China Telecom VPN problems (again)

It looks like I'm having China Telecom issues yet again. They're batting
down our SSL VPN tunnels. Switching ports doesn't help. Tunneling the SSL
tunnel inside of another tunnel doesn't help. At this point I'm tired of
listening to the screaming by the business users. Can someone contact me
(here or off-list, I don't care) about circuits in China so that we don't
have to use China Telecom? We'd only need 2-10 Mbit and Ethernet hand off.
We don't need BGP or MPLS or anything remotely fancy. Our main concern is
getting connectivity to the business district in Suzhou, but it'd be nice if
we could also use the same carrier in Shenzhen.


-- Thomas York

It's called the great firewall of china. Feel free to shift vendors but it
won't help.

Meanwhile make sure none of your users are surfing for falun gong,
dalai lama, ai weiwei or whoever else the chicom censors don't like on that
particular day

We tried to get our VPN work from the China Telecom/China Unicom beijing
POP for over a year. The Chinese always claimed it was kosher, but we had
something like 60%+ loss across our 4 hop VPN for the entirety of the
project. Private circuits don't really exist on the mainland, HK and
(maybe) Shanghai are about the only places for decent connectivity. :confused:

Its quite easy to get MPLS-VPN connectivity into China (Pacnet, Singtel,
CPCNet, etc, will offer), but at a price.

Suzhou and Shenzhen are easily in reach of all the above listed providers.

Its quite easy to get MPLS-VPN connectivity into China (Pacnet, Singtel,
CPCNet, etc, will offer), but at a price.

mpls != ipsec ... perhaps the OP wants some privacy and authentication and such?

run IPSEC over the MPLS-VPN. It'll be a lot more stable than over public

Since when is heavy encryption cool in China? Export restrictions smoke all of the decent crypto options. Secondly, anything that is going to happen mpls wise is going to go through MIIT.. You would be shocked how long licenses could take. I was the senior engineer on a project that involved in-flight connectivity via satellite, 2 years later and there are still no licenses. When I asked the Chinese officials (senior party officials) about an unrestricted pipe past the great firewall I was laughed out of the room.. The Chinese exert total control of outbound data on the mainland. Even when you get the OK to turn up, they still want a hard feed into their DPI, in our case knowing the sites (foreign flagged aircraft) transiting the network were only in their AIRSPACE. China is a cool place, but you need to take your patience and checkbook if you want to have any hope in getting what you want.

OK, I'll bite.. What crypto options are getting stuck due to export
restrictions (as opposed to import restrictions on the other end)?

Make sure you check this out in detail. My export / import people found
out that if the device is going to be in control of and used by a US
company doing business in China, there are a lot less encryption
restrictions. The ruling was that it was not an export if the device
remains the property of and in control of a US company. The thought is
that they want US companies to be able to secure their own VPN traffic.
There are also apparently some key escrow rules whereby you are supposed
to give the Chinese government your keys. I am told by US gov't
employee that almost no one does that and the Chinese government makes
it a point not to hassle US companies. Your mileage may vary and I am
not an import / export expert.

Steven Naslund

Agreed. I have run IPsec over MPLS with no problem in China on several
carriers. Internet connectivity also worked but performance was spotty
due to overloaded firewall or circuits in and out of the country.

Steven Naslund

There are lots of carriers but unfortunately they all seem to use China
Telecom infrastructure for transport so there is not really a way to get
better Internet service there. In our experience MPLS performs better
because China Telecom seems to hand off service to the international
MPLS carriers before the big Internet bottleneck.

Steven Naslund