IPSEC shutdown in China

How companies continue to securely connect their locations


The Chinese government is increasingly restricting IPSEC VPNs. As a result, companies are losing secure access to servers and services abroad. SAVECALL shows alternatives for stable and legal site connections.

In a nutshell:

SAVECALL securely connects German companies with China via regulated SD WAN solutions in cooperation with China Telecom.

The question: How secure is your company’s connection to China at the moment?

Many German companies run VPNs to China in order to connect their sites there to the corporate network. The Chinese cyber security authorities want to control Internet usage in China and, in particular, block international websites. This is done through the “Great Firewall of China”: all Internet traffic must pass through it and is filtered there. In the past, Internet users in China were able to bypass this firewall with international IPsec VPN tunnel services; for a monthly fee, an online service provider gave them unregulated, open Internet access, and a huge grey market developed. Around a year ago this was systematically eliminated by means of the new Cyber Security Act, and offenders face severe prison sentences. German companies are also affected, as they usually grant their employees access to the international Internet and to their own servers and services abroad, which is technically realized by means of IPsec tunnels or MPLS VPN.

The official Chinese government policy on this is as follows:

  • Any business entity and individual who sets up or rents lines (including VPN services) for the purpose of cross-border transactions or activities is strictly prohibited without authorization from the Chinese Telecom Management Authority (….)
  • A Cloud Service Provider who owns service infrastructure in China and requires connection to foreign country networks shall establish the connection through international internet access service providers authorized by the Ministry of Industry and Information Technology (MIIT). Leased lines, VPN and any unstated self-invented network communication channels are strictly prohibited.
  • CDN and SD-WAN operation, including where cross-border data transmission is required, shall comply with the above stated rules for future management.

In practice, this means that ports 80, 443 and 8080 as well as IPsec/site-to-site VPN traffic are blocked by the Chinese authorities. Technically, IPsec uses IP protocols 50 (ESP) and 51 (AH) together with UDP ports 500 (IKE) and 4500 (NAT-T), among others, and there is no official document that specifically addresses these ports. However, all cross-border IPsec ports are gradually being blocked; only purely China-domestic IPsec connections are not affected. What alternatives do companies then have to connect their Chinese locations to their international branches or foreign servers? Carrier MPLS connections are not affected by the shutdowns, as they are subject to different regulation; because they are so expensive, the Chinese authorities are not concerned that these lines will be used en masse for surfing the unregulated Internet. For many companies, however, an MPLS connection to China is too expensive. China Telecom therefore now offers a regulated, reliable and cheaper alternative to MPLS.
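To assess which of their tunnels are exposed to this kind of blocking, network teams need to tell IPsec traffic apart from other traffic and separate cross-border tunnels from purely domestic ones. The following script is an added example and is not code from SAVECALL or China Telecom: it parses raw IPv4 packets, classifies them as ESP (IP protocol 50), AH (51), IKE (UDP 500) or NAT-T (UDP 4500, distinguishing IKE behind the RFC 3948 non-ESP marker from UDP-encapsulated ESP), and counts how many belong to cross-border versus domestic flows. The site prefix 10.88.0.0/16, the foreign addresses and all packets are constructed for the example.

```python
"""Inventory IPsec flows and flag the cross-border ones (added example, constructed data)."""
import ipaddress
import struct
from collections import Counter

# Hypothetical prefix of the company's China sites (constructed for this example).
CHINA_SITE_PREFIXES = [ipaddress.ip_network("10.88.0.0/16")]

PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17
PORT_IKE, PORT_NAT_T = 500, 4500


def classify_ipsec(pkt: bytes) -> str:
    """Return 'esp', 'ah', 'ike', 'nat-t', 'nat-t-esp' or 'other' for one IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                      # IPv4 protocol field
    if proto == PROTO_ESP:
        return "esp"
    if proto == PROTO_AH:
        return "ah"
    if proto == PROTO_UDP and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if PORT_IKE in (sport, dport):
            return "ike"
        if PORT_NAT_T in (sport, dport):
            payload = pkt[ihl + 8:]
            # RFC 3948: on UDP 4500 a 4-byte zero "non-ESP marker" means IKE; otherwise it is ESP-in-UDP.
            if payload[:4] == b"\x00\x00\x00\x00":
                return "nat-t"
            return "nat-t-esp"
    return "other"


def is_china_site(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in CHINA_SITE_PREFIXES)


def is_cross_border(pkt: bytes) -> bool:
    """True when exactly one endpoint lies inside a China site prefix."""
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    return is_china_site(src) != is_china_site(dst)


def assess(packets) -> Counter:
    """Count IPsec packets per (class, exposure); exposure is 'cross-border' or 'domestic'."""
    counts = Counter()
    for pkt in packets:
        kind = classify_ipsec(pkt)
        if kind == "other":
            continue
        exposure = "cross-border" if is_cross_border(pkt) else "domestic"
        counts[(kind, exposure)] += 1
    return counts


# --- helpers to build constructed sample packets (checksums left zero; not needed here) ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLE_PACKETS = [  # constructed
    # IKE from a China site to a foreign hub: cross-border, exposed to blocking
    build_ipv4("10.88.1.10", "198.51.100.5", PROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    # ESP between two China sites: domestic, not affected
    build_ipv4("10.88.1.10", "10.88.2.20", PROTO_ESP, b"\x00" * 16),
    # NAT-T carrying ESP from abroad into the China site
    build_ipv4("198.51.100.5", "10.88.1.10", PROTO_UDP,
               build_udp(4500, 4500, b"\x12\x34\x56\x78" + b"\x00" * 12)),
    # NAT-T carrying IKE (non-ESP marker) from the China site
    build_ipv4("10.88.1.10", "198.51.100.5", PROTO_UDP,
               build_udp(4500, 4500, b"\x00\x00\x00\x00" + b"\x00" * 28)),
    # Plain TCP traffic, not IPsec, ignored by the inventory
    build_ipv4("10.88.1.10", "203.0.113.9", 6, b"\x00" * 20),
]

if __name__ == "__main__":
    for (kind, exposure), n in sorted(assess(SAMPLE_PACKETS).items()):
        print(f"{kind:10s} {exposure:13s} {n}")
```

Feeding real captures (for example the IPv4 payloads extracted from a pcap at a site's Internet edge) into `assess` gives a first list of tunnels that depend on cross-border ESP, AH, IKE or NAT-T and therefore on the ports the text describes as being blocked; domestic-only IPsec shows up separately and can be left alone.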

The China Telecom SD-WAN platform

Figure: Technical sketch of the SD-WAN high-speed network: site connectivity between branches in China and international branches via CGW and optimized Internet.

Here, an existing local Internet connection is used to establish a connection via a pre-configured China Telecom SD-WAN box over China Telecom’s business-user backbone, which is located outside the Great Firewall of China and also offers far better performance. The traffic is routed via SD-WAN PoPs in Beijing, Shenzhen and Guangzhou to the low-latency CTG DCI-Net and then forwarded internationally via a gateway in Hong Kong; from there it can be handed over to the Internet in Frankfurt, for example. Savecall has designed such a solution together with China Telecom and has already put it into operation for many German companies. We offer connections from 10 Mbit, delivered ready for operation within approx. 14 days: a reliable solution that is far cheaper than an MPLS VPN. Get in touch with us; we will be happy to advise you free of charge and without obligation.
