Enabling IPsec connection messes up loopback device and routing table (workaround needed!)


When activating a Strongswan connection, the Strongswan plugin for NetworkManager messes up the routing table and overwrites the address of the loopback device with the same address assigned to the outgoing interface (i.e. eth0). So ifconfig displays for example being assigned to lo instead of, plus the default route somehow gets remapped to lo. The original default route is destroyed.
And when shutting down the IPsec link, lo is destroyed and the routing table is entirely messed up (only eth0 remains).

Is there a way to circumvent this problem (i.e. by manually readjusting the loopback interface and reorganizing the routes when the IPsec tunnel is established, and recreating the loopback interface and any routes that may have disappeared when the IPsec tunnel goes down)? If yes, how do I have to set this up?
I want to create a script in /etc/NetworkManager/dispatcher.d that automates the process. Any hints on how to do that?

Any help would be greatly appreciated.

EDIT: I’m currently running v. 5.0.1 of the StrongSwan plugin which unfortunately is broken. I need this to circumvent the problem until the plugin is updated to at least 5.0.3 (which fixes the issue).

OK, the script seems to be running fine now; the only problem now is that the IP address for the gateway is hard-coded.
What would a sed command look like to derive the gateway address for the default route from an interface address? I need this since I'm working from different WLANs that may have different gateway addresses.

Here’s what the (busted) routing table looks like when the VPN tunnel came up:

Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         *                               U     0      0        0 lo
                *                               U     0      0        0 wlan0

I need to filter for interfaces like ethn, wlann, etc., to make the script more flexible.

The other way round (i.e. the VPN tunnel going down) isn't necessary since that only means setting up the loopback device.
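One way to build the dispatcher script asked about above, as an added example that is not part of the original post: it reads the uplink interface and gateway out of `ip -4 route show` output instead of hard-coding them, restores 127.0.0.1/8 on lo, and replaces the default route that was remapped to lo. The route tables are constructed samples (the post's table has its addresses stripped), and the `.1` fallback for deriving a gateway from an interface address is an assumed convention, not something the page states.

```shell
#!/bin/sh
# Constructed samples of `ip -4 route show` output (not from the post): a
# healthy table and the broken state the question describes, where the
# default route has been remapped to lo.
SAMPLE_HEALTHY='default via 192.168.178.1 dev wlan0  proto static
192.168.178.0/24 dev wlan0  proto kernel  scope link  src 192.168.178.42'
SAMPLE_BROKEN='default dev lo  scope link
192.168.178.0/24 dev wlan0  proto kernel  scope link  src 192.168.178.42'

# Name of the physical uplink (eth* or wlan* only, so lo is never chosen).
uplink_iface() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++)
        if ($i == "dev" && $(i+1) ~ /^(eth|wlan)[0-9]+$/) { print $(i+1); exit } }'
}

# Address of the uplink, taken from the `src` hint of its connected route.
uplink_addr() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++)
        if ($i == "src") { print $(i+1); exit } }'
}

# Gateway of an intact default route; prints nothing when the route is broken.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Fallback asked for in the question: derive the gateway from the interface
# address by swapping the host octet for .1. This ASSUMES a /24 with the router
# at .1 (a convention, not a fact), so the intact route is preferred when present.
gateway_from_addr() {
    printf '%s\n' "$1" | sed -E 's/\.[0-9]+$/.1/'
}

# Emit (rather than run) the commands that put lo and the default route back,
# so the plan can be inspected before it is executed as root.
repair_plan() {
    dev=$(uplink_iface "$1"); [ -n "$dev" ] || return 1
    gw=$(default_gateway "$1")
    [ -n "$gw" ] || gw=$(gateway_from_addr "$(uplink_addr "$1")")
    printf 'ip link set lo up\n'
    printf 'ip addr replace 127.0.0.1/8 dev lo\n'
    printf 'ip route del default dev lo 2>/dev/null || true\n'
    printf 'ip route replace default via %s dev %s\n' "$gw" "$dev"
}

# Dispatcher entry point: NetworkManager passes the interface as $1 and the
# action as $2; act only on vpn-up and apply the plan (dispatcher runs as root).
if [ "${2-}" = vpn-up ]; then
    repair_plan "$(ip -4 route show)" | sh
fi
```

Installed as an executable file under /etc/NetworkManager/dispatcher.d, the script does nothing for other actions, so the vpn-down case the post says needs no handling is left alone.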