=L1Xu7p=AgAKUXMRbGCz&6(@Er95H}8^^`OFzw3~6Y{gP4D=~< za;)Wtip$AxEw?^FN#y*(oh8!_%3 zr1PC%1()o{&KEP}ySZ{L#V{hsyxLIZ#5S+wwjgyQg2uMwz|66=v30(qLv6j#BM%L>NDKbcvS(HPDFb8wTB010q^3L$&DNdgK z%Yr{_BstZZjm9N@)`}DS_B)Gh1tzd~vGW#uVNAeZoelZaATqc~bU&3``^|i%hyuiQ z_@k%7HZVgg9+ovvZAD&X_{zCoq?HsGPqob}IuI`;toSvd+YDbfLN{&ZtjDFs@AW5; z4{26I*SG`R`xx|_XEd*yCT~^^te7`jCx9KkzOwumZY2*}r9jLtw)dp#W%>@^^9(mV zzy_B{IH$lf1gg@w6!u){p8gDXDaF6o#}SNHHiG3%%5e+9;wyGclUZ02mPni>#&@Ff z<~t8U(qrG&_9ANbuo|hYyzg;Xr_&5%OlwK?;n~f>Cv_d309k%-%xRxBnPlFm;-fE} zEGp@1~dXh|4Q*M918sXnFR>NFD4hz zfayil$G?ghB8g?yoC`ET&lg_qK2T?Poe$aiusdvpE2OX&cX-`7=<5X8Rd=1p+=?xX zS~d6In#w|&O32Dh2Pw*Z2dxOGC2(2xvFh|8KkCsf5C*^5L9|1-3zj-5Bo40L;WONZ zzO4_%M+?jnw;OJc%Yg+zl&HqGx`uJ1E~F&%%W&IFxC5-C`n$=(70>b`t*M?sw<&Xb zjs(^qf@0HCeVI{PM+Yi$IP6z8-M-rnAXse#7zlS7L%N{~UWr$+703d28IGJAG4EGg zGYb#y&%6537!_?&D@Jzm8o3TPBU!kk4E3)zKvv$S(Tz9Hn#djJ?dwFJjzJuj%6W3p z8)hJB2dgaVZLEyz&p;cmkO;I0i}ItiOxi*W=hlSznPta|VnYKc7`& z2<(_vt7jPJU0;4-+0!j>RJr;LQwsT)|MXk(yh_n)Grh^Fluzl8K`&TF;-7kRVTs`^ zZ8b9Vdku_WI;~NZql53I%}|?T6$HuOvoKdz*k1kuiBWbZPSPplR2z$o4M7(bJT2Rx|r*aNX)e)OXFJ1}Tt=L8*pm*dh zoXk0iBg;j|z5GIt@fr`7KegO8QtWt;h)yl3WN{My`LW5`1DEpzn*`@z#@29h#(QRk zUuRJz+?NVAFp5(Nos(ca1_Z*n7eMm)h*a5r#QuG*DYm8--b&V{(D=@Ld1n^iEA%wI z>#o%IUUc89^XtNdgC>URFLl7s7=FHk*;GO))k?CipO2-$ea@4;DgDRt2In-^qx5Pz zS5FW=^k-Kw>)dbSoB`P}EGU2R562qT2*|x5@?jG4AVnG*`-#Zt=3X7Xsdj}aVd&mP 
zFc+b&UL!wU*IQtzcjWSY6}!{dLmUBrj|~=(5$*;MhwZ~hs0-_yqLRUZUOHy{#79sx zE?GAQMA_ThFB+>V;@>eT988ggxANJ?{pqUl>=Jxn3pucDm)fM3&*S$+627{JBlk}q z;b^-%M!H-dXd_7?C8K8jT$m?arD#n)W|~7m3aRu;&GfxOYrn~E%t)p$3ddhR}klMG`R$9m#C_&lCxR& z%X>VuW9;Q?uI5d^xIUs}ajCl-p=bHkh-X+obRqC`c~J@bbxss05KPuB&cIx|_HJZU zbGF^Mbw&@)pH3l6@-wDv*&vD*m#Vcz?W^XoNr+=-0 z`!Q^#wrz~sis+q67g_=n7NA-@7Dx5}c7_aE*-y(cp(`vV)MM=Z7Q9 zMHXlOYqDHlUe4KyhSCP5!gE5a~q^T|y>Cz)yyIq3}EU?06yI^u3m&u^=N z9`&m_CL2;UfbrnR&yS8QPtds3-65z!{>aE@+Hi9ukbdiF+T~(ILf^H7X+0BR?uYLB zz`ARx?K+ZbBDG^AD$>ffJsa&-8v%8NQrTR|7h!tM@^`Ir2@HkJD7cgFsNRwKu5);- zRhuUxU(5y?8(VG`8VpQ4km5WU`nx1B7$}N`t^$$|(~&Vc_(;9teD16RV&X`B1%HO< zJEDxHHwrJfKTkJWOad)zZhq#Q^6Tz@{fm6d-iy6Gw!QBv3@bI|%>Z#o=$x4sdjgU& z4-@~m2JqlZKKTm;2Zu!J`Pfk5*Krw8&%W#{-r;2^$DLu`j4iwbGAIUKaxm!ai&~c(jX#Mgiv+K zd_0++si$14z&5YZ%pji4?B@bBT^ml?>nEQ-vxL2Q39Y z<_IM!X=~F#FM{6(>kptGC1WZ`axiGMM3_G3-CymiUJ*{a1A52kUGCRT<%dFOgX_V_u;zZuu0Cdn#=Q;zdK9p!9^`s()k*wL!s}ip46*1m}fJp&0&$~V*S<~A?AZe zqb|%-F9L~DG&cmTNNz)oaV8Jk_BXi=sZgyxzdLEvV9-&5P(@nwgha9%&wL;m zmrdcdMw~9y)CAj)jeJdWOzT+F)gFdYj^$JKTR_eDhTIE{#Up5cci|Wpcc*$EPIi=k zr$Js~V`XgyOwT>ok&~vv9jo${^xe{PRuH?f8u%=bX}1Aoez{+4KT182r9$TEStEzU z-B>irQ)IattY)4^p~TV6+8jKj{sLo_!6+}64=U-~3#ziRtPE?<>umw;;wyC@S!iRU zjZg&j!@j}~Fh`DCr6pRZm;Qv3R#h5wGM4MNOEQ1&f*QASmgjC^fA<%DK0jb#zugjX zdd$i-;T|CN7FXNZ!j1yfSg@H*M0Z9NrdGB9Ezg>BHl-qzA_p`oZLDPukoqC*dUE7W zBHuYIl%f%dos&LjVxG7zzc5EWKT8Qp>8L{b(ca)qqxGNCJvk1&TQMvrP%llOf;1&E z8OW6D)B{O5?aC%0$+ytwJeH1Ar8fyy1jcJ>JC4y@{94^B*?N4gz>}qsdB?9~)Wlr( zp(lE)f}W>M2h4j(d+G7??T+tOS<)7fPeuFhW~)TtWBa0oeNU^qn{{i=&@9Z)CiAD_ zDs>*Nm&5n(x#5I9P$2Le-)10XB>DT$Ws;JK*^jNaPIl<&G+%!+c)7RY7~Q-;zjj%_ zsGu@Xty7G+KJ2XGP;dNu^aWy$!x?}C@An;8*^%h-S8%-TTVCW!1 z!Fw8-y_#|0FT6lZKS+{x?Sy{Ap5;zUY|22s(*hHYF95CFj zg)#xS|I$)1BQyXIPPw~pY{i4e%$)Cm*}5tH-69?y`m`o$fMIoj@$_sPI9qpEmjKwz zs$FO=<4mXeT>{FSZ@8&6(?1=P>I$)Bnu(OG|0(Q`{=AgsUSH@wH?>w!k6I192-I!! 
z_}@?$PJ}RPrx({w;?s%Gql7d#M82hX;N2hy&mDX?MNpd@G?(1}_{gv4e8y7;C28+d zRc^l#4q3VRjV-FXW_nwkxRSM4(HWO=vJ}CLb3I{hkd1DwBQt)pkei5^ewZjORC_Zw zwO70Q>tZZN`B435;^{CWZ*<4K8S2yZ1EuA-3BX35(fj^r+-dofIm8Hwlt$Ivw&lQg zs@&L<+?q;0Lot+eDq2xs&#gLIFdHMO;PF(INu`n`eJ@%feEZW&e<@=;o)>aJ@55zy zrNyUslq6n3&u39y=w*Bmck9#2i!vJ3s3Ei(s-KT^+@!o!N#cXyd@`koTxr1uRifxu z7-Vm_fi#6V_4+?dxCa98n3~pa1Z5wNnu*lc6Gy7C3n!J~A0WN}K@l4deNyb+9hAy8 z88Y*OnPQ1d?+5HBmfrWY{LXhs9@|G4#pXAR>@L4d zc#Bq7oc4XA;_d0l&++2lHCCH{V{Keak|}=U`#6+m$kFnUa1iX&V&0o8y7gwj<*58d zWft8!_;VWD3kG@YNy|1bxu1dCopTDOl})wd+J*A!d374o7B@0;3{$k=(?^c4u#u3# z6mwR$9Xge{ria$ISFS>}8db0aq;1k~wk;x9azuXsrrnwU`VXdbxlHuTe)|K~V zlX)1SxS8Cthu|mTeY+vin?rHr;V=xi_!%CGJb%dzh?ZnZWln(gMR}Rj^4SB&&0#~+ zdO^FrEIkIQR689ncU%kgo|@#C${|_C@LH}9-WZT+u~6jX5Z)640$Qdn2)+-WPJOKVo>dS0~YE6(v*R~qkhZtIeDEF?53lJwjC=w6FYp4 zSoSWY1v^FViJj-jSvkEh2sz6DwL6Sm!bKxclIV6U>{_w|QulLr!DAWG?_iEy#12H3 z^`F%nx0|79t#h@HhpKm;gC4mZ4`KTkXYSjhH@j=_H_`7hy7rH5gbLDKEk(`Gns1;R zpQc`>!gsHbZ1SFNmUSvbFwR-L_On~R^%?^pGJ#Q99iCUQduNO!T_5pJH&H7XPJAEV z+?3P4C{=}Mv^`QSJ1pafW{nv+oRbK?w4PpBzr{YgJw|W66eW+mTHws|wQIicmnxQm zqSvLo-Dr0?p`EQZm49rRt%0FAPEc3R!<( zFH_MjYJQ6PeIV(2mgKit>kgJS3y{rKCyCW?BeCJ> zjQt|Lt=O41@W60sy5S+X)mfX-)bvhEkuQ%pI42c-INbhO*mys?7$(5+_(y<4tkwko zyAIq-mlA4@N|M0x2ShfMqwq`gSmIh2;JFN_-Al$Z$aM_SmwS3RRzxD5GH7dA^XB>) zRw8xMsvzCOS)KwhH}IhdGXEH_b}#yZ-AU6!aoIx8gd@6>(0Ysq5OjkVxIQd(+8G*{ z?1H}!N22}_zwCJ|tEuZtpYF9ZF%>LOi)rUr1SSbXCZp!9nO*6FV&HC+kYk6lCEM{i zt-Zc{9vt7@4Mh5FQJ6*}-rob@XW+fh-U8fIr0?}nOG>lwBQmv|BVIG>k|TWj0q^FC zCirBc?KA%J&6TPcooDw|?4QOkC~vA7wG*O~Sn1hV0sLhGej6C|-d4yBX+?0u-sACk zvG)Rna*61~TOL}C<92qml;?lhi5Tw}@4kP61H<}5S&dKv2oO-K#7HZeH@vKWk0K=Si~;cpoJ2 zLA6XK%-DWWL6a?`xF%zh+Q5s#*&!`y_brjmJJN9xDH6H?c>M@GJpo;06*o`s=cDM$ zsX$j8J|vZSt0KlmZ!GMYUHD({t}CBe1S?wBIa7puUlVg@k$Os17&&-y>N#$I+GxIe zyBTq2z%{~WZqu~p8wkcTd~K=8YHNw?;ey?kr5w1x>8XbfJGu{SFyenf@e=ng}rX%zDbPnTSlIw z`vK#K-AXMJ=2jjOv-oA!<*!YF!x|&eADYJPJn|#{r~JoB6uaDl)P~sJ%`dTqTTA?V zx5m3$*zbDj-R2@2Au+XzMy*&Lm&uyDuoSBzL={oxKHAq~^Pbi2#rwfQ$Z?mMs^6aR 
zqrl~U>fD7(K4!*uL5~Ok|22)rS$*T~e|z zRI_WkI>utR-*`{Xe`hBvtXAuhveraxToWhIPSyk`*RPh=`4&8SF=yTy-B1ml_ z+CTp9*~&uw zSrruswrk|?%HRpW2I|;=FxZ(n9=$qg_LD)?f7=~2r0;-`3=;|Hu6-kOfdR{K&1e%& zD$7FUe5~G8j!6b2(LQHx_m$1ebUTFyXyk=48b0wKA@c;gBrgj0w6Lm7HZ~2X&F8GD z%7{;?Q@QO?Imt*jCITYXT~=6mWFaq_HwtD@Zi;Jf#GeTKVy z=lhwbj>Tl{E8TMwk%wNE5y{MkX>tM^-Us64`mRaiX?|>dud*=1iKrbOtkn;`Oa6DN zBZsWrAK2O}_2ERI^nLd4!8Z|4}% zB}yikverGSOsSYO?84(PU~Jm0}9Ay zdNfb8yjMNJq>9Q87c|8Yv~S8YM%I7`YV*1B=vLoUDB_*PYO4W7=c7Qv{?8WftX7?0 zDkD#24@AiFKwJAoeZ+x0*n4C=E1x70JhypnBVJjKd%5>1$!k#n6>alvtrXEolgtKGkr$~B8&XD$X*Qt*fky=q{|YTflaara;X3FkW+W0{Rd z@>&)Y8PY8WF7!Wtgt-0bs*4CQM7VFYtfk!=P0%nAFLGQ-byUXmTH*B8B`ep~@-*J+ zaz-`;1;M$%j+ndz+z|e)o^s!M&ZPj zp*o1(Wwh3O>esC0yqIZ7Y?|N>=iOqh*(YA(_^Spapvssft>U;THj445kTu`$>N zWE&CQMH25>yQ7`2XPHu+^EJcaGGv>^ zPVtyU(mO|9Zr>;#p$e+p)M)9)6o$E=|Ee z+U6J0dX$+&A>X-7|NUTgY~oV3^G!fpP~GnZ9|Y)O2Oby>9HDrS@BOyK{wDdXZ+;&Z z9%6LlB!d<+Dnw&N^4T6grP)%w-{(@H_jwNbW-NJiK7`*00vRF@RMvnfsXY5%6Vskw zWZT|XQr#x*djqynzj^Ae$T{Y*T26}Pjde1kxFPYT8s9D5Vk5lYSg-nU8fY7AMvfIULUFtSmY7eEGWu=vE`F^JN! z$}-g`takhP8W~TBjPmrJ-m4pb`SK&lV{ceGr7y*~`D}Gi|7rKd6OqS&(49o&%xiWP zR`epqf`#qtKrrPzB@oFL-xC4$?>j~lQUQX6UWQJni;_cXX z4MKHwIctDx=}s#=$32@XTH%RpahSG0Cacb2 za2PP1y4kOVI-k@QN2H4qvPHCnwVZKSbkNU=w!ZWhKj5dylviR?&$0lnSZ;}peC~B2 zAWS2oIoep()nkWpnro4UZCYjlDy2#2FKL4Lgl`!>Hx3gNya0~b)w}s8Be?LE+8SxS z*U``G0VofQVIHcNkatRl_uPJ5`~l{UwEq@3K6sscgxCubv9>^WVK-?G`3RFkQqH9d zqRwWQo$&|T+DjWdss{_SOe>2Ss&ZFiYc?i7^hHkrSwb=@<7pm!Q+@WAC-{zGX`UGF%O@VxK4$Uyl$J)bnG&+(p641P0&CUkv~OiP zS05})eBOn(^UX6OrCH7M7(eG6Tz0NDDoHwJ_TmOfsU_)mh)cHHd~qRUy_{zo{p38RC7|JYqt^=^o%nt9>sk%I^75wY|3K z;^P8g^QbQ9^o}b{1h++4)DNTE90PB;eG66pVAy;wG?|5t3oGKoIeu3QRWL6fYX(w; zwXoM!Yn`F5ctGwk)%&xK(1U}jQGFl~{bahj@Yt%^bq1HjvQl?i=^SXHVObyfE(Eh>Exhmzf00`fH0*79V_5)!p2ac1RpZjzTt-JS{>M z1>>bJPhg8;j1pu~0mX#Smu6L4rckXZ`>u;_Y5)EL4zL~&AJGcSxCm25u1Ctj?5F~xkg zEVk9TZ}In+FVuI^P@~eSQLVK1(e_6hH!$0>upa5_!jBK}+EelR?wMZ4nZHJ~DmE|! 
zi^-3b?pPT--i>LL%-v5EoEfU~T5L7#!@4p|b1Q{2EcQD2Nt;&;pych!Cb2~?Ug0)y zcu+{EQR8j2n}ep=^-UJE%?+7p=RxV^6%X^}82Lj{a1lKY7~2bkO`zzJj-M7+3G+%Q zn_Eu5>^{z#{L2Ek0e=j#V^jt&{+>K_;-!j6EVc!HkL7n`^S8%65A9dh7mX2gJI%sG zgdPtB^#y0#X1jaOZh28K8(CxQ%_dc%@4x|V7g;iX=uMx4+Uco^=WTWh}r_Hiqw z68pL}ST3oVul%F>0XuJs;MXT=_A^@wOx-N#si`Ci!v^agts2F$j|=r4h52AyM2O#^ ze}|bskaj`ed9s7sSe#(11`JalR=cUFOo4mOW@^)|j%`BPD%Fes!Y_UaebY|kw`jhb zFc#q1G{o&*&oxe`ZW8tJ?IahL<+*z=i}@O%?awaP=5`ws3Vi&kYl9~n|6(+JXE*K% zw%loXEV=Puw$RhW4mthQ;VVU$I(CF@f3h4D#(Dg0Az_c= zwg}I8qk)N4GvCTvO3a8!04mQ(KO4nY5SEbGce06;FE{LDvA>tU-kLb$jjN0lg;VU2 z_o;EC`9Vz4Y$(}QD1VY02zR{{ujRg_nKYbCq1k!#O)nZb0+xN*o#?DzD<12)A;zly zQs6ekf>v?dJzYGG5$8YzSeYrc84hP&og7!eT4BIvD831pz&c_GX23@%L z>=x5Z7W;miHhz_)It1NM)`TKNSN>AxJkat`3UF@o*>_ecTHg=nJ*Q-j5#E;r91pde zCf4^kD{jwj?Al-5oZJTW4c#PfkOh~Bz3^eKMPAbie5+>=%@TRb4$QIH)6s|paq;&V`TdhEVi@UFw1hqX*r${Ji1Ps zSZhwiaR;+gJSwbR96}8&MucbT`RMyy>2GeE+TmE+Db1u;AvakjBrIjSh>|B@SFoEV zSs3{Mp-T+ag7XK92~sD6Z>%c;Cs*aIbZ#Aw=_ig|*b!Irv90<`Sl6RZq<+vn4hM%r z^qV)pvB(;=@}>uw&X_mE(PtE|gw6{u<4WhXOu7>JAR??~&&$d!k3FO|cWl|NwhB|} za?OJbs7L0Y3@&6oF1j+k0*7Yn}9)s1$Clz6Hyqa33;XX+(yjgH`vSFb4@YY%DOjIEKx z?)*|`tA(K{V--_Ab6MTjw$a4io8;S$k|{{HkYIYZNWy8N5aVv~T5!+b6;tMy{S>N?d+{0B}^_YyC3yNXYfT;wQ3j`!l~m1e9++h-7cO z(DemVLu+u(wj`e6>ll$ZMNVa_tffxfj{$Yc z)1#Du|&dR5_a2`m8KO^ewI9HysU)=qyclHHf`E`X`dhN8KWtJnAD>^=A4+ zp~-k{$34q!Br&tOB1}zoWczQs?N5k`+n`X1m@Y-sDLwvg1r8MOMC?eM*C=ULj=CuR z=2nfVk7rHsr~rPcaUw@M-9>f_@9*+@JvBZxSZE4SiuJ2aWUzgZOXu%}JQ&?W5MCto zqL6UU;|BFR5hS5>2!`(X9#iIoTjC}YtD*S)fhR=GsEja#cNmU=5H2N}f%-=>jDBuX z;(lf5x;Suo2KxBtIMY;TOr8x2{pc+DR- z7~wBb8ab>MMIDI+;L=PgLQ#(q2bu1hJ>l?v7XRq`LG*FQ%5%;Dll*H1a-LpZpU{}- z2oyK3u`X0vJ>^top(a5%p>_=h&)avIaB&OmOM~Vj(y<`d)^+>|_isdLBdSsF`Uv<1V`C!0E$W4dv*Y4kMJD z|2YP+-?^pu*yZL)k#lExQ37iyU$iw@dBiAh;d7JZU>SR}Ea;-UhcU5L5(!k!+U8YXWPH^qI-5S-$POZql@)aG4G zK?d2M^!Sw(ejT9l>4A_3@B9U8Dg<2?aFD|;8ixO%7i~0B#GqXTJ;f&%c3^{Rj{8u- zC)Lymo^QMrR{)lk0;e}*hgipi6~cJDdn0Up;>?d{8xBm|)K2@Uj{zRAp{A+5>g7%~ 
zUVmxDfPpK2f$|Q&6CG5bs*k}<)_lq{HvFS?_yG^moWgD~PHeVvQ{5MemG*N4-8J97!*zcVitESs? zYN&K8ZErSB`IU7z!;4->^bh8nrtJwD-q2r^zHCaD!XZ@XTqvB{erXKLSo8z*BdZF0 z>Teg};nft3f!~A-!SjuSl?4Q~NaLBxvnW3$e119}DxWIT?|IY!(S6 z?gfAgSNv(wZ_bwizofh88BArz(=d&ru(TJOe=N@Kiry1}62XpJ zUEZM&)1+*V+|N1MWq3;Dk((<46|noH-B0v|%gR9yjj)?lixIjp?1!AIWL99% z&(_WdAk#y5yiQ@1NTi^P3xycEtgZHWOaJ=?1kJn8HA-9-q5mOj?g+g@!NQ#<=|rKl zqt0OoQ4v&Ab>eZWDXcs+TeSwTcpn=LILTrOv(-#wMP+?g!=;Q0lZN4j|B<_(nCb|$ zax!Uq(4C15I*Hu*w{gw^=~y_^wx5T*TqH{VamEh>%>-W*t|};%iuG7YgIz!!r=)g_ z?^)Q<;Xz8DYC6}S0$V{9605b$EPqgtTzTT7e>=m zI;rdS;V9Sx;a8ZZ4MH?hT&yTt0p2jSrl>b-&y{YU_=UsKFLNw{EuA&V#<-5KMU>y4 zP|Rl#YB7!UlVcuy4P$GY`Ic+#G(T(=ddTrI zdB89(>py-9N(#u=-;RNCKpXYk@Xtx2__R}VAEsk-!W(sX?Yui`&hmVKR;>vdkw=n| zs%p3lQS^rv5j-Hn@vp~?9V2kuyWllmb=U-q`xn0_0>3Y5sd_~=({M>P;5XwJ+i<(g zVqgQ+S-k}AUoMrRN0AOItEz=$r6V*s#VXC!P`DXDz9&p5!!|Oll_)|fMx>c?*TLnO zWzNx3SKy%+Z>z6XQBWobcYH6%vMiIZQcEZFj%G>T8(CE*zO;Z)-K6rx?YYFU{hD@Z~qaZ(+&Iur=RkQJz9> z6sqp$?@Y0;2LpuLw4@!)+;xi^mHz*3hn$elUHbDQrC;1-@chz-uD~86+)L`>#-hDm zb(L8T6Xx#>VhULuI(q_`shv?=2aE5a6h@%Aj}9A5!4@Qbx598I9Gb$L4Ay_GfzRfs z5qR(zzY>y=tVu)lPf3<=kgkQFYD*il>NAM$fB$29MGp0Jb~>F5iYnJ(7(0k|Y;~K6 zf)LC808&yF@pf`J9nbeg`kM~vMSuXoGe#lwSr_HTkr()>`s=5d0rQW2N%k8-`Q=q+ ziux+prYd|TU}2e*Q^Yy#fJsGU)%Fab9?S7=X8A)!wf#q?GJFHp`kf?Y-ny2{srp6l ze|LI^KuZ@uBoBI$z&jIIb-J;!3d1RJes3 z>lgDE7xHf|P(~Fg@z~WxDo%__*VpR~ZT&i_DgFl?LLj`EpniGveg4oMjG^XI4{K@^ z@rIg_a35?`?mC~=3zQO%2svkpxgK#cV`Ny{QUzay}=;e5y5duz^ z)<82Rm!ElB4v3gCH!VCHD+8u6naKQxWcoz^+PVlJF>Ti7PhkmGb-!gc<9_*w8(K3w zk}V~e;69#q*tk;^jo3Iyhh47FHypX)#EB*@!Co(WHctM<&C0~kXBKl5C}q`R#+@d|I)Vd@?=+40lcI;6ifb+!-JdR!Jpq{*&dcGR0D4g_pgn43PNZ zGTh7~k;>e0YULg1_Rn2i%i*~Nf`A80+gNGcBGa`>=ezQUV2qw4CTBjIyg`^^|Q#((xkBXEU>G`jaEuL z&vzDEe$|7g^Y@N0_QXkQqk;h2ljEh^sP`XB#jT&Gqr+t?Nj&d^^_x9;&BjwN;3T=f z==z-$f0S&p=rruk_u;xc_Ns3q9Ss{LSHCj zNGay%PX&V)P{mf}zucUx>~fI?Dfj<^Y}y?A{tILy*8y)}U^F3vgr@++OuI7v17B!I zrG$W3X85^Q&|jge$c8lEfXrH?C!4SPEsx6+zy7dlmG~~mq&s10<)HUp z(|OaLgw>L}jS8rOV(dCUWy$ydCPe(b(AZWfuQrm9^3T)1f!jiNaIH}CGVT!EW-&sN 
zN@)OVzcf!{#joC`bxw8kCHObgJ~;eWTBGKoM{;?~gnDH1O0~3=hrt$V@UoUXV1RFB z)FE+xXk$3;_yqVDaoRVLa~mPGU$UDj3;CD#T#Eo%PwUdrl33 zzk+i`q-ZG&pDuql7cl$4ttMPdpJ5`_@Vm?Un$3)pYT^0pR?H3~623;g^} zjOE0v$w5)NIAxb4+>WP8;qP7*=O+xgGA2gMTm!vhstp`jIHVY|?&zt@iqXbYhbb!; z^|HqT#bot-Lq;gUOlecN_y4KF|6d%n0BZX&Um}Dm$?S08Keq^+1goLSl_9-MR1Y;Z zq$C6FsIisv?Ux&M5)aKe^`PrC%X6+}=i(obO~%H5^gaK1&Hrp*f1Iig zWKnKv4Wg_(*j3U7Rm#$N#K9@mcNCy5N%iXN z`3IlD!T555_^Gd4FGpZ-R3rydQ~H~xE!`~Q5MS2y@`3wwL?4|sLp10y#1M_OCX zhNx?K?2xh%nn!yIj50`h#%VVTbk) zZ0o;5`JX8L=K_GVF%pJ*V2yWCJeGsyEVTtKvurEDnnJ5EsP2i!ysDA65N`ze`=rv8 zQk_^Nr2SA<2$0(w?3L_0l9bclwtG=xz>u98{6np!W`?XM@qKv=WV$nwPwdliWB%vp zJMWGb@r1Nydv1kx@fIp=rqA3z2^R+THR&uP5UOTiirc9|~vF{QN* z7J+vz%^b~_ioe0k;t(TXFtgB5jFL;>LyBmL2*hl62W- zOQ(Usp1iIXyEinwgye-*E)a-Vd%%k2)~)>|t6Uv3_%g0myRwCDWw90qWpVoH>m+V< zNk%(&089DJKiGkaT-1o8P+Q*j)rxkR)SELJB6JD2XJL9Ue<6wm2_|ua1^NSMFk+N` zkeF2p^LHwS_DaO2(MY4*oD!&lJ=La2)a6jNN8e#9t_KCl&_v-!$D>_f$f;%$P z?<$kkPT^|38?(WIk=TweDun`}M|1hLV5R)b^mnI;-|@clTP63F<{H;MRzL1Yu?U7f z{Y8S8V}n+RBCWQY5y8EBN@sC?q+X2JusoJyri*+8S&2QJ&8FC!srsDBo*s!USR8@m z%cF}h%QcSlw*-nheJwt>K^R(#5b0TBj%8X`q(eVBJzrwJ?bO!;#exoxa0G>Ff66~x zJm$OkyECPW-j86lZHRnEh=S!y9WvkyJgklp8r)KZf3OS~!SY`n1|u5UZ@u4HnG6iM)gh<44RbO z`aG(i9Tr%qmRvG|T(1I=r>*cA$5sDk^?FH!zSBbfx$O!euQ|3FoS@6r3qm zigwSpUKB!%r_CK}drET#od}F1v%QGs7}H~b+rldftBgyK7VGix@uG=|iO*TFQdCq_ z6ISoE??m|-Qoo6d3#a{-*Okd2T&)oo7iVP9tMFm_*!27i38uDe1_CJaoTW&@f&2fQ z=`xr|Bl>AK=h|NQRhqe@jYRZsuP#(H zY4?JYS65eR9kp(Cn-}a~f!ww*)nC;VvhzqZR@K)-L2U@elnK(otiw= z2s$bNBd)4V6|vkdXH=#eB(crrT3L6taSqfLE32KsOJY6?eqCfwYrpHB4Lo}wTc1*; zib;!*$qFw5jL?t(kIIPzAK<0ujuia1KbmB!<%a z$hFfjOS8f5a*KbsVocpLZ)7PjP3f%{4xlk0#7|Htt?0lP1W^OL=}7$oMkA zxp%*&SS~9I8aYZNk*M#P(^O(tYMJUPE}K%i35(S2^5^C)4|-_#^2sqg5;QzrZlHQx zbAQt;nl}B?c4+K*{diP<|9S>3f!?qCkGminz zj!#DZ%JRH4(IA$81Y=QsSwl|zteK8WB5WryQKk?#O{Jw;^l|7XLktN`5!ZY>7U1A? z$Y$gdYm7Up}>|f3qj}x{ss;c6omjEZnA1EBc+PD;Usk zN~(! 
z8chx!y|_gou)X*b#_dYqVird#!g|&gTH%^n@K-edC}4ZGZ);}>4WoB03DAX&V8a}H zoWf`ARc$sa25@|XqEfC-pw+05BYZpa$mK6JtFl;-xa->V0}N4{*pON zb^OmgAP9fgz_L9dO;sa3XcAvEvT?G1w$u^-nn`q6k*l4u8vkHJB3qdMnu5ccq!;nC zznFRa0YIs^yGL8h#rD9c)6PL`xG}UH@0NIWW?|>~>vwMW&YwWogadgm5Iz7?Td8ko z>_Wy`tXvfHe3_1KiSFRAufwc!U#?K;`ark18fG8y=<(JPg2N{E%4$)P;yg&D07ml6 z5ngMg!gDWXhio6o8L#PLFFtb3`%|T^#_x3x6Qo~!WfW*@oipd!**={to{I*K^TQpO zMS_?_C`yjzghe4)%=vC&LK$$N^wOZ-@<>5iwG5`I$Ps{zYZR3?rD9`PD zSK~9q6amaT+V?b!{jZzj@9@#yan??mI~e-dqX!Fmq1Kg>d(c#z9D3|IX?KF$J%M-9& zXQ#Li9}IAv5a$oqc@5WPhB;|*Eq*!6{MgOu7uppUIyF}QWZ1iP&+oE3PTB#-z*jly zSTY4y>%MRY0uoS89=QFW`FCuK9{l>SjDfvDjQPPjDO8uDRHh;B zPczW?a|4n}voWMvVG{EPdS&CTgXRr~?XDC%8eN)_1~Sk2H%&t|_1*o${(?6Zm}7Y`e1=%n);YY_X6p z;56r8tYiK6LO#xdzn){}t_&q8<{(%oGEX=on&)B(+H5s3`PNVYu+B2WJ2k))zx z*IC8&8dDQxr=Q0>;B6`(WL2ouSkSor6y#!NWaLlU;E#ewUUN7-5$k;w^CdO!ZnA1p zsxPi&vnTb8ToZ!RVV0;YgfSx!-Ti8he!BEj-{54iMuC5<*=n&QF-$Sho8X;!%ujrP zeaR30Uqpk02OM)6eHbBDVY0>9^9|0pk!2XYZ}ea^NQ`vj z=W3kZmfewDDSK1VZ@}gD2}TT$^dkLjp@CV(vw(Ei2FA<|_a{z0>(LY#Cgr~6nxk2X zn?u%ZPmxgk1y0Z*3%l~%G~If(XlRrYjf&WadW|6;L0_+F)0EvYgGNrp=7h$e3T5$J ztqk}}ma^4c_8>+}ey}c9E{ogP>fPytis!z)8-O{r&F-Br4!6NVNMCy|F}jYVHiNy;;BqK3oxVtgZo5B{GTe+ag)%Hx%`v#^H zuMBpwJ^_d5>IMiLmUqki=6nYZ0bC6P=Tj(FH-{uA$P?oFEXz~=H2i$8+lrhQzFUR` zGI>AtFW$xMb<&QQNZ4F!inkr?=io)F^TpC7pA@MQydSO{jJa)1jr}`uo5w_LN8xnD zb>VaSh6WA|1-`MV#M}%Avn&fey`U`2i+Fc7VPq=p??rLc$F7Yavw~tsMEfxEQ$HMY zVE+E;uhx?3N-$-rG}mkdRw2_>O)ak&B3~MpVovLgs9}TeEmAKx_F4+nC@^5@#kx&8 zj{b3LsyQ(_SNv+0>2aBmLCS;O8wp#hrjlu4+gn{_54a_EqPuVae&M z{vmY3bo4LknyP?u&whu&-nD?XAn??Ycd%<6+M{J^v6nuB3b1Mf2@JMxBcg?JE%||u+)E|{BCA#wDNZRMEw1_B^4n79x+@HVD4d{@ z0Ly!T`={Hue;1S@^w)>3srd)bEN=~1iwz7un_&Vk8jQ-)Cn++tVwG}o0wzu9h2{a^b*1J`Hh_p5 z-FnUKXyEzb%5ZsKmq|-o)%3xjyl*F*FHgL$3)vP06_@={#c8i}P7|+g%_jf2y!iX7 z$D5m|eb}Vsvmo3Xtzy1R>=@rkHuUk(C^8Cx0GG0gjQ0mk9^%4(DApW5mFbo<@m}zNB9}Z}k1B`(<*p1H#8+zhGd{2z71DCgwOv z&XbE+bfj6?zQ7Y%o%5+1`B3Pl2oUxyOBJRJnBFw(CEeRmgUo%rRiH|3JKYj{c zLdxOGP&kx(R3%35pc@L{b2#s_C#`nvGTN_3fWmuk>_Cy9(W)zlTQ&ikHhq>3^+YIb 
z&yVISJ@OTRbkL!=M17eJ4YwC_TD|*aA;nN#V-jf7m+`W9$$HRNylr3{t!)rIBZO*a zD9$GRlSSlDWh(cyl+rEA{!x`xN73H!Pvlov!x4zDHi^xTmqWjDWuh*I^2q+F^YB69 zyD!V(V63)1R2)Bzlcn-qPy4-I8-~?aXO<9iK5bcCk@6ree&gaETu^JX*;lDB{!_V|Z$cxc;!vrBU3FOF1+F%D*mxe#Wq1vFJa34`>jNq^ zR3`CrXxPA>Ar1?{_#vEqv84Og*ZnA zF7(m8PUYGo>w599@qi}{hm#ta*H<{A0kU{4dg&ygr46&WGCCCA>%irOEBXAfaZ4L9 zurJSMsiRW*d0Y_LhKUD05FwgaLtE)&Z%LxaeM)w0==&sAw^8)2B`9{#pw1cd*3iyx zr0J}c;;i*9O~YmCWb#`%(GR3gK8%Pl6e2nnN9kOq%`$}C;@MEhKYhW|Qda2e*4&E` zeOmo!)ZTww3;BC@n4dx&eMWf z9~AYm$NnH!GJZhvkyLXG?lgXpwTLp4(z#pQ#k9DX6I|G!G`H(7P;05e3wFP^@w9SD zCtffdk~l!`(YTsIN2xn zvT0%b#Ufc&ru$l;qNORpYC|;S!wH3ZKaEy%AngRv)~eGLYhj-6egwY{K4(36Rt2{H zLY3jbz~?lbF!ME)x_QzXs}+&4Q+iS|yCCw~JJQm*i?4@UuvG9`=N*tsW;4_STm;EM zqG~-*+4SeMd0V$}*G>mfxsOi7!0U#?Q9Fl~f~}-rqt6VqiDuOTMEiRbue{*2Y#^xe z*Xa8}6H6=li6dg>ywQ zWb^He5?5r>wk?P6SX_`QXbqg%x!X5*7Yo7*q#$i}(lfGT93DomuEOy|dSN3WAS)+oby9(~i= z3V#!VN58y;rP%ZyObFuIeT3jgP(U*vBqtK%u*L`iNyYr~Jf4b83?N!i%9Ft_#sE|I z9+{j`At-()G_S5*K{#E7zD0wFIn-lPo8Nc|NP-mR>MtPZ2`y|0Vy{!iK|@*jSxvpy zNV5HgoAtfR@!8tMTHHkL^`rz0t@{F|#Rdn649#EemTlvcHO_vNr>*-&xThZ}~mbz||2nYIf;LZgq@lJdt zV%@S!7*YSb&9g2m^v)qqfQyDI+t{{DyWmcLInIuX^zS?v)j=wPKVD6Ys5SeJ<-Wa+ z7~!s&mUk4o`0*!Sj~nKla0n9*E;OH&&9iFpod-USH{7R=R;S;+kb0=3@o!&AB7DU- z@K}CfzEJvO#{D)P0XDX3yV3L!&8Q9K=5}qITw4q?N)XqMmrmjtjvg;e)~g}9B{|B^ zVT~GTW$SAsj5F|jhg;ffN}rcj`5G2yPr%j0%qIBbYb?$ihfyc?mavG3F2P&eAxuov z*`r%AjdB3lXx(sBaamJGs6GewN7Iu!b1K5Ap_cgolt%K_;zx3!-#si>w|4$Jv)tfR&i0zxAvRG-nPQlPAjL(_Mq4UkS{4= zx=fq<3)kM$K_AhP1I7#9cOZ-6m^Sat^%VNHy{{K@75m>i=_?QPPv&1uBpbI_6r!>R zf_Q7-gSx$>BK;eE*Eh^kPS%AlAnfF+m6rL=trN%u2=fff zQ_BpR`O`kI$Atcx+3uVBD~+EM)GJk}l`G-Z2>au{o}UzrG?lcUQ;KWV?aZw%^(70D z;U@+|N+IYrF(2^|jM@KbY-2Sah@d6{WQBR);Avo$nCSOb!b>P|PnELk@x5q)D3HUqne5uyj(j%H#jxjH`Ez;hmss8@?HCIT0w zf9WB*S7o&*l?28ZEh9Lrw>)8_#W9q11S zPwv18K6(8{5A2(m2Ys+CzZvNJa1TR$}sif$!UN+MBKPe@VtZate&?&@!G9o%=J zQ20JCko_7=K5J(1;N1GY;umpHTM+()%1= z`O>EiCS+A|7WIr=y!TcKLRXVGw2JaLvI-8SZxC<>JpY6YN7f)u-+nHgl 
zD4?jYt!<-Z*52na?Tar&Gs`#eE+JweDilE)H@T2n$MCHycbH?m_&p#U@k&0V&}BpX z3%eM*&u*MzQwl4r!{B}bFy+sUsX9yIFb9{!eGoTZXNF-grs%bNo&`edF_NAIDNlQ}Yu&otXx*K4jK*{&X*el)TDS$Hng?O_7BNt*2DQQj!~KV$$(wU5DbMi^LhDZSe798QHhwNb<+F0n^m~1y z#PyoVTT7}~BbaJOnw9~C<#@KB=o_}lXYfa{&GizJ+FyYdzUv}kj_DZPS0ar4jT|&|eSn|Eg!@DvX88jXl zwBXpzjeghmJ|Yh>P%;|K_0Jnaqf?@FtkPg_=J#rYqQ1ZT*dOHmTK`?|K-+MhK*ukX zI3z==`kr-7jT!91L%&x=?hS}<$j*yG%K*^@L4v;3%wh1qs%_Izv8M*+*k~uPm*mTC zssbv2C{f-Ku<69e*vywdV_`HJHwb-o1?^#sC0n#ZaU^lQ-C zoC~WRs|Q=s9d~?(|NWGzAoZtDF^X3U_7@KdumzT02IL3HiE{tSKw;5mkt8o@dO!FD z(1?%KD#R#_@4n2^p5mu{j(3G|gmE$9{>OL28FtadO)qAiNmnDY(H%aJSVm{tYs`sm zW-#D-D=;z&O<9KK@FRDqx{nZ9QJ@xSV7uQwp0h1X@W2>9r}EGspk>u9K^Pf%()4&qEPB&tIheFeRkvu_?!u}IB>RtK408(~SS{M6H`7Sy zu7ZHF2P+T5FACH2d5j#n^E3(8zBwcEcQzqVE$}YO<=-uT#K|9MVW&0TP)2a~d$)@} zwP&F@a@+KbK!gH+;LK)PPC_WR7=2BIN_M9!9OjlPBu73Jhy(CyHFfhXH)U`A+MlPl zNrlRZHOshP2H)B#+9}MU7y6MLeLLkdKflfftTT)zk3wNWZ+^8Mm^xrlR?W@x6A$sN z^i+0>EUroYwe-P^ooWgit{J5*uaH%wPf=J~=@Q_xzc^=NlyoM<`3sAVV zkm%-fOvo0p7K_d)X%JE!d}z4n;k@e0J6w73-l;#I8#6?o)L{=RaC(eB&9Ub**%^rBCUJ+H5y!KH?!;-7MTd^o&ppKDpIeft!DS2X zk`uLU^OeN(i8SKg4ElA!lC0}`9v5p$i8201UaI0hkKfTPTl^61$Mj3qV5H>RpUy7l zJQ0^{$t?g;?P~ubq8E$ttE6_H^ShCf(+4V0-M~}0vcPa#jQ%x{Jhg;ROjQ1 zPK>ZTS>99$7_|P-0=TO(eLj`9x?KQ_8ppU=6PqwVu|)hd)wqjk(Q4P`Kl|n_pZLRa z5RDyFLv2fTglW&YF3$%!5XmKue`tW0jwdRhW8D_{i79Tj)W-eSXN#w07b~E#Fg@Ez zcu_6HA$YQ35PtDz&3m&n9)ir;5gwi^=AG*j`Sp`Ng%!kZjSIk}_|VCGH#7Q)i2gUI zL$L{6klzXNPqvJG_l`ykE!GRxAi^O^3|{}?h9o5N>$gZ z*6%d@1Al~w=3vWuzgQ#*{hgRLp{ipXpRpdQNo!d>&tjRqkKO&`4Un!mtX+|d7{ZU}Er8vX1LRhT{P?c+rR6s&ZsdDHQX-q#xx(j^^Naxp zjYkkHI_H_yLeHlH$g&S$uj4{?(=LO(J43dcfS=7zYLDEAv`MBhJoaJB1()D2HX^e4}o=*41QPYvd{ZVknb?i zp{0X?ib&wCZ>-?aDx%i3@-AqT?-C9hSPahr2S?w2y60tS90lWMJ9~VpKWnmrfP(KO zpCcyTQ_+MU`*Z2}1W5=CBs=uza$}dYt(D~8XFZed``KS?)EvR3Wv_F_W#B%~@##Uh ztbg-VByy@mVwoF#x40p9gC|8~?&%*LM?hwp{;t`qYDk&r0-EQ#^ebNmn=>w=nnPvf zgW0lrS|ToL-7Bb04$o=>*(Y_$2=1vN3wQC_}m>X`aV=uuZLX;jPvmFrNY-J z;~qFlUNUQjtbH>aVba!MiPX`tu_$E1yIQI{J`NOIM+JTk(xsCD^hAN2^CnS8OIsm} 
zewUy=5`Ph+KD@nmvB|$PnYC9MkN>1Zz?Vln#&Y!FDq@>y^|$tYR=8{1T-R!rS`eZ;9Pe0qHP9yoGSjeO020a76j{rRvkjX%L; z0{;fh3j1d{Q{_PZQ3TN!)0h)kd?u^ccM^6Aj@C*wTr^y#@e=0%>CKuO!*=8ePqC6=2rl|h|cdo)?OYdpTJKaq)0}r)YWneIE z8%?>R9-r3I`-E!$sHaUe)!@F-tzS?cv)cW$5&gAOcT zqlHM0TCl|vGkzKQ7y36VijnQngD08TUJsn)qL*tNAT|7Rx{O5b<`W=((eK}T(P|s= zfRH*NYSof@sUC=OE?7Z)f$aHq5c1EFq%25-gohZv2R&KJcS|AS@jx=305>_*KAV-w z6$hfzqN3(*z}^meiZ!Kv4C8s;=ZjEI|3N(4hV_dGv&futs3xJnx6IK z2y8YD!rMqHHzrIgrGysnEX~*@OFOI&_|P) zus*Qyg0a=ZQy=W2)lbF-k7WYr7BD^bPcfhB*6B`uT<&;JIvQq0RpE3o1zT(VB4o6n zjV##!hEp;=XD8i0;KipWj3rm1F%}v|B(}h-@E>NCO*h5oWH(Em3D>D2ei|O(+H)Sd ze;K6cGj~Rb&5ijTR@xUebaI(xkR*Br^^^SzfO22&;Yg)X3 zS6nTf%8J2d(1>{BP&f!dU<>{=7%Mlc$yhcEb9zg0cu0Se@V7u)f=WbR2zX027?VSX z@mH{UlXp-wDp+qBe3fk*6Wex<`KsY}vix|$3UK9v>Mm&k30P_0eR1Y*!A!J_2y$<4f_;bh4MQ%nA;x?V5TpE-5kPbChlKuu(9>Lrdf?E$zGF59 zK-9O)Sk}kzK+kUt{_yocXBKN~q;-nMU*7-umY*GRWvwMgJ@jLtNzL>`2XZ@D#D#_^ zATW_2zRLc7TI~XG&$bb{vY8s28R|QrASLO1$Lb-ydcz)(`Di2y5KvMB-o+NGSHDH< zfaq&3ee3pU=h})5MTu5QS0`6Rv}m5ea`^xOJ!8=G&-$4)IB~Ut^70vfgwG8o+1+J( z?b8M`ov2Z*rxge8ta$rTy;R0~T7xec#kCi323eOGE?GT4=(L}2o{LzhS6D6g`5>O$ z=GhXR-@_HxeRx3;Dwn$aiXp(P)kI&#?Qr#*iyJ%yEzVrZsE9-wL%8FNey{x*&hRQweIQ)!-qe1*9%_#RoTniS0(f86(i74;fjL-lOAmOW$rV8@eMonDcev(n@(38bK2jxHf%i( zcOs4NvkzLX(5!&x0wb(bMb|s410wu#UiK}TPVTFf?^o)`v&&xPiaU<}ToUMKtXi6g z^(%5X-2m(T*p zjz}?350;x)f$HszW6d^wG1z-wMcH515H%K9d!ZDObIw)<+=Js&Va15vV9YTfOjmOE{yewlb^T}1{N)nW`9jki2#2S|aBxXg_DaZGYdBpDwFI+UOvg#lS z?Ku3CD59>yNDIG0ofF!hA5q)IYwKp{ccsX@d;9(#4_I9Hmi@2bkYfzt4G863sAhiK zh7?e9kfeVk2!8%8lX4x4ndvbRePhDWM=Q#6L>rX<{Q~6`=t)(!v>K!BGXqeT{C%(h z>?7_D%2?HAjAli>2>pxN#$|u*)|u^{%3gUv*s0sLyX6%pr@C=o`usIhNH_W}d1%o} zJ7F{{MwTj8i_4SitRH=hJB*qGPi{Qqqw<)fydloe6uD}8F-7LL0QOKpt$1bMR}q?- zmw@V>>}}@jA!Y2xU0oIh;zIcH#}t2{BSp*p&Qy*irZN&otQBSnhg*90EdgCZG;M7E z!ex+e$k}8lc>Wg6BV4DV^mCBvTp)@OPd3@q-W1l=Gk&EX?*>MkBRL3D`IDs>IiIqN zLqA1HP;ltK|Mn%`DN{td!8P~B%e{$5HN0`j1GI~Wy zxy82V=&^}8{fchcag+7idVsWSILT7_)z)lp4tTWW((QqF3Cq0CWXZxBmz#^toih^$ 
zSTC%#hC}OCQRU0(3p<`9wINxwHI4+B(dG_^ty|MUZ!6g_78A8AXb=$q$01K&h_y`IDgcJ@&Y92nAbVIb5#`^#e)tR@0*R zDt&v{$$LTVFh$WL0+stC8$$8r-ZLB^Nt2#U1LA>CymH%z;qM5QTkx9?jM@kn#9=Fq zid(;!Pce_rlUkx{o8gj~=BxOE*p%zC6q$Q(ExCa>C_OFP!-v@2xa9cT69cGj%dFu> zuv0xXmb~kIXr_CXl#|uo+9=y!Xld-Lkv`@Vj>3Z46ihW;`cgBs88E^i`B?G+W=Hq>c6Gbxcd9xKVK%cT4BRP(Z`XK9et zFG-A1I3Y)n00g`l!Xiq#q`p^*$ZOND>-gAwf>49ZJ<6S{WS%0E;>-)wzbYmh@XwI; z9>9>!rT$LbxoFqjfseQ;;36BU54I2BA*RrpCm9j|&v2s-!^AdM-Qs1k5m=0~;V+>0s$lSV88-KQqz-s|Ns!^v z2Q;p)p#_2{O6VEAW$?k$M%&BxF;Te{fw1mhAUb)(67D;}eF3YS;~D!_5VSsb`=c@O zqM_HF+TQ*8j^i@9T3zODAuN?Yl16dqH zX$r`_;r))DJOe1XkEr^ddETBw2!Y0&TaPsl5CKY!H+7qC(NVyS$(ZSMOSUk^f+b~ z8_QEg+v?Sq8GJq3gc3iaA+y*j~v;Os9S?qIx9i5!>&cpgbGC)VFtoba=MZF-j(KpQD|xth(K zTOC@STV31w$VAqTwHbar;w@&?z7iw_u-2iyf+9M4 zpRO6KZv7bK2Q+~3#}p?iBfzJRX#>x+1;ia6Jx`bKyWC|6wfLidmB({h4y(?hE*tu| z(6CfDzupRk5DTIqZ|(Y1n!p)uO@u3Kjf`fOL1+8}R z%b!%X&sNkyWl1`1pM}Omk%%x?{Eq%GZ%oV_wpZ1!3wWQTKw0(uo(p*L^cUc@=)BRO zw!_E~>%?q|XY3BY_q?EI2v252Gpd%}X@$qC_>EjFaobb>a`brVj?qPQb2XeF`qO|> znBvLh&otH5GhJXaQ(Q`b?J86OcC?ys4D!`iyTCn<)vOD*)H(v*HK@9M1Ue`4_#Br@ zRqEa^BCmY3P2jWxKg-n&;LuuJ#$8^Fdkl?DtuTzPKB4X}QS1X7JVO+t3yyg?n(>YsYzgre`cJ12`{yfSUd5b_dF|@Sp@N;K)}kZZFuC*Y8@Y=j z;3=WV{QGNR>^i;8g^V}}Dn1vALiC}rmU2Hf9DvvoGQWoaBqBy~?)4P?4J>Q^vMOcM z(o*xZKfMx>zAAH_z10nmQQYx)tr_SsrL_3C^EJ`kcFQOYNms8heK0txTe*h|6*I#) zJC5blhDEUJ7yqYQ5$>MOzji&`-1zGu|IP!FpW3!*61H2!i)Sa4Tk=^uXtA z;%qJ@w~?~QVSoabE*gU@UE0eP$0*a>iO6<$Jga-83VTl|MOF^9jMk4p(Hhm&XIw1A z=~0iS^-KKqrDq^6e-%|Etm0@5x*Y9+%&4gI|Vrnn=EfY!}Y+;~k=eni# zXS%^EFy^-RL7qTZem^^2#IKORcE|_)rJ5B>&b-Q-K?Vf`tOZsHVw=D*kGSWhKPBFZs~K(u4%`-gO|;GCW=FHA!)*n)f9JB($5`XBmB=-RwQfd!I1X0&x!sI%d&Lw3~t3L;GZ#V_fOlG$rkNZ1?cirsbud1U%qiU!+ z(?xHXDvXTYWl3agBWiuvKi35NezF|LvB*C8R5an|NfeY9b8jnfAYyelt^o;gV)8mC zqwzkrt`rZC_Rrq}&B<*v#mT}s8B)O;OD8s)IZtPCh3n(|GT?g!lO&QHPA#sRXKMF^ zjbr2IO5Gs;oEM|oLrhTY7x!=EqoT9GYRB61ntzPK$cS*0vOVbsrG!T$#LqLs(GvGrNhfRZ%KS7OVUsv`Ws?kRiI&Rdtu z!_(*(g7Ru7q{IGsS=-F{u>^l%#CB~k8i$g9thdcU>#S{U6uJ6aKQE2TyZWS5KTvHN 
zLn`~y$EO07wlJY<#Z^o-qP$|4j+F5==GIg=E4o^i~i^Q~s7|NA(Hc;!7PK_=bwC#361BYX0o4T3)VO(RK|Lq^b{mZgs21Z zxPPR7@YohDka}lvOZ~SFRrpv zX*2Ot;QBI&-l1g!nDfsQiM_7#`Ci!#^<2GWHTAZ;Es(7gy`WLfGuxl-=GeN}ml__L z{_43(pk@I0mq@Z_;0fTYSx%L56Qmr-%jrFva3h$z*+t+l+@g{8zr+L;`iG6V6TA=yBI>EeLFRteg6R)9&-9VaCZuMpos2%^_HP-WMx2#80^icdnkUpl zRmsq$B^``Ukm=6Iv{^O^=y6o;VOJvexmG0@<)RdxWICQWAy*k5Rdddw-J6RB+)3?Y6K9kh-B2FLew1MK$2?)5*VrVQvGgQ*Vd(d|?=4jhM zdLv)Yt@T&UBGG`buKZL;L%HGvpUhI_YQM5?L#b~Wit-_^GGwP~<9l2!ZkUDn8m_~gB1^=vXJFZdo>p8~@M^aJStdzmLK@%|fsmbw4hBik3}FUV zm9N#qWTRu)=~wO*Qo*3mJ^L=sCBu6lle5pFRng;2J@Yw|maV5oY@w1o2nWvm)(Bl3T(&o>FL z_=WZ64~oMIDr)}vt9_a3K2@MR6{>k9bVobyW0cP6@g#+{m%Z_BVABw62?Go5rGOyI z?E*;7`>K#dAA9!MRl>XXD?K|_ov*6E8hy^HxLc^;yWX?))akNkhJVkZpq8o!f(i~J zj1A`KyR-O}j7rXyK|)~kD+^+m+n-X`TNVled_HbaUS%xB(WP@?1<dGD^7w<)>KXoDe)@ z(HLRcvo9~piwYCN?*P9P)l}mSKv*z%Jf340R2td9%_~3uMNJ8g^CN>sw z{oSF1=*Rvp-q*8G=T(P(nm@0qBSe_+Y=sG@K2j|i=`3zcUFuLPwJy>XQ5X7_&ClHT z>BxhK1;)gpJ37(EI7}Hx@BgR%KI`{sy44V*5bgBKjV!T(agJ)jO!* z55IE-l#d!pruEK{_rxBM_L^_xAsyTDO={c5ZInU^5NCH@xP_4&z;xu=ndwy-9R(d+E5Jbi?f{iAR*E1<#rgD~~gTtJOcmb#Unc8iHi|-k}tu+d~Wjp+j z;i3|c@|eeGs`~9c^4p8a{5_ockvkG7b6f26_B>@Gf4l#mkBf(LmMUu=!BvJvzna|8 zIGG-Ys8)v8nm@OCDIW>PC9brOr-&^B7rc?g#_CUAhia1#G;y~b;Llb@2nrK&8P;6< zd;3by1&L6_CAxn2AdFXZRonx*yhRKg>iN6g*=5pgYQ&gg+Y^>OYXTK80Vs1yp#0X7 zG@ozegE5|~IC?sQ1@MYA=-wrfih1?Gb{tZ^nfGxqB0C;+rR;P`R2tx;Q-|VhF0=SV z5tB0491=7E&l6UW6A<#5U;tr+S;L@jcKMA42%60?e2g_2;A1o)^!33Q*K>B;4bdVg~r50LtaFW$09;%&?A3( zB3F58=G7N7uTpihx*W@WlA{Erhn)#T<7#AFOxn$N@&k2fj`eDsV#eN9_bva(T{mVz z!TGD7KOQC>7L&|@nHJ4g);pXw*=Jwbxg5QheO}hbSThTg1=X;=Sa_W=r^g@7DM5@A zNvo9{O0^*T2x>-ha-dr_o%^bMOBGb={>fihg8e?daLXG1p;MU7^{`CsA@(M{{3}|$ z4s5>A?$k}vjX9g-ece}29|K;IZ_hZ)x{}WB)wn%xS_BvZY_*X@8Y-pd1cUBqJNa1R zS#x(&Z;ski`#8(vW=hAdQzGliGkx2r*aav+FWgk5+^rf%8z?GQr|_#vKmG|k3Kl&- zxhCcH8ZWlJ)EZ)ifJ29$oWi5m%xpPs;J2%x&c6RCLIteLby7Qq6{4;wNIy?5eObdY zJzLLv+&4pm001y}9qPBbg4aB8C~g(KbMrn$pI^W4Rew(nX(-DFqrPUvQZMn9Zvi|b z@ugLt_v-sJ*~oZ3UEw9DkG9616FU4jikyGL0^U8hDL)9OVxx=xp!U%Hb8((lB_&44Oa8 
z8u`T>=AC!`JG*V8{#&s8#<3Fh*Awr3KS-)bpZ0#=_Mr`I1aE=%`G5XXz3X>O?Cgs{ ze$%3H>~2#y3nW5$S=g5$=lgHm{eDpC^i9M2+B)*@;@sCgSUR?2gmE>9$;0p5(2xr^IN%yT~^pZ86cHQFmt7kSt# zN_?g$B#R{b=7C0rC5b74A6714HmlSC|Mu3c3U9>8?iN+GFHib0x4N?4A%jXEdS4><=tu)wvS$$l1(cpe9Tp(#)z=@wj*K z38&9En~Nj!N!YVRdh{|O;9onioc~w+{T(U2svpJf zj>%h42#e-SCE8%eeqr8zO0ZArFAsB2^##Y1fAyndt^K++r1kDg1a(aYo%sltsyj;VuzL?ZnxPu2w8M(TV9mqWS8*Y!NNL~GfYW?BI9lEWS zjeRv=l@~R3qE_8p8?VSTx6QE_jx#@to&4y(b-GXXg&clRzdG=ktucm5!wY7rEgOFx zZHe@^@EH<+g|p+^I`mo&QttEDvB~NCjn?6}ktNE-%q(ZShdk{44}Z>%Jnqrune#2$ z?f7^OzoJHH5@>o2{iOORiW7F1q}o025UgP_P!2k~oo<2|e|xc-{~HqcjI`|U_(XWOnxiJwuxfFf((>aSB2C;`lFd%ZSNj6wOTawqSh@ZmB}-gK^6#-2It z`CzPWKw#BJ>km!JFBxN55TstgXKoBYVQ#>kyKXA^mr7cJ^A$Dp@L z>kcoVUZJupZVSF()gT>r5kejp-d^+A1aiI0R?^lhMikWQ0$!Zl2Y(dCcpS0tC{>p@0aU(YVf z&bk=Rh@^5bO{Qj>CM+BVHTaDE7gap?>Lgy^B4xgc7J0Yh9>Otu`#c6Y(OO0lPC|Fg z_5WAGOk{ZN*CWB)_t$P-eiSNuZ{Xe6GlP@FCe|D=72hbbpQlpe2**wv5$Bh~t00Ie z=%cW_5d%Z(0e5Z@e!DUe(Uc6ezJe9l?ZTIsy-Zup{!JJnPhfTDO-KB$BwHVM17=Yz zKYe5GP6yYOfIhNYaPjq`ma+7B!eI=a%-pEo%R(kkRl`+S)j{$Bop%p1zVHtan9ec> ziE2fIIIXs7liK6kJ#m|E@X`Y`tO!wvpmTdgXo*8>_*&=`&V%}O%j@wzCWe|dzR^(4 z*SzEMamOu4@j$WQ5PYU%CF+A0aqLzq(XWvBh)MVT$XH-2<|UvI-+Zg~07HeeT7OC` zc}Q=IsU=FI!xfM?zhMnT-9@&n3X``H{t*NMTJT*xau6Lr5T75A>XuQigflx-9I5V% zxiIzG)=CBU5ygvMm2C?5hP>7lHacRg<*QQMQHFU9uOq#nzcn*X4z%Q}2)2G5%vsk- zW^K3{JF3)*J=;&u+ja1O6kCm%S=uou>ce}KOgm;yZQ_tkk=A8m+?~3j-yJfmP`l|p zpzl2#RMAJ))F1ca5!HOZ5{PI!S7|D8{1fJhA!RTE+?jX^Xga08|MpwrQJqK<+w!yO zDdhL75+0&{U(Llz8LZ0vb6vCAh0=L|kUNN2%squBmRDuR)h{^)ASxx4$HB|aE7#R> z8%dulS2~NUmlWJl2IyZ8Bl!nS==x}dyxU{*-NwXaahu7m;yVe_m9-E-wdpVWsgnMe z8hII34<1ZiPuSq>&a|z2cS;HG;-xWea4O@iYD^k}?}+>+taBj*cblMh&V_;@*z|+k zI@Y_(+!|sOb(gmGH$$lZ#r2`dbgnA&I!?3s{tcr?^sLGZ+(4PG0Ii*14B_#r@=6_6 z(Z+v_ytjtRPL1t8_yWb6bJ*n^x}_nwqXsUuQZ#6VfRBF;j$w$1gtNXQ>%s$R5HG+! 
zTrrboZvX%}t{Y3b{Uj{|r%#bza(^+F4)<=i?BPv<^w62pkfEAspURejPmJ7)t5QH?E{$alo1S(q@3D{Z;j_evLQ_|oN?Ux zL@x?@NQ^f|SU@8@EY*B`BPf<$gL>O=k~6gsfBz?s!_hH|>;i2AP2 zEa?R@&(*BnW^jpfS*OUOfWnm((teok`vjujc#N$WwBQCpxYIctQ0ardYAk$gkF4`+ zr*v+TPL%VwFrtGhLF^Z(hGKN9sBr6i!=^~^HD=>06Mo=|NWfMRzb^GWBI@-oIZfUr zFMIM|9(WD@{?57(Ls4||@&>t4&q>&303;MXYh3)e_){bd2Hq2QIN4`jH*$qbg(J8B zjQtRl|82={U`-N-Y9P}57IE;QP3AGb%Ksrik@nHRA1|xO%joII@8XbG;fLIp(};aF;3U=z{arR~c5&T31VL zVacoFVKV!76`clOP@CZ``wT;3(5OH^xXqf!7xjk~`1BI{9Ho zOj!dtEN27esSoPBqT$=!NwWSXe?8jXg6izDD!xNIxJ=QH=u`qwN_S1aPkELjP5*wE zIQ8vI3Yy{;_@UyA9{~{FvXfPbqUmvuGUUbmeMmYdC zlIG;Fo(j+v-|gwJH4n6TR&0kCyo^_1HutHZ6@{LHv4$yCDi>#EgoYCb>6Uq9EJe;6 z7A11F+uC|jzeZDgPYEGA!7=$B`+aT;S$GI2U~2^>-nDx3do+A>_^imzuFXaZXPocJ z;qhs^?3==W$Mw7} zQ(+yaQA?|1TXoppGJP}rz z?*6e9>}jo_pPM!4GB)QtRXk7Tys-{8vj(t-m)eUb$|BBhB_CfaTXn?@Yyz#0lBJ53 zd*4e6t1hUJlc3iNyg_fWyqx#lwmLDd2o|xtMzY<09Eyq?4an-7c!q4ZVNfYCks-j zsDbCZC-!?~yVs9cc92=%vMJ4it~x`9hLnLbJ7zaO%4;p7)?Z!*)k~6puB__}2A6H& zcTe5JTA8J}%)tnk8`2IG^8Ninqy29tlY-zMv4IJnn^26O(z!%jGorT=B?lNv{Bx%S zLa>UNsdI!-nQ(LV@isUsc!n1`Eyd(Y7%PH#;*~2JqPQC05gOz~N>d8;Gq?3GD8Cfu z5a3XR^GCBbL?P(8tintvCz@G=K{-29yTL|hr)GfK`~GSU^!&QeEblaWuQ&44e4Xp| ze2<&GjZyuhVj_9lU6IgQ* zgvZL|3%~E>5o|hj6MNs>O z`(5#=1a&uBk7;=y)SCHS-xq`WM<5|h%$Mea9rq#*{c^_8ph9zKBl&Qa-Z0vpr<0iZ zzwqhfcDxPpFJTu74wwL$4%6tN2BKtn0hp36>TJs(0#~8~U9PZZQ2SRci>EeWk((qU zcFFEDmBu#%pt3>PPv0$~2<3StwQX9JzAYKxbMz&v4$Yw8lDskTNSKdEm13asv~r)V z8viWQiJ3e-qPxyAs)N4d9U&Vy%++Ajz?DfGPrBswnK>Q5tb865CoHURBg*Yc318^L zqDL&2L-cQJH#J!}oiR^DVn-!beTK6k-OH3^zwzwlebef!HDyn@mEnrS3RhM>(d)@W zUcR5%LOel9bpeN1Jf1*H!K0!6s^T{AJC5b2^5j&a@qZl^P03c!^8rZ5@eV{}ozhC= zf>Qed9&1&OnBQ{wA8{$bRvIazyd%u3#6u*zZ-QEQuP~vqeXls9GMmHG2|i>tY#Gtb zUs12S4!ys_eo`lsCADL_lqJRC&hizzQ!erCUwTd-6A)5Vhelk&d1EPFckd;f?I(`; z>*EEWJG*&Jj92%UfqL{tC#zoI8$G|4O+}u070f<5-fjY?Zoh3=sH~?2ch|vFO=9m( zarl=VXx1{j3BEe~9}L-h#()nmu%Bv@qveS-JW@lM>yu+FScQPiR3oDP?Uu9`l3Ypc z?vjfEUUrZI;du|$XV5cn4*|88neur)W8p?9I=n4<%eF>?hN(Yj6dU`s;|V=7auf79 
zaG<}32)S6Snv>VARK!*&>HY{@v%qszVBgns{%1Wcg{rc!E$Lj4(j!B+5$dY1c6i+p+1wgVT~Tx9IAAGC zI2dx|@XjCWe>mJWLHP5_MA@Z~d0D`1C&;ejZhKWJl_Sq+YbfcPN9ZRZ-q=XlE0bzI z%#pPOjz^0&CN^6joDj_bzN2n*w^<=cDik_X2Ff9~2S&jv(#AtSopW>3oRy7TbF-0Z z3T!yun7wq9i>wDeRf?q*-$obwx0+1hsmLDb{vUJ`LjWe7p@OhL=Ef>x1GtEsAM;Vm zECsTO78dLAtK!o5-cP=Z@EobsZtRWq6jR8O^1mPk`>k^uxF-B&c)@u*OKKsl({Yus zf;)zp9(i7gmOcd_agbXMRX-o?18tJybY@rjI?dY$Q0Rg9Juh_QQ1*hpaO`yFLP zTW<+1_ByX$Kbg?mdZszD61%25rmS@lbY`tjEi-G3tgRzvGwh}VDdaA?ByvHuMLEy= ziToWXpPH97*D!O^t6~#|@b1>2p-C0z_?xOzca+#t!;-0Ti%E)5@@GR497%ft5plsG zW=s#i60(e20?h#<5yE}6h?i7CRCsJiVoi+v+acrXd)nx2MS~u_YJC(VLg=!aOYZI!{LNi46mp>f_z(f+;p`?rien7g>bw- zumcoLC@(Zf6?BP&`}o7R7)5xUM|oHVx?pdr()Rgc9sj4`XhFVySEY2uJ5rKW@&W_T zT>URqTwSKqhVRgbOoEK00fX!Zw}dZR5C#mp8?C2kNDE`U$P$~lDp_nfvupL?FEY&W zOnPK<#$mRkoqcJ)-x#p)wdm)=lBfR%EMn! z^>QPAz;cfi141`+JSn5mi-^FX>%o0EAtale|Fh8HGHAWaAxVieI!|40;xqO(0e0Br z^dnzi9r^vt+I$<@@Zb7sfgt1svaKS;&M>?lGB*1F8#ENf?0|byy+3VChuy0g+ZWQya<9(z&6 zG>=$B`3wJ9u%B5$wfk+r|F^%Blrh9(l*E^_Z_#$dV{n$%|8jI<-7C`gIq(N`6K`Y= z{8!JFHPpsG<>$@ff6{fY-(%2oU7wCQxrc^|vEKAO)|49~qhW%v?-p3Ny+oo!WRFHv&!#w2+` zn|#?~aO4>)23#^nZwpRO_48N1G>&YG(P=ADF}f{9xQnMsNcNxUGj+YWl8q1+;7=mm zFe@>Gzt1sJ1=0MKyR?+#d)falmw!g?)s5CQVncWEI8gS-y@;&-wPcz1Gdew|1w&l^ z(&IN~ov@w%l_0CPWIF*D1-DJ#&X?8cggp5^hUGPId^g~1^oVsmULl*|?iu~}9qiMB z^gqX1TN=Jfmi|xlm)nQF-g{L?!v4@Y#OwOnK;+Z^nT1N}KYn5&FjK{Q4b#bXIU3=` zQ^fni>uLSOS9yO$7FzCzdhclpAXBsdW%+*<&^0=huSicLYVMc+4`uHG)a18*3)@kU zq6jK2Akv!%gdRXdM4F%=5PFpoBE9z}UAhpO(xul(3o5;Y-a|kLy|)k`lpBBNod0+4 z_sO~QG4D)f7>1p9muEfCT5Io(&oOUh66sA(SY9qar z3Eve{S(9`p>AaV#eA=ObC*H?_FAG*LjH9tX5xr$2bockWe#;MeV1Hz-;qM_@dd0qX zQ{#us@6{9@a+-pR56%72Z?GBQ`E*g8i~Pa)i>t)dA9Xh8HdhLbkkiY66vqVN)5QhZ8o=B|A$;|TVkZ`(I zLhvuEhQ&KAEUCYqD(|e2JA7H$Bv$fA;@TxTSA>xNB=`_4Hg0lS}zO z)9^pj@!y})L3e*xR2FppQWYgGCJu$({h;IW;_JYZgM5QZtc%f;2--2g zv9voi;jqQ~G4d2?vDMon&?g|U^;C~1neI51Bsxlw2dN%VjvDF5iufS>h; z6gZg6Dy23=w|-Vdi0s{}z4gi5#v${%;8JnxgegzYiI=U};pZmEXJ{p;r*DZJrNaI@ 
zC;7+E=T{y}|NSYx`$V#rPC2@g&N)C@xS*Yvj0wJ$mL1^tkY00dJ2rE;YhiQWK0>5zb-P-m za-qwsX}j}VJD0=|@G%#oS-eP_YR{w&DwCShI-Pya(`UO9q*i0*wvcr%v$n+J{#W?(nLgXdt(lZlC1t z8#4#-Xu3|$KPA)oNF)!o*>jTOU*j7y?TLCY69Q;Hu5=Ffi{{I+X^Q^-qJ+1XR=HAsX6~N0 z;zGTA+7mp5@)EU`MIXO-*jXjnO=*ofx4@23{~Q8#?N)u+t^PT~x<-Vf-Rxf6^5U6} z-Z1f;z?Ugq_%@F}!7e!pWec7n*MEMQATk4BP(8N5?qcW=-u~#PEr=SGC{frndabX9 z>{EB&I#63mWU^?p+nc$^cISO1s2FK8`i?OBsw`fYT`}t z8SqdW7QJJ32qW)$3F5U?l+Zb!$^AZ;pW$k(=3qs|PoZ*}jT}JjD&K^7uj`tv3HM?S z`_r-A>qjr5JxtOrXoWGz_Z3i?v*O;f_g}^buTW^J0EIYHTzF}VHo4ik_a|YH7Y%QQ zJPiXfY)!vWe*}hC>MB1pXkj|4X^B0-?Mz46BWjAyjDJ%4)eC6*0GYsQs~f=diPyqD zTzKFf99Rg8hA`S!Zv3#CzA&gdM@h@XgqeMF9?@J%EOIVsm+Y#~{H{eDrkGRk<&3^w z&&bd4m}TR0<%$(Mti-$)u03(BN7reM-0QQZ1+b;16R#Cem9X#sdI0n6r z_je-tu@%&6@!m@lpHABQcvq z?&-;))zM(PBAcBKBVif7Vl-Z7Vlj0m`nsw^nQzVFM{6GH0K!Ftqds)d4N#lsko{ht z6_;bTLnSY?Z`b%Dm}BI-OtnY+O1$f!R<)zX$4iA6zg1c>tV!DWUdgQ)C1+w(J6zJB zM+1j`itW>7zAncSwxriebexj$A!YgoIEB9cfioqS!^kY*eB%t&_twaEd{)HgB9O^X zN)>Sw$4QLMGX);JlxGh)k0rv}nB4;aSnFQyj*TV<>dhwakmA@}T?$rf^e!04-y1BM z-$+aoa#LtxqQnvgU&S0h;xWxmg1dNceH&9v% zE;u$13FzV5?3()|dr~EKLSem=-`;t=|J8Ec#A$}lMjNZO-I6)#RzlWe>qcjCwZ(1S zVkdElX3U$S^JMTxix&|xllIndiBLtW?Q)SyaOwiJh0|UD+Gd&vxMc!KT(TC(D8dsC za-qIQPS!NOxCZ2(0URqUn#)IQT}5cZ&x&mMw|C5jd9K%&toDr9dSB2{zSkyS{YE>5 zI)mX>!uaICYFIs58ExeJEt$m~EE|BOQJu85LZr5^)X}d~TR5-v85c>Gw4d3bk3${S z`s}UyzTp9PpN5FQZ)rz48>ke50YL2xFs(gIX(|IJ18c=UFaQDoMAehWeHE3@E{KbS zc>GC@adbwhG#o3mwIsgnY!Ixf3rFxw6Hpg9JxV~unw#mLDPk80bHWD!be%Lk{p~I5 zHF45d+KN{rAiD?P;=t&8&7RV?Bse~|DOplP5TChj;t88Tn%80>?gqS4O?DpoWbGDCg9B5ywi=)Co}752?OhMez9ySHp;8xcCMeJXJQbk3~4iyk3iHC zvzPn^=pc8G>XB$GdD7!b&@9A6%R`6!edUfUx$Ow^Id3N@5NDy?btLsG?DuOK|k(3tLHC}F#?bC$dbT{^X*l9vO z9v!Lvn*TYmq8MRMlDp+(jc)e$XRW<79LxO%#NG7@Z>lE?-xaFA{fa_SE3mhH<-guK ziIcD#uaP6>I*9eJ08LT_j!1@@HK13VB)wxJr+2tE%9$DS{QQs%N6vw*FmmIfh;mPK z(m=53jsnm5IrUEYZ%cX|VaN(y+MM4#JQ(fC9YX&#k7eAbavmR$F;Yxl3qP`NlQ$@H z-nSI!tg85H($PPCOIpk~UmFZ&iw1%8(!HH?i?qtcZiY$Lxx_j29s5Q+D2ERZ51W7S 
z*EdbMLsLdGEch~x*%)y6g{PRlLM~3f#`adZjLnF_z}Z++URSBlftTBIjJ#Q?%vFs~ z#oaV0<7uzjE>X^BuQnOdTX7|y}R+pf}=(8WSA!Q zg#cUvge2qB{hGKT1>1PKpfA)(z^PFQ7bK!Dhrg5m>A4&6u{T^g02NQNVdR4_K4`X%}bnL zN0myS9CSSV1QD9^amGQtv1Bvwb-}So62stWc3*eb4B)Qx{Rex-3k1q!-#cBIv|7FC z;31W;(4~*BGzQn*^93~|nMuL>>P{NKpE=MHh7XC~$@1ufx>DZQQ!gq%34>w~C zxLqeREdvaFJvS`*%`0!|G$@a*E-pEQ^Bc?rSHSZQvSxx^Gepvz{+4O`IV)Y7V|w1h zW-h@ZjCN027q-gRJuD~h4&1@~V%Z!S8A-W+eaEh~OJnzVjmt5|!buA`k*5lMScB^? z8?30yeWCwZ@|{@W%gOq8eA*`j#j(My(s5%_<3;qeJh29avSt8vha!O`s&iWN|16s6 zBejy3lrO7Bgbyd#-yBHVU0@@lm|@1O3LGH zVP0&Cc?$1362(hz)@+lbqJmPYVcBJGTvpt7o3g9Me9JhUQNP&Cy1fh%quwA`=;i6Z zhD*Xb7KwbQc%!$x7iV(v6;&tB1}oJwaaVcP#04G4WaRqvlg<=t_*}KD^cytzpj)MB znB4>CPy4PtOsOzx3yML<>hVQ#h4?u7-O4^viA-e+7Zt|)V(TXJ--V*f9~#B7~e}p zzi{l45q}3Q)>%_`<7lt6Bwluy2s6cxwLNOiuuYU-uiB&Nf4v%@j+?>UMm|;5YSVsSldBd&{LS;9F?e@_2Vb+^H%5~2)>_3Nv;O?C)YKmR*Yh-CXIaR*zvn;;E=_!$XAw@LCeo=f+ZtPH2PF;QNlHR zY8wOXI#{J~a~>s`jdj$G0_7W&GFl;)4ztV_n@VH$`rJ$R-wimN`QLBm9Jo$$zw`Wb z9#`@1eA<3YXeKT%y;cKpSWDucdHlP1Xn|;^NudNkaNeO9J;Nk?@|$ZnYYY9DrGF5*Uau#%eZB1f$UmGidL)ImcOI~vF|Gkl`a

(6JLBwfL z7yb{vUVMGOK(%`UP)V;3wF-5hByy`?CeEICfRiPYv}Vh39<$wMj`6il-S?i59V8}4 zOQp1pVMN3f?(72d&BLE17pdNE`vwj7>A`UQYNx2gfB7FCHocJP#{no!B&g@_VB#yp zlXC#i4v7^s0{0_aC3#%c5OjB44Dm3*MqI2Z)IX4=O6#)ji)U6wOm__t&WJxiVSS(w zD@DB98WRL?m-6e`^}fm=ASEJrsyn+F%Q2HW(d%{u3w0y${>xK>1FdyGV^3FaPuDU= zX)Sp4;v(HO?IyF*tb~6&iyPP$zE05*?hTkcMIEu+iof<`vi#TTc8KrGN5I#iC9SwV zTF9193JJ}1ugGE3lE=j^ppIEra>F*M~@QJqhe1 zaN*~tb%h0#1(e!I= zXILOQT>fbb0WfA!t{y@06Xkl-N*&aD>W{xuE$%k{s*vzd!GA9Hx7V?&1LDSD1M21X zegBPl*I*E>s_+4R= zQL{J{-C@ddWWH&_piStQl{H!P|6tlAU+_TmL_ON@K!PeBU;|9eO!sQcy{e=ue2>Nbbg?Qh3he~?Ahiv ziuJ{C04T}vuyop2ChAI~#^t@w%5u3|SxDG&SdtuEa4uP#AAcS?h(AXm(%~7yBF9IW zz_a8ASC6fn<+gl+`x03t_S!4KSejD!C$`OmJpM%#FvP*P)wj~!fYkXs4H<67kh*o- zcak4 zAQUPq`!-r!GH%7&4F2_D%oJFG7b4!%*WIWN*aZih&nF3R1C#JmF&+DLn=}v+>~W`w zO(*mZb6@l!t4UGIS$Cx3DRv&HZ}e{UvIkC($8sE%1ph@=W6qY#-+V%^8!02vs2gM<6uQX!N_kz@P^6VGo&p?)HV0Vle^R`ZGB; zDk6?qRvgNM^0%=lo8CBqf`k2u0fFRZiH&Pa2T;bdT)>MrY&%ESXsc z^aXQx@KNIrpF+UDVURljMmG^iDVB$S zThTY5p8!Ge7b`9~A-|F}u#b_48S`D%Kmk>8Yq{U!mf~{prpTuYJ^AmoZ*i`0EZXct z##A2bK)d#nm1n-Ql?o!j6#>G^lFkqhdfIszB}S&-?EACV=+aW5^w>5&0I#v>^^ z$A)hX;~1FxkRGAmLx{K+CZbcE)G&SA1GKztn*jFuJ!Mm9WugcfoKpc0nDvtbPaYkq zW-;-H!o0nf7(n~*thtFIy5&se)jghO={>=?qbdosqtO$e)2X~4IHhTfA97SOo`%fC zYY=b}GKeGEj@^R*Lb8t`^)R>x-s`c6Rknz_FD&=OEeVO4xGTS$;#eW0HU|XNk%X!v zFgbv!YmR({jWgLoUCDJV#|@$>@Dt8sx+BO>@~RgXp&drPbE;VuM8L=wFv;cs?VHcL zXFa25@)P%Om5{sa&!M>D*OqvUki13P zsq!f=0w=nBhAKYgL$ln&;4Z4?exT^J&j!8RRU!ycj9n90gH!-cG!eA@GPt#rfsm%v zKNc^pF4+d@MJA-yJNA|#4<$R1UymGP{@pX^ZDH|xIP^-V(xB^f zdDP#VJ#$0CvLEB?4jA0Be)>FzI9#fH)T2TAU+&L%-80n?(``7D>un%IV%E&5JTgWL z#<7i63VR%7(jb@%RMWX>U;} zlRxf$+VZySQyKjGdm*5#G1&k`7A#Dt*x#~@yBKug`vKnRjREl=o=9R3_L&c7{xZw? 
zLabq^Wq%ZL*05_ltt6BF%^3R~)n|bL8SF1Xb$kO}n^849{#;8q4;C@NUo-dO0>B#| zI$ZZ5V~q>Kp>H~O86wM>lTzBqWOYk^5dwr979)Gj3EDO}y)?Ey+w6lxJZ_iHDPI&_ zs)so9BFu~vIeq?cGm#=8R?cB58#%-M68xC^R!n`v+zhf(33oKp@&>Oh8Sjlua1ZfI zhz&%umRxMh&Bip$X5B1=w{$o_nWSaaT@DDC4NpMZFusjj9E2iCRSepwc7Od*=J^m`FB1P<-9fCdcIjJWz6YM3 ztUvEx{zrJ7m6I5w$~+Kz*0^yJ2UK-d{B|Ro=^gcUucMJ^+}($5?kNVg4=+*KgbZY9 zlyo+fDd#1tYkZu? zT8rB53(7_#8El-_-XD)cf&e^;?oolvb1THA*|zw2_ns0^`T=4wCxc{n;FOq!3}HoN zF132s0B>QO(WLPD4q=`FHja)}*dOEj1MVu3gI%LDSY-a*WyUq6SkR*%R;VNhvhP%^ z@1C(KnCEaLw=tXul7RJ|w>@9)z3GXnFOA+dE3h(HdLqQb_^tH|G9uP@m3!aovfcuq z2?72fA>u#tJOrP)OTSlN$8~}--al9|bdf5UCqr#e`-y(B!#J!J!0m2;5e+E_;% zo=T)0Tn9pY4d+Nx;Yb4f0+GjeGQ~fu3lS|b*(Ph7!`rydTve0*ESG&T;V(C#LYj(( z(Q6wNNW?KKcr9zFMR~F2IzTsg3d}Kbz4Cc?iCa^BYMCfMozVTPzI{+*3q|F_QHf+{ zh+gJiALEhoCRzL0Yd=be`5NC7T6!R5;H-E|L*#)W7hE(QC?2CUKS!~LG~7m^(Dw1$ z-$P=63t#{4JGOnq%Yfq$<8%1ibE?OGLzo#e+zS$c zdkA>1!^8E7Tn>I}pT_|b%DXVvCpQZWa&iqZ|Ec4R`DJsqS-XedE5fQo{1iy^Zy$d6G{dDTfzT@ zfZ%dQ49MY*aRne3qK5fHnXon+`EqEcLt7+6jd(dQ1vN?q1pV;!y|xo0%Xy-5M2&__QepYVAZoBlrtq3MMKVa1<>H4DRFi694YL zY$d=cr>L-Z+Byiu;>P8?Er8?bBGAZ(fR1d0MiwcF7wx`ztc_Ic#+wOILco1jwS4Y_ zj40|ln-BL=ir06W{EaF7&l&wdS!<5smrqLtA#c3sdLxYNMuLQ?6rYs=RQ$a7y|4}I z;@IigOkwB=q(%5B54b(bg~Ppj!@8Dc-NB{h^R)8ozplo+ai#DoFY|ag`!1H7h7-n* z^}<&nREvQ19bYM5AfDSh+hZEl6;(WyeOahQkDuOSTiIs6ryVp7kia&vp2VV57*(mz zdK7hr$-WKIB-IHk`PU2ro68!NyhkZ>IiF#l*~@Pl!tT35x#$1G)LSq_8Ft;m1Bf6o zNQrcbAV^7fhae^0QqnPW4@!4~QbTulcT3j*Lk``|&>WuUJ@0qEzi?lBU-z}wT6?W0 zCg>-v_U|q&@VNo986&dWKe=TFl)Uauk&ExPzl<-bo{R!O2}Sp8zDu-c{^05hPc$Wr z&QBDz=w?zGYC>MvS%%-QxGq>Gtew=1l#VYnA2%*!pMJe=8fASbk|}huJBXoqllj|; z4Ov=(WLtZVH*1-ZW0JoDCm|DPL@qwCb&rx!+m6uNg5RL#N)P~z?U6s>c?3KN;Ul8% zd|So~a@iq&%*mWNZI|czssxO#43^^jru_ORV!3}-XsV>v^yh3dbXHU-6tmiu`0uN< zR+f8+!s%D+&xE^0dU34HWr?;mGu;T>!lOaQIX50QtJgAK`jfd;+ImridFW1@1D?5@ z+8g=^QqBzcm`wHqXcHo2KJubC=xNmRpECv67UnJkKje(TN;1|K+t1`kWIxl$Fv4r<= zyneaSke_+&Z^B7-4*QHXNE&x<59D6iSI}Td*BKx)i@Fw`syU#hL|dsYCWiM8XW5<+P}^mauaomb 
za!^w7_4{5KpCk~E)9gqL8V%eMiWky@FS#zrW6xiY>ih(~?N%Xi({_n9mz8gXQftJT z>PTLO>?HV5j?)h_xj_2<0gE;)eOfUZ+a9YL(hdY2Ai<3pZZ;VK)ySg{RMZrFd%{f$ z+Fezy=39Svhi=}7Lb-awr|H!1#fi_{hY)8wZ$`;OKq>%l$6eW?)~LW-lbdJ=#PbhUD*$Pix0M>Ma@ zMUdDN(_LtT_Tq<1qQkD7cIH{#R)1d1IJtNtsz}mviT#FR@Gc2%H-us?f72;2u(r0g zS#1V}4=8QPq^&{7Am(H*j2Vp~qJV(XuV^2l+Z^O(Av@Hsxz?*Z$l!iR?tgt}3KFCHh1&E%-s?G91wi%DK~jdSlh0-4DVhs$ z0weSJm#vX$Q5DC+IL7k~+52;{NxY->$Z_%9F^oB;xs&)9zjpyve|F~kFK8hm_iM%) z@APYN-;z<{d%A88(8k$Ww3B&1q$zqJa`k0H;>>@wyqp?Bc1w?vVTwo7&+%=G2xt5# z!#PXTPwjYvC14|&>|KV$oqMwbkXvcppp_>6^ zs)3es%ISS@N0wqmE@HO>qRYPpCPlsZDgHn*pd~vFdDg?pZXv9C?5M_pr$szBB|Y8K z4Me6q-Z$l{{s*sr`89)CP#v`!Hh9TVxBb){i^K#KWyiS^X<5Kcfx(x#qs%~~BE6`a zmz%3Kt_bg0rNiC#OfFtYFk;8OFRlk&$+ZQao=@RUn=&{Am#SY_AuZi6UBQsj)J(T_ zSS;217DM-MK67dBqmOO3zL4$M5s&s6|5d4X3CcqPmoR(%;Q8iH?T%NNBZj#lyi)S! zJ9#)03e}|zib>d*i6s_NjOyzpGd&!d&sH8Pyv#m=Nbi?huiaoQm0S|pU%PDM?f#A! zYA$m7%xtSZp_(boT*&%G!wA4N=fe!DbLT&fsMeM4u&Xtir99pxsdqjEhR^pC{woy? z{hp*WM>rYNW-w=snZ#VNBc9b*%4ECv`CoKGV4O?m8gjK`k!IxzvuVljN#xgXoxWoMuCHlSWig{xB*3tZ8}VCC7D-)W#vN>L1i%#5Y)E==*$^kz+(;b?c}xY zd5>%dPLdH(^uyRs!AaPoxIT0wBGZtqH5(O1|Ktz%cEZS)K8c#eMzg%Jsp_ zP(~DMxdJlx!1DZPzoBQbLR(3Tg72v!tktM3vSZ&ym*?3$nrEx(UVZK{iT>NU1DzUz zBg1#TU*9=xbk`|aq4}IZS9lvuX@HB-K2GF<<1yBt-hBq~B&cCIHXJ?e1u&DJ)fG5Ra5u~Um$>@xsXat8 zbT(70D1mczp6!}NzV{oFySXi{)rNK`J@3msu0K3KDE0H|w>}yah;*d6tL8Ymex_|< z5eVv=exCGVJ+WV|0M|-^?H+8JPXrC4UsBAX2A0(Cp5NUS6z`NTzAKPue0G}(s1<0* zFE%6q6CHROFC#7mnAVgq{@Fc41frjF_a8qkm^OfR7Nj_z@29$8U1^FH(E=xf&bzB| z$ZPy};TsN3vm87RQA15Nl`)2bKuhuFx9tK@HOwxS$GC+d*Mh2{L}~@Qz272)q5dU9 z3qq!4JX|^ga+tB+c*4Rrpv0SvC0Vu1jI|?X`v!;F)iCW^zXhgZa)v zs~ECPp0iN{x<()~jYHQ!X40GNKlpv=41KUODWCA(WqAmw`N-t}rCw|)Ql!?_k`P8- z{vf|_$kd{9fzw_acXjQ|GRjUwVeV9-(V#=0ZUlQJYB%6*JaRTQU(aXc?MD>6P1*TF z`buZ+;i%Q!;{G|5L`W|-4*yGg;PF?owwZ%L=^ zF4j5jT^K-Xmb8*EU8!c(y>AYS)Z+e<(#ivqFlrGWa?rfmYMPNf0 z*5GVeGxWUuyT@po;CZCMVDZ#zP~c1X4Kq1S>Xoc)AeFcdu3Ob4G?f5#&AJ?6_W#Pn zD%v%QRXB9{&q-4~4TzZT_8gcra_V;)ybhEi{Ptk~xq$!M$;VU28!@X-jWPWO3S>37x@sAr{QsNMoTLF 
z(FeOI&yBxRQf52x1gKa27>=1}laB^a!7s!1wl)9j1@Iw`2O>N)W3c#VIM&zPc0Qdy z7OnP*wO3L*)=-Vc2hSoxNi73Wf5!w7*&y1-B^Dj>eWG>g9OiQFqEb-%U5X}8L#LEs zlfyXiryA}OVb#20uK`2P{#)hQe?Xd8z)!zRc0NvGevT77l(kf-Kl8!v)}qO8C~BJsI=6lsQ2ZI=-K7CU`{VXHm*brTJkq_yPi{V=fh^f2DnF*4^%wg+*) z1>&jzSM$6RvMyl3iI4O4%jS;h8eVz4i>n9x3c4A z26Rw`Pl6&!Y5$ZQN%BJ4u&D-1#OVk#og3@2Y5$vZC!nT;VJG&x@CvDMB%@}5q&Y{vIAV|i|+2{k7J9nPeuLSW1I_ocwkMZAYR_NpN0pm zSlbmAh4(jqLf}%??eupjB10}%Td$w>&GXz^=K3E{&j+nq=avXg+AMs&QV_L_@sZOi z{CdX6kaS{dK;_)YPHYW1n+konS$p|{-QTy!;rUO>BX+!J@V$-kv-?AWN&P6c_RM&4 z+^3KnyezRZ=PXC+&%Ky0!k}?#MRZIT^hE4&YQfw$<7cha54Bo(azx$FRhq*6mHkn_ zXnJcwSFBBoR@b|h;gr6e`L06HuzEW?FYuQo49(KRb-EO}O`oH?QXInNMiCM3{LRVN zZ#6SzRd9w2qEi!93$zxT##}1niO`Mr>zY@s|Dg$2P^>bFR_{is`hUBj>ZcoC+p1Ss zTk{MpcosI#C$yQIz(}mvRheT+vp>j>sL8MJvFY$VE0_F77xZ*bqI)saqJdbF|6pu5 z!c4P`@Z9rn(<4lM>^7;tYhf+z3y1KcmDs;CK01r|WMI7gvijmyNsyTsxzvn$@!|!* zYJW9>u$?X@RB;}}-A~Pw8VqK#U9NSGwbg5$pBqaxfh}N7D&~o$k!z|@*$qX>%nyHh zqo_Xl`G2XP7u=K|qte+vNhg+Bm&Qb_DJl2rPtOZy>8sx~GbcMLXTUwUxN9?aZ|U^& zL(|$GVKSoc-AvUWgtJia*5`^*x7i^hc`LIBj@!Axa;LZ>J(7>b6)t`Ce6HGb#9Q#)xy{^F;q%*4+e}+}cy_ za^^{@EsTcbEbVaVyh${Z@ZYL@dzJ#0b9R%l7@s1%Z=CeN`MuSpW%`i2OL-A-zVV3)Ih-Sl+A_f&Yzah!5hBx%fm-ekz(fBo&ite zR$QTuew;04LqWp>6~b<$gFDt`SiUwX$Rpk2tP}Kr0Ji$9rPfX2nNqGvJW@=~+iRZER)oru->vOSy)_y(Zc2>J& zF59QI#s^;IG1i1ty5q-Y8=DN^YzGqrNde*=-B-zVB9UMZ?d2?)qN$eZpgVgZZr{)7jkC!|t|s zy+}m}y3`l>>XCK4H26StFNO!wa1m`~iqQ8;T6SNbu}fQrr`U2PVkd=y&Bc*eT9(8 zK*@9a^FD3gKl)6^9DT33@`KX{2_BftNoyhh*6dG&P|Ne3Q>oGPoQ5n~sfh1IQF=32 zs^xxv`l#6n*nno=*qQ%ynd6T$;f6NwNA-ST5OL%Zsb9i*sZj7!>gXVPRpq&JD`9-@ zKos$aq_nVyrcp)8y1Tn!x2Z{~lhuuSs9ALG@zvxuK*Q|l`k!Jg3!27vFGB}qg2f3L zCv45Z4b!+P@n2_r zmXDllF!Y=k`v4@HdntnZzel$FH?c`7Y#j(U0BRA6%TM4JO@3}>WBGRv@Nqxo+gCbe z26cLSI8{okJ_{J{hRvrxK3Fsq+D@e3O``c#2#t$OZGXET+F2A@9zW%6a27IfYRvMv z>8}B%a0JV8xb`Zyh}*X2%L~{uIj0C%7Y{4=eJsYmqOog#@UY3A3n02%I$ZUgNvvD@ zIr~diHPUO^+}4eVa#T7S#(Kd?`uwqpgkH^j%V-6Df+v3ymo0_QzA+x7+n_!M(q! 
zj~ASDjQx8xB6u*t&wYGf!I^Px<b!4;*wJCopJ$`+C!$bfxQUQ>`F8~U-1p4us;P?92t}y zO}LF+zG;72F7xD&u~#MUxV4EvfdGSwA~zq~wwX_`x09#EO%g6k@?af?VIHkg*0k0D zYqAS}w^w@uA;0|VJ|hR^JP9eC_^s$fmkVA2ysE~_d}aFtjVN;E{@tLPe2h@(P2#5Ggn!tbwwvm8+;(>eo}8j6xbd6g zU4~Y;@T7qg8eEnJvxK8q1hUklxH_KW5nA9jc~I8ajL3Ry<4Yitf#AgNDw$Ow_YKsi zk*>{=Pa>9ziilfMv&wkG$w8{pjht>h4vvU#>HO?PIa#zvl#oxX2UoJD-_R zyY+^&t!^B!+6C$F1KHli943oz%IiIdzX&`9Wva4QH*0T#+}BB>DLZi1hdf?^qfX`FBCu>osM9`$-dl1U(GRTS-CkU^ zZFXQ;DqArL#P+y-yA^iJRb`@tNVRQAaA-UYVAhW|QLTzFFn zc7WKoy`XGT)XOF;g(Dr|Q96FL-Jq4BznZORT`s1aoUFIQV=Kae6B_zj=xQ=wpK~kT z_G=`3Hdn_v`r)Bg@fnRiLO2C9`99%KPsP8|#o4yf6ga{jxf&S=_HU1hwNfbvOXTR3f2bbs;%_e#_v5 zc;SaR+`1+eO2dFfzY{r2U z_FigbX7+*zKOtWz;dO!mpO$8ChU2jU9#$KUoxHfH~H}| zFB-xYT>GN3S@pf~3}H?a_(xJ_!J@onZX01=gMxEldQa|M+bH`gVicwbZ=4kU=_jQwH2;Crh;NITRSVZ zFM~hG)p@t%7%L=VnthiQ#;n`gYuB{No9OgM9nTh85kDz8Sr{|3bhwbf@7*}fkL6ty zeRnE9`IUbNOk$S2de=zqF=e^39h%cog`sY>&<91hrYJp}ksf>moQ5`ZGz5(z2z_p^ z!y3Q0#gaI^2w7g@j2^6y>leL_%}9Gyw7;*in_@Uz%B{B8u7%?)_%k-x+{ys~?~=0y zu@5*_zVv2gr%bz?euL{^ zdm;09^&MB43{$TCne$s7+io0Q1_Uyi*{uog?ybqgpj1LSde4s#j~Yr`uL z_Uyt1?=`1=?^b}v?qNKM*OBCBO#@rOtYV9bls2v`$~Cx#Sk=0eKL4(5rlt<&E?Q|z zE3wolT;O}i+cFpv!ZYP9Cv?_T&(ywbY?nPe4-OlV>ldXD6tiTP;{_h*JZzmBLsMI& zj#vD`O3;VqVHV!%taRw3@PYd_uZFmcaU;SMNF-``Ss)lk^?EG4CA&H^8Z*&t^f(ck{Z) z{TK@gAle7NjXgxaR@+A}>j(xMzB$=p`X`OAk!|NU`qwY7qhq$`hEHV2gXSxg1?<`? 
zv;c=TqP%6wBLuP8&Iqul$9mIz0YM56pYWjXRz3KJK*tfB0^P3f7zI(*!iMVoySEi= znK5pF#K2)tw3m18^hqt7&m(#@)B1z0RU_>R+C-WXxGRs-r)%U*DC<|uRWk{rVRtex zM`3`LUTV{pb@fY{N)MpPTdcBt-l~dJZP)>H-pC-WFF{q>xaC$#AeJ^mwdV--7Qi7? zERWlBNhdn;3;|Dq`%E`?@(|_U@BlY?*v>O(JwAkOT-r?~cucUSM5TJLKMH%E7$CHh zNqVnYJY6QQI0|5en#oU;r$XaLYNm2rQIn5axR!S2bD1`}A521I0jG>=GOzTrq(O%i59?NOYN)YmPRnWL2W`F$VOR0jdeO| z{Gw|u@C21mS%V)gCedy)fjOFy*t%l2JRdp@@}VZQjqj=aA>X9VkX1Ezxj55%9-b zqjo>*x@YTZDUUXgAGt8Waj|^v1U<-(`S@a?N97-A)o<)VT|DxJW-M*X5<_g;XS5!? zfd z(t%G2&=!=m*$PVY3K=ox3d?E8crLbB3n#&82-5TLG6J@wHJS^)vutDXyOx}A6Png) z)&x(6JNRzk&IPgz`!50nOA=_h5AODf)|FcIdqJB)->;M}zFnjX1Js_SNt3kL+TW~P z1_=azuwH)2{8>zJ-=jlVw(EB_!G11qvVK~wqc&PC_m7hTW*ocH&l%w@H8JKW$HEGPV{mOgu$9Q;kSc_>6e?BwZ?yn0z@H1D2nR{OCe*|k8&MW^+SOh;m zKaYzSFFvSTxpIRA3l`Ku*b5BC@L_Z&g5Qs$KzImENnZbqW4*b0cM;lO{wY&BfyO_R z$DfJ&p9-#bDI>JJL-Tu=yxeiz6!@o5VB6k(5)ogd*#oT)UDtL|!;{*c*)n7h-+1wy zFMZc|f99Do<@l*n;)g{CYF_+Vxx}*Gw`}?|?Q_R65Q&4Vv^>h`Y(b}9%MkR^{E-a~C3YM9u+DUR;j29PF}ZX>1t zjjI<`D~XePe$=Zr8nleE;PmLxU$j$zr8*|8ESEqcw}106B-+cQMhk5Q5}2bF3qcQR zp6%bhP7jPpiEVFk3Mo6e z)t}l{Jk_4SS3(?2V)4@!1veOWWZzZ=3P}^@9}`z|U0<#VSMaN^c~YM5rqRakk5%yu39eIETun%Mb~bl})#Th5<8rGR>7 zq~q540{}nS@2nTcB{kl7C=0ciGqP+VsgPRSHmvmlpRm7BDc$DIa@dE|-aG<1XT}z{ z?h{NVPtY!B8!SL@Ydmed@{pV?d5Wn_;}&L~q|Sb|>Kq>Zb6xp575JESzKesOIF2rz z`%UF1HG4U}sD*tKfIkl+vdc{EWXF%nPniBl?jHcTa7z#PVto@}k@qglUmXMhox(qp z(tS6^8SUyOOq>*XU&n&Qe&ubpoBYhf!?>NB{dfdp{3^x;>6STn5j}8>Jj?^nZa@>6 z+r7#21hko!V`e{Wv{H^FN|qcl{3y~~hn?FzD*rfsSr^jZ^f{YAnZhvk0ozEKbpZJ! 
z0gz69-UrzoAN1h6B?x>&M>?`h=0_Pp8FO_1Ha&@+`BTP{?+F01-za05S3=~W03_0r z9|@{*9C93!9~kc##s+OYX9GYv}CmlGxD1Z1qq?S6teA%{}ACB*7$x~^T-o#OKaksIdfJ{o;)eVix)%Uzn@g24}bdGef%?u+w>U1D>GR|I=|07-s}YXnrP+2{Unxe`r?|mtpS`KeRmD zer^i<-6_CvK>p`8_T#62m*V;IYLkpVA9&9{ei&cBbxU?1IwU3X=aUFjaru9`zv5-d z`ZJ&RwHWjNY_dDKn*tb5iUG*En=j?$?T>_e8-l340$%orgzet=^y0Q%I!>%2V5=~- zrw{=jhSU(W>{PnGyEHAL@z4?$LJ$-GEyph)l*{K+zy2nl6i+RamK}zMX8C_gw6X4#0Y z`O=^EFR9r^$Ed)y^cobz3Rupf3GJGZCJt~66IfK$K?i=nG99KRN^_V;t_N43*|_2ljw($qCf>+1MX`+le^WpM=9 z4P}dH?~rvc^e1igOB{jhC(}R7!pVvj{#L#L{ayl4T7L(3&mN^K^mLIFn`m^o? zM@$&&qU~XyLxYr!hq**()a{VA(C%A)@S!eNP}|Iu`|v&vRl&CZwM%EpfsIRK*t|W^ zX2T&$jykX}?%cX76|zK^G4pl+?8*uImjH~=cJc{|*E(3Vg*gS(fqY_|_8a?K>t@lz zj0wgeO*n>48Ye$G^JZBv4}f|w4nb{?NT4a(?vPb%DBDAtn0%NwdBL?lW}JsLwv6n0 z`uK^I&JbCFs@yP<0sRc!_8tUYq6rW7ue~1$^3lu!#~49aYfM2Fp+8YApq2ysPCJ$aU9|x~+p~lD%=3#es`NDXV zx2%m-XFi|-NMny@^6;PxM|P%uA>IdQC);j#hIKUK(e+)RvKU#B=3L|;omflCEV^gd z(ZKEZ1Y|qcFDi33U(^G%829##Ygq8Opy1`>NB5;yi;CEiUl)fPwQ-IU)4$f(w&apW zr0`ZBqfpZxS6*e=Y$NGy$spDbvd7Wyq$$JrPO^B@8W$X2S1(;vThP?hch(CwPb=d9 zCDJz{cq7R1j%7Kn&dvv>ey(x;(`VNCLk2wU{A|BxdnwoX9weyG_r$z;KS{M}Rh|B> zG;vLDo|(_K?O5c&0%d%MA_vpjX>H=t-;}$2#R@4`wyZou`4KQk>~UQ0UGwAfKgInO zb2!qAfG21Y9)RbZ#fukDc?;kPi6VSK^U8GmlvY{nuFQ88nVxe&y9!9zbd8FV4a!gzlUAkLJ_GBq5) zAmcl?)2nQN7T;s!qZ1I6hqNXg^JQ977rp1Fsw0kqt*oMcLE*+l+!lp;cdT2*RQAQR&GxCIU!=X z)@010zo~};hK_!uAIqknJzN`O`(f+YCVO2}Yw|I^-`PIYNgeK)k439sy4ch4P!30I zD~Tg-rXvVo`rA$ihAH^2^(2rKl15hH1UoFyobd@x(ea*+eZzX#9m7mG{dsSAgtX(c z0sVPT5YysQf?L7)JNb~j=Kv`+K0!MEbII3~r5bK%3Tdl+gLsIn;Dd?7D<{VY1X_Y8H#89Z)w&cJ01>HxNHqQA)96bV!*rtF{PI% z4^>y-j-WZUzX%W^iI!>S8P$Hp zh_b@oZv^nIezlMH(CR}!rGZ1%gpgIJ0Qtl8J5O*|p21dSZr7&`L-xI8W7evVv(5k? 
zA3b!)0@RZe@aK+tG7j@$zBJqM%F!13hvw{cdIiMK*7iybhWBcMg$5s(nD`y`og3(ZYg}kD&fZ3oubn<7p7JUl>^!Y}&N1xZ zU)G1f_jB|+@99jRA{OZR6d*Y21GFt6bWd%J%?Q(o&;zK+)F1!XSUPr8NWLaSd` zasMg)roWXxAP)&FTQm-qzlLU9bUJkCu*8iUN1Jc_4K0`#9n%Do#r>s-kllP2IZZ%iNqrdAP*`oN~8Jn=hsA- zdrLcr;C5~bxGC^qQGm8Pc|cLVY*}%@NwED}*IM#D#FzT7r%pi|?YRV|^>==Vy2gFi z=f7fgkac1{ZVk_OrMf%b|C$2)qyyWkhUeicFNNn|P^;{{I22B8B_5n&w5{Gtx&N?2 zxDEFKwyW|~c5Yv$_FmZE>i@9DyPNY)6wpa8KoM$6x;n!voXpc6CZg$N+&;Nx9BQue zKrAx}cg^RY_^jLIv9dr-LAP^Lz)*l=gC->iGI_()2SI4#7)HS9-klo&8a>4)S_}kP zprn0FnfUMP`k~f~?dNyMhos?2c}Y39XU|?)yKcSs!1n9d36mvTri{{~M>k0W(?7d* z?Uo%ocS({YiDmNlKgjT*U(5Op8zgtGTyhyEO^zHnCZBd}uig6x6f*{X^|d}g|Gde zZ)qoBNr7Ol=AO^Sk6+p5nfK<8e&#;3D}tTjyf=<<>CBb)#0%}u_WKZ8myApoB7)`h z#$Ogd$8`3z#@}86yPvtbN3A71V08O@|KSC^#D$8hLKlaJHWedDHpn*weMd?*y4 zhXzn*weMd|(vd0s$t5mPXzOR=2-Vb$B>poCJP2g*vJN zRqju{zftGCr>a_8dp$!fjgwpcQA>;(b<{j^o$&IR;LX1c_|rDyJHzeV6tGi(GS=HC zh6Q%w9cFh7<2P(<*l(uYV}fU{Hm>dQ-`D+zTCexj{{N($J9lnN_ikMzZoIfM`tGPU;UBiOiT->!`uIB)=m6*m`e@2JwOX%o45>!$ePV7N}7cF@C)S?=yVyXBiv z!zB*1KWTcSf8SoRVBRdroHd9wUKa-4jn=9tVxCX~# zJd-}OJY3V7`1ULBLvtoS*F22BrlHp4pKEHTZp#V ztt;|(>$dk&UxJuiunP?w;kPRn4m2FK32RKfmx|g7`B3X+tKtWB%YI9ZgVU;3sVspR zGfMmR?X-TUPMy-NOJi*r%#_wJfr)`!2<_1{dv+7*|SSF>|%=&#Y?hh&xZ2|?x_Z8nKGp{Zl2t^0dD4&8#iyrgzv^lrc9Ysu_IZs zWU_D14!M5)S_m3(5o*uQ1JbisZ;2T*hRmHaQzB!V`|8!d$j5c-W9LT{iG;)X%9O1j zd-v{@3;`J=X^OP6f8T!1XZrLRGL3b^p?Z{e9}2IAXyp5T2wmozm*1N(I@Xl&3=U_~ z7=K>r!tytHo2wQ3&;8o-wxwUHV&y+*li;5Mr;miYxd@wJedyE6kEa$0UBsF?z#sDUMVP?y+B|L8Am$Gd6 za>)pwbl%+AGIYq-n&ihHXGpzzb)`b3s+w=sjA=COQ`iWmd+bp7xOMBcKL7H|TI91* zHA4q{`4xcDDC%#1cnF%vLm4~f8(Fb(m4>q}w{PFZ*7~dR-GoUvWbTP1O_o&B_@_~P zzJK4IvUtf7XqaY_IkRWV*MkN+vU7h)C?W7orG#=&#pObbjYQ{Gb%VFL63+O$B-Kwf zt~{FbuHhz~xw?k)nPDt1v^Zh;GhGPh3V50Zgq1;Pg_(*lW0O8aA-0D%#kJ>c@^P() zYkGScTQSxxfC7`xYhi8=HwD}ja8uwzpg?NaklCq%QT^DN1$J&t-CnO5& ze8!4F`$&8@xy9Ru(0}ea{Cz0^9WacycO6I8=ZB6@$0EcVJ`g`Bq8OR-p~?&=O|bwJ z!hz08^)O_erGaN{PY#g|4{r){jr-qtwhqq;y>9mMLTmeb=`TZDRwfMk+Uxnj-~WmB 
zIO!Wo+nr(WNRvMs|Ig4-^L|HJ^XK`Uvd^l`hbkA|NGsFd@7Pao%owH;jk%DB*z!)70Cqj;8a4bx zZF1^^?Z?O|n)NDLyp(k8&`!#fE+t#GZj-!ua*H44P*)ONg>BKn&QvcQ2HFc1Dkzhu z{2(L08I8Jih8@x*8pq`6Oz!Vdm-#aNL;muIWrXlP;|A zclBpJjBBnYe?92O`Cz-TXZ%_sTRh&HO1gOKqbbyc+2h*7cyIsGHDRv)%!ht-=4w5K z{ME2Jo&|QehFEff^$ibg4CcdAsNV!`xwhMxBV?7O zQ;E9Z-u3Itsv~6*>%#h4bq=w0pUD^&N_(hD!hX<$oE&AbO{6*NPwkD+98U;lNzY;9 z%hkDtS#2|)pr8fhDxGPwYkKn>G99e$wv#^0*E$&- zb;QKZ_?h@2uP%Tpn}&<(u0j_3} z8y3%+cx;CmKlBU1OY{h%Jp@%aAvX2k)hgcNJ=R1|9)@ZX;~G9-9d)cY>{q_)L0IfR zPO2II^*UPh&Y#c+=d@=ti74vt^7jt1NxsP zbtwBR8jvzB{De9%Oh*mqNctFhX^sw>p)yKK`n{{O>Tjb*7zso4AL1xqp&qP@p{Z$C z7+L%Y?=aer_R(29Wn@UOEU@Zg)$L7%S^N<^4&M~lHOy5OT6x)Hy(wR7{3+j~E!>)} zbPTm!h99i1&b~3X_ z_3G86bC+(g(U}n2)ep$oQ^$fUg7Lq9?+!7Vnn{u*l`Pnf{zbpOvUS@wjTZs(F-x{w z(8OG+vSZ{oW901V=jx3(*+8(ILnnSBb6&vl2HI8Gi3^trAwFMkfX zrVT4Sf9?wea z`n_k5;l5W27y)8lV1_KA`5QmRvBx+5c0ZGk{Tf!hu>9?5%{}9qaxB?rc-x9$!c2T# z!^%G_e|s8}k3HWvr8DvE^|br(-kz5U<`j3S)xSxLf>=vu*8lLQ{u*oskS}&Vm}X{(*uA7!A{!mWc+vS$9JoR zJC>UQ|4s@#!)f0U!x8uic_J}wkr4>s$2uJ+icgrdICTKfFCCya7I>`eE7@{_GizYVC$KO@eXmN z<^&H&x^*2gB$B5dI6;udXxi8#Q?BrYW=^CDklG!AH`-<+NM-?k=JO1bY((T?Y6PdA zq0ZLCoB-=f~=t1WviiyJzYfFP)0gC zsOHER7gB?u&=;=TlEU9JrYr55oyc` zyPe-tgWoy6Y2%i8TlFCi5J<;3B_E(pPq2-YV~c(76_wjoDNhVP@sR*$c>OLRZ!ql1 z6Ua-*8kT8+1!x2Mn5WsZKV5k|RGPt4>-Qo^dE{+rto{o=HJ&oDccKGvmi93uB679QEuK@PNU7oMvKB3xNr3|SBr||dI?h>s z!eK>=7A}(W7cR(vFZxQ)9$j_Ja=~Tk;-6&K?%lBU=_QdPdrGU8EhMeKzk-qxBSw&7 zMT@B1VqPqdE@Ora^2?ev%A*x3l$Wj0@VtNjzU0i6Q_h?@3vJTXvU1gGNtG&vBukbQ zDXcM;GiMIHXL{qOH|`%h1>SYwxyCaBnEv)K<8Lp+e$TiD2sP!Wiy! zA-`%vR?-;>H}9OGJ&_|Fy-Xuqg0+&Ng|YJdGhyb+^!9txNONVlajzhd?QxC2`w9wJ zFJtS&-%b!$fAegvCa!rlS66@YY_4yL_qJ}bz6to!3|U{Rci-N{VdZc9UF*g=n=n&< z`_&$1XHv#tUUc?2e0D9v^*OXOCJ%FE9J>pvEPEW@yOw2tw%^;+nKDhdxw`t>)41>d zGYS}*`oaKsg1B+iG6*=!vVaQe)!Kya;I`rz)b-|0Zw51eAZ5?moFpv zOI886@=Sv`q2BV#BH6cXjkM`CN<6(H$$_0)q(kleGHKaiohbHhQ9-7x`c-1ZjfJ=? 
zrEi-mGJVY{@lBcn6H0;tk>u8mKcsidN>ZkJWBfJJ$s-HkM?2pVob;P9Za(BWktN8& zu$kirDd1YCd3WR&QGu0N-+e8W>b8=U(2C%zX8XEjvTFVm={;(;bMnbNEimFEv|+tW z8rod}o(sR9kRC&Slp^J7@dc%AH9r6gLG-?)1p!;Od(Gk>rPqj=3OLfAz|5?11BHN2 zinM|9Y28ASy+CQ4Zv99B-!mr;N{?YP#6K{HbZJ;pnsyo}+4AL=6Nit>h(0a!q-z2# zyEm_rZ{}>3jM?%4II$+otZVoP;pFh1EwXghc$u>DknG&FUKam2R=%9DNWq@&jY`Ur zeRlxNcx$_~P6QH=cJ;y^B#L(oA*iWz1yPKQ{25`abK1b{au-0@H+|bE$i+5ay>LqE zwCn|1)K)-)KnK$kFyLgH^yB@#+c#xYKcoW~OLyh`Z&I^acPUokV~K?6S-t3c8Qr^?1m-It_tC%IhfbFi{%Pgc1N&rj|F-hS#k2C{ z;a$mAu$*)rI0^Y%2U}Qt#kL1)1`+J5S2Tt69lJoXBfmbas>oviuLi8Xi~MsJDJOZ0 zRg@;B(#mMG+dnWH=>Af9s_Q4krAgPXB}e`eYTGWDhrxg0!^v&R5XhRTKOdK9F=MG# z)bGcS%DUyV<)`rjWcb{jk}h)&d^0>3^1HWBOrMDCk@*5kz)t<$-s_vByq}gpw&I4ZCUVNuEJ%t&!>IU zPr^eMk)D(n93Q<~RFWzU+DpOG)%4qiZ7?#3SJI7+{v22A&)<$7kdb{_O24u5Awv@? zfJP9OPGum{k8@SmDPJfQEB1MX56vK0gpuE99yGxcd zsdVhv!S3ZulQLyW;h)`c>pTBkoslQpD$hU5y^=hRoo{?jnlynhU1IV?OvyV8R(?X z<;z!e^(21$cp8xcfG^mKmo7_8*yix|_ICQ;y?0M&R5(6>8Lq^bd>-MW^4j$qk}yGh zr`oxzAmQ^Z7!-c^@R20)^K}Xu=5gWTC9MO~yEgENfd7KYF<0X+S5} z{7gENmRHh*A8?VV4FacmqP{n8-on;^1X`}4AHyk-pF$Idr`Q=sb$-^5tH&&-~e^#<|jld4$FnCcgXn|EB=? 
z;Um!5@QiDYc7AaUb3eN&;HJR4Qb6A-8u|FqQ}VRLA(rs8VS86rus`3}ZSaxh!F2@h{PBGigm>Pt{oAF{r(Z(TFs2%Wst;)?}rI8!5mA|klKFK;)oU_wj@o3!`M&>f*hxh?NbmZ zRl3YFZsA@9UbtE;%!mL0KmbWZK~x?qo~Dfu;Uj=sPZT7f1{wj( zn6cvnlyn?+fVdl1&IK?$SHaPX=S~TMR3B*g;m+qhzm zGuWCXy@Zx`$qzoe<; z+T{z%yN@0|!C0#%zmefqc&a z{Gk6R7s$iJlc~XJ#wWbw$lg8Du4Z0o-hHS5L&rBGc%B0n--YCNPiQ;p6L{|U;XP8J zPAe=qVvBxtQx*5sMga$1-!|~rk^FOw$7kd38fMb4 zG;?p_(~tM&*<9&wcP4LM>B5R<4>NH!0e@TpPuEOMM3cD*r~hl2naH-QiO=+O_GjJ) zkD8GAnY``sH3Qp^38R;ZZwuDJ6RLlRNdK}23Ij6sO#qkQem7YsSEqhIC$*|okc#EY z;*_&HGW?rw^<(bVtvk}RVO`0RIZ%FCyFr$(`b9NOc=}n-Zl419j4LNko|13IO_UhX zqpQ7*E*)D7!BbO?xvp8aLFO-7juYR!C4Su4(yDo5{Sf+Y(iFM+$91`n)t4MuGfACV z)to(I(h~UFxOt1rTewUzXG||`S~f$RSF&L7a{2W*4swAFL;|T)X&*eWuY!Kegz2YD zn;|EDI}M=ruB1a5=7p9}IojZS#oH=`5yrV{y zMJw0K_!0e~Mjs#(zn>*(It*OllxYAbXnUjY#UGg*;F?o)n+NJ#BB7n5{=Y`Pj>WB${3V=ip^(&Mh18+Fl z&6ckuChCFsZr~dm0N5j-61XD(vFfKO&>S5g1yEN4%+!qHYl{I7+cQ-%-ue?Nw$}Q2aWMHR{W!~1yXeWUCo0bExOqe(YK+|G!`P5+rf!Oxlo7c;F)V)45<6^~4Ad8`W zH)s4nZ9C~^ZHIm;i+&g>Jx9&~$eBRmVquh;vn!#cmj_ycXHFiKDI@#H!+W7u%7iLU`MdFJ~ZaIosgI%0kJug23r$b z_|dtxmtc9}GBp%joHKE->;{-$tV#pr>ws)|RcqI1*U=P#Sq$Jii(C5b<0yZL%KCkI z=hk(ZKXnv9^3B@+WuQq&5c%M)y+RN+R>CCGzkN;cdSl5A4Z}16XwQw{_7o^tRr%#P z8w^Lf$BGw8wL2C#k`Tlq^@ZKx(4SXY9kz{ljL??*u6vX@i_eGHwGrcSA}d5*r? zxN@Gho!aL=FPMU{<}0mwj!^Bz)r+R9rYOxFZ2b8rXnCKJY7IIluP&TEMkwD{FAva& z3qM}o9{LU#(Yv{V*911{>|>*T+rF|3izL*XjRnB@GRzxfz&z&qm5UmeW;*WPx`9RP zM6zksPpUZ?3FCvZ5csp4`t_hZhIxe?g$e=S#Q4R6$TRE^pa$=%d6QAM2vP@Ho4E>? 
zM892;{X5pFhOhyK%(yrB@W~@bu`>Yl1@KK%6*R-b-3wfps@u9Zcq*M>twd!<>uNcr z9{j?Gw?K8fY^+?r9r|P&_&J@n!|;VZ;Kz({@(dUH2v9$M_yF>2gp{b(STf}(qziuA zvA|HY;>XyP&_+RgZ!9n!!n@_r?oD`CO~x3iB~{S}1g!V(SPvk*fNGt-0KjWxwkgwn z{qIu1@KnCMc_nwQTsqfhiN>Gzl;^JV5PNu7aqMaA_hH31d4^VAXlYD*6UHkY!A`os zz>NRL-d6xfaXeoa?(T3L9PaM!8iE8u@B|6LHMj*yaJS&@?h+)pySuyV3G%&Hvwb(W z>>>FlzmJe@*qfR5uJ+ee)pF;~9f^huUpZ&G_pM5nK!3Ey1=D+P`0C0Sdrmvf9n^eV z3%tOcm;U*q8;$*)-wbQww!hPjhW=?xc)lC|e0MfMx>>860PiMZ+SuPs1a`ZCP(i;L z|IXq0O*doj9D@l*`=I>U?d|^k<6@(B8`l&dpjPFZ^3tn&C+XO>xlEWkR|kPr05ubU z)3Q&G&eHhD?`6c8i9!xSa%J}D(oXvK>8@bek)y{n;$fr5OO=XWBc6_uGka#40npAE zrojP=+@E76OqVVlT1&s)-SB;1_U%8Yx4&)Lx=X|M>Cs6RE?p(JZ{N}23~TD|#?70` z{aC74A$k1dsk$@XYTs6p?w#8!_*%F?UWo$$mK=`8a8s2%Yi2FWpuWGz+Kt}( z)}8z0w_e?lb_bb0cd=Z;O>|VeeEG^%9pG!%_)ck)Fku3zQoe+w!NQO6<;2qc!&l-0@QEEaf!qc+4Y_5w*=^Hjf{M95fBIMf8j?6^stf=_k4uYc`6L52 zjI{u&#Y^Y~7Y7GF<~4!^2X}1-z!OV60nSFm26N1>t>pfl8{oteIRh|t-o$|bR1!-* zh~JLt-2x!gGX;HiY+NpNTlIlRZA^d~e#$vYI$XPWNyZOoC&eM&P0)h#0BOg+q>B%@ zkoIj`D^rK}lG)>i%kcvT;0NF@h(TatSdT{15nOrs0DwKX2fc|zV;qKI324xs^dQ9v zVoV&=QPu%uEb-0vNPNkL^{^_YHspuL(9lXH`L8m*-GV5y1I2EypuR;&7vP|Mq=wEmi>#JX^s)9&XYw z9Rg!q&pdnL3$Ecw3L=qnjP^9nV zq|xq;O9J&Hu7}uA2F(dYF7qc%mO0}G%hCP&6{sU; z*$=IHOPgAS0lbX_Ky(7_AG!+>j`d0v3&-~FkWy%OKeitr{o2=&{iy5U*gTI$Ke~74 zrh!~92?3>@0NC^&8)T2L#C+my=ZESGC#Xz2YAk_mk3wFY5Nl7V!wXfwO#+HRR#F#Ls zpR8ZD5Pj*c_Gf}vS@INHDYa;z&@ z`db~h2*`V-NT=MD6tiyjZEpWDD846w$X7BG!0fj5i=`%j$|4YfwzyZVy(_sd@7}s4 zO}@z?nQ|7AM&OWrhOuq(kS-4HRclP(AqYXR4a;Y$KaMv~A=PvrAjaLBcfbw(Nb^pP zRH}F&cj8YS2cu7Khx&$T3aBlZG)OrxIhZV;^}CKM)M3iQ7LIp3a3Q^Yku`EA`@DQB zS1z1l(QzOW8STKzv%POjgIb6r;I@wtIf7J#SpR{Yf8gNfE!y#J)a68|UxBkFjwF)Gu6@hv-lHw`~`S>T?Vv*tu!>9OY;x*x8|8DU2yMRR8Aq z0qvF6?87tx{r*pR^7w_0(M2&H^RO#cyo9o3`Us^r+teWdiqD=tLEGW{1_Hvc{Os2> z_OWsCwBf2ZIY1|=)vnYd{*V)whJBp%KD={XjHRii4f-MLZXRfz9V#UnLgmE7L7f2X z9@Ud>WBl6FF?P;=jQ#tb&UsM3 z)~FW{j1hD62F*{?C)y57(a}|{%(!5PM+~;Pv0KK?$d71cenWn3UH$2 z0*)Mk{Lyd$nj%?Z<@P&x2w&+S+|K}-)5n30R&8wDw&FMGkociMdiSuBT}nIRY?NykKB(@qehXe 
znbYf&e(WbUUeL*rENK$;cO0CKW{t-|jPo`(t*gLQS+{mI2GwtdrxP17(Kv zCO%87JRZQ|<0no5FrFnN2K^@4vt`lrD8A3zwQ2moRq+HsZA=HfbLY%1Gv+MRdN4F% znMgCc;lyJ$ffV~=d5l;+>u}BbP12}-ZHXN_mc|txH{Kaz=;uuP62%JR_PpIvyl7!L za`d>?!@QB*BTBqo4KZc_Coce8r26_jH!gBJn^+-z*% zR?g2OYvxUm{?q=DJzLgjT)cc`D!B8y4WAFO+tLa^a_*Wpag>y;+7Kek6~VPdE-pV= z4emegBzZYW<$CP^%4}C)&KoRg)CWi%n>Vjs0LXF!fNFK!jPHSd%;FX6NXbfdbWTKY z1uQ6TOdX`h5A0D!*Cs{c$^AvnpLhv90np4+U^ha zP2l=01mMF*7C^Tj#fj}@-vLf20(`Zac9YgM3IYIGr{Kj|)DOAMNRL=?6N1z1igIt| zD^^wkVb(9r@>yfBezU}foBuKj+@6sEl0KF60Kn5{&o2$jXO`yOM?u8-Ctc?;Oh~LL zR?VLbuGyI~d&?E9HQ2`Ap#HN2DsQc(-NAWT4dBu(aPI*qT7Fp4X3l`Jh~y|(M)St_ zjA7d|t9-VVM~@!r&-5dtqIr!OCmuLgzt%Fbp7Voa^Em*SWT_J=Xhx25vJ-0UVgP?#z+~_vzdI~q9?e|T4=pcrza0RvgDzjNRh^!hRSw;cvxihv?o{u~1s+e;gW&hxSza+Z(m(F9zCxWO2@RHMa= zEu8>Vk`Db^RTW>v(Q(iWDOIV4BMw#{{;~fc)24k}ss}9YK7!0NR7F8uqpzT|cK`N2 z0JK?S5SFew4qZNf37q4DW$cpupm7%EvL%K~wFfj*&2awIVSOjK9W{D51^LH;bJVPT z>BwQ%l%08E92~m_b*_&-7#;Oc6go(IaPX1(ZTsR71^ojAs?(yEa;x)jsW=Xxu3tWn zG-87;zRJOV_ttfAIaAsR2S?!WZ0rQR)FWKMbzlAKUjwTk!^1Y4usgn=naAjQy`ctM#b&4RH4X?R=ra;6j(W@7@dKpgFJl0z z=TUVBLpuB*?dp_}L@CnhAzE07*|VLnZ+Rw39cXOKQJ@UQ_OH-~tno!_z|q!7e+|bc zGlM^M+V%$*b}^mTauzHrB|z)kg$p1buW@ka36K?PTrj{K2LSy;t6rGL;P&(_+C%{y z=2?dl^hW^PZQK<2Cn#XrE!(c!1VI7xX%~hBbLHSnNb^mSN$<+!B2MB^}6e%}m*^1Q?0l-?OjOlUX z+BMZhMBtEye#1fc*b{IVcq>)Ba1O1_wcj~qXV{DhWY`wxK_eSHALF*P0L zVbs_OQl&x}6?spSI;H#y&duPM&^1lC6GS$7B@jvO)E<2X$~Wc9$YFrWyt&TgpLyUo z!^X_;c4Pmh?k@gl$eqD@F?u{zpA^!ior104)Nn<6>LX6*HQ{dlE0gPqbpcMg_ND#9< zbUhB8wG|*tK5MLVl#nnd$3D(C6x)mik=91w@}yXF({3Xm`sgK_SCZS#5}~>V-FQ*K zp+)h-m(O1+mksrDCiF_70MLsU6x+mwWf;4;2@Q_bS@N`*Rrlr@0Ccgzu|rO@9Jnxu zV%#SV?L_{nDEP>D2#hi83tZfxIyo^YhYc47qR^*=;)~Q@nHD$8liMsjbVXAvcju-R z3Vd!{F7+lCU5nP6)T={?-11BKu>V$;XPb*(W9~SpRyi+W*E@RY>eRr z^B|@tT;P-(B9SSTS~;ml5S&}ouSoIq$MQIdaG2|D|k$L#CfFZmhugtHRv#C>a z$@JlmUy;F8_mhobdj1Y~Uvi3B%?#^g^pE|Nv!4YzwwE`F9jM06h zYQ6*j<9exHO66ij(rtd5pt|u`|D*}I^VnXh0UV~DJaYcFsaaS>?+N0PG~3oMlYt%U z%J}6+zh+yQc>sP_$+gMcJb(KD5-;ZsSA*6i(p6xIspOvFka@{xjfXjN%7&H 
z&8x`VZP#!(kpN=U_0isQD9A?cI~wMVbxrdf^m(SqlwJYzXIS@9)R>~|)LEIcU@6I* zyReY%yre8$)_jr$-w$y3K@M*)18RBMKK6opnf;VB*Yy#W!4IH9pffnO3C5<$lnY#n z);f^+C$JL}K;bv_+R6a{UP)4<*M7qAyhMie^b{Poyd)_W`k>M4%RF1 z2Mxu@UqWRBIbb>VaC|a`{e@!}+YPJT=I1n}1iNUsyar&`7(mt*EwH$7UP&)$YfHcZ>jm zJ>ttTx>(cBJFeDrWa0}d4i~}HDv0tz~(hfl4B=Kkul?^$X19?Q?d99fMW)TWV#g3-hbeb>JlA4YOqWj zJ6M*kTBoArXV0F4DE$QeojZSC$$@0}w@#``gKg&SFGHT~VfN3-4 zC~#S|N+orR3Ei1SG@ceuaX}F;j-ZK#i<)T2Nl87M{rdD!&~N=8o7A3hYJ6Cnep|Vs z+EK}K6zDs$8~U?1&^ooMNz0}U#1kU&Y15=s5LY(_jzC%#^Z>J{fehx8v^uhPn}h>rS1NF~ag(icEn;UJ z2F&1P92CW;Aqc~bHD@Z$C8;y#72X=pyoU)JLe~*ta053D%N_w2TfAe;Bu77-U-2Wb z!=Lr74i@N%d{Ug2bp$e~`^%^I_0pwGxpL^mMFbJKG3P-g^;t3=f?lMLwYIR<8=Pn3 z#7_jS#x&A<>@w+sTeELnzo{SyxhkJNeh8Y8W0Ihy1;R2vykVOc>BI+MG8{L(dt(h0 z7GPHL47pT)YT&Y4y1AL3Bq>u!@$z4(KFAf|_9f>d4=UqAY`@dMaWZG?HHemX1?YVM z`9-6FF?3*iqv6^C|3TZ(NE7QB2Nx>yhvKOyY_~?`aiP><&?G(TmOzHJ9UvfOFK;*8 za(?5=9o6f|xXD=@K7s{&Tfijg%e2s!K*MXe@G4T2=yXbi+}P zY=3VQWM=-^?%0&MXd*{7)1omPgyC_?3vZC8p_s2(T(SLAV-kV5BYXbTw$HXgPEpo3 z^Rja81WAWW#J&QzBJq2=vmg2!*zwYqNKvC}J7+(n+JdtHnV&&7Ym{iAwLEu8V}N6< zFPc!H!su9oB>YY61c|M5VZ-{SU$*y904Yf?UjSc>pLAn6X|$}4Z_+thjEJ~oC%3xs z5-kIuTm2>k)Hu9U5$lZ5$;bnO2X`M!>zak6-M~4jXEzx0J!8#Caohx z3Xiy~I$`AZ!L1uMJPu&6KOm|2qahGYT3p7sNRD#GLy>kGvw{vA2KA3Zkc>aJ8z6m} zR=}YF4otvZ9Wzd3y}e!o;1AoMj=4y{N+%fB{urA<2OhLAjpeg{S8mLdPz$jPstV>! 
z7zpv}(iVN;kp~;pcbqX-9+WAKwjl!a9M^b&WbYfi4D1$EK7|Yw0_BLII*SK){9d_q zS+7)6K;Uv*pJsZoQz&q&lRl&~%c|`Ib;kb9HpIMp*fH%>k9jvw z=g6J?JG(QSb7wbkIoq4CbT@vCo%7RG*g$p`$`cUGRYn3_UB8)31d7<<)x_uQ#&6?h zVzv9Bn~B#vjX(3W+uPrbyZh;a0&LWre8??1Xy_>Auq<1;Bu?jilv^`xn!)A^v)MxJ0Lr?AWzO#j7(wj65xL zUNS8Lc)XeXqL^}$ zZr;9EzJVT6inLQqJ82Rx74eP&&QHd}hDq*Knt2Nr`^QHvP6Cfl01EQ5B8uG`LveO4 zY-qTUrhd*WnJjLDr7PA*;ez?p&6I-|Jzc(f9hWejk<_VD$c2lS_ghXDIW@ zv6*HQ{dl40gj=TDBrW| z_hin9&T{eW2?g}1(~?|J+=OjjH3yd!O~WR!s){rIR3VG}jvJZDIY%=e7icuV1snva zcs@xmR?R|o#{Vm`D!jOB>m%nT+bw3cy@$ z=(M{pB_Uqg44iI{;rAN26sL~pgNsZaD!`E!dOCSydbWJUp@*?OI9Rt}qZ$$bj}O2R zh<`&rBlXwuR|gl|&@fK~^&ViZeqSS|7b zmWYv=o;6SNcJ0$g_UPP4{ha;U)mHF=T(n?%1c38I#cFvtOOVs76F3L5?z#@0gNst4 zTbxQP6EgH1x~f@+#`2tKcWiJ4*k9pw*L%gtsTxBzHp%b}n38Fu^dq+i73B-_N zjfQS_Z(Y-O(u8>>U`XKc#KAqdh-iSNLl!jY->#0-ZT&0M3?v4)c1&+I_ksv7b*yd& zc<~sZA-Q@96mm`GT;5TAT1rP;R@1cW2<3dFNHj0`IeuUVE_aEH8^I4jbaMe#G0NV}ZktX6MEgDD!P_c;aFuTy#S)BnrSw>O7n=s<(=& zv)#>tF32L#Pslh~9&+DBjS&-|QvQ!5VHe4`O zCBPfXyT{>%lmd8&(FXYe489sl~VC7~c#~v>YPttv`$Q%@+F#svweq zQ<1lM_wP^-m%B94%X_H%mt2p}aiI;(LZnx-Q76^C%Ra)o=9r^>4d3j4iISz&v4q^b z1o?Qu72{#2>fP!)RRxhGWjZ-^c(1mlLO9fTic56{cWnSp!1@Yk@#UPAO7yyj`?87{m;N?Oc>z9U({1*}f>NnV)tJH0+ z;2`tL{=s_Z?!v#{BP>;y9NN82$0J@kv;k^LsCSj)2m8UMmGks6HFBV?m@`(UuCorD zSkLS~_OX%s3!2b4gd(`jK0|$@R8um#S98Qu9PJ=8I6ZOTfboiZ6VjZ6_WlhEC3n$s z`pNI}rw&-)1fxHN+BlNXv z*Pd0ZSn>Nsixzzcx7X;fAwI4y;rkyl95kK-RO9ng4D(Ge>e|hlk}6p;U1WVqc)MTg zbTPObgbvO2-F}s#(9uX8leck^P_st$#1l6*_8&A{MV`6vZPeg?T}dl5IN!N* zSK4&!E?%AS-Zx!DxN-h`WzWLppOEx%-mdXQ1V9h zVnqup_&5vV;|CymPhD;~vt`6>^i{MTOx=7iE8`i6%ptzxRpak6?{|XAQ zu1}piCm!+Q1!{|*lKH=LZ2FXR-G1E^_^TA)^vk*G(!EzQXU%Txx*y3aaJaE8a|50_ zV-6h$c`JB&T&_Uw750_G;OZi04ml&K>+J^g!4YWWCYv|$riKVBS*oaBgmIBuhkEA7 zZN=MkIbL5pb4Z=$a*9!`lVdQs$Ou3kgTBwF;1r|IxfBq$8R5B}Zv9=K?qwQ^5pokO>-6 zcO3zqxE_hL>?Z*}-UL?_0lbVk3hI-f91X=QPvLS8azXJnWpdMH0AN5pdpEA02dGjK z;@p2qryr2N!`=!WGf$~dKal|hGalxHbwchf=7ASt5WFMkL(rF(3h@FQ0vd;*+mm9% zywHR+VHuqbxuICstjA!8*T?6D9NV{D^_22)H)Dc3``LMFb5_fiC=6WseW=(;Mmra%){v?<+3?BACj{ 
zJ)+=}8tS$@yl0D?KDt-)kPCoQYH%{%x_(72ojU=#6+qgSnjDsamywWzl9yufhH{Em zQ+H}OtXpnhzY2i=n9_~)OZt)asn8~3;*zWbxPhMf44uoH375)H+?xG>T#_s!FO+J4 z%c6L3%?gO;@&c6X`Aez@KimJ6^QV+H>7Yu%zaQ=XQ-O2pzGS;UbL;>>_*{rP9Jn-N zLo7OlmiPFM2by$7>1mPY@2LjbmygCykVSejh7$!fUe9hbtlI2 zNUZD3GspKM-9IH1`V8}$2$%SjrC63I>q$>f$g1#BGehF zAQ{%J^~`&~ctVbOaKug7Sc?9bc+kxs1dgP=Pv ztYTYc+C1#wm~js3D=03WC3jKfxTBpJkI3O2JAOj6*SBcz5A>#Mwy*fOwCo4~XzItL z*gfl??JGQVof1$#vUjWYPsYXZE>0`2|{N9Sj+`3Ah9BM*&M`G$eGZAZAjSfYK^!Ba#f$~@ z3OBS3vG1yy2($yb>o|(B&3Vir{b&rm;X&(?W8-18QG(+vTR!NVJ$+=KN*b&?>4!Pz zwp>J8$p94?rr+~WfE@cA0~rnX0|Z7BsXBj}qq#{R6T}XjFgxWROxIlJOZB)-~(=>eZ_< zciwy)xICA7_3Da;M*?jJ&h7Uz$ntx$V9LYGkU3_?k00+}S&pCz$uj+4_i&^U4$OFB z8lqaYYIBw?TQ((Lym%3B-n{9Hba4!%cm2I~yz`sjrQM!x{L$X|Y3$J2tuq=t%{!mw z$8a>}+dPdOpNz|H=*JlQyRkD*e>dk9AHVtY_h3Rep2oj<8fSjnyR30Hc6`##__Mzo zH;(*#=a297Lm<;UjXmA$KLd99KOKPQ(@K>p)m^x7VO98d1D+s)-LRvWg_E)8DY0^D zpabxBZ(dBpThG}c{QYBrq?Lz70>!>L0CHlb-c4SDM2<%@$e4J|^BF|Pd9!z{STT*2 z=HV{V;v&Udq7+nk<(fpk4YwuzF>P{fx*CYd8OjNn<)mL4=Ffz`j|CjRsY{fG8#aQ! 
z6k+4jau2S$JLzuGi=3MQoR*}QMFYP;KrQ2#c&g?y6>l)5{4K@*LuauQ6u4?vmR zv%E0MZkQ((zeAk%umobsK}ubxLD9mQ_ACnx^T@g-b*Q7$(9xMT^vg8u?Sgi0^Y5j= z-!WO5_Vaff#{7FJ>CXATi2|GoFzm_Y`)}m*gWwV#;>egP)X<(>D>NLssSDAJwPC`N z^OsF;>9eCN>r@`Vq6PnD~U;84Zd zO%Q)z5RiGLf6~AhrbFN$6u7%sc8(!t&Y&OC2>6BqilHHjN<)rOayv0!_B5Pn!L)q5 zK@YAgKu?x!`yWej;YuT!vH6OEiKGL?m!Q8;#ECUT+|o!#k}A@>L_4MV(KU)!W;k0 z8`}fteG|r%kx!<{yb%Dg>d;#AF)n*~ky~w348wdk`!+vx|Fs1NV|mqyNpbHG$Q;)y z3`=oz?Hexo5!+8lh|x112kxVF#lvrwmu?Kp`XjeAISQT2!!$G6xt^k%rmQZbuej5I%T2ipbn$Fk9#{W_@ez>MSe_DI@u9A%^&yO}3be(Jq+HbIRA?0;q~ zG-IO~1GWBKjH4!Qrb$D8cEfT2`&A&AmqM}qQ&;KeUQK2C#*3)?aN1|sr%fE1f3z)B zuNo7j(hiMT>m1_=`w?kp^$&}C)r@gLjg9{KVLS+LwFy(VR)S_OB2De_^PBCO^+z=> z_V%N0XkU+TVE9e0*wS~>TJ*6JZot#t82-oaoFl%eTowD`$WpoTH+~F%ZZ-i7e`Vx}xDAe+r^$S56geDpY|HZY#HqZTqD{e| zad`T&HJ;#6CC{c-D3r-4@~$la>+Eqch1u(N!Q1?pG3fhw$<_QoF*ZssnQO4C-f%@K z zEyG;q`Lqd|dyBnWUrOI|oVIG>>j^%`)Ka7#5a$rsMFES&I!ZqYGI!|F7!GE6bA%cn zDnbQ$QE2||U`o*kq`O-q&byz~IN8AN?d*UjR&?0t`Ja8k^Fi1X*-K(dpN(l3b#vq; z-8n78IXYo4LyuO^Emj~L!Co)vA}c}>b@1s-&%iK%f(zcjs#FsL_%taJnL$R@B1)}= zzdJaZzSwHlzd_O+#d_WA6kW5<3U_64PrEeTo8S*Rm~x;?mYJME*?iglCi!jbUo331 zd1{8OWdT3H*gA(X)iB5ee*3|}%Cwguiug`rnOUUTucBr2Oe6r;sXj9)bnO>s&ir4V za!(YTpSwR&$11%1qJ@1JAt^1`RyoR99Hm1`-UNuN6>xBDrC zqwKJ9y}f!#!^>7%La9du-r1=Tc5kG*lkqM|v6=+?-hAL{*pwUq^;g6$oFH6DfS3Ni z8QX=p%b500sektkKi9poL;sX}gXWwDt&zU-vu{iaTiI`=;AIT=9XOvLRrsJvkZCo> zpj5%-&WPg?lG@JKwx(aJDZ_|Sl*D2!-Mh6<*gM7CXffXA zLeDiy?9A`JwePO_c=9gWp{`Fo%XKb0R~C*g2G?~tNdZD1p-TZ}pP?p%)jV+TL$~Nwu zXnuyYXFP?zEc@N>9Fer-8*)&a3g zrguVqEfpHC;9=Nki43l{=mAG#rp5xC!$EK}#2d1z2to%{u1Pzq>lSG&Jz6fM_pdF{ z|6;noOgcDT4PH20cjW<&gWdKWN47uI`8}hLB!uZ5B;{O?Gdhz!gI zSOzzPIPOr#nvq(stY_Ih76SFVg;U>_@or+FV8(&woJ0#B@IK7%jY$t0#4x_MlTeVgrGNUxBq*zkAO`yWdp_l{ zzh%DS`}iw8Z9kZDm^8V9nsk(nbWJULudUx_n#4j5QXK9|yi0(c899%8b1zFPhYtQ% z;0#J%@_VD;8Jmu43X1_hty z`^UW1XDgf8msk-WLJf88ge36#o5QxB;RB8rOGyFu{X`ZfWAt&3O>}-VWWtw+|$nw7q8<=iI9LWn;(f|D=PL6ZUX; z*uOH5Ai(J#6EG0=FXmazKntG;d%oq&1+=KU_en2wur8H8aF1Gjjn!7WQ!iJ@?Hosp 
zBTKg5>3j*2xs1V%I+it9`Fgf8JYzz)RF?Utif8LxnpAjIy6d9$qH86l86D>O%94C` z@@?qxot>qEgwG}tHMG3t#oNV%1WWcK`oSMmw!YAq*q;%arAI9b%o%d)?cNX$wUvo% zAt_|saaJ(skh#n4IG?NxhJ7kqfHsTYJ%MqtN&=Q0R;}+#0@O!7%5=WmrY7J439>AL zsed9v5^`1>lZTsmOfTb$ILwdSc5~0CtD>-3^rYXGYQ#RG6VjAS8YDVotw^8hd~tut zVl&P+aL5$2HaVQ`tb~kY=_a!plI#22XoSzCf9Xu%|7$x^uKwq?eQj*_e=PvT-wf&u zW8>QOIQ@_;5>rr4h>v`{^tnNoG)HN+ceH>UjbbKK$1_IClY9A*5Dw;fvMdgxZ*pJX zMs1iWIQTHUVjGBMyJXUc!bsLLoQoPLDQR@y=V@x0J-HPH4CNVIt`<_<2~%q82oJlvyYTfN z!gtyuL1-F4puZ@~$cecGCgwoLS?UOM)2Dg3a(Z$Olsz(idD91FUYk@Ror3$9hn~e2 zJpB+(-%Uq18HAg%{sV&lPe}NgUR3m_o)X0AWgiu!L*^x-}XFXTL@{(IC zDA(!hz5DVL1$h#xkQf~Od;fGVrPV5&CN}3upQc>m;VzTLkVHH%Fl0WK9EXC(A}e3| zS1!I^j^F)^BKYGbC^ifuNzQd5MUd^kyAvN36p;lxi9%b8fQJ6UzCv@XnQh7iUNM6bFzOw?^@beLZJNmi;P+>5%ZjOirO-o zIGzX(V$ktJArzgUBEY=W&6--ZIFiG1(s#Mm6rox0+Qve_^N7yCApAD#5u?UeAp#LJ2TJ zrui0;qB70leFZss19&>e)+d-;;<4zdwb^dcO+bZOOyVLWJeKya5x5E)Y3O3(97S@+ zo>LB4W~+^-%28Xir)@VHWL%n6nMZeWQwC2jtS{vHCkQ`SM&+kxqs#bq90w-^vkKU@ zvib=8Y4nuOfVNX!2aAFVFD&j}vooZZ0)a0Qx~wz_iVIKHSYI4Gx;%I~+qU1_8Z8AI z3jWXgYUqw~$G!CY0*`)a_$Dqvo0o}4umZE0|5W=ncH^7^{(sLVko6brhnAqA5LFEK?+mB>xmBz^T{pfb0=p zkYQY^bbWSgg5d5t`}X#V;IgyF{OGp^e;{)Q731O~EGd-8=~@7rbS(~deg8tQYqu8zU zN{PaLI=6Sg)p>F8|9-pvgR~itFG^z&R{aN@wj4>2-;$>hP0-i6dVicIN zM)OYoR}>U0-l7%YInF#((j`O57~-lf*vD&Iy$!YUQrjAK(@>e^tBo@LNW0~_(Kt9C zvzwPfsTM0Op1r~s; z?|r#Cng1S;RZT6Q$&1D8FB2XNz3kd9)Id}$cZhFYjrrea*NrC{xY@2icx=SdE3$CV z9_}6cgAFM)-Zj8ujqc#(fP$gbRpzs_4(y-Le>Iz86kg|EoRRv0d^jhAqX<{%J}mLg zrJDY95i5s+=e&r25zNBl4Bwgwww?mtWZ>%8>PC^{NM_*%eXqgG7^gNyY8W z%bJeS8k+ASky7rNp%An!>CbNpz6(7St^}34IYNG)3HpBaGgnmCF60ULH`LGdsPlf# zR${cT?{}M4IkdRH_4nsFhh;gMNMm6N z+|t^9z)>@-FS%qtKQA<`)`VmQN6w;|7f%{Vgyn8~M91tJ;}cr)EX37%dYIzx^D9p& z`mZD1$GIUBM?a$AW5|QD;*qbe6OJ}!Sa?Z8QGe=|IVZGrFmrs0o}g=A(S2-)x7hHw zvz zU-vG5F7Jykios*8LM7tX<73dQ(xVsfJWb}L#gGF9L}QQ&s=;>jzMR_ynMP7Q@E+YG zL93iS(4<7BvV{_uv^nI$Rm`dN_trREtPFpZ=EQ}HaL2y+J<|=*uqshVS^EZLnU5wW z7b_6$)D`xtkogO1*IQ(%^;3&0WedlF+wP@%U?0tQiYI1U^j-NpPMYO&*i}0jbalR+ 
z)$fneLb1)n)u!{|zsEdW5jX65#fdZ}Vf+PGiq2b;{ z8ofj)`t|)W=n}XojchB5PA1!(i@BsA#Tdr(+=gTwGxX-LCUS$yfI5fVKrrDZ$g(HRT%#^da`;fmV|%ZM-?ma)Bmza(c!^?V8-Wbg|ijR}1EbcHMG3uFUSq zkw~aRzK*J@1xb8*jTpm&sIab8eH^7Z70|*`FGc>n4Hujz4EG7k<4z|}q-`dAsJ8TP z8#_xn#_~+e9q#QTX&|Bj!m2^Hyfvea)f`7 zu^I~gXAS-_48nrPx)G<;1@UQy^`c!t-n;^d6reFfvQLy!10N(lCA9@PV{xH=f^Dkk zy3r5~RY7o4EI~v{zyYF9ore;wNuiUM9 z>3Uw2ox>xqSo?&Dh!ffbHr=s2dIKBfI0V1c6Gw8Y9kAhQeGnjYgmA*oz6$UuYq8As zPT`$m-&pE;nm3TfMaAaDmNc!M=y=!lYKOs8^~Tvs2HNoF6T^eWf1>|jsLYnsj$mxj>I;P6uDW7|okPvrgmBV|%N~PGdO=F1qrGx;x3`JnYuoOQCT~ojyQu><_bt^{|jf%0+qA^%LtOvlBIB zEN_@~VVmeOf-MS;yyRePq&z~R0V86H_*_XJ_Kk&Wv7WRo@ZLHE6%zC?_y>_0jyD~8 zY9OL)nsk}2^WAYMMtkZYs~SwdeA!n0(V3CB0zcY?B((wxP}FGSic6pAmi>KuQ9H=6 zIJDShEvE$BNJt2~mu_Y9rotNh8ZA;t4_+Qz@|Q4ax5(fWE#Yyab74Y?zboa0y|h@f z5PEuQpXcSfvrYSJgbQT^H)7wS8$=q%&##9(OsC++B%-@)1NRXAWEK;{T;rHFqE~Bu zY(#2$Wcz?hvTU*Nei>FMn>H(=Tp%eTv(jK~e%xpuKRl;erPo5iZej$6tM@qN@Aw4X z;55)OjI4Gp2t_6)6&OT`kd@mK|8TqKTFmaV$F*GRTB67650ih8)^kgs=m-+=eW-zU z!q6hzEr`XA&sko0Qxl&^cm&Nm_sM_pAE|VfmG8ogOBY6bB`$3MBloX5PhX`fJ z5I%Sbu8$!YLT_nsI(dDd*$62R<{Tta)X3XyACWpBy#b zoE45OdEZ1(^74MV$2Z!~yP_6rZ;H=<#|+oaO$~`A{-!%?%Tx!<;iKO72Qpc%G$k+M zOUL_aB20{{6=gZqxSA`l;y>UIq81a58t-$kq+C)a)^~(UQ2NFQ%yEMrxGqyK_Eyh^ z+S^=E7&5`tudja2GZQ1{DZ-_MF3mar|F-m93E4>kT&e0>rcxCNVbzvNTFCJJy~7p- zgFe1R&vT?ix}K6|3QF2}ZW@~yD=D%mU{To(TX1<=61Kk77aoZ(Y5qIXKlqFjFaQ1 zL%2`*<>O0a7^Uvcl0m0O(rY0ywQ08r0z6gHaW4OM+kmShPeq(&qp>Xf9iK0bgkACq zCllp(I^em{&(^3SiqR7qHaAP>^25GiK&;KG_u>nTtm(DNvAPL>0hz{T?|1eb_GU^1 z{I&&p9bP*8?+-~8!h2|hai2%hDP&k3PQq@jOza^rG+gKGDja*mj7`;snyrl|d>Sf+ z6NR_ZE0MryF%`>k`hm`>Xa#-%2L3F&{L(bQXL1;$Xl}Ul0|2GYJf)4tacm6<&U`HW z5sNcAjOs>~exfZ#jZOA=o&B6sFc1&6V0>&0Z^}(V!6{F2M=_q-(OF@r@Y{5hYWu=x z=Grrr{KscxuiB#}9md+*Pl)JnY+JKwoL4)GX=ZD667fv#l4v#NrzVi5t{cL7wfuo! 
zXq!_uBJgL+RTG3UhsQiu6CNf?!Jn2_FD;~OyWp^V_yOniO{-CX zS%lXV<8+0p&)=Fs!qV{rFY)JGJtsb&msl>Q9PQ#N0ZOCN=ofE`MioQ{CR=c>H^ zYw1X`9?WxDg1{%~pgZ~4x3h^qD){z)fArlAd;SvLH6si}E3*#_+*c$OZ%H3MwN2@N zel#7?xL~w?K88PSE4(Zpm^1sj2&6Xc#Ja-X5giJgqyBz1kGw>>RQnxteqS$$fIkX4 zNaE;tnJ#aFwyz}w)Kv!sG+~}Y<9p_-tv|6it4fGPYS5g=W8Ji`Wvi1n0*^VHLn1I` zo>AsjyZo|HvmZ-ftL<&E6CqYp4flgvU!lVevTr!V=;gjO&%WI3QpJS7s{3(jHL5dJ z0)}!n!%ZferERUvU47e|CXO(QKhMx28A=C8FG}v3-_E4y@W4mPKa=@E?^d`WB8qtq z(8kGG-#c`q%Om+9gS)QrLjKlezkWo05)ghWXsXcVQh;W_$+mKVtlsHNxpJ%>TL!Dl zE5Bsm!fkYQh4($Rp((_>0V$|}r~~)`WmV$vrm}})9im{ebu!I)sxy?H@W?{7x6G8$0I1xA6(>{-ETA1 zhF&xwe{9~mJ8(+qt8dM+E4WRI%vW%CM2o+$r~>oY743Ap@V%GlCR))Jo$NBm67+=q zRmR$$=)_iQWaXkUi071u*C_q`tC+)83x@&+6dJPNb?yyD<_=RaV=4c1)lU^9A!xO2 zB*IpdK;`(OwldngIA|~5gQ?i?)1SGP;aCfqmM^p5NN_t{sbba&&9Cro_w+kX3fGUWn5Yr9xZFdV(bX*mgTOkuXwc=v2A zg0C3^q6Mx&?ZF_QFFF4;2_B3lpl|D*k(KDGT5045!T2|5!b3f!pd;+TbvI(+sF}@& z%}tB-D5BR(OEllWjl-}vg|$1+)|pf{d9M|M{{fZw;Ie5+M9(dRUNme6~KvyBZ5qS94f=q3{vE*(fyp}KiOwUlOjhZP>j=R+1l zE*_F_K)@jf0Tn=`r|w+xd}zZHxmx;1v-h*2-;pC&MeJOp&tmbN#CHm3HjKotTl_V% zH<}rYO$XyHF0pbYE03=HZj^&e$HbJB_2pg4X^Z*-KeX3 zTNo7=j@*gj+)j%|#Hp4oswq_s>0{V$>__ko<}_Z!+NKsHwBO|4^O=1S44-*a?a+Xm zLgcy(6e|cTo z>@fUE0v*>St0GlEu}WW%vSW}1Cig+~C`o}fJfR52Do$yTX}#KLZ+@#wIuky;NIt1` zlpS}2vrG?u+Uu?#=0jC8x&4K!VK~kr+*v9{_oZkwhs!VL?-MtOIy&A+(T*-)ZQ}2v z&TyE4WMWq1?6{t@L|{lZZ?l}32CO)|wn_hQ<}bCEGzWaPbJPJ$NM=qcp(<_K7&2)r z!NlMusZcljQtxdGkI9F()^MQUD+ZVfE5L5i@%Pv6cBx5Hm-bI~E#9~JH^gmfT`7~q zlyCxHVr%8@=)r@xwk06d!l{qZnVdS|RIFvt@*r=$&u}l#C72{}<2YxQw#t4Cw zXb7+Zj&OEUnD;DQZIZt7M^wTKHNz+iKo33z@2s`phTq$($t7X=_;TTPtaqa7ZxGc! zJ>SMK_)*7X=ss}<<^C5!fP%*=xZ^gui>!H#`KG$q2-2;hR18pj{Y@c~f0__+e6U_Q z3&|knaCu{qN#H99}eXLbHljo%<*KRVd;^WNy;M&EYkP z4tdp-*-S$fokH@4cQ{%Boa3M2tbSUN)~X1Deqfmu{y^eGNk0C@Xbf4v51J+4DCAk? 
zEK|$gSDY`;J*314i-$C-oKK2=<_E6%jWULtfM(m56cFeaCU!fPui1gY_buu#awli1 z*K#ec*2;TnE6C59G@St{$JCE`jJumGD<`UMSYE~#Y_Nvn5-|+75=bpvJ(Q3SF zD65*h%SCLNeE_U{gczYW+Jd1rj6c4-p{kCSf>Yz_L#G#x|5=7PG0cyF4|Qt81(Gt{ zuG&*e{&CI{yd2sG(u_UD9?LpCmk#7Az9mnP!8vw+>atJ4yF*Q5}mgZ~8xk#Nc*0V>a zFial|iE%^GW@mha5Os>3+>i}?W~5HGk} zzA3dpIaV3}Ae@W&2)J3m6D+QP0+qC4RXh#^v%R8r>kMX;j4dcDvGXB2(a}R0)$COz zra4XPUky`u-lwv$JVsEd>fZVpd7g+`BX3kkU!WxP%>DI#Zch53OFQ{a^z0-5)EKB< zei3w6yhIbkS-c&j^o||zMx%v`1;0XS<*k*QObG}-_?c?`Svy+aqI8u27&3{pEm55# zg39vO{Fmi~fSSc@+Wm26?q7oYSHT~8yLN^kVAM9}w3?h4GHSKUn-3h-4t?OhEp{*FW zfatU3%)c<}UzpOdcq>n5Jj>jA{^;t_4g}ZW-O__K@YPiEK#oWUGSivkWS?X7W~7 zUNC5$My;@Dvi(m?T$9u0NMXR2TU||B{O{6XiZI1*CjRm&MfcnevJmWowNVWx8@=rA z&>1rB=NP;&+xgzF(ruc!wp~jNRd&c7-$Adt8{CN=t9LA8dQ}!u9vHG?!riiephpvD zrcC?qc!b~TdTrtq+%vbJouWM8Fk#878*>8syCpvs==z+&QD)E%I&|TO__ak<`9zhyirdn!0{6B1aTZ_ zq~~z2E61{bu~V+p(Z}tL$^T*Yi2(4kmzV|*kSZ7YiZ0RQK)XzqlqYP62+?X;m|Id?M*A%ocph{1?_lYAZ8edNUx1MfuW`{*g6ie3)z zjI4+0&cDRDI2Bi)~#MR(1evwD_OKD5AOY6`$ANazoR7s`vAn z!zl@Fr?0>W+5$ty!)_vqs|3D~$h{n09Pv$<(lWJ$tHGj-QGA={>5Iwdv{0c`{?9>r zE*hlEKMbnmDd$b~*K`~KQe4E~0?7PZQsVvQQAT;UqH^+DiDe~MdOG^+W*!53a=ni% zR-$iWc7d=%NCmIC$kTu$5y}i`qNT3R07($fUh5oJdryARCm= zq0uB2*arSf$Q*i@Q-#rifb4G~T2~*l zq`1xxuRx&lEbP>Bn?iFCpY#>**vmT`%AwhZ-Tx61A}no0j@dbQchu@E}7vMD`4N3wsr;~s9(~Du;alUJUVM3evQBa(k zViJoN8jPfW&4w#IXc?|jYhT;wz{x&mZWR|`YKt++Iz>IK;%j*zX)<_oRXpm5G|$JN zs_MIA6R}f8Y*)Ydf@n*+8?RHj3LJWxIUORXIE9->pgUbXE3EsDk1b)!D5|yiYPz?s zG__Vb%)7Bx2!$!tVk2bXx!n>bj6TjGHs43?SbbU1<6M#Z6wdPHin}}v&phY=0f>;G zFLb?=(sR>GEY-;kVZk51o69jWEkzo4<*bkKZ~gM?1_7}3I-Zh5Sk2*NR({?}a!@4y zmLB&2r(&5y@lnQUC1V7`C+p~Y$meJzNsSyRNXl{GO?hrf@06W=8LS&n{>z#I3Z@$$xu7RxVpX=B`z$YhvVz(k)3s3dL%FVv$Jh<6FKq z3KTBTdunNl{JeIV(wgux9^5?;50f?o%JnVvS5O#MjcgmBjdD9LwT3_RL{Qtg>`lSg z?V8NCog4dFZmm*;M4XeFFMIZ7MMmJzeVc0YVHmu|dft7pL5EV|z&1`0-0H7AONQ!2_C)$`0_sz$9smsd%*6hnaT@IFB*{WQ*go^I6YRpwI< z2*A=t75o15w!qf+FSABSXGbyTBHr4y zBkR>p*i!sADxzW1v+t)lJWU!u;WhyvPv8|2{aJi}aDgA~?qIZ-v_(i`1!foqQy&K( 
zff}W6Ti15x2Xa`kCd(yD``^s)(&2Vj!<@qq5vEe4@dtMt{^(w!d6Q0}cZ{D}1#b+9 zx9#)NzUYcRoM1*6ivH@X34AQG=#g13PU{Wed2rBF!C*s!?3hJM^0408HSzYfJHe)~ zy2Nqo4%T5rO1qwc0nrt>!>qn?Xa387di|-!3Y_PMoGTT$Fq`qE!>od=EwiY!O1(@>gM4Z=2YjJ zJ{Q&~qyeOn6^`iDw$3>$O&_+4o8+_N>>BcWAdGW;kIp^Y^mVXxa+dyZmRMR;`3F&O zmXG+#hARzXyfP-4(U1;zLB!)&f$39QWa&lUrNr!_H5RL7De)U7Qy%pcNH+lz;xu4} zILhZgDe08(TDUsGo6zXt#3XVe-jHiFS6@bjkzKnvN504#7}&Csu%u4^V1$&U&IR`Y zzV)4@R{7|u1~)Ue~aAiFggY7TmMzbDrYavecvG zx_G^uKDuhEPHedm9Ppgt?jI4=M5eQ54K7UWqmSJe5+I-!aL6d98mE}b#{N&zmnEeh z9eUF-e?7P@7Z}kM@)`H7%p%Q<%f@M`r|u0u?Vm1~kFeGvB0sgQNqgd3=^FA! z6}_Q%M8+B;fc{d->D6`T-(yo%HC!gVXWgd#tG%$3mX0QTWln^{lUi!Prx$j z^ZS%OnzV&A1zJomysN!%>eg3iw@hT?i#JC5m_x!|B1UU0*vX!EGe|jQHuPS`aDRj; zvQq{K?RAz>RH3U*#ip&H>ZF5C=sn@0wpY^d7>$g{qEhHZ{NC8mMhjfc0ZIvKdV*d4J= zdnS{|z~v>V@PWZSUOCt^)_a$l1;mNB<2pFZ4Td`lv?A)SmMHVBf3!~WXE>D!-OkbP zdyfZRO)6QJg2vxK`rirByrliS!o5Ga&2IrDo%|U*GkJA!edvGQ0N>5e*xJRiLy3=^ zM0dMP?TkYt5gesIBlhS9ezE_LNVnpXh$SzomC5IO+Bz8IJp71H^f@b`WEgd8G7Q?X zA}|z~f3~0*_KDNRyZQ&_%W+@KUrFV0xz#fY1_gn}IJi|k5uP(# zRRtuvybQw(^wrVV_5Q+wCfrPWLL}D)@U4keKuME$_aGAg}j79Ys>~Q8~o%3p8Opp{|+S zep|LV=78%B`4A?*Xkj>XXe`=OOji~7>Y-Bf-8_iw1Pa{%8YRS1KYk5R1K!WE6{mO=RiNS;&BI;^t1Nu^IZUZq4`^_rju`D93-`^_cI5p z^)QluOsOS^2X~)yt+8A+RR$5lEg*(?9Jk70$ui0Ca<-3B_KUOLj1NM1Ob8d70TtY4 z-7~Z!x8VT{`S`yl{J5(`Ld4dsN`0kZ!@y!OhqmAp82{jiwaR4e&5u^t^5$V~Jdb=z zs5`A5MnyKbfMRp4fB<(w&|cLQm%E~t*LH(s_Lqsl0Jr84`=6M?z_xWHCwcg%~&iyUM8xy0XR<{yyfejL?8 zi+ao+tK#QZ++7;iPY`{cIeqx|DDIEAip|0Y4)fKtdu`Og!KJfTrZ&frNtrDhF5C?? 
zMyTQPMdM>PF>S7i-YS;#-Ff-d;WSM}$5)9>;<7#XcCFseAYpI4Z6jg9E&7~bvkWpq zCEw+L*(SFeGBZ~Nu``=zy83j%B9KPfkJS`&6`q&79*31NhSKLv>3bOV;F;!8FUXxb z?d5Zm!r{9sCjnV1uR1p`&BwZlUd$exTc=#Uq(Q}9x0u(ebM$${M%4-YRcXn*G%qyN zVcz4hT|!Qe5iQLrrwPPFeJk8vbE2uYH5Ny%rQ;G+ukU9Dl^STZ4p_dtcRpC^ceUkmaceJZYA#4yN$k0*}$@K-u@f$ zhi*CAx1}e+hfgetR9k8IuCET4lZ1Se0R<=fl#02`t?7eW?``d<4iQVPLi;fDR@9kE{&NGTosogOu)0gw5NG6B zrC+-~>(YCPyuc9Jb!|f*vral%qu#WMad03}(^ufr%hg|=l_nk$P6T69h z+`(s`ldED#L615t+XYPdB==rSh9S2_LlCDu&%Adp`aOKg2=n?A)kd8H$l3G6I zzRod3sDyN#y&Vuebkimf8}Ni3wR-G^hb?;6aJgS%GmX+K7D|GjbUXkb<`?xmU5$N$ z$X+jt#PtGYQX58|nmhpe*B^ED;Pl~!^HUK-39sG>KIt@D2&}OGj}J7F|BvAGTf;%e z^;CxEZ|btwkMdpXl=$+J(l>$r-`whYCRZrXeVCu%IuY;FyAzswPMkCQ^iJZ|72uI- zxi9SIT{%2E&FQ~(3j%6|ZnqTtuiX++uT&I0_{iq+bgD<8%J7fd$0N(tF+%!!Q>0_D zPGPJ8o!a$i;}(l9-^%Pialu z#y8GJXWys&572P`oapnvq5r{OnRiVFfV7Dp_LteYRalWF2F*S1_kH~&BOs#=?xYQ> zCtcHfKITqGSGbZ<(;&s}D=E6TA`?z~!$5OD~SO6|130MpH?{wJS`P z!MA^8f|})^MZANN!ekm;8VM_$ z6>16zcn)$0FV)SP4|=b+RDFFKeKry23P-m&JWvG;^k{AfI?}FA9Zv?#EBtp>z>#T+ zT?eAJ`7!i{5cWI<3yn!;R*s3wtwc$sVrblDz0Hp43@;F%CwB?rCX(}a9rGs?UE?5s zBGs7XfUT7zO98KBzTx8x7St{f1G-m6P=5Y>F{ah%&7ezPzxA0CcKQ8@AnNBHu1;5C z^*~i>Fl-w-x-<$xhrQnWa+q?aAYPY4`SKa7B|MO868szHL4$&vy_>I;pYq+GO}gqc zB(n^IDzm$BS1^bZcXKdTI7OMid`CqGv5FWQNYiBr!U&7Mc^eHflJ@X^1}3Vv%^$a- zzTMwAQ_zV~XMX&mtzkq>RoX}2ly%rpTX=lM6vcZaerlUK*`@^m^+AlEJagj{^9l_x zS;-2}!{p-=4LO`Z58kKlx@Ti8;VD?-Xh`l zT`(KQ0?j8xHW?>u#oXGO1srJOR50Wm0R%L#23y4;F%Kzmd7bk-H>rr|FgPa^ze0G& zp0qHl(ulGtN|rN!#%HlroGr@%UxPd`hc=bHcvk{F`Er9;x&rfJBD6!@ypYP{nd5l; zoaTjXOUVYT_x>3)EfR*S3_aP%>NKJr${w7uIoS~=h0fv;e#zjp{-ENX7d^dVQ8q;t z--#Sm?Cx_aIrD9N60UCBN%sQ92Gcr+0sqMH7xGz~b0vn_rNTu{TVA^PftBRtE7WPJ zBg$JpOQRlzA{O1#ENE;bg{k&q4kJnJ7^lWRFie8{tW@haV!@G{$ zH^Y?PzAqVJ90?V)f1_UY(c=mj>vSTtz>Qjh*~BCxNqru^4Wvaiy9-B!D&JsOw zQ`pWrE>pO3AT~4RA9GaMck1HN(=t=}951Y83zG) z$fKkpZ;do+h;%2g?BtlvLLtX_yhp+D!)w#UK2ZM-YJ9TLA)$MN6dx{{NiWa0yvo)Y zbz!sYM~|+}!L>dRLW+n8J{pGoxvb8USwkOGa_l=fa=jMMdf~WK;ptbTzBgnmUj#|X zy>EJt-ADF%0g)oJ2S;QZ#)X<|xD-d7TsQd!ajTRZ#o-^ck%40*zzh_DVno 
zKC*blsOM-1HU867!hORI$xxyqHj_<+-6PKtp=3;li>}Kx)gybRq>PHt_X;Uff2CT50UsPDScm-{&4_*pzud;~uKWBvBp8)^ z=hHj*BBgJ8)H56}3}M%bQUq#P&Hd$bT6}M>(R9OcsgSSW1RxqqdkcddP*hVgT^LMs zi10CdcO$Y)+fmPxNThp7EMR!IBZ^f92(@vU-B%6!yyY1)`0jIr=eUkTelX1h^eqrJ zg`+)^hU*bKpgQ?&RZB)nhf`MzJII@e)@E}st1}*R7*T8NLqG$PMyk(9O~qMsHa#8;jo3wAL z;?<*wez%jdMZv|5SoVaql2pb1n!+Cth_hBny~95&i=>*E~wlY=X`18CUAVd*#)z;S(dne zJ$$tB3cwZ&7ge{v?Zdhsqv&mrO2`~Xq_w<=Lld`mIH0)TUnZ%JnIBn;`$#-s2YY8PC3lER3) zcspVbZoT7CAd|nfQDtxVV!Z+bPlG-mTjNI!l7D%Ig1$bK*ndG6!PwW_rhBHQm6^&f zN~*IyrXV1`9?0n0FmCjYF47vLY8vECHb8J6I!jTXiz@VxRuU==^AwaG<~X79 z5j~{K=c=&i^(sFc$8EGZ9@8R$j)m-lcf3R|-hpH*diDo-U%-b3ahS;I$59@B4- z;M%cTBBWuE@)+{#!YZ$i)G6*}!eU4U>l2ofsb%Xa7Bd>Ng|^`|J~66Uv;&0H>mn8c&AB5eOlaP63H!s4=Qpp<{_S>;<)R}SHPyXajI zza&cH`DT+3hsHq{H^=eZUn`MYY-Hb3sV~p%+b@rcni*&dGoeH2j(32hE<chdY4*n@O;!=MP=OIL7?AjGmaFyk(|JG}4T}f+{iM3XYNNA|#_D85f(n%Su&%MKY zlA+rr`#2$?8=2zorLf_2WR2JLqI|K20;FMd*9wiBF)P)reesyXhaaj?yX=tI%x?bY zCY=Pz?8be2$v)FCU8o@g{JFJ3Yoi=(H&hWM(mV?lSi`1hCH7uTc}7s4LqbAYy0WQx9~bf^@ZjO~21Qw6Wj{wT z8n$hG%6obzs*2`8KK?%*Bn1K)`UOly+ng1UdWcA~Rn1qdspfb2GfYO=XV9k+4;Joo z_^iT+Uc&tNqcDph2}qX+dwB{z%^hV()%Hvd5qLsHqxqyU!>p}IEcohbptziGj?y>M zE#<;11?zE;=Bd~WQFC9@GH7Pt8*bus*xe&m`M0#r#MMQG@CT789{u1}TwJXSoB5{6 zGt1YM8H;r&`3x`dN!$&m?U^0@9-%N<^VP4mg@oMuN&SG6I@P*>7tC*_e8lviy)WP9 z+k-QRSzMmcJ_QL`lR(-gvWPyt6S*qG z94lILC!SbbjBpO2fBo?tp}+Lg-`_vse|Y`jsr08eFFqOP{Q2#V|EBa!=66i=V_A>K zspnfQ&D)E?TCE}-`fk^M7tDrm`_C%; zE*)rfo?~FXjdZ9tjjEY+uO3Edk7~Hu{HIk(*BVb5zjj%tI5;_Dq^_?(0nP z%w(@|IK$`nBqJUZ&->mGmsS6CHyPTuvlVgbrQ-sy{oR%#OxTaGtW`Sg#7P_EImUy{ z-xvw@MvT8&ewJ@iSMzay{VG|sN!2iM=Klc6KsLYPl_ypcc`<+2vHo$OO-i8j&LX81 zgu?k}=tGx49yw2Pj&M`Db+-H{8`Av#JMAFH)|0@=Kjpx3?7hk88OQ#nTKO?>a1!Q? 
z5@oAfw9b82F4K~p?MX8yyyu_aF^u^UWc=y-Wx9R4DGsbs?Rf>dy^m0q*6o8DhV-5Z zFw5JU6PTy98T*g6p)*$556L6LGi1r7G9_=62cJ*O8(mqQmF=Hn7|wb0H#`Se}) zL$`^qUn5tYS0ORWTl+oc9kyYVc~74o9_^(+@vOQKQ4cGFmEpbibB-h2tHZs`8#ca4 z$7may>W93{&v(qirOHDKzogX1;dHb^dJX-7bVfssQ7c2oJ+J66{>H zYBkRENGCgX?v#ufJWa?kufsO?nKQC^^A_}(IEdS&8laTPmS4AG2kSW%57+jT@r4T) z_-yZ4sT z;^=qpE&h+L(WPNoK_ICg@U)EmOohtOXc)))>$w}Dar5B4`I*)&-@Ugojn@3U#^9g` zyQmW2faXN45o^By06+jqL_t*2;j#8ow^4I>e#jVXCHqpkb$eRcwrejLvgVcid9%yL zt$Sq2{5dik6VY>h21%*XMI|Xf(gyYGYo?t#JSz2?w2<*{y)B>hkU-MM$4T)MX>T=Qv2JvsCiq*euHpLp|4V?+A6?k``kaCZzBdZ@Sruy06Eci1-u!c%y9jsl zbVvfX7Vlk|S0KuJsgKAzRN16-%d(V~r}`b<+;I1vbpHG`-d{HS{AbR~!}CW;?<^W! z9u36NJp8;le#SHZ0H3(m#c4$0fpDe60u^jf8<$&s$4p;|?UzTP#S;&wf+r`1f*O`4 zDBp4MuVI1iW3yJvhvXy7K2DyV#)yo|~%k6}S+e0fG~3oG2q&CQE_f(OwI zdh;^{d}ywMTBL6N#)Dnm^cF^XOQTog$q6T|OJ`~A8YFK^&on_Y;d~WbpQ!b<93!v( za*bC~xc8RAr4KIOqX>%k)zQn-8*|=$Fux3=h9b8qk9hZMfNb0n&aKVC+FvX;YD%V# zbVft4t!&kLau4iC(z*OaQhRqAhj%KrJxxx$IBq7^DRCk|P_G@`a<7+{AoX@hz8WNsz;`;6;%?_EY*zAZddnDHD`52sH4G=906pKU_`nA)8A zij+Y6djOf%6NT9Ik9e{8Tj6ST-o0m!6fRa$O5mIhx{Mh!==BQv$ii=y2oGe+o@bl}| ztEJj+w1mwMt}qo!C5K#>F0! 
z1@pfMOd7H9P^K$WrnK6TvdPf+@KS|;!xFeXCBSh&jn0+$AaD*}MDyjyAt{q5)5XAf z`1j(4V9|HqOF_J3WY0`{Ox~B+TTWW`l(^+87OqfO0$~aKe@lS#CV_}lX)@x4(c5Nv z%g&|$-@^Wnluw{7C2Vr?<05TZ+QR%l!v24jO#)_d@X>*C|0f)`;nQ(E->75T6YTpZ zcwo6a(VmA3QS0*0@NuL3Mn^}`j_&W4`A@e=bo|~d;Sm5&gr;BQM~j<_3!A zxw2)Y{Uhz9PF);`*Yybn0h1?BF0t|K?9=NRHDR}J{{ea6fyPpxKmmzQa}dyuO#zzk zSFV&402jF}J^}3XE?>SJic*EW4+;@DfYr;^|Ah(_l!`Eqmnl<5nKo^@lmLbh!DS#gH9-+4~~*ApjBNZveouoHEr z^nbpe3>Yv##*LpKef#v*{H%`L$x4mRlF%qEQKFc9vt)(zf1#hGO`A3f*lqmY>Q@ES zV#MGjx=GZ+4G(lzY?>TtIicIViHvmov&r7QCk^Q>Z}*;YbXJa~XPD9R-tVG~^8=oi zF*D%3CA6y>?=K{j-{_g1_pYB{r-l2|8Xd!VZ{@pmZn#Syp!vHGfIvpK@J*sb2?MpW z$$%4&>$pfD&}q)-=y%gwJg=dQ6dTa#rgzhX@52(fT_r%UlP?t2%9RZgK^%N3O$M#% ztat%fhy%npt}^1Gd~1)PP}6;oSi+vL1i}&sOW;pSfb%A|;nH!zWs9yqol!W!Eh2&7 z{&0&_>OWD9e*$Q#~6>fb`l`=(u1?F$#gID?qrc%*r-rRZ8q)B6?{ph2Q0jM@n@G>V9 zKxjL(lpdBGTTY!iB{gbPmzGe%+P!;^q)nGrMvfS!nw?v>ZPWBQvggopN`mLU1BOYj zXP?oJoi$H&*ryS%Z95H zmcY#;f$;ms&C?b)11I7Ba5J>Rt-(XMFWnmLc)QlZ`fv7Z*`!C0Zql}G8yPxm7);$g zhQo`#*RAR$unyth6Hh)axpUoSv^Z_Y#_f9=fs8GRza!>CYZ5us>ru;?&Z zSOT}T1Z?c=+`Ct|u~Qf>*hxQW_{Z?ncqvGnAffC(bXcHmw)>T!+7$il_J zmtr~#S5NpSEP;PX0`?NY?7agmB0v89OGRq7ZdvT>bT%ibM}PRiBUE@K#f{(nlX?A# zQdt4~MQ6Y5#&Zf&UQYti_o3^hiW+D0u3j09=g(hp$`9L}>HlILf2CZe`KM%Yz48O~ zgJ#qXJII40-5uwDB_B^a@_#c=-EiIh1;YPDJEFI+MXt;Jzbfw#ed4;z{6XaZMrMD& zgcJR*@Dm|37UPa3r`YiAUz7mBK(mFK655$nDp!`_!-itpdNAfhfRU%2AHsU%H<+eK z1f`6aFcU#%ZNhxAW=W&@F+C44N(ef?vk}O{lFO7SqtPc%oRl};nkaqyJud_LzkswC z<+Hh8!RD{WN2gAY;WYQ5k}FpZnKE{SrZK*I_wFf)6D9H&6X1(rEdN}0JKF7Z>(6^@ zH($6lj|E?Uvh=828cWY>C`VfUMHg@BnKn8a#)Wc0^!_Kc%Vem;e>Tj`FQ{N-jvLV%$p3>YOHZ zYOU7GFOSk~E4IbvR;p{bE;pY9+!u+s@w^j%ZIKo|w*W4D3jp?GZjbZ+ypI&u%f~H? 
z=3Zz|&R&BoT@2cp!;AUf*>-pRygZ)$_0%yL0aAJOa;4-^M;ET(rpm&T0qyJY6yv|+ zy!uD-z&i2IWbNk7cCk9U;eX~nxGlXljrz*^XL9`aXgxW^zydC|{%PC!iu1xE<>!kI z^2Ux6TX+~soQP|%EW9>lf>5&e!aX34{h95~yh1sDo4RR{xdP-~88)VFtQ{y1mQ8t( zcegKiWrpJB&xJ8hf4>fvQ!uZ}19+h<$eY(580{hQxe-oi+J^1)zjUtbtgfNT_daYy z_BA(MDEg>jHnzP3bzFIo*2=cNK^dxieHn!+*Gp@>c}q^(^0fBwWfAcHoAPF#Fmqp= zV?yyAU?kd`8ciuc1jKhJreSFg7 zDR>^lm0o@N%CO-hL}@y9)p0Ms>Wew4;dn#m`h%$Bz%PSP#)9Z`P4f(6u+-s=-4%NJjKDMN-1lLLFV1Mu_| zBdBHi&DUSbn-j)K#flY~rP>>g4u_>n zlRAxF`}XZ8A5Q%!kiQ1rMn9B|$;Vf14vNUZ8+q@Bxk>!=ZXEBK&OgvBFMqhDWxUZ? znEx6oZBSS+#2uOuf2MxFF%gt;1QFvH?vJD2;vz_cXc%Yt+STan>V~`b79YNbB@mWC zSOPb-1o(jA*HQo1#^{*lR(1lUx02HrTvUkLR93HE1N%YSZ>8#m>vEGzz}8kAi{CB& zO44P@CYiJ6!AZWJJvN5x3yiZEiV*{VQ2aY^-~kRgfg{aTY_;+nPgA}FfJ9up#QYv~ z3OES4dQ*BUD@%?%vTx@$J>55P(iD1XF&A?@{NnP(3v%hwMTr+L0W_cE>fr#9uSOBY zUFSl+Lgf`3d65^Mkj!#oMu0<>)s@SabWuq#;L7F80G~YY!Qy$PEzI9>SOE{sU^(h= zB}jYa3g##T#lr!Idv|Wd->*`lY*k&jdb^wauY_LmP`{iXu3WwdeqseQPYfX7f{L;x zC}NHv+tsT+xm)B7T>Wk7CE+4Fviuv!=6^;);EnP=e&nFGSrYUizc#Jgp4VfHi~db( zSIP1Pvn5UXEK;S;gPN!ITZ{tj*XTPu8JlfFdId9_Oc}?1fA;iANB#qc2wC6a_(Pu}*g-zLaS+^(m_Pf%xihEa;)QdPG(~C!CfUyk zgkQaOIZ9vG0{_Ghd1wC%?$_+29RC~###3aUA^jE9?E=R0Rqzr&K_aaK$L7Ak_^9HI z57w7;jmEK#YgaAT)5Uo*IP3LqI+jOp;_8))DogU_jeWeg;GmvJ$9e5Hxq<^r*e9ql z6-XCE7n#C;N7?Flj>UQB658;*$|ODxKw-OcuDZf`2XvGW`(NZ-b`5?{Zq~naUSnUO zOyRt_jPnISP7hpT8QQNoUq{d>am3HRC2y@O_&9g=w46F|RMKV426;muYUiXz?PRg z=NdZZLq5-+KO<*O9+yOklSzU^i8YKoyZmVa-;X`ZIA{9X+Iz-uZVCN?#+TJC>*Y!1 z$BrKdVEB!s!~sN$7cY^rI1!y)u1VvDIEZM4%mW2V~nWPr6*_Uzf^q2^81HYg82`t;K|QlUb5T@yXpzP+SR zmky_@uZR86no_Cay^=j!R?RPI(xkF#)oPtndAd7!pl!~NroJx=7k(r27c7)?>Czxg z#XwnBCT)dYx$He_a^=b?D_8y?n>KBdv}w}lT%ZNqW;JPCSg28a1oJT#7k<#Lej=dq$Uh`50%&FAH9hMX-wI= z@h5ra;rrymxij92J_;bH@WSIwWaE$DfhLx`(yxPjzi2KNr99Ett4A!{|FGmssZ}_E z=1)Htzyugh9zP;ax2P;%&Uzc^MRslbMS8cdrQiqoM;3u`&HStmteMKlstAyU!5PS~*M`R0f&BE2b^> z*$)Vo4ei-hdOunRfA^z3>r1;@1!OnsL4Hg#B{H8#dE0yy8OIVsJL8FI{+Qltc%!p4 
z?3Y`A`3e24vUF}#O4?M*B`@`81)zaoq%L3-L}b6D9OJ}|Y(sLzdead!V_qkY9guP_98Pfxo$UkL#9w1K-^t)}~oib(lAt2wWb08?~EBB-C9+Z=TPUqo$AZO)$?kf zrObc%`3K0b3EJpx>4&zcQ6R2t`gtXQPf@;fd;nn5dB`ajLLpPip2q|H2>Wv8+p^?~ z8QM;fyhX|)(5?|_t$v}d%0K9=zi56=nFI&F`{pxkk6qh0NrHs2bdKcM?{eJKC#9 zYaA-lwuT(sw+sC%ro8>?3(~V)O?k0vb9t;@F`4`ETl!Imvg6off8t!hIb-$m1(*lC zxtl=Sn1N4fT}VS2aZc^=a5XuD`I~*0e1(!7=Q5MG$GWw%8PS^)nE*-}z<;Stxp>8o5@MJTc8@jcu zEZ=`KSNkjZTeIRD>H1)K>E61EG$@ryzW($B?YrEP{4T~y_g2;9d5r7FkjJD~`bK;p zSt+fm=28Hd?a98iW6OGN%cGdn>E=$GC=H7x(dS~zidkgRsORPQ(L)N5Sv!!=CxYn&(N%!vE^w6Y=06fzJRAoB45+#c3 zsq$`q1ZfFq4tZ&ibbazkDN>|}(z-uI5q6gzg5-tro`)b+u3Sm`g-d(e+(V|2t0&l~ zmG)jhBE$WD??nouA0*MmMW&9tBQ5`;E7vIfdAff0-stTb6vwv)zazmP74D`nT0eMd z73Y<4MrRCIJo7Rd-qRV4@nU{2*88>m=yUIl=64LjQ0Xi_d<{z=EP=2D{@*0PXA55p zk|#+jdk-Ge)7Tm2pSCRQH^d#pR*aH`3jV+G{BIX*U;<^}m&3nZb~yjrO#;~ZiUnT` zfz}W-V7T}zcV9!*BGK1A{BV)9Y~CjTe+o#}ocRDGU4lkQJlV5jKR~^T^2w^>5V1b%$J{wl@Oe#)Ebeumoy@a!yf= zM~oqYPNDK5AjUdUD`x$g@z&fv7JXab$+*SG6y>+9MEO%ezTbYK6T#nGX zSv2=!Y4+$dI$rt4_1&V+0p@%sm1;epWl$?8Pl1vUkq35x&;yEr8ky!B%cMpu9W?~$ zVnK8C=%Ir$`03{Ar^Xk7rlW_BNT0{*Nb!5BN_uGG53mK-Q}yw54DQ!fF>(tuz2oA(sTH`a%YiJo=icTDqSX} zWk2DzIxYe^U;XymRV>WopczmGG%aIBl;LR{ku&c#ROfN^dUG559{Us9i(tYvXg%4B ztSuNla&NKD1w6H;u3ovS^^A)TU+2%Cmlpv#)_kD7RI2>|7V>8S792yKSfFajs1N?F zUjCIl_}H_|P63NJ=r6xr``wcX_#oIBJ9Z2O14&co!N(*=-i)$r!BY8k;~IJ6Qv#Fm z0M4wC=OFt@^EOJJLL~q?HN{xiB6$lH179)ZG|GN^bU%6JgC!UzNtl&tGm;l-K(mc0 zW6Es<`rT!;Df=OJIe;MrIw-?()#}TH**~gm-X7gw(n9;KR+F~cU(;vGt`cQid!Pv0 z@RE*!jX(Y%1D|T9?VmYEUio1B5P5CD<1%F8=i0A+LBG^z44VW6(_Zw|t2BY&nL(iD z7n(Yv&AoQHivGxOmPg)r5AkYUa_2A3Dr#Tav1OgyQ>Ctyuiikepk3MCnX=`<9I#e8 zH!dZQ_ZuVao*ty>4(;Ei8gIl^;$nOhDhZ7y^nt5asfmYn#{Fe#RwHZn6ZSW@5y2*o z(-f)GdvXQe)*sp5IG?b;Q69{XV?z5Od4w}i&+}0P1X5Rc-}O$;e*ou^;wbyb1vN>fSshHBN$$-UJEI8Z%x^Y zzSq4~6-kD;2ZM?`t^_actp44i|JDI?t67kXFHR=NU3`vGXZG)KESW`GI8z( zNu4eO`Ul5!EJt=Rl}ENmid5+!@5Gv?_rtzJ4Mu1}LQb6HIFDbt2rXaKk8>A+Th=vl zENiC=#h4qPeeLu|PikV60Tc{E;DRCd>h+ z@ZsTQ89rqJ`X1Zs4%xSBE9QZpq-@oCIzCtv_OU%Xw@Ba79|z`!-jCMSahvnbBC>w< 
zGHHwco;By4vTE5^@>2H}m?uhN_e5TN0Qg=i*J&nYD%Zh$zF&s-Y=g35%L8qnmJ^5e zDNufYvv!crWtlPMRXksMO6DB7t$h|e1pf2}=E{0q@e^EhH3WMXD&YL^+_O|-rbJAqR z{z=FAlJ|_`J+INxSsc^(Y5e(yqG6c742ID$J)K*I&gBR*UT>sK=HX9ge#Ti|ybrs8 z1U%t;UiaPzI3>{8)$@7348xNy;QZ<7CyhUx2`tR64D&lT&YzDPC!qk(AOe5RA^cWB zOJ{!f$~gMnFuM$)KW*_LPPcyZW=V)GqA8OnSHFd;=N9=1ziiwh4SCa70}D|s=8qpeD0AN# zA>Tt=u{;(*KQ5aqH5<28?&HSi7DthBgPxF{Bi@&Mh3~|oEFLuKHp=^B2TI<;cgw5K zcar?Y$^hJJs%g>zjLDii2Nvo%WXR+%p{ym^GtndJ^($-)%6q5 za$m#Ns`)nmlXtNY%r7lEKPOo*uTX0=R9*yHTo*5XLW!4v0A5Ti{9{WRfO|H-#OId5 zh{cbah70M;Ir7QGmwU_I6>DK3T}1Y5+aXiO4FXVjcVJOLQ035`tpF_IsP^QCZwv*P zRtNxHGx_nmMKbH%G0-mB2cW2t)M)syF60Ro@Nepy!=>W=56b#g%RI0L^^b!^`=B@G zNUAg$0I(g^a;U_07+bnOoBF0?&s#)hz4MwZ2H5fN6E7(5U(I?KK*8sdG+8Qn_{sjd z5S}~jEy+``q%8YtmIBlDTXvD^DBm=La^x$Fw#@@=HPjkY@aYp5R70px$qE4EYRL92 zzskpNjgVH4KMyb@A==^{Eh9;i6!J*-m*n)RNM|wcFd;>_oZLX)a{$Kn?8cJ|4u%GcJ9GF z+t5$jDQK~G*RM!_7XYQKSmbjt2QZqZ7I=d`PREyM1%weieaa|FpE-x@gyz)JuVw&r zsH=eW!M(?1Dzq~*X3Zm`U+5zFijMabBDrqNUb9%+zyJY|*JQwew{ zO`b}U!^8>4Uy3y8!EbiSg)Nc5E&xJZlf_>`b`yq37W8%YHG*YzALU|ur{h>54+LTEERq-UM<95=c;T9Atv=MLuQX`c z8FP-3OZGguP!2(0q{Z0UuxhD%^4{yR2->LxrXK3p8z661^tTtJFy;mAZ<~KbUax2z z%}89r_TRYiV#==TMggW2snf|2QI zDdfo)#zMPtB6w>64cd6nq}>Vrr%F@s!A&UZSFaDG8wbrwj`xK4xXUfeyS8nTnQxDl zE$dfF{-R}sV=qh2-1tCqEC6;^zP~=&nz9x2uY3Tb*sm|6Py7ZM<&oU^GfDbPndI(! 
zYXK15sokAm^vPpKbY3LC?*J_K0QsUw{~P2LU;n;eyikVpXsO^_j=cHN4%gHK!o2BI zWX^kIqtE#I&6^_5F8 z-M+T8>pocLoLyUg(M9!cv`NWw_bRx_a@m*3L!!idP9BoM__(p)R|2?*)ZrULlEY*K zpEn5;#n!oD;)rME$Uz*!S-2?XlxH#KU~3jQH35A(Z)-jK{S|#~WzCgMvf;0D-&ds< zw00kU@&y_4&O(6LmF3==jpfk(-RQSd+_oy8(2k zmLHZb!+05|`~_t0`EJW!&Sm!OrvTh{a`*mvbS5~L#=W4c)+;pMhNkeCJei{o` zB2Ha@#xXNv*3!9Q{y3xI)h+nCOu310@2B-et2bo1p$15(#Nn{81i}&sOW=Pk0nSf+ z2~C_Zp%l!MTNZx%og9Jf9D7LH^%@qgYd39@JqHd-$-;${O+P65zvew$URVPEZ3$rP z0k9iA@FvP%KE?0E|V06U_K z_<|+M2HuLekb{yIw4yFc+6-B-2+XewZ~`||M!%pMmsS=rDNo}{WWtc{x^QN>zx?z) zfQf#(NIiGvA{LuRu!uY&M-Ly?#XrG^H-|r~@sD)#fVHQZSCG`{GfRhFBLG}XQVkx0 zDVt%Bu|?;oc^x}^M8PC`MzC8UOQY6LpfqaRLhB6jq5VSwvea&}t=p6@H4w7{NIkq8T3mNm zl#0+WB~bAG*ultambB>foPssf`k{Ttx6vMy55Yx(Wn4_}1As+MGQJqE!FJehK3^aU z=F9@%x(4!&uZ!hgkJQ9=&du1C`J#eiDN?0XU~2h-Pqd86uzSfeXqS&$C_ODYQO!$& z!_;o0ZOa!rHNw+U19k&J#c%q4<&6G`nh{qo&17N&@ zw0UZvq)dwsWYF?zhdw|#emG$aOcZQXEi*3Q+!tqSL27$We`~mEgi*t*OW)B*_Y#1o z)e17wCgj-n5o@W(s zT7fOht)CnqNs0pZS;YH8NcE_FTh{Q?&A5Y(1c9KVpQ{# zb)jRwrrpL#FZYqJur<7Tqc*BB$t~~0dOj?vAlDAPUPc?O#8{ewvVT`CGY)cU{oY%n zv4Y2Z2HydIjgI$;V5gL316D5nPQLwm0s8q?1#bzSQp*s^g8)=d0|-70lMIIysA5_I z>}($bUynaO20(9G>2!ZV1^kPasf?}s5&iA;7bQ)GEYLL0s2>j4_Ir2k7MjDz3$5~8 z`HQI;iE%GIEu3Sh1vqw4SJi4v3D9`Plvg0%p8=f3kbS$iY2Qo)@Zl> z@({)dHDp(O{VDi``38(P_C@B!{<44XPHboYSwXCVCCcH0#n%dcvoEj@WzL>YwK56# zQmfC>?E^r*ZS&6n8}CpcyiJWewJzNUzol|(eP14IX+EQUg)$-7Mu77)PHLvS4(&e- zK=GWmU9uEugqo(y<}Zh4;zZSWELEWfn+NR@L;C|YT^Uvwa_9DK_8Sfeg69inzb~Wu zc97SmeFqS%XvBDlDGRXWdhDPlr8_hQ$@dt{Rh$nrA(>)(vtMEE;JDro88*eojFRQ6 zqm60-+&!h^l3Ks-p{)`CWSll}gxY8&Z*yRR;|*vda$aEn8#C|;d_+j5+WT*f=;iT9 zLUR$fv>i+{46Bzd)xLix0ODU@4&jF-i;?z(J~x;oTA5)kpq3-E<5W(~XS%}x6OSJ` zpa6f*k?-joNd?FKySGDAxt{jN{d;ynzRLirZ5-0lv-y;I+Bo zIKXDkVU#z=*=6iNU_0`I9<`k_X3d3hdR6Dg%lMMSO#&y6pTqpRTtA-hV@CmeXen8) zI<$&E#s{o7bS!4Thd^qR(q)FtYwu&h70B_b^2v`L{CJ6P4*Ic%^F{X|ll8;SW z8Y&;7cdsr#mJj3I^t_Ma!k|DDkwghF8QJ2-2ttKh7-?L33wOgTANLv^U3B4YTDvE$ zmE(=i;HI}Yqvtic{G$u^r}gJ~Bk8PMH?5^(oEvWCG2RU~znjiz{dA$iEsR&o!%gSL 
z`|qQpk1pJwKJ33S39vmV)9kRD!>viH)~%CN$x}!gXi(6$=LH-9up2;U94tPn+*3yF zcar`_+wsP@2vdb6aQjGrpbvByXn969HKLLhgUCgH))|2q31Yb`R}GJ_yYqYOnQwys^Ch%}xNhX=LlqE1=Po z5L-n7IAD=#&XYHc5b2+?(6-{%dIB|7zz4xYHWB*@x9K))^|)$SQfrCZw;zV~VZ)Y> z1E5XhwU_gXbO)X{XJHkH#{d;JRMZR;~SHGnrV*-($ zjCn}Q_e6T^! zBm`2Z&CLGFt^NtopXoSmsGT|=nv#3BZika=5kAJVrUu{Dp^iC z_8O-7XUv=v{8V9eR$`{#LI=7ifug(Rxx-ksn4@;Bcv@ z2fhid%tw^BvHdzg`}s4pUs(m3T0PNU!L?Lr(_(w^V1UY>qm3&nm|GLt|^QKQ$ zQwqbT%tyVd>UMEzxbp)F4@1iYjbz#l&X^V3?9t8y%Iczj$4?MTHT!5&lv?|g8RxiV z^Ji+_$)H7y;h^&zKi<4OvUjlT9`CQRRw7M-cE*(&s&t(9a^=qo@C^eVu1cNe0Lv37 z7(MLShxG$g^@eQ#E^k#$+iUm|M$P9V2lwHFPCQLRP4|sIeW&**EYh(c{IOpVsG}C? zCd25es#6~#`5@&zoqwoUxECAwOFE2T{f^A^erM_I z>W`Xx8>vK!=K(w;}qlF;$dO= zM2WlI1Nb22L%<#cCJ%qO`R(ebi!R*g?0P*qKM$71u3!}|D!&|`f86Cj;SrKJ$XU3b zHxe<7&S=zwA3rV0qRBoeZPav8K`Vb*=C`ZyVAtq)w0OH-uWWyurLi(C-md;|qYq#I zx&%z78L=oyk5dA9k|gbQGMsYHk};#i;l3a^YlpvHS~z7`0=KyYA|~x~r#z4{0W=0L zoc~=HOdN9rRd}FJ_rY(fc48kKLeivNH!Rkx0z9|~T2H$X=P4+dU<*x^D)WZpcF@aE zvE+7NF2>HBKB3_W076+=JdxDgg)=9#T&^Lr=P9TfHMB)X4Xo#0`2hKRi-S69c+V6h zy9jXRA`sd;VkXdSiCpYmxxM+F0)`^OYNM{c_}KTEOhSkit@=tD$_2R z^RDt^{Dr!50euGBwo|7|FC75_a;s$*XliE41`{1~Pb)yhbmZqePDGszKyL6G*jAoA zDP(X-ZMRYDhZ=n6&)tEo%|QO(sHyYm`{Mx)6jLoKYJ{fFoJUqI{R&(BQ|W@;7QdQ+ z?*_ObkVx$-I@-d+w<2sSKc;?eDZOxxZHzaj2sR~ulC%n^{J$O&ERTBraVM>7iGK9oDm=`s4c}g-JuLN$@ zwkG@?dJfm^r9Io$ki4jOe8}M<>=jbWlv|*w-N%EwQlr0SgLWROq4j58(aHGWzMax* z0qiXKa)xSQBWrb(Kf#yZev7TZDb9pZ+qA^} z2rAQQe@m1Id0*BxUpVJ|4S#yz8>(@6@%$A@05FFd(5#MvPT-$Bu$)o=>pL_kp>`5! 
zTeC5MbZO4p|A0F@O1H*U*6bDDKYpc>n3cY<+r=g^m!54G-Sa)DaT zwD$@z%YN9Cqz3#wRcfK0zsu4uX3CSz%E@Ox;pA?ZB%p>n$1m+f(sThG$5KIP4$>3@ zwRCCgmYT62EZT{!)mgDs9JV-7dB5ze|Fb`uv%bSV$KgW2kqc?gEf+5&kgJgQsUv%| zer2oGgU0VXm9uJ1V!Zsa_IsV{ns?{}5E)~h>WXxcj|0z-UzSUoy`0BKV5>Lh#y&Vq zt;=(-LPIvQjv3n5q>D~w%6dfJeC813%V z^yVF<4F7~BaC=EW$4JCDiKgZREh8tws56$u+0~zor4KRFDXFE4F8)TtnGb308sNkG zR2A?BZrqHGi9n?9=6dmNK1}A)x^c#wWo>c(aK^iFM(@8WO^n}T7_C44w)Pun!k4+d zd-ut~gWd}}g~A6cU;1|K-XmwuoKe4ppE`Y7cI@0G7qIB_UPwJqhKBQZ?%It9r1x@d z4;NR+q(6S*gzQ0imLIRA-Mwe8?1vUxD5o6&y@u(TKg%+A4qIGKo;oF`uuX`6^oJ_@ z@R1{02Db*gj%6M`ax_p!rnNto$3K>L2``xD789i zOczRiM$3mj>0NgoUqUZqp?LNzwv(ZrXU?3}HaU6nl=5XfUVui+0kk1`4OM^A`DM>} zjkJto8EjM6`DH`8Q2oM96Tbg@5@35!1BZuE#K%{6p2p5=80`Feat)^rOCU%B7-Muv zQ)SfaQ2-fFlH ztm)Ec$*x*ky!V&I#UGz>Dbr`eFSILB1~tFt!M-H7pHllKWtt?=5K4`CfXiy|0AME( z019vZX8;f1iKl!sjy%)xQn2_v&<2_qC9n7j`gv)|J@c}+GXhH~z>kI@E)Eut)V?Da zOF8gR9x6Ezq=|!VXwY<0B($U`mG;1u;l01CMU za}5s6U^xjBW9u}wKGP*d-FR3DwQiO|!|S_mK7~eHO59J=)7QCe)t+;)AaAylI^;un z(y=Z1jflV)-7#$4q&6(U6|HJSld%r;v+k6xS7$FWCNi)(vkV>#bqZT-Cu8CN;A6dH zB(}hB{bjR)Y(ZtfC?)eGk0*~ERImeVD)2=9sKLZ-*As_71K{(t%8T|RxuEy#S0;xR z>8t1ilX1YtyHW;+z!3P#3~+eOimw%fOOP;LM1TEVpUW&iLBhCdmVx)wkfm7SCyb+8 zP6-2Wt3LZ$8h|eB<0=RA7q9PtVf<%3AvTqx#^XLCY{X`O24d-o)ukoOBa9!?!viRh zM=aQQq;1BJu}z+~MIVOUS=tLExM%(6dNSq#M%wQp8i9R=eav&@*3I(#ee41k1#D8<$HdQj$kqY zRce8??A%>G|M@Jo0Uy+D)NHtf$x|wTL}9Xgf}CETp%h_e0b$Jn&JF5PAKGUJB{6JR zrb?Sc%?DWdsxe5}qc0{(5(~h~9(*hj)qFg8`~ptc?xp>W2fJ+Bv>yE!ws3Ly3bj#r z5K_x3Iq_j&4|q%{g-cgf&E(6Mu4!LlzvrApY>H#5O5GMR1M=a)LQ;)HHC9W{^7z=k9bmZ7#b0q2Vse#fCR zpGotMeS*@lzS}pg1)s@aBIFkU79II5jV6B?XnI9|!mA{<|mQx!>>uZ z?rQt-*rCJdD+#1%nW{e7?f2#|v@^#g#}B(^P`~Cph;fi2Eo~lqV~S%u4L;EDV+S=l zx%GX{hZD5l@?*iLu+>W2zuXNio1Jv;M`eaNEr%49-X>Zw^hiPy5 z8q#Kz65IkFLT1*@DKC94pe|rff%n<(z9yecd0Dra$Bq+251X1W_-TOODF6cJM4!Q- zRUqbbgySzBOfSU*!#c-eXtF&*%?%d;cE-b8xo5|A>DsJ}^uu=XDs`Ih@uvJ!P6W64 zVW(*6y8vvK(YcQRs>zn~0zVWc#rPt>j7x=G5M{8{elb24T*gPJ_z7tD_YP=$FI3r4 z!<-)o>9)g`Fhr@E>j(DjL>s{a7at$KIBwaF?9(IO`C8kB_IFc2j#j=BhkyPx3Gmq% 
z>W>8ym$2vizs5j_j9I3B;0h6Un+16f-l&!4AYz<1n4-p8NT~EoW9f~~y;`13d%g5- zn&|E=J+GFp(%PGaC5%FV2uo}YF$ z65ycbq<-x92^l+KqJoH9x9^f>jq6IiI<@5lUg%#QJytc$jvqfM?c21F;>C){{I3_u z=U>dn3r1{w*}o`#o`oG0yohXpoubj>-jw7xm5~5lkEc3Ix^!uE!eTjA-hzdTWX30- zOOhmsC0&|S(&@2w`tY0Z)?_(|Q&-QNJtw6~6qV-98V4A*w9I$$(q%Gj)@M=-+Z4KV zd=xal%gouI%P*U7kP9Bf1Pck!4jcRezMf()1}RY2$?v=mqwCw`I8GicaA$7m)Zr1` zD$MYWzig390Q;&`EGG@>-5>O@J9_k(eDT%S^3K#*()XDzQodYS&2#pgx$?z=ZzN%Y z1d=yb4r$Z+Av`=IhY=@Cz7YKQ(^`3Hk7`L(Y)7kcUsahg>r?r1!6HeGGMMJ^ zPVFT_`gB@%GR!t`WuHE6YI&@E8wJuh{0L$W7(7gh7A`1_8`i^%#Wi{7y$@vr7IKtL z<$KFY!}@ii?HATYDxC1o-;%%|y=?ta{NE}(oH#6j+e88eb|l31z!u$Kl_#2&m)_7c zqsAFe_pR6Bam<_Ei#O-yrv{7%$dCXUJlKAY2u!m90F&FaX~WaBux7tMR(@KUAND^N z1E~8g{>4*0-vdcXLKaonqJ(>OFEj(WQ- ztxkbgC?184#~KsT9th4OF;Md*Vn!ez`T36qFaL-S-TYC7+v*FlgKw@6Mv-4pwowtt z9@7S5t=?s_0yKZtMXad28nInCr?8Sv@glon0HrWE8WEx9m;i={HLbz9ma5WCuFkTR zi9R^p8=TcNnkWxSCF|nde{Oax|5c%R${^-|l=9;a0Px+)rwKam=7zGsUp5sJ5RBW* z=5lIyPS%1%4VEQQZn$Y-rRWH$H9lQ~7CP0<|HlI0Jhb9o3$iW5{|Rr#H#;df%vm(R zfJU0zF$*_h7W2HMZ&2q*aJRTwt=Ca)CwY*xw*Y!H{`vAtF(!;DA#%CVg}*Rs;`SrD z(^VLr-D|=)MjJRMY~p9UnYXZmM5N&Rj`CK`Ehiu8S;=T}SMSTc)x)lc=7}V% z%}O}47m%I60?acONYq-x9Fj};4fbGzw#9TJj5(kHcuE60zbGw3qjbz2hvZDs{LFE9 zw^_RXN5&<@l*L$Rl&(Jbg$ChDHmj_==v1-VXsN))(`KH?-#1=bWZ7nELe3pVClh!z zw_0_t@x_T0HIz&`_V=t8TB%a;AunIpga%+Lz9YnQ-01eFc9?e5QKrCxYFqY;0B! 
z1ActJ-jZFcd8EI=SlNwQ782D*8=5j-k%CGw-qNJ{l8yrR^kvTr(oJr4kuJ~dhZUEX z>LGymz{TKg0hh$4_-zWC1Sx7)uNLkAs`;(!)E{As5%sAwbhfp4%UGIc{;JO<$Ix`~ zV1Hi_kdr~6_)C^s-nhEzCP*xw)zWn34-{gYpfaDP8#_%m<34{**y>zFPf=+x8S!!z zj|8f*7tibWG@U{0b9sz{{DE()Mi4LXXp7q!-7Q(sp>Nd$tZzT>yc+w}?qFOTmjFbR zjt~?20aKO)jbvxIbK12aeHp^l zvBK1c_|e^%G||RhKy{d}&fQG+HO8TL#>i+!xAj@MUjhz^d#=s()5^PZCw^`v;$P+- zgamUp|5<%S_%{pm@rt>CrG>5-pLz1{;|cX=uYkA$4s;H_r0(LrxNR4E#_8VL$Qw#+VAWhVBkcsrr>Da-R(txA@n!7S*rKX8guS3su3nVTr)Arkf)1GgLCi}~Jl zdNQfoRe>tE$xFS1!$c{JD(s1};1&&}Me8ED)Sa{Swnw?X5R}!46qbCt8Qs3E@aK>9 zR386H@%&&o;(XV=^zOM0C^$-kO5K-Q62@ziA4`-@(Eb}NgfVewp@rpoO(HLMB;T?X zymSOpc=ZDMP(h7}uBTi8a0aQd0TE)mN z0y6xda%DnL1lYg*?{Ld@vV5G70da}euHZa|PwOEPtM8o>ph>!5R7Idr<#pkc0pPog7B$I` z+7WMyKrIA?hyI&Lz^S@GI#XuB9xTpkKK9rDvThPZDdw|c{%xgFx4p&}le&{4KLib# z;XrD!-cf)~i!g$TAxxL4~3%tjZNKRO7p!#aEg9=(oKN4NvL#ko*16dF#EX@XO)T{E$+c6*muUeF7e( z&NsWl>d7yE&AM;2}6DEZ4i1naE`8zY?xqPqz9w*}c@6 zh8};Gzv(dyxejlQx!h8#Hh>C^ReEHre(SV6H(#e6g}WIs6=bNn|Gl3FSkFmSyR%lQ z+U@S|aM*@0Ahz1}hWE|sZm-Frl*%pN(vo(2|JCa|?>k*&SY$j<$A-YNnpJ`dhvPNz z55XFw;#lwiAaPW|Ll%ywhy!;xFQEX_xDzVtEsP1pr!xZt4Lrt%+e7DnUFLFXu7`v4 z0&hq1Nh!`%oZ4tOc6WsHGn@f9(?XDug~%4>vHZ?RoTvTZW~!JpJ?Q%8{y-8_JAk=RMKJM9DA*( z^JfiK7SJ;ftsD;lu&YJq2Y7Zj=IM3Gb4SuL33?~_%c}>bGdK@co!(bxVpKy(jn94V z^^y4O3tiIr6*cuk0K-;|9uTrt?cYWkMLn7= zv2zN@2>z##)k)xs>rH~C>niKHtaARRStx>o1Iu#t0=#@%i{}%j!{eS$;<$Q6f5|-K zw$&ypxx_Xflw`#POY5KoLDVRK_L3V8Z3X&_%?^-s1qlpZ-d$k^Vtw9hd}M0IV1wo8Q=L{3Z*RE2XnNG^$J7kSA5ga z#&uZ6j`$;ce%z7z0S`^IrklFAzt<9gpwK#p$i3hW#WZsGILF$(r{*gZ)YNZb=VPf* zwlbcLzzfL!2DIByo%oV@3ByDmCIx<*Q~`I0TAi;kL?TtOmrOs>2m3e=d}{H#2d2ed zJ3#24S0ze#1#u15za9RCSHy)F9EbMCjle#JQRP@$wqC9JezeT_EsHaw#Bs*_8W$JzHy*V;{@cd6lFEu6M1s~%nJNY1JUUQ zrL;$;HTQ+`iU8>rB|yn48`DD}ft?O@f4Rtw2T53ASfy})OnUXsA8%wiJNj1CF;d!Y z^H9W+kF!bx=-lqGc75lOZ>tm3l|Cn)5%}h$6>4OM4X{s zU0(b74G6&7 zpq*s4;v={YYTIn}7Kh4cOfG8wE8B0*#Dr2R-#iJVV7U7lQ0!-d4x>?`58R0pY2Tw5+7tnyYkr8M$4$Q!I-__ zc-c?ViRnf=Go{}_+ZJc$BYnbSrP_#M0X$eB8hrC%=J;W;K?w45M;Uw(vy^42 
zJwOxWzMoYT%8V2AdHDf{O1QP4-U)E5t)agZd&V0G@81EEoPgq!f^RqO`^p^KwKLXl zM_ei?P%`xd4EC7$6qNA&6j_C;a#Rza|8}8H zO3Ytm7MVaYpBm~Y-K?_>$(4E=>XzK?ryorlHz#2|ygwZYz+2l@Bd1l!{eWN29(Ma^ zWu_DDReSxu9qfj~wO?;;SMFzSa*J3!j_7CFEh(gv7)rdarjd^yOla0;tSy22IR~Q; zib7TKTG^bC`S;?LI+MOLjq^due+?n-Z^;f?F=-TKLI<;BxeQ3?3?@FbNiyzF z7t}GVl#}S4nL{A z4^j}~O+I05F06izSMY#%ag%Y7_5QZ{_}4vGV6GgA)e3;UAIfzVAbeLrcR3oC{9?VK ztNY;V8xuG@S6xWJbK=^9fPf%T0vVX}`geYA~4F0o)r_peTIQquFv5*OglVH}50Rj7oe=@d5dT?7rE(6<&R zGf<<=I4Rh9R%R>PL-WS;_cIui#Mn+-Bp9!)kg_`%b~D$VsEzv6NSew~)C$SdsGPPM z%^x9l^%OiQiwWDbxYG8NII5c>VFx-`jkmhg6!e}RWD9Q;sqjANbEU_5cHA8tX#dkB zlP{^8(d=DuZE^K9>%!lXrbB=Hh#KNA&-oNE`#1Y;FCzM3rhSo{2{Qk{6$a>t#Pm+V zD6Gzky}dIKQ3(F>B^(n+XXzOmd)otza~_Wb+gxL}=V@O%vk`q5v@a>-E@{YEakJRY zBu0wJzz0MA^|`o$6DqEpFr@Ch9i}EZ1gK2BcgwmGjO3kfjQ7vOBApp^CE|SGIpPvY zm)0OaouMi3M*nn-f#L;eb#O)nGY;@0qj@T&x7Od#I)Qa6_ScR;nA`1VJ8S&k=zITc zEDC>z!+Rt@+&H@x|Mi@smACDaW3bC$k2neAdRbb*MPRmTouCWM&9CfVLgbrkzoK_k zi5+))LMX+fd8_dkiq(>GnmUWT`zAdgzpqitwa|5cofc|uG;XmFvKgj9!yag?uIUy$ z=J7p~&|msSpgpjdbN@#$q|pJw=9Ei+^WN!C(EHfS%pK}8pW|MP)rs;c6DgksJg3Dx zjIE;<1Y75Oje+I|sS{ahQZv#@5le`-3L(e8kQC6guEBuQb@UC!{JLgy* zUK$4LR;!*i?9TC0vNL`Eahe(IWQb;|F{O0TnMczErk1;R2QbgH8b?`{uSZTK+DoOv z97q#nZv{;v?Ad#-EIopxn~>=j87DoAaSvguK0I$RR)+{Lmp`=Z2^2YL@S?m>#Pj!I zv-}qCzLx>niiFdB;@Y|2RV?lnV?TrWeb9)g?{e8%Lfk*|pZogT3~$*#_y1n{ntJ7O zNrS+-197B}rpmLn3_&~2?s!%=Q)Az@G=8ve$ZH?icg7)--D(Ys4;@1$A_>i?*jSrR zyFQFT_bE!XRQ2a5^^sP-ge!-b2%EtG+HF2tm*>?k^WgpKtY(IgH~0xb=>aIIUZsmo zy}PjiA@r!`wdGM>t2e&Y&IR3I(bhZ?!i6Cw!nMWV=DXN&fIpS~XX zj@0D!D8u`o5iLWDfn=a9+7a7KBWf@bXAk!nL#H5Ei@z_3l~r_e{u947aeqs!nC9>N zAAXylFs`Gq;~l=w7ZiPH(GWQF^$=nO>a9%{h>SO zydwBUn1A*@DI;U@XU@ZwThUNYRyx1w7NnxP9t^rk`!kQYypTuV;7NF8X26RLXK~tV zLUxsRpxJKt`gjfUblt-lyUA8Yp@b7C2GC_*ae7YN`= z3ht&gbxe2rA~18?jaM723-I)qgh}dyS^oO;tosXJFdy1?U>eULYcoA1e;lby2NL=r zau)e&_olDDN0F+^u7Juwy|QpW5w7feY_`FI1P}scH^F@)pI8IprkS6O#2JSIbrWHT zjl8!knZo>cI=|GfcD(h(u+XpRTfIQEE2Av$iB?xLps!@>XwGipGsc&82PRg~U(+vV 
zP^~-q5@S1~GQZLY-2lEwqjbH1U4n7HaUL+Rd9fmqHmGEB}BljC_eVq<$#`1>CZC`-D@q68NRSA8zZ)^s8`K)DPB|+snQL?6>1}cTM zE&%)wDIoYmz~PyPon7Yg6p14}>Z_z9y#0Cad4&IB=Ts_}*(HT;gPAqOvh{Pgzv7VP z;9lBp_myQ@dugxymp~!xROj(-!q(f}?rl?Shnwrg(d&&YF16S3S|*2vu3`wAZz zqti4_2Fd~Z$2cUXpc%5khDXcUbmraV3+3$bzxcd+Jl*+#KPtgi@GKF1sJjM9IPHQ5?3kiF74F2hSqb#Ww)Ir~pBRfc= z15la|{Wi*L<%kvzKcSxO2M1tS>#_;rIpM;|Q$Yoi;+y}O$8<59!efL7B)@QA%S+Tim1aBDLkAk{D)wj3%U;=7}z1 zOK3<{V}sNRJ(#XRVt#3HOo5vY{*5gj zX>%mzeJepf3M-EXIL&&UQv<>sg+}x?Fu4V&z7EWbdj!*5ThFlpVqD}Of5y9mN^wzo zAOC_q44*-yM<+-WK@_Va)Dh9=X5i^-UOPTdFzT{y zlL75*bONkM5)pt9z^fT!?nEr|9%8T^FMF%o%JKcPYM=Fc66UnmYE1^v+=fqEx%Lv1 zD&$*Xk;;h?pc4e}tG78$oYfxlKE?;sHKHDpr>s+O%3E6bIcJKK2EDShM~z@zsxFHB zD>6B1SPaGb4(o!5bph%@zg2}sE9;#00%4e#kO7()5<~-$MhuI(vV@;1X`m>Gu!+W2 zH#4{cNN%YaR6r5*06wztZ=B5}ArFDyt)_|-$od149DR8a0DLOEvGmmfsP-L*4L*Nd zvI&}w-_iO?4i>8sRA>`yr^Hwq{x{V%*>~16{6@ zZ&Rr@!4ul<@!|W~HQceXk_r1^(`^K2#gkt9A4~NP8>xv@F4K*c$^-^oKfssMkTin+ z6nG|inLJJ{_-jXVt7ks-IT$g0e=HmQ6=2P9vYWP%0dZnI`S zp-<9u_w5V>E3Z)yjYPSL#kA~ya|{RM9`555-dS`Iy63cR2^@mw)t4|TzJZ1bA3C4^ zn%@POM|$K=2o`0j6anN3$@mx14d!_km|eR+gkRq^-5oNkTKR0w-5P+eR0!ZqJL|>= z|6)Ng1y9T~1$KT!F>H1@Q3`isOL`PMjEMK8QV^q$aSumlg`vQ#!7l&g^gr!$7*4hy z=9i=}Ua(%kCYqz&yN&n9V)gJVU#}3pmQXn?71+3HjQu__0t-1#ruVq?jHOn8*4}NFNlu*+`GkzoSYvV%&fVT;S%y0B}70 zB#L#b*?=?nITq)S`#hLYaYLF+Bg4faM3YE4w}{;AJm$ZOO4K4~K6;r`(VoU6WidQw z+3|D8r?hVooHWB_f_WVD`ujm`lM|(0LQ|{Np*Qpibu=)QE9Cm{$@XmNpYORG>~OL7 zZtsu6rk>Yrf>L>;UBqYS?`J#h8eFcosV)bLS_^(vI<3)Q79ApY)k>FaI-x^9^`aqP zDlxM-I63by47BuDc)hg$fkVax87Lvbr6<7qqsL98ObV;{`8$fW`DzCYLa)~-GhfF1 zW>0T=^f5V@QvY=EAw8mQ)teB=SFOk9>1Y&x94&m@nbEMdi7x0gQ|tRMRSY^X zq$N7lpIrf&^|p?AcJ{s*aXUSKZ;LeT&G0?&i|!p66kL0}IVQ1~y|y_w{8yOkO7h&k zu8)IA^!oe_1JB_v#nUaXJ@k>PxX?@Y9yZRPCH7RP|1fV64@;C|hs43-DT*H-f631N zidHyXOeF_om?};aGZJg<<(QMcn6nWu)#gT5b7%GzPW9{Jf1?-wADSl{`c)v{_yGrW z>m%t~6>O8l(%*6dTB-$@UB_`l2+apRG61@TSytZ&K)}0zL!QOe*13ITboF8uP|P0- zI081bN?uFQ=Xa=-#c5VT6sR#4g4t42v%9FFh_d{x$;zE$;^X##uH@v)9Jlu&BGGJ- 
z=3MbxFmJs9S>hkI5=lQIZ{N3ZLJYL(*$Q6SxLE8;HmQ;$X*Z&l4>9OEiBDHEZ@#ky zKk%%7v8E8_e|IOgUf7PZUUw*>DYH2-Lt&5P}XBuyUE0_=;3TkO6KdFTdHW?^ppk**`6 z3x4GRHF(5B)4r1JhNfYw2FEA%yp!}r_VNt0_%61pHgY}NtyKC&w`{5@_p*hQ{s_)c zhN7~OUGMUcZ&k;xvYD^%g+qnmp~};*`KD+WTUEUepCY9(gVI84jUO8W63Bg)RKztI zxUrPT+(PWgc-FRE#>74yF6+6Aw5}mi3lw1Vd@hmJv;o#D!+xiR!nsrdhrIhnj(7n8 zA^gjend%yI4s^TIGn#-7O#gd8;;FvX9P9jqs7bp%)u9r*CIIoLKUANz0=|k(cOgwbi${dx9rtma zZ}d<`eii47a+8m>UxzUf%D236ak*H8xx_t#)x(x|u+9~$h!q)Z(X)}7T?fQsv(TXJ z&|hhNjeS-AG=Te7Mv00l_ev(}SNZY6_aS}b4ad6qO3Q4j=z;cBpsNcf?yq4P`t3Vl z5G)D2GSm`I)hn5AppsLXo<9D-3wrB?1yY~=I$y3sT{T;%|JTC^xQtoEGnv1F?puL0 zo1@@uDf72$8JCNDR-j(pQ$#(#y_w@e(QDJnK|;3#qm@oT0nsSW%~m2;h*EF~)sakw zYes$GkPjnT_1t5ftLM(N(a}a*(mVoi)AW&raHcZdhE^PYYR>Te4ChclDP<}LHCosz z8A_l?bioUdfbpHu^dzI23m>#$jYVbs%dJ9&0Hu#-4+&#ju+6scKPYmLj*XrXf`no! z0ScypS-v$gTUH!>d6*Y0VC())`0EBvGAnEjfrW(@UaJO9s7F(GYD=;Q*%3pfhXXYG zj~UaYeY9x-an$Ki#j$IZEF92M#E9xm=`fw0_aw?!ajBTsxX6?ek7n8IBJq|dN29k! zn`89s78NLV8-1bJz8_m|qN>3i2B+kO>I(?*?2`;{qNQa0{#SOBJQRz5( z!v19ctikEu;%5^R?2@@fNnpHJ5vd5uH5iclqP%XA3k)co2g432Y9@JKrbZ(RxWxBA z8P++z=*^SzF*Ns=@sa>~u!n!)cU(%?+c^BQG@g75C|eDOQ>@6M(s};0Pl2eeLEK~9 zd3;zX2p~v=Sqm)pzV3i8p+uDJrR63Q`>HE-c4Wo*<9OL`3sA2N@VEIuetPW<4kf^Q9;aVS#Pv^*Uj3gr z(Jy+?4eu4*y{2ziU8=tFm}$J*!hf;p~7Ly_L=8eAVeYY#d0aXwCyZEl1 zfTzX%se$jAXk)JKAJ?BBa+`RgET<*Rj{;o#XZg>ct_x}j)jA7T`i7$2ZCj3a|7t@! 
zIL0kXa(|TV*_MtzSv>jgFlVLSy^$= z3B(y$bYK2NqRhteZvdSpx&^j~*x9q_4^(kZBAjBQ;=}@SQ{$7a1hI3+WNE)p`tEPjLclM`ze{v#N9v$ zZ3JHe@b@wmUQXc}9!e&{iuxg6f?gg$;oAAF!=4Q(>~;nUp%p8wURhm=m3Eu@?&~xW z9FQ2=98MmA1fSKop^slI`rbBQ`38A2Z?S4=85w2S>_(0hR$@sg`W_$c1_f5%=B7v} zvb(L3t$Srs*uyxrVuVHAfN#D|vNSLCq`TtGG-AX;&!S#rHL0dG)y#7iY9`cb=LF^= zbwHiIwK=>$W1Tkr&?>z_^>GXBr03%;L5%q@bG2GO(Dl;$Vs%0DAr{^#+8X%FH@P)k zgI=(Vo)ClS8|HI4$OKV9jZ*q-Q#Et@6f}`M2R}NyCI!oZUDT>3B*z*bQuVGj1)_<0V=5}=#!F17b z#9UI5lke<)Ojlx)!k*;|`o4wK%6~qQLx>`%L~9sZJ(vv2!C*X!crmhyUU0N~{2ch1 zSP-$&$ddiaj|K{Ko;F$FPdQ^%>|fP03$JNa&xt(j_25cwLx%L4#IsD9&;xH50k4c9 zv?i$nr27l5zYwT~QnfKw^ zC|1!WMvwFPcxfR2tqTq83R!5O;?f7?8E8>3`sMG-GeHEdsYaiGy9{u0(P3`Nk#R`ez(2{8yZlcHvFKP-Rt z@;SawXmwd@Sj!7gCBK&g{v^Tyv3ShbygT0>zmQA!%=-PT&E_r*paNAl`k$FOC}s2L z*$&EHTs&<09jQO1O#(N7z$|Gn*va#Y49uhfM;yz>dF(TQQijyChZR= z6R^DoVO7X2>$ss8jce;pfU$hG+iw^*$BmBcsa98Z$owvM@tcLhv%nTP*3FDb6mZl6 zda~2lzt=rk@6EaNE)K^7gB=k_dbAAgXv~3op8h1bqK2H7{UOAqS~nBL#NVYOVL=Qq zx8{esfdvMdNeXoa+T#^~pFSGQ|iQ3pCCW(+@UqN=#xCVL2;KU2+HtB3 zrQ~P_F6vck2lzcV3V}!%@mEWza6sYdSA=Ajnr8AFCU;`;Epjf0wz?3*>R2puaFK1J z7+qYkPxj#bp?zuxk?_9Nbc%#J9&vLTs}3tg+f;eA-&xgqUiqR?*7(^^E~C56eT**Y z%lao!lhFF~M>4cnpeHC=Y5)MjC)i2X$q`ARF}V3mIN5JMdlO~E=bDoke*21eb;CfX zFy%cwGcgM~VOEApYMI`7u=ka3|2nP8Zv1-eCR!Ue^}1;?|h7ql@(ipP1vz8( zYv;&V4Scow0+GiPDU7-HxrDt0$}sxw(+1tD=*LUgV)>nshk5S-EE6dMhXhlb*tbm^ zsm>W>dDZt;Wqp$Al`864UH)OrPiIrp7Oy=^^qq#%0Qkdy8yMv@MiPbfF#w~$R!y3F zXnBM)Kp<3iywRw>&b_)!DRcu&yTYs;tQXxfnjy0fO4KJr&xF28Q$uJ>J)j{wcHGKQ z7qi(-bE9Gb9+QE@B>zUUEloK*pwVm_8p`}YkN_EQ0Hpjd2ed@1!A$>}uwjJnj9;FP8 zlYx+@+j{EU`A&?RmP5@gebUzQC?PvQ;kMv-2G_Y=5@3(ND%OiPcaVt8gy{Q00`P1i zn#%>T4RQJ=B}*47DY;rlh9Zl`hqot`+joOzWbPH+Ar?n&cqqsx;|t`{V!pv=|5c)_ zH3i?w7^zXF50BcC!KKUD{?Wg2!aZ9;}eNgE4q-^7IRoN_w}aH={%TV}SkY zYU)$kfS+EkM+k7_JKxnhrQo89od?yG&-F?-Ev9!f%_g}gt{=@i|2)JT@aYJrE? 
zz#~$)CKC8`(9CzrHDC%C5NqN6Ni4I^G;B~Khr#KNAaUL1iGA9X=%eprQJ<$RhMw%m z_L=b7d?^!G19jcv1VT>3{FGg`o;a9l=up-NeSa*ZX#VMSm-CllT=2w zVEDCbk#g4`vwvaXpD=4_c&M1apPGGn_}majXJpY;6URoTJyKO3OR3HGaNEjCpXTK{h6Gsw8zQJ5{o2j8twG&hY`Adpp#D zPV}<@SAZ3Chroj9oW_X`MVrHTeKyR;x)J_JkhQeoy8h zp(l2fQwBeXWi)SV)=o&}mBZy3CJzn~isSPOsQF^+O#ERr;;h9ed!eV=0S1#^5?GKf zgMvJ;e44Z1TsBaWI`ME0-I*fq-dn&oD1h)iLjH9+Qq z>i$#H&p5GY%SWCa58p&{@GJ#>3#l&j9`lepC?NGy+OP!~f~4FS<-+_y3q2Spd;bU< z@Kf5Orpt8GW&5guv|XA)g)`Z3o))gV7CL{iO3z#saZUW|?ymutfYt-TE4Vy)D0!j+ zJj3EaG4z~Gwu{Lb0SiamE$Z%`Ct{!e{Rx^N-y$o`wQQzscLU|-L4+1p#s#zIg+wz> z33kdxok)`1*idTpfN$>&qimwh&4vLF6xx#Fhtuc{6W+BqNG<&01n?zYc|0Yf|<{Q*1C00()#gJ+4jg12!xG2WPLZU){t-0^@xm)7_I_$AdJ|U2CZ6!DRcreZpw;pt$>`YykUD&36h14JB%@Z11GSPK3>EM2%)-`^56R zQ-z$n#^t4|(NYDQeD5k&b{RwYjz!`Jd4%{Sb5OmewqF)qK$&IiXY+I};0ElhHQ^ng zZb}F%yh%bfAR12nOpgI43*pu|KQjw+ebw}Zx4)f{6JI0*GUf5Yu$MA%sIxe&k(IgO z>}~x%jqSN&jeoa5B(}=-^$8aXtBNugIZ~xD>e@EzP*PjTg2RFhb2PgzMfWMri8q&e zZQnavP3|OBh@hDrkOtkkuvwRrz^92sz70e>I{w*%d4b2G)3pt3-|X&d?U9~ItR?I=U+`^=k1K9tJ{&M-6cv@ z2I?I4fq!!mZJWa3E-pz^dO0MY|9bgVv^~D9O^)CbResT2)We>QcriGz(m53ZV|ecj zP1k_Cu6T}aaB#NZcBhbMP+Xdj6l3_kx#jhrG-s1 zMeVzc#w_%0%WLqMwbp3G0zoVbvi3UkejElWzk~>YQz)?;`vBq`L*EU7zHELI;!9ci zpgb)8{pzLa$ocQ}k}VeNLaB0uHU?(@&35$e7oaNr zm*)gCZ#ncpCYwa@`C`o2Bext++*0H+F{|TV9@darBNfSHVT*Ar>$C zp57b#yvWU`Gt?0)>)opHq<>BfkWVtLbCI(myH2i|kWD;v{ziF#3WZiRy~EDyj0roh zYYs@ayp5Qi4SjCi>yo)_6$%pXFY~X_pfJS!geN4C`$R-Oc8-YeeESIadb}`Xi4y(2 zR(|>FVFcwbWd~MO!ZcdSBz)pnGLCYO=9&Gq7qu`LeSU}tO_4kdpXdpz>FbORRVTSj zA+%JcKSf5sGfBG$pp3isc3gIK;Zrk4H_iD}SN~V5_hF+n=Fb1o{RFg2>ppvjsXH8b-)<&)rZUSyA^(ITa2@W?elqC07O`s@ zV!=bsbl9{*fMVUkP@DSVTm!kj43>YWFuVAAF(>DGo_@oJPsv>D!??g(j*n|NjHDdm z;1Id>COWz9iUxcRo{M`3eSpWLax*vnS53je2keV=S9iVuZK7Nl9h z#uDFL1EEhFNdxEVP@oxMCcrlQgLF*Nq58^;|H)nHX(Z-c);o}6LXXS>W798Q(PMFG z2ssO|&0@0&qt{+N=(@^3y~;VCecw0XrB|x-_orlR)CQVehu!Yqu{1%z;|R{r2-f9D za&%9v?~efaDdS?JPVF-+^y#)G_hx)|uh9@!z}kk_w%W?iZ2F@m-E)T017(=CmLuCK z5eD}gyF&<^cX(?pP|r 
z4L@)HH`ulkN`NA}h+m>up4%nHCzOMUdI+0g@FJeP`BZC12KX|Qfij^_n(T6BCdO;) z{c{k^FKCq54ww9vsmLcwu6_8xvMQg(d;Ufk#_$mgG(dQdt;XA9^#&6qXj8 zohKEIr!DlGO~q0BFE=3=ILnUzcKL7p^o~~ndvdDW>{FsG`Dp1)^GnMP{^xR6EW>UQ z(sm2M$4{53&tsD(Vh+zh-Xo8NAy+uzmX~J1)g0XD_@+Tv0D8#Q%!TDdQqv`_N83J) z9`qZVc>iSksY+mt3Eb{iZ^EH+BfklP`_qtbQnv~sOh*;59|>Wu{?Ye{Z{OG74<{s_ zm#P0Brrt8F$@h&LA6-fcsKh`T1XMal3W#*KibxKmdw@twgLH#*cOxm?H9AKP7`;)? zzQ2DQ&)Xfx-t4}2UFZ2pv96ZY?6VwaSEZz$&WTvd@mDFPpX?;8jJuI@++;Dz;{2FR zI8`00t9uc@W5RHih!onMVoI3j?b zxUWUdh_26cOSCy2f8Y?!rGM`xFbR3`!YTY1JSmgFmh^W9{+QPFrAe3fz|Tb^e#wX&&alzigW2l_K`>Mw@g+9)>)9XK|1O_9 zh5(k}o{ zVlemL?h-uy@fFnF|3D-KUZ)u_mFeDT zWa^$Oyg%>EV&W*qA$D5F-rA(0|DDklXyTMG&&5oN@$5HGCND!>0mvPLUjwg#Aw(1) zynu!M=5H*?{rkR`Y~UCSxp+zbzUVR+cfTYH`dw@xz9{~wdyqsa@&?mx?EaWb z$$}@r{p<{L_Tctb(aKK%L+y4r0b`vU;}eD2RMAVmib&>i-Qt5)O%b!NTRZKLuw(Qj zSiiaC1#AGz>PS}JY;Z;H!{S&Ec^zirmyJ#_Fn<`Z5hzlj!TkxA^=#W1$oZNv-0w152QzVAMrAEkkKtIaR~rF=ITTXdB^Sa}pM4mg|Dgm>P#4>^*_#8aQl+H& zZx4Avu9y1xtud&d9g02zv2gW#FTLS@PMd>MA$a=ZeWSfrjr93%`Vb}D8Apv`T>Okz z9bf1H9@A8)Zg2Vl`OUwy7Zjuc87lo0OYua`zaGUKC-HAW=53^GY5z^A4h>ZBkf%?i zHDDBlTwxZ?mo4>5BeJL-t&DK|!L#~++|OeenFEtgqcYa}a4}UeJ|tr)%3vK&xgDV} zQ1@*<#YrUJwQ{ws5jQ@b8JYXYcg%m=72Cwj>Y$ag8&@6qVhSC1$txVui;AD7+@nT1 zdA~lA0Giv5K4Jd&U0Rnkv!d5Z!9ZJ^T@lefQ$xu~@WvS4MVjp#BmT|)RXgltH1&4k zTp{51<&0{+c?z(M%?JOl4~DZ}S{KbOz2@i+bL4;me*d%8t(DgNnaOH`kIC%x?^S3G z&CQ&moh;<0J>6`UIIqxsYaMQHg_7AUhIHIw!mDrH`eBm60&>ne>>O=v6~8+*fzPdI z;P@DL3JdT0Jyo9;-_0j!y-shd3dZ;W20fBEIb3@utZ7}Mk7oF5)+(SB4IqXD2OCh@ zRXGwbY{qSJk=K7rQ@q{iv=8cnayUtbh>*?Urq^%y(!M-@yW_pc*%$lboZM*m>CVTe z`>Od;%_M6Z%q2<@vM%X|cNe9SF8A!`K;d-r`|dDOPUJ5M^1%^qN&SyH?IRgyiChu% zogYw;U(*ennL70y4lXU2x*?W-DVRE3*0VZl{$N~b5`!(q&g{Z=|9vaOIo#LxgbHIzpuiJ?6 zO~a(uAR%SqXj}K7;Xk}LB_B-k)@>K9-=7CGcfBNo>CMHzLRIxSr#xuB(o89%{6%B_ zlwY zI9T^#(Zgm{VUGu_ZxtTqCDJQ1JkLen&oyfmN~0a0Kz+1Aexxsg+JW4Wj1Jbvf>bm< zBl#ZMbn`Zy@2xNiC<7&excjGoKfjSo3kxInQ3@d~c(xMAN! 
z9fk1Nl<~PsFQ%>N@l0N&b-%#s-G%`8wCJ!FQd~b`W#%prW0F*e-L8O%sJR<}u<=HX zo)E(U)x!PH8ogKGg$W+v$7MKGGaa{&$@syyc3!yk<>BnPq2);OX9=DI3*c}b(?($y zq~@L1Amhj^kq$Z-<7j4DwUHtUG{y>fH`tQl`+K&+WEe=b-$%(=fW8j=ByrsOdg72D zL|PBbN3zxqU7kL=5mrrpa;R6_eP^j?Wq;kv%07X!&kVPyYfeagL&KP1YnG={kS~+J zIl>yz#W$(*!_`cy>s*~@jO1)*`kSJokK8ZN^cgieY9O)RTI*SsSxIz4!WU;P zgTmn}|GYWfK<7hBv8#p@)>aBuz-uPg-j#Ns;*Sm27cl1Xs3WUFGne)*c|qq7153{x zoC(vk1?zIh6_a)bOY5adR_Z7P?nmQ(0rIjxKx9)Tj(LX&rxy#A490Vsm|OKB!-t6}DGJckdE`l==t0L&#*RxfY>= zeE(3P#Pc8?QBo^)Y0YxCr1a)?)_9B;Z-0Tr$u|cBvEtfN^TKjePwCreQbfAwSq~1x zmjDXSxjcwhcMTVU{d?=(TzWn>eqP!wqHqPOjh=?>{q7S342U!3JpfjxKnE7+Ddo9P z*T1go&mVKem!fgtXPyN=1BeyHgQaLakrU(|ZxddWODyus<R=a%bNx&wYmydYVu>Bq)AQL!#z;{)V?lAG^b$kB5lUH{tFWI#&HwZq z)VT|StJS-Sw%0-4bZs;Jbn_J9n4|2s-wL*h@{$-axlFnwgb>x`mrbl%Ef)}1G&Nz- z&XM*63Z)TFNCF!%?_HVV?#OR$vA=kbwD-3p2CK zk%ASn*{!&<&A@xXB}w1gSLs)|Hn<;O>7D>;tQ$mZh|>z3+{a_W>=fkrZH>uqOiEO8}mN7DpqQw3}nyieLI@uHa}FI|N1 zN1VaX1SQ=TZ4Tb8+z4;O!8n$q{tlrV0l%t(Ew>*vU#8gp!&^=*wLa;IzxLeIQhj-P zSF6Bf@=%crI4QN$-sM^QGED`JWlF;zA>0x3kbenZ-{Nhw8wriT>jV;R2aibrTX}Wj z?lecf{b(Wu3T6PL66!Y#<#{yX49c3k?G!Y*>H;=3*iLxGQe0E(5(dsG?JG$+IJ(Nz zzs)>xWtgO@h(A>6_(Kc<@B+*_3ACl+2tvdZS$6P0C@e%tGMe5i^JHCU(0&cudwH;B z+6J*ApY6&xB1KV;53IywCJk=;h*+uI-n_lpNM_G;Nl*@*r>NMvcFI)PDmKnc0tNWJ zqVZ~N{z(^Cpm+g~jY)`@vT%6G!B;0h32z#YMi6*XutBob5N;u7GEjB5Y@Gy-Ti%^G z1wW@#52toS1J0^z3)>FSrBl8=ub3nKF&Xtqv>8{q7-`t$z%*ahv+g@0*IS7LUDWqu zwlEL^BAZ7VxAf7|GG>?IPML6DHTQx0dcu1fzSDhP64SnvLX-5F2#Ggi}5 zivZ?=Y$to4HIQpyYtKB_%s7O!fACiIapqVmSeV*flO0@U`Tfg)2`=!mFAX*{|;9~#tvH!e^i-df2o$4HSHr3OsFVwBW*Pl@ck#u-VUV^JvFX)+7)EY>TRYQ@&s6eKA8V_)uD)L=0ePgZ z&s~O0y5sxs82J2CXu~2NJ^UT%K*7!$TttAUFxsAIpP%39q8Ou?Ec&plWkRz;n!b;; zP~Qqt9QVzQloios{_J)_YczX$P{ZvpJZ1LA1LIprS)YHvimj&vJ7m-#66=PrX008f z>&MxFH;YWSER$bwq(eJzGrh~#u&~N{CPNk}qOTh#^FTF%V8bOW63MUEpt~kIM=PU( z*AOnvnsf=o_OzhWOxl(Hqr%ZYrs(fb)f7=3PJr`WI>>getU3hf)g?V$ zZ#xei2R+&)7Oei2|2&pyZ;$f(B1}?-wv=8oMoe|mDaVUj z#Qd*b&yu=)65fY&3Yiwgvnk`9O1q$NOkWo*kRU$d`<*rQ(40B-bx8!9`x-u5Kt{fr 
zy`EG1;Cw!b?^AM>#L`)p0bXI1L9#FRPd#f6J~Dsg$=dTUZtI8AA2U5f z#OO~#gB6z;3r0dB_4;|f<7q1%BUGd0Y@Gfj{;q}uizDhp#^O=rCq`}eIkZvDeFM|I z!;F%%^RA|OXQbNe^ z^1<-S;oj%Hwcl1E6ppjY=&s(%o5h9S8<_^*U!Uy^!zUlG%2eBf-A?XF7KQ^&>z5o_ z`y2xl=zV8Qf$zFYbXKOlu3LHy>x8@J@kK|Pp3sSojLw=c8~dM5t0}|hmX50=+r16K z$ouF(&&6H7M%}foEl*st9^Pcdmj_^10(hGx(Hoy`qbgnN?Xh<`}o3B4@m0rCcCB| zCcm;y!!G?U7`tRnPC$2RwB`|6A@(60^ihnNOpcCK??gcJ`ASiG+PcOi-pg#gCoD-6 zoiOq^jo(L|BII8cU|v+BiX9%Sq(BELah~)-PT_=}x0zXW=wbEG(8)f3n5;;1fzkjQ z`_FKa&qE2tZhbpRgHeOR-gngsa3r;9RS0n30g#YnHaC#@@-$oGvKQcehQOGs`i#~3 z*wG5U99KR%hPW>rRuZ2D;Y=iS&6CMI$E8Xb(WHd`F|x1MYEA#lZAfniGy9%Xu8*kY zO=irn{P3vse`_kG0;~eVhG5@{&Fq~7KA1klV~r~U_}irNs77}^^g@cbizMEI7iV`K zjfRNQoc+fm4~38mxX=e9t5daOHfJ({tELYZYxSKMI5a;ChIJA?IJ}<|yIrdX`N7;^ z9#mEn$^n93DlQ z1L-_I5n<{7)a!wC{^&wR@E$N~c}BENXZb#)NL;M@qMEbNf3uR%b!2eICvGN@c+Bm~?>U z=Ha*g#UWhu*4=;066wUC`)TmRko$VgpYl(?pZ{>fPI^-5#x=q*BF zek7ge++9&o&}L>L_{oc1%_P^WMYcn_eCuge-Bx?1w6nfvrR=BY`<9vY^Jc)K_4PoK zWlO|eWvAqf&aUksZKlB_t!5lfMB;EurkG_^`{UmwOf!?bgr)XuQShM==}#CTG>^Q)314o@gye67pK33L^Ck^g zlsI*_-^8{t{&Z@Jg28-RV;8%JRpzv*SZzPB5EOTt!4Cu@0ZPA@$9-pOT3D%T)^g5&-O>i?;!?&jgvq$^KLT! 
z&rq0RaVmr#=fU;arw3$&eHrYtD(k>NT)x`$|K!v%0T-gDyf5}#gr=X}fc{8%fsr6q zkCqnnH@-a6X9BBsqb?8cpXYN&Jmc7$KTm#)S1u`9yRy&C*m-Dzqv|dig=qS+7?HW%j-`zfiBeP zewk^_MJBBc^`Ko3?+s*t?wdS-5I|7w_TD{_oefEW@wgSKWHTb$q{u zJ0#5P(=5=);w^1q(I+NY&6svg$L6ip+#SqwH?G(R5m7fhr4ee`W^ET0Ae#e7W%Sc*C_8f+R`WXULv(t)`0sYT@uc-3-CqBgLZLX130GTw-AQbppF^T-Hw@dtHUH45c@?fm;{z6B-L zD4{wS>i$!+>e~a(+^EOW6in<7fH;Hzd8QEMPx|rI>q&^j&kd$kC(Ax#zW&c^Q!P5m zX%aB+RCSo3yfPQ*NV#P*^td_ zN#e{5Y!GiSey(=DpkmjwEP09}orSRsqh=Dhj&%(c;Hut6AfG`*&M)-G%dMVs@<+_3fRxSo>aUO% zlbmYo?TEGLtbr3pdOWk9_HB=F)+o}bNu9Ayh(jZ|70#|QM*BEb>f?F7xLSW;;VDvT z()#;pEMnuHd2q2sMeOz_kL0V}&1bQKtwFais-HWVtIZSNW| z)2liBY#K~z+98X&X+Pp`gUVIDdeD4fpD+A=N6r@0+Ozn*_mA`PnpzcP&RCn5+xc<3 zwRxNtW8&e?Y0ldL8g+nUH(tUKBqoL$*@pb8;8L4jl@E}!3iP%@zt*2x-_!}o>(%7u z@-Nmsi6W0b&!tZfhZx|nsA`swX^Hb|wsHswlXpdMz@z3V$HJoVDh89-PV5O%Wq8|@ zZJv(hNt$o6)k$RXBE=8zEMTueA|_X^C5TT?C^DyYh{3~yMC5hq#@jJWX$^}OPGYc| zvvBxp>B484lb;ppBKMNnikFM}wJqe`AO4x`#iZi7X-i(8QIGHvWP_caB*Hl)Tr<<_ zh+SB?+bAwIthdYXU`oF{RYiAKv$VnE_JMoc-pVJO+$npg8S zi}I3kn*MW}B3-@FAxlIqCY)7Ozyi^-Ho@?-rm2yuJ8IzJdOn~C*lJmBR40-0J13*~ zfbe=#VUG$Sr;6%Fa*9SfP2%>ynh-Oc1B$Tup{eaz$c>ZG=%DsE#qRTSu2%4NME_y* z%vEPWkVBr}c0UuDpB(?-AeV+wEzELzo$D6mXS?{=xr{?ZRfl?-2IX#CwTDNGPKmng zeZs;O|8{%QnH3qwzul|Gx=5X+QYQ#D9kg#1#6;XU%zI+K)gO6%yD-%D z7=Y)z{pd7QI9Fo9)w$NNvQa|@ozEbO1cD|ZMztdu)Q-;g<3u=C_7^S)kWsJD^*;g) zq?1Lyh2d&P@?BWs;uh;75Nw54Z)a;Vwr4|a;t?>KdRd;i<_SNlZGpO*sntF`6!LgG z>5&R=wzRNaE{a`oF*i$l^Er1-*7kA?;@*7lfNxz}VbVA@i*RUq5FG%`l}8MPHo|~z znM*(VutTY4=-h>MAZKU8nWrMd_!jX(jd$CMuDq5?i`I%XLul}TIYir$Q3Z|i_d3&8 zYz=&;_x~7mCxg0i4ILn5hHX3tvGF`?6;o9>r`t~Lm{ooHn@XW7oO2k%D66W`!flv- zhRr&E`Iyv&Ik=6?Ll+?K_W1^M#Xx6E4;f_|-Bs3e!i$90zotuiXe(^DSxx5Z>Jm}$ z^7tr8m&Ef*dFVwqnxmV_ew$r!zk5eml3oNJw3v1{SQqwtz-(9FaWn$v6JNWjR8AG3 zx996z0C`5%km<2uaqP_R=1|Qun}56B85PufhdU&xyq7j}RVAtJtu_@^e|-478+4}d z2zTG@JWQTiR;c*ZaqnNC6--ZXJ~?MJd6hb*48UG5Hl#>w=smG5mb`beUNe~kv!+cimP)~%w8B8@2yM3Wl?(*>j0K6|WwNmbEX1x)WZMf?)ASXR2rzb*G2V$w8k>R+P_+_PXk;`BlQJlpx$H+@*(1OIb^^ 
zYqlTed_Bk{(`(-KO4NL(O_hQ95p#ojgOB4A<2gglIO!p>b6S8KUlOYI~tE{bnC8H{nl(|%XYfH zvS*2>`@LFs9a*TZFn}JfH_SDFX@EpOYu=ZZXAS>mcayAs3@f}Q0o_g5%oL^QQ0+|2 zBhO(=BPo1Ot<}0rF;h#-b*>g1DfrpWpwiri`e}mYaH7P)=Xo`cdiZ6Z9}nq?4Z}m| zm=2eVr?WTE1nFzD4xio4z6ejie$I}~5rT(>l zLL#>U_!)c0(Nw{=6{1?9WyOxDfq0H(5{2Xcot&gV(7ST9(G&K3%#)8`p4L+nEucg* z4tLKt?~?)IdWXZk27!1a$3^1SU0QMri=<}yZi3@uf0T9HN}4jbc{6y>LoOx`tItEw zQkwN#mGsbY8P&w;MsL_$9mKbkT_D!vt>u5DCpGR6l25WfpIJ`yol3xCET$dW3s3B! zYE;)pxI@jJKmSBfaD+?nIM38~ioWew-1d7HBe5Xn>vEJuN@BV8C{O1WM}V2UINU_f zz1BwHkch$75=OW554YpGT&KdYM^K3~$Nxyl7hQ;Qbv$7SznSK#yR8sgtMFc@EY)qT z5IjnQ_mJ@p)9kBZD)U}NuGxUMD}~R$i(Q99<}SJfhi)?^9On}o+;(_7UX&Y_c4RCb zQZ3aQa<~6HvESO3zJQ)b*EjyDoZfvhJ_Jp+u1(RX^7nnaVcvRCCpfpA-ShO*r+!QG za@+B=a^C?SLDwm^tA&iDMQ*HB((eY{LYX-4&X$f+rjOFiUqbmD{LFQ1W~TaujeZbv zBws7EeH{la%)@RQz(z;GA$Ud^?{CHM`(vu80B^8GYu@O{XHV<0!?QdNl!RIp@ zxQ@N%21NZ0Uf`TB7Me>|4UY-;zV~f@Z%u^OZ3aWRB}Dc64lc2Oj#brqt=Q0wH;*7g z^bDZ#*+9TQf4TWgzjW75lxbB?fMxDCA+|Ea6i?LHY-F=q*)mTh`+etkP+QEUmu;$V) zs+z}PxV&he_o5j;aIGC!@w>-qFiXoTo86#m14mGg)EjxbUR|+FU#(Ju+(>uPCXhvw z@eW?nyo^Bd5z79Xl-tTioz4e4>T6%ct%UJ_lnJ#xn!RnxLz3&~W@p_-$UZ;xMVI1w zGGSLZOd^gruVHc1j5xdM%0|p(8xSR_n_eCgwif8I+1B|P9l9J-j>X#*b)vq+oj*iI z6IW|`C(Pjmdb%y{<1M|&g?(mA=X^-DmCf{3cebq(|9xV8ZmCjlueV~Ukm>U6%N+pw z6=~wzLWc|YzA5>!P6>yXp9FTA%;RZ&$>}?gb7%IA*~*-mPfGM`)YDZ@9c%{(rs@VLgcAFXhfNraVs@%2ZL z-&#zZzEF5uEj%mL<+>I?oK=J@BK20wtL?x&nSL|4Am=Q~k=I`Y4*2KpnifC&=7GUc z2)t3UN$<$6wfa)O+2jmx#@L}bU!iKl5-;2?@w&qNaIS2s#dsp>*rVcH^6rov@>Ueb z>wc9iwVL(swUEiwq+y+y>Y^B&(;e;#L+Fxh{3J{>CDicAxjkaSF{SSGUC6}>mJL{#E zYZ(OsZh0n?^%=8ZC=_DaumGZR*>}v)Dc2a!BKTaUg`kCRK=e=cX$~cw?OO65d5#yl zD_U-GxHL+BwLgs9yZv)4Tx1+@8;V=@KFchQ63?MD)fp(M0_m=RT4^ zUwLuRR>7%#L$m}mA$3^oks(DxFt`t3nGaQnaxk1a_Jq_yHK9E4nW-!5DNWm^%tjdo zH8>=4uDRzfa0~5(A%EUJGW_Z!*K^HqO(EE@92IGYxC366L5As@H+)*JHW&@n)cze< z%H{R)$$$yrVbF_tEb;b0F(jL+R!tR&e!EwFhVPi?Tm_iM{YdtuOxqfL4rma~RF!Ov z{aHzILGUBawJ#rLx7_;ZiC^AfbnyYwFaS^IX;WM_QqQ$P&tIX3^UgU7s-hRiWCJ1r zJ_ypyp0|)_XI9fF@n&By!tp|NsS-@tm&fvaqWP;2O?=jy7T@VB25Blm5PBOz>mGrD 
zmF`^X=#N>Ck~sS5$=HlP`#5!s6)BE`>KG-F&yNStu7T~k{X;a?HTdikao258HPfQ! zo;049yR0~M`nhaIyZlzapeK}{%cvz`XI5EH^gmv!>ro~^u_o3%cTJEf?3q&c>FPw; z&c>YCCoC8YxVGT6hRV;^A$IvrGDyNK_51bB3YqG;uzrXZ7=^-WJ21Y-eC5zAB|IJ0 z!*q|e%BdjD79f}R$5SMUV{MybZqxF?+28_$K5 z-eLT@ZY%Coj)A;=o7P~|xcZIqs?7ep^RYiocn<-=yi8Su)`y~E6xu|UKIwsMJ#PkW z+_eRzVw88KX)vJv7TVapuQ+;6u$?|$UU5MKl{5EWU!SQtWo9EyJBC~os8XZR;>9bc z<`B-SqZBP>i>rY9A`$mJN0YLTK|`i^TLLEQAZL%hsh$56k8=eBPv?%4RpT;uT1x1= z4}viHg7r5>zF^ks3g5`K68u7w_@yQ#t%Cs}EzJBiC3RS$4E0pI&-RmeQcf)Rt>&h1 zpWGTteK7UD`b(3c7cGi>ofY9tnE$oCsbxvy0VBtyIb5=_<*H3y>XR>mC@xP?ZD=(E z;Ns7MPN^g(xjl$b!#T?Qa!n9ZQAWbZ`?RSCcX@K4qWN0BGD7gD)KXATm>yplWLj61 zR}%A$yUC_b@2$n68u7?g3)0cnbAjM$a8CoXlDJNKINXiKTO;P_}qHKOjvMIz(WiZL-YN;IL?B%qL^*X!I`uebTLtW z+rJ|&W6k{{Kl4q#hmh2L+a>EFlKpwN&3IFPhAz+5Z}^&%;n^#Rig5~(c;^znYZmO` z(q^)HN!t2YP(7E8l;%8XoH@)N`txzOhqauEEcqAqmA&ql=yz_ZfDzkqv3}E+5_$kg zubv4{%ioeA$0Ha;|6btIJKx^s6wRZ+SYD&bD7=LTAn$22orKz1*dysh_n*A{FGwlr z);_#~FK+dX{Ihbp zO}(|&c$L93AzIrwzq2dbu#e1hO>CCWHtqUcQB2)IcnIKMr?({rBkI-mH(Fz&nZT^u ziHmU}W@?w`zAxd0=e*zoNnshHRjfZM4+|hk$@8muFG#|?^A6>IULg7gpU4q4Rtt?PoN5EMOkilvsmCK@LyP~h-Olc6iITB z#euf%oc4IpSmELzTUPpP-?mH6GAXcPkaVnhAiAcg6$qDtXU>raie2Yw?R#`` zjO1;_SZ@NymNWAQv;2I(NEWSTUl6}o3-wfQv>(5(xC2W3e>+e&ZF1|UfYRz|Hu^fo zOxrOeS*OBaoUWWhOa#Qx#(OBn!^v=}@PDoVG@$beKsfkYV|>k=0`%NE#AWXw4dE3@ zGP7G2B*^A%?aWfl4%X(h=F`eE1uI$P%+UlG@D+ZngFd}>wl4Yg$GS(QN+L=Z&9u8gKtY9cRA?cY))4PyHQC<#1?{|dT^(4%mqPL|Sm}J-h zlkfFOA##WN)Fvklum1+6)uXdgc#`a1ClCC7tXnXhWp%3okQe5?G&W;UYwyQvs?+J? 
z%r(pSplfRL{kC3m2x2I#Cxu0`(1t13>13T|L{Ibi-l4e{O79y^`FrI{YNMf4KOUwR zTO|Dk0|&f#B|BEIYyz&pWz^gPFNf^J!zUwYAhj5cmkHYk_!#o_ZGJ)$m%mN?u43a> z4>tiZzcuiZ-r+#c=0b;1`O#|)g~uIJCG+5;l1&TdK4tNPt)HovFNtC*>?kcxh)`s^ zqbU~SN>EqiR1k44t+$Q4ST^{!tez$jN~&Lo;RyhPXay9f3e@&RE6@7^LTEQU-_;q6 zlaVhj>IX1FBs_oBOCEgXGWZip`MRx=O+KjkW6(QY&93+MK7_)T@L$C|lt#b_e%5@Y5g4u}qQ)5*g!3o){xx)Ut~Rgz zk&Z^oHH5V|>jma3CoW*3vp=bShsc@_OW3S!n{hs?9=^VdXlZ&RCjJ`mAbrr zVV0Vr%vj!_K@<5CE%g_Zy6k#N{Q=e3nBn!H!|CjfA$4+l@9ee4I(wR%`k2b)iI!Ca zUuxd#$np^$+uP3D)h{ty+(B>TUlOGxhgKP@DXeW_0O(@!ifG-Ram+2GscQlV$&-C< zvZKmTO%vMd*0-v#RzruUh>Z~r3S&$$zkn6^uo{RGAUMWyD*22(=wfppvpk0L(Pc!; z?aRDroE?~jVftuc3}&Q<;m4Qopo|##o2sm1Gp8Y81RhDNw6Sy36Z-%a%8HD|-ekI( zEYkA!9@PVMf+C(dg-t{B+%8Ed{p)+od}eF}tacAa-OYT_iyS1D z&gY|Lxj`Qtv*byWudk$}bC!R@EiS>&@{KkE2I0E`jH@uo4($>{WrlNCR8@6!hTF!a zA;sEdG!WodJlD(m(oDN;%?GZ8S6EsMLg_LLt_;(q%l~j06EZ6?>nlIU(K}#@3^p`3 z`QsC0^)bD9gj1(DhhHA2Vvb5*P;)984)1asuo2f=q{;2`Yq=zg91b7voWo1jW1;k{ z$v@AUhdQ?8+g(?uXj<-I>9Qe|7YTP}kE8h;C6nsBEVz01 zz`Y%*XDL$alZHLsM(=YlUrrN1Rtg3L;!YnHmON9L2_v3yZHhbYAqtyjPKTpcDlA7x z5hel84!BW@K#QNxq&+zrYw8tygUXS$KCi2~tLK9yaS1ya&%l=pCD5 zYp$`cy9AcsTGwCKw@FEO5QhzGjkRlX!peQP&EdZAeQz+T5NIIgtG?bdhyjNxm)r<> zBdf)HDwe&i&Ly*KSgihP*7$ zF2<8^D?AtRe5=u=5OMYncF|K-3I69y5=NCppf4$PH{Zi)V~p{|vw_(2SlSFEn(kRl z_p0M-InC8wPlMj2FZP!xN;T~UbJ2`KlBY&?b^SL-tBs{6IQJ>0AIC@9vCF7AWnqr3(Z1pl)8yZSJ*gnF)S`jTN-pc7*WyDXHz@1xgy zS~hMH$$ZvIGRYgiYEa$V=8S+W=Lm6z79+(^N5NDgP80Kvy`OKU4 z8xf12PMa|F)^&z<%=w7(Kr)S9Fs`j3|7~gb?sW0$;3L8cUB7&e)bw)8IJ0<@9`a6c zoLAAPe_TlxrS5i@?u|V~Ap=3*h-2}x71tiKp&{yT91-X0XjM}tZ{vB4Bw7fyOoTvh zc#@mW%GA-(h2xwN1WCmIkCnR1ED>|z*qHZH&(4k9qv@DEfyba5V$f`(pfq*;zhpOe z4u3R`*7|syW?}*Vpd?qFG56- z{GJGji_cNPk>$fc*?5AJo$L^NUDgooP-jhiH5lA^6DnxbNpPB8IXaCoS3XV$eeS!J zRy3Js>RSBVKhZse_}Ly*H%%Fk{xmM`Z~rHVSX<9N4>F{SmYnBb2SC?#-?6;(#MEyr zcD3Ipt_|x5`;J|&Ib6`SsA6j(D5+w>Tf?sTGklQ&Pf_tK-D#ClQ(Ans;4Q`%4UunJ zN-u16!Q}rg>$<`ZX^&)62@;RY3S?5`6_mVl4wMiq%1Mp;P`fB^hc>C`LSxYi&r&A2 z0jnqI=p+RzF2X4@fAtoye11)(7C2L{#yboCfYYx+)?xege 
z_na~LTa3T~_=ocke;@}*BZV#RQP!80Tu({=!%h@6%j$3JrF9Qq6}QS2y!2j8%3<-z zR9TALRGC~1Xy%^V%g%%6c0@0XCfyDE9dr2OdvLx(i}9Q&U5(J@E_;7+&cJ+5BYURX zb8XRo$(u-gWJ~HGKe`{VmVu0wM`D# z^`J&^{paNY#?k?|wt5bv?5!U!3|Zg!HDd`E;rmJ2mv#LMYl!ZmI$D7Uy8XJZ`4SYk zzv};HUBkJqU(U@YNXUl1HdAU?QPgR=zkISjnNn$Y`a*i!8Dr4hc&?A0?wvult#zT8 z&%H4f!Boe8f{5 zrhyo!V38794z9b97ZNWcA+R{Q%RBgxs3(u@YO4!%#_UB` zui6dZtBdKDK;2DTf6sVZwkE8u8iIH`owKpRMlUtCq_{IzY9q zS2(+FU5$8_V1UaJ9n3hmut#8L>~og8HlHxNtcvq!fm6x-`7%Qej^z$a7@x_@=N;Lh z`*F+ks5{v>m&d>7#Pm1*%0H>u)h9fGT6A`LAc$pE5>_&dq3wn^t$TdUJ+e`r+4cJo zcZ$m2i@|v<5aKctUFi2T&6ijcqwC#OPIckXkF(Z>4+DD8FL)_aZ= z=H#zTcoI2p!$$1V=k5>SH{m zJ|h!E)&FTE!Gg!CoDP)qxQgpM=f?&MkX%bgm!QW>( z*OrFwoV^~#_XtjG9;!n59A^YFZI-W?MV(ae2lhB`Me~QbB@>cLetAd?B6}{!XycdG zJw0$jLzZ90y>ouG6?Gg`BbzE5u<07)vhlAyMzGNZaT6oBtp@y0p@z;i>J-QEVEmRh zpxix%t-Tm%I5w8AR`@^tYWg#L|Fwgxqy-ogYAMX}^7l_|iY2qFCyPbrxx|V9t96Ey zRi0<@9@N-YBU?1N=v2!lu-FI7X@lwyt^ujwBO`DO#`fxqv$Fgz6)|!~e*~A7>IN&| zPchc-9@4Cd`}wVgSbY-&SC#8?=ynd4H)O#vtl3XB(%hWW(g07|=&EygxO7%!qd}uD zkLMQ(JOw|J66-3!NB7zAI4Y)3Rh{}a?R;kYu;Xf$xYT!5v7+9< zW%;drzsA7Z?vDW%*$#H0ieWLNnXER#!oEl%3w&+w225KF16J@JZtb z@7ZUHbqSnw_)<7@3Q8&Rgs6UxGJq=dhe>7sKG1>${$wDU9scs0I|6uLj>tK^q9+Eh;gqQfl$ zqz1$${J~W#QNeVDV#A8c~ngfv%6!_4BA0RY=_~2*P*zpWhJ#rRzi^opHraU z%*I&%7~Ew$^u%YEAP*ECGEbi9L~4@5?U+EY(4)`jczLxRKpdCu@{M;X&zQyNbys|V zY%Y0fLqfiD-fpDD^s!uGzGoifOWOG%7my~bZ=XF-n-GoWJKdcjJE-N~tGft<8B^Wg-wE)n>crxCY z{s3Hhd+^g*OB#5ak#3zgXQtD8FZGL%+nPA(qmjNQ(!c%N9%VBpzb_lRhgrWX&$a=w zLri_N888~2ny0x-Jp(0S+Fw$G0DHS7#>Urh=7s2rv@ijQNcfIGe<69err#%a?P(L< zf5TR84FcW@l*qYVSZGAo&p| zpRM|5M|G>9!fHoOzDl$LMpXDz_9t1JKNGD1G1shGo3$n(RbEfe0(h^Y%(gIpSNya{ zHY-Q^2O^#m0Nd~<>vHvdD*1;x`1ydgM@kB_sle$idQKi7t$-ukM99?wB+F<%JMb@4 z8lxrk&WFDerHlG=kv8!Wsa_M!ZLJ{$)WPTKBMAY1t<$K1oqSd=zn-IKDWG)gBmW~X zKhxJ_#)-9(xxHQ>e)ntdx8qLjBCx%g&lT2)y3*vp=B=8oG1q&wO6zy!S$2K*?nNlZ`rXq0^@>2b6&n9n?edG-^0zG%WQZBVWEXM_ON@Qf%|p^9kx zivz4au{_s5>rYrCB3k^j`u4Br4GYiqft4cFjl>F)l_6Y{Hl98?fBZV+35CS-g}8Y7 z5chk>P)?5WQ|+=t!gztH;^OynJ11XgtiPfrB@Fk8&e5>gb;zHT)h|Q4lJllYn~qCU 
zAWeZZ1^!YLK=LQAUbykbo?n}lXp@xtaz?rgz5Jy^ngVGG{FfBqrB1t&wJVo<0fn?l zTE8xmZew$q<5exG3f~k<+6VPHr0f8C*zmBy!$}e9av#Zo2hu8^NDaID)%SP_Yz9ln zxyFIoz_CHY-XAL8Y}nagV{Z^uR<~iM_GJiI1h8cD6xIZqJx^c{>VfQqiN{gSCW$O< zTvy23!6qA!4`X@%nmaxvDYW>()>>{8RX&WzB4u{sSl_zMG=>R4~i3Na+t)c~h5y2f^=(tVE z*uWF8JBlaqZGbSM51VM7UN--`l;wXZwckuh zQxV_;?3W@d{}z>{}}J*Ph8vy;!h%$~gaY60y7C83P;cw{R!%yaDd=2bfKph~@B z*&?5Z0Mbai5$F$&fC%(ymTU{3*8MuEh8Gf#Zu+VzHYTLidOw--KMB-^i3B*k6YX?|PJlU%wH zK9_FxdNn*OUap5w?4P~dU*Dwx7hK`O8Il6svPkVm}}u#P_0%Y2WJDl zu-z#Zavmoge9wnI09*oE5cH4dNWnrG0*jAvJHkk*V#WbJz%KNtS01;=hJE4B3cSi= z|C47T#kfseFD*LXOKUY62&<)Kz&cc|Rs)wxMlyMs)X(3NYCn9vhn`K)0Gh8}vDoJd z-@_sspIdCm!24y+;!V3--0=QeKf3m5o0YdP= z=W{f<6RnJjqHoyOy-3okNV4;cSh8rY^643omGYl=lDxkC^LqHt?olq|2g_=9XNCBA zR%FsiJWa@-8|#ynUvBq9eyYeV4fj%o9O(fe<00P2c>I5R9xpFP#VRm@Q-GH-UYtru1#N-UuL#5?2jX}Tu~}Op#|k(tN{2KB(iHeF zDZmCrp;+mPeq1g|!a{{{{2=fU^}(dDhc>lHWATOpsDgUp6L($iHr`OZ29RL0DojhD z%6@Klk`3=Ma>7v7K_CHAn!7lUIkONh-kqe!!{xzvA;_pYn0g)-%INt@Wwqh5B~nbi0B_z&cK;yBp@{ZgQ7ec#CP z7FW9L_H^8cvD3sWUVa(g+1BXaySCeUN{r!JPo!2b7zrE zBJiQ%)~DZbDY0V&W?p#hgOWt;CtySlcho+lJ+b@xW~N8L~yn7$en4-)T~<^a;%fe%TbxkpUk3pZK+iJ2}O#P^7Ux0 zK0+)LFrHZ?kE?u7lfBO{$4Lk9r=jw)GTgo^Dy-(xx_CeD*sZr+Dsbr1)7nT9a*aUY z%4Bm}m{;_B*e<&6KF#+lT=E=OUm>b@n=yl z8^--b^O&*Mu=xiT<_hzGj{ul3nI|47kdfEH!C#jDEQ!vWWRv+uPlI>%&a&x@J?Qv4 z3BS$%{#$=8JonyrcH<+@7`7q-;IS2obpAs(<>af0qZ523x)j$M3m~jzK*xesOaL_F z-~&p_nZt=^!Ps{PJD=kmj_|{`)4jhq@xmEj;0yXxP;&;b9Qua<2*^hRRQLV)q+3XX zH;@A@J~}ZB#U&{}`|Bw#NvdL8rJekYCiZ{lN!1)F$zmn)yO{;dpOg@2i>U@a0G)s3 zT>>T_vWvAY)tAW&J{**)XKcoq9$;VWAbHwRYCr3!t zkQ@n8T!cpCC^(TWl$U&u>u@g=8BfE#P;NMebm16}kDrJ8>0_D#X$qt%@Rz4RO>JO5 z`ec&rRk5ObV^4nghnL0~vu0Ugc~CATqu_)P|CjGzx`Am5{DmlhbPb_!(UNvrp9k#X zQ(78oc8jI1`;{blP&W*LO)Nko(rJV|ZX0uop97j8v8ajYa}jV1`(j9H;t?BX2H3vD z7AS$eA0C;Jva8pmrDe(sG=LNKwVV?vMaVuP880S z8eea>1uEe~Z4fuQ^M>#y1t73Mp2gW%vZt57L1L(H(q$uC6DGy9rTqa`niW>Hp)mP4H){lz=y^HZ2&|~ zQnB~Bhx)f?Y;druSLarec6(MT?u*?{X&u=BWZ$)M<9bQT3fxoxbVA+!q%(WE%}U|` zrUu-8sUeMuB+F#a`328-;4h2LJP!tOb 
zOcVoDEG!HZLzFGAG_OuXpAQfy}7qbkyWT#(T@qP;axl?_P z`fwzZO?~dX*#&&PWkdR(Aw73DyL8e9^}~@mqK%X-0K{ggRX9$^pc^)AED65t5pQ|3 z=BK_3FtlK{^cjjCU`B&uTB?3nK314E_*h1#{^+tr59L#$jU?tf(v?@OK{Ib7#=!1f z`vfA@vup1jDLUwJ70-T;zViNg-Ve%0x>W_XqE~X@rQPgg@%4vqK8NM%$2$b(zAvLK z?d<3l$2rIdK!G)IENEk3CV<1lty=2{dvNp@*0)D9Pv5fRDFWQ@vI|eDC!qLB2SulS zIo{T(KZNZFZHy%G&9eBNzmRmr!h7)pu&Dq2quu&9;~UApNA9>n*2~*_JD|%ltk>uw zMfwlE(taD)t+xxLL-WFG@AJ8Uj}RE}Lgycn;s8k)X-RDd^{EX4v;cD&%5c%p0cYEY zL03D#1K+VeURcuPvVSDM*p9Kn=J_em4OY^;@ z+i{@kb+1%a47Q8AG>{I@w_GPBv;gk_d&^7uEwefCaOo$_Do}L){zG-7_-j9UUB5|N zKfeC%=*R52kLIcWU|6i7ENC~j`=qPVe|^kQeek$3;)CWM zj;A_Bx@q zq=p~1qNU1sJ&|NYntPSzE>wFY&XX4l%zk?4O?LGik9qyRo%n&k!cuno72Tx^`fTxZ zt)1VIel_@jeuWwi=0_}*W4wwoP8#>RZINzc)T|&SiDNCG?|h@RfVJze!)vSj+1(%& zme)~>kOd1;a-n}C;fX|c)L}iy|DZ|%)dld0ymx90zAnQ@==sf+Cznf39#*}!407G- zR_oh!KFa}jP18OH(g%-j*~!%zbP=e_919?hG%EaM9>+Kyb2@WtUA+m|(hk1@gEVHnFE`ET+kwC|rOuCEo&M=>(Ng|GzgElVcduC za1DOpIez6n{D`MzF!dRKKB9$dxF-(x;m33E3-{s5u7r48`K9`oEn7DG^5x67b?w^q z+%aRu^ibG74X!MItSuG$KjawT+cn8^{WFeoBR;=;)herArHU2{s+x334kS77cjrJ@ z^cO8#W;5o^w__UAcWdnNdhOF2{jB-=lD}%TwLPYZA88Ni;_?3MJ#)(3g$u20spwek zpPiS;FF7~;S*|DJ|6g-}<(JpGrJE$RxOlt$G~-L@2b=51Alcxd_p;fsoqPkvnBcfB z$10J?WOMVtEtmLlxl_*V>i|r6uOP1LDb&V>BZ^3naFjX%2qI7v(1;`37z#m34k@u! 
ze%7wjbgbUU8_KFMhhC?qtqCVK&cHT>&DJVmr3WvgTrB$@3~{k?3%5%lzm-Jt$!7BL zzBV4+#Dh4!wU`ifPj~?pZ=@O>+g#RvizxN~*BJmNdCTEBdEM;J{kz`SXQ!hDj8*lr zuGwr;&!wZTPLIwy&mPWQn*yNu$F;T@dM<3s1I)^KGfOhynXjbq&?h#@qu`kx84_7L zrJE!SyjE`zu6hyuiX6yav+Y^OAD!#=vq_wb3ZtOj&(Ij`!%_|2&(0iI4#d0K*#E7c z4^~l(7AEqSt=HarijAV|!1ztqs|bQtfFzK+8<}EEsH>x`Us4e?!fL9Ey@@*k93@TVH#7n z)n*g1V#jHL0CXyEUB4541e>4GK5LMM>Nqb@VOyTPN+(`K^(UGfkw$2FdN9iQFGc|F zSI1pzm?hL>+UNc774EL>OP6#tU<2vv1!5?Y6N#_bz;fLm<|Sc8!@*~xrQaIb zSi6R;0dL3_N}>0&E~+#3oUW!Q4U`89b+RD-fiOF8fRao-feKQj70E15i4-`|Wuki@%X;W?k%k zfRD;D7zQGNTtI5@tPIxKI?mRgFYbKFNj8RzDW%2mJp#0bvo*%5MHqd&_F z-eGm0W*yHJ88;tV%_a+0pH_ao@CUAhH=&6vE^-}xbFUzar~K6^GhJ#rB{uq#55SkA zL%{LU$DsoBRP?F;GSCP9^u#*IFy&roPL zGdbFaWh{+JKjrFh{oXfan0W#-867nG32AQyAYKrFP;S`zu-v z!)?p#)GRn@6&hM-QdtQsSAs`6pa5qmoG63$J3koo7&H(PO8qQbp<`jBj1I?+obfcE zLL=T==+QWmDt({CI9X2_1UlZp(GbRXt&|>da#Y&&D=mU^D%wy9MjR2qWO!~DMRe(Tv7k&F{2`ZASV@#M z6u#4Cx6tc$a~!BkTnRPnK)^?uF}rN>lrbDvrfZfN-Gra@MFu>tie-fZLR`OKa-bTs zOh~E%7V5y5r%Oru1y{H?jc^*=zZM5~ed&QtV3fAg<#zXtOS~nKC2U}d&y>PxegNXQ zmlFYR6vghT+<9eV?c$(wumpwK{LOyMf(B3q*d88$Z0rgPL?>o=j!8F5vxAuF42lze zkGi$kUJKoPp+Cf`kI(Gd+;_l!{YrzZ;odHmRvoB3?6s3-d5JrR+sijI)k=Th0hg1} z-%m+eD541u>||)^JHhQpwO;WzcQ$x#K2KzAFSv+tM%`!+ob>UO8bn z+~g}pNAS!2NUIO>T~S|@Cx|k<^F%{S?FZ4vM(MTX__dENVRCTdK3D{0$NOwBqGQ~glq@0D+K$R%zvFF$1ZSo zce)kzzUM{11~fJ2;#TOL8#1L7QIybc;5koTev-dDnCrsx2P$EEC-S{whL4$Goz0m>;shY*(&il;+pQn(-5w zM+d`!y`%oTnME8?*(5+Qi2p9`9RH<9K=D3)!BqqjBGr=D$&?T|ml)U%{Qz}UM4d2y zHfS^Uv%Xv{1j@@uArxIfY#sXQ_ug%_awE7P1E zCJhkg7mv}UjeK^aDs;6BRQNk&9NZT!x*)}(Nvb{bh8Va0xZZbFW*RA9iylz%ITVq$h)TxfTD&$Hctaer%k*}H{11Pd-U6Cx!vq{wGTORD5l4>0ovFFy&u1^ zfzstW^%1vfOu(rzsFy z)Ps5qdzVgA6w^=n*Gp0}B9=U(cITRqFB4*hC-jsqHXuB%RLs&XLJl{-pLz}rWYNDb z(d)5_6zo)caRle0WOWJbnjt|b^uAqoVQBwFU7OOtegRkl_?4|XEt4fc;-~r_RA)L; zS^Nf1as$3Z17mjg>&@dhMBJ7;^qRrFa7(Bhn=Nh~eymcss6*r^j$z4!@B)$a7+2sJq+TfN7JOk&5o|hp{V^8Y901@Q#}>hzPuNocaec50q9`d$QAI#7vS` zC}kSQa(4^On*UGjc2Q1{fn(gd8pe!jT~>2_Gu59p!}i0V`U 
zZ0aQj-rMj&PBJ5J8Y+bL1dpPgd#^&51Q-Dlfm6+aMWwSH7EqjR26yImQfM?{trA~e z*6?UW@c^#{`L?h=`q&p1tNZha`8Qn>Ddy?97NfUD9VNd z&$`uyV@W#uewnhJ_}Gnxmpkt9BZKS`c0Z5?4C_)(Uy5`CA5^+B?xN$TWM3k=`oWYM z$EaFgw-q|iH=9w7aSyt0ffS4@iG{83F)TV)7E>rGDqSSCY6p`>+}N+p2pGM=QTPgl z>gcQ{SBC#QGY_t@iq6!1`IHivl)raFA!ao{=!l~+q{G|UcOVFfdKj~OxKyu@&?;7x z@U?Or@b}+@f+&Rcw>I+TtZXZVj4pGp*p?Q&0EWGK&OI1D&!FQ5mlYlY4n3l0cE5b_ zObPz-pHY6b3;>sRxLG_F4FR0K;8fqwwO~fiLdT%ewFmJ7{SNXF#5B%ccf_}JsDL*< zww44iKH)po&iv@WTK|syl+89Ky0Af6>2{6SghPNh-QcTpISb)qZ(gTMNtJ~BLXc84G&@pgl#PFPOYs}IaN?1 z^|-*X5M8IgAosrtHt*`bTz>saW8ctYtfQgj!&(-DI#x0=<9PWEv8%~L+mdKT#kmZ+}ayFvC1 zn-&)exvtrR^&6A#)-)l*4EbdXk0cfBSmR#0%2&KGtBd?N%qm>-)Wn3sBSX!tz<|%A zy*Od^Zg?{@{f^H-1C0Vlm$vBK69lDsYPWaq3BDMjA{IYK3#xc9)Le&lPmq#Mv+=lE z<0?r9FypTda`Ahjk!nx2*F|Tob>_X{(K8}v3S~WmBfM4F@Eg;_!U;rhEINIVlD=yg z&&!adO>mG^({^A36jyxkS?x)dvID;@<#>Sp`WZ@i@|l$|^ANLI(WR%NhjsFnEJ*r53O>mmJbVOrRa4xsgx256_779+C6;=_^ZDkEVQ9xkjT*)3RU@1 zL(Q1>m3X~om#7pPU{ojaFbEql${M?c@eGz>_jpCs7!wO5l1zT!Da2Em3p&NPGo9g% zkhypC==x#A(syg-wW~A1RB3Tkv<&=|WsHiDVaB~D8H9aFe`7`@N9NG6k*v0rXDq6o z#L3o0l%$Bk!x`h@g7j$U@)cs#{fM=P93@o!hO(0dn`%2g0zPzj^9PN^6M}||CLvrA zTKZRvIeJg+3eWV8X%FIPb>pmHUOXvPx6`n$d0MQw8%#}Ru4MM9Qez8I$iJLJyu`F( zz-joN%^DWZc2EOtxK<)Oo`{=oEwl-Y5#4?qiobL-?!4$}Ll7cPrMTrwsq~p}Ppv-_ z1s!n?%ziGn_l*H58Io{#m0C=SJB|b#sP-Z*iHHYfv(?Ef zC?Lwmnmo>ZlLkhoHPy$M8zq!4FYTU_LU0SVlKeOU@?C|65`bBG(cZB{Dcd}D*-Lp! 
zv{R`VE$QFZ7E2}*YSj^5m&7q*=!9$MvitdoS+IhxdX?}AU4!ydjfXZI4QeMg`y2zv zGM>@LwDh?ue05^BrgM*~_aeWIl_u7jZ(R-EHCh zyth6RlE{a^-b%H{N?O%@{$yJ|3JgWdj72kTi4l5H=0?u(ajczQW>x$_?izW)czz6B z_}G)Azcq4T(|DuIr2t%<+3f(mh$g-ie?>VMi0$f>gTV8t;@%mS*FD#XHVRCQ)sKFl zdypDTCjP9feXPEo?k(-KJi0^BpT(|U;B1mXzBVBC@Q&rP+q$q$@K*AU_5GVax4zEh zpG{|YXv3~V5oou4xBdT&-+vd)C9nC;>U54Y0n3lsC)&mj%G8B~kAilv%s9ft{lZ&~a;0X42^3 zakD`cj6VR(Hibk*(FV|@-($n4UQR`iRm%^bHnS$2O00l(8?06gl?0%TP@xE&`l0_Q z%|%D)X}ZjGkfh5!@a<^YnH26-BYYaHwW_Z*Z9!9o3D>%r(@sf+=wPD>CV5%gJFF7O<5 z0~0`ZgHM_5*aS{`mbltsbKtud4gd)wrPBS{wA9;#Y0{Sz9N%c15wfJ`?}KJPwTP}c zUmH_RMm6xwDsZcKXWHs&=(rgB|f`fCOS_84E`Z}fw~7d)+)aO)oDL<2l-Dqlcs97y&U+sQu}#d$hOh`q+JkwED zBzRdrFH`QnQZHCl1cPi}Y_#waZV?RZ?s_hOIadBW+g+2HH}-u<0`wBdvE>QvEQ9nS|c|aDT}PW>2*|((u+Qy=xo*U?&0UBfV0oQEva% z-ontB9-;{D1#WuNB6hqeH1@l9E5RK2S$F*`s4&gCMYb&^KyNbC&bV0Szv>>@AH+5) zBhiuE>;W$AmYmXm6PE^P?K!#gIS;)fw?=xUQ3N{_W;_{Q$KhZ1*Ri^Zug^;+JK}m> zg*nb6|4_?eQ4t(V+{u_kVOl5w&8aL%7vVjoatXi2z@xnM41zoonNAhKPMoaM&12n5 zi806qlN1U+jn1kbU4K>oh!WT39h6HS)$Rsx7}-4xh$P?;Om2q!`ONRwj`A*7UB%_w z#AE{UW(B>)Q8kYtrTZHp2Y>#NNEUYopA1 zdQa(>G1SJcSSDy`2rW?C!9@tm)cP~6Ma-R>-xjkPhX>mU&X3N_q;QB-c<`k8h`c5u z|No))mbid60Zg^7<-yMCxD#H!T;U&s%5Xj5^HeK$>Oe>fI5s{M;_z62Jck8Id70DE zAI#gp^{RI?6rbhS3sK3^2*Xb&*lL-zVmqd@?aAqW&2Sp*sA!Du3rEm}iVOR5>V0?m zZ8e`vhLoH`f)BaZTDR;t8oe_H4_fjVb4H?i@sSg`A{3Q6$VzZu5~VRaJ`@{HJ)e#M zXkk<1ax^D+gygh2SPefc9JcSpj)pi3so8tXW@1%aNLw4r%&z+n2T0hFoXYvXP7 zTRE)-jMMKeTk*x9KiP2_fBCIc6>bR84{mGT5Ujq@DC3Ob-2xB!JT~{wwZPVuKK(7X zMG~rGqSNsikWBjuQ*;!kGG6mVsgm!RH6k2NuPJt~Q;>E4+6YqoHNRczd7~!eXUbU( z7DNsUb9fYd?c#tCHKalP8iKj5fnsvB*brvr9w7jkXd^W_n^b#1PqqW&l%T=hl7~V! 
z%Hz|r_Ab+P^hH3Sb?l(K@HoG}&In8XkM4M@c zEz#6~;(VTHcz&>CeMy`@#*~|kPlY^KAGGF9C_P$`Oy}P@Pn)v#oo8=!V+Mzfxn%Gp zd3-=mWVZXZyaJ$*PQ`hbg9ahe%2tukt(YY7VT<_f%NtskJpuqcM`7hzXu#94zX>C$ zG78fh-yp`lNMHKzy<}!Mg7Hnyy`cqc65X2*@%i)pU>yukrs<8t zLnu((DOS9=yE_yp#oeuVad)Q#_u}sE4uPBRoN@0xzaV2|?X~w>b3X4gxzLfbYbsw9 zs!P7*W2yd86&{u9lC1~|CorVlPHg-RKDZ{ZA-hw_%A*+LGwgz*xzQ--5j!K7)9(5J zmt(cTLFV+EK)|Zc4M!Tb)efRVJL$CoOA`BjMo#hGJnOP^5k}bR z`kt4V(4V3!I_B8~@*Hu>%%+ypGXA+>^_WAaGWyMzmy z?a3V}WV=#(J^nVzbci025C#(p2>57Y+5zf$J#o(m{}b;=ax0I5k89n6N5*3Lu{u>( z9Me2_y0y4n!j4Gd^Z6gezVyaA3!LxW@ill<<9oqj$tRp3|nJk3l1NV5V?j-0}bQPLgNd5K4go}JT_U)fL9&KMPq~{%8dHip< zU-#CavXjYv)S6&0xC%zdi~RZ4VwK>DzIPdQj3~ej1W~=EM5EoJ6gz!mPdeAf^F{4} z-`q-Kj%RZ{n(rL%^j1`q|KD1x7VbvMwQ;dxcurN-IAfQ){&%+Vl^u&2umaGhc)P57 zF=N8?sNH~0Pn2|(URrsJ3d=tH{1{nMp40~7SFns^*)=}T?h(O>>y-H}wLo|XFU)g&rk|a3EUvFe3Kgp2RC6V?Sy~aD1S>>2we?}}U7X^=RXV1dp3c|N z$cki8@0qC(;&+b?>>ltDhPG9!_7S9~H@lPb0j-0BavK>RC2~AU2##ZU)D)AbKf_VJ z^!F)En+z6tkumuBa9pri`IfAk*qust)pQ^v4_WP5Zamcha=Ba+snC!6YI3QlZ5Wqa zgG4_($298U=qVL;B8!UPVNK^D2S!+@j1Rx^Mpft$>mcmqrSJpTR3O;KEQmNOq0x1e z2wKx-Lx|2;=C^&pTr0WmEIGbk7L_%cdOn&hbMLa`0&e{{yi3VoOc)xHW3|?2(j$_- zRO~*>vu^e;0Y{%S^;hP``g9&@0xnS-x$UDbKk{XUST0Nm{Rq`bViyAq4sXj$byhEq z5X>t0bo2S1RLgGw6BH{<=<~|4^w@0wMx79(e7O5OBMRvEHX5P2) z8*O&mZKq6>Y{?Y#{krdzK2!~8Z@Lj45L}j7RI&H`NeTgjEgY9WDa1SIQud^7@EPmy zOF6bXRB~7@rjYZ#CHj^D#r zv@r6<5x_#zXbd)TvWSrsU}>UdHNj7feQ0*Sd9BgSvRVlDSXWl>bMYae=aN(*Kaofd zUrvIlVpg%D!-@*{gMmm2ipkk}r#=L2-!qzeTsVevojXRJ9~N9O^f{O?KAdi@Py7p! 
zPT|+ev7K{{@N_=gy#D2t#DTgTM+(h^538w&$Khz2A{e#u%az5L`Ji2WP3jbx!-GoTAht4?VWKP@@~8<*s=b9nq9iI7v@4NkGNw#nK7Jfzg_)aqUgFqkY+W;SG^b+&J5)~ z96hmk7#*GBsRUM0z3jaoTMk=}y>ufYw@d$BtTSnyHGjA_K<>LD=lXkPJi%AY6^QQz{v&AeEFJxlt>gAe_OT9nI!Zq<4NHGC$8 zj#|8So<&(w&Ox=ELUpGo#v<=fJSZ$I>f`!pC$(dbQ|2mZquuN9%9 z`5B^ywvFYB5%xdM#;F68WBEljNf(W0*4Ur6J9j2rM5tUeq)U;0-G9;q%y%SKH{6sA zrK&Nl&m%M^KU)b8!wbd4Yjc_V9$1LS*_sL; z@bU0bMrNzd6Dxv;!=8p4RlX+IYrUmdkf8-f9E4OT(m4H)9Ztgc z<%0SIr8p%5Af5rY1A=aw0Ys`7pLWvjFh?3j(!7lKxMtj0Qfy7;t97GoQywvIW*iQP z?LkWf4L5xSyQxK8zHFujsz|d8M=^*St>e6Zm<{_?K?_AqLvgiI|LWI;#>O(aqwHo( z0@Ah@>Bo)C>~?)DbJT*eJ4BRJCJ;m#eiTU+Uqz4Ha3(Kf#Ht1D^p)r7@JVo62hwYuopH))p6-i+l7oq9J%K=Y|kJKiWERpT5;ql?TIn zye_Ij?RTZ1P;|h=Ilx2G8@U^=ZqK@#0Xhnj%v-x2hO>GZ6Rz5eaXc8ccmCwp&egHX z8SQxIy=`7eZ8WD7b=jDmkk=)4ezQpWbe(mc8a=LCVUYJ$`#!t(z#h8}QnQ{Bnrdw^ zE*%qA@n5B~#r^-5C13k+J%VhHHx2Q|+L?qfkpK@F=n|Na4piRXTlQSC*+N)|6gfsy zvi`4(xxs%)iJpX{1DRR4k`GY0s6@AgA>Zw$Mp3!!V3QS&c`+j#$(I5{*3pZ;_yFbd zEZ235W7|E0Uk*`zT(}%3c;BNmMJM}oi74t1l=d}hN>P3__7D6nn{2z(~5t*i%c-$>9pxNzjq+ULT*RMK${d=SRn!cSm^bs2n&y5CufJ$Uca$* zV*yzaICUwSaCBUMgRiNV?WE@=4JVV7i|C04R%-b-uNC8|&5be#edHuZwU|-61<-t+ zzA6zGiEL;zZO2m&bQaFM?kG4wr-EWRysisO8=wC%FK9@-4Ip2Kvq_eFEUgD}Oj;3Z z1Gk>pIY$J{=SbPWa*OK_q#jBP!px@q=m^ zasRor@tdsIIj%TDDn{;GTIZndBjx1Q4Uai&VBM@QJ$BNnwSdtv_>^~f!6@xqpb^EQ zntX4<@${_zb&_a?5YKJ^-gLO8Bv;=d>*P8(+`jUTDB9cfjZ1Q@e8GeavL5>+Z*9-(AC?&QEILboXaVaUt&+4f?;CAR8bFX-(mWmX>#w$mF|*!Ib~EbR zmt5mLJ*O$2bvIPqGsX`ygMM2w6?pvp=B13UU2O9G7=p^dR*ENoekMz*`;4y9 z^1w)uF5XT1w$P+d)5SFxJ?05{g%Dx&Vc``@NW0O}%=Ov}C+qgb#6z0*wtd&tGl&26 z@I!m+8&0_?x&EVhFAZs^c@mR)`gjhwi>Eh}_4HlPs$(zqNLotxf7h+`M5BoqY?jwW z3Q#6xcGca7@s9t##{RVkuaQ;3KA%lsMX770GjfKuE_q;&wW6s9Wjj#km!ZOx+s<2f z--GAV19hVf_=jE#0-A0M81&}R!6z9E*jiOtwpc+LsR%Xu`~G^K>b?50PrR@-T#Zmka1KX8B$xg~ko$LG zn~&~?QT}GauaTd~_knhnVF>SMOZA>1ecV{^{X+L@_c;{ z%K=L5(-RLF-p>R*)Q+RVRsDzxA~2o@gWGTK&*qu^H;j5Io-|@Go}zzBq`X8^S@^__ z%iVfAgP~=nFxc5X#(pcU40YQcZ~ez1foO)5e~R?m6v*w})dV3N@;gxGnJMvG*R}ZV 
zL~=;N|6zPCKEMevds<-H5;74Fs88mcJ%}9_Hr_WMJXZy0;j;(IEltt%9n)z(dl+m! zqxL9ee|^E#Q5Z_)I%m@7lg!fL$2r8l#d;1@BqCXfp!BKY9S6e*&-bVjKo3w_*fQYY ztqoqsKMp0+#uk_3nluN|#MSrH%!Du&G!mVA6czy^ z;if)U5OZz_%NSjE`E;3fmJsBhl~e$gRb?aznhFa%6j^E^82fVL;uuzD2W9j0?G?@m^k@6T3e zUfxSZmtPv`sAEwIl{kK4?`PG@&Fv3>^HW4qZ4!ApTCdTzPkhjbNO z$Lt3_-D7ay59Gjz-AH3{=%GC6y*H*$n7{lho60Jj65;m%Y41QvJmh^7ri1vJWo$gi z$Hbl@mZp-Y1fwD!Z&GjFwytn%Z1=OiSOCKtt4`xk;fUtWO9*4u(+d2VzG`V7V7?LF@yC+zUBr!uE4|yXn&$A-5|*}3-yxjU!h6f*7}e$M8;pR$ zbqCWc7?bmPNW)Fw7+}QF%CHzeAxOa19u_7uNZDbGms<(|Ac|UEc+FR?@)h3H6v(Hk zzP!W_rq!97F3mEkmRsP22iSgxgR|V}4T+d8GuJ$vDK7qKwIpk6kai>#>Ra9k6-j!{ z@%`Q|RyqEiMgsr;FaE#y#|C(Y8>*~a$=qC?->`7Wiz>N#sV(HtwYszRsk_~2wt>s& zm&70TSM~2-o4nrATwSl8gmJ5hb?qs=seOkd-@>X8(kaiI_Nuej)w|+ z_~jG!GZV2NjgG(*zJ_jd?QdPPBWrB?YyU0W1TKg1DC?~6d%qMS4sY^=Y)z$T$44TK zW|@h4qrXO}4Ewn2cH#+fr%5-75BE=t*UpR!;@Wo(-mTTcJ}G=gh0uxTjEch*MJb}E z=RzM&pC5^SU7@2{O`_9<3e3lI74v)sQLo>u=B(e>`DM}sBVotoOT`T3eio#lDyX9EOqVre>=`^M7Y&m(hm~7 zGE3DJ7KBD`a=s_*Q9`j3tCk+A5p9zTp8Ay*8($0{}F^LcR@Qrq457B+u1spe=9WBf1XwY+#= zJXma7tED#koBhJ5$wJ%gvw~wPWI6NS+N8&stCx<~y+h1lLzUQwgVHry*C&J1?TuHn z9P2l&(u!Ai%(^47uBH^*iDSLvK94oNo^1MLA^sU&Ng~gH*>l&?V4km~#r`4rHlxIb z+AsMAgAaf0+h%yEGi{C9*1j~}-RxzX*6O9_T)qTr&ixhfQ}8agso=POU;iq-KV<1g z=`ub|uxAd{wq)g>8n4_tWE6i$yQ_ss5St^m$8-{BSd581R<#<{6J?v8GFqUVunxLHj>uKds(G5Kuk|nQ2GbFLgUiU>T=@#B9eKVp#c?j_o3j zRs?V#q@)9$$U?E4uj;_9q}B?J^hWw$uu6@EyjG^6Pfyh^U8RXRtqB@2hPj zZZLx0fBr1g&sk2IlfSCcQUW9*5ndM0^TIET>Q;XY0>qD2otuA|DQKp6>hh8 zwm|2JtH2hn|yai9}PTMi6+<2b1UkE{os{kO&+< z0>fXicMuTwv{Pea(4;tRG8)(yhdWePtmLv; z5vPpxg*+}7Yb$g&HT2d|JK%RFRc7q?v=&3Q%^9NM=)cQEqcTk01LwdI#H)Pdd*v!A zTy8}ly`5!jYsZRvuUWyie!0~C?Lf9f0v*vbGRV!G*pe#cE7tGKDUmup^NzlJwl{P> zh*MB?KE3XPLwXKl3Np(S<@Pzh?ZTh3L!HzQnBz1qV>l~d0N;X&5a!|!ZEC(wf^&10 z6skl^Y}Wu!GRV5meLi{n+U7?S3igAhmKjO8MxQS#NG>=q({twXG{lfXocf!{@y)@e z@aa5p%~mH*rM$3^p0?7_Kw(|+&emc=e4U|8*_)QXT6FP`^9@M5I7GCBjZ^3BSF7*# zpSe$7<$P$F#A!Gym|ldmO1bwFQw(wW5;Jb;7raEahoI9-d;Jdi_(EBR&R0hN`%D52 
zl3BeuaR`OW!U(c6oL`+kzos%azs8tQw~vc{-C>xp{oD*W)_~8fifD78$l*)=_MFcL z)M96}UDCMgcW?|k;2OIVrK6oJoq4KxP2&Aa7U3_t(XQ~SHGFdk0;Bx>zMV963&>#t zdIH$1eB!GgLLM@UbD`4mzI$g4?layujQi*X&M6e8hAAm}BK~u}S`&yg?BfYd_WJ+) zB1r_<_EbSxf~ULIx;Ll)$~dZ>Jy(Tu+R+163q_Ck)nDTuz@R;Km7DM#HSc z^>(2VL=z5Xh-WwhF+Vfy`6jMNY_BGNP`_~qXNSb~jns8-+_GHN>`6=326)*=#-v=B zdkgL3#pgN0cuRXmxFgor^1$moQZB^{T1wohhcs(xfZc)l+jqmaF`tKhMvC@6m$O~& zEgk5}x`_6{xvM;$hQPKxsmYbwn}WYmQeoFn@V%QkY@07{^T7lP0U0}X>z##+os@!# zUbkn=+-9#I+|Sk$q&+6(b6z`QI~LoNz^lXKKh1D9P^&*0L-2c$74t(eO(2b|T>fk1 zi?Gp!^|mwL+|E`CO|RgNVByvOkBfg32l~)oVg`$1X-G`xYimEAE_@c6R~GQI=Ci|; z>;EQ!To;$hvoHnzt%=ZbvFw<3^Tj6+To z*Kumsh=-Bf@!J{{kz!H!-CnTB_TvdQLiIwi0$q#yeo>}SyC#!aRFUVcg+ApWsdR=c z|IR{>-Z%fbv4Ss1OD0bWkF_zQIj;>tQW|`OX-c4crQwlHVI4S)EQwAP)3@l`CBjbj zY9An@n$&H=6jadgvXTL7s7lUU4*FiEkZeh$+E}l}=`ymj%%k%Dd5KL9v7E=Ub1(jIY#$uQ{4Rk?lWV3GQD!&%~HT0&TX_Tr7x@e{%6ytliZWjd%BgIAB# z$&_M2s#1X9k8$LnA31j}yy%YUH{>JC+YqORa&cBfTrH{LC^lO5JzM8UM(M}$yT2(BlJE{*2srK!;v6MxRG$r0>HAA*1IZI2G$L_`%0h$7#F1lz!J>lsxRE{D6LcXD-lu< z^7fX0ndCG)#N{AZZ19Y7Dc2!(VhO(_Q<`H*xBL^z6Oyux?3T~^X*c-Dv(RAqk1AV! z3^{~&%JG+%h3B^%L+$1p*Nf&rAFrlAAIy~~rtTKk8x)K*I>euQ>id2ySJ{xco<4KJ zf8|ATDQBo)Hcv4HE6j;pgyXBg!~is_8OaH-q|Sj>Ax7F>9ae+uT5hy9pomVVasS}; z^pCUeH_d@|Ww|F`Wj%=NwrVNI`dP}M!F>v=HKEmV>Bz{QPuVpgxbdA$eHBpKzfurI z|NgBc+Qm{!6~?C|k!&L!BGVs@|4zdz_#BRZg*r@fDJzJ!57 zpxB<^xO!$rr9q3~Vd(JUk^8Xm+z)Cl>n)DcnCct9<<>&30y!GQ2|waD{v9=qlUnqh z6`bEQ_9Sl>Ac|#67tVr-jr}wG-d-;=W4<#Qc}ViF3zMQdG|uFp-E>f^Nh zxbZE%(we&vx@`G*uC2lNJY<@v+TE!~^5H zS~qBc@L`z$=LA<)*OG<`lwz$6F&qB1WJE?NBgV3Waw}h^U~u%U{o~)v4%buMq?ovT zI*eljSW^bHnj)+-cigVTFVgO>8G2_Cy01s@0-Nzbz%_W4Q!J}YC1SGlOe{OnXwli@ zYc;V9D`Q?X#Rq(9`XO?m%WO``IxzoVnsY)|K}cWtG0mZf^Dr`}xXj!0ZvD>tzMjo! 
zZn@4HUlOHks*xldk54GwQySDt)rCXKI%ZLf*I3Tl0|&HmgGevOt8 z1&ejAw0Ok^q}^EmE6K}qJ(^ACt1&+QT}0hIEaZ7L`1@}J9f6I<>)o>bFwj&&1m!@C z-eavy=>UuoLHfz+C$e^aTJ2t92Cw~(2Yy~y#b5+?%gf~BLB(M`ywi6dmI8Gi=?WZ114P(<3xCJ2@gKe2!=Z1o9y%=EzF#a zl@;nn?QLazWDFQb|MpkKcX_a6k*tU6CP|bdCK_JeN285kntI{xSMQ~QWF+q}?ZHxo zjO8KNF35aS_^PYp9ox{~43(1pd8EI6MOHr!{CJza=BrMtOFrn+2 zY<0d)=W=_9q<6rf`-Wk;Xj{UzknVcK4pRUezfXGYE2@yp$dOJ#`fKucrF6Q)7i>#J zRG3IcqGn?BH=05z5X--MjGk?&I6{xB54QIhpn|iBT84&!KMQT?+fKEq(taSYR})Z1 zT(PvEGoz?fdf|l=(hw5PZNgg{L&EECN6@ye${%4POmtn;rl|ETe} zXZwfqhwym7g-$*|^yx&K`i=W)RTElZSjzOF?srf#0$%e)G#-0g=Y1xyd-UVJ5=HWK z5}E98+ShONWZi#7R_lrh1BO|1CW3Q~4M|l%6;Bou$1L!i8u`2Ye{JAG;GvEx(iIfj2 z#?mJqsJs8ER}@V;{xdVovA@Z{dSYG}*JK99SK&w)zE*#-^D+2S>x)v_iHES+JX;gxB$gJI++MrG^t;yUl^o;SY?PDn z>Ie2S(cdp93ywZBDxIWAS-#PFa^(3o*w9sos8DrA+L`AhGhhTZ?rQ(Dp+S)p)IY9A zk5u{yW09&V5`c6sy=>L8^PfP7e~V)bW)G^5`9L(c&XLwPjR%#c`5gbz6M#h?g$acp z!F4qkXv_iuOSs9c%Xx2Cmj&aGaF?YZZX^({TizE%@+HKMzt4VCSBApbv20PYK@CLM ze(Icd@VgslQCC3ESnVPH&_`Q?CW${hHZejhk`%7Eu`$ue!y6fh-uU=AJWt#*skAML zRf}KYo;|`}@NWwAe=pTKtzlo8<|K2O9#YE$)R>>**BuQB)T#(zXNxd-Mrg!hd&T@X zEMG5BgZ_?ZH2?gN6dy##EW>u-gK)E7Kb0d3e5;S=vt;^5IpcDB)i;%;TxlSgh*RaV+LIiLFMc;56PrB5zqgCd9!}1h-XFDJcD3=sNeD7b z2F}_{*QA^*H=^cx_&=VdYy+@qhW~^(o6rV~J6^jT={iEM5D(;R{-MMCMPIuXT}{4q zdf?C!|MTc1*CbhdW;c$0fpI1zk>_R8xVNk?`obh1J^9^u`)AD!<%NvxezP9d?x<+j zogysr`{{Rj6uxG5E%>uoql!$gw0NUCd#FM=oVQ^4YwzPHg;E2dmXBwX2EUTa@;nzH zz>w!FI<0xY1N%nH49P?%Vw)X2M@-P>mFyh*v&xg-Z9>6Vq8eMaU?E6$$ck0Bh|A41 zmUH-V+;y~LE440)m-{TUj3&@O0O6t4C=(z|h-JhPr zZ%-ENZjS9d0ig`l-gn){-MrnH_mLM@5V&6UGbQ$4hK@q5NqYPG_y1ufb5+WiSKeIj z^loli9PKc!Tm~boeAzkAk>ADrN%T*s#kr4u-}hxTDGVDl{5K+nRpPohd=HyZx3TMHo7-VbYbwJ`d}PNG zYulgL_g{VmnR7?P{AfiZw3`CZ0vu)!=`#!Z#lU)dqiD2-6;XeirD6D9bq602fLWqX zN9zkf4PmmGnBnKu@@3!EX-Y>Af^UFrOyMrvFs%c=u-QkMB#|;R%%B(>U4D@5lk|%k zVt}QyWSZSavWw$*Z8XxF=oYl3AE*I7-!$h0bvoapc%$;{BQfd~#?fBfsw)R8Z+@!& z zwO!|{o#FRc1^*L!sZwAM$EV}!76AAIM7@0Z)v$735i)%fo{m>Kv7q8DGqXKGmNbPJ z-Iq3=zfeiO>&&yn#{<&-%-SO_d#X$->9?}tH%XI`ct*TNeT<~k#IPh<(uUsuy* 
z0@Pu~0(JLz(R~!rFTZf%bmR?&_d)Y1{2A=xA~G!0DCI+c`$ufKSaZK|+z2azJ8Y0{aW99yJ}q z2VB5YIAh3B#*zw5RBW=F^!>^qD8bZGI+9C5Iwio5#>(C8u8ex%sD_iTV^nSbP7&Zt z@eg4@h@%J~z=)MC`HR)|7>Qrx>aHida_Q+8y~On{nN=J*8tn0lcwr?czcfk;H!L$BUZ{dv zFizZ$zNKTN-MCM3qt|Z{9-JQgCsFH>F&$(x`AVivqa+rB6;$7GTHR=&p(K3Ls<@Pj zuhK$9Y~p=o7ro|~-2oi?i_wthhoHv|utCYqjH|QgkRyU4d zaSm8{fAMaM60t9DPM;{Ztv5f4?Px+Pn#5PBi)12Ffv=)M8u4D9a&@&<7 zb&e@;dckfT)O`m6ZnB!C`Jgy6MPio2y0Q7k(1|R@K5uC&pMI)<6k?FTLk+uRIWd>R z7Ov^DlimKyqW2DqOdP!^rHIG-gizNc_M(coOhhLmJ3Jr0nrux3SI}x#MK>R$XFST< zltOC-bLnm_=8I1b9i!?qHi!eI5qEU0$+kkM*LRuHfU0Uiz%0Iy-hnB#D`#jizil@K zk=ta3{n}OY^EOsacci@Izlvs5JmXCC>}AL$28eNc|Gf8_TVStD)Yosl!&R>n$erb^ z59Q%&Cvv4y`{X<>77xFN@zAr|pC_Ekn_L?0=%0gjBn=1YAzHhec zd73e9!Q$JH`C92$Zw_<2(L-y;-T~9E_t<0G4V?&?_0hUbLM%Bj9 zS>T8JFEK@EMe4S*`ojPelG&EZm3BW=^e=WK7-5KWeia=9nY{ZNKDjjlAuWOPwJGE=a^6QmwGv?UXAP1$&j(3FP(;= z3nY}_fUKwYG4MYzN1{hnC7a7oz^MA~c%O$uEs_frRz$%Vql_b84v%lQ#BA>N`kJEQ zqPj~gEmJYT?wyt;{6Z=VgR}7p@9C=!7Peb6VpCB`qR)NUPtnOSNb<2N(4`N`_^gt& zma~@cFXlSznD+n=RY?lni!V*33)ID1dCkFG|_ymtf* z6Uf{%!@8Bh!YUewVtA;pIi~>xD8PP?WvY9_=Bq%I0~tq?-q}*~=fK}L7BjF4+=X|( zL(PQdWpN4i^V*HlknC-4-zGsMwH(I<;~0X^djyh*E=}YvgTTUca+Vf+i*^u&c|!6HmUXd5uMTOOLO>YPdL)QKoOAi@R& z$<*%XN94QPWH5HYXapuiVweF>LA)$%bWC%I*H_j7Y{xDcE)tQau<+ziSOZ!Bs-^^K zz^44b`_EH61l+(;3<~&Ek@_6^OViE;1FtN~<4* z=#lHel^(4xBGv7M&P_qer%+BuhfV?aqmto@>+W#C5z>%Mqr8A`=!ajMY3lUJ(Hs zoi?QFAtoC-eMU|89AqjGflk##U?g+FD%bhSX1gaOunzMxQABoJP6n?U^61=&!*en?T|yk4@UB0= z*#Lc9GBhfbDMr(qKI~z00a)YX#@$oP#(bLmAw07avI*~4CZ({?dW8nUtY#8?GX~ky z`jK;=csi8Qxd5kL)TmI^=0Q71sA+t$wCBGL*dIKc>Q}MG_u2w|MiXJWvDI0m7YC23 zY+m3PRRVjXz)$jU*Dwd{0ikc>DMt=E0D3xsxD>G0?&fe$9~s>F)bqos&=X5wJfR!} z{;slbah9hNrc{WQ+Ny6@=7d$`S5u`5e{d4IZ*s12ZZxVMD^|#K>>LduL}6O*^+>%w z{hB6xD96#~eyBS-?&-1L>bJ9ijc1m59I;{iS;zp4X)Y}GbUr}fT;c{W*O?T_h!2Y#afbtnoZJ#`tfc!N?WbX#78UZQU*>we&;<20bMI2!0lZ zBm2T_w};Cd|8mey`qra3bW7_ee037NI?4yza9 zef?x%CA=`rwyvSD*Sj0GsP9x+@K{<-7dPynCl?Z~f)tu+IthpA=0EC8Bk(@_T`rHc 
zu?n#qpMiSsSTezygGW2bzX}#=A;{Qz&)7>ceMq-87T2K_N|Vw-dUGt=Cd{&4_ac<20G=<>YDey<~!=a3(VZY`i0cPP87 zfUVy{Yn0n2jz&49O`3AG2vXa8Fs}X~MIwq&Ey6EopLkK%gmDVV=$Mj*76~i3+d<>v zd?zofl_H~iG8GOqw4abH{gfF}qwIy@z?wsQqwuTZCvqZOv(+ZXA^#R~I1^fV`ZvDMMgF1YQ;2 ze2^?mus!)vH*qE|3ZGf=Ye3SFiAU8QN}VX;xRMq_Fn=4leD*y72JMBoLu#c(NID?u zr6+cX<+?aZwa9u&{;)v#kO@uTpZzjA)goh*oCfGK24%V5$%Na6fpxE9c%zg2t1ZuvB3yn@+v}5F__iFjQcOY0%W+ z+ul8_hmz}-_)>p}I~;-qn7jz3xc?I+$mo&H;))b76hrGDesA*WCRyhfDqozBntSj6 z>jI!AW|edaU?VH|UZJ7d?4mxKvfLYNg4o!HE410hpdBfo--?aw%@Pg#j$kg^Zh&nl zE0f4LjYdx>VyCQo)OZF59r`e%nUxr2=;FvS=__nrRxlAyv|WR6g%4mgVB{FE{kL)_ zo9o#dv1X`TvA_q5TEfZHK)0j9*Mw6ma-D26?+tTIxuatLz z0{G=1HN$SxJAFUbSgD%$48xOWofwNH4IRTO7&zhrL^g$7JU9(F3YU$29BhXixRWpU^}%fQaEQ@rVb4?b`bTA^dRBO0Uu6p9B{E9pk^`k8`qt zF*-cr6k#2TbwE)I!8#X66g*y`|4<_CetkqIqbHPMGKz(CNQ16I+uiSl!)Hq78RAxA zcbyNX$8x|1Wdt3`hMsse5u2z4||3lsS(GN)<>e7M~95MmvZljQd}QO{aDAcODHw){SCqv0KA(I z-cpYFR*?(;V1b{!re;5sNgpdWImISuS6D2An;xe-T)Q#rUKomq8<<6f82v_ZtRP)3b zU^@O>>PLb8fBCo}$jqh4Ufga<2)1BSU(Pp#<-~ayo?C=r*xJLnL z+5yW~S{&&XiqsQ_Rx7{Rkvw0!K@H=1%yBpx_Xiz)s);#`vvvkG@qG~taT5fvsnHI> zvq`y}O+RLkYQcMI$#PkFbuOWT4EoYrw2a*^_5pssa<4B&YoG*x-MYv#b3p9h%e-=Y z5f_IuRP2Bip?4O{je4CbXs=HCy8=AeB0IjY4Dsx4(D<^mp?BII_lp|+G`40!kJp%5 zJ$d$+$by|eMG>RZV1M3fH>o0RF`#?Dm%CDQ=)R#c(Bn0+*IRrr^%$B2{MQnZsIKjl z$TuF>y{-r}3-GKYPD+N4%Sng?9-r7o*uB{5dyRPb;HTZ3ZNltvtzp-^eW@|Ud`6Gl zSrN|2LJIJ`!`*5|Mej!!3fvj{@3s{jPdzhyR*pBb*RlsRB3&bfrgyHtrEVL^1h69^ zyg!Y`CIQA-!UIp%yc|^id}Y*o8I4KhtU%0t94jkse{_%m(uX-diPo)oMW#5r(q7~w z0D2VJ0XT)|1TL0syo4Dw7gN;Q@wCHtJ6a0y9C^3z4|&C`7go-Px$ z6cmWvxM|)9B#%O>Vd&=;Z`cb3Y~v4HJ$!pj;nIeeSC8lmX96%0`C7~u+V8a}5*y#+ zx{;fD#(M80xLi=^V=wzzhcN|xigGF71~8fTq{*tQQ?GgtX{I;pE&*o4jK=YIM99Ho zYQSZc^T5J+{L#|irX$wGL`%ZyDe%NI(m5?Y1M!wW8ZsLbME9iznXS)&08|GjzTP1= z-(R5s_9;Z8weROL6PxSSUX9B@mPivoirxna+HRX~G5z5u{T_jmbKhiqStoT^9297M^9?(yY5< z?IWkd=`?1w+c6`0{OCZ`0dr8hiNB+c_jCXYpoP%-?UJ|Y-Wi<}d$x3~fEy6A03ZMv z3!aNDUXAEhAEuX(Yx9t_t;htEmY!tye(Z@bGz^Wf3pzy*h|EWGJa);NTZKED6ZfDJ 
zr38^zUq&oN&?tVUc%Ko^Lk3!bFb>3`FG^$gD3AQe`eZV^8d!PJU3ll)sj8fQ(rRA) zPf9ST5(noGl%#0OvBWb�_N~IXuYG5)hQO6 z2)y*kY(ulO7c>i?Uz6`2I8T2CEf$|Jk{2P;A2wW@S6tRwfS(4fK7qw1&rW6-NSnbS zMtqA)!lT($XoseIe*LUmsnMrja(QBwfm>&|K%960Dh_VY%ewoWVy(7awHWC99BXCt zY?MThM(}zpjhjwxB+(Hx^31+gC3Rn_#sR-Uj@h#*z6fdXP5OXSV*9fqwiPFaf*H|) z2_b_hutZM!4Vd@~j`)w~I9ncWV(U8SW&~eU7p|kqrjCWZr*3Nr^%>{UMgTw1 z#a28vh#6Ie3#25q&6J>OZSh-{3{J0h+y*hGdHC*@7BS4=ZuO5MV5kcTPSjxgXxb`k?cveGygVsnZ5=cbCT9o!~*54({$A+}#_E;O^GA zySuwP4A1+_%=gW#S@XB=kG^-EQ>S+A+NZX|Tgma5yNs1JR>!x0@GSKRUcJ;<+~?n7 zX|5akdqiBnx8x3HMJznX z=b*GBGBsbNJ6t4$IsmY#s)>z~w^rMqhkO}LV>?3;ET|gbLMbw! zOQGv2hQmgw9r5R1-KUnMPz{w;slQMNStK#Beax9u$c6We;%76-!Z zcbL3sPbpOYf4_>B+A1Gzr%l%xaK_ZjI>U^f;4pK49_MfFQ5^FQC4E!_l>>JS zlb*+0be(2&rS}`bRNu86g6xISK0>gB+~)BDF&qAR;MsM>UU6`=I^UN*02e(k zeyV>57kA4VUC`ps?XPAPSY@rYHeYu(Tq=_qG?L(qkg$*h6Gc5Ys0Zi>p$iDiWUM?2 zGq}L{P`W}GW^h$rbq`am#l-2+yLY=fdn)k)xKfu78>iMcB12{`UtdI_!HL{cjeW{u zO*m(Bl>{m9)%lEcHQ3z*1(01OrRC-8^WN^A6RZn$2Dwc|1e22+X`I$Tu)Ay z-1_7DGnog(^D+!ZulP5nje8!kJ_L6|L-2?Sq5mJlZ|BorAx>N@qU2O&9VGA4Ediv< zW1sb9Anj8A*neidZ7!z}(wM1u-1==&pTp{tOQ0T9*BMcdV{s)7Jnj>(wpL;DV!82c z+8M#N!+Fuk+5~SVZSnhkby#vi8BI>S;IrC_LT_tzjm$1LQ;jKXgbGB9f4c0X(!F{h z1DaktNspL9ADyIj-fnBkH}|Y`8!XM(r+d|}1mLX&tp)1zyss(S3YKP6Or($Nm6C)q zV=Ss|F&Y5TI^rZoU<;+C*_N@TR9AI%%#(pf%aK%jxxD6#A3Nm{Ol3MY!r>8fc~}iJ zB{4q0BQ4_c0_#AzNMrNjIS1MwVtSTDP-hzr^n~l6V;U3|nJ{>Uf5Lv&>T>TN3MS9} z?%F6}_+Uv8<9Z)L03-h`6;}nLmF3^6x>&>a(ZP!h5#$oaI!k|xQ1FO487vRp@-2)5(ZI#>mGFp)_*HT?I9MEL0kt$>D#X4I1I}k(>k5CilpB zR)1{o`V!OonjgHE71^QVuBL6czSpO|XV)P6PKDwV@Y+h$```;obk%t9T(E=9#{s?0 zYy2d-k|X39mA$(iJkWTZJ^nJ;CZ>}XY>b)G$Rk-UA)PBC?>XN{WY1^sh-UAggatRT zkrB3@;uYqS9{w%VtnTVPT4kU|+!;%$1F0%CPVVbn)T<^)z< zE<{ig33a^U!gQK-HzkAg2GW;=F!IoGH+nbM*0ZLIu>JjhSue?Qr>yP1jjg3PlrHW! 
zmxlrf0Y>*hcGq0Kf$=)?qCXfkaSxSS*|fy+5VEF%zH=909)x+z@!t@^ttN4hkE-MH zX!EF(#1{`rX79G)o~a|Lk&y4&H0Z}AjL(uH_#v+=}-0&q!EI$}MHuD2t!h7nLe#_InxprpUxfkoc7Lb`iQ@;qn%$wQ2 zA1$dkR_vS+#Yb!NZDrykRI`M8ii2 zH!R8qd+ezZ{|3A7niG47!p^~;;R#^YIFrbh5C(Ox0;jTV@~3a=`t7>mx!neXV+~d5 zsN{%MyHi~hjr|*@Q;~KZ^nQa=vMH)H=TdPiS5N}A90Tb;$cDD1^tP>iBHwE_xo z&q&Mt(d{BiJm8=1AY0W0S9f#=Dy{eF_mjTEmYF+M*Y}3rQ2n{fFs$npxZhoRn5LB1 z*q|_d&~a{{@8UnM6zuTJ&`+rtzV0hz_R0Gq7H4OIG;XCKwQ^2ye3D==pcYQiVL!@zG`9nXq= z=gL);{VX+mqUj;eYELcN`CHse0ff8; z7GiHCQ=^XQG~?tp9PV(VUrx7bkH@A%*|E`IJvVU5{VvfcHu zO;d<29^+F1=5@wB{|Z|_mEBC*y%8p?jGBFeB<}R`!cY2Ta>!C|rad&~x*1cz)63c~ z&g#84NeYuba&kLM4f(BQ!{k+wKHcp@>DOqiU-zqP)5)}29C|mQxp*Q!0BRL^AF^oB zMVPvHOr@~PI;@G{Sr7~+UMrf_2}D+rZ#&k6^Z16m8v?6Z^A6^ujS?{*q%PcBxrt`< zgpX{DzGFgq1@(Jx|D=R?{^TR6JW1kidx0QaSVO~nIOIIkbIzPI^`iwo;G#Eb@qilR zWyIS$tVxCY8S8MJ3(JF~CN^bRxe=Z$%dj$@q^?y+=J5T9O02e=JD*urVukP1?)Z*& zsXOH~?H}p?81Du-G(&bf;Rm2^=(*`lx92gm&q!$!kuYSoujP9sX#Jjd_cszNjDk0>#R#+Bv`aRk@O-&}h+&Il``*DG6 znpwBW(fnP=>&^^~fb#%y-tq2ByArb{u8|P5?l*m5nik!aa+i*`mnrZu01rv4L5pei zl0Wf+`R_3FM}5G&9H%~t z>d#1#Pq>wJ&=;y=aiI%d^2re=A zD(-Q&AX}PBJs)7t2j(gpj>lEBhgOVBauG2GqB5J&jkq-}oZ* z^_nmq0`{sXw_9p3G17`yt~S!T@;^9!gaqm++GAi))h>)B#*L}nc*zxU^-9XZ@h;>d zYEkCrR<|SOY4pQup3Ki!$%=#>LH`ln0LfeO{E?rl3XIQDWoq3uUH-5Fo6jjsCpHA=lv<(CLAOKC*Zzfe~l$up8EsiG^L z{-o*;Q?*$(`xjFoH5z(R<9Z`Q!9E8T7`44)dp;bNLX#G9qwa1Bm&71?7etc&d|w44 zit)ksuZMbucBSz4>XZ>(VfN_tlH78?qtWy<4_W=X!i%G|1d@yIu?Q&T9WR4f~tyu)l1pKv!TV+OS) z@@(#dFVO^9eIk9rPlHm0FoNw?$|=Cguv~4c0`=I-XR3WeVTzWqNn{PzF|XMU-?yDE zZ<{|8O0Pii2ZSwPmxVu>1E>z^m5=g@)J&FUTw=cNtfD2iC5*|g=x-?F0A~-EqOE8m z4oBLTsVA+=#pp$`5ZGissVCl34mBr7-q7;8_>qh(R9x!bO0PCT6OeY~YAkkDxuds> zTBEP%t>xjw9#Ql1Ihlt?oF9ZX1YEdl zV)&#geXpSM)Rb#iFT4ghn>-}j|4QSRZ)cXTGmZ0(*QPau{X0dwW$$s(=kkd$-$KD0qObI?zGhMpi}pz|p+oXjze5MEx2vJq%K=v&q^@S^O?X`>Lv{U9z&W3(eSP z3659B*1}$1C4{2#+v7kxfUErW81PxZ5ZPaOTbf6Bnl)<`&&_oC^+BPtLI#fp#&Qkh z71?`cSHiYBdpPd4Ek*DamFdBK=9<|_wGK+mslNsy2tMj>oI?xNd_p7Q^_~LD_H69K z7z9gHCFP*#mcTKBjd_7)Z2tS@kesJ&^n0Kxd5})7S>u#V6$JQPpwCr9(34! 
zAltT(EE}fA%{N;#`}{838Y@!&U^AjZv}#)%9)pNuOy;8(SZ~eG(@+k+Z!^&m>7;M= zmvY%QI{V_^_5hy)SDt4C+#B|^=O{7zaoIRFPkT9?DLVTp3ZlZ0U6iU3c~$5Wo?c~4 zEj?;e+Xx@hn8VSwe^AEK;AC+FM!Y#ugPB51vpHKOB0^uMbL=<_RcHuNi;mOK=6vBF z!2;K!bgX+us2p3H%bPuMFPjc(MoAp+tdt6aDtG{J4XppZ zq7T7P@Z%*^qJtMl@eCuWhxJu)ZQOxbYcbK=RoBiEx@*O2n+mimY8<5Ii*{ z=jmf{j#wbKXCm`d5jGYoo9140sOPrAD*i>Nw^<9D%LunPi4IwgqhyboSh5G3%}A2` zYJ6z^zQAH1=PPWU+t?m(2p*b-aVXYOcOl2yVIaLZr#)x12}UIo##1J+SXEyd63$Dd}y@+SD7=x36(2 z?dR!k$WO@A95xAu&>d9|zg$ONs+p>lt{emeV?C}d1)gEM8r3G2rA^(3y)RNcQp&Ku zz)yeD`9v^X%!LYPp7qBo5e>deA+0BF#G>oN`MmRCvA)zwM{{j{n@a)T%Bv}00x%QkvM;g;HJ@vSdM|yib}O6`n?<*2aSh$c zE|X^uq!*l^j%W24EZ-w7Rvr`u)LSLRdswUupznn|TD)!pmb^FJ`!@Iuzx{-XZC%W< ziN|ebYi;x6ux-BFA}~z@o?6i&PH#L6c@||3B3zd|O62u;q%iBu1+h_A{PCJj(ZOAs zPxl+g>!BDy0X{MIST#*R6xM&x{h_$h;^X_5d3j-Wn&a@bUjS!`PdL*tv-NAg_#K6K zPj%HPJ)rZ;w3JS0q7Mh+MHQej1}X09pfQHaQrwycesd7mV@cUFjfB$A&oQ+iH(Ui{ zlj73#po0VHuS8KY=!!~}KJZw|G!_g{c$vQpzCCJtTlh!oats=lN!^A26v@k)vPrs3 zdaQf=*I2On3N$WIo&UJW6B)YQ0BS%P=C5CZxs|OMS7U-1)>z=?$^vHXa~!Xa=Mp+i z)I{D5c~`eRJQ(}>qklgSHGCp+&&S|^i6sXZbWYp%)QyM2?*Bjq-jW;LsL*-rR+_kW zCiVv&jE#vbzl~rFoY}rCPL6PZ9<~K+p741DaT@X6mc~dAKMslFQKkMy%L6+et*~1C zUk@gY^gj+jG~79m(TC|a8Hvyd6GG3>lB$mD#k(eY%-o1&r3#FNH$1@79`KqOGk0~> z$CYoxvGW6mb_FD)**yMm9A92Qa=+R(Rm^Jz#yUgC89PS*2NL=v!?sfH(o%-g5(m?L z)+XcB>8wO28R}vh$N}ETKMT-gz)8w3!%L6Q5f79l9(JHet1#w9`i_^!*rN1=Bt)cQ zQ3OKk58(4NAj2Uu1xsyr2WBE`afO$Jlj0a3A>8*gCWT9~_1|Yb)_>~^jB#c~DRFRE zVY{5p29X(AU)RNxiAAA>o;#-+3MYpNad)T}$sz<`eET9%76|5f}h zy9>~cf*^K3Hl@FZhClsjP@L}+gvX!K^=2JH9A`m@C>(EGkI^9sa& z1aFw>yX(Q@Vcf2`mh|3t1AWyCN&|z=;Ud%BdbIDj648MG?p@Z}yZTLQryEl*N}J;` zpJeneF&ZwPXD&fYB*Wr{7*I}kMuxT)cJN>dWqhE+>%>k_RXVpUaV019y0^uO!op6F z?cG&e%Jwlv58+I_5DU0OX{!*f_2CBxb#9o$G!NEf(M!j{qI>8~BdwNb(6y3t{C%;f2SMkZUd20nVS_o}>Z;2VKB!30e$qc>O5#{D%WNhM*ZEs{Fe&M1kKV zOHeFK%%&WrIsN*E6<-K&sWwuX-OO7FUCm)Go_E(cTfQI<+^pP3SPHzIl zpHq$Jx3qS3bb}DzA7RdP;}W_n;3A`TzD;QK3Z61gqO378RKsgd6Qn>J{hd7lKD(%y zUd)yKcmCnG$+k{l9?(Gpt=x#U1w(4ncQ<4OQPDwg{khYpg)Vt`Vsc=LUu-uXbZgyr 
z7&RPxX(6!9#@W|I`0cZU1VEq>ALLIIf~VOd_;xJ_mW@7;1~KoYyz>rF5)&7yZaXI_$&8EAFbDv=WOd< z>e&xl3jduPF4pWgH>3_uIOHe|?v$+4wU6U}pLgZ6&vy`cE-3UPi*@FH$UOYFx4KYF z%OB|)oS&P|;egM-1c`O#9OFFL1LrT7Malj~%r@vwAfcw%Tl|u#kmlCn!wwJ!S}O5u zgE?v;+z$B5jhT(nEmhGS9&R7Z?tiwHzCBT?dSUa)N}F_Sxzo44h{RVQwbL=TT?*O3 zBO@t6xjE|@u71D@N)yoo>6VBCR`@g%Ozh)V5*vY4m3IYx=IUD<(89mReS7~-?&EC8 zDT|*`TPn3CApN8XhKj5{@8zC z>7LK{>Cg{A^G?W@=gU3+GR@nmDENDA_3i3@w(V*qo8iR=#ZCRG->LJ|>HUHFqGQ+} zi%L)zr)I(VhxM2v0e|x{=+M^BE!1gB;8pQKy>Anx-_0xM2I3?zxhP?Ye(qi055%l* zSv-vHpv&^$;k?m= zvsS79%JygUfBoya4Mgt&dhu?%l{-fR4zn*kBV(QKSl7Do34q>fD~beTyxEsauWfx+ zTdtwoUJj7n!>9`0`>id9Rpl}0t5m_iBv`OWcmUmc*T2DGp|TQ>th1*ch`;=|pq-yK z0|U-Zm&)IirUZ_6cgh;u|9i~X|4*X!|4%ahUq9rc8 zD#>=d99ChhlGW_P$+)qJtJTKq^c%>+YBb^LR`>GsHv@;wL!c#Ubn-tCHTZ&LEtuh7 zl&c#1c`FC+S@X|IZr{5YNc z=GVuHHkXgDKE|yC6tt%B1CST&&%H}A#` zL_$FkG!^lWjuVjv9h@_SWM+W`QLkCPMv%!5tzjEvNlIzZh9`okdfKehzaXKZG0RYJ zFvw3$Pg4=)DI7w{lVS;ZINb!i9;)Sw@q%amynKbL76O+55vk@1=%sM{t#6cq;Ruhz zJXmkdk+m+;q{$GCBK)C_Q;u3&1^J>fVUTdDrxR#IMFZe(?!x|@SR+9uO$65Oiot=o z?U`}e?VD(GC-?5lz|yLresG8c#yA9 z!uxxBvck5#MZfG~q@z*=S#1KGN33LI!kY!Q&At0Bb9{Hm1>z%OZFf-Z&{@!B#j%VW zP6KcL@$nFmjr-WxbmAX35%ue=6RGo3v#r%Y(=T$5^)Ku&Hawp>Zs+dYkLFQi8GDLk_f_Z1}euSE2qJORPi}>~nZ5^X>k;8*|g}8u+-j zS|fs8=!hsOc|VENBanHnZO54L{-^XuE$pdOFL)xYKXm`i`1O$PB>0n>(Z#3Lr1h03%LUrboZ~k5 zv?K+?xHH6T^<>422Lf=0TOT98q{gn;&ytlH{0`mOmKrtMduOikdlUbu9UGq?#G*dI zK+Y!H{%jK3OLdaWJxVC|-rnXcnwsb&)1E6RuJw1Fo_LuvQQqrbq=dZDS`$eW+h|=4 ziYw7M0+^AW9t)is%=c2-g{6p(c!gs1nj32G5hh{%FAI^iEOatSZ4Kujw6fhW{V^Pv$B$I%IB zwZA{3>ce&!w1?5B_hr*J$eLUiM9TE(zKcqJ+M3)#CFB`)Q@4;0sjNjai+Dgr%T|d zU8>S)GSF(?E(vK}QM;_$DhxG_VD@*;1am0rA&vQP3N*`Kch0=${T2I8K0)5~aZ!4> z@z{dsJ{rn`=nu)bDLe4z*!+TX@uU5r0a_L_!o%qW(;-E~VZYh_o9UKYO5ToY)N1Ra zj-9;rLr}Gy9f3*IYFIUzocKYyqbX>N_4JattJvnWgb?yofCiF8E zSd9{}d5(346FQVy7R+>8k{BEj$dwiU=uS|JSglwlLK^W2^@+&MYOcwZox$pk3F zi-Nfa=!XWT`~J%25oLP1nTuzNk;p#Y<+628lL=|@6k+#&=Y8wcwMu8@*wJ?77om(~nK0+{ytR09^P1JTzsWd$vBUQ>lFqZoQVA5XNC 
z;TGyLhXA^d&Mzt+kQOQ&r`6^5y?2p)`tRAdI!ZQcyf^&rR~{Z#T*x1G#SW(+Lf>ko z$JCN^?Y#{tjall}88`~Z{E*3Z9a#B;Q#>iE;`TN7zQ#sa-%`(}SgbJldHjSpYzlP| zxJHw#bgljv+gJC``VkwAgh!St*o|s)7UH9DR)QgCyr_s_t@uW!@-{C@&F8lT{~7+y zRy*+|mZfvj9PoJP1rEg8l6ehAqOFcPnx z>J}J_tcxeMa1^%75beFCs$(PDZrJSebmMbF)0yiR&VzrgJLW8$t9VaSCx57_$4c4i z6vn5(efj(NB`*OaZKZq9T#jpT^fbY~A@JeV3C?S&H{-76Lu8gO1$yD460+}!QMl#S zSh*+rxJAWCz2bR!pKha`W`Vy16{hFWw=Q%~?~kJ%cbE9-$|_X%pdTTdHC>~$+}p{9 z%{zQ2rVrsUmSt_dS#SwI^Tx8Q=yLZi0IkxI48V9f_CBs8fluydVplHRMc%Sbb@AjH zUcM9FF2RqvtnrUp^LfXe`v*0o8>4;6zeM-tP7oQTv}^esP;jZ%*X~k*=ti|bIkvKe5`xvm3u;s zdXr_ZE%@WuC-*?^U3dY3y=b{^9SPISXd0-khyUEp!R2yX3_7Y@7GQzzXvg;+Tkr9x zvMrJ+J>%eLYP=72qLz}t_glvWX*TD`HecbfUhF85dY*PH&43@T{3}*sF`J1)M-`>d zY448StL|?~GSINHRVDF$EMym@KW}y44$Im?6j=tB z;uwj}X`*rhuI*+a->w5fOQRJU^$6#{@o=9pBa!!0jF?rANopS=#@Rlt7iE4s*h2M1 z6MoF`%t|ckIgK{WRNzwJX&0EdDlJEoQ>3ri^ljxfbdrN|>1s zCRN74m|kp*ou}UAMF3{fHRgGgm#!_Jew%T5I`DZYKc=zrx=HQ> z6hL!bz|9K{b^*H8w(jq@=H}%ZS+Bl7rdrbFb{YHROZo02ywZ*mP)E^s0!mk+t0g(v z(a~;+F@nlxYZ3hgCL1*Q~Z)T0|R6%ORW( z#CG5L4V7kV4Ywaj;R-s0AAt%n_$E)bIVTyXkW zVt26c3%uN-ly7RpJO^kQmh;bIew1S^Tk+&W7|(>8!(XzF=~1GXXz@QrBsHhz#z{`Y z1bKAfI%XqcBn57JCguS0_E4#O_X487to6_$gT#l5=0 zWBubx`lCj-vYr2iyxN8^YPV~)iiJ|Z4M*eMT#1$n7GI_5`74P2?*dQIdrsj>Hnydu zC2uWV*B`wyH*$}E91i87Q%k(dXBd4Cf8-v%-oybRaZAkioy?9>QGgsx1N{C8WU1y2 z_KkttkG!aO1bmz;p4H&bt;0GS>Y(y7TgJ7cm)j<7pAP#9ZgD9t$(4|GOAlcBl!}t{gGo6OwA)P zZq?dSDsF8I4R-f7^}(h)Sw7x3UMn|VOD9i{CobSiDe#|Gn1;3s?slG((1Z8*Er8ru z9S4|Y5%7M#(BsoF2T8BKp<<{kEJ7x4S#FCACH)O9ZN5_BHSOE48O*%T4Q{$H>9VeC zb}l}8Yb*v={$-$Gca1U_7E_`BF;H@0Nn!ueiiv=zTvk6U$Hm+QvZd+>J|hONea>ki z=CmQ$8W?A?k#oSPCZj##9mZa!HlcJ5S_d$e$5j?P$+!fxY9Im0Syzw3(n?5Lc)-gf z9h^6^2K&enpPRO(HIEFDO3d#N<3`B)9oU5UE&dm6XBpP?8~=M15R{mR(l8MLl@4Jr zLPWqozyhQ@q-*p5k&+T=7>p25>F$n6jqYZ^Kx#B&b@uz8>pVE;`FV8jy7pk#wfp{l zzMpu#-!}#FN%i6_;@rWvyMiTQ8#R*uRB+#Ay6A8#(VGQdjw9^3cI%B=d}HQkX5ulY zcLEqQgbf-O6fyNno`-T=jm|X^V=1aifqAe3%Y+Mdy9!F0$#**_9F}u&Jj?siN zQ}wo3-F|S;ZSHY_@LQ|g8Ao}pUqg4kpG8SWx|{*)+Mygu(E$YUC99nZI-%EaDz(Ks 
zCjBDr-^!t;n%IB3t#gaE)9OptH|E^B8NOe>K zmVasVw_=#tt*$GXa8KNFAeh@<#dG>kT!_bEA@dDb@uvO#BWmShj(TaQJ>YF4Q}D-6 z9AYWAE%TJ&yeiC)mO>h$Zc4+QZcl9>4xvwDV>4Rzr5EcZB%tL&D;39k4|2dA%TjGG zdqZ znA7d)`Hvl^J#H&%m;GOr=3ZzY-GgmoTybTUdyy=7TeGEi418JLGHTtVl;Sz;-}!A{ zX1Og7jAAt~UHe5ByqMWky5DG#)lh9`ViH{BuWl1G80gSLIei#p(LEci^XEjR-2 zSpPOGeN=De6%-XC@NA3G{5Hc!<<=H7wwX9nWxh8wSh z-w8qGJulj`{&B;IsdT3X=z_T?R$?2PC;dD#*6NR4)z9~>lVeqSrI??DeIXqEPBKWM zFy@{^k3p^k z4viPW+`jGIY@OmPPBB>2osqLDoQN}@VgYfw`mWt65ZZnAn_{EmuvvSBN7!+4OnfMr z+&{Q(pfbbw%7n`~V_XwF6i2@X3Xv=4Ejuysr9i&npg5a!Xvq>H#&F0qQY5%dUTP^! zUOFCpU?KhVM)fig$XbjTfd4xD_&@=DX@M}Gojbib-*MvCcJ3!Foje=z6YcF@Sw!s3 zaN1Qo$pLr;UKWy72TZ%C5V%cCOnA-l2r=Lo@zM^m#%cprUQYkjEG!ZB=6_J{3Z9D8 zuLWM_I8-e}uWJo8LVfy<^9F?y`n$UIyA&7fnH~pEMwJ5dKHkey8yKA1{F0 zySwXy!m!Lh!gSywm%R)JxFK@O>fyVJzIz8!TSP<*?Y&5D^t0;;EDt%z<>(C7krMLb zQge88XHPYW>FxLc3p&?k?NXTu)&p%O{w%q&VOR5sPM#C_;lo|FTcHJ&B2^io>a$aR z4o9J)&<@pK(T=yyGr3M$f7mn}et$FiOtEz6qNP4y)wit?t@K!ZbQf}8R5YD1u@~O^ zjMIF2?;2IgkzHGpA1P;9QfD{t?k3M=tZ{{po6Zt5@TUI7C)Y=9N_*;oE4;4i^Kb9( zc7ms3-^Ay|>dto@{yCG`-EQ2}gG}|!_A$ILPB0H&3}rE%A)IKDs=@G?mk}zM^#rXm zqd4H@NOsd{fHJZ~szwW1Jcak8$1FciCg9yYU0*I|^-v*kzh#f$WWkNlofp?o1 zh<$Nh)OJ}ULJ|l(5@;2St-{nhtzs+=2lqd~;uC4Z@07V$93Sxje9ET*g(xzoX0An= zDh+)mMbN2*DFBxoE@B!VJ{Nf>D7!nC+H8e ze5}}>)HPWQ*r|gSl~E%V(YyPeZ8*6U+^Gr4vy8Xts;hJ*MM`EgNMQM*R|fJQLf4EZ zU6zsNTDDY0-Poq=AumsZs*VAJS#d?Xk&>}ou@kOCb2W=Sn={?gT7GlmgS|z2%3Jvm z_oJV&fMWS|9>6yA%m$7IsDH}PCbG0*LbJ{VO|Y-#d(JdP&+Uzm*}Z5i@?@G<>A4*1 z%(~RPE?p@g6)ml2iG}hte%OJ)Suamahfx1n>v_v?rb_iA!l5#Nj1s^}SokLErS`eI z66tvV1F0?$CnMN3?3*QUq~=Y0yGcPc z5+m8|wRJH%Q(O1)Oh_2DaC{6D4Cx7?+@x&T_O3R1tw&2(1rl?Vv_o61_dc5dFjL(b zOL%K-sK)~BZfd>CoH^a)xbQf=h*xOFJ^dL;r%08sp@li=9qPQj)OKH z%u`I`PU&f0qO{}Ox_t`DLAblibW?$w&T-Bo-)P!oD$@>7)^-s}!qmL%3yzkT#0giR zC($a_`L;a<6w#Vf(%tJ?*w>#TN8X;WYX7)WehaoFaEpceotAnXwF=1Th1}c^(}h55 zahGB7FN`5hOTQTDVHb3qcO}-^nYs;_OQ`B(+Kln9%0oFUwo_6p>Iw0-AFHQmbe{EA`G^itF8M?=+IK7QO~mc)xscewz=yd{UO#;nyi3DZD{=soT%+Be 
zw^giYeC8K0i-(?B`+H%OckiT{%*OM-S68a`6C$OKibF~TDk+obz3Wz!XQ#<8RO&dF zYq4Lx@qJC|TD0w@IFJzRa>7;K?nzJ-{nH=CDS^DAN5dVZUQscJ-zMaGW=uBW(qNw%1z4guSEtbH171)`3)uJ82MvC|s zB31TV`Lfc|172~3Rukq{mm(4hycd|5>Hix4H-rX$kO-nq4bo)WfCYrnLK=&L08LvkmJcv9H({^ZAN z5ovW@Y!_p@W@~b(DD*H2y0qA|bXvNvx~YMxaqW*Tt!v&8&H}`KegyEUqU~rFdHOx>Sv#JbnF#{BHn#rzSax*QM7-R=bB@G8Px6S3va!SA3cEQ_ z-lHxhe3!Ah2WrBHEC4t-MQk^ibzNU}#5pdXIqqY=hF6y9HFRc1|8zYu_p7;T#k2B& zSOLU|lOmWk)lB=L*(F-#2Z1Bx)fmWn}Y*>^t$lzwe|Oi2bYX0jiZ%;zBU*oxO5jLoNJl*+wlB_m=ljp?Jv!cVX>VtF1;rwj`xpF;65fk_q=q3q(4*ys9akfXTC z+xssZiQUxW;*6d?vQfwHN~uRIqY^Uvn!YLSPtuEvm@aC7;)DSp3t`o5s>CuL-2GhZbZ6nQ@^^%A zfAL+i+_m`?f;IKt?2ozOHY?ADz{Dx4p4`qy{Dm}vHZF{!px$v)+ld~IF7{coIKIic zGKpe~opH(Qj~=(4$7`!(F=z;Ud+?K*o{Bl(VF*ZVPQ4vuCBLDOt&!sqOUaQMJf(8` z^RK(kZ=KtEUoX<^-Z6VO5+tk#HTc$kx4Dwz!v0tC!G=R!9Q6-c!QV;J3l)&!?=cxTBIS!JCsn_Z7wF{oMQm|d|Y3x8lqOY zo9<(^xjk3$nytIBRZKX}>iv77g5YzPFA8YcVe!J1Kl|h=AvfhJbygfd3T?-EW?r}R z$wpyzXYeX+ccME!l;Vy$b?g)48#XE1UbC87oa70`Y45UM9+>DdRxy4E9)f}s|A}mUg23Q7U&bDmg+WY|*?(`_7D|lY)IH0R^-KT5JXXbroGU@5k|`xU^rj z-wSq-Wx7F)^Fe2!H9z!6gs}O^<5%OhxE+xnjRnZf$Uu7m0!Gl(S zCN=qZJqr=J_%nm*zFx|GiZfbNEA`Md9p^v$G8Louj&3CyMGNjFd2&ClWH!6D>bqty z>!#ga*?BvU!=cw*FspF_1P#&sMS;Trha4)V!u1pJ+YtmHawDg zDR3+~Ch;S&*x#l_A{C2TyXUR%;9%kZ^TyxmXWiJ zOI1=(H@4z?kbEq-_>B*s6j{6wSyVSO?sS;O44781{4eU-Ha6pDU!%NDIvXIW7 zx9jC>%|19FQHEoS8)Y}4Q@Jm%0CUv8KVN1* zEm~bBpIr9d+`2{pxXI^NXb?=`vZH#KqnUL}&p;H%vZWT*WMAeP%m_<7Z&@~xv5c2m ze=nFF5r$IwNpyC@wVO&L17(HdLyEh*qHUj*}Lj1Z3w96w}OU2{`3m~;N}n|YelKeB}g<(oj?9hUKrOS28k)5?3f zDwSndO_q?PTIbnShwh^3optG=7I~}#zUVcv^UTXN6potJ^B=jgfKBGEHH~{e*1A|a zAQ%TK%rl*JIcY+SE30BuWukPCKGiw3v`pdT0y9&jrmIM}hT(=T4IAm)oyoI5GFNTx zm1VeNh(nNqU#G@ibcSwy`I&t4hQ!E?<)hF5TTf&sjEjHq)P)A{Hf~yKJq;OhzC|*}S81I58UhcqZwELNnX$ zWlszhQmHe|CTmp_Y~0m5>qCYUeFL%y<4S}C@QO=iWx_!M9RCw6C)@PH9=LHameNXD z6fn}QSo`;McDJ43EySnt_=qL&u%~rCaT@2EXvTYT%e#j_u7$?A!0fsiAxV(Qp=*1+ z%Wq_s*N<;%-i4Ii25BYj2!lmtl3p1%hs7i$={D7fv>#r$xIaC1RYCqQ z@187oO>&iKkpQ{BTfQjzZ~muivN^>y27AT*ix~torA_hTw^l&^Ve=HS^vyM}mQM@; 
zNL&S~UCt`|jlC2AXDafCD>8gKG4a_*(zG}i-x~@s2GF&<+xrpQhLa$UCLAeV&wYvR z7U(&`CY(@!%(TC7xi}!6;OkaG_qNJj0gT^g-y(~S?%gnr9C1NhX2U-eR zaIBzKRV)kIW+Y2k)c16!zF9H+@s2?p5)_(?ygr_V_}7zkussLqLV?Csg$sDbuqRPN zo?+naL`esFH*GIm@_f_cCQB#3lK^^Z*czS0mTtXbM4NAALsebn({5^1cz1KZUb@Wlcv+1;r0@F!2qIWTe-k^Hf>% z1PJ|(^NsKK#{YR->%4ug!9H^Qg<`$;Us0X&j!1bdk*oF>w{eJ!+~uHh!}jL?MrQ;T z0q;3}kP?yRxvYAxVSb~Ab=zc)z>IpvesAMyOLrq*fjN5UEGH~#&%Od-@bL{I^|tN| zFK&yO9JPRBhIY%(SxL5U2WL&U?{7Lsyt+eiRO$jkCMv><6^SPJJp9%@@$YJ0p)9(gu|KGoQU3i7sfq9* z&4hZg$CHpG2RBZ9gn4(1Y2r;4Nh*Ef4Ju9THP$@XPC8vJqX)Wn2zp3sx-Gvk_OVn; zFq1=_d78dcK=JU#@=NRmLTL%6ZsHaWh%F;GK2$d!>Ti_YuM%tCNY2=c?n0j%RT%Do z5V7{`NQrH87P8Ow0aE~ibNU%9XZgIlsJvoFl`Ly%gJ?)5M+Tq7t zxq+0tR+g~3wOH?J;dM4^gY!udEw{MlQhsFi6vA~Be4C4+9N9XEWOyUnc=A{X@YKQ- z@sAvjC>F_7MBK%vL}$PGdH?erX7}>dbv_sV4Z^NPILN@Ic{Hps%R&qJBw+1a;kVz> zCoMNWH#Kwxgb=6Mdfs|2>Oakg{&{o>0?W%d%mn$0qU-zzx)#p@Pt*@88~roj7Lk$| zQBq~I+VH18h4VY8;XSWn0`Z`2(JPr;ADXyu;hRtLMY(D^$_zN<7w3YEsuK|u)ApB|^PFA_hfC5cE+0^o z!a3D}aF_XQwO#kkYytmGN%+|!thkQ`R3STc6(Pp3S__@ar97QCg5*&bONl$?Uq-dD z#l?*CtFzTJy(p47EDLfg&CNgrspvPuELstOr0woYQpO-m@j55=o*oxo13ss$_@MPkLbnY?%etz zz#WQ}6|TsH8J<^b@|=kl&YxnWkExomZ_27_Cc^ex4gyRN*dvgO#Z$kMNk`VIm}?3e z1l|EX@zw3fF*2yBpvE8B84MhuI0>e9#ZCkzF{^iP3u)P|+~oj`(PZ7j{$NL^7_P@F zUIcI0eq=X36bzFVrz^rl3R!&B3wjZe_S-ENaUz865M}Fl^;&UlQmkZVaFiuxhNJ<0 znBS5Zy9Ht2kFOOzQjl4gGOF}cubVPH&ZhXybYpXyLdu&s;~lR&byu)9(UG{z?ecuO z<$wv?I8Zt_nFgq_oR7Pz=hOex#<=S9ORw3arlxbKfB3+?ol7Cn9)E9JETdmzk&^iI zA~dPvObi}c%RG<#44gH;9Sp&JY-%b}Y$!5-)+a606}{3O-8;SZf%`ibf34W7*P7xs z-bk!@nsSd*Dy?Ya2$CPCye!_e+N#eQ=Mi_b<-Yf^uOM&6VbncQVn!6GEZ6BIj^9@EN(weR$TNE74I?6Tqhp%Kfx zgBPO|sVXv~ugO0K$?uvXDyJrglZf3AP5!|l8>aLhNyArG9^0UE6K}Xirz@ zo?ka>Ki5bgD+dwYe20>02at~WLN@P_7gw(pMobblpFZoc&tR-3Oz-dH&;loB^% zZ*`%QA1k|95}IR619_mcBrWCu{blty)q#_GrVs0 zy>qD%2v0m#YMW3vFASW^)N*63I6feIC)BpNYn(YZGk!Mm@7|a!gC=E$dgmXQuSXA{ z+g5BGbyw0EsF%rn4_!*v?|dqWh{_ituh}?*K)0crHqc(5oVOxWurx}D47WL$8;hZr zp#(iF4l#Yj4^2?^J?i0kgez)0wDNKaqH(Vk3DV41d&qx>D?DZ{o+}3+ 
zg%;D)HU=Vy&AG$&JD)RjTaR=XS6`)H2CUNde0uX~wCqZ8YZv1+An5{;`CP&KE`0iE zcJd|ZqQ?ZUy8L#qbV!*5zZCp8S5s8ULg=w0H-tPUKUzf)%oODvv&Q`kSYw{RjzZq( z*V@f$2=mUr)O3xXwc5dw2Y0^khP7{RmZ)#}@xhk95Wd!owTrK-Pq;J9x6!^j+VCdeEi%}BS=x)k_F+^K-ADbSPl z$v!+lo_XN1rdz~BKkq_Z0s?qCrvrg53c)t^?zmO!LTEo*l5*Z8D*3BO=K|bXzGSI; zyuKtLMoLw4M{+8pn5Obf(kkiN~7(JcW9YK z?Ys*^Tc5sRwx#Wpq2hHTON0gPKGb=4$*U=LBoX8yzSxwoPv}zT=2zahe@%fsWHJI`;aN z3%g)Dn{Jv&RLRpLMnQEBi{mYOqII64(5Zj>M8wP|eYNi>VB=zqCyVpkWDB9J7Gkiw zqrNjW$I}3M`1Zx-&Gz0l`I>#?IHgyAvSq&4h zGimMN=D<}RvWzC(f)|V>KtZ`Y$`))yR%!G1d zhaWVcbriZ~xt1Y`<2D0(%*=MgMh>+3G!$7>3i*ECd${M?%&hna0AjoovhA~QEMFdk zApS+H;MGtC<6dv{WM>xL{^o?wtOcg+U6GrZ&1r&6=#ko2`%*M@XXqb1UhL%t1pk6mDbFTc3a^YP>1I#C}DyDAYj=9>H$AS zRToK@51Ro9JlMG3eBN^4DF9Tb#H8cY6))rW0~bz|8r_E#rXfETrU(cYVwXuDDISP5 za~E?u#BXy@w!Rt``Ph1Mm_Z9U7ws5i;f3mT3oATQiOst+5v~Vz(cyP&cclVp*>hEQ zRP84D8_(JVVB*NcEKy$$?10syGcivQw&j4OlHG6OaDrRSV`Z(+mJ(I$`b(zgx9ec@ zeIoBXOlgr!d@ENn2+NA%6C~4k(-Wh@o*f_W?fg( zpDcQ4q|6n$;P5bfiyj)c^pw7CFSxhRDetr1n`5b6<=m=raci>^y)aJVvemR z7SR_=^@gWZyL_=IR@46+g}7UL(Yj6KkZzvHa%jVhy%tHEuW(08EIvrfinQ*TYo3GV zopw_cCy;i{s38D3Q%|pl2ZaVJgUGTO``y51?9@I4CEM*(4oSa7)(%NN|{f~x|4aV;Il!VGPlMZh}jgjR9bS#6}K@AMVTjlE$==VN^7+$I7k%` z+L?ma7aKH`CI(4@om*{@5D3!Ky}+3bskyu;`}?bMMKIk1MOZtFbIMvw$q_eN#F9ZC zZU0#)6*PW4W#GKCbXi+>=|rQnY@-no>G=B~dOawR;S5OMF0S}mFFqa}=9#wmJQkK| zeH_}q@y8ci1}B{!-907pHz0d=94@uMds2c?#xl`ooiwjfULNO*21EwFFmIaV2p0&5 z;xK~v<;Fz{q%&~J45iG7#MjLX&AzG<_t+E^)v=WRrbU!CtDLdyWZ!A>q>{*FuAkNm z%6vZHuYSiQeX}3~8+=IiaJRdfp5^liZ8W80YHh7NDA*`}kK@g;nx1t)9CKs<_o ze<3?mzwbiu8MNR=H4$Aj-FnwvxzDWP4IK~l;2F6)6YsSu%ED6?wfuk4pzk)(-jKgD zUv3t%V=lmZeDQnJWnEvHC^yd}@EFZo`PYVpugv|J?`Ws2>uTd9XM_#5-W0ur;y$n6 ze>Wc!!Mpdt{h6U9xUAM;cCOht0VwCXa(Ly3?mII6V>n;w83kwiBPl9N%Y?p%Rw%8I z?tl2=7Q?< z8I*QiNZz-xj#Wo6JBhDlX`Ip>hY`Gb>NGGbh_-~;Qp{_B6c_w5+XZGY8i#Z`Kw z(B-?NH5SAgy!e-8<{}_U!7>|g|x*Z8hcI65z%yfFswX z^?bQ!M9EbMJK*jVuxXl7P>s>sd^O@FLdoT8IzOlDx8j4Iy!t;byAw6qR*oj9?V7Zj=8QokPiOshk3#^~A`8jK*vRYL;&uzbZU 
z6oC7b7`j)+@sAjWD|b9Uh@_IOM1Jk$3Eix~U!Oku*>KhRZQDSv2-72J&coC4fBtiJ zh38B+D6QU^FVi@Hm|Z3kZtRzL4fr_q?rkhOGL>ivS>#qrj#p9*T(J9HdrllknMdlC zy|<;EcHV9^%&W{`N@@%_n5_5d2l)Cmt17&{+J4>`p&E7S)t3lNQ$4lT4_<4>98Z7tQnS-oP(7YV>_wpK+kI6R&43%&U6f?%Wgq)pCah_@Y;wEbMPGO zC$#s8$UnJ$4_An!+rk#=3K=01!Q6ISs2{c9)YP3f&pbM02d(P6^Sks4XsW}YgFCv0 zt_|CY?Ms|``wWjc^9M=IkAhU_s5w_HaoKdSwY+ii{Wt}N_pl()W3_2EG`Zn$mb1_d z3GG@-&5Juc^dy{S>~+1Qu17^zq7u8zG(bI^2GQVH^NyFV2&FZ;`T*JWk^L9$9t-A; zGqNs=p3}av$@6cnHr*?2*!--7x`R9H048CfXP)k@_5Eyl>pecdK{PiENuP9&5&JZA zbYQa-^Wn97NeXq&%c~61*GX5cMNcZ{*W9XrW?fuD5Rkou)r~m^5s^ z@_OLTEa>Q;E$c2)-wrAN1iDyJDONmNedK=Y2kE1(k(DN-DrGhddh`$w;}ewt z5T5JI`Oy1MIU9eW;QgX+E=>NHJ>3zoKEgInK1zu)T)>KZamO#9JWV#)aj#v)UeWh& zypOy$pBQx&KVcuCfRqXCc>RF!zygV@0(0^C)qTYoIS{>^gGN2J4}U%$Aqp zmPtVZkH2zm=$E^6KM^t%>@|BN?}DcQj#q;~=Br$_R4X?*vjiMwFt^>k726uR#=pvI zhy(g(_xi5CJdVVrjOmWX(;-Tck8<-Z#j<|_=rpCjtz9f2MKo!P2CKg1B}jsCt@<>0 zX-S$_Z{T3X5{|tN7Uy69hpeViNp_d>cYt27J_d6FpPod}ek`cg=8N>%WlCWr*bT9& z-dHd3ha4jWBUt9%a5g=^kSMvH4?>`F2FG8EiCD2=V8*fUF`U*<^P5jw z*>GsG+)aLz}_ksToA6WS_2_OZ-ThO!7@~W9^hE6cVwgg>vgB z`T}adEA9$sJQSUceC*AAJz`j619T)Hu&WNmC<|^F7|$WSUE~`X%4~d6zlAUxD}6!i zydBF|khSpqU6(T8qipxOD6U3SMrblw@#8!@@?&(`mTWa^DwjDPhW2H$qpdmSK_R(E54I6UWi z6AQYsWlzFutPdowWX~{Mv}ElmTfe;8XPy?ep=He1(J83bVro8iSv1~>n3++>f3c9K z4^w-(+^wx+!_>$7>_hI7a&hNPncHI7p&8G^b@AOGF9w6L@9EN0zJ$@HVHe;0u2~#~{m|yHDy-w=a>+4MWCG+Dkd-6R{ z^36X>yrqwoP^)2Idq$=G@?&+!y=#hvVhulD#P4@3@hz_j32oepsJh1n#V3Q?Jc>Z==%6EeJW;!;c!Z~OHseEyKz{^LJ3+nJPOIYID6hjTpkf@}*nr@`SN7!AU)8zaR;Ks!_6oJXPd^_#6-8a15>+V+ zbI>WCtZfg8!6R``o*z;K%Ht_fG>s1f*Dot-!rw$39fb5cj@k_Id^Jlo;(!wzd@gsz6b zpNn;Hik2Xg1D;;d-m>$k=kaF;D1uD}N?wWjTnUpy_zV~C9G3nHZ*w6id+xSfRYK{s z`H^xR85T)F3&%jwi~K_8=?d3(@044TCN3Bf+3p93xRF>bOlE5Q3O_%8AJI-UXL7NM zB_5-+l!)?B1bh?_d^Y_;DelbZx<9FgXkU4)mBm|{iskGgvfoAdK{ntWmY9u+S*GAV zV~u`vZ6aol%ck7$=Eo9;F-os{dCXy{z0MpPK~0BT>)w&HJ{7ThRSk-e+-D(Dx3vH1 zN*?jW`2S5B6}gVJm7z*ERHIX)cj~*UwCvZ*xITBcqRr-K{hm!K?V&tM1%3Ir@SfwZ zWNoR7SZb@=10QymcxcN+S#`@JC>l8|X(7esdzbWTZsn$&m|i@!0w)!p>{I(AN$EwX 
zMiiZK5>np^y9)Yy`fO`FUQ_T!XjQ)jbf&>7^jIPWY+k8hm%7UA#IhkRKj=ab* zI(F;nbbKswL&kWZ3begj@RdNvzVLi$E4!kD^l)7$xNi7WtfkFDg6%Up+GEK9v-p1= zVz+MC+@ih_5uR{AkuB@>N?20o8<$RIkFs#H*Kx^NJ~(WPSV6m*2|mY}KjkhN=l-G@kLDe;WqX}qbm z4|m&tpVg__{z}GYWfc^1N;{5ys7rPew8xBCPIRU#mm=xaf8=Iu_VBnQEVv|!-^SqE zWf`72{opve=()dwi#t#vVml z`$jGdnbDEJOAUHk4jN6#M zcW8YI>3j6hOZEjr?nZ@&@oVk2wWn!Me?B>Jn0}3k>8W{tM2j$byTE16o@IIS;t2;S zwf#<=lrYtkBIn8{DM5CIr!wr99w#v(oYt@}59DY$VtPUrq9uf!JanYT7t2Sjwr%(@ zmZ~1%k6}J)h25@eYASN}{x0eg-X(OG*DFU28k`yjoIU!ZVmsttm7K6iZ2odCF}o(q z;OY6cfR|2>YZJ)hm$&ovLfI&$`b+t&2R>RGnL)ME)z z-YQPTkqP+~+Q^M@wUo*C*G{#^699O)XL0!4jcV~)tK;M?Ncmtty@`9Z@Y@>KYdfH* z>uxI`f`Hrj3G{g>Jvt@*FII~LNzp9nQ@fgKx&QY^eL42LSs|())gwl(sIccef53o z=s0AjZxgR;!F*V z&1Tj%6M8*G=*MGXH}q3mdnkNqy?$2LKzL+~#@+b`oi4EHev z#5s^eyunRNB7(L~vv16v5<0vx=7f4bYTG}uC~Y5DTii@)5HV&yM&$#Y(#c1I%gH2C z9gQ1iJO|289a>Svt7B=D-Lt@Ch82tLN0{_n<5MZEK%gVC=8dmnsZY}z4o za6<6r#{9t2(F+zxvQ3g0(#3ka_h2m4=Oxo7;P{jLKO25b^_S?8$5q}lfbk}*Q{JLS zn31B4gO3I+$((#*pc?w7vaj}TJt&u~IP|?b$Dt=>u2IhZBw^b_JpSHx`S=>9iebv$ zvxg`0!|g-ZWnPDEyWLB*bP0W|j;;no?Sb(_C?R+x;pB7E;@6{B!f%&S+Go4C zIg>Hrv<%{75poEl;GrDt0<{vTOq}D5+E(C@J;WXa!*n>tEl*uoafvv}%O$h^UpwVO zx?%iTI^KL=IksmDEWHMN{$2IU|2%k1&9x46@jbju343rL34eh`C@FaZv_B~~J@asI zcD~vApp(2Ec5DC7b^v#j5NbN@O|B1OE2)xNxi)bEwtM*?|G+^!oLpC zSn4t6@JYP!W^1FSJ~s#NiUNSrh5*o5m!grzLb(p}-@n)F{JQxWUyaQKO1i6L`AwX0)jV@bd#Pa2Wejq| zYG$lzZMrsL_3xZktR5OmS~%W0#4WEOmi%c{*v~lAfb-a@ST;EJlY93&Ryekz;S(Zy z7+)-F{)oKHEEHSx+CZl`EAEgN2d614hL1D&3vg;Nw@3RcAwhVRX`Dkz9C+MahuEI{=2 zi=B@o--QMKv}CvIG?+Kimrit*yA*lnls@|P_$8{b_~<1^8Fw9BqyQ$G2Q(Pr=PD9q z6pc-`q35+VV=1s|%^yV%Uo3D~td{>T!rnS4uITF)3>F9;+$F)?webXZcM0w;jRt}R zch}IkyL)hl;7-%Hd!xfQufBP|H}hW2Kewvyt*$zEpL6$FXYaMwuAX)EU|K@G?GxS?rbG0#kM4__Au(RVB<-9X$Q z2QgAbW~-QvW2X^rzxG8Umwkf0Jd#3RmM&X?pni2xuYP}Oy74M46!7pUBy!fZ9`Mr{ z^fCnY#JL1VPw$M+A>QWQV@M;l3wN_W`1r%Iz!nT)y!7Aa4#UC4zDVR|4i{jNI#RIj zJxS>b#O9uhESM~j`@UUHDP8CyIfX-Czw~v%;$MC_$LRVNp|-8t@Q+o<@!86@6)(VHJUXCG9^vw+wx(CD$paE|5;cZM6n{5*(xLL!ILlUc|T# 
z0ZSeiah}GpFkLhZk|fY8TBNa(SW3uaS_4gT2SVovVpAn`Q>5^VYQ13T+~j;j@$zg; znwx`FT)^@Em~JHMkiCI#aVEe$PO<)Y#_%F3;?MAXhYtGvib2?@X(}Fk6VbLyGEPCY zQNuNWYn|TQHvg&f%lb(W=^;`s`DVboIbOo5w}&H_L_`)yVdZZEE-(mFEQL9r?-_&Q z1Kwbf-kw{gByR#|5C=p=LZhL`k>8)M!S4?6H5_RE_uEC*H*#EIzR&yJ-7J`|Po{p~ zRGhzdy_r2eW70(Mx^I6CN=GpOg^`|oC-3@Izn1iqsmL({HJXE`e6%mc(w{H;X1suN z6HN~|?rQz@i$wxM?u@l~R)f>B$zzMJNg(a-3d%tzK4C^q7_+ojWgtuCyGy%&?@|m* zaR63qLgap)XkQ1#1X(z>DwAgZt$~V_4RERw)~WO2fNYCiQBrOB;}a^tIxkU(a;X$t zh9AG)m@P6eRecUykkR7C9jm+P-$qpUr$hXpjj+8HpzJ7FiibQ~a57_i@k}PN8StS0 zupdVEa37W*H$zTvb*{9Nunp@L9vKkuQQPb$HSb;Dhw$o!w&0u%ClCA-8{q$r$Gq@3 zHt=6xdYjEZlA%KHX*V+nSwx4rMP8ofx#D0*!J(Mq<|CNwcO zVSo77I-K~~eJ|m2*x}Q;SPVI!Ctuc|YbcVqw#g5{m%83*!u4LLokTN(X!Akqv$x2X zN{&3*HfLu1m_*Ee_L9MyeKSAOF!L>+G%kQt z&rHJ%kx3z5aetD(+j5jq^iI^1OpzNOUS7Y1DgAzmG6R^uLO+>;H^~X#ixJ+<6%Y`d z`}ys)ruo}oJytMB+$A{n!#k3>ILCOufLTRe8(87}-d>z$oSs4{!QHt-_xGGFN>BF^ zzmzcecf_PH%fCBP|4mlW(cCpmM1YPSN^eDdpZnUJjU|(k`c+ENiuvjS%bYWJt*TP7 zh;xED!WvJCZLsw@o~Qttei_#@$|W+IB-3-yXRg~;H-PPBp_)SzMr_x>#KoCP7(2tc z`2pm}qF*#%u-P{#m23SBS*kUa>T7E}Hbe7o_dJ(;XTp^CJ(0n@L+PHcTc0m%{!x7Y zZ!G{MFL(g#|9td6eg=XO0^xPq9V$$PsL|NLP}teOd%vjVWE&LEhvztKyt*L&uI z3X8{b{Cv_ZIk*;!?Is$yqc?3ha=CC~X4#_~C3Ocuzp`euLkGZ@Y^?g-mou?LuFBrp zTQW3wS?OSe5EPI18EuE6hFLR-)B}o$(T{!Q`Xxq2QMrjy52nL5rO0kT4s_M^A7$5uxC}+Dp+#kVQ7Lpix74 zqAL0@5gg+nd`)0!xI~ye@^a7~15L5$$~+GRkC3OIr)mstU;$Yir=l?eJ z|6$BMM({ABgIBww)U6b>WBGzBoMu+>a$JPO5Kq*(^z+c@$y)<5lsVr0&=LGt8nVj5 z8P73ez?@4TtP<8-D*}OQoU7TJPRu7hv|y)C^1S%0Cs(adme`pV=%?v_^NE#KYZ?KA z+kXFlqu4}(5vr4>_D6)TQ%WurGqb4U8a+=NYa!+dj#7j&&0MCRU1f%rEQAAiH)qE^ zBWChuLg)IO!NuhLrhU?;Y~qn~v8j7|Vf_^pCw=B|gZ`jKNgX)mSbu;ebiqHB1%@~B z@KeLF%_MaV*SXLCW|{r>?ETl=zM>MuAE~b8~3cz*0TZ(_&c{n^bE9c<&EC$204BIw!qP{=xNt{$5P3}univNRU$E8&t z5btdax>guafo@t?7pnmcXwBSa9saK`;Quf&q8_3YHGPCiMSG*0UeuCc!{p4p(Kr2! 
zioV?fPLXhgxAm*_8?T0OT0eP13%!;8V0QWV3_2!rfq+Y*ouXDQ%@jsE>dKip-Vyd7 zXVS6Z2oc1l2EFuj9u9}YA>bE;c;NMJitoeeYBRab@Dnw!9oxy^C&N|GvxUm>8N(R4MJy>Uuw zL5~r`fA|R8zt+S4zaR2{S~$iOo`f9}Vuo|xBGR-L-EPv(AXk5Sgy$LA(yvj`VFx_P%-M1sVL}Q& zxX+$Ta2XaKe)2|MN@9l*`390!n(z3cks*8dM~1$rUs?$(~(whmNN zF^$(y;F!{irE*3`2oGb9&7pg%=`jEMV9JXhHpkh3yU@cy#ie3%@#iBvPBd@Af#6%8;=AfB&&lR@%z(N6 z8%ndYvyee4!-REWkKxR7Ukc_7?s!-PzkJ>q2R)2C@9Z!|eaz zp8way`A|+_T-4#URrx<`vQ-@}I=;$`d7MTv;cM6wa+ny>bxc6pJfl;aqPXHjHn+n+ zODJ;9OrjV&WNYng-4CmTCvQUOS00S;*WBVG$@LEZ6|oV3sC?||KyPW(G|P>jnR18N zAZ;j`G5XV|O7?u0I*kU=t_}`_jLhmzXqCR_EhHf&hlQS=n9B1^U$xti)OxijS-nbI zg{A8PV2y5K-v9B|e6l0NWp&~{JgJoFt?fjf|N3U`CL@4cL?;J$sYa1Q(QLG-$HG_L zJf6d;9 zoB3Zk*J~ZCrI0xS&$%_Hv{dJ@;;Bc4>qKYXshyNiJNFc_=x?+2mCdgAWbt)q<~ty3 zm$$OF;h$ptW(!PqwwqmwXKm*+z^htBifMobm6ko>^PCf|7mw{M(qg-Y*{R#%zgO$^ zGsWoXnA7(HCM7_L_WLcx7fKO~)H5MgWt065C`zFRbCL#Awe$~%*1affkdrFbkt4`M zyq-BcK6HO7Q?Jp`^Bm1CX>T~5;=MtJif_zbqw|(J+h>BlLitdh2sCkYg52NulIV_D8!1!4dHAJeF{~^t`dIos|if9T}=MpUiCQ{6Y0~vyo1FR z*J5+W1%w!Fj@hnjhN!wQtW1N0H`;BR@An#)`RI-js-O0jb@a%eD5m;#7pCzDW)ha3 z_vpYO6Z5!fMhOd=^(nqYK*^{nQY;uri^w*ao&hfOm4+B!Da!hAP6LR3SUUSPJpG5oSGIdi9 z{Mg7Pgb~c4u%eYpUx4`A4hwjV`^=b4)i{cqEVTT*^`~PxJX_eGtjZPFpZh{Da+61< zYEkn_3{zH2CeJTyS7h5oG_BEekt|)r9h8!w-^L*FYRNfxuu2)HLVk4@oEj9Rq2-uRR}^*gMwWp+lFz8soacHx?v zvpHC6h7OEKSo-cEmi7juZYp^8Uq1Ypea9NM;d;`V+v8qL*}@@-RrQi-j$Bn!Y}thf zwOienI;|j+jN?9MUe?S|j02v?X!=8!(e$@CSD$PKZd-K?6Ua#`3P|*a6Rb~H2hjZJ zTx4VocwMN{|2SLYfVLbux0qP29)FIA-iPwN!}`Wa zr^%yW4dB|uRbiy%{|2>97dB0iPvg@Oez5x~Pr$F_qQwOBls(NgFvKY+;GmYy?_3DD zdQg}}r}=<|LN!Weg~wvhq;KeT3a8WI{VRzvC3x=OzSKA^BiHxy1-uV2Q%%&1w3$GE z$|M&V-FGQw&MG9Wa(&6yC)D7M3-eA;x#;6!v{>m~{s<$h z9%|zQ>wk?!dsMHrC@8*HII?)ZnluWQe}E;Rpl|m$OQP)ePv$iurMu103g$5rogX`O#xToPG#rvg#iJ-iz2wtDJLA5rTs+({grn>bnVtX%d-DH8+8 z8HA>~w9g)QHI_&XzoZ(z*8H5koe0 zlC)5)vn_!b9PvA`cr@HdYJ{{|i1IdLK4o1w{J}^d#uM2Xy_bFMF1x+pI`GXrlg|NE zlXkl8#h;e1{4)#xRAMZy8xBY^gmnx^BUfn+{v1;~V##8t)1poXzdPtfuyCqOh70F$ z_Q&O?GpUI1(Bf}45laQI-%jJ42$mE{IJRdHX{qVDl;&#u!o|=5P(l3!X|LvhHvD?y 
ztvadX%J{vwviO8!5o%gOo-y`FpIaCl42Q=}Gq}#hOQu-N7G!Q4>}XwYw`jY=$11Q$8CoV{&?YHn17svoO1H_1#{KwT z0!mdIDQi#XQfQ76Phrv6m3wIdG5HFSdBg#(%j#`g%N;)%yA|14D;VKby@`D39@gGW8ceib2K%dk`*>mH5O0R1DM z)l!H3li2MQ+*BnGaZ}MqMiLi5;gf2qJSDw8MYm1-mAN}W5P7$WSuPoQKRKQyTcE6l zgWv;+Xuw2)c-P(OiVeB{(QgcpPCHRTMw7%|w^m@)MODt)r!?ek=c$&Qc#Bao^o+WGzNGp>t zH28e8>=aBo1h9U)#dfQdkVu@k(`i1#PKV5-LGC1R=s(fPXfZ00hkBJ%yUnk_X3nP57sLIZr9bf|p&HjZ_E`b=Q#S=FL>sNny1JJo<`6++{(fD@Zw0`%G%b_5T7Y zzlc%?m-3Ns|B4k(BrA4Hb?hdmV(q+2K?YCqHMZ;f+~TTow?<^STPRttJ^nTA>dfv3 zW_GukG^LAYSc5|;)xQxnSYZ*qA);)LW1u+F{RC@s;et1)qHOH}L$!>@Y>!StOpG}N zaS<`TB>k?2jpVMW^rrqPv)sDKLwQekq(5s|!hYD8C(U#`>%R55>zUolPVyfnydNC) z2r|#m;al_T_*i!y_)WFQw67Kt+HS|lv;_ZzBjOtHX=QR)lo+PJlq(lEQvG<9B*GVY zM`vzd9ls)4;F0Ajau7=(A7pv#6`l7y}le@X~{a1M*y=^8I6(*wD|L_h2_eLDx;gUpb|3a za5vWE{Ld_|sA1r7*EzzN3r;!GIr%ti=r~eX^x#7yzpnVjRAKB8c@ggdL01jtEHcMV z|D{emH;24qa=IgQ`#q=w;#yMq4x} z?3>&-^wo&KtE5iW&88W!^<0n$qdTD@RisaV5kZ|9+fBJmR5}6m#jBXoj8qp4*?JG% zRTh@6Jm4IP7{~20Y)X?q`#vaVdn&S)E}x;cK4)Z_AJlwS1vya)(Uppg3Dn{C!PzXD z(@H%z^@dtxTew61ve1f7C#fk_u+FuVciasMGWgoS=g$@H-^GQ@X>ApD$jjo$B%t_s z#O0h4kDVaU_r4LlT+;c702lbq<& zl!D8+IEt-wn>_S7C$&(u$s~Ax(r;{D>gJ#+#d0<;BfwJ$C$=QM{1JvM#BNOyTkZTA zN2f_xL*#*zhABmN1OmBoRZ5cU(W}!oxnNQ8iOY8sEou&B^?u>UdF(ZAOY~^?wbIqW zPwBh*RnX%k?w`H&)uz^F(i6G2zVP#bnog&8BTisk#J!|h{kVP?S=vd;bz5V?wUSLV zZVw!X>mX5Mn1JgJ!&=z4*4=SM7btKYWSw2cApb8Awxu{Wlis~NB{fpT=A? 
z;K+l&*wwX_z@0{m=~wR}39};xe9_#{RPtaW!`OGr9EyqKI%c^Uj66zt<83<3Y<6Jb zn#a(93tn*cKS>f^|384cznoXlRHKn5`&AGnSM7N_SW<^Gpo6R0NFigP3RPhj;-Z*} zH{0kgk>2?+Oi!QP5r6>C$D$vUttC`r8`C#Qn+r6oYJ2`c$Yqm&O3sNk`gwoknzidoan?TtmW~te z^fs?btvkcIiYk%c6FFezp&jNfM=hg+*74zK!1OY>P9=$V;pC5JBI+C570P}5szN4 zj-^|nxt0f6QTD^5-$S=$_d@G;1ZRDJB-L>nxa^KH=lVW|G$o(8KLGn#CNa5Bc}{#32n3EDZVda|HQh z8{rvOxr!gtTtQa-YJBQz82I8?Irn#ZYlx?!_G3ZyXe42d@~g~_o!4E@cTWTZmOagz zWBdksVkV~Tlc#(}HOJda8v|jB!<-aLyy=P^;lv@^Zhxbn@o1QxO$A7ws<%_gUqYv5 znHO{E=NXc}rwZpiFqqK1Y1c)@5>EzG>rrK5GK-#3h|yM44kK3$_6=GrS{>pQPjStr zPjR`jbkAs$`SFSv0ytNk1b>YFzHbVrbdsB(vcokSw8TG_9gd>aH|yYt+O#6Xcw?G^ zEDB7=zG20XcP-oUh_x)JkESv*(jW5mTb$Widm&)}u{1_le5VS1p@{!AR z*&lho$!`6fE_{X1;9xW)>qy<`mp*^G#Xy9}?;A`&!vgplVPbPb%9yWw!B(fakc#bf z9$&oitjfbmP@wQ?Jv^n_s#-YQbjj>;%D+x&+%3K~yDYxLc9A9Bt6#nKDh097q?73CBoRZ7Va0dAy?NwdyMH%&KOjz%Ia6Y3 zLy94Vl{QuXo!6V2hAY+$igTad%7u)MIVR;;X47D7__V8+XH@tF^6sVtOvbIA`-t;6 z%4kFfRcMO1uLevSuZo<)B<8?*ZaCV=yMp3+f@1%Gw?cpAO~`4E!Tl0WZfmq1B?5GZ zAXAqDV^_S4{9etC_}|v*3$msXSe@NTo<7#&*?{!HLww zO(QH!(~AxXOvE(@9VXl2r5iO>lPWYy=_q9#WqhI#n1i8_2Njep*1p%vwl9aPwY(y^ zTvp18o}~6!06ZYnomRyqdDPqZfafGZSNO?tM6ERa#IQ?utYk3@^s{0_q~`GXI6c@kCmtVphJX|5=p{Z7Me8DWEhjji{zzC~DDpWBfPH zO=qd#r+_f0aGbJ)vCJhWYf8QV$PI1z;~Hu8-0Zw=95_ThIA_U(3!knB>NMs zl*+qaNf94#FkJwn*KAIg>>y^;9R6D=`@BsbxF(OI5qu z#xwg``OgUr(4H4$E{__`!Qv;ASSQbkL1~^e^!{s~TTmkKWuU-(L=4Ml6s+*KmRMjRTWja=c;cgn5FuaUQe(uo2J zW1|%a$IfRQm!(1E-!%oELgMXRw;$)Otls}`;l#oWUbN9X3K?(vQk))O1*M6;Ew0frMMjk@5D zn@!%`>*}t=M@zSq%&Kl(1X1|yhQ#(^UL(}+@5Fc8eY~jz>WDF8q~xH~9~n&g4bp8M z!hySG=8^>XMWE4Gkxoh(1Z?wvj;0|VV)y5cvW`kNHC>Q&=v8r;61w zYeQm>Rhw?Ecq(acB4gCLIE%{9*k)&RjJ0>GN{=F(W#+@m(wc6r1fDn>3$dkW!IrP} zN=a9RLFyNy06`?Z`MH{qt{Qa3<(&7wi`I0>AR=!1tx6#@MpC9_^V>E#md z{h;)Yv>PC(SB5-ZL5Y=qJSX#VOkqNI>;12Mb3J#HINOH1H_sSDOc-;Tr0-2H1MrjJ z=;jaKZa?5g%&g7yi2Z`pN(m=bBX%%>Y2_1&bG*KBOD|S${$#(uy_)nPH|c25s_Ja4 ze!c)JsS=Hnk_=thAv)X^?+m<0+Bk3=*owD2d}54-Vn}0wV}~vqAzGtjQzG=8leUbF zWwgiI?e9%iM%QG%n%y{do3gB^kbPLh(@)jYTo#AAEzYGE-^XhxdmqfUChmxk-x^Fm 
zxj_$SBS9pC#XjIDrBb^Zk87UgIyW+PqcItm2`tRE?V8P5jY37}4~7Z>-TQcpraeWd z#^cQ!kr%DZ{v1mZR87)K&nL^dD~VMPYg_hedEc+lV&bTbk9}ux#)WZ@|DRVy6hEfI zgo;e)C~-4or)BJZjb3TE@53W!oz)B$^l<<4RbRl_Jd_gudZ=fEX=)|UTCj~?&2o5N z%a9(Cf^n(SC)Ngv^{b|!CpaUPo-MY?`qJ)OD^0}RhU!!xm*#%my}skA*K+o)9s|;aNS>hEGAPH= zfo@TjlX|2)xYZGjtSjOFig4%Vm|*$Xkta*a6dpms$rjN1SXE5rx2y?0x1BO^{?jVl ztyZKs)bXg=dNUdzTWv`e=QduSkXU}8D8Ue*?*pM;0(vqeC2quz)Z@#j42$$#q5a^o z-BEouqQ$l0jY~eJ)Zb_kbxAH~)?m-&)78!o0*|z25B1%ALL}|KGtHP`n{qcH1M?E? zWhy8A7i%M0I476TK;9d$ZQjwx6n(>vK#{Zjoe1OlG^qcUFdDjD$NZxFoIX#Un4{CH z*?W0*4FfV537NAvM6{w6?&CGN-QOpF9Fv>&mRoN^)3vKU{w38LF)UlET%PPJVnwGp z>u~`8wx}{)#Hfx4)G)s}2W#+2KIIw(+>^ z!3ELktFf>({3t05IRC`$bi0eH9GnI38LK;^14Wg9Zv{#aUf&B~&*))sc5te9SDJUT zZKpd(uDysM3T)#>YE`EadEbd49B-K$prge^-vSO}$pIsV1yMR6cpXe0Lz?r?NBww> zXk3e{7VUT61z6=n{qO2-P8JmLCJn2D=DZ*z(OgH+cZr8nkrj!y$I&sT_2M26OBLf5 z*{aUHkHE9nau5~#VnAUo2TdOK^OEY|>lPkc}NCRTs+t+s&c zBIHK9W6N{~6zf?{9so1eychfHywOe?j74Xjf*93_lf+G)L_f2myWHoKPg@F{pFWZM z|M76-CWkU^+T?$AIX)gS-Gv$u4a*jNRR`Z04x z{oA2rhSUjTs^Y8|y?tvPS=+8G?hU`sO}-E0)#sHOW5biy&K9qK0fTHQ3C{ibqlwd3 z=+P>9Ap(4(#1?ye7mH&(7bZArn^z?vXP_X{C^T)dNwg& zSUyIc{6$Y?5YUu00Faq-+wn>=4E>T>5(hx<`3YRl6Bv>i=|o|sYI~5Ih}oOYgGeQ) zZBvpQ*e<_C4|y7hIgs?VxRSCqb{1X092qN&M+f$}~ z&^>?c`nT`>diiXdwSjSJkt{OktsXr#&OyisU>bi$BUJkIo5St_=|tOC&)d_Me)I0_ z+rAJp1qG|lAA+*gFkw}~dlaIvy6;3V#FN0G*xc~-q-mtC17GbE+X_S;H9a@z6@ zgtfmDhj$V&daDK6VJ0{BA*K{j@ajGHvb^2F);#}N(GswhDou!bw$F;nQh%{XvR%E=5v(P zBPKo5RSn2JtNVrvHnr=fY^}TjSNUDGfv1IPVLVF-zCjK;XU?*`>!BS!Qx2tul??DI zo+UpcR&t)>b`cfz*Fl)jUsGMZO^F$8bwhI}#9IU7l_NM*&bHUXGo~PTyS?dmItamv z2O!T9BRE&hax!s&RB6!TMtB&)RH`En$P#0zwNt^$(F6TT|T!ti<`f+69vC+hUR$Y+FayYn;8v994yM!Fjym zuIV>_6IW~GOnTg=B$P(xVmH1v=DX`$KfB&^Df0=D>*-&aI>{0@&9Q$dSuW{}%B@#l zFv)avwt96=);RV318}9GLWi&QYBlbWq`bC#L1d7DL_pm0T1a3|b(XH?YHcY%<`#&- zt+Uc5JdGahqTqzps0GKLozwcQAcfPbIu3JAyE?o$sM^q>EMG|EKXH&=w8smd7h6?* z8uD?F1p>`SkAkdoL^POr3wphxBpbW4-m=pZV5F1k!6y#;1z&?oOCvCzLqB&I`YYDg 
zmk*1-MfOw*QW$sFuD+;ha%+6_aia0lD|W1ts7Bc{JST1coeXdh+f)elVGUvW7M+0Q#ai+B9!%Q&XmB+YLna}ifk za2QT_y2s5BwR!yH14g{!a5{{#Fl zkj${*OHL)F5`~EuOrMxYPQSWDa?qB@yr=JU0-fJMemJRw8vwL#B^Xo4ut3i!A!S^= z2*Dq@#lK5>7eXuH_%204k%{jbi@Rh#WL>|~H?$VLH`2m+aM-1;2t;#@{kHz;9~5NR zHvC34D8br&5oOo7}UZtg5Li)g{m>qC+8P;n=C_X~z0_86jm2eVhIIv=Y?X-Y4Kz1`ylWYN_89VN@#apIzNT4zrv(&IqlIvli$sVi@B_LTo%-U$&h%c z8)B21@SCqBE$H@ay^TRKOAl?(*9_0YBL&7IY=zm2iop4`*Ev8Yi}+&8bgEB(0U}QQ zb!AMb`Ccb2pgAR0_)T)ZYwdTb{oneYRyI;x{_rXL=8a(Hvuv{qUh-jXOZV9uYh{ME zhd%*y>kpr>DdUC~JX%87Og$zvw5(b_1>a<)Dy0kS@fddjFXx;4G*6u9M7ZPAPgjPg zw+nW&c@6tg?qbSL`tLGK`980-M`}4H4JgMQt+(^81T;>j@<<#2+>f~EgV*id2=xcE zJAL=-piX~%M7@5eI0&=OqP1T-wOtac-!PwCv7Z!iD&n&;zmqYkE1@8j)P7jXO=iBe z1I)wTkf5H*amYIpX|&e2d~=jtcZ@gp&|zt3^n6VeJhkvDtZxGgkEEchk!%9C7*_DQ zcz8O<{ER8>W=Q#I!Z_M;O z?Vy{3Y~P|ft=%bo)_UyGdcTR^<1wt~!fhDUU|JUR*|HN- zhupm!#{OBE*a80}Q`OXk)o>7cxkK{NWP5KyuU1z}48*k>u>*qyN!hsB zleKA5^kEGNHox{OV*kYhHYR{o&0gh7?Q8U^EFI3AcWt5n@Kpcpjf;cP10kcSeS1!6 zXpN4A=@Qf7LM=j5pz<&tlE=>W6ox&e6;;>e;|JhD{1BD-x-OEEj~t2>QVbEd>ZHK2 zjZU+9Dp8QIE_s{RX${vq0ps7fPwU%8yOZd`avMVi#-d@RE(d&Sq;r=dx=yQ0VZ*_S zoUXgjyAbaK3iK1>QvE)25+kcH;%W!}C=lN$QX-aYu9pxI+cMV~SyPyoF;pKnOT@mR z!Cu*5G>JZ1Y*<*Q)~2$HDV(^G@X*HC2kjhDq`^BkZVT$eU}<*AxPGH0MJh+}FC;6lUfvKL$hv#mvweDC7=q&%^>cp1R7_^TsPT z_n+ZbqiPt8U}y*h-0i~Z@WAg)%#jA2eJw8xYU~$bT5o3M%(r?1+XQ^p=Ti?jubxp@ zWj2K!rJ-28zptDl9_C~^2AK%}%_WA48{Ve~>sOlykz$C``-dg$?3jAB3=K#0U<;O{ zFEZ(?zK?U!mk9q+rs1^qwFlUHbgKut9lj%kK`>xvFilk zEE@QU33wvm()TexEH!nQB+@W2588w{hkqvZtSJ4(mMF{m-P!mc_I+P)?u;Uvya6jo zxGydj;%6g@IYuzR=(|JA%RoJ(T%H@w^{9`Rq;x(NaSE%Rrl=W3{cEBnBa1ZyydNKK)fJQL<}c4*zK=l8KcUwQ`{L=Ofo%bE4( z?x=^>1U+X@M16<&Q879R`JH3*Jx(Xsz+6(YVm=patoRR#!(5TzrWrBOr81Y|D9*h2a%%`2QhY79sd^mSVRCE*zG+E<$cN#d+;abgQ$lS2$v!q1sd!(Ir z6OA~a#lP_bF%2rd%{YqzAIaXQp~@fE(VGVcoUtNZ2!zc5c(6b!4VnGmHSC=iytAB; zA~rORb~~Go89^(dMM^h?p6Y3=-{aGU{XeG_glM)|s&c=!t=|2@ivc72J6WWUhvSz6 z%GEa3eqv7MGbGjw$xKZAV>t5|-tEYrW~*j}>El~4+)qOuJ~@a?Jm!qwdaU+5=mZa(cHeV~%#-1Tj1EXX 
z#=THEEuVV0vUH2OTB`6WAUhwSLFLl{d<$N)xgvjrYXa_AdG-wR&Tl>lD3XG#hF|GL z#gni`)yq+%aAa%BI!I+{X1Cbw7_GZ?Vkj`tEGALOvEN7-3A~_TXN|NChVyD@Yp?M{ zr+62?W8MySRBX^IS$!_SX&sQa7z_%*)y zU%1Bs$=B`%jM%Zr&Sos<48%|1aEQ|=Fxu1n!&_aJ6Z7PfXcPtS8yXJ!80the)Tp@~ zhs45~9Xjo{vimjJ6y+H0g{}t1%1Vb!GzV$~#ZYDRUX@25cUHkzUaA$w6prQWlZMO& zTB=XIAVASFO7&GR{|fv)=C~S4_~%w!vM8wLw$v2zxWIY?D>EzzcV(t%goj7@&MlDUaqfavXWAX1|2*4p>l*;HNqMJ>jk6{4k1B7vg+xb_5 zG4;X!&I8EmFI9C540&itF;GaN(gu|Ya)%=8R!&1oPOHIFnZw+p{SEKoP-B^-bu^5D zbfI_~gR;!Pc8({U{j8ub86BXr39sN9eMqel%JlaQ-$OBc-yWk@mB9s} zx`11zvbPQItM@fVaE_6rU1p?ddkG!C@}Awg-_&ljlO^~-$8Fm{G1$r6hJk`Y+s$=e zx(r)NZ?(i1445gnkKm@CXle=Q)Hscie*P>TM;li)+jzk$fW)MO;Mz#z96T z5<_CgFM~t<#;(PIDFFxQTl^Z4D1#pppAj?t+JF-=u)Xr0S4a2Quk8@RXkYthe?O)r zLJZ3=e4&_bj9Sd&$7r}_m=?$)eXB$#K0>n-NZ>P#_6dTnT*d)R*X^ZfRfD!@q(bwD zewYkEOOAJ)g+;o4kWmCyH39r2!M7YL$HfSEw_%kAJkn$)B5U};yi4JOA#iZf5aa+XVvlhE zlZ&HUY2ecLl^el}qTL#C-hB^INvEQX3pQ*XzWl(V^db@h?^D^2ot5zYEl9;5FVdE2 zz+q7VnyoGq;Ysm6mgp4-#Qiq=l?j$msbMX%?P85I2VJaD2iJgZ4ISfnxBhD`uG#Vm z6VZuDKef^mQa1-*hu7TON&N2_XLY~c$vQTx+;qMmsraQV6^K6MMo#|hjUhCZh@@mG z%L9{M)++l{y~_$ML~#>cpUlQ86wLkt*U4M zImA@Re+P&j_J0#S9e2czXB=?v_l(zI@fmZ6$7T#18YWS> zOmy`oGvf1MVEa-02;ZINz_zh&xOEz)+`;be62ry(|0w(Js3y1UZ3U!=bP<#iqzH(B zpwbD_1vDs9q)SsehTalHlnw!rUV;=+klt&gh9*^d@1cYm2qXl)+_`h_+~3@pS?gPi zf5;zsbKZ0I-p_u{v-g%;I4-$*I;#$NE)Gt`490ydEnd-?nJWVorUX_{1M+b%4gI+K z?_W-^4tl5(*yO6XlBphS8~gFCx!eh_k1-u>eqPAQ{9PXU*xmN^-u}oNeB-e4XRYK5 zyq3pV^Pj9=J$rXdDqZ`SPR`eReAwd7ok7ll;^GXHnL?@t)yEyfpVKP0)?e`n;5ooG zuPR4}db=88(xp#x6EP*97GrMWVl&308)dl`XDE@L_O_P5AeT$5mfC2gApx>kLrJ+BDQTmQ3<**WbuLyB-ktBOoF} zL_w48QHzcrdz-rs0=jUo*$#`2FxphqltE-!NQy#{@(rh$6Dyaqluhl!xgu* z?z0E(!E~X3O-lZiWQrg1KGNM5NQol2Q}-azg_X2fJp=_ze#(1w%5F?vtwbNUcftLO zyuOpu|{lj}I!gLYu3Vdp@#Xy?T1`b=WyJH6F@I0Cvm-<)`bL&iOH za_ec9AV6h!&G4b;&H6XyT$XzmgXYO5YV~}j5 zV=!4-@p^M#0*&ajXEkv zx7=`Tc!5F!?KcdK)16))Uf1u=_oOHt`X0obkWHgd68Tlb-bixeX2is!qjeX;qJ)!G zEwK`fGIIkU)2SH~*ICmRQmW-b|5ecCSEgbDN<|<>fa@|kF&)zRhNnc5v_f$*aDa60 
z-S-atpD7=hkO~7U2d_83t#F+@{BqSkn0ImK7aR5JTc3FU>tgPnk2`lss3N{=R)DP{ zs3|qA9rG1myy|CVrE@*DIFS*5RGKE&_SDdb!bpGN#L(VH^zK@$5FG98aw!-Y!LXz58z`*UbkMA!n5@#oLM_hn%O=Klc3b|`f zlh-wpoV_}verD!X{Wl_-*syb0@k0L~?t9d0X1VhDiQfbnZ|jc(j+#gZ@;5a7nzOO9 zehj4+JMtYjqHG=4+pWcuHEzW{#@~xe)=2)SK>Ra}x|PBj$7;317v7ka75bK2m7YFk zmh*IT3Jb*+*3Z=zXHvFQAI?@{?fu|8X@0e9ew%5}2OhesC~vXU@athL{KM|rv0pTA zu%EaN>ofwEFjw9_Puq=*xO3ULP-HbCLM_9#RZ8Seb#sQ~aa+=K5ty3($3atz+_`8~5%KKt^&Vh-n$1q13jk zj5PUF(jJ_a(Xa?`LIpjtzT>6@3nFh5xdEKpy%_sqZx7t1KWRT3cVCbYB`pn75u~u` zGU<#67BdTNx7k1i-Q^C`3^?vM%mw?%qwcA9N2EPXFm5W6D*ABAitociH_Ca6wwy4( z$>+mnyGyj{g0oui_*F|A780e0l#~~5a*@4%OHcpXKaQegny)*gWbNYm4Bu>Ljb0(? zyQk8}rk2l3dhglGK9EFzn09xYyY;Km#>w77~Y(IMQ4zdUwPr;)u)w_yaHJ&nWS{;*ZJRz zFlK@ylZ?P(>a*&PXH!O2-t%7@nhYj>^2_Sx-q#*vQn_vEzFsVZbk9dPKyP4@6; z0h(A^xplzIGmD4FkzIE3nm)pw%}zB|Uw~Vjz8!#t&fuj6Mydb$N+|==nJ=c5qfF{A z`60os-;H`&#l#kW>oU-LA~hNAIxNYU)q9=q)Y6|F35`@lbSE%nM6vIq-ifg=P(7(> zk9r>keR1Iinh2$FZ%Wzoe(bXyhyf=*_R;MJ*94nw=k3*pKAh&;S*(y9(QSE|H_2i2 zScrb0bn0@+^6fu2_V-=>Q6K%b&(Mg{C$r}=cgoUKXUVgUs{^V^_g3ElYJZq$8-GHr z33pf&NktR#^R;e$bImNH>Y`CGiOdCxaBYl>YW|dq5#wx%%)S$z2RQJ4>b6}u^hosI z9`etl^p7Wc+L5^~URg3xzwo14PpZ0%v1xfP)6)N0v|Pg3vn=ypNuvFVknk|QcvTHo zQxhqtX9n?Uv^G?1EXo>*w%O6**j&z!2hY@u^~~wUzP?i?{q3m!pjFR2V!kTtZ?}UZ zsp7vjb>WWwX z%ZZ-?Ts+eiSwwN~kSj!A4;rb=>7V{IRi+2dU^UO}r|Q3L6?q%Gl)HW(sX7{-N5^Zt z&E|v&d`~QeXGU417cdsHTHsU9bxzUvI7ZDd{SX~>9JGkG*#q1fFRD(p<`3(~GIiKa zQ>gYtR*l2(bpqRHRMqS4>T;2eYlSWbGN79DkAE8O50Q5d(LIxURwbe55o~4=Haso{ zLK)ysV*L1$5!^RZt^V=wUMg*J9ewtm^sGy&riD_gcHcw~9&!hRV``&n*)+~Cg67mD z1b=q{nTM43(*_Lwv4oZBGMk7(qsmFHkzV~`Gpp2Yy88}PoWyx}O~z^)PT!ImA;jYO>dsH3;#4&LNZ&Slntq%sp-UV5;scx>S;F9&T&e{ z)y@#jc7ULZq>J0$=4fF-??jr57P?Jtn}0r9?R0^OEx1Az5nrG`(W2_2GUoN&+}s=< zy|NLno9D8=_U;)&|CjwCgdkBL;&8BP0LeptUCR09(S7SL2aziVI%k8}6Sv-{U|dm1 z?5uwFYT*Oj{cvDt0W&qiAK0<#yPBC}z927m&=&RX_FyjP`H>NI*IFk*D!BJR-MH%0 z#^-a^JeNvEp5NW$_${&w_)!*NYYkChe!6kPZ}Hn}ooHf{_Q`!_7rp&u^uxoTdIuo@UPS#ix!+<}UfgvRdN!--PmsL+Bnt(?Nj&qGU5EmHoMoJjt0dDH 
zx0=el&uoQjPa21Lq9$VK&?$50gI|D>QTD0Q4plSIu|~Z%`pC|pBK#Q7KS^ffOWgib?;O8kS-L)9KA`7X2jY#`j5kNX##Q(I z57pnj>!K$f;&2O*aS4~%G?UCFoMsc>J{@E=TU#SxG#Kj0%b#i0q@&QQS0#2$g$KWD zBl~iwX|z}yexLUw7N0PxGwFH!-MISmW$M*%@s5Z6;RAJbbxM)*q*tDfbOy7h_K*pV zL0f-TvmM>MaT;)RP>_Z(N$A*ZF0cjM%_s}?Hl5dt>DPu^sB=JV1rc!%C8u3O2uog2 zTerp=w8D!~U}Q9h6KY;j!oKaUgTYu|)6ook9Cx^)sR?`CYP2LqPCZ7#hL4%1b9(C` z&9a|EFay1Ce;ofr@12&^`g<$%ECpw2wSLiKx0R`8u3q!^0Q580pK@lJr8LM1wc-sY zV*~DA8=G41jV6Qlq2YLm4KWHgQZ|XA>v+431JOw;B!^S~V@RJ!{r(Nv)vv9M;#ivc z)BJ)s*~Mh0aG~O}^q;;q(Hw5e7Do{U#g*#m7^ zne`llc;dQtv}zaGcVy34>s>StkQ$eNrT&hJ{t?P%`N(cS^;q_OnoSI!$_2hl2d?WD zFOFo=<>!l>I<%{)<5W0sV2;{C`{^QkUD>-L0@QY{ogbdA_Km;gX2T3#gIK~ZJnc9& zCaBx)My+S1;(qtx16N6SugscMP2-NXZPeNIxr^x!CZ~NoH`B3FH!GWqYBnT2`zZQ% zyIWsxi4~tsFRHA7)d9{(PDoDRSH%Y-2ck{ZOdU~`Jah_e#M;W&>9QUbm#EFE6=c>u z7ee}~pb#yUn<7z-KMy>2CP%(BV#=688__KXx2E#r3%2ZwSxq(*kB+t{c-Cb+wm#jy zSnq+h9R7lEv{H{MQ3N%}?O}8`XA27;w)=*o$T33JTJ2$UJ<~<+4ZL=jPiTd75tQ2Rq;++hlP6&|R8*=n0$4*wre z&y+a!J$R~3kHL7!XJyCP(@RGKJTTe7vCmue#rTX*{s73S2LA`na^lp)3Bx?Np$puMI4Q3@-JLU?IFS>pU`wZP zrrWZA+Vy&}#6lU;b>@=c@*LNH&ew(;bs2vtIp-VFco*^|iWS(_=VtO$57#!_kMk5R z86)T{7lIxlO1;D4Ovc7F_}Q&OIQ%mScHPQN9NI=i0K3JF%rxlF@H{|!8720mGl^aP zxJEPrOn2{zgxy@@)-Npl#RSf0Q?DT!YX=602xo?&{itp zJ@5nb?rdz##9->!SpezZ3W!~&p5LG`7?DBeY`Ig96ojey|eHl4bA*H4=+P2 z^CrN!!8*(ok4zm-8THoV9))!*-AJ6u7I&#M;6GX)xwkM>Y(8flV!l3}WF`2AyEV950zjSPl(l{W4CMNG z@Ix79gg-(Loyl*_6PTp2#J4j61aX6an^!i8GY#eC4}FX=9gN1iIPO&cRl6#znctV5 zX_vjj#(CuN?&lzM>l)l4;+kkx9^6L)jU|#JQyEMhdEJxDE`|FL_jkoUJD&jW=Y*Qz z9nqZY_?ozxZTPTu0LK5kwZlx})vrhRkN^VKJz3_6TFiL!#gl`j^Ud?!v9RUSEq;-G z`!PJ4IO3@^h;EwLgUxI5dR|6a6%}ii*fqUH;;O6rP0bJ7JOlg9x*3Funn__FIsyulQkR>Bu2xwY@ZPK)p5x4;T& zoY1W<>+{`{wd2x()-OQWp9y}d8+Xo6;m|U`J&G;(qdjA1haU$d=gyN2c5X7;Yoafb zN}9oaobNTPy1xNsr~eVQMpaOd$0Rp7qq7pzrUr&?a!T;&p>tvptA4ffut1UsMuDg zAv)|fCG>YE=}c&_@22_F^2bCiO@Ie@piJa0gK?# z3GkzMYnyk=rTlp}I>qnPd%H-1KjgQa6ZULCWgN+&T;}fFc@L`y8`!a_JO$6s=*l%t z&lQ)VC*bMV>wp3AFJ8ws%Ll6nXLDRjdoE;=myc3CCN{3Y9viAm=V=M{=XO)n-9hs% 
zMVO`g`~*0cX$LfX0wm^H36D#1WrL)S1nPTWANaIpD-?)bDjbW$Y%I$fgsBPQ%L|~h zGWm60%uP^e`gYsSFzEh5Mudrw|G*kz277{g>ft?lJx^RtV;mX9VZ(wK^8~`g_~+j; zxpM9}kUaAn*(uVBk2f$Q;8nbr##zS^=E^n}K2cmb+6sp`Lt-m0X3pnZ?Kr=GaA+;{ zS+(2Iem~+-J-gIq9I{Nxou24oaIS0Te?{R8b8s{inY_;G^P|hzc`dGAE^*r}yrXC!!Zp#I$9O zJBWB*6vF9qN3Z=1H<`+~P?Z-4Q8==4UJhM2n$U*)BBw>cN3}_O7P8tUTx*zCX7zE6 z9)8%3cwG7^9piCpOE`0`vHk!+uZF8(@5FeUOhH6)uH>7p#x!w221cD!-)R5dlRNlh zfGE(nS(*l3U~nU#2zpq*nf}$x{(0I3sL!Y){u5x1sRQ;zZ{f5##9!$2-sw5iw>JI7 znaMm%AZ=$?nXXLKP&|#N1m&tn= zNV=!3niu`MOQ@i|m{t;`f?8MUFhF3|*3Ui#)GS={`&E#8w!U*VDRf(X(gBnc_*jvc zoJ9nV=Q|j@RwgITT)Yxm;MOPeQ_b&?kC^rdo$Ac%9aXwO`p@j~iP^WX+d$p4zP<2YPe5;eRTkc(fBaoer3q>#?K3T=?uxSx80^x~WjJyrxtdt^ zZdckC(Wq0&%8ra=*RQQWs8m$!rOiA)yxl=TF$c~L$#e2v85!HEV1ku4@^2d^Q`5;SnE>wL^~caKnJ-LMeM{E+D~ zK*l>W-LqRG>^_Oz2@^tF;89jw`qPfdQnZwFLR0Ou5QP?=Jw6tuaQNMP7W&3$Q?B@F znq&Y}rl_cXUBcYBzJgY_FA&wZoH#b_g*d6K;M{t>`hjeZkYm6wcH)`kD!#DB=D%z~ zF-4DH=R|*22WaySiz}D`PhzRRSI5P1p`RJDv31JpV*8TsNfK}*W>ON+b0k~gELNWQ zDe2;iW`cw0S!b=;XOnzawGYHPouF$PBC9aut|Ih`i~E&HTxrNs7)^ZFdYSzk0l!n8 z7sYXJ602-JhqNLj%}P3*OBFYf4MtjlKN^_PqUID%rlD9kajLExQ*6}9aFc1}twI2E zSO{lHahy-C6|T(+Rx&jW&>KLQ4?Uv|Iu^Z=Q1YAIR;x{dbo|_a#0@L>C!mnS5O5ZG&g#0>NTz3PE-JDbjXWWFbu?yn!b@lSst!TnI2KNbc}z6&~2IA95g z6Y*$Qesm0pufOHArB4mJTt2Hgp6!){fd^|f9ZF0!g4A;PGD-j zV0p>y+PqWSp#cWP^jM`cBz zgsgW=WYX$;ocs7ME7rvN7=fkRF#=!+YLD0VtIKy?P0ZVc+GsXk^fo$89+< zi93CvUs`OnpmMjfW4vT0z0s1ErtO-DgIa6dUvFSk0a0s6}RRzgalU@(A!d&J5NQW`LdwN7CnWMFO zzI6|v?Xw$vd-_tuwOldhpUa;I4<>Y%b1Z?z^@GqLCO+2nudhBf zXS=4unRQ(j$ItsD!D$KuD5;PrxOPn53xy+%0Dk+yH?lF1TcAgfMyiW{TGY!t#S028 zL&XF6%&~bwgiwe1CD*ektK(9b%GPrjc&jx;7*6WjF`UQu@ua}tt%WIU&w)`Kq{C{` z*LEo(&KWVU(AS6*xQE=d@o(+1Q`TyuH%9%I8L*xVV@IU_f_S6 z0j6%(OaAQo^f`!vx5X}Y4!;L2PElr_F`f~F=YXzlFT0*P?I(! 
zBe|>%2S~os%@;6Ua>EpFItZozNCrB9xRV}Q-!ZJa!*By7it!U%+{Xu3ja>6{?uFx< zwwr1Y%VuU1K3(yMC)hzU>3hvo`DY-3g|N9Am$kcywK+8Od`J&!Cw6-ubYwrkP(-od zzET|Eutb60 za@S9*@PNboIZ|{JK985%*Sy%CefuEma~X5u_3U?ac<@o$$@*+I*YjtwVZjd?7O__^ zF?jsQX+-Y}1;lL|`xMOK%Z(Ft_$*y9lJsB4CD@-ApEN#Jm%VxU-SLIuQ>#`8e?M;O zyo3#b57;^rq|4R%2|hVv45(q+#!{7?CK{ZN0?!r>95`ERo+#$uKH31$&yIt1$7c_A znWDSa?a&c~ai!MRw8;B6qO(;a2uYse{Ue^~bGIyF;->qL0hgb~%XJGCD5}l5BISdv z*q93sL0gva`SJ^8OxBB}P0m{fW@g`_{PeT-%H@AxnerJ2L2j0qfKweG`c^tTfR%RK zWygK<@^llo#B?0XNY;-XeMEcn*!gzx$Lon+OBwZCbO9^am+~#J`qFH5KDJfTK$((& zVR%6;^|f3yaHt?K;7yk(LGg)`WAI#cLQ;-<9E4 zD}_fyA2glCh|`~VyUOS1?pczGMG<7i!v>PeU*+}B8xU=z0)mOXO7gGU3|gXzi?B(i zX!%XM?x`Cge1w1=X0N|GxASY7^A-|<~vfVWn06S1grp1E}hQ> zhuvs)^)Tol_0+RLJRy7Il+0tPEsP0^n14ro1ZI<%?T@PA1)wuK{EX0<>q5g>?=B`< zEWCdvYO!kuB;T#=(5NtaK+<+8QDiA>;kXx(9_-IW_NKVW=WKvh*WYxW?xo@ilL#~C zqBSKY2fekQ&&uo-es#swd2u6Mu0^xh?DUG(ApeI-f#YmqjwNvqc!qLOeJ^sgKzsCn z`?_Td8Sl7g9|9K`U(z!(9gVkAg&%@a?r10CqXDuVYdcQa!HJK^W9|o$V>}pLY`K-| z@hgYQaF57xuxrd|B!4)6be_ zKim1KN3o`egj~8sgzR1Rf1LOu+Bdd*xpxUH8t9%j9|*Bf5aLrsw1( zwIq-CN}{7#?)|zD#2Dt5$>hz7*rK~lVo2o(PJPFap&(|r4Z{~lv&l{tjEv?G#AX3~ zK_NdHF#F$CMsrV_erEfph9qEVR@2e%QR0Xv&BV9Nt9$hEQEL-9L&)t%G46PrF!{s% z7TPIqL@#{AO{!^^>7tgxVx~s)lduLd@CT zzDD6r6F|`@9n#zU&6Qzls@NQXd6V}#{bBvUj+SiC*gk(T32+61GyoE_uE>qfX6PMD z+1;1ITLJVod2n~fy8c^le#EVpYVY}Qppg>;HKZn`L|vlLrK)QLh#4AxZ^9iOa0Z%Dm=i%8euXK4Rv-g)M~A>r;@KZVi~}T zs}bWNNF}4kqqMQqmwc$?V%S9IgL`UT_jz(p!=9V$!@AYxJ>uu?9r6Z0Bds$-jq53#GxXNr#I3NDjP=SSz+KqO8TeY7u><9H;e1CZV zy%zBI15I;ww;w=-zGuROG^T;Cvuby4dz1pdGhv(CTPK0bDhjuwWPJ`d1l9GVO4=D^9^@#$(JBRpqPjB7JU2$E2L}2Jr6J?YGmhGzURs6N8)M zv8=Y+rW6lwyYnd{4)nEA{Fw;z};qpVsr0M(~2a+m!lP;#dHI`ET0O#}*Db;PfQ`4i- zRd^IQ408U7(Q7LHnd*W#nE{}85c`SiT^rb$^Gt;|sI1#?FV`QHh?%shkNgUK=KgkS zzAq=t&nEH;nuNea9CuHh-LrGb^vmL(EM%Y;!^JeM#`_KlEW-D%YBWR)yHtPMtw)|G zMIrh|P2C4o$ELlPq7bZd-fyZuP_rz~KCN-5X?rd5xyPJKLgS;3P6%8Rb+9sXyX@+j z?QTS|Nr)KR>3{(EMhjH@)70vp z^gpk)cWG}DBjCAI)(QmmbYg`T3fDT9)t#X8ZQB*i+Wm&hf=LvgDa}60FXO%ghi$&K 
zz5*FGQWC*+u%Fc3?L!Z=chqJoBg&pwh~TV*JI6kWj$Kj-qdFMs@OHM+!h|kNqq4#B zU^Zz{k4}!YE@bZGT(4sWm+$gL)SM;iKEZR@Oa_u|9z-TXXy~T-GtjE4V?{QMpvZAr z0;vhG)7XKW!yG;|elw|+UlDpSth$yScl%0dMl0cnQtp=J_GQqExV48?P4{;tQP*3Y z0;5Wa@{uD8EBJ}n6CakGX%mC96D#(W^}J6iXUlO=qk0~j$Us^Zeq;7L z_`0(|cy>VS9YRb|)%}7V;w+BIKNK-vJFI(<11!SVd{-YTRDFdJP}$InB*&j;rbHu{ zY%k3}I?PbMV9qWTrZ;s)*%pTxNA}iijZK6MaSK4M5TVnlM*G+w)&>hijK=k+uJs_r060}? zH@MU)sc#l7At{8oy0tuDx9w{nJ= zk1Bgd6Y2hJYdBs3EATCZC~->hk?Yv)IxNaZg*%pHs~TtUPYyMTYTcyS(W9l=NRfBu zT9S%pl!(lZCSIzD6D~^9PHbNas9K2}X^M^w0cgo>k7Z(GU z$y`$?mrRiE^HaCej18&GQCZgh+o`Zv?hfXOg&;M=bO>(wYQgQetYk^vCCl|29<@=x z81UjP7UrM^I9~1ET6SbrK5%<3_pkbmKa;*c1Zod?$R4Gso<)OVy@CM9$Ut)~Tv z)52JyR>$B^t^Z8qK|fdwW!Yo5M`>^mhoU(L(^$|(Q% z@;{anI71dVnOGU5D71LaeYf(3#J*?c;&t`wZe?_AJ`Xnp9M>SNto;+moyb^iS=agqJ`{sL!c0(H4w93-n!MV$t!EU!>9 zpGatK2p)KE2r?K5T?3x@NA?`{Drz9|`ST1u87`_R4i4g8x`D!~&vcmf95BatRQAN(nUV7m4f z8N?!aCIFIE$YrXd3c#c~S892rM#t&>MKtx7v;Pm8Ym1wbjHD=3n|igITwP&&ovBt@ z>bW^pugq?qHYc0uI+F(q>9Jgu4=&W2EJ!noyGy;SByi8oh9?3uE=AN)i5^j1u<0!y z5t0jXiPds9F#liAnxy>HS@tlQ*~QttQ{%yJ*JK;9Vn@=-m?+3(YFwq|U4wXGez{~R zb6vfs6JbDAiPg`JVRQ#K$sy4UY)e*vCR>a!(c3yzIW`NEb{7hSOKAM{h)M-Hr>j!-5gTB^a#df zASUV~kZ5=%&tR;$4xq;%oo9tyQx44zv2m4+|3JRbzYfFSH_V)@yT9>Ud+Iau2t+n; zZ8bBGX1)X1@jFW>3=4@qL#-8lA+9ktN%$z4YXdd*DMw*(upil*x|RvRpjb{uh74SD z^FVrP|D*^1wVc14!izUw=GH${JEO_Gy65#veV}ugxxE$UyDHRu5rAus?r6w;)-!v+ zE_jJU3pw-ergZV<06U2>^|$-`UOw)9 z1aKs;*fUO|;aY67s+(f+iln>b^iGHzjRuPKx8v8S4+qC2)!4fNhNF+CJH)IpK`yhX z)XfL~F6#V0&mm3$J51Xlmp_rUH)^R?h0A652oN*IZ+X`K&w-eqHq2g0Oc_%j@4~sF zt(x+~W&|hcnb5VutJVOZSg`N^+IcRraQfYiz8lqny|ohi&Yyg$rWLArMAnXzgvRb& z^Ta((?8zFxZ3^<1NW2Tbu=M3xi@#o+@0E^8jUfH-|S4Xkfcye{kuHVmhs{) zOPJ8N65V)E9C%02YMs4wH249s^d>FPxLe#=#!0m{nFajh!EyUBQ3)!i{+mfHn5@L8 zvqaX0KC*2QcII`&C`0d0PQdms3r13)z!k|=EB^|srJ8-ImDp_F*kP_I zJs{@i#^$CL0OiF>v-OUsTKaU(0V;GSx{>=~Z_jzqM-om`FX}yWi*d*C& zlas!Rx4!gUE2fWZol?=+?`f94S|J1;5N`4qUN-M|cCCFF=CGf+I_*Gg{DR?b`0;iROI;m6w5IbUKozY6}040|?7XH0w>?87}Y-eO9J$Si58? 
zmDepDgI!jubR3ih2ZM{OZl#&5@+VOhxn6M;17d$7J5!O$2ER~=Ynj0Is|*>cU0;>U zUW8FWe%|+aIHpO6V@ABHD)M@8=_(rDG%B5&EgS2_^ptMgDLzFAY>* zM!4PJp}=5o_otCe=~YWPv7A(MM~mz`?=B^YJsS83T=W+7|4ydruVtLZ-=VusbO>r9 zGUTQG_C2T|;F7?)wg%igXSqp?e~IgJUX)L!x}5RWbAu->E9H6(p2f73NLuvN6ejW2 z_+q=uq~zJUi&Ia6aM-j-qi>Y_di+bbHH34c-(kgPWpdf;lY?d%(o-4(l1^KwXA*Db zFBsRLqTZv4gIJx0SD#cNkHMo|8pFcIn)Me?h(pD#wY4FAMfHcyvhL@N1=#lOOSM({ zlv{Vnc0WuMYr7C9rcW8gkIOoOQ(pWnVwJ>kU)Z)TXYm@5MU?hb{e~%~F9sOQwNvSBM3I+r9;h5<=5AKEEYFZ{#!%O( zF-R1L&H%v+)~S0$rY3(o+S?)Z!;fgSm*sPCmf~B8J6;&>2Z+D#HNVnZ>!BheDU$6D zq2UyzG`%EDSGo}W;LW(m{v}k$vC&b&Ml40sr(Sb!I&D@fBC3f;>4Ze|{<7=Tu#0FK zytWo3>J(FY`%{&`pr|AC<*E-g!IPg4_&xQs_^K5$vZ~*Ii==)f+HXrTpk}ZSetJ=M zJ1Kh$#Y0;vc}=tw208XOu650w@yE-1uG;ZWyqE8oV(OQB?Y7#mnpj<3Y6X*P6FD7N z)(3pMz<4R<^l9TRl|%u6m_ zqN*E2I?Yu1pBPuY`YE%ysF(cq&Gh&nQ5pboTFKYb2pL)1KFdh0A_;zb_(3|H-fkVc%!;as5za2jx9 z$EO8KL|Va*R;>$Jdx;HCS2~6MfgGPH;eG@|pBM50#VBy>JQ95Xd|F%+yK+@?tK02D zKB2EtJ9Qi}@#x8siFcQ%(cKP3hZHFojl>eT->9I(K$vz+Qb5XnC}B5Gp<3I2*}opu zP>$Z1I~(Nm+0roH)OJGbDiaA|FHkCQSfuv!cIui>pDdnqbPNzlqQi8e4!e;olDvZ& z$?#Ufiz5tB&xoqf(w#cge^0_n;&|rUo&JeaTe^@dP}Vr2SBq5SJX)vYz_CA90j(Nfddc2Hz5ssl^MwNQije{X z{L1Fc_f$M^flgdzVZ0R$K>{3p3yvA`e!91%VgXpnOMA7=qG3C8#W2Xm5(}THUNhRc zfv#fxZ^8ec2zfk~Qc9h)@B1|uHTjc=`@S#49a*!xV<0A2`ns~Q|dG3Ou63WI8~9T=Rfz30D0 zAx3qb<$qmTUJy}SYkZ*bl>5>n?T_sPOQRPKZT4BQOLBY1RztLgJBc+*&8lKmwp6`( z)^VW!Y83OPYMH$U*5ztvA}OwB(Mz3k%>dks^y^5J`kBZPL&PbkLs^)D9(h1G(T zaV9mkeRV%)p%fx+|I(>mhkkn@Uq-L8mgB9S=6_4y99_ul4`igr)Mlf^%?-EVQw)i2 z{=M;=*QsS8UwdqxImV0d%cW{1X}<+Or?zOy*N`W-nv5Y8#qYi;(UXm2Zf;r4*JA`xWe?S)GCh)r8Y|Gj~L=$ z--3FLBO`ui&i<*){4XqlN~Z3Dp~{VxZ0YEzG)}&9rEBZ9>Shi0KiLT5A(5M51XLXU zfv=`4M@p*Pty~vShAYoai);Xkx~%IU1>`>Np&G*a4nhnNT&fK(ges7%+I2oEuwJlP zXAoE9{m=fM_)AJ6ZvI9f2}iIS6A2^}Hon7{f%cGVD|@W1{A2a`Swdya(bt@OGHiu- zs7L_YK<5unMY@L6Bb z^|$wPsIGIGVw{WOulpaVV?!Q&XV|?+Hx5b4`#K-ogoGBTO+Q8ULk`4r+G@CE{RdEq z_^0r+@Qk61D-UL4zJL7~C*%C+nG}EYN9ZpwyG_%@!HyGw?85vV*aTQ5#iJm6LXUz= zR?>0&ZnwS>yNr=(X!()%|YJ-=9=sxonUmglpaqqOvFtrkd_^k=E0BB*w9I> 
zbXs7sYqdHJ_%b>w0BT}i?C>{&+EJEdT}#%#uS!0S`%mut&%<3$N8-s-o8%-KtMIawg06}vrJgwb5V4gJ!dXU_4z7!0 z2g>RBd7=iICuN@L?7T;Pd6HUKR8%-3U0Z8+uzJ}RJyofdV`FNXUg=>1`9bWF&iH2aFTA&wO~Zs!r~&bQWIs%x5fbBfa^#;h*f)AMW^&;lc?S z$U3npywcO+3JB0VHzHY@=a6nmB150@8)s&C|B_?uc?7T$Gsu5Pg!O^8m5f(~L#ZuH zG@mXN<~E(kNV#xoLl)dYX=2)+Azu3LI=3ckBRG6^noIBPT1~9-I`#@<8NUC zY$O*qSQ6WVRT0PJO@)3|b~*`XJ{s+gmvHQiQE^=?7xQW+*__Och`KJ;BH?n>|89pN z22QM0tGw0*hAN9|ipng>$o>R`dRrt3XkG3jUm8Rg*yNl)i=H&xT83IiSCbz*NPgqh* zFUQqOuFVk(&W2zg_k7sVkp(s`-#C5dwYp9}V0Yh(-EzLF8z$mW)A=|(IPFsvip>cO zJRTyyUZ7+b!ANLX7i+8dbTyW8}3VRvQqCS-#eMua@0G%w4n3OdsdJq5 z|E1laD!ZuJ0C#-)CL6^S%G8w`Tcj9Rw&W) zx1Qvf3usR-VuTnG0!ME?ZJN7smQ*?tMr>9`>&OA!|99rTb0vrO5G*IlZ|8&OF2qg>EwPS+%dK9Nf50bOMfHZ2k?H+9&G$R zSU#_j7+!u%J-l!(g{NRJ52>Ft=bIzHeVLi$-)-h9cg$DbnCnuBld8sHu67CDVYJe$ zf538;kNwpS2Pvw}|kWdI^%4TYJ{T)+2v@(jNncNRWaRFsZJ^aI06 z+Cm!L@<2^2Rg%~_f6QUO88H-Da7o=B-wFOf*DIRN*p%mkeh=oUWxjhph zS6E|2%qa$aj}<8<;hfMmPPoj-&eX(g@Rb{%MDkuo&%9)@W%_$0_yy_8DmI!O7QxK8P zjL2=$-RsF)+D|SehX)OGzPPAQG-{iUj18zM{mG&x<$F@*QbP9=$9Vv`QX1nEy_T2$Xhpw`Cj|I zSHH#d(L}%?kxOZ%bZkbPbR1*vptJUq`IV)NHwD%n_-De9nZPvl3VY0vC79Ehn;;Z%o@p*p;Ae4)eZ zAx1c5Lk7fpLk@jjwZN_qrvxGIyRGhMTJNKp?ZVn2=+@Vp{F&i+S>I1Oz`6+n<+X#W zCoaORw_Kz0u5xH@n$5s*AB82pHeI2+3jgSo+p)8zXa>7jEg|C@PQY%+OWDv~kIitc z@u;B!yInBx^&Wp-MAhi&8A@o}c})&{wOkaRSkwiwNwA+2@w>;Qjx>bvyng#{x9u~B zfnut&@|FtdQYm|1s#iK;LsL7?l}AI3d@5z_37=AuMn8WfZh~=@ zfWAH#LB==?3v=GEC+ZA^*}0`Pz;zKcI1h3Xql-xDx9mf_9|+4j@6C4CIBxEE3^H(k z&C&l;Gn zSV>ENHWL(SI(JZ3#$j7Z6!ZYh9D*X`vsPZn<#I+O?KEpRMz2-zIwqh1RY7K-BJ)l? 
zc8U0E#&aO@VTAUc48W$hOdzo|=@IrE8KJIOZjhAT>Hkz7$WZ4+PU!aUpo~HN|4%AR#E$DDV3c9oI^{NpQ zRoHRO*i>%RAkZ3ODYqVx_8%nO->r)<0}h>?U}Rw43+)vY5?7v{m&x19FWEvv*!oXH zcp5)C@h%1XmsgU1S0z5Ze6(uRr%|rHk%)3TnE^h_g#9(Q`k(#K9}g7A=Yzi~#I0Jk z+@-1Y*YcT#o#PNkIQ)w-ApVr3b*fI;x8Mz^V7WOq1Hso2$|VJ&+XQ4It}ELqB6a`mP5%d+2a5R42>MDJ zVFx_?!6%zMTWb?)&u)ZB`$Yz^8{=)Jc;inty;R?;=So1&786=ieL$h3V$T;tZK?f~ zS|=lnuV*&iU3x%@&`JgB?d}Chq_JKF z$ngMGfE+LD0Z0$%#X8t75*|hmpryELNg^n~jAKUG#T*1fLzVK}uU!5aNb&a%{(oJs z$@-7Ph~{rE4!v;`G#QE9YBdi-Gedc&0>cEzoMI|Y%GHb&T-hT^m(};4Gtq5Xw6iJ7 zK@-uQv4#5fS@q3H^DW8zGcn@7Ut=#o_%+T68Ug2UWi^w%1)Rew#w}L>Tt!)^%IJA~ z`7&)g(KpHq0K|QG+)r}F|@5T+^^q}*Y&7e)HPjE4)L3M?Jz1_dxaoJ)V#t?bqswR;y4`cr7|+Rfyf}XLm7gB zhgBn(b26~6lwOBGiv07o)VW zu)-7In!wW+Nasm)bg)HVN0Ap(pY zR;aSZ8sGZ9aC7smWWBN)k|H|odU>5f4#>#6{oR^u33)x^g_7TAOJ4sZ76VOw;iC9% z9jw^r1MUn8JMILpe`D#4_*>hiX82b0*9Y{R;@v4L&-vm@Z@t_rA|-?Jn12UkzX^a= z+=Jt)0H5>X8eQ$u}GdE067q|==}9&w^MWz)2uZ8e-_7DbYw3q)PK@_lkStOlCk91 z^YWPP)8B%ip-Y3a0Iqm-Gc5YhsJ+oR$IGo;)4$cE)iyoo2z{}jgO@sY_;fo(;WRkQYa1=XZT#}a(93IIO6P6Fb?c)!;Mnyn<%-??!gi7q%W=M1 z4X+qd{O}*u~|b ztVs0;U;t_9pE8>+Blot7;vzN&;a`xKZ#Fn+t|SGoEdKoMib-&Pp3nH*^m5<#r+Taf zOO|=AEe}q)+#N3zxa`jdpPW4LXvLr+w`TcF@K{WC-Z`tVkasNft81Bk5r7!c<31(+C5#^z=q}z zgc_Y>+U&%a#wpwx3Y^NztN|ONS?En!Nq7SoMv6*V?v2`!slUz)^E&bcf^qf6m<|4h&>`xwTg zRoMruivzfis-pal$7@$vC?!D?KnUG4a`ZHLU5Og6+pFhQANw_FIcGR=Lhi8HErWda zrz^I1fOrzsAUT|{Jhh@q6kyz!D~6`){`HPk;vwgI z&O(+`xy&1(yZIbK`ckBB;z^jObm-lBcSo}Przae{U74^7qj3IVnly*hIVfN+p};#7 zx*3M;_F<<&u)!A*w|g#)Rjn|-`BV?Dq`CVhl(Xit!3spUcN&TF#jx{H&X1WFjTa^q ziX!S@9+NL&sl|=ATWV@Ez@EUdaGou7{v{~wjQ7pD%Z?A)_er(;wf&tKr9o*2U9WbQ z53w}T@(~de{A?b3@bww5Xsl8^MZR{gC5YeMxRys{boDFj*er9XsyQ_P%rSu%Tle zSZs{h#zH;xubCZx(pLIXWQ*&3bR%?T02@r(BS3Wy*#CNY!D~IIq5faNW2>cqCYbe8 z_t7?0=lHYg{mLTsWwYw?0Wv!VW{XyINc4IG8~$NVC2R7=0~CG_UH9LLBa>c(z^TXC zMr1DG{i)Wy0ibgf&cZ88ZT;}cazTVtLTMlP%*BzA(q&gX%%-7mfA;S5`nQJyg zlh1bW=sR^>=8Rn6`{aSdmQo;Smf%?zp7Wt8*h*3G)Ul`0ar1*#seT-E84pype|vsk z#+E5HT{b9Set*SspJFd~cY*gP%6{5maB>~&QBr@ge4-3>8u6 zXhn40_e018SkfHd@3s2E?U08 
zl&Q?HIb11gRhvaZ_dV{d;&qRd_*WKvcS1)Mt2#+j4MPYTBP&I0{^Ka|Aqf}W#Mc4v zWknVR$lg7MjccNv4G!MW9R2beU0w4!F-z}9*$2XJ_0#_WmJ9_iPAv7YiS0byo=xkJlHzeD9* zJAQ}Cb-^V0uh~+;+8CYm#Wx+E0K<@Ve2x3&xA#;i?9Vg#n?L#@yY0>GR;SRF0rm2t z7_7MQdZuX7AdoZ(y`E{$0U^&l)ywfw6A%RPHqlLW2l|WF#IOY0!UfL~WJza_?R#R- zb}!8b`8TJ=teMcFW^l4{(3wU#`hW*&dE$9Q}SOPVjTlIYE8aAIQ3KW z^J_=yR!JE_D#ys7J_K8UVxfzQgqpE03DfkE!0<;2Khsz-dcElVS>X;lVrt8mQY6y|kmzIM;OIR~GSWcS_T)P1dDo*&Vtfn#X~4uHqZ@ zTrP!QFYY*YV&i{I`JjQUeIH?-cxVoox@yEVB)w;Pf*gze_-d`H!D<1R;gtuQUe*f` zG~Bsw9kaXBG>JR7gx>4s}4r;aB zuRoW)XCIr0H$p#?-m(6W8{OufxEW{Wxvx{+BwVL2_^|(9zj%cdgOu%R>6EcQbN+@Tx-Wp% zmr^2>p|lk(%nOcv+MN@0@HXI;jWj+3+Y-LhY($2w0-$^RMDX-@qGW{qk@L4;)43J& zW?S_|rq7?fpEBhq+NjL1Q@J79x095((4U%Zg8X*$7mkfKG+hHQ?`0+D&1|7EcUp=; z{(I46UPQZi5Jj9Hh)Vb8&lD~zO$z?Nuvez%3m!if(j3a6h~$M*T2k+}V0kZ>c;gv+ z?H-lN_LM{Vt=sx#yca(e-BZg3_(mDnVDx&rdsL>pOhHO-1eQnugKzdm7WAwfn1-Sa znTcV}R*X$rZT#|m_kh^RNui045X1ho?id`yJaNAotCoEoJa5|?wuz)zoYTY6T)_SB z%$YMYYFFdZ+hAy61g*)-)(*Q9hz!W?r)K(zbso^{JyQFxPAKWPwSRX)K|dr8svdrj z`V(<#et8fiUw&%x_%n_l`D3YP84hcGCH&TnbHRNCJ8{W2Z`taypqUH3&%%BsZXm#^ zX2ekb2>Z7<_ZYp{S;HDA)v0`V3 zFz95B%f7YC0g4;iS4W2)WTa$;pO+b3l)!>2QK1HC}Pn z5&YS{iv3^h>s2r{lxQmJPyWYeobr?0*zmz8(sJcF^}=dYHn&9|v`MvwD{ckN`SsXH z)2U;YIy1eSk@(wSv3k7Apo9kKwXk}8p-z67n%UzfUff&#&rL=OO!23gc zS?r|59-77coHpJbt##STsCka55{KvrJJcnD=oL!VZ?qCjVS8Or(n?fK3whtB?G!cM zr~x@-`Y32v(%vumnH0uZMT<7FB>36%FnlIO9u)W@qxXdtdUtV2nYBhG6 z?d#Sr##N#`%VK!V)cq#HOh^?4sh2IRv>w*$3b|aCSmHco^cLGvEzP4u5c`8`w}F%i%efjSuIY)V84kcIWO^*ONEDV8Vdgh$ zEt-qI-h}|*UvWsfE|+V_7uKn?bjxi*?dBT-IgbJ1Ffl03mZMSBa-&>JB68~3_M+oo z5VN=#7e-+=jJlS+(1rmZsU&Erb#(RaVBPt9@aezLBs3`m3SY_Zw-W=YMMkYRZV#Qj z8iYSs{?M{yAW#OI=AGkxuL%L5T@sN^-QkztB&c4sEje>$Yb)lvU%>=du0GYF?vvj# zL7hV{>K~AtL{wZ^=L*05xe1WuWASg=_fH@vLliHiHQCFT-%9xO8QI5Y)CCz38>i4t zA88Xyf!5LsN=~BR{l&$*dZ2&%j4Slu0NX_2ThtB;A$$;s)eRQDOBd-($RO_Hw4R+@ zfmytdh|sBV%xUvc4|Q9d{STzKgZhW_|F?o=_?sH>0avMfe!_R~5a~+?&)REq zxqS(~j&V5X%Gr@6+LeuC?)g+r(~BxqjQk{u&1M87C8d 
zR-*c}!FkEIcWn5A^C^jz67S1S^$3`ygq=jq%T|F1D!oJ)BomcBxP#54pgIGNi!Ep` zLV>1Nob#Wybmuq7)TNB?KDJ|g!NR0oLxt?;e`m$91myFGCt?AdFwq74A$xp@x5IjqWw%nRIvkQ|46I988 z;-l7bQV;!qb|Q-;B4jUeErDqQL-!*)IH<#T%AUw5A`p5d76|T)8S3nqjWDaY$p~wp ze_&Is_R-SuTNY;bFhIM?jd$#ybR*#ETaeWO1OiyVb73Y2ZDb)r{G*cnD`)xl$Bu(s zONp%e4e1Xi140NF7jUJr#%4js8}RO6o%IqqTmAA#C@PkQ<9l2DmM6deZ+w$KoI(Ar&2+;9qiwhFtJ(kxxli0}};-?rXl` zY#W))fnG98HUI{Y?-q~(IF3P041nJl9FGaZ_>67e>E8+8kRpUaE+zg!Z~PDR@|!?m zyGXLjS^>WGJD%_x62qelo{vu*2<+U3)4ckBa|vm{eTa4@6iXBAR$PVpwza85Une-X zt#gHwXM#MBB^R`dO8)oz@Od>zOy(^$`2W76EEPO$HTa>#)P+g&} z!hm*C>z-G!%Wqg)vY_?ZP5U^GDceY2D*yaz3WxP5f1-<8&#Co3WG9-bw%Mg=z%#Ut zK!||P+Ifvq7V-!Fuk%HZ85DcMzNSs2NJn=Z@&7cK&@?0dz#A$5w~cLgT0>`MLS$||gwto!dR> zsoc63_c>=J-U0)OOVs|SIK%P+FMj(*u8NPILQ4+AV^>L~oUygpmE$Xc`+JVF<i>72|8D~UblR_Hp|cTm||6cd`v^R!SN z&E_rL66jEE5A;l+RcwCHJtJ_XNTc z4Sh*}sbAKm__~LaM-r&_xmgto9&9tJ- zWukEfJ?WLES4s;|x?q`C*F?u3V0QUIA&_+JAU|^epRm-Q*!wHfwQ~ZV5#zh^p9iWj znFdhIPGwCGx7w0Mkmm-j*3nw>CN|0e>`W5k<@WK&<6uc@_tZb+nYm74W=ixSePrXX zg5bKD^;02IEjG3HX>i-8292u@Z+Z|&7h+x8MJ%Om#{^kMu*sd)5yok5%i5Qo+SuWGJ1*fM_Z2p+An0!O2Su$^N>JyZ zsO$zXzkQp4J;|hgP$PJ>fq2n4TQ%IkxZZo*acP)#Np^fX+;Q5*=CHzbaUhYVX|zXh zv7{W(vK#p^g&0l51?t zf6=b=xuqW5V|`Xn;uyhHke_f8eM zlvP-%c>TP0>%FQ7l5-!XU~UW!jBQ0pQL$oTZ9op1qAm&AW6po*e!<-bvq;{ukiAiA zt`Nx(AwZ-vB%!#!Da4zp1NhAAG?326Q0GIm-UGg&3l*6E4 z+L151kI=Z!rI9Zd%Sw}{*+Fw95KNh><8jOMf@u87(WcA9e1t+NKPqE&n45JWW)#@T zO7512Wjv5z{1Y6mu=wgQfCO&KIP0)*TWLL46GLzvlAy2inE%`d3;yZFQHz1 zg+9|k^K94sB%b2bs8X67v`}zqx4}%lf3QM|@l|+i27+*#q2MuF+XIMbAxOtLyZ*2v zs+?=B&G}6}?=AHlsmBd{@)o2+J6_w)iQ@ZoIsGk_Tth1M%WnpuyP~bcLq_w@bTK>G z59Pw|fOQCFY_#VX#inAq`42IjFMP#2*PlWw1r$f(VJJH&IPSA92}E~oFK0f1b(?TX z$2D;K-PfF39jU$wuehttgwmDO<)kd-6x4IQ(tPwX`H^>Q(34 zTe;qRM)T#0J$QzFr~3SE`G&V@+NWB{>r}?c<@3(n*zN+G*e95crDNHd^-MWm7B|B(${Ca}Z1^iX(CF6CpmnsaTe~8adyB zIIPd8G+v5PT+3b8yE17<|4p<@;i5OvKdB_ULl9m&u3|rv-6Bs9VJpGr?~t%7mk9Qn zH*644EZ1mdSq*sp=Pa>8(?18T*lx)Wd!yh>y*#oTUtaCR@(8ul9Yy}-Mb->z0%Q{) z%-Z^QE|TXJ&E13zlvV}%tK;(HvzCz2-{T8h7Gu&xT#nMY$aCdDqN)Lq-s^k1J38~R 
z{wTLV12YZRByIK4%=iA}4^ES$h)!M^b(^w}jfR<0;pKO?*V%XtDtW3iCxjgNka%V; zyTQl6h{2OuZSKI9SXnN}xqz9~{BLub@_N2wHaoM&AiD#@3**osYXrI?J zH0lVg1j0&H73@m}G|F^KfK_(W5#+vBV_mrBIyTH&ds)T=T6L~DVIb}f#oUR>5EcWH zY+hUTFVU)XwxvO@`yVQ>ep)9M`j~Z(q0Bd|S8evbN62#W9TBf#b$>GVLR{l%To@65 zN7bMupl8f1iujJC08NOY4xfv{i*G28P84|}WFr?JJP>{$BQBzBVDwJ#B0oCgw~fA@ zX3reRQk0$HnPJmu^r|;%9C*a1D_|FRZ=1H?a!gD6blsyJ>u4bPz9!9Y;_@uCAOe>R z`mx{Z*P|;>pb=1T`1F>P%~QRHAKK9;&ir=LNSjYYuY4oSkpgyG)>38kt4HPW!b9Dq z2~1bsd3F9`sTbp(X~zVOcThg01&<=ZQ2`7=G*&d4CJ(@dS!n=0EMe_|J={TH$-z}u^EERDIvA)`ydHi&!Sg|DS zy-)45%=7#LM}g~-8oSKvU;KxSO&ynPe()ujkxfT0M*-l_l80zJU?t#@QG5%cdxYBjX@w4*j)Lr`G?tzqXH`IIYoZ5BK;x5N z=iF6FPEO}D(5pVTA2ox|+v`<&@$Ktlu^o&pEq>*a-_BCA{vhn!`jtojs86Q@b51TR z)#>sMD&SrG%t|Iq#gZ~|ez(VCgdRzkyckf&W|uqe6;wLWb^s0r8hID#W25UMD;2`%#kgg+jsn>Xs0eOMdzgonSZ8ZXc^6SA1dCk-_VP|l^9RLxbEIh?L@Q~Ift zr>b7%1wGTWnX57RsoqdmND%Q+MZ8ibTC!&T6N=Sxjlmpp2umExgck>ndX!=8!n?H< z+BD`7#Zj6tC-Bf7)3$}16=<8^Bq6@f8(0;NN5yihQMrRrPf9jQH|W%x)G^(C`j&9( z+f#_NO5*mo5HtGt(`{e?PO6Y$3%g(ur9(=$5759GFz zxNREdeKjl0(vPBP6kmL{{-%vlvEp7xkgHsnKfW6xbgw-T{Hk<*ROl)Uh5t(0+nnVb zZQ2lW_bew3lIFFQAgfnx%>ljCPNj1m+3sRI<~W9@7b?}#$uT&~5ejQY9q%lDYXqIZ6Adocpyh|i+UtIuCM@gk;jalTfifR{7!gA?Edh7jp zu}H_-C*gl>Q<^Nqm40U07H$6M0k{837?Q?_;X)6sNwnQb$Lh#YWOJhShmH{yIwSBm zky}&Dsi;yXy7M2qZyT~T+-@#>l?~YA0zvU*JYF{8@0ZQymAJIsn! zuwZbr_n2qYGoU|1@HN=}dDX>0$xpw+(eR`nkmkDKTrr0SvZB8rWyBUb`PPIoyh1;^ zf>fLlK?!LIQscn)beTVwo~)8`p=M>Ny^^FBC4b%c+|Y6?*#-?gCqGm`Tj!?g9v$i3 z>$>Z^z@QO346RfQK0f{rILRin^H3T35MHbd?384BUGjLHTvT&eqwA}2k;f0 zzRnlxSVH2CgP8Zxl_Kx3JiQVka4TBhl0TA!LDhmKNVWI9 zFLH)5G$_fnE&Lbsjuff8Ch?)2^)SByl4-hN+j}t>dOE+BOvpJn0q1Pm0d_F`le@JZ z8~okqaC+N@o_@SSj&>LAHi>4Y4&?1Fya87{x22s~UvSrYjI)*ZzQW#Yo;brS6FfG` z9rR9Gy{jY;x8Lz4*H4cZe=fpfe-UTFLjqvuR(Ec z2a*ZwRv*n6R#3&KuAH`84{(cK+f^F2tBD$pJvTIvuRe^cUGb^U4?R9kR|)wj%XoV? 
z7~kD`KJKt|_ya8f<$OOUi~RUuqWP$)e>zJT`gISnkC~6Uf0MiEZ0%D2u#r=$Alhj?Y28%xsV(xc+Em(+3kmX;pQKw=+{1|WI$Ld2OK4_=qM`=&6G_teL+9@`^Q(bE< zUZO;q5D>rEC_%IuYoMGze`z{M2J}^&s-33R+vqUZ}lY=Geb{_4x$&0nlPtQyIiT6DkEs zoKAg-A>0dgY5AOJz2lp~ODo5B&j)xmU+U!9G;ZG&Yn9O~`N!)HJ2|Z7_tnkmtuZ0e zG}O2^YU*Urjiw#Dh3+!5m=PTp#dl+IkT{RWFYi|M)B*-bX6To|W(V)6Imw6a-7dXf zv?6^r*!)24X9;=59Ix{r?A7=LB;?Kq8hEzr*l+B`4zh_jHHp)1#0li|f9j>Mw*Jn1 zzdW%l#*c)3C!1A-b+HRgx=Dd#+Mghxfl4TYF$$FSF`xv|AqPqZ{tJ_Z$J#`~>~+@Z zN{&)1Ua7UM&bKn7z{(?(xBffYP^U4XB~l&!UOzNo!h364K6t+I{yLY{q{p#dm;At- z_V_w?+Zqd#sE3c-i1Va9zG6W>`OWa@s}Cucp64jAO?Ra-NlcQ~DwD!|twv@6{)_CP z+KKtkMg<3pl!|^~qN3QOeA-FvCDY_G_K2adnShxF+;e>~0QG^m&@+ZxMx@d(>Z zro%q04<0$Px0)WEe@t9pA2Q1VFDi(K3pc_Qqg?t=xdY`tBc1Y0<;2(D0|$=}2`W+p z_Mu=n==_4bOuQNPaYpWZmGtp@bwlC%yJ*wC1h#a;_Ae$Yy5;Xjijm1+*mfAE`6!hu zS}8Zxq1|$&-w~bWZFVukQmSFu_nEVmH7V>e7>evUZ_*I8`X4%85ngv6#SsYE{n(U= zqg2oU^Nfn|>`4>TDC!J^@oFSLhVP^EAOl+*-!Y=fcExGsUyynqX+VWQHSh85yV7-F@RiD*C!qOq$mWcsHU&o;piIs?1z1r`k2 zG~0ZyoQqW(miH~FrH2^2c*o0>*n<&}qhgoyf(d`;TG(U3vni#Z%KFw`%9Un$^j`~l zjy^rY5hTUlEES#t%F;3OXgdU{B&^cXqnJxwtytYrZyb|A>13B)$GyiV4h&EKfaniJ=!FOJ?S@ z_-@?u?mw)}K@^+2em6X48Q4i(lW;Po9nKLY=J-kg254~j}|L9;)x>pV+Zrq{}& zuU~fuOCZ(_)BRL-k6U#ys}@}S%UypQ#Cz-FhV$AtY`mo3$v#% z*+_tkK>bdboz%HYB)xNf&R;!`q$Av0Xs2KX)&P0?_Dny`+DU0 zKOeXDzL_hE*|}WZzsom|(Ejjldl59QXW4nD8B`*MJuS2|k@sWy$vlo|C$W>Os}^Y+ zi@^TV3ar|*0Ijy%iVDNe)NA~Rgs0_Pdh_xmcdI z7CcM4Ie+xMu@c{B4;l%Zk> zkJ8%fI9CGg6I$xeLQKUew}^eO0>75$zw0hX;F4$|Uv3RFwN}))AktfMc;EW3?zLeebd}HHthAD`%ukIm| z@6Fgrq@1U#B7>WMDp_~-v3j#HK4hQ=X{WRPTKCh-A6Da!I;I-ThgBKhV@LD)WUoA2 zPtBfaW5|>Y$6#VDLdech}`!=WWxG=`LF zg41Zk^qzDHP;q0n8x34PE@CY0a44uO?*h*%bA@tpWKFPkms}{}shXV1^tf~oo3s*R z;N|yeQ7?7ZGdMxZVW}$nUJ~8Cl?S|1RiQg*#lWRexPY?vjX^=n^!X9Q`l;zx zuZ;Zq+TN=pkp!CYk_wMsBV793-Ga-@3%4JRHL%fout5Z=9^bW*lUv`xHyMZkIz|$g;A#cte|cYgD-iD6WQS zuLA+kndF`fnm_zVtl59vq_AvV&y#xA^)!2WUFaqe49ec7G1Aq|hkCo+X|TtM>}kob zbpBXx4ekUbTY>QN`bsEQJGs`P3wKLtjx#|MxV7{Hf+6sxI?LAxu=2!iCn{{Ax8BbQ 
zyYtmy`w`2kRK8a_bY^_1t)X+Prepde!pvy9fpYP84Q?7FMrx4G;)iQ(*fgJ+Mbh}c zO#)0aL2#e%u~qhKKQ_s*1L!1amG^H~y^c#Z2gy<7mv4q=w{=58Lo1^JTAkQ3SR6gf1ORqO=8G{>sq>QKB7e;`)F^jjQYhJVxN1Vepg3!WxWHhb6BK<;dF5{f6zNNOG}1uZT=8 z7OQ?S34cN8L03S7y;&`GbuwO%(Fo+OE@dHLPjEaoK1KL4R$n)Gm4-ElB%BV<7Q=9K z1%kx7^yU4HYP~A4N=kY6Hr|q~h;T9CK1-iy@W6ZVHIakAq@_7Gz?}@7y_BA*-e>vz zvQNyYnJE;_?DF8jSKb9ChdccjB`Jn->~TUW?JZ$tuct=lfs+at=dCcAp)IsT3V%g^ z5vbt7)86@-04=dC;T``bPOX(@RU8{JMO-vTi$F7C1uq=Krh$`BKP*7Zo1}?t7q?>zb>>DT_&V9UC439_i(iEwoDX3s7)Z(8!mmy`!|Ox5~J ziCk(q$zDM|an?2xEUv6S?8cCm&=d8;7Z-t!?QER>s8#qDIiDTQ7Tn@`5S2r7g!15Y zak|Rt1sD$*#qi3hq{;mpN}l20B!z`B_NY`P(W?kK5G zaI{SiiyKhgVB4=tF1d)_9-1y)4V~+&>&DsA1`)jLGM`M4aHB>Z^_z$jk9g+>%AYit-h01 z2CLCmk56=8A#KhIcU1}L-4IorwC7%ab{KdEdArqNVTYaAh**_+;x$&iQnkJb1FJWX zQe}~Ezf3S)FHm>pP*dk9u`toe9ss`BS63)!TwpHi^1)fKA=BO4dl8F6Ejh-||z9f%Y*0m;``NM@BOfDm#1q*a|tgoHcEAI5{{o%Vg-5+_zA zvpdMX9puwu1?+imurUqVp{baF^|N(V3su4;hCp3eq#Y~u!Ah;n94=V5dzWeB zU#I$u%XEv%r@sDOn?Oi9gBW_F=&xA(hMJ_LtU-?ebFCrE8`$k?_`! znNz~~ldmHC-=aS0g`K`*j0-znX0^xfg!NJ#2dz6D`L~~}#2!ACYQnVz!0$47lbmZY z>o&QTMD6adMAfc6^McN~(5vtWtG(au`3RiY7-2C=V^A+I_PxvOwQcUxabq4v;gZT$ z&1ap2p9LIMbJb;Jx-(%s%1p4cnW{jrCpk=lyf6v}6(_#rsYwn&DU#Gp3?2;IyK&`w zDPU$#Eu#nhSw8o6uSNhts&}P&c;$#Q<)E_~>5;AaRt&SsyFm4qyNx!Azq);YYTkFZ zG8+?xJ1kBn4Yt~HlACM=TQjOD;`MS>GAli*KfC?R6rQ!zG|JkP`^D-yrM08=0!h^K zD>J@nU`RI2jOzsYYq2fR#|%uleg^HwHvzFjVk{<3c>-KYaf=1?3kKB%2JyL*0yAvLWX1Gd6>_Nhdh z-n8@kFYjFSQNxFi?r>h60I60-eJagbx!-*FgmSQ3ykpc&M5EY1(l&Fos)odG;Wxzb;HB_@$Ki#r%?&on5#4R#qIE2{YNRB+b zx`WK`ZUN+lSA5cNztkz=9375yjMn!GBRHg;0;_kg$RB4}Q=g$!hb4I>kkHHQo1Pzh zuaC{EuXodfP2lU2=&QJ;u)J)q%uUc98KLAYvs6z#yIeiZ)ti5UYbK{y9jvpCEr z!m;plbY+@nt*g~>hgayZQB5~@Wdc&vnB(+;yATo|zI1jC8m-)&tJiWh8Ph6d?o<5` zbtx&NtbA9Xt5aN9nmUz4e|oY7hb@MMq*4kQvwQs_RQ)P)!sSx1J;$pW!eyci@S~$8a0B zo5sR5o22-3%7=&}Vc5kW#EG#l1dg{gx-XCHy_|fnPFq&Y%U0CmCB6`jC#MMZ@J`r- zL-p3h6?xD6PrFidOd|@Wz;ZLNXBZX(;|~d>rKkDM<{oR1=&=`}s)75gg5+xlb(|17 z?DKgQ#Ov=6FKHPTSJDhsH5uU{a8lo6># 
zUv_Gu_!4xra;lG%>~y|&EV+liG_k#0GR>x9k$5N!2)CL6U1`C9C)M<%1mRP1q~G^3 zzyo!M3i`-<;khL_sWZN8FI0YJAF(>EC=Au!l}!$-?e_7{$B&gS8<4KXl~&kM3l?UU zM}3q5!ZZ_=-X{!o!UW`f^eS3WLGWeS6gK7uA4YglYksn@qc|GIgp|gVu;m&<~0PQbdo00$Q1x9XeGz2K- zuzyzr zI=$kbgzZjPI&}uyAn^IN926qL~D{;RYOJ38I3f*N7& zH^g|iBe^G?eMIt}SLV|P<>j*{uLVs_h9%06G^>V@jB#>z|H-n&gepG~>~+}*pFJlf z+sHVP%pbx9uLZ90y%+paR+I3aqYIvEO~VXVA6$@{p{)O_q{v@Se`puE)U`@sETV7B z?Se+jLk^~R4xYGd=X2LL+8BqW?Yif zW;ywlkmIYe$sga{=g6wunQXow(opp@m`a#nEGEZ=g4(UXTJk~CoUGPb7^j40l|J2y z1C-u&naarbQ-&xyF=!z60Xl8T%MAyRV=CCPrnUMvNim>q1+)tQ<-o5(C7E|oV>G|C z4JdX{A8Bqr18_DsN{&!9Gv42d(VP-iN5t?rFKnBvoQY-MHEF`{y2#dQe=}i01@=fP zCx`dus+V!CTcsvz6}*~g{Q*VMlVhIsTL&ES(bq~|W^0alWIJ^QCsK;Bjj@mB%Ou@y zJsy9AjfkfHBDdu^Iq20cT$; z=e^z!;8MbWzFcy3y`nK^MEtY4O9h!N*HCvAkx+6KA?M`dL_sXb20ljDY9B#;sj47~ zY&$gL-O*X#81QnNz}^XXZSLXvXWxddf?o+peiP#KLi)wDZbE<=f9J+WoR|PcI4#7O zy^S5_@M~^J2^3aoT{t-gE&)QfFwO}h$3?rXKf(t=I@1Wgwm|6cKXv_G=+m5PLbkLs zyrz!+tixo6omSSQeaWvXl~$EXp67duzA6?yPCs@TwFUAB0`r)va$b8zs-xQ*6o*{` z48NK}-re7cY5ky=N6 zD&6?RFZf_V{>C|O5?`njY{h+v^NOeltpre#lZ$qka=y;@QX^hbJKiKunC=<`vYrLq z=pUW|B3mxTSEg8nG5u~Z&sxc`@)JT=idHOozk#WRUaz}BFX7fYvg;#8X@?>>IeG?6 z%Y*BRoiQQ=dBc2=m>~4n`~lJLxi@qo`kPrPh}z%4?>O~M+lDS20&rP5;c04!w)SgG z33IYt(>?d?msqU;;{pS9lcjaBn?K0(ShWfOsye%tac-&~(I-fGmS-FQdo49o>xsYm zyl&pfB@&Z1dNB#Noq4Sr0$)6CxLx-7_JF;somb5SjNrt8U2>@9wNSSVe3iKIzn;AM z8|i1bDDF+{SOj*xCE!(n)hR8{5iiC!a5(f5Wqfsd!l^3_-Q(|AGF_C&p57iEe4kWR zM*CDnvl=p)u7T4=$?`e?fnt<%^gU}c0glW*uruWiStcVI=neqN=)F=V{Q|cmW)B{y znt<<{aAx7FN`P8sD8eHp-nB_I|q~Jl+9dV___DzmoTm6S{KtyU&Nk z#y7MHtD?+b{A~XoL&avD=ZrSn&mT0n@zbbG_O>*@&@7%IGewhn1Z|w%ogXECMKBW8 zv9{XBHq{xiwO=9}dm~gK%CDdKZ+zWonB8~-Wk)FWWk=TuCu!(UKg=wk`XyHB`{;jx zE1jG!QV)T3U3y>lFakcla`Mqd@__Lmr%v}`Z`1O?2i`j;M4M(lQqdppEyd znA)o@DIuWtK7T*mxzQECgZ&n6hmT`VLrYJ2YMy2RvZ)Ry@ii9K;mY9s8sWL$HWhY7Xg%%Zx z@(24|7ZfS19Es;KZ$o9IP_W+g27NP3ocXBuL?%%8WOSMy0Ps1qNdpMuFswV<}NN-ytJc z`jhE@i*bZNa*>$>4_AlM$&i$OYUrxg-OoShN3<&DKS%nKFE;w}?GtEBI&ymi8m9*` 
zQnw;QeU>_vN)<`9Ke-^LM^bprbhBJfs?`ebw|J7VuS=Lnsl7WxHOS+3U!Bx*sK^#3 zd~xR0-X=&Pk8^w>XLx@8HHLs1+&`9`3-O4d_|}SZrqF*dTw!DOFygx%<0A_63Y~Vu zed$yzPCc|Sb^}y7ZFFvQ6*PZE^vuuBr;5Gi}Xw=Ofl09 zN%6bptJM4%NqMxVtiu3<53Yn~VtG{QAD$&|_lR3>rhbZZpfqXF8sCdU(aSYE_z+9O z{NC8P#aqVvfXaNJk$hxMu+`f@FVVM@lP@f<%1@RVg1g|S`&vQHUk(i^k4PrYn95p= zS8lpQscf zRd+BJ->l)?*gt91d%g7gfu`2xZ5!OTC_^f7EJeWtX_15 z=5$LL@lW9Mb)Y)>36qKj8h-AZZ#e!|uYZ9B!aNKL3EB^O)_FJ(X9VSIjYOju_idnq z3|G+h9)6Q&6MlmCWhTcoBP<<>c!^-Nt0Qo2SWj_q`lc*A^U@wd9==wZVST|+{xX3x z@`aq^jca~geBEpeq1wl`QSid-aLx~>5YN`kY?xZs*UG3{bpq{BitbSZ`by_H{2$1b zl^dG0uJ}UVAvru3?gqHHqeQ?p5NjTODiNCLN&F?K^)9Pk*aG$D)3- z{x|aw6e0{?G;!uERd%N*L(9|4gh)m)RKw@`COt4@Ow9e`W8j$tQ487^ zvCj_aZ7`Y|Hsmh~7;6VO{>pmAN$cM+kXvzG)}lGlx7$hi+e4T9`A#r8sBj{YtElkv z1Ekr?0&r^)>3i$NbP2sb87j4aO4o3z}dn2Oda1 zqot2=mJ)Iz^Z4RI?MDqz#3{%@FMeee68&MG0VC=I!9B z5bUB|2rl@GN_ug8u{4w$e&O6PM?xIYGg-+j7d_H3So!n^X=zv58qkMuzx`L$H9x-j z8uJob`MQ)a7V(bXF zX5w7qqvOkC1f`GrwM?+9g#%dr1^c9qx8qaC;*AV6_DM#`$L7E2QU$D5n>({LU)XEzqs- zk$`=DCef!JlE)=oBvtfb=iBI;Ogr81@=R8ZIR!y&rn5D@HB4 zo;w#=d+`^C7hM-$Z{OT%UxNMsjSO(C(UYkSmNjd*@taN%u_7pat%LsmE(9>b1yN>Ntvjc z)z0qzn!qqla!he7KXuwb-|(Vq2#X)!kGG^FlUGP}!Q&%20_w0g+uZoCx25G4Diod; za>>`H>2V+OaPdX3$ETL@2wBe9j&kGij&bOl`VKb_1sLL6P*-W1Ixa!nlBgrP294FK zwLXa?6(+?d$qcb1*(Uj@U#Uy0_o#c79eq+Mo1ghKQ~E>uhnEerP4B{Rb;(cYbdu3f z9pPemm54EHW^{$M=g6xGy~+IQ#>u!^J^4p#9k_0s_+;W=@i-aEgaxKQ{oT%UYGKMnjINQthEfgMwu za^i0iVEdpWwn-iGVa4gLp{8*pN7F*w;**7Tim#^f+^^I|h? 
zvz{@Bkx5yw7fcHDf`3(wSCzIhCS_z1u=Ub94ywc|rFSXxDo8F|O|bwv-gZ03%h7Gg z3krTR=kz=4!1?e|rnfv24A=DKY2%AeZWOJNY$yDIFHDS%t%21fj+{%FTl5L}6H|4T zDTYbK@X-s5FsAP17v+e)O%+T=3p45)s~UxzVCTwbSKIODTxWQ)mj#WJGmP6Rg&@mh zfgu@F3YELU@~j0~aGbpcRd`r14T29MuN;C#ls_BNF>=T7bL&n#`udS|`v=FIbwbLX80|v;_lhISZFH<_T;~_S``!EH8edfpb?txoPTba$1(B88;H+rY57?+c3-Qw5 zq}$tu%_-~KYUoxaHvDwhkGCCI9EJDaSD7^pT%8?eyGpsa97L|pYi+2g)C{@IPHNSv ze_H%0Kf4n?+o6zT2CGu=2>-euxzrq}y5ErK^GY`zS*EWB30tKu zIqhuT#LsH={jAFj7yNwXat<`>@;)8=wpf>qnURZhiu$1XtmVwE9hFU$7c#Q-6n8fSKrmNu^Tv!K@6Z1Za$Yf*@YVSY=AT0fObJ|v$TZE zJhtx-q%_=Tw^r%lD^Q)Q=8C2ZycXb0n}hr5RCb4--odNYDX8*&^+QEZMWp_r`yupK z0blv`eL9@a$9`z#Rofyo>+XIyBmoZuEA)Bo^8>zlQ?lp$d#C9RdUwa!ngMip*=`_F zQ;l?EjUh~*kJ8?NGloa-+pX0G4<89x^2NC&=G71nXaY@u^%G36ylv zRFk~yHu&P{j-w{8Wa80KYCEwO6>?JE_K^4rDW48WbN~i}@m^f}1-Pjm@FI<EU43~ea#2dsX6rwQ3Occcu}Lt6F`&a1ZxF|hBvVakGkJNWw}><* z5*qRgBveES8SzCzCPhN~D~*ICgG}~sX=P-Ff6$;HA%$2XJ^2TX7UK8u6N7jV-2eDR zjSEJ?K;&K^o}h0i|D;9}{)YO`H0m;<4(Yv$n6xzFSH;-L)YQ(|!rmnXr*#!kfaM_d z$r%ZW=*{DUEUoADsps~FztD%X#ktwUYt;1tGNW$)dh@`Eliy@V} zt&N?tpt}goUlf9f^kXp_4b@*HF4iJ6n(~TNV)jm^R6MNQtn4(RPpPP=gq=*x1eL`< z{(~Kn6QQwiad8l2V{>zJV|C+VwRbXS;}8%KU}NWGXfaIv(vqk3%D(8&I?iwF(PV@Ln?`FotE?w0@Flb!QF#6k$j_E^Kl!OG6| zU$MDZn*HCfJ=Xlq_Lp3LcPISVn4p@osgsz!t*xn@i|D^=T==h^{x6mPKF+@x6)oLO zZ8XI#5uDBlnM65x`Pu)$_MfZ%OV&^S&dMRc$NwK$|3lS(V0{!q5aeWu7^&f-7DYLP z+5V@p|4grJ>TGZG`H@`B&eBDc^B*k#srVmU!fcNd^B*Sa?^Wjv8NsGT%bw@tP#QH`jsdntOJt{gN7dOy4Y66C*d zJ5lDija*sfUy9NmIE^x~^K#t+Z=IHP-N3&G*|#!)pJl7zr7&w!)HlgR36IlZLRq>q z+;tj}PO)aO1_pw4>J@68gs_w6$In>@#oa^QFo{iRgu8`;A~^9WArzewshD`D&(?G0 zfxyYv33V4Oj*Et%385YMq3VVuLZ~8#d+2laysJPP$a-e{(6Fd?Ca8`0cL@EQPT(bWM`BtHtDZ$zX26FTOmodHbFKxaVq4NkSHjYI*#9F ze6vF?Q<}oqYn3V?-p<6;eP9JDf5zQ-A+wVfX-iKn^dGFUCF|xH|mdQ<0t3+svk@qQn^3S zP5nbyk4U-PZG_bE8|IUksd7VqD`}I1Gc0Xmr$fk>gwM?!c0AOO@!R~G>9Ex|m>xI3 z4XR3>>iE8vx+RuZ!I!l8B9yNXjfn`a%3%XSokguPXq-5Il|htz<$ON!2W;84cdL4p zeE^(_PNZ)2`t^`7leS#H?}U@6RxMVWz%~<05p0uiwa-E&6csV$ThnJ@-!fmj5N+8u z&npAFBr1l;t^j6Wmo7;(F_$8~U60%z6by 
zVFk{lD_&9N)Pzk%PfM%uk0Y)%J-1ctJi4r3CBEt9!P{eCTcK|4F8G%&M3|rD`JLnj zGgbCnjGrYbwDBT34-}yRE!=98ykVd5VNs+@v}Vo2<>9@Ig@5={$5zeJ=4cur9KR-g zCT5yYMk7z5&%H(L5kvsWFYw-zt&XxGw0)i7PQ!ATe3b_*wlA*e7NvR2!$6O^5%A^a zvnUUB4sw8m{oC@u8^KLuf{;@`lKpd8h&cythx1Ef(q~C|v5x|(`+TU?)0u0Tod>M# z6v@x=?N}+4w(UZUcbXTu(rE*wO=C~D6|1Nuck;b=2JwDv?su@jxdr3s|E1qt>o7-# z#;cyEtZ2|fK5P=xijDNhlq9@5zcPk!86>tDjJT%aCTYtE9f?Xd3DC z)2^WJ^f$CySR9pj%ewiDN&&h;`ZLocope<;|IUQgMtM=XmNffuuE`4SsvmxDi2LOA zUboQi0OlDU_oQb=vHkBGa$pOZN#5he{NtG0s00VfLXI zsdL0VLNB}O%|qGI6rhnz8;bLaLeYNV%-47kku`p`Bl<(N&{^~hb%i%+N&3*=@J`um z2q|DnDdgl2LtHkm0+ds8()TWi*LKyP4KXi(UWG?9ar%q(f(z`YTiALF)|(CbUzFw zz>eGpj3emkz`fB2^g>ZxW2UmZQ$fZ}1=ZJtm5x_VPI7^4yB`B`Ml}uB3_Lj=iSX7!;5;E5?CEM&QQ@d-}xIZT~elHX@LVe1YY%@9aFC#3q{Eh`a~qGRbIoy_F7WZ2ppR;g)xg|yyo{n8Jwmruk6ais-$E%LjvssHuv z@wY~Xh7{)*^nCw(L4n2h5(G&X7n|k3^**iA*)Zu*f%R-dl9xn#t`p8}TcN`}z-Unx zN>Lo)ZXkvJTtCzgSt_ge*pBC=U7LW@fs;vSixQJHh4~wuH*lW8NW3k2mVfd z*QRtwznHFPC8ab`&9a2qZRJfU*$?Jz5{ztwJV9P|LYh5){0hm3jHm-VZ}q7z1uBjh}p)*e?}6g zu@Y|q2|M+M<{f05=#2gnARO*s2i!TIKAX5klbp!&4pL)r;BJ4;a)w#H!2m3$F3@iN z87)`zFYWY_A2XHyWDJ{>FV(bJD8>SR^XAJ4uzP>~>t8p7vp0gctIzGI-M30Kx5$h1 zy|JUMY1uR$+JTVef&vNfs&E*{d!i~QPb9p9)|H;OZdXj5bO{9|my>{o5b<)x zS>7SBEf;PE!iQSgfTr}VvJQZc>i?Z*bnEhH9Rz#}0c<=7@a8XjrNrSQ_;+wI1x`-m z>Kp6q1s@cWG@*})-?LF_u4joV!|iWIit>6jaqnn#n>Vop+t^6%#=N` zqCpWZ2B!?s7t}iWMcxY_A92S6fLMdn7{YH#{%_3G9N%G(DQrBH_y|=|yspp`w9az0 z9Ox0I5l(Kk+zfFk78X0pop#hMPiy_gP2uAgA}zS@&qHjl%PT;HB{6iL?Ny1ttA%N+?e7!m82%#@)eIGv;xC?J&d4$A4f;MepX1fKN> zx0jBJ3CC|1(D#Z7()g@YKIOCTz(Uzo?V+pu99-fNys4&u^JR()eWD$UF1nXk^bCoh zuz>JL$#>mKq_fYd_|(X^Dl#thW$FDSPjvmLhUEK!v3E8&D^M%nNHbUB-u7JcWL_WQC)dst`?YHA&m>}kpd-R?M{8t=T z%*Id-8&w2^H3twD!ELbnc|QxAEY45Xz=|*O;Wmr;cV^n}5L!8AyEAujX0&%KT{A=~{fQW@l!9Z&Roli1Bqf+~U)zmz^DDuR6yYZX1l`)oKF~yUJ%}vS zS6Lb{ffEhm?h_5lh#djkF^GSRYsXW*0XJ_tp8E7d^Xk!JZo_Y-M*#>oo^4Te0GuFg zDXV^X*|d4H2NRFZHj3aka=H(l*@ekGx-|oTFXMai!`M8=OIbrT(Sk7Rtd!_V6B>m| zh?ag77&==keJfFVi4FLS#mAb3cg#-_T|wU!HcSwDKEV}T-wTq7DC8%?)#=9T=w!^2 
zr3{o@!K9VdilRw#2wzuu4xaqX{Oe2&M?WY}C)00}P#!*6QR^N?EALU@UHiK@N<21d z(zjY_Rl}4_DL3jduJfm5Npq(KKSpc`AcV97r+JOnVtM zC0dw=d