What do you all do for China VPN?

cplatt

We have a warehouse with about 6 employees who would like access to our ERP system here in the US. Am I able to throw in some Z3's and have them Auto VPN? Will client VPN work correctly? Or do I have to go the route of using the meraki.cn dashboard and put an MX over there with site-to-site VPN? The Chinese laws on VPN and the Meraki docs aren't the clearest, so I am trying to see what others have done to do this.

BrandonS

I have a customer with a few users that travel to China a few times a year and use client VPN back to the US. They have stated that it works fine for them.

Ultimately though, I don't think you can guarantee much, and it is subject to vary from region to region even within China.

I'll be curious to hear if others have used Meraki Auto VPN from China and if it works ok.

- Ex community all-star (⌐⊙_⊙)

Yea my real hope is to give them at our China Warehouse some Z3's and it will work, but I am not totally certain. 

Adam

I think I remember an old thread where @PhilipDAth commented on this but I can't seem to find it for reference.  Maybe he'll chime in. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
PhilipDAth

Here is the official information for China:

https://documentation.meraki.com/zGeneral_Administration/Support/Information_for_Users_in_China

Note that if you ship some Z3's over to China they will no longer attach to the main Dashboard. They will only attach to the meraki.cn domain.

Basically you need to put in an MX hub in China in the meraki.cn Dashboard. The Z3's need to connect to that. Now you have two options.

The safest is to buy an MPLS circuit between China and your office (expensive!).

The second option is to build a non-Meraki VPN between the MX hub in China and your MX hub in your own country.

Hi,

I returned from China last month and needed connectivity the entire time I was OS.

I was always able to connect to the Client VPN back to MX64's in Australia without any issues. I used this on my iPad and iPhone to allow Facebook Messenger to work. I also took a Z3 over with me and tested two of the hotel Ethernet connections. Both times the Z3 was able to nail up a tunnel back to our MX100 in Australia but reported issues on the dashboard. Traffic over the tunnel worked without any issues.

I feel that if the local router at the site allows the appropriate traffic through then you won't have any troubles.

Regards,

Ben

Hi @PhilipDAth

Regarding your comment "The second option is build a non-meraki VPN between the MX hub in China and your MX hub in your own country." I am actually planning that approach and have some questions about it.

I know that non-Meraki VPN peers work and I am familiar with it. I am not sure if the peer would establish due to the "great firewall of China" and, if it does, what the quality would be between an MX in the China cloud (meraki.cn) and one MX on the global cloud.

Do you have any experience with it?

Would the non-Meraki VPN between the MX hub in China and the MX hub outside China (Hong Kong) establish?

What is the quality? Would it bounce constantly, packet loss?

Thanks!

PhilipDAth

I've done some AutoVPN builds with everything being hosted on the global Meraki Dashboard and generally, it works ok.

From time to time the VPN is unreliable - but I think it would be unreliable regardless.

AutoVPN is really just an orchestration technology - it creates the VPN configuration automatically. Once created, the VPN works like any other VPN.

If either the Internet is not stable at the location in China or China is limiting VPNs, then that is going to be the case no matter what.

Hey @PhilipDAth
Thanks for your reply.
Good to know the Auto VPN works.

I am more after the non-Meraki VPN peer situation as shown in the pic.

I guess if the Auto VPN works, the non-Meraki VPN peer should establish and work with relative quality.

Any experiences with non-Meraki VPN peer in this situation?

[image: Capture.PNG]

PhilipDAth

How are you going to make that setup work?  Using a tracked route on the MX over the MPLS?

Yes.
In essence, setting statics with the option "while host responds", the host being at the far end of the link.
Then the failover follows the default route priority. Statics come before the non-Meraki VPN peer, so if the route learnt statically is removed because the tracked host is not responding, then the routes injected by the non-Meraki VPN peer should kick in.
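A small model of the failover logic described in the post above, added here as an illustration (this is not Meraki's implementation; the ERP subnet, the tracked-host IP and the next-hop labels are constructed). It applies the two rules the post states: a static route stays in the table only while its tracked host responds, and an active static route is preferred over a route injected by a non-Meraki VPN peer, so the VPN route takes over the moment the tracker fails.

```python
"""Model of MPLS-primary / non-Meraki-VPN-backup failover driven by a tracked host.

Added illustration, not Meraki code. Route precedence follows the post:
static routes (active only "while host responds") before VPN-peer routes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                          # destination network, e.g. "10.20.0.0/16"
    via: str                             # next-hop label (constructed)
    source: str                          # "static" or "vpn_peer"
    tracked_host: Optional[str] = None   # static route is active only while this host responds


# Lower value wins when two active routes match the same prefix length.
PRECEDENCE = {"static": 0, "vpn_peer": 1}


def active_routes(routes, reachable):
    """Drop static routes whose tracked host is not currently responding.

    `reachable` is the set of host IPs the tracker currently considers up.
    """
    return [r for r in routes if r.tracked_host is None or r.tracked_host in reachable]


def select_route(routes, reachable, dst):
    """Longest-prefix match first, then source precedence (static beats VPN peer)."""
    dst_ip = ip_address(dst)
    candidates = [r for r in active_routes(routes, reachable)
                  if dst_ip in ip_network(r.prefix)]
    if not candidates:
        return None
    candidates.sort(key=lambda r: (-ip_network(r.prefix).prefixlen, PRECEDENCE[r.source]))
    return candidates[0]


# Constructed routing table: the US ERP subnet is reachable either over the MPLS
# circuit (static route tracking the far-end host) or via the non-Meraki VPN peer.
ERP_SUBNET = "10.20.0.0/16"
MPLS_FAR_END = "10.255.0.1"   # constructed IP of the tracked host at the far end of the MPLS link
ROUTES = [
    Route(ERP_SUBNET, "mpls-far-end", "static", tracked_host=MPLS_FAR_END),
    Route(ERP_SUBNET, "vpn-peer-hq", "vpn_peer"),
]


def path_for(dst, mpls_host_up):
    """Return the next-hop label chosen for dst, given whether the tracked host responds."""
    reachable = {MPLS_FAR_END} if mpls_host_up else set()
    r = select_route(ROUTES, reachable, dst)
    return r.via if r else None


if __name__ == "__main__":
    print(path_for("10.20.1.10", True))   # mpls-far-end  (tracker up: static wins)
    print(path_for("10.20.1.10", False))  # vpn-peer-hq   (tracker down: VPN route kicks in)
```

The `tracked_host` check is what the dashboard's "while host responds" option provides; the model keeps the tracker state as a plain set so the two states (host answering, host silent) can be exercised directly, and the longest-prefix step is included so a more specific VPN-peer route would still beat a broader static one, as it would in a real table.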
