China Auto VPN
Executive Summary
This document describes how to use Auto VPN when business is conducted in China. Because of regulatory constraints imposed by the Chinese government, a specific architecture is required to deploy the Auto VPN domain within China and interconnect it with the rest of the world.
Overview
Secure VPN technology provides the most cost-effective connectivity under most circumstances. Chinese regulations have placed restrictions affecting VPN technologies across international borders. For enterprises to achieve cross-border connections, there are two options:
- The enterprise can directly lease international dedicated lines from the 3 Chinese telecom carriers (China Telecom, China Mobile, China Unicom) in China.
- Additionally, the enterprise can directly delegate a foreign telecom carrier with a presence in China to rent the international dedicated line (including VPN) from the 3 Chinese telecom carriers, and connect the corporate private network and equipment.
Note: The above cross-border connection methods must be used only for internal data exchange and office use. (Current as of 3 February 2018, subject to further regulatory developments.)
All devices located within mainland China will connect to Meraki China servers also located within China.
Architecture
In the above diagram, we are utilizing Meraki Auto VPN to connect the enterprise sites inside of China. The diagram also shows the Chinese-approved dedicated circuits connecting the Chinese parts of the enterprise to the rest of the global enterprise. Dynamic routing such as BGP or OSPF can be utilized to exchange routing information between the domains.