IKEv2 VPN nm-strongswan issues with routing

Hi, I have configured an IKEv2 VPN client using NetworkManager-strongswan. The connection works without any issues.
The problem I have is with routing: setting ipv4.never-default to true has no impact, every request goes through my VPN connection, which is very slow when I want to download something from the Internet.

I am using F40.
Here is my nm configuration:

ipv4.method:                            auto
ipv4.dns:                               --
ipv4.dns-search:                        --
ipv4.dns-options:                       --
ipv4.dns-priority:                      0
ipv4.addresses:                         --
ipv4.gateway:                           --
ipv4.routes:                            --
ipv4.route-metric:                      -1
ipv4.route-table:                       0 (unspec)
ipv4.routing-rules:                     --
ipv4.replace-local-rule:                -1 (default)
ipv4.ignore-auto-routes:                yes
ipv4.ignore-auto-dns:                   no
ipv4.dhcp-client-id:                    --
ipv4.dhcp-iaid:                         --
ipv4.dhcp-dscp:                         --
ipv4.dhcp-timeout:                      0 (default)
ipv4.dhcp-send-hostname:                yes
ipv4.dhcp-hostname:                     --
ipv4.dhcp-fqdn:                         --
ipv4.dhcp-hostname-flags:               0x0 (none)
ipv4.never-default:                     yes
ipv4.may-fail:                          yes
ipv4.required-timeout:                  -1 (default)
ipv4.dad-timeout:                       -1 (default)
ipv4.dhcp-vendor-class-identifier:      --
ipv4.link-local:                        0 (default)
ipv4.dhcp-reject-servers:               --
ipv4.auto-route-ext-gw:                 -1 (default)

Any ideas, how to configure this properly?


Perhaps analyzing the connection log and the state of the IP stack can help you:

journalctl --no-pager -b -u NetworkManager.service
ip address show; ip route show table all; ip rule show

It looks like I am receiving an inet addr from the Internet pool.
Something like this: inet 55.55.x.x/32 scope global noprefixroute.
… and routes below:

➜  ~ ip -4 route show table all
default via 192.168.100.1 dev wlp0s20f3 table 220 proto static src 55.55.x.x 
throw 172.17.0.0/16 table 220 proto static 
throw 172.18.0.0/16 table 220 proto static 
throw 172.24.0.0/16 table 220 proto static 
throw 192.168.100.0/24 table 220 proto static 
default via 192.168.100.1 dev wlp0s20f3 proto dhcp src 192.168.100.103 metric 600 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.18.0.0/16 dev docker_gwbridge proto kernel scope link src 172.18.0.1 
172.24.0.0/16 dev br-3747aba357bb proto kernel scope link src 172.24.0.1 linkdown 
192.168.100.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.100.103 metric 600 
local 55.55.x.x dev lo table local proto kernel scope host src 55.55.x.x 
local 55.55.x.x dev nm-xfrm-1278781 table local proto kernel scope host src 55.55.x.x 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 

For the future: strongswan creates routing table 220, which impacts routing.
Removing this rule with the command ip rule delete table 220 helps.
Of course you need to define routing to the subnet statically.
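As an added example (not a script from this thread), the following shell functions audit the policy-routing state strongSwan leaves behind, using constructed samples shaped like the `ip rule show` and `ip -4 route show table all` output quoted above, and print as a dry run the commands that replace the catch-all rule for table 220 with a static route for the VPN subnet. The VPN subnet is a placeholder the thread never names; the interface name nm-xfrm-1278781 and the address 55.55.0.1 are taken from or modelled on the quoted output.

```shell
#!/bin/sh
# Added example for this thread (not the poster's script): inspect strongSwan's
# routing table 220 and print a dry-run plan for replacing it with static routes.
# Placeholder: <VPN_SUBNET> is not given in the thread; fill it in for your tunnel.

# Constructed sample of `ip rule show` while the tunnel is up (rule priority 220).
SAMPLE_RULES='0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default'

# Constructed sample of `ip -4 route show table all`, shaped like the thread's output.
SAMPLE_ROUTES='default via 192.168.100.1 dev wlp0s20f3 table 220 proto static src 55.55.0.1
throw 172.17.0.0/16 table 220 proto static
throw 172.18.0.0/16 table 220 proto static
throw 192.168.100.0/24 table 220 proto static
default via 192.168.100.1 dev wlp0s20f3 proto dhcp src 192.168.100.103 metric 600
192.168.100.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.100.103 metric 600'

# True when a policy rule sends every lookup into table 220.
has_table_220_rule() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+:[[:space:]]+from all lookup 220$'
}

# True when table 220 carries a default route, i.e. all traffic is tunnelled.
table_220_has_default() {
    printf '%s\n' "$1" | grep -Eq '^default .* table 220( |$)'
}

# Print the prefixes table 220 "throws" back to the main table: these are the
# LAN and bridge subnets that must stay reachable outside the tunnel.
throw_prefixes() {
    printf '%s\n' "$1" | awk '$1 == "throw" && / table 220( |$)/ { print $2 }'
}

# Dry-run plan: drop the catch-all rule (the fix from the thread) and route only
# the VPN subnet through the tunnel interface with the tunnel-assigned address.
plan_static_routes() {
    vpn_subnet="$1"; vpn_dev="$2"; vpn_addr="$3"
    echo "ip rule delete table 220"
    echo "ip route add $vpn_subnet dev $vpn_dev src $vpn_addr"
}

# Stand-alone run: only plan when the catch-all rule is actually in place.
if has_table_220_rule "$SAMPLE_RULES" && table_220_has_default "$SAMPLE_ROUTES"; then
    echo "# subnets kept in the main table: $(throw_prefixes "$SAMPLE_ROUTES" | tr '\n' ' ')"
    plan_static_routes "<VPN_SUBNET>" "nm-xfrm-1278781" "55.55.0.1"
fi
```

Replace the constructed samples with the live output of `ip rule show` and `ip -4 route show table all` to audit a real host; the printed commands need root and are only a plan, not executed by the script.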