IPSEC VPN within China allowed?

Does anyone know if China blocks VPNs within China?
We have two offices, one in Shenzhen and one in Shanghai. I would like to directly connect these via VPN. Both are on China Unicom.

IPSec within China usually works fine.

IPsec in to/out of China usually works fine.

What sometimes happens though is they will isolate bits of China.

We used to have a customer with several sites in China in a global VPN mesh, 90% of the time it would function as intended. Sometimes one or more nodes in the mesh would drop off of the global mesh, but would still function meshed with the other Chinese sites, so we would just re-route traffic to that specific site to/from the rest of the global network through one of the sites which was still responding to IPSec globally.

On rare occasions, which usually coincided with a local CCP party conference or similar, a node would drop off of the mesh entirely. When this happened there wasn't much we could do about it but wait until they stopped blocking.

I have several IPSEC tunnels with Wuxi and Shanghai coming back into Australia.

We recently had some issues with all sites that the ISP had to sort out, as our IP got banned in China.

Otherwise never had an issue in 10+ years.

Our Shanghai offices use a P2P/MPLS link into Hong Kong and then out to the internet from there. It's expensive but has no issues.

For global connections to Europe (I assume you’re Dutch, u/DutchDev1L ) you can go these ways to build your IPSec VPNs in a reliable way:

  1. China Telecom IPMan
  2. China Unicom Gold line
  3. SDWan / MPLS with official vendors that have Chinese licenses
  3.5 China Telecom America or China Unicom international (they're a mix of solution 3 and solution 4). A mixed bag based on the fact that the local teams and the foreign teams debate on the revenue shares.
  4. Global vendors that use 1, 2, or 3 as a local vendor.

Our SSL VPN came under scrutiny recently. First round was solved with official paperwork. Second round required some creative reconfiguration.

If you do IPSEC for a small office you can use UDP and connect to VDIs outside of China. UDP traffic is less likely to get snuffed out.

How often has a node been dropped and how long was it for?

Similar here. Two PoPs, one in Shanghai for local breakout, and we went with P2P to Singapore because of the whole impending One China bullshit. Don't wanna deal with the risk with them just Ukraining HK.

Our Cisco equipment only supports IPSEC as a p2p.

Who did you file the paperwork with?

No real pattern behind it, maybe a couple of times a year, but it could be anywhere between a couple of hours or a day or a week.

Thanks both! I’ll take this into consideration.

Dunno. I work in a highly matrixed organization and that was handled by others. I’m just the monkey who took the initial trouble report, opened the ticket with our ISP, and then connected the ISP with our local contact and the right PM who was multilingual to carry the torch.