If this gets widespread enough, they'll just inspect traffic when it leaves your VPN gateway/server. VPN is fine for public wifi, or connections between predetermined networks but you can't stretch it much past that.
Or the VPN-s connect to each other if it gets widespread enough and you get Overnet, where only minority of your traffic needs to go outside. And when that gets regulated there will be OverOverNet etc.
Only insofar as it talks about 1) partially encrypted traffic, 2) using local copies of the keys for decryption, or 3) flow identification of IPSEC. Properly done I don't see an IPSEC/L2TP VPN being vulnerable to DPI - although you will want a constant stream of "filler" packets going back and forward to thwart traffic analysis.
Otherwise, the whole thing is a disgrace and the engineers responsible for working on it need to take a long look at themselves. Dressing it up with examples of "Detection of Malware" is disingenuous, it's abundantly clear what the use case is here.
a recent Chinese paper (its author is the creator of GFW) suggests that the GFW is capable of using SVM to filter SSH tunnel traffic, at the success rate of 95%, without affecting normal SA use.
