How to install samba server on centos 7 with and without user and password

First, we must install package samba and accept all dependencies.

yum install samba -y

Create user, who can access our samba secure folder:

useradd -s /sbin/nologin user
groupadd smbgroup
usermod -a -G smbgroup user
smbpasswd -a user

Then, create a directories for samba shares. Chcon command mark our directory with label, that SELinux allows samba service to operate with this folder. Another possibility is disable SELinux, but it is not the right way 🙂

#for anonymous
mkdir -p /mnt/aaa
chmod -R 0777 /mnt/aaa
chcon -t samba_share_t /mnt/aaa -R
chown -R nobody:nobody /mnt/aaa
#for another secure user
mkdir -p /mnt/nfs/kadeco/
chmod -R 0755 /mnt/nfs/kadeco/
chcon -t samba_share_t /mnt/nfs/kadeco/ -R
chown -R user:smbgroup /mnt/nfs/kadeco/
restorecon -R /mnt/nfs/kadeco/

Edit samba config for ours anonymous and secure shares

vi /etc/samba/smb.conf
[global]
 workgroup = home
 security = user
 passdb backend = tdbsam
 printing = cups
 printcap name = cups
 load printers = yes
 cups options = raw
 map to guest = bad user
[Anonymous-aaa]
        path = /mnt/aaa
        writable = yes
        browsable = yes
        guest ok = yes
        create mode = 0777
        directory mode = 0777
[kadeco]
        path = /mnt/nfs/kadeco
        writable = yes
        browsable = yes
        guest ok = no
        valid users = user
        create mask = 0755
        directory mask = 0755
        read only = No

Now, we can see our configuration of samba by this command and test it for errors:

testparm

Next, if we use firewall, we must add some ports, or service for samba to allow:

firewall-cmd --permanent --zone=public --add-port=137/tcp
firewall-cmd --permanent --zone=public --add-port=138/tcp
firewall-cmd --permanent --zone=public --add-port=139/tcp
firewall-cmd --permanent --zone=public --add-port=445/tcp
firewall-cmd --permanent --zone=public --add-port=901/tcp
firewall-cmd --reload
or we can use simple:
firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload

And finally, start samba services and enable it, after reboot.

systemctl start smb.service
systemctl start nmb.service
systemctl enable smb.service
systemctl enable nmb.service

A way to restart samba services:

systemctl restart smb
systemctl restart nmb

And now we can use our samba server. Anonymous folder, or secured folder 🙂

If you want to access some folder for read from apache, just made a selinux modify:

Allow samba read/write access everywhere:

setsebool -P samba_export_all_rw 1
or if you want to be a little more descrite about it:
chcon -t public_content_rw_t /mnt/nfs/kadeco
2) setsebool -P allow_smbd_anon_write 1
3) setsebool -P allow_httpd_anon_write 1

This should allow both Samaba and Apache write access to public_content_rw_t context.

Status of samba we can list by this commands:

smbstatus -p
- show list of samba processes
smbstatus -S
- show samba shares
smbstatus -L
- show samba locks

If we need restart samba process, or restart server, we can list locked files by “smbstatus -L”. We can see, which share is locked and which specific file is accessing.

Have fun

Total Page Visits: 49039 - Today Page Visits: 32

How to set up nfs server on centos 7, and display content via httpd

Sometimes I need to use fast, simple and no-password storage over the network in bash, or an ISO storage for Xenserver. So nfs sharing is the best way for this.  I have a linux machine with centos 7 and available storage of 1,5TB disk. So, prepare the disk:

fdisk -l /dev/xvdb
> n (new partition), and use default options. The use -t (change partition ID) and change it to 83 (Linux). The use -w (write)
reboot
mkfs.xfs /dev/xvdb1
mkdir /mnt/nfs
mount /dev/xvdb1 /mnt/nfs/

If everything is OK, edit /etc/fstab to automount this partition to ours folder, and add this line:

/dev/xvdb1 /mnt/nfs xfs defaults,nosuid,noatime,nodiratime 0 0

The install package nfs-utils, for nfs server:

yum -y install nfs-utils

And allow nfs service in firewalld:

firewall-cmd --permanent --zone=public --add-service=nfs
firewall-cmd --reload
#if sometimes on clients don't working showmount, and it create an error:
showmount -e 11.22.33.44
rpc mount export: RPC: Unable to receive; errno = No route to host
#we must add another ports to firewall:
firewall-cmd --add-port=2049/tcp --zone=public --permanent
firewall-cmd --add-port=2049/udp --zone=public --permanent
firewall-cmd --add-port=111/udp --zone=public --permanent
firewall-cmd --add-port=111/tcp --zone=public --permanent
firewall-cmd --add-port=662/tcp --zone=public --permanent
firewall-cmd --add-port=662/udp --zone=public --permanent
firewall-cmd --add-port=892/udp --zone=public --permanent
firewall-cmd --add-port=892/tcp --zone=public --permanent
firewall-cmd --reload

And uncoment this lines in: /etc/sysconfig/nfs

MOUNTD_PORT=892
STATD_PORT=662

Now enable nfs-server to run after poweron server and start it:

systemctl enable nfs-server.service
systemctl start nfs-server.service

Now we must prepare this folder with this permissions, for read and write for everybody:

chown nfsnobody:nfsnobody /mnt/nfs/ -R
chmod 755 /mnt/nfs/

And edit file /etc/exports for this folder to by allowed for everybody in network:

/mnt/nfs *(rw,sync,no_root_squash,no_all_squash)

And apply this change:

exportfs -a

We can see our settings with command “exportfs”:

/mnt/nfs        <world>

And from other linux machine, we can mount this folder:

mount 11.22.33.44:/mnt/nfs /mnt/nfs/
#see this disk report space
df -h
Filesystem            Size  Used Avail Use% Mounted on
11.22.33.44:/mnt/nfs
                      1.5T  200G  1.3T  14% /mnt/nfs

And we can test it with 1GB file:

dd if=/dev/zero of=/mnt/nfs/1gb bs=1M count=1000
1048576000 bytes (1.0 GB) copied, 16.4533 s, 63.7 MB/s
...
...
ls -lah /mnt/nfs/
drwxr-xr-x. 18 nfsnobody nfsnobody  4.0K Feb 28 10:47 .
drwxr-xr-x.  3 root      root       4.0K Feb 28 10:24 ..
-rw-r--r--.  1 root      root      1000M Feb 28 10:47 1gb

Now we can continue with installing apache web server:

yum install httpd -y
systemctl enable httpd.service
firewall-cmd --add-service=http --permanent
firewall-cmd --reload

Now, we create an configuration file for one foler from nfs storage:

vim /etc/httpd/conf.d/media.globesy.sk.conf
<VirtualHost *:80>
ServerAdmin user@example.com
DocumentRoot "/mnt/nfs/installs"
ServerName installs.example.com
<Directory "/mnt/nfs/kadeco/installs">
AllowOverride All
Require all granted
Options Indexes
</Directory>
ErrorLog /var/log/httpd/installs.example.com-error_log
CustomLog /var/log/httpd/installs.example.com-access_log common
</VirtualHost>

But we cannot serve this directory:

AH01276: Cannot serve directory /mnt/nfs/installs: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive

So, we install som softvare to modify file and folders context with selinux:

yum install setroubleshoot

And change context to this folder:

semanage fcontext -a -t httpd_sys_content_t "/mnt/nfs/installs(/.*)?"
restorecon -R /mnt/nfs/installs
rm /etc/httpd/conf.d/welcome.conf
systemctl restart httpd.service

Have a fun 🙂

Total Page Visits: 49039 - Today Page Visits: 32

How to install OpenManage Server Administrator

During the last upgrade of xenserver from version 6.0.2 to 6.5, we lose management of our server dell . We have an idrac 6 express and there is no way to manage disk storages and raid perc H700 with virtual drives. The only way is to use OMSA.  So this post is about to install OMSA on xenserver 6.5 SP1 on Dell PowerEdge R515.
I do it with dell documentation from their webpage with some modifications:

http://linux.dell.com/repo/hardware/Linux_Repository_14.12.00/

So, we must install dell omsa repository:

wget -q -O - http://linux.dell.com/repo/hardware/Linux_Repository_14.12.00/bootstrap.cgi | bash

Next, we install the recquire software with all dependencies:

yum install srvadmin-all -y

I tried version 15.04.00 and 15.07.00 and not working with following error:

yum install srvadmin-all
Loaded plugins: fastestmirror
Determining fastest mirrors
.....
http://linux.dell.com/repo/hardware/Linux_Repository_15.07.00/platform_independent/rh50_64/repodata/repomd.xml: [Errno 14] HTTP Error 404: Not Found
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: dell-omsa-indep. Please verify its path and try again

So its working for me with version 14.12.00. Next, we must add a rule to iptables, to allow traffic for port 1311/tcp:

-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 1311 -j ACCEPT

And finally, we have to start this service, which starts all necessary services:

/opt/dell/srvadmin/sbin/srvadmin-services.sh start

We can try it with telnet to this port. And then, we can access our OMSA throught IP address and port:

https://11.22.33.44:1311

On windows 10 and windows 7 on newest firefox, I find an error.  The DHE key is very short. Maybe the error was there, because self-signed certificate is signed with SHA-1, which is today not trusted. So we must edit firefox preferences like this.

about:config
security.ssl3.dhe_rsa_aes_128_sha;true  >  change to false
security.ssl3.dhe_rsa_aes_256_sha;true  >  change to false

And now, we can see the login screen. After login, in preferences, general settings and server certificate, change “Key Signing Algorithm (For Self Signed Certificate)”  to SHA256. Then we can restore default settings in firefox, to true for ssl3.dhe….

about:config
security.ssl3.dhe_rsa_aes_128_sha;false  >  change to true
security.ssl3.dhe_rsa_aes_256_sha;false  >  change to true
Total Page Visits: 49039 - Today Page Visits: 32

How to create a raspberry music play server

One time, I must deal with sound on some area in specific time.
So I created a raspberry based server, which runs, control’s and deal with radio stream. I used rpi1 – raspberry 1.
Maybe this can help someone.
Firts, we download Raspbian Jessie Lite and burn this image on sdhc card (of 2GB capacity at least):

wget https://downloads.raspberrypi.org/raspbian_lite_latest
unzip 2017-01-11-raspbian-jessie-lite.zip
dd if=2017-01-11-raspbian-jessie-lite.img of=/dev/sdb bs=4M
#make sure, that /dev/sdb is your sdhc card, free to format

After first use, make some enhacements and customizing:

sudo tune2fs -c 1 /dev/mmcblk0p2
#this force to check sdhc card every reboot for errors

Edit /ets/fstab and force to use some log destination to ramdisk and with less write operations.
Because after some time, the sdhc card may fail because of many writing operations on it. In my case, I deal with three bad shdc cards in two years.
– option noatime (Do  not  update  inode  access  times on this filesystem)

/etc/fstab:
none        /var/log        tmpfs   size=1M,noatime         00
none        /var/tmp        tmpfs   size=1M,noatime         00
none        /tmp            tmpfs   size=1M,noatime         00

Next, I disabled swap, because I didn’t need it:

dphys-swapfile swapoff
dphys-swapfile uninstall
update-rc.d dphys-swapfile remove
#check:
free -mh

And finally, install some software, create some scripts, to deal with the music itself.

#I prefer omxplayer
sudo apt-get install omxplayer
mkdir /home/pi/stream

First script, that will be used in cron:

cat stream/script_audio.sh
#!/bin/bash
if ps x |grep -v grep |grep -c "omxplayer.bin"
 then
  echo "everything is ok"
 else
    echo "omxplayer missing, starting..."
    sh /home/pi/stream/vlna.sh &
fi

This script starts to play our live radio.

cat stream/vlna.sh
#!/bin/bash
omxplayer --vol -200 http://stream.radiovlna.sk/vlna-hi.mp3 &
exit 0

And useful script to kill omxplayer from services and stop playing

cat stream/kill_omx.sh
#!/bin/bash
omx=`ps ax |grep -v grep |grep "omxplayer.bin"  | awk '{print $1}'`
kill $omx
exit 0

Every script must have execute permision:

chmod +x *.sh

And use crontab, for enable playing. This option runs script every minute every
day in week between 6 am. and 6pm. (from Monday to friday)

*/1 6-18 * * 1-5 sh /home/pi/stream/script_audio.sh &

So, if this will help to somebody, i will be happy 🙂
Have a nice day.
@vasil

Total Page Visits: 49039 - Today Page Visits: 32

Rsync review and some examples

rsync — a fast, versatile, remote (and local) file-copying tool
-a        archive mode
-r        recursive – recurse into directories
-v         verbose – increase verbosity
-z        compress – With this option, rsync compresses the file data as it is sent to the destination machine, which  reduces the amount of data being transmitted something that is useful over a slow connection Note  that  this  option typically achieves better compression ratios than can be achieved by using a compressing remote shell or a compressing transport because it takes advantage of the implicit information in the matching data blocks that are not explicitly sent over the connection
-P        is equivalent to –partial –progress.  Its purpose is to make it  much  easier     to  specify these two options for a long transfer that may be interrupted
-n        perform a trial run with no changes made
-u        skip files that are newer on the receiver
-t        preserve modification times
–bwlimit=KBPS    limit I/O bandwidth; KBytes per second
This option allows you to specify a maximum transfer rate in kilobytes per second.  This  option  is  most effective  when using rsync with large files (several megabytes and up). Due to the nature of rsync transfers, blocks of data are sent, then if rsync determines the transfer was too fast,  it  will  wait  before
sending  the next data block. The result is an average transfer rate equaling the specified limit. A value of zero specifies no limit.
(25Mb = 3200 KB)
(10Mb = 1250 KB)
(7.5 Mb = 960 KB)
(5Mb = 640 KB)
(2.5Mb = 320 KB)
(3Mb = 384 KB)
(1Mb = 128 KB)
–append              append data onto shorter files
–append-verify        append w/old data in file checksum

rsync -avz foo:src/bar /data/tmp

This  would  recursively  transfer all files from the directory src/bar on the machine foo into the /data/tmp/bar directory on the local machine. The files are transferred in “archive” mode, which ensures that  symbolic  links,
devices, attributes, permissions, ownerships, etc. are preserved in the transfer.  Additionally, compression will be used to reduce the size of data portions of the transfer.
– Trailing slash on the source avoid to create directory on the destinations. So without trailing slash at the end, this will
create this directory at the destination. This is the same

 rsync -av /src/foo /dest
 rsync -av /src/foo/ /dest/foo

This will synchronize and copy left folder to to right. It preserve unfinished files. With next commenad, it will resume
and append data to unfinished files.

rsync -avP /mnt/nfs /media/adm-nfs/
rsync -avP --append /mnt/nfs /media/adm-nfs/
Total Page Visits: 49039 - Today Page Visits: 32

hdparm useful commands

Some useful commands:
This check current IDE power mode status of the disk:
– unknown (drive does not support this command),
– active/idle (normal operation),
– standby (low power mode, drive has spun down),
– sleeping (lowest power mode, drive is completely shut down)
The operators: -S, -y, -Y, -Z can be used to manipulate the IDE power modes

hdparm -C /dev/sda

Force an IDE drive to immediately enter the low power consumption STANDBY mode, usually causing it to spin down:

hdparm -y /dev/sda

Force  an  IDE  drive to immediately enter the lowest power consumption sleep mode, causing it to shut down completely. A hard or soft reset is required before the drive can be accessed again:

hdparm -Y /dev/sda

Put the drive into idle  (low-power)  mode,  and  also  set  the standby (spindown) timeout for the drive.  This timeout value is used by the drive to determine how long to wait  (with  no  disk activity)  before  turning  off the spindle motor to save power:

hdparm -S /dev/sda

Disable  the  automatic power-saving function of certain Seagate drives (ST3xxx models?), to prevent them  from  idling/spinning down at inconvenient times.
An example:

hdparm -y /dev/sdd
/dev/sdd
      issuing standby command
hdparm -C /dev/sdd
/dev/sdd
      drive state is: standby
Total Page Visits: 49039 - Today Page Visits: 32

Check disks for bad blocks with complete erase and smart-self test

This is another useful script, which do a complete erase and test disk in linux.
The first, we must have a tools “smartmontools”. We install it:

yum install smartmontools

Maybe, we nee som usefull software:

yum install epel-release.noarch
yum install htop dstat lm_sensors.x86_64 hddtemp
#!/bin/bash
#path of disk
test = /dev/sda
#find a serial number of disk
disk = `smartctl -a /dev/sda | grep Serial | awk '{print $3}'`
log = /home/vasil/$disk.log
#next, we destroy any of the partition table (mbr or gpt)
sgdisk --zap-all $test > $log
sleep 5
#notice a temperature of disk to log
hddtemp $test >> $log
#now we write zeros to every block of disk - secure erase contents
dd if=/dev/zero of=$test bs=4M
#notice a temperature of disk
hddtemp $test >> $log
sleep 5
#begin an internal self test - short
smartctl --test=short $test
sleep 150
#begin a long smart self test
hddtemp $test >> $log
smartctl --test=long $test
sleep 300
hddtemp $test >> $log
#print the output of tests
smartctl -l selftest $test >> $log
sleep 5
#start check of disk for bad-blocks a log bad blocks to log
`badblocks -v /dev/sda > /home/vasil/sda.txt` >> $log
sleep 5
hddtemp $test >> $log
smartctl --test=long $test
exit 0

This is fully automatized. We can start this script with modification of variable $test for more disks. And next day, we can examine logs. For bad blocks, for smart self-test and other.

Total Page Visits: 49039 - Today Page Visits: 32

Periodically check temp of hdd

This is a little how to. Its periodically in cron checking temperature of internal hard-disk and in some condition make an alert by mail.
So, as always, install some useful packages:

yum install epel-release.noarch
yum install htop dstat lm_sensors.x86_64 hddtemp

First, we must check, which disk we have inside. We use only paragraph without numbers:

ls -lah /dev/sd*
----------------
brw-rw---- 1 root disk 8,  0 Dec  1 07:20 /dev/sda
brw-rw---- 1 root disk 8,  1 Dec  1 07:20 /dev/sda1
brw-rw---- 1 root disk 8, 16 Dec  1 07:20 /dev/sdb
brw-rw---- 1 root disk 8, 17 Dec  1 07:20 /dev/sdb1
brw-rw---- 1 root disk 8, 32 Dec  1 07:20 /dev/sdc
brw-rw---- 1 root disk 8, 33 Dec  1 07:20 /dev/sdc1
brw-rw---- 1 root disk 8, 48 Dec  1 07:20 /dev/sdd
brw-rw---- 1 root disk 8, 49 Dec  1 07:20 /dev/sdd1
brw-rw---- 1 root disk 8, 64 Dec  1 07:20 /dev/sde
brw-rw---- 1 root disk 8, 65 Dec  1 07:20 /dev/sde1
brw-rw---- 1 root disk 8, 80 Dec  1 07:20 /dev/sdf
brw-rw---- 1 root disk 8, 81 Dec  1 07:20 /dev/sdf1
-----------------
we user only:
/dev/sda, /dev/sdb, /dev/sdc, /dev/sdd, /dev/sde, /dev/sdf

Create a folder, maybe like this:

mkdir /root/hddtemp

Create a script to check this temperatures, end some conditions:

#! /bin/bash
#written by vasil
HDDS="/dev/sda /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf"
HDT=/usr/sbin/hddtemp
mail="/root/hddtemp/messagebody.txt"  #file for messasege by mail
LOG=/root/hddtemp/hddtemp.log         #log file
ALERT_LEVEL=48                        #temperature treshold
date >> $LOG
echo "Subject: "WARNING - name-of-server - temperature of hdds is high"" > $mail
echo " " >> $mail
date >> $mail
m=0
for disk in $HDDS
do
                        HDTEMP=$($HDT $disk | awk -F ":" '{ print $3}' | awk -F "°"  '{print $1}')
                        if [ $HDTEMP -ge $ALERT_LEVEL ];
                        then
                                echo "Temperature of disk $disk is higher then limit $ALERT_LEVEL celsius" >> $LOG
                                echo "Temperature of disk $disk is higher then limit $ALERT_LEVEL celsius" >> $mail
                                $HDT $disk >> $LOG
                                $HDT $disk >> $mail
                                echo " " >> $LOG
                                echo " " >> $mail
                                m=1
                        else
                                echo "Temperature of disk $disk Is normal: $HDTEMP celsius" >> $LOG                             
                                echo "Temperature of disk $disk Is normal: $HDTEMP celsius" >> $mail
                        fi
done
if [ "$m" -ne "0" ];
then
       sh /root/hddtemp/send_mail_script.sh
else
        echo
fi
echo "end of script...." >> $LOG
echo " " >> $LOG
exit 0

Next, we must create a script, to send mail to us, if we have a mail server in local network with allowed port 25:

vim /root/hddtemp/send_mail_script.sh
#!/bin/bash
#written by vasil
#
#if there is an error in syntax "sendmail", configure /etc/ssmtp/ssmtp.conf
#
# subject of email
SUBJECT="WARNING - name-of-server - temperature of hdds is high"
# destination
EMAIL="vasil@gonscak.sk"
# Email body
EMAILMESSAGE=/root/hddtemp/messagebody.txt
# send message using /bin/mail
#sendmail $EMAIL < $EMAILMESSAGE
/usr/bin/mail -s "$SUBJECT" $EMAIL < $EMAILMESSAGE

Now, we can test the above scripts. Maybe we must add +x permissions:

sh -x /root/hddtemp/hddtemp.sh
------------------------------
+ HDDS=/dev/sda /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf
+ HDT=/usr/sbin/hddtemp
+ mail=/root/hddtemp/messagebody.txt
+ LOG=/root/hddtemp/hddtemp.log
+ ALERT_LEVEL=28
+ date
+ echo Subject: WARNING - name-of-server - temperature of hdds is high
+ echo
+ date
+ m=0
+ /usr/sbin/hddtemp /dev/sda
+ awk -F : { print $3}
+ awk -F ° {print $1}
+ HDTEMP= 38
+ [ 38 -ge 28 ]
+ echo Temperature of disk /dev/sda is higher then limit 28 celsius
+ echo Temperature of disk /dev/sda is higher then limit 28 celsius
+ /usr/sbin/hddtemp /dev/sda
+ /usr/sbin/hddtemp /dev/sda
+ echo
+ echo
+ m=1
+ /usr/sbin/hddtemp /dev/sdb
+ awk -F : { print $3}
+ awk -F ° {print $1}
+ HDTEMP= 35
+ [ 35 -ge 28 ]
+ echo Temperature of disk /dev/sdb is higher then limit 28 celsius
+ echo Temperature of disk /dev/sdb is higher then limit 28 celsius
+ /usr/sbin/hddtemp /dev/sdb
...
...
...
+ m=1
+ [ 1 -ne 0 ]
+ sh /root/hddtemp/send_mail_script.sh
+ echo end of script....
+ echo
+ exit 0

And then, we have a mail:

Subject: WARNING - name-of-server - temperature of hdds is high
Thu Jan 26 11:52:20 CET 2017
Temperature of disk /dev/sda is higher then limit 28 celsius
/dev/sda: TOSHIBA DT01ACA100: 37°C
Temperature of disk /dev/sdb is higher then limit 28 celsius
/dev/sdb: ST3500418AS: 35°C
....
Total Page Visits: 49039 - Today Page Visits: 32

How to create a site-to-site ipsec vpn connection

Install and enable the EPEL using Yum, with some useful software:

yum install epel-release.noarch
yum install htop dstat tcpdump

On Red Hat based Systems (CentOS, Fedora or RHEL):

yum install openswan

Now we disable VPN redirects, if any, in the server using these commands:

for vpn in /proc/sys/net/ipv4/conf/*;
do echo 0 > $vpn/accept_redirects;
echo 0 > $vpn/send_redirects;
echo 0 > $vpn/rp_filter;
done

Edit /etc/ipsec.conf to debug in pluto.log

    plutostderrlog=/var/log/pluto.log
    protostack=netkey
#if using NAT, use variable below
#    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

Next, we modify the kernel parameters to allow IP forwarding and disable redirects permanently by:

 vim /etc/sysctl.conf
    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0

Reload /etc/sysctl.conf:

 sysctl -p

Now, we customize firewall to allow ports for ipsec

firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --zone=public --permanent --add-port=4500/tcp
firewall-cmd --zone=public --add-port=50/udp --permanent
firewall-cmd --zone=public --add-port=51/udp --permanent

We don’t use masquerade, because ipsec tunnel parameters automatic enable routing in these situations. If  not working, we add masquerade, but first we must add rule for match packets for this tunnel. Like: src leftsubnet dst rightsubnet on both sides

#In some posts in world I found this code, but explanation above cancel this
#code and in my situation it not working with this
#firewall-cmd --zone=public --permanent --add-masquerade

We reload firewalld and check our rules:

firewall-cmd --reload
firewall-cmd --zone=public --list-all

Check if is ipsec OK for itself:

ipsec verify
------------
Verifying installed system and configuration files
Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.6.1.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options                 [OK]
Opportunistic Encryption                                [DISABLED]

Now, create a configuration file for our one connection

vim /etc/ipsec.d/blava.conf
---------------------------
conn blava
    left=%defaultroute
    leftid=192.168.201.75
    leftsubnet=192.168.201.0/24
   
    right=#public IP other side#
    rightid=192.168.202.177
    rightsubnet=192.168.202.0/24
    type=tunnel
    authby=secret
    pfs=no
    auth=esp
    keyexchange=ike
    keyingtries=0
    ikelifetime=28800s
    salifetime=360000s
    esp=3des-sha1
    ike=aes256-sha1;modp1024
    auto=start
    compress=no

And configuration file for other connection:

vim /etc/ipsec.d/blava.conf
---------------------------
conn blava
    left=#public IP this side#
    leftid=192.168.202.177
    leftsubnet=192.168.202.0/24
    right=%any
    rightid=192.168.201.75
    rightsubnet=192.168.201.0/24
    type=tunnel
    authby=secret
    pfs=no
    auth=esp
    keyexchange=ike
    keyingtries=0
    ikelifetime=28800s
    salifetime=360000s
    esp=3des-sha1
    ike=aes256-sha1;modp1024
    auto=add
    compress=no
    keep_alive=30

Now create on both sides secrets file for PSK with your public IP:

vim /etc/ipsec.d/blava.secrets
------------------------------
%any 1.1.1.1: PSK "ahoj12345"
vim /etc/ipsec.d/blava.secrets
------------------------------
1.1.1.1 %any: PSK "ahoj12345"

Now, restart ipsec for apply configurations

systemctl restart ipsec.service

And if we are good, we must see some like this in pluto.log

 STATE_MAIN_R3: sent MR3, ISAKMP SA established
 STATE_QUICK_R2: IPsec SA established tunnel mode

Or check ipsec status:

ipsec auto --status
-------------------
Total IPsec connections: loaded 4, active 1
STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 85318s
STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27718s;

Some usefull commands for work with ipsec…
When we update configuration file and if we must reload one ipsec tunnel, use these step rather then restart ipsec service itself:

ipsec auto --down blava
ipsec auto --replace blava
ipsec auto --up blava

If we change secrets file and PSK, we must use too, before –up:

ipsec auto --rereadall
Total Page Visits: 49039 - Today Page Visits: 32