Better connection to China

Hi guys,

Our main office is in North America, and we have a site in China connected via the IPSEC tunnel. The Chinese circuit is a CN2 type, but the users complain a lot about the traffic in the VPN tunnel.

I’m looking for a better, faster and more reliable solution. I’m considering trying the companies below, but I wonder if it will solve the issue.

https://www.teridion.com/

https://www.ctamericas.com/

Current China ISP: China Mobile

Any ideas?

We have a couple of locations in China and I can confirm that we have issues with IPSEC tunnels every now and then - like once every couple of months.
The good part is that we also have an MPLS connection and that is reliable.
For the VPN/remote connection piece, we implemented an in-China VPN termination for our China colleagues and all is good since the first pandemic days.

This is not really a solution to your problems, but all I can tell you is how my company actually solved the issues.

First, we talked to our board of directors, they then in turn talked to the board of directors of our Chinese owners, who in turn then talked to the CCP Representative on their board who pulled some strings to make the problems go away.

You’ve got to remember that there are no private companies in China with more than like 100 employees. The only companies that exist in China are the ones the CCP allows to exist because they have a CCP Representative on their board and they comply with them.

Working within China is interesting to say the least.

Previously we got around this issue by running our sites in China over MPLS into Singapore; using a physical transit in Singapore allowed us to have reliable connectivity and also a security demarcation point between the China business and the rest of the world.

Also, we purchased the MPLS via China Telecom, I believe, but I don’t work there anymore so I can’t confirm.

Have you considered using AWS to backhaul your traffic? Set up a tunnel to the closest AWS instance in China, then use a transit gateway to backhaul the traffic over AWS’s network, then set up another tunnel from the AWS location closest to your North American site.

This solved a lot of issues we were having with reliable connectivity to an Asian site we have (not China).

We pay DYXnet for internet based in Hong Kong with an MPLS to Shanghai. It’s expensive and slow, but it just works.

You need to use SD-WAN that is approved and partnered with one of the big 3 ISPs in China (China Telecom, China Unicom, China Mobile). The alternative is the more expensive and slower MPLS connection. The GFW of China blocks IPsec by default if the traffic is leaving China. ALL China internet traffic routes through 3 ingress/egress points for the entire country.

What do your routes between HQ and the China site look like? China Mobile has some peering in North America (AS58453, for example) — maybe you can find a common exchange point and get better routes to them.

Both Cato Networks & Aryaka provide a solution that allows an enterprise that operates in China to use a standard domestic China circuit (even Broadband) to connect to their Cloud network and use their Cloud network to optimally route and accelerate traffic inside/outside of China. It’s really quite simple, they operate a domestic Cloud Network footprint within mainland China (with PoPs in Beijing, Shanghai and Shenzhen - essentially the entire eastern seaboard) and have private connectivity from that footprint to Hong Kong and beyond. This removes the variable associated with how China inspects and disrupts VPN/IPSec technologies as they exit/enter China.

Cato & Aryaka are “middle-mile” cloud networks (their own networks) that allow you to use your own carrier/bandwidth at the edge, a.k.a. the “last mile”. You can on-ramp to both their networks using IPSec and existing edge network equipment, or you can use their respective SD-WAN solution to connect. Cato also has an agent for mobile endpoints that need secure connectivity while in China or need remote access to resources outside of China, and the same architecture applies for remote users as it does for sites.

Teridion claims to have a footprint in China, but there isn’t much information about what that footprint is actually made of. Their status page is super basic and doesn’t give you much insight into the operation of their “network”. It could very well be a partnership with China Telecom (the traditional telco approach, like other carriers do and people on this thread have spoken about) or with Alibaba (who operates its own global network), similar to how AWS and Azure position their inter-region peering.

How’s traffic outside the tunnel between endpoints? Good bandwidth, low latency?

If it’s good outside the VPN I’d make sure MTU is appropriate for the path then would suspect it is being intentionally degraded.
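An added example (not from this thread, and not the code of any vendor named in it) of the MTU check the comment above suggests. Two things are involved: finding the largest packet that crosses the path unfragmented, and then sizing the TCP MSS inside the tunnel so that IPsec-encapsulated packets stay under that value. The ESP overhead figures are the standard RFC 4303 header/trailer sizes plus the IV and ICV lengths for the named cipher suites; the `ping -M do` probe assumes Linux iputils and is not exercised by the offline demo, which uses a simulated path MTU of 1420 (a constructed value).

```python
"""Path-MTU discovery and IPsec TCP MSS sizing helper (constructed example)."""
import subprocess
from typing import Callable

# Fixed header sizes, in bytes.
IPV4_HEADER = 20
UDP_HEADER = 8      # NAT-T encapsulation (RFC 3948), present when ESP rides over UDP/4500
ESP_HEADER = 8      # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2     # pad length (1) + next header (1)
TCP_HEADER = 20

# Per-suite ESP parameters: (IV length, ICV length, padding alignment).
# CBC modes pad the encrypted part to the 16-byte block size; GCM only needs
# the 4-byte alignment ESP itself requires.
ESP_SUITES = {
    "aes-gcm": (8, 16, 4),
    "aes-cbc-hmac-sha1": (16, 12, 16),
    "aes-cbc-hmac-sha256": (16, 16, 16),
}


def _round_up(value: int, align: int) -> int:
    return (value + align - 1) // align * align


def esp_packet_size(inner_len: int, suite: str, nat_t: bool) -> int:
    """Size on the wire of an inner IPv4 packet of inner_len bytes after ESP tunnel-mode encapsulation."""
    iv_len, icv_len, align = ESP_SUITES[suite]
    encrypted = _round_up(inner_len + ESP_TRAILER, align)
    outer = IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER + iv_len
    return outer + encrypted + icv_len


def max_inner_packet(path_mtu: int, suite: str, nat_t: bool) -> int:
    """Largest inner IPv4 packet whose ESP encapsulation still fits in path_mtu."""
    iv_len, icv_len, align = ESP_SUITES[suite]
    fixed = IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER + iv_len + icv_len
    available = path_mtu - fixed
    if available <= ESP_TRAILER:
        raise ValueError("path MTU too small for this suite")
    # The encrypted part must be a multiple of the alignment, so round down.
    return available // align * align - ESP_TRAILER


def tcp_mss_clamp(path_mtu: int, suite: str, nat_t: bool) -> int:
    """TCP MSS to clamp on the tunnel interface so no inner segment triggers fragmentation."""
    return max_inner_packet(path_mtu, suite, nat_t) - IPV4_HEADER - TCP_HEADER


def discover_path_mtu(fits: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest packet size in [lo, hi] for which fits(size) is True.

    fits(size) must answer whether a size-byte IP packet crosses the path with DF set.
    """
    if not fits(lo):
        raise RuntimeError(f"even {lo}-byte packets do not pass; path is broken or filtered")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if fits(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def ping_probe(host: str, size: int) -> bool:
    """Real probe for discover_path_mtu (assumes Linux iputils ping).

    -M do sets DF; -s takes the ICMP payload, so subtract the 20-byte IP and 8-byte ICMP headers.
    A non-zero exit means the packet was dropped or 'message too long' was reported.
    """
    payload = size - IPV4_HEADER - 8
    result = subprocess.run(
        ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host],
        capture_output=True,
    )
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed stand-in for a path that drops anything above 1420 bytes with DF set.
    simulated_path = lambda size: size <= 1420
    mtu = discover_path_mtu(simulated_path)
    print(f"path MTU: {mtu}")
    for suite in ESP_SUITES:
        for nat_t in (False, True):
            print(f"{suite:22} nat_t={nat_t!s:5} "
                  f"max inner {max_inner_packet(mtu, suite, nat_t)}  "
                  f"MSS clamp {tcp_mss_clamp(mtu, suite, nat_t)}")
```

If the probe finds a much smaller MTU inside the tunnel than outside, or the clamp fixes the complaints, the problem is fragmentation rather than the circuit; if the MTU is fine and the tunnel is still slow, that points back at the path itself.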

Alibaba Cloud has a product that allows you to do VPN termination inside the country but you still need to do the process of getting an ICP license. If you have an entity in the country already this should not be an issue: Cloud Enterprise Network (CEN)

There’s also a Palo Alto Networks product: https://prismaaccess.cn/

Cato Networks. This is a core use case for them. Site in China, site in NAM, they provide protected transport. Not going to be as cheap as your current IPsec solution but is bulletproof.

Edit - spelling

So most of the issue ends up being the routing. Find a VPS host that has China Telecom as a partner and use that as your VPN server on both sides. China Telecom is very poorly peered in the US. EX: https://sharktech.net/data-centers/los-angeles/ (VPS or cloud doesn’t matter as long as it’s LA or LV for that provider.)

First advice: Leave China Mobile asap!

Based on our experience, their business lines are ranked third in China. Telecom and Unicom come first.

A 100 / 100 MB line in China with Telecom is 28800 RMB per year and 25200 for Unicom.

Please beware of CTA Americas. Their local teams and global teams have a lot of infighting for the revenues split and they struggle with the implementation.

A decent MPLS / SD-WAN between Shanghai (or any other location in China) and Hong Kong goes from around 5000 RMB upwards for 10/12 MB upwards. Similar prices for Frankfurt, Milan or London.

u/Existing-Finish-3338

Source: we’re an IT company out of Shanghai, so we’re used to such connectivity solutions between Chinese locations and European, North American and Australian entities.

Make sure your ICP licence is in place, and then reach out to ChinaCache and ask for their recommendations.

I’m going through a similar problem. Moving from MPLS to Viptela SDWAN over Internet transits. Performance is not good, but the company wants to cut costs on MPLS fees.

What’s your MPLS provider? Aryaka? China Telecom?

This is misinformation while dealing with technical issues. There are plenty of small/mid-sized private companies in China, though those mega-sized ones are government owned.

The reason for the IPsec problem is that ALL internet traffic within China needs to go through the GFW, and IPsec tunnels by default are not allowed. Companies in China do have procedures to request the IPsec and can get approval on the business level.

Do the right thing and do it right, stop misinformation.

I’ve used both China Telecom America (CTA) and NTT for similar setups. NTT had better support. CTA had better pricing. This was four years ago so things may have changed.

AWS in China is completely separate from AWS outside of China.