VPN
Alexander, 2022-03-13 14:55:51

Why won't charon-nm connect?

As in the subject line.
It just doesn't connect at all. Through the strongswan-starter service too:

Mar 11 21:06:53 alex-thinkpad charon-nm[12431]: 01[CFG] received initiate for NetworkManager connection czech
Mar 11 21:06:53 alex-thinkpad charon-nm[12431]: 01[CFG] using CA certificate, gateway identity '185.xxx.xx.xxx'
Mar 11 21:06:53 alex-thinkpad charon-nm[12431]: 01[IKE] initiating IKE_SA czech[7] to 185.xxx.xx.xxx
Mar 11 21:06:53 alex-thinkpad charon-nm[12431]: 01[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 21:06:53 alex-thinkpad charon-nm[12431]: 01[NET] sending packet: from 192.168.13.12[41634] to 185.xxx.xx.xxx[500] (1128 bytes)
Mar 11 21:06:57 alex-thinkpad charon-nm[12431]: 14[IKE] retransmit 1 of request with message ID 0
Mar 11 21:06:57 alex-thinkpad charon-nm[12431]: 14[NET] sending packet: from 192.168.13.12[41634] to 185.xxx.xx.xxx[500] (1128 bytes)
Mar 11 21:07:04 alex-thinkpad charon-nm[12431]: 16[IKE] retransmit 2 of request with message ID 0
Mar 11 21:07:04 alex-thinkpad charon-nm[12431]: 16[NET] sending packet: from 192.168.13.12[41634] to 185.xxx.xx.xxx[500] (1128 bytes)

It keeps trying port 500.

At the same time, everything works fine through charon-cmd:
Mar 11 21:08:46 alex-thinkpad sudo[213717]:     alex : TTY=pts/2 ; PWD=/home/alex ; USER=root ; COMMAND=/usr/sbin/charon-cmd --cert /etc/ipsec.d/cacerts/ca-cert.pem --host 185.xxx.xx.xxx --identity anonym
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 00[PTS] TPM 2.0 - could not load "libtss2-tcti-tabrmd.so.0"
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 00[LIB] plugin 'tpm': failed to load - tpm_plugin_create returned NULL
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 00[LIB] created TUN device: ipsec0
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 00[DMN] Starting charon-cmd IKE client (strongSwan 5.8.2, Linux 5.16.13-051613-generic, x86_64)
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 00[LIB] loaded plugins: charon-cmd ldap pkcs11 aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl kernel-libipsec kernel-netlink resolve socket-default bypass-lan eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 00[JOB] spawning 16 worker threads
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 12[KNL] error installing route with policy 169.254.0.0/16 === 169.254.0.0/16 out
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 12[IKE] installed bypass policy for 169.254.0.0/16
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 12[IKE] installed bypass policy for 192.168.13.0/24
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 12[IKE] installed bypass policy for ::1/128
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 12[KNL] error installing route with policy fe80::/64 === fe80::/64 out
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 12[IKE] installed bypass policy for fe80::/64
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 12[IKE] interface change for bypass policy for fe80::/64 (from enp0s31f6 to ipsec0)
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 12[KNL] error installing route with policy fe80::/64 === fe80::/64 out
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 12[IKE] initiating IKE_SA cmd[1] to 185.xxx.xx.xxx
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 12[IKE] initiating IKE_SA cmd[1] to 185.xxx.xx.xxx
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 12[NET] sending packet: from 192.168.13.12[39873] to 185.xxx.xx.xxx[4500] (1128 bytes)
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 13[NET] received packet: from 185.xxx.xx.xxx[4500] to 192.168.13.12[39873] (38 bytes)
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 13[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 13[IKE] peer didn't accept DH group ECP_256, it requested CURVE_25519
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 13[IKE] initiating IKE_SA cmd[1] to 185.xxx.xx.xxx
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 13[IKE] initiating IKE_SA cmd[1] to 185.xxx.xx.xxx
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 13[NET] sending packet: from 192.168.13.12[39873] to 185.xxx.xx.xxx[4500] (1096 bytes)
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 14[NET] received packet: from 185.xxx.xx.xxx[4500] to 192.168.13.12[39873] (236 bytes)
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 14[CFG] selected proposal: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 14[IKE] local host is behind NAT, sending keep alives
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 14[IKE] remote host is behind NAT
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 14[IKE] sending cert request for "CN=VPN root CA"

Immediately goes to 4500 and connects.

Am I right in understanding that if the client is behind NAT, it should simply connect to 4500? How can I force the NetworkManager client to do this?
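What the two excerpts actually show, as an added check that is not part of the original thread and not strongSwan code: in IKEv2 the initiator sends IKE_SA_INIT to UDP 500, NAT is only detected from the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifies carried in the response, and only then does the exchange move to UDP 4500 (RFC 7296, section 2.23). A request that is retransmitted with no reply at all, as in the charon-nm log, is therefore not a NAT-T problem: either UDP 500 is filtered somewhere between the laptop and the gateway, or nothing answers on it. The charon-cmd run sidestepped that by sending IKE_SA_INIT to 4500 from the start, which the gateway accepted, as RFC 7296 requires responders to accept IKE on 4500 as well. The script below parses both excerpts (embedded as a constructed sample with the month abbreviation translated and the gateway address masked exactly as the poster masked it) and prints that distinction per daemon; it keys only on the message texts visible in the logs and assumes nothing else about strongSwan.

```python
"""Classify charon IKE_SA_INIT attempts from syslog lines (added example, not strongSwan code)."""
import re

# Constructed sample: the charon-nm and charon-cmd excerpts from the post, trimmed to the
# lines that matter (month translated to English, gateway address masked as in the post).
SAMPLE_LOG = """\
Mar 11 21:06:53 alex-thinkpad charon-nm[12431]: 01[NET] sending packet: from 192.168.13.12[41634] to 185.xxx.xx.xxx[500] (1128 bytes)
Mar 11 21:06:57 alex-thinkpad charon-nm[12431]: 14[IKE] retransmit 1 of request with message ID 0
Mar 11 21:06:57 alex-thinkpad charon-nm[12431]: 14[NET] sending packet: from 192.168.13.12[41634] to 185.xxx.xx.xxx[500] (1128 bytes)
Mar 11 21:07:04 alex-thinkpad charon-nm[12431]: 16[IKE] retransmit 2 of request with message ID 0
Mar 11 21:07:04 alex-thinkpad charon-nm[12431]: 16[NET] sending packet: from 192.168.13.12[41634] to 185.xxx.xx.xxx[500] (1128 bytes)
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 12[NET] sending packet: from 192.168.13.12[39873] to 185.xxx.xx.xxx[4500] (1128 bytes)
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 13[NET] received packet: from 185.xxx.xx.xxx[4500] to 192.168.13.12[39873] (38 bytes)
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 13[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 13[IKE] peer didn't accept DH group ECP_256, it requested CURVE_25519
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 13[NET] sending packet: from 192.168.13.12[39873] to 185.xxx.xx.xxx[4500] (1096 bytes)
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 14[NET] received packet: from 185.xxx.xx.xxx[4500] to 192.168.13.12[39873] (236 bytes)
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 14[CFG] selected proposal: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 14[IKE] local host is behind NAT, sending keep alives
Mar 11 21:08:46 alex-thinkpad charon-cmd[213718]: 14[IKE] remote host is behind NAT
"""

# syslog prefix + "<thread>[<group>] <message>" as charon prints it; sudo and other daemons are skipped
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<daemon>charon-\w+)\[\d+\]: "
    r"\d+\[(?P<group>\w+)\] (?P<msg>.*)$")
PACKET_RE = re.compile(
    r"^(?P<dir>sending|received) packet: from [^\s\[]+\[\d+\] "
    r"to [^\s\[]+\[(?P<dport>\d+)\] \(\d+ bytes\)$")
RETRANSMIT_RE = re.compile(r"^retransmit \d+ of request with message ID \d+$")
DH_RE = re.compile(r"^peer didn't accept DH group (\S+), it requested (\S+)$")
PROPOSAL_RE = re.compile(r"^selected proposal: (.+)$")


def new_stats():
    return {"sent_to_ports": [], "replies": 0, "retransmits": 0,
            "dh_switch": None, "proposal": None, "local_nat": False, "remote_nat": False}


def summarize(lines):
    """Per charon flavour: destination ports tried, replies seen, retransmits of the
    IKE_SA_INIT request, the DH group switch after INVALID_KE_PAYLOAD, and NAT detection."""
    per_daemon = {}
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        st = per_daemon.setdefault(m["daemon"], new_stats())
        msg = m["msg"]
        p = PACKET_RE.match(msg)
        if p:
            if p["dir"] == "sending":
                port = int(p["dport"])
                if port not in st["sent_to_ports"]:
                    st["sent_to_ports"].append(port)
            else:
                st["replies"] += 1
        elif RETRANSMIT_RE.match(msg):
            st["retransmits"] += 1
        elif (d := DH_RE.match(msg)):
            st["dh_switch"] = (d.group(1), d.group(2))
        elif (pr := PROPOSAL_RE.match(msg)):
            st["proposal"] = pr.group(1)
        elif msg.startswith("local host is behind NAT"):
            st["local_nat"] = True
        elif msg.startswith("remote host is behind NAT"):
            st["remote_nat"] = True
    return per_daemon


def diagnose(log_text):
    """Map daemon name -> one-line diagnosis, derived only from the counters above."""
    out = {}
    for daemon, st in summarize(log_text.splitlines()).items():
        ports = "/".join(str(p) for p in st["sent_to_ports"]) or "?"
        if st["replies"] == 0:
            # NAT detection needs an IKE_SA_INIT response; a silent peer plus retransmits
            # means the port is filtered or unserved, not a NAT-T failure.
            out[daemon] = (f"no reply to IKE_SA_INIT on UDP {ports} after {st['retransmits']} "
                           f"retransmit(s): that port is filtered on the path or not served")
        elif st["proposal"]:
            nat = [n for n, f in (("local", st["local_nat"]), ("remote", st["remote_nat"])) if f]
            switch = (f"; DH group renegotiated {st['dh_switch'][0]} -> {st['dh_switch'][1]}"
                      if st["dh_switch"] else "")
            out[daemon] = (f"IKE_SA_INIT completed on UDP {ports}: {st['proposal']}{switch}"
                           f"; NAT detected: {', '.join(nat) or 'none'}")
        else:
            out[daemon] = f"{st['replies']} reply packet(s) on UDP {ports} but no proposal selected"
    return out


if __name__ == "__main__":
    for daemon, line in diagnose(SAMPLE_LOG).items():
        print(f"{daemon}: {line}")
```

Run it against `journalctl -u strongswan-starter` or the NetworkManager journal piped in on stdin instead of the sample to get the same verdict for a live attempt. Before changing the client, the more decisive check is a packet capture on the gateway side: if the 1128-byte IKE_SA_INIT to port 500 never arrives there while the one to 4500 does, the path is filtering UDP 500 and the client must start on 4500; if it arrives and goes unanswered, the gateway configuration is the problem and the port is a red herring.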

1 answer
AlexVWill, 2022-03-13

How can I force the NetworkManager client to do this?

Something like this: https://www.securevpn.pro/rus/setup/linux-ikev2-vp...
