feat(site-to-site-vpn): private beta doc

pages/site-to-site-vpn/index.mdx

@@ -0,0 +1,64 @@
+---
+meta:
+  title: Site-to-Site VPN Documentation
+  description: Explore Scaleway Site-to-Site VPN. Connect your Scaleway VPC to your remote infrastructure, via an encrypted, private VPN tunnel.
+  noindex: true
+---
+
+<Message
+  type="note"
+  title="Site-to-Site VPN is in Private Beta"
+>
+  Site-to-Site VPN is currently in Private Beta, and available to selected testers only via the Scaleway API. [Request an invitation](https://www.scaleway.com/en/betas/#site-to-site-vpn).
+</Message>
+
+
+<ProductHeader 
+   productName="Site-to-Site VPN"
+   productLogo="sns"
+   description="Securely connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private tunnel."
+   url="/site-to-site-vpn/reference-content/understanding-s2svpn/"
+   label="Understanding Site-to-Site VPN"
+/>
+
+## Getting Started
+
+<Grid>
+    <SummaryCard
+        title="Understanding Site-to-Site VPN"
+        icon="rocket"
+        description="Learn how to start using Site-to-Site VPN"
+        label="View Doc"
+        url="/site-to-site-vpn/reference-content/understanding-s2svpn/"
+    />
+    <SummaryCard
+        title="Site-to-Site VPN statuses"
+        icon="info"
+        description="Understand VPN statuses."
+        label="View Doc"
+        url="/site-to-site-vpn/reference-content/statuses/"
+    />
+        <SummaryCard
+        title="Security proposals"
+        icon="info"
+        description="Encryption and authentication explained"
+        label="View Doc"
+        url="/site-to-site-vpn/reference-content/security-proposals/"
+    />
+</Grid>
+
+
+<ClickableBanner
+    productLogo="cli"
+    title="Site-to-Site VPN APIs"
+    description="Manage Site-to-Site VPN using the Scaleway API."
+    url="https://www.scaleway.com/en/developers/api/s2s-vpn/"
+    label="Go to Scaleway Site-to-Site VPN API"
+/>
+
+## Changelog
+
+<ChangelogList
+    productName="site-to-site-vpn"
+    numberOfChanges={3}
+/>

pages/site-to-site-vpn/reference-content/index.mdx

@@ -0,0 +1,10 @@
+---
+meta:
+  title: Site-to-Site VPN - Additional content
+  description: Site-to-Site VPN additional content
+  noindex: true
+content:
+  h1: Site-to-Site VPN - Additional content
+  paragraph: Site-to-Site VPN additional content
+  noindex: true
+---

pages/site-to-site-vpn/reference-content/security-proposals.mdx

@@ -0,0 +1,100 @@
+---
+meta:
+  title: Site-to-Site VPN security proposals
+  description: Find out what the different encryption and authentication ciphers available with Scaleway Site-to-Site VPN, and how to to choose the best algorithm for your use case.
+  noindex: true
+content:
+  h1: Site-to-Site VPN security proposals
+  paragraph: Find out what the different encryption and authentication ciphers available with Scaleway Site-to-Site VPN, and how to to choose the best algorithm for your use case.
+  noindex: true
+tags: vpn connection encryption authentication security cipher security-proposal
+categories: 
+  - site-to-site-vpn
+  - network
+dates:
+  validation: 2025-06-03
+  posted: 2025-06-03
+---
+
+<Message type="note">
+Site-to-Site VPN is currently in Private Beta, and available to selected testers only via the Scaleway API. [Request an invitation](https://www.scaleway.com/en/betas/#site-to-site-vpn).
+</Message>
+
+When creating a VPN [connection](/site-to-site-vpn/reference-content/understanding-s2svpn/#connection), you must define a **security proposal** (aka IPSec proposal). The security proposal defines the encryption and authentication methods used to secure the IPSec VPN tunnel.
+
+A security proposal is made up of several parts, each with definable algorithms or settings. You should define these bearing in mind the use case of your Site-to-Site VPN, balancing **security**, **performance** and **compatibility**.
+
+It is important to find the optimal trade-off between these elements: the strongest possible security may be overkill for your use-case, and slow down performance to unacceptable levels. Some algorithms are outdated and not optimal for modern VPNs, but may be the only compatible option for legacy VPNs.
+
+In this document, we explain the different elements of a security protocol, and describe the different algorithms and security options available with Scaleway Site-to-Site VPN, giving advice to help you choose the best options for your use-case.
+
+## Defining a security proposal
+
+There are two parts to a security proposal:
+
+- **IKEv2** (Internet Key Exchange): Establishes a secure connection between the VPN gateway and the customer gateway
+- **ESP** (Encapsulating Security Payload): Encrypts and authenticates the payload of the IP data packets traveling through the tunnel.
+
+When defining your Site-to-Site VPN security proposal, you must define the algorithms/ options to be used for IKEv2 and ESP as described below:
+
+| Protocol        | Element         | Description                                        | User must define?  |
+|-----------------|-----------------|----------------------------------------------------|----------------------------|
+| **IKEv2**       | **Encryption**  | Algorithm to encrypt IKE negotiation messages      | ✅ Yes                      |
+| **IKEv2**       | **Integrity**   | HMAC-based algorithm to verify IKE negotiation messages have not been tampered with. <br/><br/>Only set an HMAC integrity algorithm if **not** using an AEAD algorithm for IKEv2 encryption (see below). Otherwise, integrity is built in, and you do not need to set an IKEv2 integrity algorithm. | ❓ Depends                       |
+| **IKEv2**       | **Key Exchange Method** | DH group to define strength of key exchange | ✅ Yes                      |
+
+| Protocol        | Element         | Description                                        | User must define?  |
+|-----------------|-----------------|----------------------------------------------------|----------------------------|
+| **ESP**         | **Encryption**  | Algorithm to encrypt traffic's data payloads  | ✅ Yes                       |
+| **ESP**         | **Integrity**   | HMAC-based algorithm to verify data payloads have not been tampered with. <br/><br/> Only set an HMAC integrity algorithm if **not** using an AEAD algorithm for ESP encryption (see below). Otherwise, integrity is built in, and you do not need to set an ESP integrity algorithm. | ❓ Depends                         |
+| **ESP**         | **Key Exchange Method**   | DH group to define strength of key exchange         | ❌ No                         |
+
+## Encryption algorithms
+
+The following encryption algorithms are available. 
+
+| Algorithm               | AEAD / non-AEAD* | Key Size (bits)| Security Level | Notes                                         | Recommended?        |
+|-------------------------|------------------|----------------|----------------|-----------------------------------------------|---------------------|
+| `aes256gcm16` (AES-GCM) | AEAD             | 256            | ✅ Very Strong | Generally the best choice for IPSec ESP & IKE | ✅ Recommended      |
+| `aes192gcm16` (AES-GCM) | AEAD             | 192            | ✅ Strong      | Suitable for high-performance VPNs            | 👍 Acceptable       |
+| `aes128gcm16` (AES-GCM) | AEAD             | 128            | ✅ Strong      | Suitable for high-performance VPNs            | 👍 Acceptable       |
+| `aes256ccm16` (AES-CCM) | AEAD             | 256            | ✅ Strong      | Alternative to AES-GCM, but GCM is preferred  | 👍 Acceptable       |
+| `aes128ccm16` (AES-CCM) | AEAD             | 128            | ⚠️ Medium       | Alternative to AES-GCM, but GCM is preferred  | 👍 Acceptable       |
+| `chacha20poly1305`      | AEAD             | 256            | ✅ Strong      | Performance-sensitive (mobile, embedded), best choice for low-power devices | ✅ Recommended |
+| `aes256` (AES-CBC)      | non-AEAD         | 256            | ✅ Strong      | Suitable for legacy VPNs. Use only with HMAC (e.g. `sha256`)| ⚠️ Use with caution |
+| `aes192` (AES-CBC)      | non-AEAD         | 192            | ⚠️ Medium       | Rarely used, `aes256` is preferred.            | ⚠️ Use with caution |
+| `aes128` (AES-CBC)      | non-AEAD         | 128            | ⚠️ Medium       | Suitable for performance-sensitive VPNs, where constraints don't allow `aes256`                     | ⚠️ Use with caution |
+
+\* **A**uthenticated **E**ncryption with **A**ssociated **D**ata (**AEAD**) algorithms provide both encryption and authentication in a single step. They are more secure and efficient than non-AEAD algorithms, but are not supported by all legacy devices. We recommend that you always prefer AEAD algorithms (`aes256gcm16` or `chacha20poly1305`) for performance and security. Choosing an AEAD algorithm for IKEv2/ESP encryption means you do **not** need to define an algorithm for IKEv2/ESP integrity.
+
+## Integrity algorithms
+
+Integrity is based on **H**ash-based **M**essage **A**uthentication **C**ode (HMAC). The following algorithms are available:
+
+| Algorithm               | Output Size (bits)| Security Level   | Notes                                                   | Recommended?        |
+|-------------------------|--------------------|-----------------|---------------------------------------------------------|---------------------|
+| `sha512`                | 512                |  ✅ Very Strong | Suitable for high security environments. Use for long term security. | ✅ Recommended      |
+| `sha384`                | 384                |  ✅ Strong      | Balanced security/performance. Good alternative to `sha-512`.                        | ✅ Recommended      |
+| `sha256`                | 256                |  ✅ Strong      | Default for most VPNs. Recommended baseline.            | ✅ Recommended      |
+
+## Key exchange methods
+
+Key exchange is **D**iffie-**H**ellman-based. The following DH groups can be set to determine the strength and performance of the key exchange:
+
+| DH Group               | Bit Size  | Security Level  | Use Case                                                         | Recommended?     |
+|------------------------|-----------|-----------------|------------------------------------------------------------------|------------------|
+| `ecp521`               | 521       |  ✅ Very Strong | Suitable for high security environments. May be overkill (lowers performance). |👍 Acceptable     |
+| `ecp384`               | 384       |  ✅ Strong      | Both strong and fast. **Our top choice for modern VPNs.**        |✅ Recommended    |
+| `ecp256`               | 256       |  ✅ Strong      | Suitable for performance-sensitive VPNs.                                      |✅ Recommended    |
+| `curve25519` (X25519)  | 256       |  ✅ Very Strong | Both strong and fast. **Our top choice for performance**.        |✅ Recommended    |
+| `modp4096`             | 4096      |  ✅ Strong      | Strong but slow. May be suitable for legacy VPNs.                |👍 Acceptable     |
+| `modp3072`             | 3072      |  ✅ Medium-Strong | May be suitable for legacy VPNs.                               |👍 Acceptable     |
+| `modp2048`             | 2048      |  ⚠️ Minimum      | Use for older VPNs only if absolutely needed.                    |⚠️ Use with caution |
+
+## Standard recommendation
+
+For standard usage on modern equipment we recommend the following security proposal:
+
+| IKEv2 Encryption | IKEv2 Integrity | IKEv2 Key Exchange | ESP Encryption | ESP Integrity | ESP Key Exchange |
+|------------------|-----------------|--------------------|----------------|---------------|------------------|
+| `aes256gcm16`    | not required    | `curve25519`       | `aes256gcm16`  | not required  | not required     |

pages/site-to-site-vpn/reference-content/statuses.mdx

@@ -0,0 +1,50 @@
+---
+meta:
+  title: Understanding Site-to-Site VPN statuses
+  description: Find out what the different possible statuses of your Site-to-Site VPN gateways and connections mean, and how to take action based on these statuses when necessary.
+  noindex: true
+content:
+  h1: Understanding Site-to-Site VPN statuses
+  paragraph: Find out what the different possible statuses of your Site-to-Site VPN gateways and connections mean, and how to take action based on these statuses when necessary.
+  noindex: true
+tags: vpn gateway customer remote connection status
+categories: 
+  - site-to-site-vpn
+  - network
+dates:
+  validation: 2025-06-03
+  posted: 2025-06-03
+---
+
+<Message type="note">
+Site-to-Site VPN is currently in Private Beta, and available to selected testers only via the Scaleway API. [Request an invitation](https://www.scaleway.com/en/betas/#site-to-site-vpn).
+</Message>
+
+## VPN gateway statuses
+
+An VPN gateway always has a **status**, which can be retrieved via the API using the **Get a VPN gateway** call.
+
+This section explains the different statuses possible for a VPN gateway, and how to understand them.
+
+| **Status**             | **Description**                         | 
+|------------------------|-----------------------------------------|
+| **Provisioning**       | The **create** action has been triggered, and Scaleway is provisioning the gateway. This status should be momentary: if it persists, contact support. |
+| **Active**             | The VPN gateway has been created successfully, and is now operational. |
+| **Failed**             | Scaleway was unable to create the VPN gateway. Wait a few seconds and refresh to check the status does not change. If the problem persists, contact support. |
+| **Configuring**        | The gateway is configuring and is in a transient state. No user actions can be carried out. This status generally occurs while a new configuration is being applied, e.g. you have modified its settings. This status should be momentary: if it persists, contact support. |
+| **Locked**             | The gateway has been locked by the Trust and Safety team. You cannot carry out any actions on the gateway. Open a support ticket. |
+| **Deprovisioning**     |The **delete** action has been triggered, and Scaleway is deprovisioning the gateway. This status should be momentary: if it persists, contact support. |
+
+## Connection statuses
+
+A Site-to-Site VPN connection also always has a **status**, separate to that of the VPN gateway which can be retrieved via the API using the **Get a connection** call.
+
+This section explains the different statuses possible for a connection, and how to understand them.
+
+| **Status**             | **Description**                         | 
+|------------------------|-----------------------------------------|
+| **Ready**             | The connection has been created and is ready to connect. The tunnel(s) cannot be established because the customer gateway device is not yet successfully configured. |
+| **Active**             | The connection has been created, and all expected BGP session(s) between the two gateways are up. Traffic can flow through the connection's tunnel(s). |
+| **Limited connectivity**   | The connection has been created, but IP connectivity is limited. This may be the case if the connection has both an IPv4 and an IPv6 routing policy attached, but only one of the two associated BGP sessions is up.|
+| **Down**       | The connection has been created, but no BGP sessions (neither IPv4 not IPv6) are up, and without route announcements no traffic can flow through the tunnel.|
+| **Locked**             | The connection has been locked by the Trust and Safety team. You cannot carry out any actions on the connection. Open a support ticket. |