Corporate VPN in China

We have a user who wants to spend some time in China. Are they likely to be able to connect to our corporate VPN while out there? It's L2TP/IPsec.

As far as I can tell it should be fine, but obviously I can't test it.

I honestly would tell the user to enjoy their leave of absence.

Make sure they have no proprietary information on their laptop.

Fun fact: Google developed the Chromebook so they could send employees into China without hard drives.

We have a Chinese office and an IPsec VPN to our main office in Belgium (for our ERP), it works but the legality is a question mark.

If you value your corporate data, don’t let them take any devices, or allow your user to VPN from there.

For the very small number of people my company sends to China on business, they issue them burner phones and laptops, with the full expectation that anything and everything on them will be seen by the Chinese government.

Honestly, your question makes it sound like your user wants to take a working vacation while traveling in China. If it were me, I’d tell them that they are not allowed to take company assets into China, and to enjoy their PTO.

S2S VPN tunnels are on but you need to fill in appropriate paperwork.

You also need to have a local person designated as the contact for encryption keys if they are ever requested, and they must hand these over when requested. (I've never actually had a request in 29 years, in either my current life or previous lives; then again, customers haven't been doing anything that raises flags...)

Remote user tunnels for users inside china should be via your office there.

They can try it and it will probably work at first, but the Chinese Great Firewall tends to slow down any encrypted traffic after a while, no matter where it goes. So don’t expect it to be very reliable.

What is your InfoSec team’s policy on this, as well as HR?

I had a team member who wanted to work from China while staying with their parents. It was a resounding “no” on all fronts.

A lot of good answers here. I have also looked into this for similar purposes, including engaging in-country resources. What I have been told:

  1. If you have an office in China, you can set up a legal p2p VPN traversing the firewall. However, as mentioned below, this is because in these configurations the Chinese government can easily MITM these connections.
  2. Public VPN services which traverse the firewall are not officially supported and may be viewed as illegal. If you are an organization of interest to China, it is highly inadvisable to be observed using them, as your employee could be arrested/harassed as a result. If it is an individual not of interest, then you likely won't have any problem.
  3. Private VPN services: you are hosting a VPN endpoint that utilizes a static IP outside of China, and you are not a banned company inside of China (Facebook, WaPo, etc.). It will likely work until or unless the traffic is observed. Once observed, it will be blocked by the firewall. If you continually rotate IPs and this is observed, your employee in China will likely be contacted, depending on the interest of the Chinese government.

So, specific to your circumstance of using a corporate VPN from within China to your static IP outside of China: unless your IP is already specifically blocked by the Great Firewall, your user will likely be able to establish a VPN connection; however, once this traffic is observed, it will likely be blocked.

All of the blocking, observed, arrested, etc. above is of course, subject to the competence of the Chinese government, so odds are they won’t notice you unless your employee or your organization were already on their radar before entering the country.
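The comments above about encrypted traffic slowing down after a while and tunnels being blocked once observed amount to a claim you can check on the gateway side: tunnels from an affected source keep coming up and dying within minutes, while users elsewhere hold a tunnel all day. The following is an added example, not code from the original thread or from any VPN vendor. It pairs tunnel up/down events per peer and flags peers whose median session lifetime is short. The log format is a constructed, simplified one (timestamp, event, peer address, SA id) and the regex is an assumption; adapt it to whatever your gateway actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical simplified format, not any real VPN
# daemon's output): "<ISO timestamp> <EVENT> peer=<ip> sa=<id>".
# 198.51.100.7 reconnects every few minutes; 203.0.113.20 holds one tunnel all day.
SAMPLE_LOG = """\
2024-03-04T08:00:00 ESTABLISHED peer=198.51.100.7 sa=11
2024-03-04T08:04:10 CLOSED peer=198.51.100.7 sa=11
2024-03-04T08:04:25 ESTABLISHED peer=198.51.100.7 sa=12
2024-03-04T08:07:40 CLOSED peer=198.51.100.7 sa=12
2024-03-04T08:07:58 ESTABLISHED peer=198.51.100.7 sa=13
2024-03-04T08:11:05 CLOSED peer=198.51.100.7 sa=13
2024-03-04T08:00:00 ESTABLISHED peer=203.0.113.20 sa=21
2024-03-04T16:30:00 CLOSED peer=203.0.113.20 sa=21
"""

# Assumed line layout; replace with a pattern matching your gateway's syslog.
LINE_RE = re.compile(r"^(\S+) (ESTABLISHED|CLOSED) peer=(\S+) sa=(\d+)$")


def parse_sessions(log_text):
    """Pair ESTABLISHED/CLOSED events per (peer, sa) into session durations in seconds.

    Lines that do not match, CLOSED events with no matching ESTABLISHED, and
    tunnels still open at the end of the log are ignored rather than counted.
    """
    open_sas = {}
    sessions = defaultdict(list)  # peer -> [duration_seconds, ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, event, peer, sa = m.groups()
        t = datetime.fromisoformat(ts)
        key = (peer, sa)
        if event == "ESTABLISHED":
            open_sas[key] = t
        elif key in open_sas:
            sessions[peer].append((t - open_sas.pop(key)).total_seconds())
    return sessions


def flag_unstable_peers(sessions, max_median_seconds=600, min_sessions=3):
    """Return peers whose tunnels repeatedly die within max_median_seconds.

    A median is used rather than a mean so one long-lived session does not
    hide a pattern of tunnels being torn down minutes after they come up.
    """
    flagged = {}
    for peer, durations in sessions.items():
        if len(durations) < min_sessions:
            continue
        s = sorted(durations)
        n = len(s)
        median = s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2
        if median <= max_median_seconds:
            flagged[peer] = {"sessions": n, "median_seconds": median}
    return flagged


if __name__ == "__main__":
    for peer, info in flag_unstable_peers(parse_sessions(SAMPLE_LOG)).items():
        print(f"{peer}: {info['sessions']} sessions, median {info['median_seconds']:.0f}s")
```

Run it against a day of real gateway logs and group the flagged peers by source country or ASN; if the short-lived tunnels cluster on the Chinese addresses while everyone else holds a session for hours, that is the throttling/blocking behaviour described above, rather than a client or gateway fault.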

Honestly, all of the comments recommending a sanitized Chromebook and burner phone are the right answers. Corporate devices need to stay out of China. I'd also recommend that they leave their personal devices at home as well and only bring burner electronics into China, to be trashed immediately upon return at the airport in the US. China will scan/image devices and deliver spyware without consent or your knowledge.

Are you high?

There is zero chance I would let any of my users travel into China with company equipment/data.

Recommend a full leave of absence. Do not allow any company devices to enter that place.

Our experience is that it is really slow as it traverses the Chinese firewall. We however have had really good luck using Astrill VPN with a USA static IP per user and then running the corp VPN over it. They somehow are able to dramatically speed everything up.

Used to support a client that would occasionally go out to China for business. We would give them a spare laptop and phone to take out there, and when they got back we would destroy it. Not worth the risk.

We have several offices in China, using SD-WAN and VPN. Before going with the main ISP (government owned maybe? at least hand in hand with them), we had a lot of issues (disconnections, services not reachable, etc.); once we changed, everything worked fine, no issues at all.

I don't want to say that if you go through an infra where they can easily MITM the traffic, you have no issues, of course. Not my style. But if you choose an alternative route, well, issues arise. Who knows why, maybe just bad infrastructure...

We have tried in China and have given up.

Our user there can't access any of our services via HTTP or HTTPS. VPN doesn't work. Splashtop doesn't work. Our RMM doesn't work.

Office 365 seems to work.

When I worked with a company that had to send users to China, we would give them special laptops that never connected to our network; they didn't have access to the VPN and no domain account at all, and when they came back we would wipe the laptop with a USB drive and also flash the BIOS.

Lived and worked an IT assignment in China. We did have a VPN that was blessed/known to the local government. Sometimes it would get blocked, and you definitely need someone local with government connections to call and remind the ISP of the agreement. If your company is not willing to make those local agreements, I would set expectations low.

You guys act like China is some sort of super hacker country that's going to steal your Pokémon.

SSL VPN works fine and is what I would recommend for highest compatibility; IPsec works fine also, most of the time. Legality is questionable, but some locations have paperwork to fill out. The country controls its internet for the average Joe; they're not expecting it to be inescapable.

I usually have a policy of no thumb drives or foreign cables.

Now, if you have an office in China, it's a whole other story. Prepare for everyone's mother to find a way to get on the network, because your employees are all about that. We found cryptominers shoved into ducts, everyone finding some way to use your internet, etc. You have to hand it to them, they are resourceful over there.

Our SSL VPN works the majority of the time from China.

It periodically disconnects but is usually fine. We are Canadian, though.