ISP/VPN's to China?

I have a client in the US looking to connect up an office in China and I'm wondering what type of connections are available and whether IPSEC VPNs can be established through the 'Great firewall of China'.

I talked to a China Telecom rep in the US who says that the network congestion even in China makes VPNs difficult. From their website, I see that the majority of the country is using xDSL, or 2MB dedicated lines.

Can anyone shed any light on this topic? Thanks!

chris@chrisserafin.com

I travel to China at least once a year, often several times. I generally visit major cities like Shanghai and Beijing, but have been to a number of other cities. I generally use Cisco VPN (an IPsec VPN) to Cisco DMZs in Tokyo or Hong Kong for business purposes. As with hotels in other parts of the world, congestive interference depends a lot on the hotel and what the person you're competing with is doing. I can tell you a few horror stories if you're amused by them, but in recent years things have been improving.

Hi,

if you're talking about Mainland China in general (not Hong Kong specifically), indeed IPSEC VPN may not provide desired level of service.
During the time I spent there, we opted for:
- CNC MPLS for 4 sites in China
- Equant MPLS between Beijing and other worldwide sites
- Then replaced at high price Equant by Verizon MPLS in order to connect worldwide sites through Pacific links instead of Suez Canal
- Then replaced Verizon by higher bandwidth Equant MPLS because Verizon's service was seriously bad. Not the link, but the service around it.

At that time, Verizon used China Telecom as contractor, and I think Equant used CNC. Not sure about that, though.

Between each site (Beijing to three others in China, and Beijing to others worldwide), there was a backup IPSEC VPN set up "just in case". Fortunately we didn't have to use them, because they were down from time to time and bandwidth was inconsistent.

The "Great Firewall buddy" is not to blame this time.

ChrisSerafin wrote:

Very interesting rundown of current infrastructure option -- thanks!

Hi,

if you're talking about Mainland China in general (not Hong Kong specifically), indeed IPSEC VPN may not provide desired level of service.
During the time I spent there, we opted for:
- CNC MPLS for 4 sites in China
- Equant MPLS between Beijing and other worldwide sites
- Then replaced at high price Equant by Verizon MPLS in order to connect worldwide sites through Pacific links instead of Suez Canal
- Then replaced Verizon by higher bandwidth Equant MPLS because Verizon's service was seriously bad. Not the link, but the service around it.

At that time, Verizon used China Telecom as contractor, and I think Equant used CNC. Not sure about that, though.

Verizon = CT: also consistent with my memory (and an easy guess since there is no alternative)

Equant = CNC: Perhaps you mean China Unicom =)

TV

I use the Cisco WebVPN (AnyConnect) client and I have yet to find a place in China where it doesn't work perfectly - even in rural areas, but not so rural that they don't have Internet access. However, if you try to do many "normal" things outside of the VPN connection - check certain news sites, log on to Facebook or watch a video on YouTube - you won't be able to do so.

-Robert

Tellurian Networks - A Perot Systems Company
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin

OpenVPN is ideal. It functions purely over application-level UDP transport (IP-IP) instead of using GRE/IPSec/other encapsulation protocols that could potentially be blocked by a protocol filter on a router. Route that traffic to a server outside of China and NAT it out to the rest of the Internet.

The default port is UDP 1194, but can easily be changed.

Anyone who wants to block it risks blocking any applications that use UDP in general, such as online games, Skype, etc.

It is precisely because the traffic has no signature distinguishable from normal application traffic - aside from the fact that the payload is encrypted - that it makes a good fit.

It's also open-source and free.

oh my goodness. You're behind on your reading...

Fred Baker wrote:

It is precisely because the traffic has no signature distinguishable from normal application traffic

oh my goodness. You're behind on your reading...

I didn't mean DPI. I meant in a way that can be inferred from the headers themselves, and aside from the port number.

You don't think that statistical analysis of the traffic patterns of your UDP traffic would identify it as a likely tunnel? :)

Adrian

I was not aware that tools or techniques to do this are widespread or highly functional in a way that would get them adopted in an Internet access control application of a national scope.

Tell me more?

It's been a while since I tinkered with this for fun, but a quick abuse
of google gives one relatively useful starting paper:

http://ccr.sigcomm.org/online/files/p7-v37n1b-crotti.pdf

Now, if you were getting multiple overlapping fingerprints inside a
UDP packet stream you may conclude that it is a VPN tunnel of some
sort.

Just randomly padding the tunnel with a few bytes either side will
probably just fuzz the classifier somewhat. Aggregating the packets
up into larger packets may fuzz the classification methods but it
certainly won't make the traffic look like "something else".
It'll likely still stick out as being "different". :)

Adrian
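To make the "protocol fingerprint" idea concrete, here is a toy classifier written for this thread (it is not code from the Crotti paper or from any poster). It keeps only the size and direction of the first packets of a flow, whereas the paper also uses inter-arrival times; the flows, bucket width and thresholds are constructed for illustration. A flow that matches no known fingerprint but shows many distinct packet sizes (the "multiple overlapping fingerprints" case) is flagged as a probable tunnel, and the padding check shows why a few random bytes barely move the result.

```python
import math
from collections import Counter

# A flow is a list of (direction, size) tuples: "c" = client->server, "s" = server->client.
BUCKET = 64  # packet-size bucket width in bytes (constructed choice)


def size_bucket(size):
    return size // BUCKET


def fingerprint(training_flows, n_pkts=8):
    """Position-indexed mask: for packet i, the (direction, size bucket) pairs seen in training."""
    mask = [set() for _ in range(n_pkts)]
    for flow in training_flows:
        for i, (direction, size) in enumerate(flow[:n_pkts]):
            mask[i].add((direction, size_bucket(size)))
    return [m for m in mask if m]  # drop trailing empty positions


def match_score(flow, mask):
    """Fraction of the flow's first packets that fall inside the mask."""
    n = min(len(flow), len(mask))
    hits = sum(1 for i in range(n) if (flow[i][0], size_bucket(flow[i][1])) in mask[i])
    return hits / n


def size_entropy(flow):
    """Shannon entropy (bits) of the size-bucket distribution; high values mean many mixed sizes."""
    counts = Counter(size_bucket(s) for _, s in flow)
    n = len(flow)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(flow, known, threshold=0.75, entropy_floor=1.5):
    best = max(known, key=lambda name: match_score(flow, known[name]))
    if match_score(flow, known[best]) >= threshold:
        return best
    # No known application fits: mixed sizes in both directions suggest several
    # applications multiplexed in one UDP stream, i.e. a tunnel.
    return "probable tunnel" if size_entropy(flow) >= entropy_floor else "unknown"


# Constructed training and sample flows (not captured data).
KNOWN = {
    "dns": fingerprint([[("c", 64), ("s", 180)], [("c", 72), ("s", 250)]]),
    "voip": fingerprint([[("c", 200), ("s", 200)] * 4]),
}
DNS_FLOW = [("c", 70), ("s", 200)]
PADDED_DNS_FLOW = [("c", 70 + 5), ("s", 200 + 11)]  # a few bytes of random padding
TUNNEL_FLOW = [("c", 80), ("s", 1380), ("s", 1380), ("c", 60),
               ("c", 500), ("s", 900), ("c", 1380), ("s", 72)]
STEADY_FLOW = [("c", 600), ("s", 600)] * 4  # unknown app, but uniform sizes
```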

They exist and for certain applications are pretty effective.

Adrian Chadd writes:

Doesn't necessarily have to be hugely accurate. The authorities could
simply identify a few likely suspect tunnels, then knock-on-doors and ask
you to explain what the traffic in question is...

Chris Edwards wrote:

Doesn't necessarily have to be hugely accurate. The authorities could simply identify a few likely suspect tunnels, then knock-on-doors and ask you to explain what the traffic in question is...

Understood. I guess the angle I was going more for was: Is this actually practical to do in a country with almost as many Internet users as the US has people?

I had always assumed that broad policies and ACLs work in China, but most forms of DPI and traffic pattern analysis aren't practical simply for computational feasibility reasons. Not unless the system were highly distributed.

Perhaps they only need make an example of a few, and thus introduce an
element of fear for everyone else.

I had always assumed that the Gt. Firewall, and especially the fake RST
element of it, existed precisely to let the geeks and weirdos stand out of the
naive traffic so they could be subjected to special treatment.

Similarly, this is the approach the Iranians seem to have taken after their
disputed election - although there isn't a telco monopoly, there's a wholesale
transit monopoly, and they just had the transit provider rate-limit everyone.
My understanding of this was that "normal" users would give up and do
something else, and only people who really wanted to reach the outside world
or each other - i.e. potential subversives - would keep trying. Therefore,
not only would the volume of traffic to DPI, proxy etc be lower, but the
concentration of suspect traffic in it would be higher.

From this point of view, I suppose there's some value in using an IPSec or SSL
VPN, because that's what corporate traveller applications tend to use and
they'll therefore never cut it off. I mean, are you suggesting that the
assistant party secretary of Wuhan won't be able to log into CommunistSpace
(like Facebook with Chinese characteristics) while he's on the road?
Unthinkable!

Not "a few," but rather quite a lot, albeit only infrequently, and at unpredictable intervals, with a very high inclusion/exclusion error rate -- an artifact of the absence of a clear and easily demonstrable line between compliance/non-compliance (which is itself an artifact of the 内部 [internally published only] nature of many of the related rules).

http://www.usc.cuhk.edu.hk/wk_wzdetails.asp?id=2791
www.usc.cuhk.edu.hk/webmanager/wkfiles/2791_1_paper.pdf

TV

Generally speaking, the definition of "corporate traveller applications" in such cases ==
"Whatever anyone tries to do from the following specific address ranges, which are known to be accessible exclusively inside certain international hotels, exclusively to users who are willing to pay the equivalent of 1-2 weeks of avg. local income for the privilege."

TV

I have a client in the US looking to connect up an office in China and I'm
wondering what type of connections are available and whether IPSEC VPNs can be
established through the 'Great firewall of China'.

If you want an IP-MPLS VPN, BT has PoPs in Beijing, Guangzhou,
Shanghai and Hong Kong.
Check the BT web site (Global security, cloud and networking services | BT) for more details and contact info.

You won't run into any problems running IPSEC over the MPLS network if
you still feel the need for encryption. You can also get Internet
access over the VPN and that access is from a gateway outside the
Great Firewall.

I imagine we are not the only global network offering such
connectivity in China.

--Michael Dillon