diff --git a/pages/account/how-to/assets/scaleway-auth-code.jpg b/pages/account/how-to/assets/scaleway-auth-code.jpg deleted file mode 100644 index e068d9f5fd..0000000000 Binary files a/pages/account/how-to/assets/scaleway-auth-code.jpg and /dev/null differ diff --git a/pages/account/how-to/assets/scaleway-auth-code.webp b/pages/account/how-to/assets/scaleway-auth-code.webp new file mode 100644 index 0000000000..544ceb2885 Binary files /dev/null and b/pages/account/how-to/assets/scaleway-auth-code.webp differ diff --git a/pages/account/how-to/log-in-to-the-console.mdx b/pages/account/how-to/log-in-to-the-console.mdx index 29bb2d9724..379478d129 100644 --- a/pages/account/how-to/log-in-to-the-console.mdx +++ b/pages/account/how-to/log-in-to-the-console.mdx @@ -9,7 +9,7 @@ dates: import LoginMember from '@macros/iam/login-member.mdx' import Requirements from '@macros/iam/requirements.mdx' -import image from './assets/scaleway-auth-code.jpg' +import image from './assets/scaleway-auth-code.webp' diff --git a/pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-both.webp b/pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-both.webp index 4ef3eaf75a..3aadddad87 100644 Binary files a/pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-both.webp and b/pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-both.webp differ diff --git a/pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-one-type.webp b/pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-one-type.webp index f0afd0bff8..a62f445375 100644 Binary files a/pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-one-type.webp and b/pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-one-type.webp differ 
diff --git a/pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-two-tunnels.webp b/pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-two-tunnels.webp deleted file mode 100644 index 2c743d6260..0000000000 Binary files a/pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-two-tunnels.webp and /dev/null differ diff --git a/pages/site-to-site-vpn/reference-content/statuses.mdx b/pages/site-to-site-vpn/reference-content/statuses.mdx index e001bf059d..2e63ed93c4 100644 --- a/pages/site-to-site-vpn/reference-content/statuses.mdx +++ b/pages/site-to-site-vpn/reference-content/statuses.mdx 
@@ -35,8 +35,8 @@ This section explains the different statuses possible for a connection, and how | **Status** | **Description** | |------------------------|-----------------------------------------| -| **Ready** | The connection has been created and is ready to connect. The tunnel(s) cannot be established because the customer gateway device is not yet successfully configured. | -| **Active** | The connection has been created, and all expected BGP session(s) between the two gateways are up. Traffic can flow through the connection's tunnel(s). | +| **Ready** | The connection has been created and is ready to connect. The tunnel cannot be established because the customer gateway device is not yet successfully configured. | +| **Active** | The connection has been created, and all expected BGP session(s) between the two gateways are up. Traffic can flow through the connection's tunnel. | | **Limited connectivity** | The connection has been created, but IP connectivity is limited. This may be the case if the connection has both an IPv4 and an IPv6 routing policy attached, but only one of the two associated BGP sessions is up.| | **Down** | The connection has been created, but no BGP sessions (neither IPv4 not IPv6) are up, and without route announcements no traffic can flow through the tunnel.| | **Locked** | The connection has been locked by the Trust and Safety team. You cannot carry out any actions on the connection. Open a support ticket. | \ No newline at end of file diff --git a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx index 93ade7fe24..b5aa80cad0 100644 --- a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx +++ b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx 
@@ -9,7 +9,6 @@ dates: --- import image1 from './assets/scaleway-s2svpn-conceptual.webp' -import image2 from './assets/scaleway-vpn-two-tunnels.webp' import image3 from './assets/scaleway-vpn-one-tunnel-both.webp' import image4 from './assets/scaleway-vpn-one-tunnel-one-type.webp' import image5 from './assets/scaleway-vpn-tunnel-detail.webp' @@ -30,7 +29,7 @@ Scaleway Site-to-Site VPN consists of: - A **VPN gateway**: the connection point on the Scaleway side - A **customer gateway**: the connection point on the remote side (representing a corresponding physical customer gateway device) - A **routing policy**: defines the traffic allowed to flow through the tunnel -- A **connection**: brings together the three above elements, and defines the configuration for the VPN tunnel(s) +- A **connection**: brings together the three above elements, and defines the configuration for the VPN tunnel You must create all of the above elements, and correctly configure your customer gateway device, for a functional Site-to-Site VPN. 
@@ -44,7 +43,7 @@ The VPN gateway provides a connection point on the Scaleway side of a Site-to-Si - **Name** and (optionally) **tags**: A name and tags to identify the gateway. - **Gateway type**: Different gateway types are available for different prices. Pricing is based on **bandwidth**, and the **maximum number of connections** the gateway can be used for. - **Private Network**: Each gateway must be attached to a single Scaleway Private Network. The network chosen cannot be modified after creation of the gateway. The gateway will get both an IPv4 and IPv6 address on the Private Network. Other Private Networks in the VPC will be able to learn the route through the VPN gateway. -- **Public IP address(es)**: The address(es) used to establish the VPN tunnel. Maximum of one IPv4 /32 and one IPv6 /128 address per gateway. Gateways with both types of IP will be able to support dual tunnels for a single connection, one IPv4 and one IPv6, providing increased redundancy. +- **Public IP address(es)**: The address(es) used to establish the VPN tunnel. Maximum of one IPv4 /32 and one IPv6 /128 address per gateway. VPN gateways with both types of IP will be able to support two connections to a single customer gateway, corresponding to one IPv4 tunnel and one IPv6 tunnel, providing increased redundancy. ### Customer gateway 
@@ -57,7 +56,8 @@ A customer gateway has the following properties, which you can customize when yo The rest of the properties **must** correspond to the real properties of the corresponding real customer gateway device: -- **Public IP address**: The address(es) used to establish the VPN tunnel. Maximum of one IPv4 and one IPv6 address per gateway. Gateways with both types of IP will be able to support dual tunnels for a single connection, one IPv4 and one IPv6, providing increased redundancy. +- **Public IP address**: The address(es) used to establish the VPN tunnel. Maximum of one IPv4 and one IPv6 address per gateway. Customer gateways with both types of IP will be able to support two connections to a single VPN gateway, corresponding to one IPv4 tunnel and one IPv6 tunnel, providing increased redundancy. + - **Autonomous System Number (ASN)**: The unique identifier assigned to the customer's network, used by BGP (Border Gateway Protocol) to exchange routing information with other networks. @@ -83,7 +83,7 @@ You can whitelist multiple **outgoing routes** and multiple **incoming routes** ### Connection -A connection represents the configuration of a secure link between a VPN gateway and a customer gateway. It defines all the characteristics of the Site-to-Site VPN tunnel(s), including routing policy and encryption method. +A connection represents the configuration of a secure link between a VPN gateway and a customer gateway. It defines all the characteristics of the Site-to-Site VPN tunnel, including routing policy and encryption method. A connection has the following properties, which you can customize when you create the policy: 
@@ -91,30 +91,25 @@ A connection has the following properties, which you can customize when you crea - **Name** and (optionally) **tags**: A name and tags to identify the policy. - **VPN gateway**: The VPN gateway to use for the connection. - **Customer gateway**: The customer gateway to use for the connection. It must have at least one public IP type in common with the VPN gateway (IPv4 and/or IPv6). - - Based on the gateways selected, the connection will establish either one or two VPN tunnels between them: - - IPv4 tunnel: If both gateways have a public IPv4 address - - IPv6 tunnel: If both gateways have a public IPv6 address - - IPv4 and IPv6 tunnels: If both gateways have a public IPv4 and a public IPv6 address. - +- **Tunnel details**: Based on the gateways selected, you may need to define how the connection should establish the VPN tunnel between them. + - If both gateways have public IPv4 and public IPv6 addresses, you must explicitly choose the IP type (IPv4 or IPv6) to be used for the tunnel. + - If the gateways share only one public IP type, that IP type will be used automatically for the tunnel. + - A maximum of two connections can be created between the same gateway pair: one with an IPv4 tunnel and one with an IPv6 tunnel. Creating two connections/tunnels per gateway pair increases redundancy. Once an IPv4 tunnel is created, only one additional IPv6 tunnel can be established, and vice versa. No further connections are permitted beyond this limit. + - **Routing policy(ies)**: For each traffic type (IPv4 and/or IPv6) to be routed over the connection, an associated routing policy must be attached (see [above](#routing-policy)). - IPv6 traffic can travel through a tunnel established between two public IPv4 addresses, and vice versa. You can still attach an IPv4 and an IPv6 routing policy to your VPN connection to allow routing of both types of traffic, even if it only has one VPN tunnel established between one type of public IP. -

- Having both types of public IP for both gateways types increases redundancy by providing two tunnels per connection, but it is not this in itself which determines the traffic types which can be routed. + IPv6 traffic can travel through a tunnel established between two public IPv4 addresses, and vice versa. You can still attach an IPv4 and an IPv6 routing policy to your VPN connection to allow routing of both types of traffic, even if it only has an IPv4 tunnel.

- The following diagram shows a connection with two tunnels, configured to route both types of IP traffic: - - The following diagram shows a connection with only one tunnel (established via the gateways' public IPv4 addresses), configured to route both types of IP traffic: - + The following diagram shows a connection with an IPv4 tunnel (i.e., established via the gateways' public IPv4 addresses), configured to route both types of IP traffic: + - The following diagram shows a connection with only one tunnel (established via the gateways' public IPv6 addresses), which has been configured to only route IPv4 traffic: - + The following diagram shows a connection with an IPv6 tunnel (i.e. established via the gateways' public IPv6 addresses), which has been configured to only route IPv4 traffic: +
-- **Connection initiation policy**: Which gateway should initiate the tunnel(s). This can be either the VPN gateway, or the customer gateway. The chosen gateway will be responsible for kicking off the secure exchange that sets up the IPsec tunnel(s). +- **Connection initiation policy**: Which gateway should initiate the tunnel. This can be either the VPN gateway, or the customer gateway. The chosen gateway will be responsible for kicking off the secure exchange that sets up the IPsec tunnel. - **Security proposal**: Defines the encryption and authentication methods used to secure the VPN tunnel. For full details on available security proposals, see our [dedicated documentation](/site-to-site-vpn/reference-content/security-proposals/). @@ -134,9 +129,9 @@ Scaleway cannot configure your device for you. In order to successfully complete You also need to set up route announcements and filters on the customer side. For this, you will need the following information: -- **BGP interconnection subnet(s)**: The private subnet used to provide private IP addresses for the VPN gateway and customer gateway over the tunnel(s). The gateways connect over this private subnet to establish a BGP session and exchange routing information. For connections that are configured to route both IPv4 and IPv6 traffic, one IPv4 and one IPv6 subnet will be provided. Subnet information can be accessed via the API. +- **BGP interconnection subnet(s)**: The private subnet used to provide private IP addresses for the VPN gateway and customer gateway over the tunnel. The gateways connect over this private subnet to establish a BGP session and exchange routing information. For connections that are configured to route both IPv4 and IPv6 traffic, one IPv4 and one IPv6 subnet will be provided. Subnet information can be accessed via the API. - + - **Routing policy**: Take into account the routing policy(ies) you attached to the connection, when configuring routing policy on the customer gateway device.
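Review bot: In pages/site-to-site-vpn/reference-content/statuses.mdx (hunk @@ -35,8 +35,8 @@), the unchanged **Down** row just below the two edited rows reads "neither IPv4 not IPv6". Since the table is being edited anyway, correct it to "neither IPv4 nor IPv6". The file also still ends with "\ No newline at end of file", so adding the trailing newline in the same change would keep later diffs of this table clean.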
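Review bot: In understanding-s2svpn.mdx (hunk @@ -9,7 +9,6 @@), removing the image2 import leaves the identifiers as image1, image3, image4 and image5. Please confirm that nothing in the page body still references image2, since an unresolved identifier in an .mdx file would fail at build time, and consider renumbering the remaining imports so the gap does not suggest a missing asset.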
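Review bot: In understanding-s2svpn.mdx (hunk @@ -57,7 +56,8 @@), the rewritten customer gateway bullet keeps the label **Public IP address** although its text says "The address(es)" and allows one IPv4 and one IPv6 address, while the matching VPN gateway bullet in hunk @@ -44,7 +43,7 @@ is labelled **Public IP address(es)**. Align the two labels. The hunk also adds an empty line between this bullet and the **Autonomous System Number (ASN)** bullet, unlike the consecutive bullets in the VPN gateway list; drop it unless the spacing is intentional.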
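Review bot: In understanding-s2svpn.mdx (hunk @@ -83,7 +83,7 @@), the context line after the edited paragraph says a connection's properties are customized "when you create the policy", and the **Name** bullet at the top of the next hunk says the name and tags "identify the policy". Both sentences describe a connection, not a routing policy, so changing "policy" to "connection" in the same change would remove the ambiguity in a section this patch is already rewording.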
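Review bot: In understanding-s2svpn.mdx (hunk @@ -91,30 +91,25 @@), the third **Tunnel details** sub-bullet states the two-connection limit three times: "A maximum of two connections can be created", "Once an IPv4 tunnel is created, only one additional IPv6 tunnel can be established, and vice versa", and "No further connections are permitted beyond this limit". Keeping the first sentence and the redundancy remark is enough. In the paragraph after the **Routing policy(ies)** bullet, the new ending "even if it only has an IPv4 tunnel" covers one direction although the preceding sentence says "and vice versa"; wording such as "even if its tunnel uses only one public IP type" would cover both cases. The two diagram captions also differ in punctuation, "(i.e., established" versus "(i.e. established", and should use one form.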