SWAN之ikev2协议multi-level-ca-cr-init配置测试

最新推荐文章于 2021-11-20 16:03:57 发布
最新推荐文章于 2021-11-20 16:03:57 发布
阅读量563 收藏
点赞数
分类专栏: IPSecurity 文章标签: strongswan
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/sinat_20184565/article/details/103038148
版权

本测试主要验证多级CA证书验证的功能,远程用户moon与网关carol,dave建立连接时,carol和dave使用中间CA证书以及中间CA所签发的实体证书,moon主机使用CA根证书。在认证过程中,carol和dave在IKE_AUTH响应消息中将中间CA证书发送给moon主机。本次测试拓扑如下:

在这里插入图片描述

carol网关配置

carol的配置文件:ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf,内容如下。字段rightca的值为"C=CH, O=Linux strongSwan, CN=strongSwan Root CA",即要求对端的CA证书名称CN为:“strongSwan Root CA”。

conn alice
        left=PH_IP_CAROL
        leftcert=carolCert.pem
        leftid=carol@strongswan.org
        leftsendcert=ifasked
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
        rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
        rightsubnet=PH_IP_ALICE/32
        auto=add

carol网关的CA证书文件researchCert.pem内容如下,其有名称为"strongSwan Root CA"的根证书签发。

$ openssl x509 -in ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem -noout -text   
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = strongSwan Project, CN = strongSwan Root CA
        Validity
            Not Before: Sep 14 08:37:52 2019 GMT
            Not After : Sep 14 08:37:52 2028 GMT
        Subject: C = CH, O = strongSwan Project, OU = Research, CN = Research CA

carol网关的证书文件carolCert.pem内容如下,其有以上名称为"Research CA"的证书(researchCert.pem)签发。

$ openssl x509 -in ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem -noout -text                  
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = strongSwan Project, OU = Research, CN = Research CA
        Validity
            Not Before: Sep 14 08:37:52 2019 GMT
            Not After : Sep 14 08:37:52 2027 GMT
        Subject: C = CH, O = strongSwan Project, OU = Research, CN = carol@strongswan.org

dave网关配置

dave的配置文件:ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf,内容如下。字段rightca的值为"C=CH, O=Linux strongSwan, CN=strongSwan Root CA",即要求对端的CA证书名称CN为:“strongSwan Root CA”。

conn venus
        left=PH_IP_DAVE
        leftcert=daveCert.pem
        leftid=dave@strongswan.org
        leftsendcert=ifasked
        right=PH_IP_MOON
        rightid=@moon.strongswan.org
        rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
        rightsubnet=PH_IP_VENUS/32
        auto=add

dave的CA证书文件salesCert.pem内容如下,其有名称为"strongSwan Root CA"的根证书签发。

$ openssl x509 -in ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = strongSwan Project, CN = strongSwan Root CA
        Validity
            Not Before: Sep 14 08:37:52 2019 GMT
            Not After : Sep 14 08:37:52 2028 GMT
        Subject: C = CH, O = strongSwan Project, OU = Sales, CN = Sales CA

dave网关的证书文件daveCert.pem内容如下,其有以上名称为"Sales CA"的证书(salesCert.pem)签发。

$ openssl x509 -in ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, O = strongSwan Project, OU = Sales, CN = Sales CA
        Validity
            Not Before: Sep 14 08:37:52 2019 GMT
            Not After : Sep 14 08:37:52 2027 GMT
        Subject: C = CH, O = strongSwan Project, OU = Sales, CN = dave@strongswan.org

主机配置

moon主机的配置文件:ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf,内容如下。ca段指定了moon主机使用的CA证书,以及CRL证书的地址。

另外,分别定义了两个连接。名称为alice的连接配置中,rightca字段为"C=CH, O=Linux strongSwan, CN=strongSwan Root CA",要求对端的证书由名称(CN)为"strongSwan Root CA"的CA签发。

连接venus配置中,rightca字段为"C=CH, O=Linux strongSwan, CN=strongSwan Root CA",要求对端的证书由名称(CN)为"strongSwan Root CA"的CA签发。由以上carol和dave网关的配置可知,两个网关的证书都满足要求,这里以rightid来区分两个远程用户连接。

moon主机没有中间CA证书:“Research CA"和"Sales CA”。

ca strongswan
        cacert=strongswanCert.pem
        crluri=http://crl.strongswan.org/strongswan.crl
        auto=add

conn %default
        keyexchange=ikev2
        left=PH_IP_MOON
        leftcert=moonCert.pem
        leftsendcert=ifasked
        leftid=@moon.strongswan.org

conn alice
        leftsubnet=PH_IP_ALICE/32
        right=PH_IP_CAROL
        rightid=carol@strongswan.org
        rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
        auto=add

conn venus
        leftsubnet=PH_IP_VENUS/32
        right=PH_IP_DAVE
        rightid=dave@strongswan.org
        rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
        auto=add

测试准备阶段

配置文件:ikev2/multi-level-ca-cr-init/pretest.dat,内容为通常的ipsec连接的启动语句。

测试阶段

配置文件:ikev2/multi-level-ca-cr-init/evaltest.dat内容如下。在carol和dave主机的strongswan日志文件中,确认向对端(moon)发送中间证书的信息。在moon主机的strongswan日志中确认证书验证过程。

carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES

以下carol网关上strongswan进程的日志信息,在IKE_SA_INIT响应报文中,包含两个证书请求,一个名称CN为"Research CA";另一个CN为:“strongSwan Root CA”。但是在随后的IKE_AUTH请求中,仅收到了一个CN名称为"moon.strongswan.org"的实体证书,没有接收到:"Research CA"证书。

接下来,验证moon主机的实体证书,获取strongswan.crl证书,使用CA证书"strongSwan Root CA"验证CRL证书的有效性,在通过CRL证书验证moon实体证书的有效性,验证完成之后,向moon回复IKE_AUTH响应报文,并其中包含"Research CA"证书。

carol charon: 09[IKE] 192.168.0.1 is initiating an IKE_SA
carol charon: 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
carol charon: 09[IKE] sending cert request for "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
carol charon: 09[IKE] sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
carol charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
carol charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
carol charon: 11[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
carol charon: 11[IKE] received end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
carol charon: 11[CFG] looking for peer configs matching 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]

carol charon: 11[CFG] selected peer config 'alice'
carol charon: 11[CFG]   using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
carol charon: 11[CFG]   using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
carol charon: 11[CFG] checking certificate status of "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
carol charon: 11[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
carol charon: 11[CFG]   using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
carol charon: 11[CFG]   crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
carol charon: 11[CFG]   crl is valid: until Nov 15 03:32:58 2019
carol charon: 11[CFG] certificate status is good
carol charon: 11[CFG]   reached self-signed root ca with a path length of 0
carol charon: 11[IKE] authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful

carol charon: 11[IKE] sending end entity cert "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
carol charon: 11[IKE] sending issuer cert "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
carol charon: 11[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
carol charon: 11[IKE] CHILD_SA alice{1} established with SPIs c0926788_i c6825b4e_o and TS 192.168.0.100/32 === 10.1.0.10/32
carol charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) ]

如下图所示,carol的IKE_AUTH响应报文中包含两个CERT证书载荷。

在这里插入图片描述

以下为moon主机上strongswan进程日志中与carol相关的信息。moon网关在接收到的IKE_SA_INIT响应报文中,首先发现对CN为"strongSwan Root CA"证书的请求;之后又发现证书请求中包含不识别的CA,即carol发送的CA名称为"Research CA"的证书请求。moon主机将向carol发送CN为"moon.strongswan.org"的证书。

moon charon: 15[IKE] initiating IKE_SA alice[1] to 192.168.0.100
moon charon: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
moon charon: 05[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
moon charon: 05[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
moon charon: 05[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 05[IKE] received 1 cert requests for an unknown ca
moon charon: 05[IKE] sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 05[IKE] authentication of 'moon.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
moon charon: 05[IKE] sending end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
moon charon: 05[IKE] establishing CHILD_SA alice{1}
moon charon: 05[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

以下carol的IKE_AUTH响应消息中,moon接收到了end entity和issuer两个证书。起初moon认为CN为"Research CA"的证书是不可信的,但是任然使用其验证获取的research.crl证书的有效性。之后再获取strongswan.crl证书,由根证书"strongSwan Root CA"验证strongswan.crl证书的有效性,再通过此crl证书验证"Research CA"证书的有效性。

moon charon: 08[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) ]
moon charon: 08[IKE] received end entity cert "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
moon charon: 08[IKE] received issuer cert "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
moon charon: 08[CFG]   using certificate "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
moon charon: 08[CFG]   using untrusted intermediate certificate "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
moon charon: 08[CFG] checking certificate status of "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
moon charon: 08[CFG]   fetching crl from 'http://crl.strongswan.org/research.crl' ...
moon charon: 08[CFG]   using certificate "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
moon charon: 08[CFG]   using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 08[CFG]   reached self-signed root ca with a path length of 0
moon charon: 08[CFG]   crl correctly signed by "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
moon charon: 08[CFG]   crl is valid: until Nov 15 03:32:58 2019
moon charon: 08[CFG] certificate status is good
moon charon: 08[CFG]   using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 08[CFG] checking certificate status of "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
moon charon: 08[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
moon charon: 08[CFG]   using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 08[CFG]   crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 08[CFG]   crl is valid: until Nov 15 03:32:58 2019
moon charon: 08[CFG] certificate status is good
moon charon: 08[CFG]   reached self-signed root ca with a path length of 1
moon charon: 08[IKE] authentication of 'carol@strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
moon charon: 08[IKE] IKE_SA alice[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol@strongswan.org]

strongswan测试版本: 5.8.1

END

redwingz
关注
专栏目录
Strongswan app 使用IKEv2 EAP 通过 Freeradius EAP认证 连接 Strongswan
taylorgogo
06-11 4950
索引环境安装链接Ubuntu 安装 Strongswan配置 Strongswang配置 Freeradius配置Strongswan VPN APPDebug应用 环境 @Linux uname -a Linux szqsm 4.15.0-73-generic #82-Ubuntu SMP Tue Dec 3 00:04:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux @Strongswan ipsec --version Linux strongSwan U5
linux ikev2 端口,ipsec使用的500端口和4500端口可以似乎被封杀了?
weixin_30145703的博客
05-11 3187
从几周前开始突然连不上了,ipsec start --nofork 前台运行打印的日志显示15[NET] received packet: from 116.253.84.217[500] to 162.243.153.127[500] (604 bytes)15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_...
SWANikev2协议compress配置测试
redwingz的博客
10-31 611
测试主要验证远程用户carol和moon网关之间的IPComp压缩功能,两次使用ping测试隧道连接的压缩与否,使用的报文长度不同,内核不压缩长度较小的报文。测试拓扑如下: 主机配置 carol的连接配置文件:ikev2/compress/hosts/carol/etc/ipsec.conf,内容如下,主要关注compress字段设置为yes,这真是本次测试的压缩功能。另外moon主机的配置于...
kali装openwan出现/usr/sbin/ipsec: unknown command `–version‘ (`ipsec --help‘ for list)
cherry12100511的博客
11-20 1066
linux中发现/usr/sbin/ipsec: unknown command –version' (ipsec --help’ for list) 解决方案: ipsec --version 有两个横杠
SWANikev2/acert-cached测试
redwingz的博客
10-30 478
测试中远程用户(roadwarrior)carol和dave与网关moon建立连接。认证方式使用X.509证书,为了对远用户程授权,moon网关使用本地缓存的属性证书(attribute certificate)。远程用户carol使用有效的sales组的属性证书,而dave的两个属性证书,一个不属于sales组;另外一个已经过期,将导致dave授权不成功。连接建立之后,在主机carol和dav...
Multi-stage:基于7人集成,实时,可操作的海岸环流,风浪预报系统
03-18
核心模型ADCIRC + SWAN模型在每个周期受七个风力强迫。风强迫包括确定性的北美中尺度模型(NAM),集合平均值,集合平均值+ 1标准偏差和集合平均值-短距离区域集合预报(SREF)的1标准偏差和集合平均值
swan-aspnetcore:SWAN ASP.NET核心
05-28
Swan ASP.NET Core 3:我们都需要的东西 :star: 如果您觉得该项目有用,请加注星标! **注意:此存储库已存档。 ** 与ASP.NET Core 3.0应用程序一起使用的一组库。 此外,还包括用于配置项目的配置中间件和扩展。...
jupyter-extensions:适用于SWAN的Jupyter扩展
04-30
存储所有用于SWAN的Jupyter扩展的存储库。 浏览Hadoop扩展 帮助连接到CERN的Spark集群 实时监控笔记本生成的Apache Spark作业 - Contents Manager,具有项目功能和SWAN模板 适用于笔记本和实验室的SWAN帮助面板 ...
swan-10-03-12.tar.gz_OpencL_opencl cuda_swan
09-21
本文将重点讨论标题为"swan-10-03-12.tar.gz_OpencL_opencl cuda_swan"的压缩包中的Swan工具,这是一个辅助从CUDA到OpenCL移植的实用程序。 Swan的设计目标是为了简化开发人员的工作,帮助他们将原本基于CUDA的代码...
SWAN-INCOIS-Proposal-v3-compressed (1).docx_swan_incois_weather_
09-30
weather monitoring station for use on board a ship
SWANikev2协议multi-level-ca-cr-resp配置测试
redwingz的博客
11-12 385
测试主要验证多级CA证书验证的功能,远程用户carol,dave与网关moon建立连接时,carol和dave使用中间CA证书以及中间CA所签发的实体证书,moon主机使用CA根证书。在认证过程中,carol和dave在IKE_AUTH请求消息中将中间CA证书发送给moon主机。本次测试拓扑如下: carol主机配置 carol的配置文件:ikev2/multi-level-ca-cr-res...
strongswan 配置过程与问题
琪花亿草
04-24 2万+
一 过程参考:https://blog.csdn.net/gaojinshan/article/details/508205131.1 生成证书1)生成CA的密钥和证书:ipsec pki --gen --outform pem > caKey.pem ipsec pki --self --outform pem --in caKey.pem --dn "C=CN, O=TJ, CN=Tes...
安全协议系列(五)---- IKE 与 IPSec(中)
weixin_30726161的博客
12-13 971
在上一篇中,搭建好了实验环境。完整运行一次 IKE/IPSec 协议,收集相关的输出及抓包,就可以进行协议分析。分析过程中,我们将使用 IKE 进程的屏幕输出和 Wireshark 抓包,结合相关 RFC,利用 python 进行验证计算。先看协议的一次完整运行(过滤掉无关报文,如下图) 下面是 RFC 5996 中对 IKEv2 协议的规范说明 由上可知,IKEv2 协议由两个阶段的...
constraint check failed: identity '***' required
山不在高,有金则名
03-30 3457
03-29 19:16:56.979: I/charon(20761): 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2
IPSec IKE一阶段协商失败,报文提示INVALID-ID-INFORMATION(18)
沉默的鹏先生
05-26 6688
环境拓扑: FW1 --- internet --- FW2 环境配置: 双方野蛮模式协商,配置对等体ID。 问题: FW1收到FW2发送的请求后,返回的响应报文是Informational 报文: 原因: INVALID-ID-INFORMATION(18)指对端发送的加密算法或者认证算法或者对等体ID和本端的配置不一致。 ...
使用StrongSwan配置IPSec
热门推荐
Xiaowo
03-22 5万+
使用StrongSwan对IPSec进行研究,是一种很好的理解IPSec的实践。然而StrongSwan在使用的过程中实在是有太多的坑,网上的教程也多有不完整的地方,几乎没有能彻彻底底说明白每一步的,导致我在使用StrongSwan的过程中各种抓耳挠腮。程序员自然要造福程序员,在这里特将StrongSwan使用中所遇到的完整步骤记录下来,希望有所帮助。准备工作准备工作可不是简单地装个StrongSw
IKE SA和IPSec SA的区别
bytxl的专栏
06-30 2万+
http://blog.csdn.net/jiangwlee/article/details/7395903
strongSwan.conf报错syntax error, unexpected ., expecting : or '{' or '=' [.] 解决办法
BLOG CodingJiang = new BLOG (“hello world”);
05-27 5732
版本更新旧的配置文件失效 解决办法: charon { load_modular=yes duplicheck.enable=no compress = yes plugins { include strongswan.d/charon/*.conf } dns1 ...
Failed to connect to cq-bbjf-swan-32-1:41834
最新发布
04-01
"cq-bbjf-swan-32-1:41834" appears to be a server or device name and port number. The issue could be due to a variety of reasons such as network connectivity issues, incorrect credentials, or the ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值