<div dir="ltr">Are these throw routes managed by systemd-networkd (i.e. there's a corresponding .network file for them)? I'm guessing there is not and that StrongSwan is managing them separately. systemd-networkd by default will remove unmanaged routes unless told otherwise. There are two settings that can prevent this, KeepConfiguration= (from the systemd.network man page) and ManageForeignRoutingPolicyRules=/ManageForeignRoutes= (from the networkd.conf man page).<div> </div><div>Hope that helps,</div><div>Anita <div> </div></div></div> <div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Dec 21, 2021 at 2:57 AM Robert Dahlem <<a href="mailto:Robert.Dahlem@gmx.net">Robert.Dahlem@gmx.net</a>> wrote: </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi, I'm running on Debian Bullseye, systemd 247. StrongSwan 5.9.1 (an IPsec implementation) establishes throw routes in table 220 when activating the bypass-lan plugin. Basically that means: you have a VPN tunnel giving you a prioritized default route through the VPN gateway but you can still reach systems in local networks. It looks like this: # ip a ... 2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 ... inet <a href="http://192.168.1.160/24" rel="noreferrer" target="_blank">192.168.1.160/24</a> brd 192.168.1.255 scope global dynamic ens18 inet <a href="http://172.29.254.11/32" rel="noreferrer" target="_blank">172.29.254.11/32</a> scope global ens18 3: ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 ... inet <a href="http://192.168.180.2/24" rel="noreferrer" target="_blank">192.168.180.2/24</a> brd 192.168.180.255 scope global ens19 4: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 inet <a href="http://10.10.10.1/24" rel="noreferrer" target="_blank">10.10.10.1/24</a> brd 10.10.10.255 scope global vmbr1 ... # ip rule 0: from all lookup local 220: from all lookup 220 32766: from all lookup main 32767: from all lookup default # ip route sh table 220 default via 192.168.1.1 dev ens18 proto static src 172.29.254.11 throw <a href="http://10.10.10.0/24" rel="noreferrer" target="_blank">10.10.10.0/24</a> proto static throw <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a> proto static throw <a href="http://192.168.180.0/24" rel="noreferrer" target="_blank">192.168.180.0/24</a> proto static Any outgoing traffic goes through table 220 where the default route points to the VPN tunnel. Without the throw routes traffic for local networks would be sent through the VPN tunnel too. Now the problem: when I restart networkd, the throw routes get removed: # systemctl restart systemd-networkd # ip route sh table 220 default via 192.168.1.1 dev ens18 proto static src 172.29.254.11 Of course now I can no longer reach the local networks. I run networkd with "Environment=SYSTEMD_LOG_LEVEL=debug", so I get this in the log: # grep throw /var/log/syslog | cut -d " " -f 6- | grep -v lo: \ | sed 's!src: n/a, gw: n/a, prefsrc: n/a, scope: global, !!' Remembering route: dst: <a href="http://192.168.180.0/24" rel="noreferrer" target="_blank">192.168.180.0/24</a>, table: 220, proto: static, type: throw Remembering route: dst: <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a>, table: 220, proto: static, type: throw Remembering route: dst: <a href="http://10.10.10.0/24" rel="noreferrer" target="_blank">10.10.10.0/24</a>, table: 220, proto: static, type: throw Removing route: dst: <a href="http://192.168.180.0/24" rel="noreferrer" target="_blank">192.168.180.0/24</a>, table: 220, proto: static, type: throw Removing route: dst: <a href="http://10.10.10.0/24" rel="noreferrer" target="_blank">10.10.10.0/24</a>, table: 220, proto: static, type: throw Removing route: dst: <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a>, table: 220, proto: static, type: throw Removing route: dst: <a href="http://192.168.180.0/24" rel="noreferrer" target="_blank">192.168.180.0/24</a>, table: 220, proto: static, type: throw Removing route: dst: <a href="http://10.10.10.0/24" rel="noreferrer" target="_blank">10.10.10.0/24</a>, table: 220, proto: static, type: throw Removing route: dst: <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a>, table: 220, proto: static, type: throw Removing route: dst: <a href="http://192.168.180.0/24" rel="noreferrer" target="_blank">192.168.180.0/24</a>, table: 220, proto: static, type: throw Removing route: dst: <a href="http://10.10.10.0/24" rel="noreferrer" target="_blank">10.10.10.0/24</a>, table: 220, proto: static, type: throw Removing route: dst: <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a>, table: 220, proto: static, type: throw Forgetting route: dst: <a href="http://192.168.180.0/24" rel="noreferrer" target="_blank">192.168.180.0/24</a>, table: 220, proto: static, type: throw Forgetting route: dst: <a href="http://10.10.10.0/24" rel="noreferrer" target="_blank">10.10.10.0/24</a>, table: 220, proto: static, type: throw Forgetting route: dst: <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a>, table: 220, proto: static, type: throw At first, networkd remembers the throw routes, then it removes and forgets them. Why is that and how can I prevent it from doing so? (Actually, the problem is a bit more complex and has to do with disappearing throw routes when interfaces come up "late", i.e. WIFI interfaces. I tried to show the behavior in a simple test case.) Regards, Robert </blockquote></div>