CLI Example: Negotiating an IPSec VPN Tunnel Through IKE When a NAT Device Sits Between Two Gateways (Headquarters Does Not Specify the Branch IP Address)
Networking Requirements
· The headquarters is on subnet 10.1.1.0/24 and connects to FW_A through interface GigabitEthernet 1/0/1.
· The branch office is on subnet 10.1.2.0/24 and connects to FW_C through interface GigabitEthernet 1/0/1.
· FW_A and FW_C are routable to each other.
· FW_B is a NAT gateway; branch users must pass through it to reach the headquarters.
Employees at the branch office need to access servers at the headquarters. The server data is confidential and transmission over the Internet is not secure, so an IPSec tunnel is set up to encrypt the traffic.
Figure 1 Network diagram for an IPSec tunnel with NAT traversal
Data Plan
Item | Data
FW_A | Interface: GigabitEthernet 1/0/1, IP address: 10.1.1.1/24
 | Interface: GigabitEthernet 1/0/2, IP address: 1.1.2.1/24
 | IPSec configuration: authentication method: pre-shared key; pre-shared key: Test!1234; local ID type: IP; remote ID type: Any
FW_B | Interface: GigabitEthernet 1/0/1, IP address: 1.1.5.1/24
 | Interface: GigabitEthernet 1/0/2, IP address: 10.1.5.1/24
 | NAT configuration: Easy IP
FW_C | Interface: GigabitEthernet 1/0/1, IP address: 10.1.2.1/24
 | Interface: GigabitEthernet 1/0/2, IP address: 10.1.5.2/24
 | IPSec configuration: remote address: 1.1.2.1; authentication method: pre-shared key; pre-shared key: Test!1234; local ID type: IP; remote ID type: Any
Configuration Roadmap
A NAT device sits between the headquarters gateway and the branch gateway, so the headquarters uses a template-based IPSec policy and does not specify the remote IP address when configuring the IKE peer. The headquarters only sees the NAT gateway's translated address, so the branch is the side that initiates the negotiation.
When configuring the IPSec proposal, the security protocol must be ESP (AH authenticates the outer IP header, which NAT rewrites). ESP is the default security protocol, so it does not need to be configured explicitly.
Procedure
1. Configure FW_A.
a. Basic configuration.
Configure the interface IP addresses.
<sysname> system-view
[sysname] sysname FW_A
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] ip address 1.1.2.1 24
[FW_A-GigabitEthernet1/0/2] quit
Add the interfaces to the corresponding security zones.
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/1
[FW_A-zone-trust] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/2
[FW_A-zone-untrust] quit
b. Configure interzone security policies.
Configure the security policy between the Trust and Untrust zones.
[FW_A] security-policy
[FW_A-policy-security] rule name policy1
[FW_A-policy-security-rule-policy1] source-zone trust
[FW_A-policy-security-rule-policy1] destination-zone untrust
[FW_A-policy-security-rule-policy1] source-address 10.1.1.0 24
[FW_A-policy-security-rule-policy1] destination-address 10.1.2.0 24
[FW_A-policy-security-rule-policy1] action permit
[FW_A-policy-security-rule-policy1] quit
[FW_A-policy-security] rule name policy2
[FW_A-policy-security-rule-policy2] source-zone untrust
[FW_A-policy-security-rule-policy2] destination-zone trust
[FW_A-policy-security-rule-policy2] source-address 10.1.2.0 24
[FW_A-policy-security-rule-policy2] destination-address 10.1.1.0 24
[FW_A-policy-security-rule-policy2] action permit
[FW_A-policy-security-rule-policy2] quit
Configure the security policy between the Untrust and Local zones.
Note:
The Local-Untrust interzone policy controls whether IKE negotiation packets may pass through the FW. It can match on source and destination addresses only, or additionally on protocol and port. This example matches on source and destination addresses. If you match on protocol and port instead, you must permit the ESP service and UDP port 500; in the NAT traversal scenario UDP port 4500 must also be permitted, because once NAT is detected both IKE and the ESP packets are carried inside UDP 4500.
[FW_A-policy-security] rule name policy3
[FW_A-policy-security-rule-policy3] source-zone local
[FW_A-policy-security-rule-policy3] destination-zone untrust
[FW_A-policy-security-rule-policy3] source-address 1.1.2.1 32
[FW_A-policy-security-rule-policy3] destination-address 1.1.5.1 32
[FW_A-policy-security-rule-policy3] action permit
[FW_A-policy-security-rule-policy3] quit
[FW_A-policy-security] rule name policy4
[FW_A-policy-security-rule-policy4] source-zone untrust
[FW_A-policy-security-rule-policy4] destination-zone local
[FW_A-policy-security-rule-policy4] source-address 1.1.5.1 32
[FW_A-policy-security-rule-policy4] destination-address 1.1.2.1 32
[FW_A-policy-security-rule-policy4] action permit
[FW_A-policy-security-rule-policy4] quit
[FW_A-policy-security] quit
Note:
The Local-Untrust interzone security policy allows the devices at both ends of the IPSec tunnel to communicate so that they can negotiate the tunnel. Note that the headquarters sees the branch as 1.1.5.1, the NAT gateway's public address, not as 10.1.5.2.
c. Configure static routes to the branch office. The next-hop address is assumed to be 1.1.2.2.
[FW_A] ip route-static 10.1.2.0 255.255.255.0 1.1.2.2
[FW_A] ip route-static 10.1.5.0 255.255.255.0 1.1.2.2
2. Configure IPSec on FW_A.
a. Define the data flow to be protected.
[FW_A] acl 3000
[FW_A-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[FW_A-acl-adv-3000] quit
b. Configure the IPSec proposal tran1. Default parameters are used.
[FW_A] ipsec proposal tran1
[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_A-ipsec-proposal-tran1] quit
c. Configure the IKE proposal. Default parameters are used.
[FW_A] ike proposal 10
[FW_A-ike-proposal-10] authentication-method pre-share
[FW_A-ike-proposal-10] prf hmac-sha2-256
[FW_A-ike-proposal-10] encryption-algorithm aes-256
[FW_A-ike-proposal-10] dh group14
[FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW_A-ike-proposal-10] quit
d. Configure the IKE peer. No remote address is specified, because the branch sits behind NAT.
[FW_A] ike peer c
[FW_A-ike-peer-c] ike-proposal 10
[FW_A-ike-peer-c] pre-shared-key Test!1234
[FW_A-ike-peer-c] quit
e. Configure the IPSec policy template temp.
[FW_A] ipsec policy-template temp 1
[FW_A-ipsec-policy-templet-temp-1] security acl 3000
[FW_A-ipsec-policy-templet-temp-1] proposal tran1
[FW_A-ipsec-policy-templet-temp-1] ike-peer c
[FW_A-ipsec-policy-templet-temp-1] quit
f. Create the IPSec policy and reference the IPSec policy template temp.
[FW_A] ipsec policy map1 10 isakmp template temp
g. Apply the IPSec policy group map1 to interface GigabitEthernet 1/0/2.
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] ipsec policy map1
[FW_A-GigabitEthernet1/0/2] quit
3. Configure FW_C.
a. Configure the interface IP addresses and add the interfaces to zones.
Configure the interface IP addresses according to the data in Figure 1.
Add interface GigabitEthernet 1/0/1 to the Trust zone and interface GigabitEthernet 1/0/2 to the Untrust zone.
See the FW_A configuration for the detailed steps.
b. Configure interzone security policies.
Configure the security policy between the Trust and Untrust zones.
[FW_C] security-policy
[FW_C-policy-security] rule name policy1
[FW_C-policy-security-rule-policy1] source-zone trust
[FW_C-policy-security-rule-policy1] destination-zone untrust
[FW_C-policy-security-rule-policy1] source-address 10.1.2.0 24
[FW_C-policy-security-rule-policy1] destination-address 10.1.1.0 24
[FW_C-policy-security-rule-policy1] action permit
[FW_C-policy-security-rule-policy1] quit
[FW_C-policy-security] rule name policy2
[FW_C-policy-security-rule-policy2] source-zone untrust
[FW_C-policy-security-rule-policy2] destination-zone trust
[FW_C-policy-security-rule-policy2] source-address 10.1.1.0 24
[FW_C-policy-security-rule-policy2] destination-address 10.1.2.0 24
[FW_C-policy-security-rule-policy2] action permit
[FW_C-policy-security-rule-policy2] quit
Configure the security policy between the Untrust and Local zones.
Note:
The Local-Untrust interzone policy controls whether IKE negotiation packets may pass through the FW. It can match on source and destination addresses only, or additionally on protocol and port. This example matches on source and destination addresses. If you match on protocol and port instead, you must permit the ESP service and UDP port 500 (and also UDP port 4500 in the NAT traversal scenario).
[FW_C-policy-security] rule name policy3
[FW_C-policy-security-rule-policy3] source-zone local
[FW_C-policy-security-rule-policy3] destination-zone untrust
[FW_C-policy-security-rule-policy3] source-address 10.1.5.2 32
[FW_C-policy-security-rule-policy3] destination-address 1.1.2.1 32
[FW_C-policy-security-rule-policy3] action permit
[FW_C-policy-security-rule-policy3] quit
[FW_C-policy-security] rule name policy4
[FW_C-policy-security-rule-policy4] source-zone untrust
[FW_C-policy-security-rule-policy4] destination-zone local
[FW_C-policy-security-rule-policy4] source-address 1.1.2.1 32
[FW_C-policy-security-rule-policy4] destination-address 10.1.5.2 32
[FW_C-policy-security-rule-policy4] action permit
[FW_C-policy-security-rule-policy4] quit
[FW_C-policy-security] quit
Note:
The Local-Untrust interzone security policy allows the devices at both ends of the IPSec tunnel to communicate so that they can negotiate the tunnel.
c. Configure static routes to the headquarters. The next-hop address is 10.1.5.1.
[FW_C] ip route-static 10.1.1.0 255.255.255.0 10.1.5.1
[FW_C] ip route-static 1.1.2.0 255.255.255.0 10.1.5.1
4. Configure the IPSec policy on FW_C.
a. Define the data flow to be protected.
[FW_C] acl 3000
[FW_C-acl-adv-3000] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW_C-acl-adv-3000] quit
b. Configure the IPSec proposal tran1. Default parameters are used.
[FW_C] ipsec proposal tran1
[FW_C-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FW_C-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[FW_C-ipsec-proposal-tran1] quit
c. Configure the IKE proposal. Default parameters are used.
[FW_C] ike proposal 10
[FW_C-ike-proposal-10] authentication-method pre-share
[FW_C-ike-proposal-10] prf hmac-sha2-256
[FW_C-ike-proposal-10] encryption-algorithm aes-256
[FW_C-ike-proposal-10] dh group14
[FW_C-ike-proposal-10] integrity-algorithm hmac-sha2-256
[FW_C-ike-proposal-10] quit
d. Configure the IKE peer. The branch specifies the headquarters' fixed public address as the remote address.
[FW_C] ike peer a
[FW_C-ike-peer-a] ike-proposal 10
[FW_C-ike-peer-a] remote-address 1.1.2.1
[FW_C-ike-peer-a] pre-shared-key Test!1234
[FW_C-ike-peer-a] quit
e. Configure the IPSec policy map1.
[FW_C] ipsec policy map1 10 isakmp
[FW_C-ipsec-policy-isakmp-map1-10] security acl 3000
[FW_C-ipsec-policy-isakmp-map1-10] proposal tran1
[FW_C-ipsec-policy-isakmp-map1-10] ike-peer a
[FW_C-ipsec-policy-isakmp-map1-10] quit
f. Apply the IPSec policy group map1 to interface GigabitEthernet 1/0/2.
[FW_C] interface GigabitEthernet 1/0/2
[FW_C-GigabitEthernet1/0/2] ipsec policy map1
[FW_C-GigabitEthernet1/0/2] quit
5. Configure FW_B (the NAT gateway).
a. Basic configuration.
Configure the interface IP addresses according to the data in Figure 1.
Add interface GigabitEthernet 1/0/1 to the Untrust zone and interface GigabitEthernet 1/0/2 to the Trust zone.
See the FW_A configuration for the detailed steps.
b. Configure interzone security policies.
[FW_B] security-policy
[FW_B-policy-security] rule name policy1
[FW_B-policy-security-rule-policy1] source-zone trust
[FW_B-policy-security-rule-policy1] destination-zone untrust
[FW_B-policy-security-rule-policy1] source-address 10.1.5.2 32
[FW_B-policy-security-rule-policy1] destination-address 1.1.2.1 32
[FW_B-policy-security-rule-policy1] action permit
[FW_B-policy-security-rule-policy1] quit
[FW_B-policy-security] rule name policy2
[FW_B-policy-security-rule-policy2] source-zone untrust
[FW_B-policy-security-rule-policy2] destination-zone trust
[FW_B-policy-security-rule-policy2] source-address 1.1.2.1 32
[FW_B-policy-security-rule-policy2] destination-address 10.1.5.2 32
[FW_B-policy-security-rule-policy2] action permit
[FW_B-policy-security-rule-policy2] quit
[FW_B-policy-security] quit
c. Configure NAT.
[FW_B] nat-policy
[FW_B-policy-nat] rule name policy_nat1
[FW_B-policy-nat-rule-policy_nat1] source-zone trust
[FW_B-policy-nat-rule-policy_nat1] destination-zone untrust
[FW_B-policy-nat-rule-policy_nat1] source-address 10.1.5.0 24
[FW_B-policy-nat-rule-policy_nat1] action source-nat easy-ip
[FW_B-policy-nat-rule-policy_nat1] quit
[FW_B-policy-nat] quit
d. Configure static routes to the headquarters and branch networks.
[FW_B] ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
[FW_B] ip route-static 10.1.2.0 255.255.255.0 10.1.5.2
Verification
1. After the configuration is complete, PC2 initiates access; afterwards PC1 and PC2 can reach each other. PC2 can also access the public network.
2. PC2 can ping 1.1.2.1 on FW_A, and the NAT translation session entries can be viewed on FW_B.
<FW_B> display firewall session table
Current Total Sessions : 2
udp VPN:public --> public 10.1.5.2:500[1.1.5.1:2048]-->1.1.2.1:500
udp VPN:public --> public 10.1.5.2:4500[1.1.5.1:2048]-->1.1.2.1:4500
3. The corresponding IKE SAs can be viewed on the headquarters firewall FW_A.
<FW_A> display ike sa
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
-----------------------------------------------------------------------------
83887864 1.1.5.1:500 RD|A v2:2 IP 1.1.5.1
83887652 1.1.5.1:500 RD|A v2:1 IP 1.1.5.1

Number of IKE SA : 2
-------------------------------------------------------------------------------

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
4. On the branch firewall FW_C, the IKE SAs whose peer is the headquarters can be viewed. FW_C is the initiator, so the ST flag is set.
<FW_C> display ike sa
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
-----------------------------------------------------------------------------
62887864 1.1.2.1:500 RD|ST|A v2:2 IP 1.1.2.1
62887652 1.1.2.1:500 RD|ST|A v2:1 IP 1.1.2.1

Number of IKE SA : 2
-------------------------------------------------------------------------------

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
5. On the headquarters firewall FW_A, a pair of bidirectional IPSec SAs corresponding to branch FW_C can be viewed.
<FW_A> display ipsec sa brief
Current ipsec sa num:2

Spu board slot 1, cpu 1 ipsec sa information:
Number of SAs:2
Src address Dst address SPI VPN Protocol Algorithm
-------------------------------------------------------------------------------
1.1.2.1 1.1.5.1 3923280450 ESP E:AES-256 A:SHA2_256_128
1.1.5.1 1.1.2.1 2676437093 ESP E:AES-256 A:SHA2_256_128
6. On the branch node FW_C, a pair of bidirectional IPSec SAs can be viewed.
<FW_C> display ipsec sa brief
Current ipsec sa num:2

Spu board slot 1, cpu 1 ipsec sa information:
Number of SAs:4
Src address Dst address SPI VPN Protocol Algorithm
-------------------------------------------------------------------------------
10.1.5.2 1.1.2.1 2179965693 ESP E:AES-256 A:SHA2_256_128
1.1.2.1 10.1.5.2 3813759530 ESP E:AES-256 A:SHA2_256_128
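As an added check that is not part of the original page, the following Python parses the two outputs shown above (the FW_B session table and the FW_A IKE SA table, embedded as constructed samples copied from the page) and reports what would be wrong if NAT traversal had not worked: a missing translated UDP 500 or 4500 session, an IKE SA on the headquarters that is not READY, or a remote ID that is not the NAT gateway's public address. The function names and the expected addresses are this example's own assumptions.

```python
import re

# Constructed sample, copied from the page's FW_B "display firewall session table" output.
FW_B_SESSIONS = """\
Current Total Sessions : 2
udp VPN:public --> public 10.1.5.2:500[1.1.5.1:2048]-->1.1.2.1:500
udp VPN:public --> public 10.1.5.2:4500[1.1.5.1:2048]-->1.1.2.1:4500
"""
# Constructed sample, copied from the page's FW_A "display ike sa" output (VPN column empty).
FW_A_IKE_SA = """\
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
83887864 1.1.5.1:500 RD|A v2:2 IP 1.1.5.1
83887652 1.1.5.1:500 RD|A v2:1 IP 1.1.5.1
"""

# src:port[translated:port]-->dst:port, as printed by the NAT gateway
SESSION_RE = re.compile(r"^udp .*?\s(\S+):(\d+)\[(\S+):(\d+)\]-->(\S+):(\d+)$", re.M)
# conn-id, peer, flags, phase, remote type, remote id
IKE_SA_RE = re.compile(r"^(\d+)\s+(\S+):\d+\s+(\S+)\s+v2:(\d)\s+\S+\s+(\S+)$", re.M)

def nat_t_sessions(table):
    """Map destination UDP port -> (inside address, translated address) per NAT session."""
    return {int(m[6]): (m[1], m[3]) for m in SESSION_RE.finditer(table)}

def check_nat_traversal(session_table, ike_sa_output, branch_inside, nat_public):
    """Findings that would explain a tunnel failing to come up; an empty list means healthy."""
    findings = []
    sess = nat_t_sessions(session_table)
    for port in (500, 4500):  # IKE starts on UDP 500 and moves to 4500 once NAT is detected
        if sess.get(port) != (branch_inside, nat_public):
            findings.append(f"no translated UDP {port} session {branch_inside} -> {nat_public}")
    phases = {int(m[4]): (m[3], m[5]) for m in IKE_SA_RE.finditer(ike_sa_output)}
    for phase in (1, 2):  # both the IKE SA (v2:1) and the child SA (v2:2) must be READY
        flags, remote_id = phases.get(phase, ("", ""))
        if "RD" not in flags.split("|"):
            findings.append(f"IKE phase {phase} SA on the headquarters is not READY")
        elif remote_id != nat_public:
            findings.append(f"headquarters sees remote ID {remote_id}, expected {nat_public}")
    return findings
```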
Configuration Scripts
FW_A configuration script
#
sysname FW_A
#
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer c
 pre-shared-key %@%@LV|sQ=~fUQO:M$CeqaMEnwVD%@%@
 ike-proposal 10
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ipsec policy-template temp 1
 security acl 3000
 ike-peer c
 proposal tran1
#
ipsec policy map1 10 isakmp template temp
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 1.1.2.1 255.255.255.0
 ipsec policy map1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
ip route-static 10.1.2.0 255.255.255.0 1.1.2.2
ip route-static 10.1.5.0 255.255.255.0 1.1.2.2
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  destination-address 10.1.2.0 24
  action permit
 rule name policy2
  source-zone untrust
  destination-zone trust
  source-address 10.1.2.0 24
  destination-address 10.1.1.0 24
  action permit
 rule name policy3
  source-zone local
  destination-zone untrust
  source-address 1.1.2.1 32
  destination-address 1.1.5.1 32
  action permit
 rule name policy4
  source-zone untrust
  destination-zone local
  source-address 1.1.5.1 32
  destination-address 1.1.2.1 32
  action permit
#
return
FW_C configuration script
#
sysname FW_C
#
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer a
 pre-shared-key %@%@9AGL!*(KJM2ImuCYi!QP,{6N%@%@
 ike-proposal 10
 remote-address 1.1.2.1
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer a
 proposal tran1
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.1.5.2 255.255.255.0
 ipsec policy map1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
ip route-static 1.1.2.0 255.255.255.0 10.1.5.1
ip route-static 10.1.1.0 255.255.255.0 10.1.5.1
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 10.1.2.0 24
  destination-address 10.1.1.0 24
  action permit
 rule name policy2
  source-zone untrust
  destination-zone trust
  source-address 10.1.1.0 24
  destination-address 10.1.2.0 24
  action permit
 rule name policy3
  source-zone local
  destination-zone untrust
  source-address 10.1.5.2 32
  destination-address 1.1.2.1 32
  action permit
 rule name policy4
  source-zone untrust
  destination-zone local
  source-address 1.1.2.1 32
  destination-address 10.1.5.2 32
  action permit
#
return
FW_B configuration script
#
sysname FW_B
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.5.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.1.5.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
ip route-static 10.1.1.0 255.255.255.0 1.1.5.2
ip route-static 10.1.2.0 255.255.255.0 10.1.5.2
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 10.1.5.2 32
  destination-address 1.1.2.1 32
  action permit
 rule name policy2
  source-zone untrust
  destination-zone trust
  source-address 1.1.2.1 32
  destination-address 10.1.5.2 32
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 10.1.5.0 24
  action source-nat easy-ip
#
return
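The configuration roadmap says the headquarters side must use a policy template with no remote address while the branch points at the headquarters' fixed public address, and the two ACLs must be mirror images of each other. This added Python check (not part of the original page or of the product) parses trimmed copies of the FW_A and FW_C scripts above, embedded as constructed samples, and reports whichever of those conditions fails; the function names are this example's own.

```python
import re
from ipaddress import IPv4Network
# Constructed samples: the ACL, IKE peer and policy sections of the page's FW_A and FW_C scripts.
FW_A_CFG = """\
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike peer c
#
ipsec policy-template temp 1
"""
FW_C_CFG = """\
acl number 3000
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike peer a
 remote-address 1.1.2.1
#
ipsec policy map1 10 isakmp
"""

def to_network(addr, wildcard):
    # Huawei ACL wildcard masks (0.0.0.255 = /24); invert explicitly so 0.0.0.0 becomes /32, not /0
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return IPv4Network(f"{addr}/{netmask}", strict=False)

def parse_cfg(text):
    """Pull out the ACL flows, the IKE peer's remote-address and whether a template is used."""
    cfg, section = {"flows": [], "remote": None, "template": False}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#":
            section = None
        elif line.startswith(("acl number", "ike peer")):
            section = line.split()[0]  # "acl" or "ike"
        elif line.startswith("ipsec policy-template"):
            cfg["template"] = True
        elif section == "acl" and line.startswith("rule"):
            m = re.search(r"source (\S+) (\S+) destination (\S+) (\S+)", line)
            cfg["flows"].append((to_network(m[1], m[2]), to_network(m[3], m[4])))
        elif section == "ike" and line.startswith("remote-address"):
            cfg["remote"] = line.split()[1]
    return cfg

def check_pair(hq_cfg, branch_cfg, hq_public_ip):
    """Return findings for the HQ/branch pair; an empty list means the pair is consistent."""
    hq, br = parse_cfg(hq_cfg), parse_cfg(branch_cfg)
    findings = []
    if not hq["template"] or hq["remote"]:  # branch is behind NAT, so HQ cannot pin its address
        findings.append("HQ must use ipsec policy-template with no remote-address")
    if br["remote"] != hq_public_ip:  # the branch must initiate towards HQ's public address
        findings.append(f"branch remote-address must be {hq_public_ip}")
    for src, dst in hq["flows"]:  # the protected flows must mirror each other
        if (dst, src) not in br["flows"]:
            findings.append(f"HQ flow {src}->{dst} is not mirrored on the branch")
    return findings
```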
Source: www.zh-cjh.com (Zhuhai Chen Jianhao's blog)
Author: cjh