It looks like I'm having China Telecom issues yet again. They're batting down our SSL VPN tunnels. Switching ports doesn't help. Tunneling the SSL tunnel inside of another tunnel doesn't help. At this point I'm tired of listening to the screaming by the business users. Can someone contact me (here or off-list, I don't care) about circuits in China so that we don't have to use China Telecom? We'd only need 2-10 Mbit and Ethernet hand off. We don't need BGP or MPLS or anything remotely fancy. Our main concern is getting connectivity to the business district in Suzhou, but it'd be nice if we could also use the same carrier in Shenzhen.
Thanks!
-- Thomas York
It's called the great firewall of china. Feel free to shift vendors but it won't help.
Meanwhile make sure none of your users are surfing for falun gong, dalai lama, ai weiwei or whoever else the chicom censors don't like on that particular day
On Wednesday, December 5, 2012, Thomas York wrote:
It looks like I'm having China Telecom issues yet again. They're batting down our SSL VPN tunnels. Switching ports doesn't help. Tunneling the SSL tunnel inside of another tunnel doesn't help. At this point I'm tired of listening to the screaming by the business users. Can someone contact me (here or off-list, I don't care) about circuits in China so that we don't have to use China Telecom? We'd only need 2-10 Mbit and Ethernet hand off. We don't need BGP or MPLS or anything remotely fancy. Our main concern is getting connectivity to the business district in Suzhou, but it'd be nice if we could also use the same carrier in Shenzhen.
Thanks!
-- Thomas York
-- --srs (iPad)
We tried to get our VPN to work from the China Telecom/China Unicom Beijing POP for over a year. The Chinese always claimed it was kosher, but we had something like 60%+ loss across our 4 hop VPN for the entirety of the project. Private circuits don't really exist on the mainland, HK and (maybe) Shanghai are about the only places for decent connectivity. :/
On 12/5/12 7:38 AM, "Suresh Ramasubramanian" <ops.lists@gmail.com> wrote:
It's called the great firewall of china. Feel free to shift vendors but it won't help.
Meanwhile make sure none of your users are surfing for falun gong, dalai lama, ai weiwei or whoever else the chicom censors don't like on that particular day
On Wednesday, December 5, 2012, Thomas York wrote:
It looks like I'm having China Telecom issues yet again. They're batting down our SSL VPN tunnels. Switching ports doesn't help. Tunneling the SSL tunnel inside of another tunnel doesn't help. At this point I'm tired of listening to the screaming by the business users. Can someone contact me (here or off-list, I don't care) about circuits in China so that we don't have to use China Telecom? We'd only need 2-10 Mbit and Ethernet hand off. We don't need BGP or MPLS or anything remotely fancy. Our main concern is getting connectivity to the business district in Suzhou, but it'd be nice if we could also use the same carrier in Shenzhen.
Thanks!
-- Thomas York
-- --srs (iPad)
It's quite easy to get MPLS-VPN connectivity into China (Pacnet, Singtel, CPCNet, etc, will offer), but at a price. Suzhou and Shenzhen are easily in reach of all the above listed providers.
On Wed, Dec 5, 2012 at 7:50 AM, Warren Bailey <wbailey@satelliteintelligencegroup.com> wrote:
We tried to get our VPN to work from the China Telecom/China Unicom Beijing POP for over a year. The Chinese always claimed it was kosher, but we had something like 60%+ loss across our 4 hop VPN for the entirety of the project. Private circuits don't really exist on the mainland, HK and (maybe) Shanghai are about the only places for decent connectivity. :/
On 12/5/12 7:38 AM, "Suresh Ramasubramanian" <ops.lists@gmail.com> wrote:
It's called the great firewall of china. Feel free to shift vendors but it won't help.
Meanwhile make sure none of your users are surfing for falun gong, dalai lama, ai weiwei or whoever else the chicom censors don't like on that particular day
On Wednesday, December 5, 2012, Thomas York wrote:
It looks like I'm having China Telecom issues yet again. They're batting down our SSL VPN tunnels. Switching ports doesn't help. Tunneling the SSL tunnel inside of another tunnel doesn't help. At this point I'm tired of listening to the screaming by the business users. Can someone contact me (here or off-list, I don't care) about circuits in China so that we don't have to use China Telecom? We'd only need 2-10 Mbit and Ethernet hand off. We don't need BGP or MPLS or anything remotely fancy. Our main concern is getting connectivity to the business district in Suzhou, but it'd be nice if we could also use the same carrier in Shenzhen.
Thanks!
-- Thomas York
-- --srs (iPad)
On Wed, Dec 5, 2012 at 2:19 PM, Tom Paseka <tom@cloudflare.com> wrote:
It's quite easy to get MPLS-VPN connectivity into China (Pacnet, Singtel, CPCNet, etc, will offer), but at a price.
mpls != ipsec ... perhaps the OP wants some privacy and authentication and such?
Suzhou and Shenzhen are easily in reach of all the above listed providers.
On Wed, Dec 5, 2012 at 7:50 AM, Warren Bailey < wbailey@satelliteintelligencegroup.com> wrote:
We tried to get our VPN to work from the China Telecom/China Unicom Beijing POP for over a year. The Chinese always claimed it was kosher, but we had something like 60%+ loss across our 4 hop VPN for the entirety of the project. Private circuits don't really exist on the mainland, HK and (maybe) Shanghai are about the only places for decent connectivity. :/
On 12/5/12 7:38 AM, "Suresh Ramasubramanian" <ops.lists@gmail.com> wrote:
It's called the great firewall of china. Feel free to shift vendors but it won't help.
Meanwhile make sure none of your users are surfing for falun gong, dalai lama, ai weiwei or whoever else the chicom censors don't like on that particular day
On Wednesday, December 5, 2012, Thomas York wrote:
It looks like I'm having China Telecom issues yet again. They're batting down our SSL VPN tunnels. Switching ports doesn't help. Tunneling the SSL tunnel inside of another tunnel doesn't help. At this point I'm tired of listening to the screaming by the business users. Can someone contact me (here or off-list, I don't care) about circuits in China so that we don't have to use China Telecom? We'd only need 2-10 Mbit and Ethernet hand off. We don't need BGP or MPLS or anything remotely fancy. Our main concern is getting connectivity to the business district in Suzhou, but it'd be nice if we could also use the same carrier in Shenzhen.
Thanks!
-- Thomas York
-- --srs (iPad)
On Wed, Dec 5, 2012 at 11:25 AM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Wed, Dec 5, 2012 at 2:19 PM, Tom Paseka <tom@cloudflare.com> wrote:
It's quite easy to get MPLS-VPN connectivity into China (Pacnet, Singtel, CPCNet, etc, will offer), but at a price.
mpls != ipsec ... perhaps the OP wants some privacy and authentication and such?
run IPSEC over the MPLS-VPN. It'll be a lot more stable than over public internet.
Since when is heavy encryption cool in China? Export restrictions smoke all of the decent crypto options. Secondly, anything that is going to happen mpls wise is going to go through MIIT.. You would be shocked how long licenses could take. I was the senior engineer on a project that involved in-flight connectivity via satellite, 2 years later and there are still no licenses. When I asked the Chinese officials (senior party officials) about an unrestricted pipe past the great firewall I was laughed out of the room.. The Chinese exert total control of outbound data on the mainland. Even when you get the OK to turn up, they still want a hard feed into their DPI, in our case knowing the sites (foreign flagged aircraft) transiting the network were only in their AIRSPACE. China is a cool place, but you need to take your patience and checkbook if you want to have any hope in getting what you want.
From my Galaxy Note II, please excuse any mistakes.
-------- Original message --------
From: Tom Paseka <tom@cloudflare.com>
Date: 12/05/2012 11:27 AM (GMT-08:00)
To: Christopher Morrow <morrowc.lists@gmail.com>
Cc: Warren Bailey <wbailey@satelliteintelligencegroup.com>, nanog@nanog.org
Subject: Re: China Telecom VPN problems (again)
On Wed, Dec 5, 2012 at 11:25 AM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Wed, Dec 5, 2012 at 2:19 PM, Tom Paseka <tom@cloudflare.com> wrote:
It's quite easy to get MPLS-VPN connectivity into China (Pacnet, Singtel, CPCNet, etc, will offer), but at a price.
mpls != ipsec ... perhaps the OP wants some privacy and authentication and such?
run IPSEC over the MPLS-VPN. It'll be a lot more stable than over public internet.
On Wed, 05 Dec 2012 19:48:31 +0000, Warren Bailey said:
Since when is heavy encryption cool in China? Export restrictions smoke all of the decent crypto options.
OK, I'll bite.. What crypto options are getting stuck due to export restrictions (as opposed to import restrictions on the other end)?
Make sure you check this out in detail. My export / import people found out that if the device is going to be in control of and used by a US company doing business in China, there are a lot less encryption restrictions. The ruling was that it was not an export if the device remains the property of and in control of a US company. The thought is that they want US companies to be able to secure their own VPN traffic. There are also apparently some key escrow rules whereby you are supposed to give the Chinese government your keys. I am told by a US gov't employee that almost no one does that and the Chinese government makes it a point not to hassle US companies. Your mileage may vary and I am not an import / export expert.
Steven Naslund
-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
Sent: Wednesday, December 05, 2012 2:11 PM
To: Warren Bailey
Cc: nanog@nanog.org
Subject: Re: China Telecom VPN problems (again)
On Wed, 05 Dec 2012 19:48:31 +0000, Warren Bailey said:
Since when is heavy encryption cool in China? Export restrictions smoke all of the decent crypto options.
OK, I'll bite.. What crypto options are getting stuck due to export restrictions (as opposed to import restrictions on the other end)?
Agreed. I have run IPsec over MPLS with no problem in China on several carriers. Internet connectivity also worked but performance was spotty due to overloaded firewall or circuits in and out of the country.
Steven Naslund
-----Original Message-----
From: Tom Paseka [mailto:tom@cloudflare.com]
Sent: Wednesday, December 05, 2012 1:27 PM
To: Christopher Morrow
Cc: nanog@nanog.org
Subject: Re: China Telecom VPN problems (again)
On Wed, Dec 5, 2012 at 11:25 AM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Wed, Dec 5, 2012 at 2:19 PM, Tom Paseka <tom@cloudflare.com> wrote:
It's quite easy to get MPLS-VPN connectivity into China (Pacnet, Singtel, CPCNet, etc, will offer), but at a price.
mpls != ipsec ... perhaps the OP wants some privacy and authentication and such?
run IPSEC over the MPLS-VPN. It'll be a lot more stable than over public internet.
There are lots of carriers but unfortunately they all seem to use China Telecom infrastructure for transport so there is not really a way to get better Internet service there. In our experience MPLS performs better because China Telecom seems to hand off service to the international MPLS carriers before the big Internet bottleneck.
Steven Naslund
-----Original Message-----
From: Christopher Morrow [mailto:morrowc.lists@gmail.com]
Sent: Wednesday, December 05, 2012 1:25 PM
To: Tom Paseka
Cc: nanog@nanog.org
Subject: Re: China Telecom VPN problems (again)
On Wed, Dec 5, 2012 at 2:19 PM, Tom Paseka <tom@cloudflare.com> wrote:
It's quite easy to get MPLS-VPN connectivity into China (Pacnet, Singtel, CPCNet, etc, will offer), but at a price.
mpls != ipsec ... perhaps the OP wants some privacy and authentication and such?
Suzhou and Shenzhen are easily in reach of all the above listed providers.
On Wed, Dec 5, 2012 at 7:50 AM, Warren Bailey < wbailey@satelliteintelligencegroup.com> wrote:
We tried to get our VPN to work from the China Telecom/China Unicom Beijing POP for over a year. The Chinese always claimed it was kosher, but we had something like 60%+ loss across our 4 hop VPN for the entirety of the project. Private circuits don't really exist on the mainland, HK and (maybe) Shanghai are about the only places for decent connectivity. :/
On 12/5/12 7:38 AM, "Suresh Ramasubramanian" <ops.lists@gmail.com> wrote:
It's called the great firewall of china. Feel free to shift vendors but it won't help.
Meanwhile make sure none of your users are surfing for falun gong, dalai lama, ai weiwei or whoever else the chicom censors don't like on that particular day
On Wednesday, December 5, 2012, Thomas York wrote:
It looks like I'm having China Telecom issues yet again. They're batting down our SSL VPN tunnels. Switching ports doesn't help. Tunneling the SSL tunnel inside of another tunnel doesn't help. At this point I'm tired of listening to the screaming by the business users. Can someone contact me (here or off-list, I don't care) about circuits in China so that we don't have to use China Telecom? We'd only need 2-10 Mbit and Ethernet hand off. We don't need BGP or MPLS or anything remotely fancy. Our main concern is getting connectivity to the business district in Suzhou, but it'd be nice if we could also use the same carrier in Shenzhen.
Thanks!
-- Thomas York
-- --srs (iPad)
participants (7)
- Christopher Morrow
- Naslund, Steve
- Suresh Ramasubramanian
- Thomas York
- Tom Paseka
- Valdis.Kletnieks@vt.edu
- Warren Bailey