From 01f72a939fba1000baed9cebaa4e0d0796c77276 Mon Sep 17 00:00:00 2001 From: Rowena Date: Tue, 16 Dec 2025 18:10:46 +0100 Subject: [PATCH 01/13] feat(s2svpn): start how tos --- .../how-to/create-customer-gateway.mdx | 21 +++++++++++ .../how-to/create-vpn-connection.mdx | 21 +++++++++++ .../how-to/create-vpn-gateway.mdx | 37 +++++++++++++++++++ pages/site-to-site-vpn/how-to/index.mdx | 4 ++ 4 files changed, 83 insertions(+) create mode 100644 pages/site-to-site-vpn/how-to/create-customer-gateway.mdx create mode 100644 pages/site-to-site-vpn/how-to/create-vpn-connection.mdx create mode 100644 pages/site-to-site-vpn/how-to/create-vpn-gateway.mdx create mode 100644 pages/site-to-site-vpn/how-to/index.mdx diff --git a/pages/site-to-site-vpn/how-to/create-customer-gateway.mdx b/pages/site-to-site-vpn/how-to/create-customer-gateway.mdx new file mode 100644 index 0000000000..3867bd71e6 --- /dev/null +++ b/pages/site-to-site-vpn/how-to/create-customer-gateway.mdx @@ -0,0 +1,21 @@ +--- +title: How to create a VPN gateway +description: TODO +tags: s2svpn vpn gateway vpn-gateway remote-access +dates: + validation: 2025-12-31 + posted: 2025-12-31 +--- +import Requirements from '@macros/iam/requirements.mdx' + + +Intro + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization + +## How to TODO + +TODO \ No newline at end of file diff --git a/pages/site-to-site-vpn/how-to/create-vpn-connection.mdx b/pages/site-to-site-vpn/how-to/create-vpn-connection.mdx new file mode 100644 index 0000000000..3867bd71e6 --- /dev/null +++ b/pages/site-to-site-vpn/how-to/create-vpn-connection.mdx 
@@ -0,0 +1,21 @@ +--- +title: How to create a VPN gateway +description: TODO +tags: s2svpn vpn gateway vpn-gateway remote-access +dates: + validation: 2025-12-31 + posted: 2025-12-31 +--- +import Requirements from '@macros/iam/requirements.mdx' + + +Intro + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization + +## How to TODO + +TODO \ No newline at end of file diff --git a/pages/site-to-site-vpn/how-to/create-vpn-gateway.mdx b/pages/site-to-site-vpn/how-to/create-vpn-gateway.mdx new file mode 100644 index 0000000000..6ee38e7ea3 --- /dev/null +++ b/pages/site-to-site-vpn/how-to/create-vpn-gateway.mdx 
@@ -0,0 +1,37 @@ +--- +title: How to create a VPN gateway +description: TODO +tags: s2svpn vpn gateway vpn-gateway remote-access +dates: + validation: 2025-12-31 + posted: 2025-12-31 +--- +import Requirements from '@macros/iam/requirements.mdx' + +To create a Site-to-Site VPN, you must create several individual elements and then join them together: + +1. **Create a VPN gateway**, your Scaleway endpoint +2. **Create a customer gateway**, your remote endpoint +3. **Create a routing policy**, to control traffic flow +4. **Create a VPN connection**, to link all elements and enable the encrypted VPN tunnel + +This document explains how to create a **VPN gateway** with the Scaleway console, as the first step to creating a working Site-to-Site VPN. + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization + +## How to TODO + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. + +2. Click the **VPN gateways** tab, then **Create VPN gateway**. The creation wizard displays. + +3. **Choose a region** in which to create your VPN gateway. The resource will be created in this geographical location. VPN gateways must be in the same region as the resources (customer gateways, connections etc.) you want to use them with. + +4. **Choose a zone** (optional) if you want to pinpoint exactly where in the region your gateway should be created. + +5. **Choose a gateway type**, based on bandwidth and how many [connections](TODO) the gateway should be able to support. + +6. \ No newline at end of file diff --git a/pages/site-to-site-vpn/how-to/index.mdx b/pages/site-to-site-vpn/how-to/index.mdx new file mode 100644 index 0000000000..06f5046903 --- /dev/null +++ b/pages/site-to-site-vpn/how-to/index.mdx 
@@ -0,0 +1,4 @@ +--- +title: Site-to-Site VPN - How Tos +description: Site-to-Site VPN How Tos +--- From 4da0f8aa5a94cd3689f1e2b44ad50134798b909a Mon Sep 17 00:00:00 2001 From: Rowena Date: Fri, 19 Dec 2025 13:46:04 +0100 Subject: [PATCH 02/13] feat(s2s): add doc --- .../assets/scaleway-s2svpn-conceptual.webp | Bin 0 -> 59148 bytes .../how-to/create-customer-gateway.mdx | 21 --- .../how-to/create-manage-customer-gateway.mdx | 126 ++++++++++++++++++ .../how-to/create-manage-routing-policy.mdx | 66 +++++++++ .../how-to/create-manage-vpn-connection.mdx | 112 ++++++++++++++++ .../how-to/create-manage-vpn-gateway.mdx | 119 +++++++++++++++++ .../how-to/create-vpn-connection.mdx | 21 --- .../how-to/create-vpn-gateway.mdx | 37 ----- 8 files changed, 423 insertions(+), 79 deletions(-) create mode 100644 pages/site-to-site-vpn/how-to/assets/scaleway-s2svpn-conceptual.webp delete mode 100644 pages/site-to-site-vpn/how-to/create-customer-gateway.mdx create mode 100644 pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx create mode 100644 pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx create mode 100644 pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx create mode 100644 pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx delete mode 100644 pages/site-to-site-vpn/how-to/create-vpn-connection.mdx delete mode 100644 pages/site-to-site-vpn/how-to/create-vpn-gateway.mdx 
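Review bot: in pages/site-to-site-vpn/how-to/create-customer-gateway.mdx (PATCH 01/13), the front matter title reads "How to create a VPN gateway", but this page is for the customer gateway. Rename it to match the file, for example "How to create a customer gateway", and drop the `vpn-gateway` tag if it does not apply here. The `description: TODO`, the "Intro" line and the "## How to TODO" heading are still placeholders and should be filled or the page kept out of the build until they are.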
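Review bot: pages/site-to-site-vpn/how-to/create-vpn-connection.mdx (PATCH 01/13) has the same blob id as create-customer-gateway.mdx (index 0000000000..3867bd71e6), so it is an exact copy and carries the VPN gateway title and tags instead of connection-specific ones. Give it its own title and tags. The `validation` and `posted` dates are both 2025-12-31, which is later than the commit date of 16 Dec 2025; set them when the page is actually validated and published.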
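Review bot: in pages/site-to-site-vpn/how-to/create-vpn-gateway.mdx (PATCH 01/13), step 5 links to a placeholder target, `[connections](TODO)`, and step 6 is an empty list item, so the procedure stops before the gateway is actually created. Point the link at the real concept page and finish or remove step 6; the "## How to TODO" heading needs its real title as well. The `remote-access` tag is also worth reconsidering, since the page describes a site-to-site tunnel between two gateways rather than client remote access. The file ends without a trailing newline.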
diff --git a/pages/site-to-site-vpn/how-to/assets/scaleway-s2svpn-conceptual.webp b/pages/site-to-site-vpn/how-to/assets/scaleway-s2svpn-conceptual.webp new file mode 100644 index 0000000000000000000000000000000000000000..faf2f312a8ce286cd602c38a45e828f0921ed74e GIT binary patch literal 59148
z>azEIfH~gVmT6NrMfhXG(}FNr+%~^8IvW0A9t%inIw2t=_8s5aJx9(1mPId$Dwue) z*y6>qDDMZ#Wd}&)`#Q@6Jx5I)2feWpt3FK}J`m1}%uOxhY_IC`s5<~TU zluUubZemgn+U`e9phE@(7zWP)^3^GM^p$srKS!o*aPlI$)8Dk+>zx7KTSo4`D{|!P zM_v*aItHZA9KdB8!;r16ftbY$gnvoa3hmhm-5lBMm*zJjb#X($kx-nu8@zC6MKXt& z{QkL&Y8TT&^oZy^!XIG|1Zn#m859RG6fNOAUX_fljif(MM{Ij)GRG0W^HuF~#rIyl zJ|RJLyjif{!wRHwvOE5Axi8T!f;1^_QOVc zcDGb&h9GPy&l~+K9I2Y;LJuDgOpVu3AgzJ;W?W?Es=N`F_KT6(D_uMYvRL*OWG~0Z z<{YP&?1pz;ek(oSU?FB(4u}DHiFk2A_LxI72-8^*ZJQoGJ1{$C3U?Q_k4d+>8AEt- zO|>p2>e4@9eSmSp`H;xV40vsXK@;(!D)iLCQaN)srQHrkC}r>l2)`=elbEi6V?@YM zfkzkUH613B{(?r6Ni4>EUiqBjon9L@e-~~Mqgd|GLhLXTyvrj|_57yUrw~wm#P2;2 z2N|A8pPD~lxlO_T6nnzCHnD9DR3=yJy8{WAz$L*niplbCl0%TJxjnFUN|SthA{7Smry` zGjo2aFuinKbX+FPBk>f%=51Z&;86SlW|hP{@%H+|0qg(#w#@J=(&FGE67$x=ka%}O zcvbH$^JpAwM!iQk-P(t!;Uy0Gy~4K3r-B%zRy?;nb9e;!)9-pcV!<9%1s0#6#_!uQ zcR(g@H4W0)ec!n#zRh#X)lSB(Y{8`9#86bX6crex@h3q|nwUu~62nDzbuMn`N@vkR zZ6oBF1156NwLkQ^89v$`ETGigVQwX0M=0sYeR%~unG zG@vc%&u=&-Wp(0II>TC2dPm?~4Bm3662bTP`zFv;9?w#xfE#9(zcgaiV}E=?s)o@{ zh1wN^uAfk#UvwK;DIiDS`Fy6Maur%53ZyGhpN>9nOHCY(WaaX zg|VKl*2W<4-rRCXBhTUTB!C<9oc4?tk=SQj3u(~nKj~3v-%+>xs-2y=fIw8!!llYa zv-y#P*ZC+RbD?+<2fTdY`ledwoITSSOxnRMR=y29ABPKct6{-L1|4qu(nP8f(fC79ry)zzI;M|!ls;4zk#sldhq##E%dMa^n?=F zUP2JM|9E}}H({8aWq_er_CG_~?cHs{1?t*3hwy5vXvy2Fr2e^PQN0ivsPhayPmb;()mG+u*J8rZkq4oo~H9oNU4}#Uk`Un)UE;wG3Z(9yX96|Ge;Bw=zJUD zhdzIci`oNxa+nv>i!wwhrX5ul;FQcj*5xwpzs?H8B(puGBZ{n1y=w7V?-;Lm+z|$ z_yj?}XXir4y9G!0Tng4WAbP`Iz0VA(EE8w+dMR?c<@1wf^nT~_P&E>?$Fr<%(~=`? 
z6%h1HM6yXQcd-tUGJdWTZ@q=e!ze7g&;p9LQ6CF>=r&<61TR<>D;VSs8GpNuVc-fO zO9nOuCeXQ@Qe4)QJ-9~xerx!qLR~*0dR6guX6#Y#StO0i`Z~!@I}wUOzn~BSMJwnw zG%s4-BMT)6a-MNuC((ilyoTGif5%a$2L+m<{QM)vy{bjO z0|#TnmL8>lBH7Gi-Isl$`DN75UB7l>)y}Um!Z>IbSmgrdpargdV8g`sO!WGR@Ni# z2>XXS-@(3~XSF@N-}_%Y9nt&v1cGVnpC!qnbmVv_7=P{i!E%ZE_=*w*G%lT`p+Fe7 zHjMcuW9L`1m5j53TVG)=+2{{Lq4BK6@y9T(;3zi_wdAjfq+589bk%|iURh9c#RttK z8R16e^sTdMZ>);HvpC&=0IT!dy5xc_Ps%ZOOash3eWr%#{r%f^avx9LsiTI)LDIKu zt{Gxs8K@V+U`*IS5uq_V43)yOMKao-k*7vP3V@k^mQ6rvt4N>3)zgu52yFg}^vOpB z!x)YMh3ebi1}o@E#13)(P5RLrw;C?HaY!`5#guEu&p^iMe9|(Yui(^qk7DaX+v1(D86{TG`8VE5rlL! zIYHgwl-Vw)2)v*SeTud|_sm7Pz^Yl3Rc}C2&D=L^4XpKo7#KL3GOF2dgKE z-ag}6q-Vb!!E*%BPd5oU!;u^!qSJ)Y^VFnXi>0$-{2ub0?w-@4sh^_8)lw<*+LK@@ zZg0FJSAgpPqRB$N-nhf&udKCNRP$0VR4`t9ZWi0w?|Qs6g}*&!Z_8yzBD^o2*sEW@ zc^j@``(7~D*_Rg=NA0Sxf$09|8IF)5#A9(Lw`CYz{-K&I6TLNd%8Jr!KF}w?0*c1Qq99jrV`rSPHIJj2PrzXxB{9|G-L>p-=ty28)867 zfm0>(Vjj2;)nrxUV&&=`eey`or3jWr5BFMRoJ#9<*(b_M#Kz zS;Zi0-lqYnf_?lQc6Hs3LD5t|*8oXICpi4ruQb=QCCZNNruGXA&whV1ow!_Xtfn0! 
zWjjV9=K^EJIyk&~ZQM}^q+2@Uu-J4+zD%$8B4S9Qm52p=$f$_LFXWwWf_1Has-hG2 zCPw9f!J0d6aseORxU1_z=8#yk>^~P3On)v9z~8GeNxoJ#2iyk#&C^#VKF@A?or>ji z67(`HAd`+%(+U(!bjBtc<1fo~S|B>{x%x&!18wKMe8B%%LL9@VY06lu@ljwrapw1B zkN3jHKkKJ!0zG;g^muYiP zvHk#!Kq%@xkj7W$l6B4=t$cT)8@OTl%om%x+7jZMP(&-Q{(Psm?9x5&E2=7GOznQiQoj#F989*(tUN zTRmlK$VhCepi`^BD;mlH{jgCW4!o%Psg>OxZ!x*%pGxg&EQjVrzglCn*rJ2^s-ND5 ztKrH%2}tJsboFE{Y7y{XZ6F>`VA96}4S7n}Z`TPGkhfPy>V~XGt{fLp<>Ok8q#g8r z=*FBa*)1@sk}MRDY`M4j?}5Lw1(+C0(M-D8K-kC4*{?0v{bzDPD8i&xJEp6rc2+M& z%AAmNnCiHjHTn(rD8eSm-E&IXVTVw)ZYt5GWvCLlQ=S7Ikd9dJcuKU~>+br{sR)%rxjN zPwQcH;laSi-2T46=tC1SF(c0wkM$jTvb={qV95Vng=9u|4dkc=-Pk678G3=tA0}?X zz0MHw>x)&NwOWUS7o$bj99dVUKSGL_Dp1f)Jy8Ge-zqWGSxw1`1RF}7ZE&MbJAXOp zWor`7opFE>eDc@|g7A^Mv4g;Nkg8JJL+=SqX&eFt!Dw3h4NkKE7oQ1!M1GpTM*WTi zjsS>^>fc_se<6SFe)<9Mmp`UTI42CAn27K;sI6~1Oprl1i1ZE!e!uH)A-ZdmOT~GL zPWSTzZ1>q$Igbq#4*Ka@Z=_zWV^(iT)cA^SvtZeKqQW3rA~w?nE_X^EMyZB-hV*8@ z&+@>u1JSi7n}^9$-2=D7DllyvewvZF zj3O~leX8Gm*5^h1BhuU>AhNV<4#m1hiEL4Sh*o{g#x92Nc>xj9(FpM_`J2c70=K!K zA1IsC;{H1++}p+X=UoBQSQ>9HJ2i-3A04UNiMYGDZYP!f@L&G~d*d1NA3Hu%*MQ!- zc>X3T6yZ# z>IB{9Y|pV+&(F=_{^9?Kju1-=EpStSxIA)0gtSy@Iu?{FZU`>?Fnv}O(kz4#O)LwE z=6KaJLpJZeLBqUfX?3#2Dz5C8)yXi$9mp1UQZw|`^M2Rb3sr8FA-oN}GfnKf-_bW| zw`tEx)=ynP+{4WKcp|~&V6aT)CmdTgJ%kvtcSj2e2$R)s0}8s7HVd3rj$2b00EK_8 zl=(F`+xbwx@*&+m8`x-zH4Lz$(Ju4Ogq2KTegy4RPwH*XK1s0aIn6Xg8o*$f8zl5J zcan%p(D~FRVM`a?Ed)4~Id>{_0L?~hVrv~1hQ!OHI1bZDU4NHT1n9em8~=(YLFJqB z5<8s0ih-2@?hx1;EtLwc^?=*)0^~gvY8StqE-`>>k^K@;O_?rL5BU4gq2&~JII>UY z5h3$%5GPFnG!-ee)rSG!yN{+ph0N&-Cyfn>ag}jU>!vl#*<`U4!dY&gvtgaHlLNDd z1yuga=ge5u@z;9S0Ow0Q@?w!PQ=Xz=PsJ56e!RyxtzSL~UYhiu-r!3G$>Xd;h^i}z zmS+WEYsS@-@Y%yER!#LY35gZCxTzd}?yAyTaU9_~)6H5bn6HqX;DhOPLF)=3shdAF zYD~9xf*3Su%vVVuD+V>A2EJr<>4==ue64=yf~OiCmG8wEKNP;0bQ20 z=7;hUJ>z5PBzYln6u557E>}BOBv}Zw9*0K+kim2$g6<$K!MlqyIhIobLZc4Rrq#Iq z>C0{82`wO*TwJtT<^M(`MQl5dwG$nBBTE6ZlR>_I<0+2-v(zCwiWYN%h+tuWO%n1N zx%mq(G1Wx2VQiQC zRc5_>ig@( ztB6IERqlGs(h#`D79ssIVw6k|;vfy1rCq_3s7?###MA9MuzcD1){tPZoGomL_C(WT 
zEnitG9+73h3YBiKHTVz50O!uA-SPsYUdWZ%KBlfBA@)+u$AumWIuMqPoRgILfwV%P zvcM8~o11y=@hIckjXs0;y$%g3#WIlndP~Nq2F4tZmm*DF#~g+YfWDChh3s_w1({-Y zku;tpuhHZ+Kz=MhBIUdKDtdBOP0PT(Aq3RSBqxP_dIM)2+eP**~)jyXm5QXp; z@9b|~b$`*K;H(x>4~uDhMfwe8NlgYBJJ}>SW;*)RRC+o1KS47mvbJ&4XSY1YZo#(7 z!j^D_+`2?7AC!D6$Ms?sh%7wFtU@=1eu_gpyzxbHJ!t}eD;NZHY`rm9t_ zEDLJZa!O#@*ua2*isY&BKeOf8u-$$SwP+RrL>=e<)9W;H4!F(7vIlEzW!8wdGWChm zL%M+69OZ)vCB5T;t~^2P*5BsKJ128MtdBVz2<|SBde~?F3H&PSzOy{37MFbxn`5Cq zQExu)8HDPqY7g@6mH`E~g(v?j|7v5+>1_@HG#Y#(>q76D7KWA6Hp)zR%gYrmFVe{e zz>1*6Ff)tR_w29Pnw06`$&YOTS4Yp%a#1N%i@4^B{cU7`a?G35qi9}9^AZp{b6P9A zS0_wU6d>FJf!gdjYduVBN2me6C+Yb)bor-e321dSw&xUP#G?_EyRRo^wcw)7Fo!j0 zZK_uAAf*%OO9%PR@{hq@T<7MTp9k$&(V@IjI-Yv^5uL!-^wNVas$)W(I-Kj3UOp>9 z-rDfgZbix3Te~6R*1{x(QCO+2T?Vc7X@SXtT5iC^_ zVadtx980|rS<4JAAq64K0V^02l{27k@uI;0t^ix=bnaV>Ag4xuOLswLeTK z4O>hyr(x{RUnwi-g0b%hQJAX8It<5MSL9KBs7fkDXnIld876eJI<|D1fqgQRlA1dZ zQtEgVoYeQ%{#ImIoUZ(M{~1$2akU36 zaL-m5a5L-AoIr=;3paTW#8-y5mg;D)qg45olb7Q!Xz?oxaz-|O-++&`Al;=7IOdlI zG5)-8T(1vuHps#P8e}~~ZGN~wI_piVUI_h1A6eYxMdmvD19*6jTLoNAQ#+Iv3b>gU zg#Uaingyk+37IZ8rH(Zt5qdYHxB0OoHCt>p9t1-dd)uSh<)5gPMkna!k%y`a9R2d2O1(zzh;M8&dFAIS=BD+Wr`OT=z}t?UCK@Pv6i za?VR}s#)z+2Cl${DrfnD>(G5nyPRQYP(0i*uhv$h)D1mwfh@(M1_mB(T}cEIs1y1z z@6-@M4>taJ>-y+!|Jl(8r%e7(H_3HULdod|ss8cuLW3<(ufSkyJZbx%!G@7cxvGR7 zn?^cs^W0N`f?RK3m?=sDXNSrxa5!-Wdrz9-m@wE0g zu(LOqky)F$JO%Jqw~u0)P0)OKGt!hoQpKRN+EEa6(Xv1ACQ`ja$qIEV22N7{=-K5D ztX*Dbrkc*@sktLJo!+%x_apl4ysMc^yJQw!{lSk^1NfrAGGD2CB7e1olU}fki=a&~ zCHzALG1NPB7l-?uJVn_*22@NEE>7%R^k}gl+^-cBK^oGt+C=DWZg(`;U2DE1h!2M7 z9LXEGwA~H79+vKIlLGFss4xZ|!Ox;p1+w`eHCLYJ zaOememi)eOp+-a5F{xjXV<#aU#!ed;3ftrwyH7w>|G0+K&(|&U6#x$_)aw$=TEqFH z-d65Gb{EAYm(5(dBcFC6(gm<<181oBA0OHfxaMRx6eSb8HorClEL1D&8PgFO_4?Oc zqKNtYKWwr#3G_Cw<^O3TRV_2zQ}hxWsZ6-dIWso9m=Z45fSw+Dg$rAgQGd(>$9?2G zXlF<74(bwqL?{5e9E131enWr`9NGnwcu)f#=H)rR(zl{iux3<5_d3|)ab7^!$vD)_ z|40^|*cA4d;2JFL6Bt(NNxUl^3+x^^zU&r&{a1WeZ`bpwnv`cKD@o!BnecuVArSbU zh@qt{3?yfr*UMSQ5x~dv7awK`M^-W*2WLs~eyNA31>a)ZrL@1SsVDLQUf6`FU+r;F 
z*w~Nbo0#*yl^oyS6y8ak#fmB(1S1)&wcGe1_C z5~>SWB;$X|6@b}7^~*b|)qvHWdCG3hG&gCewH2QZCT3dH37`7NY-=SeB61+WDI?DB zS{iy!_(;{EjfH2WZ54n~&+c@%`spw2q|MzR_(;>x=GjWZ2AUv}6!YQ>*^*OK^Qe(> z*wJ8dAb1-k$P_x!NNp)w&~q%t%9e5Azpm^GXe~tU`k`^^68wSGTbH2<3J$^}3KNc| zARNStPq9#Ltp*B3v3Zwwhj4k*&=ix1VHR;@wa|-{nux`+RQtT57xN0o7^f$XbyPqQ zWnRH@s=?1RZYd|>kq{y zb}>}^A)&F=1?k1mO4!nyxD(Eyq!HhG2m#v&=+%@iB`cC$m%JecyzMHn>>(_E>XzNT zfk(3s*83uq%Z*7=96VKfd=1NI2(`Cj!3C(VpkH8!v+~dMPm!x$^s2&CYE1D^=038> z;Fj>@#f(%E_wF)5gK-#pD+K z7PP8GVTZFt&H7e1G>MyU5jRdmGZs9Rpp1pVTVf#o{S1>bP!j|M+nU7laaG-0Aik(S z_*V5V^|7~6<=y7IH828h`gyJSBVdLI%hEmm^rvqYbdob1WELpjRqE+s;qjAar;BUA zk1l!hAx5?Rd7*w`_|e~z#fk+O+tQyf1YPj+Jg1^c{lu?$RAcId76#B%Scd!j z)DcDhf8#X+B(1mrozO|p!@@-55isLidIMNA-jMwf=1qA9IpSrgPs6BHPsi5|@<2xQ z3Ncvqy&zi3%xToO^F3 zCIYbrBwL$T&5)fWYSptFAC2P3!rO>og>=KDxT3P)^8qNz*aI6EhgnneJof(Wh!0Pu zZVvZ!`*XdtVtDDe05@-rYH5iV6HXaChXfNMxL!?vVX_?jVCrXMV!f36-bpbG>4i?s zhC&dTb9+L{Wh~G0Sfra79TgL*=)uVPQiu{(zvQ2TXZ_$n5_t2h(64=J1W^Up`Y!@^ ziB57o;b4U$?uWeo!)pf}DhI4cWEld`=YC@oU)>@)BAWjTVk#*cyMkEk1{AoGiRM+k zWDWW1zt=-FrurS53n#46CIXhPo~ZTni^6fHO;`c=Ix20|dLVB~vtrqv`A%QH(amo- z^B%J4X!Dr!dun-X=~K_;Aihi?H?lfQ(%DBJM23;9(mQ$+;OQW6&E7>a2=sP%ZNTEo@0>U_}Cm|fw#&UaGzZywZ!jN<0?@%Wxr9Z!hX-bM(s-DLS{?# zn@&*jS~HeEb=?9yZn-jKak4*X4`|29Kl>tOUez_nBYKqb(+$7R4mtg5nf>5O&*MuY z>4mCrx2ivQrj-e>!ln;wWC2!IAy2Z`2d#n}dwb?+&1I5=X*_{ZK3KMT(B zF26y^YR!l`+Y>pa7Bfekjc+k7eg0n;TN=zOVsG%Hq6Hv;KtJ23{!Yng%_x?}@m&zY z#uv~=?-E&!1(;CDee6z~`lA$l>N%b54f9?+ngxYN{K`gAt^#_e|8vEI7N05s$@EUX zbXa9}T=!OcQjG;s_5XNS=(GR;HuVt7pqp)1L_cx;c_@?}TGy>%08r2W3tK$;JNcH3 zyR}xrZS^lj18^f2Bt>Ok4!I#vm zlDvBBoBj;@<^SM+Qm_JD*LFS}2w0rD+y@YKYOFr`Q%;YEONP5e9k!oH?Jzap>Y0pAguWqJZ>X1?f#eP@04UkRl~C=@1|}JNWp#&-ATF;68-ooV9wY=y<>TbF3cSOm zM*gs4Dl#YFHu~O$l+>xCCI8&N<1|~DFyMX8wXO3>z2fO<#FAxB z0CJw_T7R|b9-GaovEhrEqZ4``@$F5zQy*Q@2)+%SM4Q9TRc7_nSNBhOZDZw zuRB>s&4mjK8IxjpPq~{!?NNKpkCPj`)q4BwO>K@4m3_(>-umleEk|Q@TnPPFK5oV& zj$;!cz}e61PW*wy3FEnY)oC7DxxK+-tS;g~>unP=WR7~bPO3e2LR$>KAr<(%8;{1a 
zhR0%r(?&`!jln|RWK723Xl~kh(rk(iGN)D!COGSZSB|(LPc!w19_sPUJv(|VnXc2j z8<3IeT-JHEBx#|cwr+uN4vsy0A(Xqja!Dv3F{u}@HW5@fSb9Ak=RRRAvX5a1DH#OV z5sUD61dHw{=H+%;xp&eZ;@m6eJD&|wN!62lVhl2vixN(gTc-$dFn~le_EXO4UGp9v z#J984TWzwXu65l?ttfYPESue7>hif+AB4Z8*wD1n-UY*{;b zMY`sf``TH<^@>Jv@u5<8e4VXopVid|WYMKCZq15u@{{r4&oY8LNWUU2Z%&$_%O^QV zC+cSHgNruh93NXuH|vZSM`))@1ZC|BZ5bNXM)Cc$_ zfbwzBHXbR)cT4*KiQU#6->~?QE}m_i@loSFw{O*D_v#uh`N_Hp*<`8y$i)V^Xr34! zyVVyZb9+%ncT!&rew4Z+A^GlBWPkI+Vfuw1qoI@i-#Dd>a(Xok_wH3)t~C|@A&i>g zDw(JYb>S}f`OynimHb)X{m!{o_f*8aNzUrFDL$!Kf<2p?+%IV4Hcu-ryNAO?9+Vdz zSYQncs znzneX=T`gOQs^EtlL?!aOGLql4?Z3_@NeTbsy!^VpXrHxCj#*?Gdilz;DBH2F05S| z(y|_#EDQZ0b=Qiv8@$k9pW$Gz5+fE0Ud(fyu|<4QaDBWt8AYW~y+kl>vIcQSR|qz$ zjp>Xr*c%ynxBeK;NQ$1jVfyBneih6(gx<^*c>kotUhVEkI_m3L(<8ev z6OXnOw2fO4x{u3qD!3*i!eMOEeb^arV`(<=^JN@|F zL5Cy>LC>j^KCei^^*<0#ru1ZE)8==1!nMjXdHlx7=nY%u{x+kglW3vcLLM z#n?tuAI2SN!AqBiQB?U}?mZ*6b;KT6pvoVx=c-nMIij1gmf(!{(I!${ZBH1b$CYX; zT9uo=kwvn9kiuQ|PS2v0@im_GCm(YAgHc9+W#3SzJMXp2ms)?FGN9TyKmaemA&?4M zX%~!U1ZNZM^uY*|zZj+x$(q2rI2qbiC6}Kk zD*Z;At6A7 zYraBr#Er~Xty#haUZZgn*tJq9WkKN|Eez(ZOURNFd>I>KGz}Q$oi^LF$_8vy#I}8W zXFYE|Q^e6X_J0$NfHyg@){}XUz^DBSQF!|WZtk7^-k84W=?i$!vKW|eGYBkOqn)tnHhEW3wzQNyIo_AC8OEn-oSLG%=(yRoaNb7T z-XTty^NC?+K4}L@n(_{q;-4!x*6p*D*i$}17d4F=pyGzoO#Ap97+GzI<0pZ`&#lFK z=7&0`s+b5YaSqdfkvxvWpfPIFN>AgA{YayFakf3(=q_(%s+0CFUgOpdST^ypy2W<% zht1Mh4?JAZuyV6cLvhOq(ZD4i9rC@PG-%PG)D2zshbp zL@jvs!YXNck9_5-qPexgo{?W-%Zztpq{P!B#NO2zeg@Gq)pbo%J7$snf*kd@W2t&DvZ zuNz{R855DPS;++SVukfmqRAf4?M^h4VP`-V zsm6Q*;7CWJ2Z56@TGl{Lbz=TuhH~Ur0e2^=@sNF%;2Th0B@*L2$LL?a%K)x}6f!DN zT@xAo!2)rL@({v*`6LO=QO)^;W2T#{H=#dL<)}(!Pz3;&utEB8J3W>S5&>=aBr$)} zh-ufWH*`O_(8Z<5i)%#6D-%PwKdYgJijz;#yLo;SorJc;oNUWney{`}{s8Ls1*-!~ z_#0;TzbG)IRQLv<8L`>A(pLevQm!8s1!!}3vw$I6==C2a*7De=lUU-4+L))kcTWrB zVc_-zFz~$9qo2EKk=sYs0DkZUi(owc{Q^Bp9TsaL)ZQ2X^@z9;t(UhuuvY{2({Z$3 zmaG<;;x8*tSn~i@XYy?#=dBA4qVF?`QY<0-y92Zp784lm#EsLsY@5;WGvF+jgK^j0 zDhf#9!kh!l!M|SOfa67(oeTaW0JprTdK8MK6aKNl+Adzu3eVoxPh94+lW8oNS-&yq 
zwDuLqO7;XCVQd3-6)rV%i~7U9g&zvFLc*jC-J{rQ%8RE`P9J*qaX+dL zt$3JO?UwDNbGq1PH58`ogk@C9puJ_tPqqjyP?Ucf4|D^N9ff$czP!i3sz$Iih~j*` zD7^x}9YNJGh|fwZ2HXV;?EmVgBN^Zri~F2c zMU7lNos0XKTp>j{=ezAC=P(yH12EYmseQgpm$0B&Kocc%jwew+n8~QhuzF`m%r*^saaJYa_F+O%8lZ8;jm)P)m;Mm>-2E_=2#oCCk2fpDgK#jX1LY=&yM)JFV1COJu?7Vp60O zHR1lTwszx`BKGcdk$dO~PScRfQN?KLN9wnPn8~pc`FkXyEpL8$Vd%i7Yhaa#mIMCh z*m!5eB(8!<ou8GgC9p__gYEF=hd~AUr1Q{lBkUn=~oY8ss%bIPs`g^+qr)xkyri#_HskOj~s;}MDQv~AQ;U|P3i@~rDr8S0zIP@QDoEXIjH^{ey~46wiQqtbB`5#vntSP1?x;3RmJd$Pl!FKBxQz0Lk z2cLA|^KsHV8)*UN*irQb+ibk9DrQF;0t=*z&c_@VZ)klw=y`MJoInFSlIpkr1Fw(* zs`xw{0tQN~t&^_9@0(hz-aIa#lJQT-R>2gfR~Xy@5VrvB*M;ngx2umiKAEc?DsDv4 zqE$l<71t9y>nI*mCxB)&FX+v(Sc;x$q>Nq!T<1;+V@#%LZ~eQ^g;a23Ftlb8Hra9>Ssn`gJN3K#3I!=WpYUT0bY+6$vJueEq>a_H&?$RDh3BwqVr8;6b+{AW z2WgB4Nh6jq{etqr*u`3DTlVNQtNT;qwN+H>Sbf^2IK1evKPCo9`Mp3FmuwM;ulPd( zMJV_bbz#!FWK`6WfD4Qd=aiici}p7ROnW4-RAKz{K@Ti$(x|6__v2 zY%yS=*D9Eu^q{z(nZOX9*d>#CDFob>6NkogFMzGj!vJwbuOpCPtKlx+&h;+^ud-)F zm#37x050738uxqr@6*iB2w$*7U*9OVz+dH;g@C1^*}KEoK)eup*Uz`dnHFAW)zxrJ zN`EUNwBK7>Snk_$pSRwQ+0(IUOaYX@#L1(5?yVf6qMB|#%MpSh+6^3w%+wD~ET6Qy znG-rm;BM{y2ATU-B%ntx$l4E{s<7(9@_i38Mc3l=za*5KeEEoGAWBI@F41WT?MNv# zFrR{z8gx(Z@(gi4@!&nRZssUu9_ws!^E5p+^S0y3AB8&Pm7cOw=H3>(3s=EtCW)K! 
zD71j$0TA%&>#`H;q3(|Wm8x2A)T=P|SIRUXw)_jiKyPmRqH2hD8ioFlUvHK-MX7g1 z^ho2#(q8PI7at$rRUcs-*lAod5&IrYblItHH1o>A&?6Rw?lTzg7fN z()%BcLInfQ^&f3c3+?zjK^V2xA7d%z$-W82jJVi2Gv*@t5W!7&zbnHwmn?A#r21F%Od|dM3G+8uOJ8k}vPpKE~ ztY!H^J&gTATe{5}zxrto3>D(Q+*r7Q%@h1DKs1{N@h^EpApS5AbQ<{$Iqg1pl=D=x zIb0YEN&g*a_;85W^Jf`^#lK*x2L#?Ch6xs*%VCI>gMS3cHgGSVVsH6q%rT%2|4217 zK&bA80$}pLWE0RGfDKmCp-)XE2_u!)E@UC&ySj_ofYn8z?>9J{`*XyF9s#yws37k) z#ziCB3w~?;AFb+DW4X&rzakE=I^?92W`aQSKc$@Rw9lmu9GwaRm7M(sb^|)n6cu+) zi|KXm_X(KmU3n%w2P-dI553SR!DmC8;(|@XA~jB{Pe|q24Yy=+k}Ya~IDXH;p95Io zo{m7$y!Q!Jxe%QWqu1H(rMeL_jU8yLtf$U{G)#v=R=%&!jUQ)bFn(x^I3S za++~r92_g7&lb`N717U}v(?!Q`jXq$7r4FD@*Z=r6<}5g-m5o(VBkkLcF)_A0o{mY zlcVA=fMcluxgDq(P;Bn5cS>)2Sv3WnH6*~>t~ctbah84AuDxxcgb8SU)_nxLs5?O8 z;~P)>@AQs;tIXVI24pJwzC*5BXyeKGchOB2mqVrPIMD*k&kJ5Sc2@gm4aY8L*ny92 zDKPvQf4g9#Iz?6ADc6|O9ka0a{#nNQu4G> zia>ml(NDAP8+Otr9`RF$P;IH*>5XqWjuMyywVB4mz#`VXl%0)*Iv2G3eC;bwnfk1O80g%%@wPUGNs#^(eB#kdROvF{mFtV zrr~tBo35q@=1(HsjQ4aRee7-A?2R-V9Z&mh&&Tf6(v0n~Y^5#YV*J(fQh{aoZHEtG zvaIWb5Bo=9s;o~z6Lj4nWeg>49VIL(I&)9+P$z<#=Mepahq;`WpKwGW)lnt0eBsD$ zk|I=u>|{1gNjsb7M`OB)n`&r5fdTQVqFED~5=`&bQ~OG)RlW9?=C?UGZRcSqeFlot0klZ_L5$BK%MjVv6ry*(Xypt92VZs5&y-lI#(L{5%Hi zPj2$B5i*EgI!u-2*yd&_{M> ze4|mG1&l!J0KS4e6(2kKPO?erbBc$coNTFy2yFw7o{a8+1f^TlgqH^g1SmC`U)A#w zke)i_&}tpn(oD!y7fEY;a(JRMS6hUBfL5{4JokVVNmm!m0)KosC46TkbM8d}zA(Rn zHa6Y!0FFapS3<^qdU+hl;Ae;{J$J-9c0mX0ulE$H*c1>e#1v17DOd#LJ#Mj=NU&S* zOdH#9; z&Sz3&gmA6Dw=s0SZdq-pOWLA4q*L}pM@CRyXy~M)0yUI}>UMu{;3gQhwl(k;l@M)` z<6=WIvHfJ@o5$Qu-jZCHF6J9&-l^VInu%Iy!F9gu%5ehOK@9rS_IggE>D?YTWviE6 z<~@E!yA~fVb2K3HRr8IPJ(OGS@0zUc1F&nxx=IX)JGX&uq-BN>zxNaMh$Iuc=32Tc`{b)#k638u>Ga z13lN^rhkPpN}#vqEN(n7GD0da7)+lachKuzB>k(j?G8@KTuqU5O;JFTqmIm_k`?|$ zE}Drr-ja6PlR>IFw5qZ4M7x%6W9P4RT7TVFQVMN7;U{HpEK0#B%IY|ctY`8)SE$~F zABz%G%(e2A>MF+uOx!Bf?I3pzsWk`zu5|?a+fMRtmf`o7fNRT7vEEUOEP`egz0J5m z$`J;2kp19$5@(niPEt1}&i?4^G+12Q>1`m=CF1!dosqiKN(IgHP-Ie1jmk(RiZTkB zTLe5ZZDP*IrUXO$S?Wp@@+hiCg&l4s0NghQPFgFg$HK_=+&2yKI^AY<3i|JDL#iJX 
diff --git a/pages/site-to-site-vpn/how-to/create-customer-gateway.mdx b/pages/site-to-site-vpn/how-to/create-customer-gateway.mdx deleted file mode 100644 index 3867bd71e6..0000000000 --- a/pages/site-to-site-vpn/how-to/create-customer-gateway.mdx +++ /dev/null @@ -1,21 +0,0 @@ ---- -title: How to create a VPN gateway -description: TODO -tags: s2svpn vpn gateway vpn-gateway remote-access -dates: - validation: 2025-12-31 - posted: 2025-12-31 ---- -import Requirements from '@macros/iam/requirements.mdx' - - -Intro - - - -- A Scaleway account logged into the [console](https://console.scaleway.com) -- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization - -## How to TODO - -TODO \ No newline at end of file diff --git a/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx b/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx new file mode 100644 index 0000000000..20ef876b0b --- /dev/null +++ b/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx 
@@ -0,0 +1,126 @@ +--- +title: How to create and manage a customer gateway +description: Learn how to create and manage a customer gateway on Scaleway to establish a Site-to-Site VPN. This guide covers setting up the gateway object, configuring ASN and public IP details, and preparing for on-premises device configuration. +tags: site-to-site-vpn vpn customer-gateway vpn-gateway networking vpc ipsec bgp routing-policy remote-access network-infrastructure on-premises +dates: + validation: 2025-12-31 + posted: 2025-12-31 +--- +import Requirements from '@macros/iam/requirements.mdx' + +import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp' + +A customer gateway is one of the essential building blocks of a Site-to-Site VPN: + + + +This document explains how to create and manage a **customer gateway** with the Scaleway console. + + +A customer gateway in this context is an object representing a **real** corresponding physical (or virtual) customer gateway device on your remote infrastructure. You, as the customer, must also set up the real customer gateway networking device, which can be physical or software-based. + + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization + +## How to create a customer gateway + +Creating a customer gateway is a vital step in creating a working Site-to-Site VPN. It provides the connection point on the remote side of a VPN tunnel. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **Customer gateways** tab, then **Create Customer gateway**. The creation wizard displays. + +3. **Choose a region** in which to create your customer gateway. The resource will be created in this geographical location. 
Customer gateways must be in the same region as the resources (VPN gateways, connections etc.) that you link them with to create a Site-to-Site VPN tunnel. + +4. **Define connectivity parameters**, to supply Scaleway with essential details of your remote customer gateway device: + + - **IP address**: Provide the public IP address(es) of your customer gateway device, used to establish the VPN tunnel. If you want to be able to create two connections between this gateway and a single VPN gateway (for dual tunnels, increasing redundancy), provide an address for each IP type. + - **ASN**: Provide the unique identifier assigned to the customer's network, used by BGP (Border Gateway Protocol) to exchange routing information with other networks. + + + The ASN must be different to Scaleway's ASN (12876). This means you cannot use Site-to-Site VPN to create a VPN tunnel between two Scaleway VPCs (peering). Watch this space for our official VPC peering solution, planned for the future. + + ASNs can be public (globally unique) or private (unique within an organization). If you are unsure of your customer gateway device's ASN, we recommend entering a private ASN, in range `64512` to `65534`. + + +5. **Enter a name and (optionally) tags** for the customer gateway. + +6. Click **Create customer gateway** to finish. + +Your gateway is created, and you are directed to its **Overview** page. + +To continue setting up a Site-to-Site VPN, the next step is generally [creating a routing policy](TODO). + +## How to view a customer gateway's details + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **Customer gateways** tab. + +3. Use the **region selector** at the top of the page to filter for the region of the customer gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. 
+ +Here you can view the gateway's : + - Region + - ID + - ASN + - Public IP addresses + - Number of [VPN connections](TODO) it is used in + +## How to edit a customer gateway + +Currently, the only parameters of a customer gateway that can be edited after creation are its **name** and **tags**. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **Customer gateways** tab. + +3. Use the **region selector** at the top of the page to filter for the region of the customer gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. + +4. Click the **Settings** tab. + +5. Make your edits as required: + - Click directly on the gateway's name at the top of the page to edit it. + - Type new tags directly in the **Tags** box, or use the **x** icon to remove an existing tag. + +## How to configure a customer gateway device + +As well as creating a customer gateway with Scaleway, you also need to configure your real customer gateway device. Creating the customer gateway on the Scaleway side does not automatically create or configure this "real" corresponding device. + +Wait until you have set up all elements of the Site-to-Site VPN tunnel (VPN gateway, customer gateway, routing policy and VPN connection) before configuring your device. It is only at this stage that you will have all the following parameters and details which are necessary for the configuration. + +- [VPN Gateway Public IP(s)](TODO) +- [Pre-Shared Key (PSK)](TODO) +- [IPsec parameters](TODO) (ESP and IKE security proposals) +- [BGP interconnection subnet](TODO) +- [Routing policy](TODO) + +Instructions for configuring your customer gateway device will depend on your device model and vendor. 
+ +## How to delete a customer gateway + +You must [deactivate route propagation](TODO) on any VPN connections linked to the customer gateway, before you can delete the gateway. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **Customer gateways** tab. + +3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. + +4. Click the **Settings** tab. + +5. Click **Delete customer gateway**. + + A pop-up displays, informing you that any [VPN connections](TODO) using this gateway will be auto-deleted. + + You must manually delete any other objects associated with the gateway, such as VPN gateways or routing policies, if you do not need them any more. + +6. Type **DELETE** to confirm you want to proceed, then click the **Delete* button. + +The gateway is deleted, and you are returned to the list of your customer gateways. + + + + diff --git a/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx b/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx new file mode 100644 index 0000000000..7259f5d8db --- /dev/null +++ b/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx 
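Review bot: In create-manage-customer-gateway.mdx, step 3 of "How to delete a customer gateway" tells the reader to filter for the region of "the VPN gateway you want to configure"; this looks carried over from the VPN gateway page and should name the customer gateway being deleted. Step 6 of the same section has unbalanced emphasis, `**Delete*`, which will render a stray asterisk; close it as `**Delete**`. The "How to configure a customer gateway device" section lists the Pre-Shared Key among the parameters to carry over to the on-premises device, but every link in that list is still `(TODO)` and nothing says where the PSK is obtained or that it is a secret; resolve the placeholders before merge and consider one sentence on handling the PSK. Minor: "Here you can view the gateway's :" has a space before the colon.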
@@ -0,0 +1,66 @@ +--- +title: How to create and manage routing policies +description: Find out how to create a routing policy for your Scaleway Site-to-Site VPN. Whitelist incoming and outgoing route announcements, so that traffic can flow securely over your VPN connection. +dates: + validation: 2025-12-31 + posted: 2025-12-31 +tags: site-to-site-vpn vpn routing-policy bgp border-gateway-protocol network security vpc route-propagation ipv4 ipv6 +--- + +A routing policy is one of the essential building blocks of a Site-to-Site VPN: + + + +A Site-to-Site VPN connection uses [**B**order **G**ateway **P**rotocol](TODO) to exchange routing information between the VPN gateway on the Scaleway side, and the customer gateway on the remote side. Each side advertises IP prefixes for its own internal subnets and resources, to allow the other side to dynamically learn and update its internal routes, facilitating efficient traffic flow. + +However, by default, **all routes through a VPN tunnel are blocked**. You must create and attach [routing policies](TODO), to set IP prefix filters for the route advertisements you want to whitelist. This facilitates traffic flow through the VPN tunnel + +A VPN connection must have a **minimum of one** and a **maximum of two** attached routing policies, one for each IP traffic type to be routed (IPv4 and/or IPv6). + +When creating a routing policy, you specify one or many IP ranges representing the outgoing routes to announce from the Scaleway VPN gateway, and one or many IP ranges representing the incoming route announcements to accept from the customer gateway. When [route propagation](TODO) is activated, the route ranges defined in the routing policy are whitelisted, and traffic can flow through the tunnel along these routes. + +## How to create a routing policy + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. 
Click the **Routing policies** tab, then **Create routing policy**. The creation wizard displays. + +3. Choose a region for the policy. It can only be attached to VPN connections within the same region. + +4. Define the type of IP traffic to be covered by the routing policy. + +5. Whitelist the outgoing routes to allow. For each entry: + - Enter an IP prefix to define a range of route announcements to whitelist, e.g. `172.16.4.0/22`. + - Click **Add** when complete. + + + Routes within these destinations will be propagated, allowing traffic from your remote infrastructure to be routed through the VPN tunnel to your Scaleway VPN gateway. For example, adding `172.16.4.0/22` whitelists all 1,024 IPs in this block, from `172.16.4.0` to `172.16.7.255`. + + +6. Whitelist the incoming routes to allow, in the same way you did for outgoing routes. Outgoing routes concern announcements to accept from the remote infrastructure. Traffic can be routed through the VPN tunnel from your Scaleway VPN gateway to your remote infrastructure along these routes. + +7. Enter a **name** for the policy, or leave the randomly-generated name in place. Optionally, you can also add **tags**. + +9. Click **Create routing policy**. + +The policy is created, and you are returned to the listing of your routing policies. + +Remember to [attach the policy to a VPN connection](TODO) for it to take effect. Each VPN connection can have only one routing policy for each IP traffic type attached to it, but a single routing policy can be attached to multiple VPN connections, if desired. + +## How to edit an existing routing policy + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click on the **Routing policies** tab. A list of your routing policies displays. Use the **region selector** at the top of the page to filter for the region of the routing policy you want to edit. + +3. 
Click next to the routing policy to edit, and select **Edit** in the menu that displays. + +4. The **Edit routing policy** wizard displays. See the dedicated documentation on [creating and attaching a routing policy](TODO) for help with routing policies. + +5. Make the required edits, and click **Edit routing policy** + + A warning displays, to remind you that modifications will immediately be propagated on VPN connections using this policy. + +6. Click **Save**. + +The policy is modified and modifications are immediately applied. \ No newline at end of file diff --git a/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx b/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx new file mode 100644 index 0000000000..f1af9810ee --- /dev/null +++ b/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx 
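Review bot: In create-manage-routing-policy.mdx, step 6 of "How to create a routing policy" is about incoming routes, but its second sentence begins "Outgoing routes concern announcements to accept from the remote infrastructure"; that should read "Incoming routes", otherwise a reader can end up entering prefixes in the wrong direction of the filter. The numbered list in the same section jumps from 7 to 9. Two sentences are missing their full stop: "This facilitates traffic flow through the VPN tunnel" in the introduction and "click **Edit routing policy**" in step 5 of the edit procedure. Step 4 of the edit procedure links to "creating and attaching a routing policy" with a `(TODO)` target, as do the BGP, routing policy and route propagation links above; these need real targets before merge.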
@@ -0,0 +1,112 @@ +--- +title: How to create and manage a VPN connection +description: TODO +tags: TODO +dates: + validation: 2025-12-31 + posted: 2025-12-31 +--- +import Requirements from '@macros/iam/requirements.mdx' + +import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp' + +A connection is the central component of a Site-to-Site VPN. It links the VPN gateway to the customer gateway, sets the routing policy(ies), and defines the parameters for the VPN tunnel + + + +This document explains how to create and manage a Site-to-Site VPN connection with the Scaleway console. + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- Created a [VPN gateway](TODO) and a [customer gateway](TODO) in the same Scaleway region + +## How to create a VPN connection + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your existing VPN connections displays, if you have any. + +2. Click **Create connection**. The creation wizard displays. + +3. **Choose a region** in which to create your VPN gateway. The resource will be created in this geographical location. VPN gateways must be in the same region as the resources (customer gateways, connections etc.) that you link them with to create a Site-to-Site VPN tunnel. + +4. **Choose a zone** (optional) if you want to pinpoint exactly where in the region your gateway should be created. + +5. **Choose a gateway type**, based on bandwidth and how many [connections](TODO) the gateway should be able to support. + +6. **Configure network connectivity** for the VPN gateway. + - **Attach to Private Network**: You must select a Private Network which the VPN gateway will connect to. This is not currently modifiable after gateway creation. 
+ You can choose either to auto-allocate the gateway's private IPv4 and IPv6 addresses on the Private Network, or select specific private IPs. You must have already [reserved these IPs via IPAM](TODO). + - **Set up public connectivity**: Assign a public IPv4 or IPv6 address to your gateway. This will be used to establish the VPN tunnel. If you want to be able to create two connections between this gateway and a single customer gateway (for dual tunnels), you must also assign a second IP address, of the IP type not used for the first address. + +7. **Enter a name and (optionally) tags** for the VPN gateway. + +8. Click **Create VPN gateway** to finish. + +Your gateway is created, and you are directed to its **Overview** page. + +To continue setting up a Site-to-Site VPN, next [create a customer gateway](TODO). + + +## How to view a VPN gateway's details + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **VPN gateways** tab. + +3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. + +Here you can view the gateway's : + - [Status](TODO) + - [Offer type](TODO) + - Availability Zone + - Bandwidth + - Number of [VPN connections](TODO), compared to the total number allowed for the gateway offer type + - ID + - Attached Private Network + - Private and public IP addresses + +## How to edit a VPN gateway + +Currently, the only parameters of a VPN gateway that can be edited after creation are its **name** and **tags**. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **VPN gateways** tab. + +3. 
Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. + +4. Click the **Settings** tab. + +5. Make your edits as required: + - Click directly on the gateway's name at the top of the page to edit it. + - Type new tags directly in the **Tags** box, or use the **x** icon to remove an existing tag. + +## How to delete a VPN gateway + +You must [deactivate route propagation](TODO) on any VPN connections linked to the VPN gateway, before you can delete gateway. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **VPN gateways** tab. + +3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. + +4. Click the **Settings** tab. + +5. Click **Delete VPN gateway**. + + A pop-up displays, informing you that any [VPN connections](TODO) using this gateway will be auto-deleted, along with any flexible public IP addresses that you created specifically for the gateway. + + You must manually delete any other objects associated with the gateway, such as customer gateways or routing policies, if you do not need them any more. + + Any reserved private IPs that were used for the VPN gateway on its Private Network will remain reserved, and accessible from your IPAM management interface. + + +6. Type **DELETE** to confirm you want to proceed, then click the **Delete* button. + +The gateway is deleted, and you are returned to the list of your VPN gateways. + + + + diff --git a/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx b/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx new file mode 100644 index 0000000000..fd48d21bb3 --- /dev/null 
+++ b/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx 
@@ -0,0 +1,119 @@ +--- +title: How to create and manage a VPN gateway +description: Learn how to create, configure, and manage VPN gateways on Scaleway to establish secure Site-to-Site VPN connections with your remote networks. +tags: s2svpn vpn gateway vpn-gateway remote-access +dates: + validation: 2025-12-31 + posted: 2025-12-31 +--- +import Requirements from '@macros/iam/requirements.mdx' + +import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp' + +A VPN gateway is one of the essential building blocks of a Site-to-Site VPN: + + + +This document explains how to create and manage a **VPN gateway** with the Scaleway console. Creating a VPN gateway is the first step to creating a working Site-to-Site VPN. It represents the VPN tunnel's endpoint on the Scaleway side of your infrastructure. + +After creating a VPN gateway, you will need to also create: + +- A **customer gateway**, your remote endpoint. +- A **routing policy**, to control traffic flow. +- A **VPN connection**, to join the other elements together and configure the VPN tunnel. + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization + +## How to create a VPN gateway + +Creating a VPN gateway is the first step in creating a Site-to-Site VPN tunnel. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. + +2. Click the **VPN gateways** tab, then **Create VPN gateway**. The creation wizard displays. + +3. **Choose a region** in which to create your VPN gateway. The resource will be created in this geographical location. VPN gateways must be in the same region as the resources (customer gateways, connections etc.) that you link them with to create a Site-to-Site VPN tunnel. + +4. 
**Choose a zone** (optional) if you want to pinpoint exactly where in the region your gateway should be created. + +5. **Choose a gateway type**, based on bandwidth and how many [connections](TODO) the gateway should be able to support. + +6. **Configure network connectivity** for the VPN gateway. + - **Attach to Private Network**: You must select a Private Network which the VPN gateway will connect to. This is not currently modifiable after gateway creation. + You can choose either to auto-allocate the gateway's private IPv4 and IPv6 addresses on the Private Network, or select specific private IPs. You must have already [reserved these IPs via IPAM](TODO). + - **Set up public connectivity**: Assign a public IPv4 or IPv6 address to your gateway. This will be used to establish the VPN tunnel. If you want to be able to create two connections between this gateway and a single customer gateway (for dual tunnels), you must also assign a second IP address, of the IP type not used for the first address. + +7. **Enter a name and (optionally) tags** for the VPN gateway. + +8. Click **Create VPN gateway** to finish. + +Your gateway is created, and you are directed to its **Overview** page. + +To continue setting up a Site-to-Site VPN, next [create a customer gateway](TODO). + + +## How to view a VPN gateway's details + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **VPN gateways** tab. + +3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. 
+ +Here you can view the gateway's : + - [Status](TODO) + - [Offer type](TODO) + - Availability Zone + - Bandwidth + - Number of [VPN connections](TODO), compared to the total number allowed for the gateway offer type + - ID + - Attached Private Network + - Private and public IP addresses + +## How to edit a VPN gateway + +Currently, the only parameters of a VPN gateway that can be edited after creation are its **name** and **tags**. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **VPN gateways** tab. + +3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. + +4. Click the **Settings** tab. + +5. Make your edits as required: + - Click directly on the gateway's name at the top of the page to edit it. + - Type new tags directly in the **Tags** box, or use the **x** icon to remove an existing tag. + +## How to delete a VPN gateway + +You must [deactivate route propagation](TODO) on any VPN connections linked to the VPN gateway, before you can delete gateway. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **VPN gateways** tab. + +3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. + +4. Click the **Settings** tab. + +5. Click **Delete VPN gateway**. + + A pop-up displays, informing you that any [VPN connections](TODO) using this gateway will be auto-deleted, along with any flexible public IP addresses that you created specifically for the gateway. 
+ + You must manually delete any other objects associated with the gateway, such as customer gateways or routing policies, if you do not need them any more. + + Any reserved private IPs that were used for the VPN gateway on its Private Network will remain reserved, and accessible from your IPAM management interface. + + +6. Type **DELETE** to confirm you want to proceed, then click the **Delete* button. + +The gateway is deleted, and you are returned to the list of your VPN gateways. + + + + diff --git a/pages/site-to-site-vpn/how-to/create-vpn-connection.mdx b/pages/site-to-site-vpn/how-to/create-vpn-connection.mdx deleted file mode 100644 index 3867bd71e6..0000000000 --- a/pages/site-to-site-vpn/how-to/create-vpn-connection.mdx +++ /dev/null @@ -1,21 +0,0 @@ ---- -title: How to create a VPN gateway -description: TODO -tags: s2svpn vpn gateway vpn-gateway remote-access -dates: - validation: 2025-12-31 - posted: 2025-12-31 ---- -import Requirements from '@macros/iam/requirements.mdx' - - -Intro - - - -- A Scaleway account logged into the [console](https://console.scaleway.com) -- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization - -## How to TODO - -TODO \ No newline at end of file diff --git a/pages/site-to-site-vpn/how-to/create-vpn-gateway.mdx b/pages/site-to-site-vpn/how-to/create-vpn-gateway.mdx deleted file mode 100644 index 6ee38e7ea3..0000000000 --- a/pages/site-to-site-vpn/how-to/create-vpn-gateway.mdx +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -title: How to create a VPN gateway -description: TODO -tags: s2svpn vpn gateway vpn-gateway remote-access -dates: - validation: 2025-12-31 - posted: 2025-12-31 ---- -import Requirements from '@macros/iam/requirements.mdx' - -To create a Site-to-Site VPN, you must create several individual elements and then join them together: - -1. **Create a VPN gateway**, your Scaleway endpoint -2. **Create a customer gateway**, your remote endpoint -3. **Create a routing policy**, to control traffic flow -4. **Create a VPN connection**, to link all elements and enable the encrypted VPN tunnel - -This document explains how to create a **VPN gateway** with the Scaleway console, as the first step to creating a working Site-to-Site VPN. - - - -- A Scaleway account logged into the [console](https://console.scaleway.com) -- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization - -## How to TODO - -1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. - -2. Click the **VPN gateways** tab, then **Create VPN gateway**. The creation wizard displays. - -3. **Choose a region** in which to create your VPN gateway. The resource will be created in this geographical location. VPN gateways must be in the same region as the resources (customer gateways, connections etc.) you want to use them with. - -4. **Choose a zone** (optional) if you want to pinpoint exactly where in the region your gateway should be created. - -5. **Choose a gateway type**, based on bandwidth and how many [connections](TODO) the gateway should be able to support. - -6. \ No newline at end of file From cfbcf1cc33860f7706ce3b3d6a0e64cc78509734 Mon Sep 17 00:00:00 2001 
From: Rowena Date: Mon, 29 Dec 2025 17:46:40 +0100 Subject: [PATCH 03/13] feat(vpc): continue doc --- .../how-to/create-manage-routing-policy.mdx | 19 ++- .../how-to/create-manage-vpn-connection.mdx | 127 ++++++++++++------ .../how-to/create-manage-vpn-gateway.mdx | 2 +- pages/site-to-site-vpn/menu.ts | 22 +++ .../configuring-customer-gateway-device.mdx | 0 .../understanding-s2svpn.mdx | 15 +-- 6 files changed, 137 insertions(+), 48 deletions(-) create mode 100644 pages/site-to-site-vpn/reference-content/configuring-customer-gateway-device.mdx diff --git a/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx b/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx index 7259f5d8db..b5b127b11c 100644 --- a/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx +++ b/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx @@ -6,6 +6,9 @@ dates: posted: 2025-12-31 tags: site-to-site-vpn vpn routing-policy bgp border-gateway-protocol network security vpc route-propagation ipv4 ipv6 --- +import Requirements from '@macros/iam/requirements.mdx' + +import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp' A routing policy is one of the essential building blocks of a Site-to-Site VPN: 
@@ -63,4 +66,18 @@ Remember to [attach the policy to a VPN connection](TODO) for it to take effect. 6. Click **Save**. -The policy is modified and modifications are immediately applied. \ No newline at end of file +The policy is modified and modifications are immediately applied. + +## How to delete a routing policy + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click on the **Routing policies** tab. A list of your routing policies displays. Use the **region selector** at the top of the page to filter for the region of the routing policy you want to delete. + +3. Click next to the routing policy to delete, and select **Delete** in the menu that displays. + + A pop-up displays, informing you that this action will permanently delete the routing policy. + +4. Click **Delete policy** to confirm. + + The routing policy is deleted, and you are returned to the **Routing policies** tab. \ No newline at end of file diff --git a/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx b/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx index f1af9810ee..a7d4786dd2 100644 --- a/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx +++ b/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx 
@@ -28,84 +28,135 @@ This document explains how to create and manage a Site-to-Site VPN connection wi 2. Click **Create connection**. The creation wizard displays. -3. **Choose a region** in which to create your VPN gateway. The resource will be created in this geographical location. VPN gateways must be in the same region as the resources (customer gateways, connections etc.) that you link them with to create a Site-to-Site VPN tunnel. +3. **Choose a region** in which to create your VPN connection. The resource will be created in this geographical location. You must create the connection in the same region as the VPN gateway and customer gateway that you want to connect. -4. **Choose a zone** (optional) if you want to pinpoint exactly where in the region your gateway should be created. +4. **Choose the gateways to connect**. The connection will link the VPN gateway and customer gateways that you select here. Only gateways you have already created in the region you chose at step 3 will be displayed. -5. **Choose a gateway type**, based on bandwidth and how many [connections](TODO) the gateway should be able to support. + Based on the selected gateways, the **VPN tunnel details** selection panel displays. -6. **Configure network connectivity** for the VPN gateway. - - **Attach to Private Network**: You must select a Private Network which the VPN gateway will connect to. This is not currently modifiable after gateway creation. - You can choose either to auto-allocate the gateway's private IPv4 and IPv6 addresses on the Private Network, or select specific private IPs. You must have already [reserved these IPs via IPAM](TODO). - - **Set up public connectivity**: Assign a public IPv4 or IPv6 address to your gateway. This will be used to establish the VPN tunnel. If you want to be able to create two connections between this gateway and a single customer gateway (for dual tunnels), you must also assign a second IP address, of the IP type not used for the first address. 
+5. Select how the VPN tunnel for this connection should be established: via the gateways' **public IPv4 addresses** or their **public IPv6 addressess**. -7. **Enter a name and (optionally) tags** for the VPN gateway. + + - The two gateways must have at least one public IP type in common, in order to create a VPN connection between them. + - The IP type you select here does **not** limit both IPv4 and IPv6 traffic from being able to flow through the tunnel. [Read our dedicated documentation](TODO). + - If both gateways have both public IP types (IPv4 and IPv6) you can create a second VPN connection between them, this time selecting the other IP type, for increased redundancy. + -8. Click **Create VPN gateway** to finish. +6. **Specify a routing policy** for the connection, (optional). The VPN connection needs a policy for each IP traffic type you want it to route. These policies define the IPv4 and/or IPv6 traffic that is allowed to flow through the tunnel. Without an attached routing policy, no traffic can flow, but you can choose to attach a routng policy after creating the connection, if you prefer. -Your gateway is created, and you are directed to its **Overview** page. +7. **Set the connection initiation policy** by selecting which gateway should initiate the VPN tunnel. -To continue setting up a Site-to-Site VPN, next [create a customer gateway](TODO). + + By default, choose the customer gateway to initiate connections if it has a stable IP and no restrictive firewall. + +8. **Select a security proposal** for this connection. The security proposal defines the encryption and authentication methods used to secure the IPSec VPN tunnel. For help choosing a security proposal, refer to our [dedicated documentation](/site-to-site-vpn/reference-content/security-proposals/). -## How to view a VPN gateway's details + A pre-shared key (PSK) will be generated automatically when you create the VPN connection object. 
It will be securely stored in Scaleway [Secret Manager](/secret-manager), and can be retrieved for the purposes of configuring your customer gateway device. It is not currently possible to upload your own custom PSK. + +9. **Enter a name and (optionally) tags** for the VPN connection. + +8. Click **Create connection** to finish. + +Your connection is created, and you are directed to its **Overview** page. + + +## How to view a VPN connection's details 1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. -2. Click the **VPN gateways** tab. +2. Use the **region selector** at the top of the page to filter for the region of the connection you want to view, then click the connection in the listing. The connection's **Overview** page displays. -3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. +Here you can view the following information: -Here you can view the gateway's : +**Connection information** - [Status](TODO) - - [Offer type](TODO) - - Availability Zone - - Bandwidth - - Number of [VPN connections](TODO), compared to the total number allowed for the gateway offer type + - Region - ID - - Attached Private Network - - Private and public IP addresses + - VPN gateway and customer gateways linked by the connection + - IP type used to establish the tunnel (IPv4 or IPv6) + - Initiation policy + - Link to PSK + - ESP proposal + - IKE proposal + + +**VPN tunnel endpoint addresses** +An encrypted VPN tunnel links the VPN gateway and customer gateway via their public IPs, as shown here: + - VPN gateway public IP + - Customer gateway public IP -## How to edit a VPN gateway +**BGP sessions** +BGP is used to automatically share routes between the two gateways. 
The auto-generated private subnets shown here are used to establish the BGP session(s), one per IP version (IPv4 or IPv6). Ensure your customer gateway device is configured with these subnets as BGP peers. +- IPv4 BGP session interconnection subnet (e.g. `169.254.10.0/31`) +- IPv6 BGP session interconnection subnet (e.g. `fd00:10::/127`) -Currently, the only parameters of a VPN gateway that can be edited after creation are its **name** and **tags**. +**Route propagation** +Activating route propagation prompts the two gateways to dynamically exchange route information over BGP, using the attached routing policies. Traffic cannot flow if route propagation is not active. The routing policy(ies) attached to the connection are displayed here. +- IPv4 routing policy +- IPv6 routing policy + +## How to activate or deactivate route propagation + +You must activate route propagation for traffic to be able to flow through the VPN tunnel. Activating route propagation triggers the dynamic exchange of route information between the gateways. 1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. -2. Click the **VPN gateways** tab. +2. Use the **region selector** at the top of the page to filter for the region of the connection you want to view, then click the connection in the listing. The connection's **Overview** page displays. -3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. +3. In the **Route propagation** section, click **Activate propagation**. -4. Click the **Settings** tab. + A pop-up displays, confirming that the action will launch the BGP session(s), allowing traffic to flow through the tunnel via the routes whitelisted in the attached routing policy(ies). -5. 
Make your edits as required: - - Click directly on the gateway's name at the top of the page to edit it. - - Type new tags directly in the **Tags** box, or use the **x** icon to remove an existing tag. +4. Click **Activate route propagation**. + + Route propagation is activated. You are returned to your connection's overview page. + + While route propagation remains active, the two gateways will dynamically exchange and update route information. Traffic can flow through the VPN tunnel along the routes whitelisted in the routing policy(ies). You can deactivate route propagation at any time: if you do so, all routes are blocked and no traffic can flow. -## How to delete a VPN gateway +## How to generate a new version of the PSK -You must [deactivate route propagation](TODO) on any VPN connections linked to the VPN gateway, before you can delete gateway. +TODO: why/when to do this? 1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. -2. Click the **VPN gateways** tab. +2. Use the **region selector** at the top of the page to filter for the region of the connection you want to configure, then click the connection in the listing. The connection's **Overview** page displays. -3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. +3. In the **Connection information** panel, under **PSK**, click **Generate version**. + +A new version of the PSK secret is created in Scaleway Secret Manager. Ensure that you update your customer gateway device to use the new PSK. + +## How to edit a VPN connection's name and tags + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. 
Use the **region selector** at the top of the page to filter for the region of the connection you want to configure, then click the connection in the listing. The connection's **Overview** page displays. 4. Click the **Settings** tab. -5. Click **Delete VPN gateway**. +5. Make your edits as required: + - Click directly on the connection's name at the top of the page to edit it. + - Type new tags directly in the **Tags** box, or use the **x** icon to remove an existing tag. - A pop-up displays, informing you that any [VPN connections](TODO) using this gateway will be auto-deleted, along with any flexible public IP addresses that you created specifically for the gateway. +## How to delete a VPN connection + +You must [deactivate route propagation](TODO) before you can delete the connection. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Use the **region selector** at the top of the page to filter for the region of the VPN connection you want to configure, then click the connection in the listing. The connection's **Overview** page displays. + +4. Click the **Settings** tab. - You must manually delete any other objects associated with the gateway, such as customer gateways or routing policies, if you do not need them any more. +5. Click **Delete connection**. - Any reserved private IPs that were used for the VPN gateway on its Private Network will remain reserved, and accessible from your IPAM management interface. + A pop-up displays, informing you that this action will permanently delete the connection. + The VPN gateway and customer gateways used in this connection will **not** be automatically deleted. Remember to delete them yourself if no longer needed. 6. Type **DELETE** to confirm you want to proceed, then click the **Delete* button. -The gateway is deleted, and you are returned to the list of your VPN gateways. 
+The connection is deleted, and you are returned to the list of your VPN connections. diff --git a/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx b/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx index fd48d21bb3..7ea01b0070 100644 --- a/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx +++ b/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx @@ -16,7 +16,7 @@ A VPN gateway is one of the essential building blocks of a Site-to-Site VPN: This document explains how to create and manage a **VPN gateway** with the Scaleway console. Creating a VPN gateway is the first step to creating a working Site-to-Site VPN. It represents the VPN tunnel's endpoint on the Scaleway side of your infrastructure. -After creating a VPN gateway, you will need to also create: +For a working VPN, in addition to creating a VPN gateway, you must also create: - A **customer gateway**, your remote endpoint. - A **routing policy**, to control traffic flow. diff --git a/pages/site-to-site-vpn/menu.ts b/pages/site-to-site-vpn/menu.ts index fd0336dd55..38dedf245e 100644 --- a/pages/site-to-site-vpn/menu.ts +++ b/pages/site-to-site-vpn/menu.ts @@ -16,6 +16,28 @@ export const siteToSiteVpnMenu = { label: 'FAQ', slug: 'faq', }, + { + items: [ + { + label: 'Create and manage a VPN gateway', + slug: 'create-manage-vpn-gateway', + }, + { + label: 'Create and manage a customer gateway', + slug: 'create-manage-customer-gateway', + }, + { + label: 'Create and manage a routing policy', + slug: 'create-manage-routing-policy', + }, + { + label: 'Create and manage a VPN connection', + slug: 'create-manage-vpn-connection', + }, + ], + label: 'How to', + slug: 'how-to', + }, { items: [ { diff --git a/pages/site-to-site-vpn/reference-content/configuring-customer-gateway-device.mdx b/pages/site-to-site-vpn/reference-content/configuring-customer-gateway-device.mdx new file mode 100644 index 0000000000..e69de29bb2 
diff --git a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx index c8c1881246..e2c76827dc 100644 --- a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx +++ b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx 
@@ -12,23 +12,22 @@ import image3 from './assets/scaleway-vpn-one-tunnel-both.webp' import image4 from './assets/scaleway-vpn-one-tunnel-one-type.webp' import image5 from './assets/scaleway-vpn-tunnel-detail.webp' - Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/). -## Site-to-Site VPN overview +This document coers the features, use cases, pricing and technical details of Site-to-Site VPN. -Site-to-Site VPN lets you securely connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private VPN tunnel. Integrated with VPC routing, traffic destined for your remote infrastructure can reach it from your VPC via the secure VPN tunnel, and vice versa. Site-to-Site VPN connections are secured with Internet Protocol security ([IPsec](https://en.wikipedia.org/wiki/IPsec)). +## Overview -## Components of Site-to-Site VPN +Site-to-Site VPN lets you securely connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private VPN tunnel. Integrated with VPC routing, traffic destined for your remote infrastructure can reach it from your VPC via the secure VPN tunnel, and vice versa. Site-to-Site VPN connections are secured with Internet Protocol security ([IPsec](https://en.wikipedia.org/wiki/IPsec)). 
Scaleway Site-to-Site VPN consists of: -- A **VPN gateway**: the connection point on the Scaleway side -- A **customer gateway**: the connection point on the remote side (representing a corresponding physical customer gateway device) -- A **routing policy**: defines the traffic allowed to flow through the tunnel -- A **connection**: brings together the three above elements, and defines the configuration for the VPN tunnel +- A [VPN gateway](TODO): the connection point on the Scaleway side +- A [customer gateway](TODO) the connection point on the remote side (representing a corresponding physical customer gateway device) +- A [routing policy](TODO): defines the traffic allowed to flow through the tunnel +- A [connection](TODO): brings together the three above elements, and defines the configuration for the VPN tunnel You must create all of the above elements, and correctly configure your customer gateway device, for a functional Site-to-Site VPN. From b50a61a8c28e2150b68e3c462ea50f14482ae8df Mon Sep 17 00:00:00 2001 From: Rowena Date: Tue, 30 Dec 2025 18:05:12 +0100 Subject: [PATCH 04/13] feat(s2svpn): continue console doc --- pages/site-to-site-vpn/concepts.mdx | 2 + pages/site-to-site-vpn/faq.mdx | 23 +++ .../how-to/create-manage-customer-gateway.mdx | 20 +-- .../how-to/create-manage-routing-policy.mdx | 14 +- .../how-to/create-manage-vpn-connection.mdx | 35 +++- .../how-to/create-manage-vpn-gateway.mdx | 16 +- pages/site-to-site-vpn/menu.ts | 8 +- .../configuring-customer-gateway-device.mdx | 29 +++ .../reference-content/security-proposals.mdx | 2 +- .../understanding-s2svpn.mdx | 167 +++++++----------- 10 files changed, 179 insertions(+), 137 deletions(-) diff --git a/pages/site-to-site-vpn/concepts.mdx b/pages/site-to-site-vpn/concepts.mdx index d841203af7..af56f3e8d5 100644 --- a/pages/site-to-site-vpn/concepts.mdx +++ b/pages/site-to-site-vpn/concepts.mdx 
@@ -11,6 +11,8 @@ dates: An **A**utonomous **S**ystem **N**umber (ASN) is a unique identifier assigned to a network or group of networks that operate under a single administrative domain, and use a common routing policy on the internet. When creating a customer gateway, you are asked to provide its ASN, to enable dynamic routing using [BGP](#border-gateway-protocol-bgp) across the VPN. Each BGP peer must have a unique ASN to identify its routing domain. +[Learn more about ASNs](/site-to-site-vpn/faq/#what-is-an-asn-and-why-do-i-have-to-supply-one-when-creating-a-customer-gateway). + ## Border Gateway Protocol (BGP) **B**order **G**ateway **P**rotocol is a standardized gateway protocol that allows autonomous systems to exchange routing information. Site-to-Site VPN uses BGP to facilitate route propagation, so that the VPC gateway and the customer gateway can learn each other's routes. diff --git a/pages/site-to-site-vpn/faq.mdx b/pages/site-to-site-vpn/faq.mdx index c7f7d77e1c..ea2b203f4c 100644 --- a/pages/site-to-site-vpn/faq.mdx +++ b/pages/site-to-site-vpn/faq.mdx @@ -7,6 +7,9 @@ dates: validation: 2025-12-05 --- +import image3 from './assets/scaleway-vpn-one-tunnel-both.webp' +import image4 from './assets/scaleway-vpn-one-tunnel-one-type.webp' + ## Overview ### What is Site-to-Site VPN? 
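Review bot: The two imports added at the top of pages/site-to-site-vpn/faq.mdx (image3 and image4 from './assets/...') keep the relative path they had in reference-content/understanding-s2svpn.mdx, so from faq.mdx they now resolve to pages/site-to-site-vpn/assets/ instead of pages/site-to-site-vpn/reference-content/assets/. The diffstat for this commit lists ten text files and no image moves or additions. Please confirm both .webp files already exist at the new location, or import them from './reference-content/assets/', so the two FAQ diagrams resolve at build time.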
@@ -29,6 +32,26 @@ No, you cannot use Site-to-Site VPN to connect two Scaleway VPCs. Watch out for Yes, this use case is entirely possible. +### What is an ASN and why do I have to supply one when creating a customer gateway? + +An **A**utonomous **S**ystem **N**umber (ASN) is a unique identifier assigned to a network or group of networks that operate under a single administrative domain, and use a common routing policy on the internet. + +When [creating a customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/), you are asked to provide its ASN. This is necessary for dynamic routing across the VPN using [BGP](/site-to-site-vpn/concepts/#border-gateway-protocol-bgp). Each BGP peer must have a unique ASN to identify its routing domain. + +The ASN must be different to Scaleway's ASN (12876). This means you cannot use Site-to-Site VPN to create a VPN tunnel between two Scaleway VPCs (peering). Watch this space for our official VPC peering solution, planned for the future. + +ASNs can be public (globally unique) or private (unique within an organization). If you are unsure of your customer gateway device's ASN, we recommend entering a private ASN, in range `64512` to `65534`. + +### If I create a connection using gateways' public IPv4 addresses, does this mean the tunnel won't support IPv6 traffic? + +No. Be assured that IPv6 traffic can travel through a tunnel established between two public IPv4 addresses, and vice versa. The public IP address type used to establish the tunnel does not restrict the type of IP traffic that can flow through that tunnel. You define the types of traffic flow (IPv4 and/or IPv6) that you want to allow by attaching (or not) a [routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) for that traffic type. 
+ +The following diagram shows a connection with an IPv4 tunnel (i.e., established via the gateways' public IPv4 addresses), configured to route both types of IP traffic: + + +The following diagram shows a connection with an IPv6 tunnel (i.e. established via the gateways' public IPv6 addresses), which has been configured to only route IPv4 traffic: + + ## Pricing and billing ### How much does Site-to-Site VPN cost? diff --git a/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx b/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx index 20ef876b0b..61cbd41ffd 100644 --- a/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx +++ b/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx @@ -52,7 +52,7 @@ Creating a customer gateway is a vital step in creating a working Site-to-Site V Your gateway is created, and you are directed to its **Overview** page. -To continue setting up a Site-to-Site VPN, the next step is generally [creating a routing policy](TODO). +To continue setting up a Site-to-Site VPN, the next step is generally [creating a routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/). ## How to view a customer gateway's details @@ -67,7 +67,7 @@ Here you can view the gateway's : - ID - ASN - Public IP addresses - - Number of [VPN connections](TODO) it is used in + - Number of [VPN connections](/site-to-site-vpn/concepts/#connection) it is used in ## How to edit a customer gateway 
@@ -87,21 +87,15 @@ Currently, the only parameters of a customer gateway that can be edited after cr ## How to configure a customer gateway device -As well as creating a customer gateway with Scaleway, you also need to configure your real customer gateway device. Creating the customer gateway on the Scaleway side does not automatically create or configure this "real" corresponding device. +Your customer gateway device is a real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC. The customer gateway that you create in Scaleway is a logical representation of this device. -Wait until you have set up all elements of the Site-to-Site VPN tunnel (VPN gateway, customer gateway, routing policy and VPN connection) before configuring your device. It is only at this stage that you will have all the following parameters and details which are necessary for the configuration. +Creating the customer gateway on the Scaleway side does not automatically configure the corresponding physical or virtual device. This must be set up separately by you or your network administrator to establish the Site-to-Site VPN connection. -- [VPN Gateway Public IP(s)](TODO) -- [Pre-Shared Key (PSK)](TODO) -- [IPsec parameters](TODO) (ESP and IKE security proposals) -- [BGP interconnection subnet](TODO) -- [Routing policy](TODO) - -Instructions for configuring your customer gateway device will depend on your device model and vendor. +See our [dedicated page](/site-to-site-vpn/reference-content/configuring-customer-gateway-device/) for advice on configuring your customer gateway device. ## How to delete a customer gateway -You must [deactivate route propagation](TODO) on any VPN connections linked to the customer gateway, before you can delete the gateway. 
+You must [deactivate route propagation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-activate-or-deactivate-route-propagation) on any VPN connections linked to the customer gateway, before you can delete the gateway. 1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. @@ -113,7 +107,7 @@ You must [deactivate route propagation](TODO) on any VPN connections linked to t 5. Click **Delete customer gateway**. - A pop-up displays, informing you that any [VPN connections](TODO) using this gateway will be auto-deleted. + A pop-up displays, informing you that any [VPN connections](/site-to-site-vpn/concepts/#connection) using this gateway will be auto-deleted. You must manually delete any other objects associated with the gateway, such as VPN gateways or routing policies, if you do not need them any more. diff --git a/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx b/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx index b5b127b11c..c6e3d7bf90 100644 --- a/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx +++ b/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx 
@@ -14,13 +14,13 @@ A routing policy is one of the essential building blocks of a Site-to-Site VPN: -A Site-to-Site VPN connection uses [**B**order **G**ateway **P**rotocol](TODO) to exchange routing information between the VPN gateway on the Scaleway side, and the customer gateway on the remote side. Each side advertises IP prefixes for its own internal subnets and resources, to allow the other side to dynamically learn and update its internal routes, facilitating efficient traffic flow. +A Site-to-Site VPN connection uses [**B**order **G**ateway **P**rotocol](/site-to-site-vpn/concepts/#border-gateway-protocol-bgp) to exchange routing information between the VPN gateway on the Scaleway side, and the customer gateway on the remote side. Each side advertises IP prefixes for its own internal subnets and resources, to allow the other side to dynamically learn and update its internal routes, facilitating efficient traffic flow. -However, by default, **all routes through a VPN tunnel are blocked**. You must create and attach [routing policies](TODO), to set IP prefix filters for the route advertisements you want to whitelist. This facilitates traffic flow through the VPN tunnel +However, by default, **all routes through a VPN tunnel are blocked**. You must create and attach [routing policies](/site-to-site-vpn/how-to/create-manage-routing-policy/), to set IP prefix filters for the route advertisements you want to whitelist. This facilitates traffic flow through the VPN tunnel A VPN connection must have a **minimum of one** and a **maximum of two** attached routing policies, one for each IP traffic type to be routed (IPv4 and/or IPv6). -When creating a routing policy, you specify one or many IP ranges representing the outgoing routes to announce from the Scaleway VPN gateway, and one or many IP ranges representing the incoming route announcements to accept from the customer gateway. 
When [route propagation](TODO) is activated, the route ranges defined in the routing policy are whitelisted, and traffic can flow through the tunnel along these routes. +When creating a routing policy, you specify one or many IP ranges representing the outgoing routes to announce from the Scaleway VPN gateway, and one or many IP ranges representing the incoming route announcements to accept from the customer gateway. When [route propagation](/site-to-site-vpn/concepts/#route-propagation) is activated, the route ranges defined in the routing policy are whitelisted, and traffic can flow through the tunnel along these routes. ## How to create a routing policy @@ -48,7 +48,7 @@ When creating a routing policy, you specify one or many IP ranges representing t The policy is created, and you are returned to the listing of your routing policies. -Remember to [attach the policy to a VPN connection](TODO) for it to take effect. Each VPN connection can have only one routing policy for each IP traffic type attached to it, but a single routing policy can be attached to multiple VPN connections, if desired. +Remember to [attach the policy to a VPN connection](/site-to-site-vpn/how-to/create-manage-routing-policy/) for it to take effect. Each VPN connection can have only one routing policy for each IP traffic type attached to it, but a single routing policy can be attached to multiple VPN connections, if desired. ## How to edit an existing routing policy 
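Review bot: In the "Remember to attach the policy to a VPN connection" line of create-manage-routing-policy.mdx, the TODO was replaced with /site-to-site-vpn/how-to/create-manage-routing-policy/, which is this same page, so the reader is sent in a circle. The section this commit adds further down the file already points at the right target; use /site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-attach-or-detach-a-routing-policy here too. Since traffic stays blocked until a policy is attached, this is the link users most need to work.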
@@ -58,7 +58,7 @@ Remember to [attach the policy to a VPN connection](TODO) for it to take effect. 3. Click next to the routing policy to edit, and select **Edit** in the menu that displays. -4. The **Edit routing policy** wizard displays. See the dedicated documentation on [creating and attaching a routing policy](TODO) for help with routing policies. +4. The **Edit routing policy** wizard displays. See the dedicated documentation on [creating and attaching a routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) for help with routing policies. 5. Make the required edits, and click **Edit routing policy** @@ -68,6 +68,10 @@ Remember to [attach the policy to a VPN connection](TODO) for it to take effect. The policy is modified and modifications are immediately applied. +## How to attach a routing policy to a connection + +See our [dedicated documentation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-attach-or-detach-a-routing-policy) + ## How to delete a routing policy 1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. diff --git a/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx b/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx index a7d4786dd2..f511fe1011 100644 --- a/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx +++ b/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx @@ -1,7 +1,7 @@ --- title: How to create and manage a VPN connection -description: TODO -tags: TODO +description: Learn how to create and manage a Site-to-Site VPN connection on Scaleway, including configuring routing policies, BGP, IPsec security proposals, and activating route propagation. +tags: site-to-site-vpn, vpn-connection, scaleway-vpn, ipsec, bgp, routing-policy, network, private-network, how-to dates: validation: 2025-12-31 posted: 2025-12-31 
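Review bot: The new front matter in create-manage-vpn-connection.mdx writes tags as a comma-separated list ("site-to-site-vpn, vpn-connection, scaleway-vpn, ..."), while the existing pages in this patch use space-separated tags, for example "tags: vpn gateway customer infrastructure connection encryption" in understanding-s2svpn.mdx. Please align on one format, depending on how the site parses the field, and apply the same fix to the new configuring-customer-gateway-device.mdx, which uses commas as well.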
@@ -20,7 +20,7 @@ This document explains how to create and manage a Site-to-Site VPN connection wi - A Scaleway account logged into the [console](https://console.scaleway.com) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization -- Created a [VPN gateway](TODO) and a [customer gateway](TODO) in the same Scaleway region +- Created a [VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/) and a [customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/) in the same Scaleway region ## How to create a VPN connection 
@@ -34,15 +34,15 @@ This document explains how to create and manage a Site-to-Site VPN connection wi Based on the selected gateways, the **VPN tunnel details** selection panel displays. -5. Select how the VPN tunnel for this connection should be established: via the gateways' **public IPv4 addresses** or their **public IPv6 addressess**. +5. Select how the VPN tunnel for this connection should be established: via the gateways' **public IPv4 addresses** or their **public IPv6 addresses**. - The two gateways must have at least one public IP type in common, in order to create a VPN connection between them. - - The IP type you select here does **not** limit both IPv4 and IPv6 traffic from being able to flow through the tunnel. [Read our dedicated documentation](TODO). + - The IP type you select here does **not** limit both IPv4 and IPv6 traffic from being able to flow through the tunnel. [Read more about this](/site-to-site-vpn/faq/#if-i-create-a-connection-using-gateways-public-ipv4-addresses-does-this-mean-the-tunnel-wont-support-ipv6-traffic). - If both gateways have both public IP types (IPv4 and IPv6) you can create a second VPN connection between them, this time selecting the other IP type, for increased redundancy. -6. **Specify a routing policy** for the connection, (optional). The VPN connection needs a policy for each IP traffic type you want it to route. These policies define the IPv4 and/or IPv6 traffic that is allowed to flow through the tunnel. Without an attached routing policy, no traffic can flow, but you can choose to attach a routng policy after creating the connection, if you prefer. +6. **Specify a routing policy** for the connection, (optional). The VPN connection needs a policy for each IP traffic type you want it to route. These policies define the IPv4 and/or IPv6 traffic that is allowed to flow through the tunnel. 
Without an attached routing policy, no traffic can flow, but you can choose to attach a routing policy after creating the connection, if you prefer. 7. **Set the connection initiation policy** by selecting which gateway should initiate the VPN tunnel. @@ -70,7 +70,7 @@ Your connection is created, and you are directed to its **Overview** page. Here you can view the following information: **Connection information** - - [Status](TODO) + - [Status](/site-to-site-vpn/reference-content/statuses/#connection-statuses) - Region - ID - VPN gateway and customer gateways linked by the connection 
@@ -96,6 +96,25 @@ Activating route propagation prompts the two gateways to dynamically exchange ro - IPv4 routing policy - IPv6 routing policy +## How to attach or detach a routing policy + +Routing policies define traffic that is allowed to flow through the VPN tunnel. The connection needs one attached routing policy for each IP traffic type you want it to route (IPv4 and/or IPv6). You can attach a maximum of two routing policies to a single connection (one for IPv4 and one for IPv6). + +Note that without an attached routing policy, no traffic can flow through the VPN tunnel. You can replace the attached routing policy/ies at any time. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Use the **region selector** at the top of the page to filter for the region of the connection you want to view, then click the connection in the listing. The connection's **Overview** page displays. + +3. In the **route propagation** panel: + - If no routing policy is attached, click the **+ Attach policy** button. You are prompted to select a routing policy to attach. + - If a routing policy is already attached, click the three dot menu next to the policy, and select either: + - **Replace policy**: You are prompted to select a new routing policy to replace the current one. + - **Edit policy**: You are directed to the **Edit** page for the currently-attached policy, where you can modify the incoming and outgoing routes to whitelist. + - **Detach policy**: You are prompted to confirm that you want to detach the policy from your connection. + +If route propagation is active, all routes whitelisted by any new policy you have attached will be immediately propagated over the VPN connection. + ## How to activate or deactivate route propagation You must activate route propagation for traffic to be able to flow through the VPN tunnel. 
Activating route propagation triggers the dynamic exchange of route information between the gateways. @@ -140,7 +159,7 @@ A new version of the PSK secret is created in Scaleway Secret Manager. Ensure th ## How to delete a VPN connection -You must [deactivate route propagation](TODO) before you can delete the connection. +You must [deactivate route propagation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-activate-or-deactivate-route-propagation) before you can delete the connection. 1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. diff --git a/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx b/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx index 7ea01b0070..a83bdadc9a 100644 --- a/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx +++ b/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx 
@@ -39,11 +39,11 @@ Creating a VPN gateway is the first step in creating a Site-to-Site VPN tunnel. 4. **Choose a zone** (optional) if you want to pinpoint exactly where in the region your gateway should be created. -5. **Choose a gateway type**, based on bandwidth and how many [connections](TODO) the gateway should be able to support. +5. **Choose a gateway type**, based on bandwidth and how many [connections](/site-to-site-vpn/concepts/#connection) the gateway should be able to support. 6. **Configure network connectivity** for the VPN gateway. - **Attach to Private Network**: You must select a Private Network which the VPN gateway will connect to. This is not currently modifiable after gateway creation. - You can choose either to auto-allocate the gateway's private IPv4 and IPv6 addresses on the Private Network, or select specific private IPs. You must have already [reserved these IPs via IPAM](TODO). + You can choose either to auto-allocate the gateway's private IPv4 and IPv6 addresses on the Private Network, or select specific private IPs. You must have already [reserved these IPs via IPAM](/ipam/how-to/reserve-ip/). - **Set up public connectivity**: Assign a public IPv4 or IPv6 address to your gateway. This will be used to establish the VPN tunnel. If you want to be able to create two connections between this gateway and a single customer gateway (for dual tunnels), you must also assign a second IP address, of the IP type not used for the first address. 7. **Enter a name and (optionally) tags** for the VPN gateway. @@ -52,7 +52,7 @@ Creating a VPN gateway is the first step in creating a Site-to-Site VPN tunnel. Your gateway is created, and you are directed to its **Overview** page. -To continue setting up a Site-to-Site VPN, next [create a customer gateway](TODO). +To continue setting up a Site-to-Site VPN, next [create a customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/). ## How to view a VPN gateway's details 
@@ -64,11 +64,11 @@ To continue setting up a Site-to-Site VPN, next [create a customer gateway](TODO 3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. Here you can view the gateway's : - - [Status](TODO) - - [Offer type](TODO) + - [Status](/site-to-site-vpn/reference-content/statuses/#vpn-gateway-statuses) + - [Offer type](https://www.scaleway.com/fr/tarifs/network/#site-to-site-vpn) - Availability Zone - Bandwidth - - Number of [VPN connections](TODO), compared to the total number allowed for the gateway offer type + - Number of [VPN connections](/site-to-site-vpn/concepts/#connection), compared to the total number allowed for the gateway offer type - ID - Attached Private Network - Private and public IP addresses @@ -91,7 +91,7 @@ Currently, the only parameters of a VPN gateway that can be edited after creatio ## How to delete a VPN gateway -You must [deactivate route propagation](TODO) on any VPN connections linked to the VPN gateway, before you can delete gateway. +You must [deactivate route propagation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-activate-or-deactivate-route-propagation) on any VPN connections linked to the VPN gateway, before you can delete gateway. 1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. 
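Review bot: In the "How to view a VPN gateway's details" hunk (@@ -64,11 +64,11 @@) of create-manage-vpn-gateway.mdx, the new Offer type link points at the French pricing page (https://www.scaleway.com/fr/tarifs/network/#site-to-site-vpn), whereas the other external links in this English documentation use /en/ paths, such as https://www.scaleway.com/en/developers/api/site-to-site-vpn/. Please swap in the English pricing URL so readers are not dropped onto a page in another language.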
@@ -103,7 +103,7 @@ You must [deactivate route propagation](TODO) on any VPN connections linked to t 5. Click **Delete VPN gateway**. - A pop-up displays, informing you that any [VPN connections](TODO) using this gateway will be auto-deleted, along with any flexible public IP addresses that you created specifically for the gateway. + A pop-up displays, informing you that any [VPN connections](/site-to-site-vpn/concepts/#connection) using this gateway will be auto-deleted, along with any flexible public IP addresses that you created specifically for the gateway. You must manually delete any other objects associated with the gateway, such as customer gateways or routing policies, if you do not need them any more. diff --git a/pages/site-to-site-vpn/menu.ts b/pages/site-to-site-vpn/menu.ts index 38dedf245e..fcc85c25c4 100644 --- a/pages/site-to-site-vpn/menu.ts +++ b/pages/site-to-site-vpn/menu.ts @@ -55,13 +55,17 @@ export const siteToSiteVpnMenu = { slug: 'understanding-s2svpn', }, { - label: 'Site-to-Site VPN Security proposals', + label: 'Security proposals', slug: 'security-proposals', }, { - label: 'Site-to-Site VPN Statuses', + label: 'Statuses', slug: 'statuses', }, + { + label: 'Configuring a customer gateway device', + slug: 'configuring-customer-gateway-device', + }, ], label: 'Additional Content', slug: 'reference-content', diff --git a/pages/site-to-site-vpn/reference-content/configuring-customer-gateway-device.mdx b/pages/site-to-site-vpn/reference-content/configuring-customer-gateway-device.mdx index e69de29bb2..d5cb961dd8 100644 --- a/pages/site-to-site-vpn/reference-content/configuring-customer-gateway-device.mdx +++ b/pages/site-to-site-vpn/reference-content/configuring-customer-gateway-device.mdx 
@@ -0,0 +1,29 @@ +--- +title: Configuring a Site-to-Site VPN customer gateway device +description: Learn how to configure your physical or virtual customer gateway device to connect to Scaleway Site-to-Site VPN, including IPsec, BGP, pre-shared keys, and routing policies. +tags: site-to-site-vpn, customer-gateway, ipsec, bgp, routing-policy, vpn-configuration, network-security, scaleway-vpn, how-to +dates: + validation: 2025-12-21 + posted: 2025-12-21 +--- + + +Site-to-Site VPN is currently in Public Beta. + + +Your customer gateway device is a real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC. The customer gateway that you create in Scaleway is a logical representation of this device. + +Creating the customer gateway on the Scaleway side does not automatically configure the corresponding physical or virtual device. This must be set up separately by you or your network administrator to establish the Site-to-Site VPN connection. + +Wait until you have set up all elements of the Site-to-Site VPN tunnel (VPN gateway, customer gateway, routing policy and VPN connection) before configuring your device. It is only at this stage that you will have all the following parameters and details which are necessary for the configuration. + +- [VPN Gateway Public IP(s)](/site-to-site-vpn/how-to/create-manage-vpn-gateway/#how-to-view-a-vpn-gateways-details): The IPv4 address, IPv6 address, or both, that you configured when creating the VPN gateway. +- [Pre-Shared Key (PSK)](/site-to-site-vpn/concepts/#pre-shared-key-psk): This is auto-generated upon creation of the connection and stored in Scaleway Secret Manager. 
+- [Scaleway ASN](/site-to-site-vpn/concepts/#asn): `12876` +- [IPsec parameters](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-view-a-vpn-connections-details) (ESP and IKE security proposals) +- [BGP interconnection subnet](/site-to-site-vpn/concepts/#bgp-session): The private subnet used to provide private IP addresses for the VPN gateway and customer gateway over the tunnel. The gateways connect over this private subnet to establish a BGP session and exchange routing information. For connections that are configured to route both IPv4 and IPv6 traffic, one IPv4 and one IPv6 subnet will be provided. Subnet information can be accessed via the [VPN connection Overview](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-view-a-vpn-connections-details). + + +- [Routing policy](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-view-a-vpn-connections-details): You must set up route announcements and filters on the customer gateway device. Take into account the routing policy(ies) you attached to the connection, when configuring routing policy on the customer gateway device. + +Specific instructions for configuring your customer gateway device will depend on your device model and vendor. \ No newline at end of file diff --git a/pages/site-to-site-vpn/reference-content/security-proposals.mdx b/pages/site-to-site-vpn/reference-content/security-proposals.mdx index 98063a0bb3..12625e960d 100644 --- a/pages/site-to-site-vpn/reference-content/security-proposals.mdx +++ b/pages/site-to-site-vpn/reference-content/security-proposals.mdx 
@@ -8,7 +8,7 @@ dates: --- -Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/). +Site-to-Site VPN is currently in Public Beta. When creating a VPN [connection](/site-to-site-vpn/reference-content/understanding-s2svpn/#connection), you must define a **security proposal** (aka IPSec proposal). The security proposal defines the encryption and authentication methods used to secure the IPSec VPN tunnel. diff --git a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx index e2c76827dc..17bd5dbae1 100644 --- a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx +++ b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx @@ -3,20 +3,18 @@ title: Understanding Site-to-Site VPN description: Dive deeper into understanding Scaleway's Site-to-Site VPN offer, with technical diagrams, explanations and more. tags: vpn gateway customer infrastructure connection encryption dates: - validation: 2025-06-03 + validation: 2025-12-31 posted: 2025-06-03 --- import image1 from './assets/scaleway-s2svpn-conceptual.webp' -import image3 from './assets/scaleway-vpn-one-tunnel-both.webp' -import image4 from './assets/scaleway-vpn-one-tunnel-one-type.webp' import image5 from './assets/scaleway-vpn-tunnel-detail.webp' -Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/). +Site-to-Site VPN is currently in Public Beta. -This document coers the features, use cases, pricing and technical details of Site-to-Site VPN. +This document covers the features, use cases, pricing and technical details of Site-to-Site VPN. ## Overview 
@@ -24,145 +22,114 @@ Site-to-Site VPN lets you securely connect your Scaleway VPC to your remote infr Scaleway Site-to-Site VPN consists of: -- A [VPN gateway](TODO): the connection point on the Scaleway side -- A [customer gateway](TODO) the connection point on the remote side (representing a corresponding physical customer gateway device) -- A [routing policy](TODO): defines the traffic allowed to flow through the tunnel -- A [connection](TODO): brings together the three above elements, and defines the configuration for the VPN tunnel +- A [VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/): the connection point on the Scaleway side +- A [customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/) the connection point on the remote side (representing a corresponding physical customer gateway device) +- A [routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/): defines the traffic allowed to flow through the tunnel +- A [connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/): brings together the three above elements, and defines the encryption and configuration for the VPN tunnel You must create all of the above elements, and correctly configure your customer gateway device, for a functional Site-to-Site VPN. -### VPN gateway +### Encrypted network interconnection with IPsec -The VPN gateway provides a connection point on the Scaleway side of a Site-to-Site VPN tunnel. It has the following properties, which you can customize when you create the gateway: +Site-to-Site VPN enables encrypted connections between your Scaleway VPC and remote networks, whether that is your on-premises infrastructure, a remote office, or even a VPC in another cloud provider. -- **Region**: The geographical location in which the gateway is created. It must be in the same region as the other Site-to-Site VPN resources (customer gateways, routing policies, connections) that you want to use it with. 
-- **Name** and (optionally) **tags**: A name and tags to identify the gateway. -- **Gateway type**: Different gateway types are available for different prices. Pricing is based on **bandwidth**, and the **maximum number of connections** the gateway can be used for. -- **Private Network**: Each gateway must be attached to a single Scaleway Private Network. The network chosen cannot be modified after creation of the gateway. The gateway will get both an IPv4 and IPv6 address on the Private Network. Other Private Networks in the VPC will be able to learn the route through the VPN gateway. -- **Public IP address(es)**: The address(es) used to establish the VPN tunnel. Maximum of one IPv4 /32 and one IPv6 /128 address per gateway. VPN gateways with both types of IP will be able to support two connections to a single customer gateway, corresponding to one IPv4 tunnel and one IPv6 tunnel, providing increased redundancy. +Site-to-Site VPN's secure tunnel is secured using **IPsec** (Internet Protocol Security), a robust suite of protocols that ensures data confidentiality, integrity, and authentication across untrusted networks like the internet. -### Customer gateway +You can define your own IPsec security proposals to control exactly which encryption and authentication methods are used to secure the tunnel, giving you fine-grained control over the balance between security, performance, and compatibility. Scaleway supports a wide selection of modern cryptographic options across key protocols like **IKEv2** (used for secure key exchange and tunnel negotiation) and **ESP** (which encrypts and authenticates the actual data payloads). This flexibility ensures your Site-to-Site VPN can integrate smoothly with diverse networking equipment while maintaining the right level of security and performance for your use case. -The customer gateway provides a connection point on the customer (remote) side of a Site-to-Site VPN tunnel. 
It is the logical representation of a real **customer gateway device**, a physical or software-based networking device. +### High availability with dual tunnel support -A customer gateway has the following properties, which you can customize when you create the gateway: +Achieve high availability and redundancy by creating **two VPN tunnels** between your customer gateway and Scaleway’s VPN gateway, providing failover capabilities to maintain connectivity during network disruptions. Simply assign both a public IPv4 **and** a public IPv6 address to both the VPN gateway and the customer gateway you want to link, and then [create two connections](/site-to-site-vpn/how-to/create-manage-vpn-connection/) between them: one using the IPv4 addresses, and the other using the IPv6 addresses. -- **Region**: The geographical location in which the gateway object is created. It must be in the same region as the other Site-to-Site VPN resources (VPN gateways, routing policies, connections) that you want to use it with. -- **Name** and (optionally) **tags**: A name and tags to identify the gateway. +Be assured that IPv6 traffic can travel through a tunnel established between two public IPv4 addresses, and vice versa. The public IP address type used to establish the tunnel does not restrict the type of IP traffic that can flow through that tunnel. You define the types of traffic flow (IPv4 and/or IPv6) that you want to allow by attaching (or not) a [routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) for that traffic type. [Learn more about this](/site-to-site-vpn/faq/#if-i-create-a-connection-using-gateways-public-ipv4-addresses-does-this-mean-the-tunnel-wont-support-ipv6-traffic). -The rest of the properties **must** correspond to the real properties of the corresponding real customer gateway device: +### Dynamic routing with BGP integration -- **Public IP address**: The address(es) used to establish the VPN tunnel. 
Maximum of one IPv4 and one IPv6 address per gateway. Customer gateways with both types of IP will be able to support two connections to a single VPN gateway, corresponding to one IPv4 tunnel and one IPv6 tunnel, providing increased redundancy. +Site-to-Site VPN integrates the **B**order **G**ateway **P**rotocol (**BGP**) to allow dynamic route exchange between the remote network and Scaleway. Via BGP, the VPN gateway and the customer gateway can automatically exchange routing information, each advertising the IP prefixes of their respective internal subnets. This dynamic communication ensures that both sides are always aware of reachable destinations, allowing traffic to be routed efficiently across the tunnel as network conditions or topologies change. -- **Autonomous System Number (ASN)**: The unique identifier assigned to the customer's network, used by BGP (Border Gateway Protocol) to exchange routing information with other networks. +Note that by default, **all routes through a VPN tunnel are blocked**. This is a security measure to prevent unintended traffic flow. You must explicitly define and attach a [routing policy](/site-to-site-vpn/concepts/#routing-policy) to each VPN connection, which acts as a filter to whitelist specific route announcements and allow controlled routing through the VPN tunnel. Each routing policy lets you specify outbound routes (prefixes from your Scaleway VPC that you want to advertise to the remote side) and inbound routes (prefixes from the remote network that you want to accept and route through the tunnel). One routing policy per IP family (IPv4 and/or IPv6) is required per connection. - -The ASN must be different to Scaleway's ASN (12876). This means you cannot use Site-to-Site VPN to create a VPN tunnel between two Scaleway VPCs (peering). Watch this space for our official VPC peering solution, planned for the future. - -ASNs can be public (globally unique) or private (unique within an organization). 
If you are unsure of your customer gateway device's ASN, we recommend entering a private ASN, in range `64512` to `65534`. - - -### Routing policy - -By default, when you create a VPN connection, all routes across it are blocked. You must create and attach a routing policy for the connection, which sets filters for the IP prefixes to allow. - -A VPN connection must have a **minimum of one** and a **maximum of two** attached routing policies, one for each IP traffic type to be routed (IPv4 and/or IPv6). - -A routing policy has the following properties, which you can customize when you create the policy: - -- **Region**: The geographical location in which the routing policy is created. It must be in the same region as the other Site-to-Site VPN resources (VPN gateways, customer gateways, connections) that you want to use it with. -- **Traffic type**: IPv4 or IPv6. If a VPN connection is to support both IPv4 and IPv6 traffic, it needs one routing policy per traffic type. -- **Name** and (optionally) **tags**: A name and tags to identify the policy. - -You can whitelist multiple **outgoing routes** and multiple **incoming routes** per policy. - -- **Outgoing routes** are the IP prefixes that define ranges of Scaleway VPC route announcements to whitelist. Routes within these destinations will be propagated, allowing traffic from the remote gateway to be routed via the VPN to your VPC. -- **Incoming routes** are the IP prefixes that define ranges of route announcements from the customer gateway to whitelist. Routes towards these destinations will be propagated, allowing traffic from the Scaleway VPC to be routed via the VPN to your remote infrastructure. +After attaching routing policies, you can then [activate route propagation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-activate-or-deactivate-route-propagation) on the VPN connection. 
When activated, the gateways establish a BGP peering session, dynamically sharing only the prefixes defined in the routing policy, thereby enabling secure and selective connectivity. This design gives you granular control over traffic flow while maintaining strong security and operational flexibility. -### Connection +## Use cases -A connection represents the configuration of a secure link between a VPN gateway and a customer gateway. It defines all the characteristics of the Site-to-Site VPN tunnel, including routing policy and encryption method. +| Use case | Description | +|----------------------------------------------------------|-----------------------------------| +| **Connect on-premises infrastructure to your Scaleway VPC** | Securely extend your local data center or office network into your Scaleway VPC using an encrypted Site-to-Site VPN tunnel. This enables smooth access to cloud resources as if they were part of your internal network, supporting hybrid cloud architectures with consistent routing and security policies. | +| **Connect your Scaleway VPC to infra in other clouds** | Establish a controlled and encrypted connection from your Scaleway VPC to your infrastructure hosted by other cloud providers. By defining strict routing policies and using IPsec encryption, you ensure only authorized traffic flows between networks, maintaining security and compliance while supporting multi-cloud architectures. | -A connection has the following properties, which you can customize when you create the policy: +## Technical info: requirements and availability -- **Region**: The geographical location in which the connection is created. It must be in the same region as the other Site-to-Site VPN resources (VPN gateways, customer gateways, routing policies) that it uses. -- **Name** and (optionally) **tags**: A name and tags to identify the policy. -- **VPN gateway**: The VPN gateway to use for the connection. 
-- **Customer gateway**: The customer gateway to use for the connection. It must have at least one public IP type in common with the VPN gateway (IPv4 and/or IPv6). -- **Tunnel details**: Based on the gateways selected, you may need to define how the connection should establish the VPN tunnel between them. - - If both gateways have public IPv4 and public IPv6 addresses, you must explicitly choose the IP type (IPv4 or IPv6) to be used for the tunnel. - - If the gateways share only one public IP type, that IP type will be used automatically for the tunnel. - - A maximum of two connections can be created between the same gateway pair: one with an IPv4 tunnel and one with an IPv6 tunnel. Creating two connections/tunnels per gateway pair increases redundancy. Once an IPv4 tunnel is created, only one additional IPv6 tunnel can be established, and vice versa. No further connections are permitted beyond this limit. - -- **Routing policy(ies)**: For each traffic type (IPv4 and/or IPv6) to be routed over the connection, an associated routing policy must be attached (see [above](#routing-policy)). +### Requirements - - IPv6 traffic can travel through a tunnel established between two public IPv4 addresses, and vice versa. You can still attach an IPv4 and an IPv6 routing policy to your VPN connection to allow routing of both types of traffic, even if it only has an IPv4 tunnel. -

+Before creating a Site-to-Site VPN connection, ensure you have already: - The following diagram shows a connection with an IPv4 tunnel (i.e., established via the gateways' public IPv4 addresses), configured to route both types of IP traffic: - +- [Created a Scaleway account](/account/how-to/create-an-account/) and [added a payment method](/account/how-to/create-an-account/#add-your-payment-method) +- [Created a Scaleway VPC](/vpc/how-to/create-vpc/) and [created a Private Network](/vpc/how-to/create-private-network/) within it +- Provisioned a real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC, to act as your [customer gateway device](/site-to-site-vpn/concepts/#customer-gateway-device) - The following diagram shows a connection with an IPv6 tunnel (i.e. established via the gateways' public IPv6 addresses), which has been configured to only route IPv4 traffic: - -
+### Components and configuration -- **Connection initiation policy**: Which gateway should initiate the tunnel. This can be either the VPN gateway, or the customer gateway. The chosen gateway will be responsible for kicking off the secure exchange that sets up the IPsec tunnel. +In order to create a working Site-to-Site VPN connection, you must: -- **Security proposal**: Defines the encryption and authentication methods used to secure the VPN tunnel. For full details on available security proposals, see our [dedicated documentation](/site-to-site-vpn/reference-content/security-proposals/). +1. [Create a VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/) and a [customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/) in the same Scaleway region. +2. [Create a VPN connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/), selecting the VPN gateway and customer gateway pair to connect, and defining encryption and initiation parameters for the tunnel. +3. [Create a routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) defining the incoming and outgoing route advertisements to allow over the connection, then [attach this policy](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-attach-or-detach-a-routing-policy) to the connection. If you want the connection's tunnel to support both IPv4 and IPv6 traffic, attach one routing policy for each IP type. +4. [Configure your customer gateway device](/site-to-site-vpn/reference-content/configuring-customer-gateway-device/) so that it correctly supports the VPN tunnel from its side. +5. [Activate route propagation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-activate-or-deactivate-route-propagation) on the VPN connection to trigger the dynamic exchange of route information between the gateways, and allow traffic to flow through the VPN tunnel. -- **Pre-shared key (PSK)**: Generated automatically when you create the connection object. 
It is securely stored in [Scaleway Secret Manager](/secret-manager/), and can be retrieved for the purposes of configuring your customer gateway device. For now, it is not possible to customize the PSK. You must use the auto-generated one. +You can verify whether the Site-to-Site VPN is functioning as it should by checking the [status](/site-to-site-vpn/reference-content/statuses/) of its various components. -## Configuring your customer gateway device +### Availability -After creating your Site-to-Site VPN [connection](#connection), you are prompted to configure your customer gateway device. +Site-to-Site VPN is available in multiple different Regions and Availability Zones. For the most up-to-date information, check out the [Scaleway console](https://console.scaleway.com/s2s-vpn/fr-par/vpn-gateways) or the [Product Availability page](/account/reference-content/products-availability/). -Your customer gateway device is a real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC. The customer gateway that you create in Scaleway is a logical representation of this device. +## Limitations and compatibility -Scaleway cannot configure your device for you. In order to successfully complete the setup of your Site-to-Site VPN, you must configure the device yourself. You will need the following information, which is available from the API: +Site-to-Site VPN is currently in Public Beta. The following limitations apply: -- **Public IP address(es) of the VPN gateway**: The IPv4 address, IPv6 address, or both, that you configured when creating the VPN gateway. -- **Scaleway ASN**: 12876 -- **Pre-shared key**: Auto-generated for you upon creation of the connection, and stored in Scaleway Secret Manager - -You also need to set up route announcements and filters on the customer side. 
For this, you will need the following information: +- You cannot use Site-to-Site VPN to connect two Scaleway VPCs +- You cannot modify the Private Network that a VPN is connected to after creation +- You must use the auto-generated pre-shared key (PSK) for a VPN connection: you cannot currently define your own PSK +- We cannot currently provide a configuration file for customer gateway devices -- **BGP interconnection subnet(s)**: The private subnet used to provide private IP addresses for the VPN gateway and customer gateway over the tunnel. The gateways connect over this private subnet to establish a BGP session and exchange routing information. For connections that are configured to route both IPv4 and IPv6 traffic, one IPv4 and one IPv6 subnet will be provided. Subnet information can be accessed via the API. +## Pricing - +Site-to-Site VPN is priced at an hourly rate. The rate differs based on the VPN gateway offer type that you choose. The following two elements of each offer type influence the hourly rate: -- **Routing policy**: Take into account the routing policy(ies) you attached to the connection, when configuring routing policy on the customer gateway device. +- **Bandwidth**, i.e. the maximum data transfer capacity the gateway can handle at any given time. The higher the bandwidth capacity, the higher the hourly rate. +- **Max connections**, i.e. the maximum number of VPN connections the gateway can be used for. The more connections, the higher the hourly rate. -### BGP communities +It is currently not possible to upgrade a VPN gateway to a more powerful offer type after creation. -You can influence routing between the various Site-to-Site VPNs in a VPC, for traffic flowing from Scaleway to your external network, by using BGP communities. +You are billed for a VPN gateway from the moment you create it, until you delete it. You can [delete a VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/#how-to-delete-a-vpn-gateway) at any time. 
-Refer to the BGP community documentation for [InterLink](/interlink/reference-content/bgp-communities/) for details - the same information applies for Site-to-Site VPN. Note that by default, InterLink takes priority over Site-to-Site VPN for equivalent routes. +Note that: +- The public IP4 address attached to a VPN gateway incurs a separate charge, with its own hourly rate. +- The auto-generated [PSK](/site-to-site-vpn/concepts/#pre-shared-key-psk) for a VPN connection incurs a separate storage charge from Scaleway Secret Manager, with its own hourly rate. -## Activating route propagation +For full pricing details, see our [dedicated pricing page](https://www.scaleway.com/en/pricing/network/#public-gateway). -The final step in allowing traffic to flow over your Site-to-Site VPN, is to activate route propagation. This enables all the allowed prefixes defined in the routing policy to be announced in the BGP session. Traffic cannot flow over the VPN when route propagation is not activated. +## Features -Activate route propagation via the dedicated call in the API. +Site-to-Site VPN offers the following features: -## Monitoring connection status +- **Customizable routing policies (create and attach routing rules)** – Define which IP prefixes are allowed for inbound and outbound route advertisement. Each policy filters traffic by source and destination ranges, ensuring only authorized subnets are reachable over the VPN tunnel. -Once you have created your Site-to-Site VPN connection, and configured your customer gateway device, monitor the status of your connection. If your device is successfully configured, and the connection is working, the status should be **Active**. +- **BGP-based dynamic routing (enable/disable route propagation)** – Dynamically exchange routing information between the VPN gateway and customer gateway using BGP. Activate route propagation to initiate the BGP session(s) and enable traffic flow based on attached routing policies. 
-See our dedicated [status documentation](/site-to-site-vpn/reference-content/statuses/) for full information on different statuses for the VPN gateway and connection, and how to troubleshoot them. +- **Flexible IPsec security proposals (customizable encryption)** – Tailor the security of your VPN tunnel by selecting specific encryption, integrity, and key exchange algorithms, balancing security, performance, and compatibility with your customer gateway. -## VPC routing +- **Dual-tunnel support for high availability** – Create two connections between the same VPN gateway / customer gateway pair to establish dual tunnels for redundancy, ensuring continuous connectivity during network failovers or maintenance. -Routes to your Site-to-Site VPN gateway are automatically added to your VPC's [route table](/vpc/concepts/#route-table), and advertised to all Private Networks within the VPC. This allows all resources within your VPC to find the route through the VPN tunnel, to your remote infrastructure. +## Going further -Use [Network ACLs](/vpc/reference-content/understanding-nacls/) if you want to limit the resources that route traffic through the VPN gateway. +Ready to get started with Site-to-Site VPN? Check out these pages: -## Site-to-Site VPN limitations +- [Site-to-Site VPN Quickstart](/site-to-site-vpn/quickstart/) - Learn how to set up and configure your Site-to-Site VPN via the Scaleway console. +- [Site-to-Site VPN API Reference](https://www.scaleway.com/en/developers/api/site-to-site-vpn/) - Full documentation for managing Site-to-Site VPNs via the Scaleway API +- [Site-to-Site VPN Terraform Documentation](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/s2s_vpn_connection) - Integrate Site-to-Site VPN into your infrastructure as code with the Scaleway Terraform Provider. +- [Site-to-Site VPN FAQ](/site-to-site-vpn/faq/) - Get answers to the most frequently asked questions about the Site-to-Site VPN. 
-- Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/). -- You cannot use Site-to-Site VPN to connect two Scaleway VPCs -- You cannot modify the Private Network that a VPN is connected to after creation -- You must use the auto-generated pre-shared key (PSK) for a VPN connection: you cannot currently define your own PSK -- We cannot currently provide a configuration file for customer gateway devices From 7670dd26174554999f6aeb4bd808b461281ca95e Mon Sep 17 00:00:00 2001 From: Rowena Date: Tue, 30 Dec 2025 18:05:44 +0100 Subject: [PATCH 05/13] =?UTF-8?q?feat(s2svpn):=20continue=20console=20doc?= =?UTF-8?q?=20=C3=A9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- pages/site-to-site-vpn/reference-content/statuses.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/site-to-site-vpn/reference-content/statuses.mdx b/pages/site-to-site-vpn/reference-content/statuses.mdx index b560e620f6..c0bdb0c889 100644 --- a/pages/site-to-site-vpn/reference-content/statuses.mdx +++ b/pages/site-to-site-vpn/reference-content/statuses.mdx @@ -8,7 +8,7 @@ dates: --- -Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/). +Site-to-Site VPN is currently in Public Beta. ## VPN gateway statuses From 8ddd6953ac9d3b1d24019080d53d3ecb2899be6b Mon Sep 17 00:00:00 2001 
From: Rowena Date: Wed, 31 Dec 2025 12:12:10 +0100 Subject: [PATCH 06/13] feat(s2svpn): finished first version --- .../assets/scaleway-vpn-one-tunnel-both.webp | Bin .../scaleway-vpn-one-tunnel-one-type.webp | Bin .../assets/scaleway-vpn-tunnel-detail.webp | Bin 0 -> 25828 bytes .../how-to/create-manage-customer-gateway.mdx | 8 ++-- .../how-to/create-manage-routing-policy.mdx | 4 +- .../how-to/create-manage-vpn-connection.mdx | 41 +++++------------- .../how-to/create-manage-vpn-gateway.mdx | 2 - pages/site-to-site-vpn/index.mdx | 23 +++++----- .../configuring-customer-gateway-device.mdx | 2 + .../understanding-s2svpn.mdx | 1 - 10 files changed, 30 insertions(+), 51 deletions(-) rename pages/site-to-site-vpn/{reference-content => }/assets/scaleway-vpn-one-tunnel-both.webp (100%) rename pages/site-to-site-vpn/{reference-content => }/assets/scaleway-vpn-one-tunnel-one-type.webp (100%) create mode 100644 pages/site-to-site-vpn/how-to/assets/scaleway-vpn-tunnel-detail.webp diff --git a/pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-both.webp b/pages/site-to-site-vpn/assets/scaleway-vpn-one-tunnel-both.webp similarity index 100% rename from pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-both.webp rename to pages/site-to-site-vpn/assets/scaleway-vpn-one-tunnel-both.webp diff --git a/pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-one-type.webp b/pages/site-to-site-vpn/assets/scaleway-vpn-one-tunnel-one-type.webp similarity index 100% rename from pages/site-to-site-vpn/reference-content/assets/scaleway-vpn-one-tunnel-one-type.webp rename to pages/site-to-site-vpn/assets/scaleway-vpn-one-tunnel-one-type.webp 
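Review bot: The Network ACL guidance is missing from the new overview text in the `@@ -24,145 +22,114 @@` hunk. The removed "VPC routing" section said that routes to the VPN gateway are added to the VPC route table and advertised to all Private Networks, and pointed to Network ACLs for limiting which resources route through the gateway. A reader of the new "all routes through a VPN tunnel are blocked" paragraph still needs that caveat, because routing policies filter prefixes, not which VPC resources can use the tunnel. Keep one sentence and the link here, or confirm the text now lives on the concepts page. In the Pricing "Note that" list, "public IP4 address" should read "IPv4". Since the dual-tunnel section asks for both a public IPv4 and a public IPv6 address, say whether the IPv6 address is billed as well. Smaller points: the customer gateway bullet lacks the colon after the link that its sibling bullets have; "secure tunnel is secured using" repeats itself; the pricing link ends in `#public-gateway`, which looks like the wrong anchor for this product; and the Availability console link hard-codes `fr-par`.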
diff --git a/pages/site-to-site-vpn/how-to/assets/scaleway-vpn-tunnel-detail.webp b/pages/site-to-site-vpn/how-to/assets/scaleway-vpn-tunnel-detail.webp new file mode 100644 index 0000000000000000000000000000000000000000..70cf772e4a357df5ccb0f15228b5a179950abab6 GIT binary patch literal 25828
zX9Dqp!y>0BbI*42#9FtN;1ba$zw)crYP|It^rzY<5mtO*+>ql(4UP2X7Wf@u%VTWa zU(gy-CaKXxdOsE1H}YFjJpIADFl99*SaT^pV3AYmc|f?7&nm9mLRzBdhVc_U8Oy{M znf*J*Ixz?bcxf6q61@L}tQ6L_yYwrzoy4H@Q28Pi<3g?cd7fXu@PoKn-3I~+iKYyB z3CcyeFk_=6uGs9(Tn{vwxYlai+SM?gP7*T~J_rr$=NV&p9wXVpx{k@k6`73ZNXzn_ zXra*lbwa|`AJk^Mz#Ycd$;2gHS1XM~%4KtJGRWP>sWGI#Fg`6U zhLXcZ%V$uzs7BLr!xxMH&iJYRQbHMx_DNQX%V%p7C8j#1!A#o~yp1C{YwO4VjGT`Z zg75q9ov_$#J?tTEmz#Z&O>fPI>J$3dtW8u(k2Zv7(Kl5gNPlst#$~mJ{amhcMqjjq zwl6?RQ7Rdx6IiomC-IXT4xF0XT!F1_Pb72);7%n84HwGy-)}o=@+z4&e?W}bvTohD z3N3c=0QwNf*0#T z$Q-Y|sfPLcLFd7!*EdvIJ+KZw-M{TeOA;J{DqeX&n=F~9(&Xg0>!d5}bCgRo+mg2;!Uw zzEFT93mbS$N}gUkm>L5?whAW3)8ia2LzgjPg&Nv+dRf`zj7o1QETrSO{qNpk&uJ&# z?Wu3E-^KEzZpaOZBi^Iu%ONWR5VZO~QdL+*293qbu==^V=FE&_Bz32>r|++CEY{%o zS`oma3f{|)3}A`NM9N$h9Q8|JP>hR!@e+%@cijY{e6990kvSv}EheeT=7_$WDi1SB zeS{o0+=op@4hupD1uK7Ac;QvF*lalH@KsU?nkB?iyl=Zt>e*0=&eVqIGJA7dnAOuT z!{c-t#*;K=X)HP9Xmb&>|C}97xgs%S`D4{G8+J*$YRicrLP9bf*or;zCCjvY3a?~2 zd0L3}gkYQh=U+IQ1v&(0j@7XG7Wq;HSmctviT_V6Ulmkm6SRrDLk{k8aCZ%^fndSi zf(Ca8?(XhzAh-p0Ik>yKB)D6`o-g}X?OyEd-gb5MbU#l|_tZP@wBi6Yp2-g}@$e!a zFzM0-(X${<=GOz07Z-etwik?UUWLT{_9FPP!1r3%Eu z%5A|y9L^I>Ck$pyG%!VUy;M2H?klHL6WX-K)J(E$gpT?wA)iMVD4W$UL#Y3`C`EOm zbs)JVF6mMxU*c2kYPyHKQ#zG9<);U31s2J1*(4Y%#hMIbXcsDqk|-M{=Is*nWVDGS zjXw@F{u|1M*73qt>r@ixM8`8!y&>m6W4N3PS$fp z=490U8$KBhYJxk7Kay$O+}bhmE-a*VQ<)F*E~l0kMQDQVxw zXGAC&yk|>W6dj-YG?##f=yhX3NX^A53zpHKHM27BRa8rxx)Z96`v%)SoN2y$#V{MH zij9b)Ng5{A^uRKCYiUb%5opx1_e3-^3mz<_ghp+F9kj`@L=wzQD0UCcdiE}YjT2b- zk*F)DNL=+OrEwfnv;lGsa`yA-Z%mG~<{V_pnme0PlB(eCZZQJoy@)0qCG&?XKLsJ? 
ztO-)q`qGi_0%1MV7`ZcUWwozwaU!K6FpZ85PaL(Ol7Ei!yXT^L%P0Pb327-C`rKpj zyPPxVi?;vLoR352bfTV$d}?oWP8$g-<+ATfWg|0thZ$I#KoxvSWMq~_QoQ@7Uy+nMn{){p@J45=9!DuXu^jZcCk(i~e1eyuKhj$*o$Yj|_~Rr~~se}~@kx9pEBi`BLSn!5 zYpqEJYzR_Z9v7Hkyc`Acr=ID~_6<+(?Usft$0T86)e0BlH=a>KIk!2mlH`-RR- z*-{#nUX`c(F0xh2SYalyl^I-&iHqgqriu9x){exbp4Kpn`pLFLB7A&hNAd_YtQ|ESHdhxN zeH9o~n{sU_I8bY%y@$-90?G~y>iF3u>rXtvWN~n-tFc~f@v`UzgcmfV&iy1i_)SE^ z$8hjAT#_IY%YgK;Tn>umo8RwMrHc1=@b>%V{U61_4>>LbKVHwh+pU1I&yF_DbDilg z#6dfys$(r|T48@r(_UJ}g$Px%!Gfod(9Ig3RK7v={Z0HldGYQ`ULX)&-!54M!Y>8y z)j1HXh09o5nai_8`Wk-VVPq;3V!Rs{IX%itYg`zJL`jyL6Fa~vB4<46vAGlKvbe^f6!Ja! ze&A%w9aZ&c+PQ=XO}1HRUMzs1FK0mUYVDGJuL8R=5O}2>#IDibE`t&rvRiadT`up? z;ehU1Ox)@}FVTZe^@4FWdHnazM)GEWa$8c~8GLFRhn z|HFh-$B$#(f&=rOAlN7v)ZJ8)A)NK<-SDz^Vh|}dV@9&HS0VdT0$YIF<5JV|sUXp5 z#>*yoIXEqKQ#OO8dNWwYk<69E(@K!F)+)x>&24m@+$k?@51QITrET#{#Oj)FH+z2n zfUn5AL^vBUI>u1hd@S*gkXp;bkF}aGdxL7;6xEZoSB@KhK;+zfdvgor3uPl4U6LVb_ZKx(NSPLMe=U@b=+)mv0DEk3PsQgBF>dBsjD#m zeC0FDMz8<_Bju(5m*;yfrP_0VEnu#k3y0Dn=G`t_u8+8h>FAj{;Tc|z0cj0UpG5CF z*5X`F<*?lO*#T#7~Z9Y_2ljRPJXRV1pn6(tMx00#8 z=`#G3#vI*sPY6=6I!m88CB;AAqK8zM#?R+zw9kXWQd9*P2T#55wVE|t9F85s<4`r8 zNTf3lGZ1TE1xl(KI1AO72ip)9JuYFZBr@w!rlU%1b3e47eo5i0qyI~c6s<@OqOBiQ z$;S&;=&?Puc<$Dawh=*Q)INg@5jrKgSankP3O60c#D9-CTFqVrtriMn7fOzspn|c_ za!DS$+-FoxjG<8iZ~6z&|7#9xEwUq+35>UO2X}j5hY;O!f9mB>L5~tCYD{Azf}046 z>l2ZJwF}NO_8T$x`CV|CFaC)`Sq`CfWl;Y9bk#jS@I#QeKVgbB_ND)6UDLog`7^^-;gM%7b@CZ5zlP$k0Cc9Uk$FrVg)kMsuq`Gtv_IQIn<|`}C+J zv^~s5fyn@w6%qN^WHpFZ09#hs3~s+7G?99GWP+G199$~AGHAZZs?TTMACwDv=$`La zc;UAPKFSA&JdS>WYM1-S_PhzBVZ*KVVI*%{{dAfg_J^LerzT?6M{)dgG-+TgTuhNF zJR=3C+!oqiD+_$HCJ)-zu$d_k-nNJCXL)j+Jx;T56ZT`LT8rE~yVp3_X`k2@qU6Ah@F5XGF4l z_-o-rM(kN>UDP;aTJa%LG2d-#Ad5DZg(HE2HEM7Sy(^-MGvxXbnm0ZvC&Gcvt06xM z#I$r0N!AkcN-ij6KD;WUGC=lM)&`KYglIhoa%_y>s)fl9Kuy0-T?pY`2woP}he>|> z+B-QbT#0+d>1}XNL{ddLG2Kq)O&3&(Fx3BqPn2qFqxTeO99EDm^XpQGrKBW&-qJaL zq4D{fM*qe^2Y+V2ps}dC%KHadvANV{rIx5mCn9e26|IZ$b^YJ%2L1X=Fg)nz^`U3- zYtp#nXDAg5^f5hia;5twZ&1MRZNFUyUhv-d|2*ab)F8Wqt4*cdQ}aVrFnXu4az*28 
zH(LDI=TfF{WLwK6Hx{gTp8%k@$a{yoArcN$!SZq5Y4ha`6CNgOgiIPT;pyO@!kd@jH|raBI>*h+0j_QKE*@IJd?C-UEP>_ce|&Sis?ZI_~&LaQ1DZ5fW#J!{3)Y-OnI z-A0p1W}UjrrT_?c*^sQLykTv!KS*NQ2?8ic8TGeb5SVs@7WapvK>y0D6E_ z&LYIyZa-tuI5Mjul?l(8Pn!yDvz;TYtU@iG!oxf4<>1f4R^~REY+GMb`{lF=cM7;$ zcs-+jAy0M|W#g_sq#2e7|1na}?_uGQS5~z7j~|;5;ge1$S<-P@wx_jC4->abw|HN0 zoIh7^$_Fb$n~Pl?-W*M_4gRO^P`rvN%I@1gWf#Kv&k$TMG1&!cBkcvIdr5h>DqF&o zNH8x8iitu#A5g^R!~B@+N1vc~O_ohLYc$=qcB1ji$*))!9eA%eS9OlW4>fGG%};*i zhaGJ;*8T!xOlhV%3hm1*-SMx?xn8xKUWX#-`o422d;aRt-?hQXVMqRL?-$>1y)EtB z+?9TCX_%Ozc}0bfsgRkz$@f>xP;*K`%}7GE^#tCVVh=a3jqw73)tDh4$epy9&6?;y z#O0bRJ!q}R$o`p^SE!{UvJz1VSRb*XopVE&B~zrXH8OBke~57l8y=JthNo?ho+ zfp-3rS(t_UnGlPAN&Iair~b@RF@*)bVbIB#rsJ$OX%}W{+}NA%mRiWVun3RgkT$z* zG>H8=EJjCxPdgvQogB1zAbOg?d=yX$<_=)`Wjm#_=6z9Rq?DGHDKiz=keFe z>}d=fA!po`2B)DUqd3L4ilxH|(iQR`(waT2lTvx=g3 z1>0&}#dzg-CsHbjGnbwh&`Czy$2OPi9)sy!86nxNZoRzIxp?Xms5(w;rQSge`8@cK zUrX7`q}oYS+9OSr(;#ke&V$=RDroUjnOpm;{)PuyYse#rNjfoF0%AXFrVjmzi4w23 z5U3Z5hEH}e$pDB$1M(3lD>x^F@uS?xLH7ru6|#ozS)~ezfwXD$rvx9DFd0e+0@dSz z4CBud1#=YBOsK-Cq*6%X`ddF8pgvvm`}rzOfut>7`0=r6iEhj%gmXAbB!hh!sXui%4X>tu ziR>C9936_*m*q9FCG9C0F;Zh4G06;!O$jJ|{K7qytmd7#365N8%arnnuqQL@fcLX%pzE{Ba_s!V9pN4%2hP*c42l|XnSuDjd--pW_eYP9=rR@x`(pG z$k1p)l486oS$Z8${Nq6m@=&OGI37Tc6iYx$@hD%MB!wYvK1C3k6M@mZ1M64&Q_+0IPF*Kqlrbfn0PEo3Gq(VO=nSYzI+F&kg zbf2zkY?WexHSSc(?J$w1hA?p|G2YvLEC*NX24+JN*`L>|wMEM8I@$m>V$?6mwdW@> z?8V)9j4TnPZx}v*UbU!>8Nu}dn^SCWmaYj>oymSES?80EU>}zVmzn?ds#ywzd;GbL zRr9M02+(kyKkbj#k*149ExjpB!sEU9umPaHJFh8RBuq^wY|8Bz)^Kb2)7Ra^ZUdgv(6rdz@q6YL^OXQUy;N@xLH%q4C@ohL9tIKj*u_%)j%ojM>~#>d3CbX4&GEJ zt3ZcA;A1mJE`q$;Oltkvmqb+tg3l1oZKi&hrC(CVSFV9>yXW^lXb=~gEGTi~^jug? 
zW_i9REFqD`w!{&PWu^puvz~oH>l{O_Ph?`w$7+SmbD47R-~cROPhilQ7LA2nApp|4 zM<^~f?k&RNys4ow;!Tap{xhoOp-pvlu(yktLjH`+hVmg~&wcjtv7CDBfkG=7aJ8sQ zoQ)#B5IBWGyoyu>4;?3s-oSqIP*qnHT3V?6k?v6*L*Q2|6!i;dVd4@bYCS7h%i~bG zDzf$}O*(J$5Rm~d(~Uu53(S_qSv6Gtwc)G9H8YtAq))qb+p!_y!}`??C?;X3RYEL) z1W418G9tm^h2eHhOOG#>KlcL-u?X7k*4Kvkyf-N5CtV()o9U2Jbx>yV6)dWKB80E* zIMtl8y0PesJ6TY$G+@r!MYA%Gf;V-}cRfv?|0|rAHQCpmn$^JYDGNfq`)p{!j?*p% zhV%hC!m=N>7veYFjFyZdao^ssL9 z#e97ekz7b{v5g{N@Fu+xbMdhd{#hUrA1KELSq(8)Qb`y{< z>N(FzF^$)F_}Qj;Ztok)RHjC}k8@L82$|!?eG(2F;b74}KN6oA-S>E!zM*u<- zwr*lf=X|Ly2sQZj8C%V?0ndtFthcMiFgU6;95R%?W@0BKXGNopP^~L! z?R>hJFA}&&4p{NfHD5|a-@4c*`Bip`aC<1`_fBo5%}N*FS8@p95jwK(VAz6?#WdKR z3+TvVg`whvFob}59tLz2L-`Mrq3(GJd2dtCgjbrE`&@wc6{M_O{T5<*+7Z7<-dXn0 zz3K~s9I0wAo18J}<6dc$MymWksXiZ_Hh?A)bdUs?0I5Xpw5sfdC~bM@63B}&!8+#; zA`>=WHerSQ-2etk$eatY!0l>68mL0!#@=uLTjG*rmJ=E?wMXV7Wv1`|+2c6bvr-&p zy`c5+o~quS5|M=lcrI$cOdLXU4i8-cIAK8#!E%QABK538fYD>;F|;!$;JywXHvyOl zPjAWQq1y&gX^}`v$Q84M=f#SjWd9#((!$JSZHk?FxdrH@W; zNENDfvmpVKdtN$quk@a6aD5Y$uwc^G{n-pBmJ`7*cb*4uq&BTSYv4^b8vAn5v=o1v zY;5&L36=@d=MUqw6MXzk>{<6mTAH!fCU0D6;>#oqf{v0geQHCBQ1yNB?yGu$uU~y9 zSm&|Yh(r=!G`E9M)*tVE{Zg9fRVVnZ@p=290{zi~!9%waEVJcn32^p_ccDOWAMV`R z*LZXBis!;R6Hzv5+x308BLjgpayjCE1v?y0{U}BOO^MtBsdBZy$E}AWuyUo&MPB1B zU(hf}x;ulK-9tvqc#~mNJ>%8MJwL;_qr$jge316JeIPr=(z{7iI2`HYI}w>m${G9e zZhe1K&j+&b=ecIuy0Df2GAz`XWGS`rFnrwz77i{%U&+EHsZk0YYQa0N>I9$e`VV{X zdl(h%xL-Vb*naN;u7A(p65w75d7DcbA(lE|=-EDAgSqSz@o5Ur`lYo?e3S;K5cqVY z9KCesH2H`gSxAMa(_z4bwWv&jGAo-&AG@FP0B{#QzDKI7Cgi$t8#{*Iq+z;%d~Gz zx!|6EuD4@{;N~Tg>LTFR8~Zo>n?GB?s@m@lOre8(9=fiec$Zf1Rx8%ec`h^DKl}0J zUB;<13^h<0ZXDCW#3{)9J{b%Iqw1vn_&>*1lg}$~A#8w2TsE2>`CV4C)yen+Zpe;b zY1r}=`LmMIAIPkvw)Qu?_LlK1ZzyTc^9SLtI#Fn~C=I>ixu{*RxAyVQtngVg$qOqb zlwbG>-7jEF!D0gMuXngNUdmj2vmqKjXc}Z0frNQ+L}um7re^&!l_#3xYv@Ma_s%@S!x%XDSZGOQ#wZ-!!99 zxPDB?P2yztK@%T{a0t#d=eSJ2V(12H-=MC0q!Mlu7VjH>_&3#KHfq(`uZ6L^gC+5} zEiO8=5Yt5v(~029QxRqCf}Jix^BB{6I9i<4^hbV=$(H%B^7}Yb=e6wlC{w9DiN2)D 
zF`k8wg#_iA3#KxY6Xi&OPbe?EDwj?d2FuA=cTRimtd;+zkOnB8>#m=&$$h#b?-)ua zZ0HxV0u7al;nsc(1vIBlSb1|%M$W?#cX0;BCnwL5&5;5GG{vYHpB!vUjjKFDO3)+! zDC9GT!*PSce^9%>@Pn8BVnIhCa3TN|g!Kt6sGz~H2w2;E1PIRp&Iw*;lh#rkSfgo7 zO()O;KacFHv?sV7Y?Uva{8{m=&AjKpk?U<$INKZ6vzek(6E0gAOw?4ExlFC{)Bsd~ z%=C1W-U_RHvDT{;H)}xPGfpjine4++4vUYAw-iU#-{wu`HXF1UZ~%<#xrlOp$z*BH zJ>8nWgD8;RFQ+aSmFapi7f^A!KXG{Lp1>QxO3T6kFlOCr5|?l};Ue}?KaKwMrn| z_B4Y6IneI7Ux5UI!&&(^P4jpcYLPDRs(KR}CtQU2`VYyNNFn5LJOoH;(|JroP`#sX zt}1-wuh+lKn_pqNbRr9uogR*zV2)F!lK}}5)V5=L)3GH%Fj;GB`VW)DJkcpng$G4b zA~1S`>7^4ZEg>AL8@&XCt*X#R{$s&^R+|8cMP|4HZ50^wTKC-K)Q|*W6GX^1P+@~K zhnp|Is3IYb+8odQBh34SUowkbO(E1P-sS3%?6}Fb8B&u*2Yhnm*5-ZUafLtjL28DY z@RXsH0p^c6F!EYk>wm782>az^rfe*ByrtY-ij zx_p^873I*Rjc{2!^5qmGoKNdTV7S$on0u*@z$3S83Or^H)@-!)aGHSn!fRN2?8bVe z01leCk5lB@g3DR);i~^(55|Qk6i!5Txy0&@-c{VwQhLjG{4ws&>Lka3W!JF3I%j>N zEZiubUB|7PD+g@fBVT#@1__cspk)gAiJ4P54h%Ha(BYhdONrXXKy~FS?)p4J9{7DovAiZB zAEC%X1{#9y|FV^l&c+OK_*VzaRB=g`>PP#u*_rtk3Cl$S98EwNF z^^g^p&RDZ{IVV9w6UZ$?Ytw>+nR3r$}1lPvisBR?FfPWn@xO6YnR z;}~Lpu@kDv;^{zjgSq0u8taFv384KpB4UIz@(@>vKn^jw5Q%If=F}ejK8>wzR1w8>V zHUX+_ov**$6cR=}RPsUPF5lDBX%gfA9te{j7K#y0a=9^Ay35;VdyZP(A#BFriygns zj$!5tVG6#<{y%1<|KCy{sM?!>{|gVf BtwjI; literal 0 HcmV?d00001 diff --git a/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx b/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx index 61cbd41ffd..100b548181 100644 --- a/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx +++ b/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx 
@@ -10,14 +10,14 @@ import Requirements from '@macros/iam/requirements.mdx' import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp' -A customer gateway is one of the essential building blocks of a Site-to-Site VPN: +A customer gateway is one of the essential building blocks of a Site-to-Site VPN. It provides the connection point on the remote side of a VPN tunnel. This document explains how to create and manage a **customer gateway** with the Scaleway console. -A customer gateway in this context is an object representing a **real** corresponding physical (or virtual) customer gateway device on your remote infrastructure. You, as the customer, must also set up the real customer gateway networking device, which can be physical or software-based. +A customer gateway in this context is an object representing a **real** corresponding physical (or virtual) customer gateway device on your remote infrastructure. You, as the customer, must also [set up the real customer gateway networking device](/site-to-site-vpn/reference-content/configuring-customer-gateway-device/), which can be physical or software-based. @@ -27,8 +27,6 @@ A customer gateway in this context is an object representing a **real** correspo ## How to create a customer gateway -Creating a customer gateway is a vital step in creating a working Site-to-Site VPN. It provides the connection point on the remote side of a VPN tunnel. - 1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. 2. Click the **Customer gateways** tab, then **Create Customer gateway**. The creation wizard displays. 
@@ -52,7 +50,7 @@ Creating a customer gateway is a vital step in creating a working Site-to-Site V Your gateway is created, and you are directed to its **Overview** page. -To continue setting up a Site-to-Site VPN, the next step is generally [creating a routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/). +To continue setting up a Site-to-Site VPN, [create a routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) or [create a connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/). ## How to view a customer gateway's details diff --git a/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx b/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx index c6e3d7bf90..8553fa9162 100644 --- a/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx +++ b/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx @@ -48,7 +48,7 @@ When creating a routing policy, you specify one or many IP ranges representing t The policy is created, and you are returned to the listing of your routing policies. -Remember to [attach the policy to a VPN connection](/site-to-site-vpn/how-to/create-manage-routing-policy/) for it to take effect. Each VPN connection can have only one routing policy for each IP traffic type attached to it, but a single routing policy can be attached to multiple VPN connections, if desired. +Remember to [attach the policy to a VPN connection](/site-to-site-vpn/how-to/create-manage-routing-policy/) for it to take effect. Each VPN connection can have only one IPv4 and one IPv6 policy attached to it, but a single routing policy can be attached to multiple VPN connections. ## How to edit an existing routing policy 
@@ -60,7 +60,7 @@ Remember to [attach the policy to a VPN connection](/site-to-site-vpn/how-to/cre 4. The **Edit routing policy** wizard displays. See the dedicated documentation on [creating and attaching a routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) for help with routing policies. -5. Make the required edits, and click **Edit routing policy** +5. Make the required edits, and click **Edit routing policy**. A warning displays, to remind you that modifications will immediately be propagated on VPN connections using this policy. diff --git a/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx b/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx index f511fe1011..a8c5f210d1 100644 --- a/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx +++ b/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx @@ -9,8 +9,9 @@ dates: import Requirements from '@macros/iam/requirements.mdx' import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp' +import bgpSessionDiagram from './assets/scaleway-vpn-tunnel-detail.webp' -A connection is the central component of a Site-to-Site VPN. It links the VPN gateway to the customer gateway, sets the routing policy(ies), and defines the parameters for the VPN tunnel +A connection is the central component of a Site-to-Site VPN. It links the VPN gateway to the customer gateway, sets the routing policy(ies), and defines the encryption, initiation and security parameters for the VPN tunnel 
@@ -42,7 +43,7 @@ This document explains how to create and manage a Site-to-Site VPN connection wi - If both gateways have both public IP types (IPv4 and IPv6) you can create a second VPN connection between them, this time selecting the other IP type, for increased redundancy. -6. **Specify a routing policy** for the connection, (optional). The VPN connection needs a policy for each IP traffic type you want it to route. These policies define the IPv4 and/or IPv6 traffic that is allowed to flow through the tunnel. Without an attached routing policy, no traffic can flow, but you can choose to attach a routing policy after creating the connection, if you prefer. +6. **Specify a routing policy** for the connection, (optional). The VPN connection needs a policy for each IP traffic type (IPv4, IPv6) you want it to route. These policies define the traffic that is allowed to flow through the tunnel. Without an attached routing policy, no traffic can flow, but you can choose to attach a routing policy after creating the connection, if you prefer. 7. **Set the connection initiation policy** by selecting which gateway should initiate the VPN tunnel. @@ -60,6 +61,8 @@ This document explains how to create and manage a Site-to-Site VPN connection wi Your connection is created, and you are directed to its **Overview** page. +If the tunnel does not come up as expected, ensure you have completed all the essential [configuration steps](/site-to-site-vpn/reference-content/understanding-s2svpn/#components-and-configuration). + ## How to view a VPN connection's details 
@@ -69,32 +72,12 @@ Your connection is created, and you are directed to its **Overview** page. Here you can view the following information: -**Connection information** - - [Status](/site-to-site-vpn/reference-content/statuses/#connection-statuses) - - Region - - ID - - VPN gateway and customer gateways linked by the connection - - IP type used to establish the tunnel (IPv4 or IPv6) - - Initiation policy - - Link to PSK - - ESP proposal - - IKE proposal - - -**VPN tunnel endpoint addresses** -An encrypted VPN tunnel links the VPN gateway and customer gateway via their public IPs, as shown here: - - VPN gateway public IP - - Customer gateway public IP - -**BGP sessions** -BGP is used to automatically share routes between the two gateways. The auto-generated private subnets shown here are used to establish the BGP session(s), one per IP version (IPv4 or IPv6). Ensure your customer gateway device is configured with these subnets as BGP peers. -- IPv4 BGP session interconnection subnet (e.g. `169.254.10.0/31`) -- IPv6 BGP session interconnection subnet (e.g. `fd00:10::/127`) - -**Route propagation** -Activating route propagation prompts the two gateways to dynamically exchange route information over BGP, using the attached routing policies. Traffic cannot flow if route propagation is not active. The routing policy(ies) attached to the connection are displayed here. 
-- IPv4 routing policy -- IPv6 routing policy +| Category | Description | Attributes | +|---------|-------------|------------| +| **Connection information** | Basic parameters of the connection| [Status](/site-to-site-vpn/reference-content/statuses/#connection-statuses), Region, ID, VPN gateway and customer gateways linked by the connection, IP type used to establish the tunnel (IPv4 or IPv6), Initiation policy, [Link to PSK](#), ESP proposal, IKE proposal | +| **VPN tunnel endpoint addresses** | An encrypted VPN tunnel links the VPN gateway and customer gateway via their public IPs, as shown here | VPN gateway public IP, Customer gateway public IP | +| **BGP sessions** | The private subnet used to provide private IP addresses for the VPN gateway and customer gateway over the tunnel. The gateways connect over this subnet to establish a BGP session and exchange routing information. For connections configured to route both IPv4 and IPv6 traffic, one subnet for each is provided. | IPv4 BGP session interconnection subnet (e.g. `169.254.10.0/31`), IPv6 BGP session interconnection subnet (e.g. `fd00:10::/127`) | +| **Route propagation** | Activating route propagation prompts the two gateways to dynamically exchange route information over BGP, using the attached routing policies. Traffic cannot flow if route propagation is not active. The routing policy(ies) attached to the connection are displayed here. | IPv4 routing policy, IPv6 routing policy | ## How to attach or detach a routing policy 
@@ -135,7 +118,7 @@ You must activate route propagation for traffic to be able to flow through the V ## How to generate a new version of the PSK -TODO: why/when to do this? +PSKs do not expire. However, if you delete the secret containing the PSK, or you want to change your PSK for security reasons, you can generate a new one as follows: 1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. diff --git a/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx b/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx index a83bdadc9a..0a0d3ba34c 100644 --- a/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx +++ b/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx @@ -29,8 +29,6 @@ For a working VPN, in addition to creating a VPN gateway, you must also create: ## How to create a VPN gateway -Creating a VPN gateway is the first step in creating a Site-to-Site VPN tunnel. - 1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. 2. Click the **VPN gateways** tab, then **Create VPN gateway**. The creation wizard displays. diff --git a/pages/site-to-site-vpn/index.mdx b/pages/site-to-site-vpn/index.mdx index 9016f15af0..6a6a039d1e 100644 --- a/pages/site-to-site-vpn/index.mdx +++ b/pages/site-to-site-vpn/index.mdx @@ -29,7 +29,6 @@ description: Explore Scaleway Site-to-Site VPN. Connect your Scaleway VPC to you label="View Doc" url="/site-to-site-vpn/reference-content/understanding-s2svpn/" /> - /> Site-to-Site VPN is currently in Public Beta. diff --git a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx index 17bd5dbae1..46e1b817d4 100644 --- a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx +++ b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx 
@@ -8,7 +8,6 @@ dates: --- import image1 from './assets/scaleway-s2svpn-conceptual.webp' -import image5 from './assets/scaleway-vpn-tunnel-detail.webp' Site-to-Site VPN is currently in Public Beta. From c87d703203d4dadc52bafdb1f2a82d0a74b1f981 Mon Sep 17 00:00:00 2001 From: Rowena Date: Tue, 20 Jan 2026 10:23:31 +0100 Subject: [PATCH 07/13] fix(vpn): corrections --- .../assets/scaleway-s2svpn-conceptual.webp | Bin 0 -> 59148 bytes pages/site-to-site-vpn/index.mdx | 2 +- pages/site-to-site-vpn/quickstart.mdx | 181 +++++++++++++++++- 3 files changed, 178 insertions(+), 5 deletions(-) create mode 100644 pages/site-to-site-vpn/assets/scaleway-s2svpn-conceptual.webp 
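Review bot: the link on the rewritten "Remember to [attach the policy to a VPN connection]" line in create-manage-routing-policy.mdx (hunk @@ -48,7 +48,7 @@) still targets /site-to-site-vpn/how-to/create-manage-routing-policy/, which is the page the reader is already on, so the attach steps are never reached. Point it at the "How to attach or detach a routing policy" section of /site-to-site-vpn/how-to/create-manage-vpn-connection/ instead. The context line in hunk @@ -60,7 +60,7 @@ ("creating and attaching a routing policy") carries the same self-link and could be fixed in the same pass.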
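Review bot: the new import of bgpSessionDiagram in create-manage-vpn-connection.mdx (hunk @@ -9,8 +9,9 @@) is not referenced by any hunk this patch makes to that file, so either the diagram itself is missing from the commit or the import is dead. Add the image where the BGP sessions are described, or drop the import. The rewritten intro sentence added just below it also ends without a full stop ("...security parameters for the VPN tunnel").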
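Review bot: in the new details table in create-manage-vpn-connection.mdx (hunk @@ -69,32 +72,12 @@), the "Connection information" row renders the PSK attribute as [Link to PSK](#), an empty placeholder target. For the one attribute that leads to the tunnel's shared secret, use plain text naming the console field or link to the page that explains where the PSK is stored. The rewritten "BGP sessions" row also drops the removed instruction "Ensure your customer gateway device is configured with these subnets as BGP peers", which was the only actionable step in that section; please carry it into the table description.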
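Review bot: the sentence that replaces the TODO under "How to generate a new version of the PSK" (create-manage-vpn-connection.mdx, hunk @@ -135,7 +118,7 @@) says when to regenerate but not what the operator has to do afterwards. The text should state that the customer gateway device needs the new PSK as well, and whether the existing tunnel stays up until it is updated. "For security reasons" would also be more useful if it named the cases meant, for example suspected exposure of the key.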
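Review bot: removing "import image5" from understanding-s2svpn.mdx (hunk @@ -8,7 +8,6 @@) is only safe if nothing left in that file references image5, and this is the only hunk for the file, so no usage is removed alongside it. Please confirm the body no longer uses image5 and that the page still builds.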
diff --git a/pages/site-to-site-vpn/assets/scaleway-s2svpn-conceptual.webp b/pages/site-to-site-vpn/assets/scaleway-s2svpn-conceptual.webp new file mode 100644 index 0000000000000000000000000000000000000000..faf2f312a8ce286cd602c38a45e828f0921ed74e GIT binary patch literal 59148
z#Y-K4iwS>^xBS_;x9ax&m-Nu^1BBp!cDx%f@azHD*Jme4h9NPh=Bp1ctM<|-r4wIO z74}Aqd&F|^cxYwA-ZGh!6v0CssBslZjCe`Q7#E?_H`dgzdc%u$Aj_4lC0dys*cG=>6cw>h=b$zC0%A#o^=0=`0Wpd<1pP`du#8)R;IiW?aE@ zl?~z`F5Uhh*2n^CR^T3%v*|?UCDbkK)^wrs2neP>E?OojXc_<%$- z$hh~M(@g%x-nn(oht<%zkQTzFTMf6?5bm2^?gn1~CAZ5|BW4n9o*z-2GAhX0Y6Vg-P{Gg> zeJ*p)PUrE>jItyG=z7eIJ^GIfgn7(}4zFJ~t}H#N9NMMLuoS<_tua#f1^Z?v!ua=| z#L}#+G*rgvUMcbU+K}p!jwAdWRNoGqszZUD=JmQopE&y5zq-vn3kibdwIF?qO!_%0rtwogwc!i8|Z)K$h#goN` z@Fk?<5{|V?5*b_A>%dstC^ske=b;r}e$!rw(a6D0ta|c8k- z0~uEEpv!V#U@M~#%mFmqdkE=PN2n{oYp6x!66YxIG3id(x(Aza>fly1r=8pC@9Q(d zWWqIK(xfS7x*lhrq-bRFUlR4}5zvy#VVcf%{|C#ZEZJ?yoSFLlt>)q=M3`*T%_(&u z@otbu1LnimXLALcP8s^+fKJJj|{^!UgHDEz%Ti{ znN>b^!B;jOJ-{zz9ZNvQGBm>9JfC;moP6d_|Kufp4(1+{4Y{3fF{!*x3v@|aV_(hP zH&TB{3p>o@d7y7@i?nuzWKo+2c4q+Z^9Cw`(rJ`Y2ULXzz8)@UL`VkxUj+j3xy!X- z94jk*$$*Wv=^-U~Ov0f5?t*|WXb-l@m)#rjHjFU^(t^><${hp63o(aCCS8vgF;!nN zw{@6qeV`9*Y&{@P{;!i>k)=#xakBy@;u$P^?k2F+cYBCz!CbQxc-g8LS2q0J=e1!U z&fKAQru6#QTd9Z0wS6UiSvdP^@fBUQcMJm8|ML3ofZYb^E5FP?wPud*_&a_3mlq#! 
zh8v;SfICL6ea}V;=p@f`vGp%<_eP`u%YkS$T z5xMo81C79YlINK2?fw^-4ne|(MO=Yk>Pn`|JG31;SZ*_pP5Peuia6~&EF)YwCba{r z;k4bO;|sc@n>bl10b-AaqUFt8uU^CW)%l`bc zRFbof>ltGe@P-))%aM`p#ncn!-RvU>LF9HL{2x-O6O08X%0xNd=wQ*~iCl*+H^Z<2 z@4F|xO%F2^cU10=LKFrcpyZHdb}?RuG{8R+gCfG@<`V#BxR zSebQXLijsQa$HeP7q-j~kk(IgyBzGwre5zbVb0XlR^aZGk9n4spQ=4< zCd=jHVO7rjPQo8@y(;SIVbF5RRYh!tZ*LJOqKI7?l8g8MBI=#vD+#v#-PpEm+s?$c zZQB#ub~3T;WMbRq#J0VEIp@5ed;hK7-G%O5YgMiFeaihbn@G&wUQ=f8rK9TL**g!z+K9LC9+1_UJScYa^|4VmnQSOyny$NBK5rLs zERkde)W4|kECJ|R!1{i4IPXEI1-DafRtym}&y-Cd<0X2B{muk{$ledi-&r)OGl}Wl zkO^ml(L45~&Q$Ub%qc$vZ4!mK`%|&~Y-IED>2G~&#M+u0r@Au)tX`$N;)025u{&njghlveA;XO_ z=z*usP1%H1xScXoJO=VY*Kf>P#mgkRraKQh^D-@<9hRNg)HF1tn3WIKj>w9~_v;d} zR;rqPzf;06gw~(x!Yn&V$4;>|_agWp-ANuex&|k7)B1hr@f#M$sbeIttZvY;_e1mA zg=*1I=mHcNV1sr_QoRIr`pmvHtq9roRfnix4iia}XPJi>qWYk>x&(2C1)i(SZNWB= zWIUwmf-O5KbY{9->Aet`j&fn8ZQATL-T#{M5hNK)MXFln$>k;pnDyX>1b#1oe`UIe z3&HeJh{BJPO!eVLiromgBCEn+RDtxmiHewRxeLec&=>VdSmLYooAvOHoi>J?ZDp}q zz*vP?@b!Qcf@fbkQj`=>xdc$3>Xs&aycZNT$|*mK@uzQbOLXP?)JS3Pt$Ga$ zDzs-?Nv_;y&h0)+tBtQF?J6s>Kdk^0Kaiz^pNYF*i0O+j>$*@vITVL8EoH(E2!eq- zTASk}rSJ*!<#5Xl>9&BU-zO@Pw^Ufb|70*OsZ5CwewAWva!V9U1}Q{&G#o&fA@LA9>fpqYmEHVb5q)?|ZEo1gN~F(ljK%ze4w;*dL1ja@j)Vb!43 z4d{fN8$sH;zYFj;VSoy+;mier?2=W{kMMM1X67;sR48w!0K% zH{EgzNT4EkXYb?Cl`Ys_`Y6Z>NN;zEHASdIOQWNxf>70pX~pK~u>&wZZ&phpf;&o! 
zoGxq#wQEz^F8q( zI1lNz?SxiX(xKafX1&b;OT1TwbQ$EL$JWV#hM}a9AeftQHU>h&5C)~M3N-7|W_pKp z3x2(PpO!RSCA+i2x*knRp~%8)h=#y!BMC#QmR<$<4C9#>h=pvhC#$Vw{r!_73a==K zzvc_P4N|s>H5xN|MdBVC){$u=nIx7atUL(+?}HWK->-+(LdQgHAe#)NstXE<;iMQc z6)1B3^_zgk;ymUsKj@@%`oy2$n4D6f6vRC}r+{E8+`Xtww&!#b`X3`X8CSDP*L%T} z_q;4QW+{;>Uu8SO`Fc_24(t6XdZKISjZx_zq|To$e}>yI_blQyEyEy%{K6_Y<^&?;%xBu%B@_xb7HbSO@vbV>hSlc3g@}GjOaNkGrG~Jn#4A z#7b;Yt0oIvAq#hdzd*Y$5@?swD0=ey3XO5j`(NZ2Sfx2ssbvxeRITQv0bnkw`w6a% z*n#)oEk=g)?$YG7r#N`CU+aB5G?aag??uuIwU{?aXtVjyg(hOq#wsT$f>aV++ry-t zTmnrsZ_HI3VrD7c@qPWLBMDhHQ2ye6#rADXt}~_EJ!Vi;Ig2*9@Tar)lW6qwz5ko& zzi!*s=}nuN3gRFy?A^S#NGxgQAX^|z_jBGpH!u{Ua04FlD#`Gl*XfY`T|)SN?E%>C z)p5;s{?-j4gm#8+!ljeV`c(_27iy9v7>Wtfh%fYo$I>%E%yttd$oqU9bi=P$9{5QCL24 z*#vmN`>|^(z91VBZRi8rSSLK2TQZ9*zdF$eLebakhzug0;!e>8d-}TkA%xs-WLj2x zx7Kn0HUU*Z{BeK6{TUB(jfgl3J3x za(K=z-Td6RVgx?!N;J*qR)_CFRGC@5V4U{LMbzwC_+(F}QH_4AC<)%_o(hU4R?Si< z!}R&LV?n-xzeZ_j#4wj^dZ4&RrY;304aW@fChOEkv?lRr!dh>ffO#pgi#~lOZ9)ni zZs8X_TyZY@a?`yWac?$*U_8W&MS13%S0vhnTK@;anEW(~;*D!3S54@t4M#|ea8B;C z;!DluYM3C@uEFit>&*}}rE)UJ6fd7lU!MoUFs^#xtrxm;nsw+J%g;de#;OGD&tm?A z!{kO6u7!Z8sO=S>q2Ho+)BZ@#vrCB)PmPcb zHDfzUO9m|9?d(Es2PUqN*!wCM*EHZfok<6H15;uDWTcQI1|^HoN$BW0yFj~5qxyQ^ z{xKRPd^7&bv77V9C%xOrguvp$Es@ml1yzGP2l+a}5)&iZK{mixzO3Rx zGVFOn6f7pO5v#ni&t;>CjG{;=peE*F3PN=4UB5jV*S0jF-!4&;=Myf1Ylcq{mOB0JG2NtjBFQS!%B-005>Ski?u9kzr ztec1wYlrP!BKY~1j(`qlV(Lj*ksD&Ec%JOYR-7c@z&1c&$W z1O#J>>tM(I{FAbnI*=;Z#H4>326ugzaQ2c+g;$ZK#P15Mk#8m@K(rC&fkC0oQZGBE zBb4ghgAupBJ_kF8JS^$#{;79IZ<>M?g3oZUtc?I&%yxph^n<%5d~SMF6wo%Z!8y~$ z-f`yDeMuzz+rVq#{qcV(4!v*xO?9%hGM(sIA=vKe-_@4=_)yERmW4t4bm{d-aAP1EodQXC&fx*r<4)gNXM$1AcSCOF zY4U?)78E$HxMBM2BF=q?m0~4;Y<}MdWR@Znu^C~GdgDV}2(b|hi*X{<*S6PnDQJ3m>qHBPw7RfbYCY3RP48Wi~!@t0NUgwZ)YFN}fdn@YK z4uJeCTseNP*?UZRM-kEWmj;4gd=l$4*_VX!Pf$&u>ZM(CM6}eIQCK}Q;^QXy`=qWW zMzE*VeMaVxl9F;xUhY``?5ER2PYb&0q-3~JhS~PMof3yLzl&c{R+up#<*bZiX#fQtRvG4p>C0~Io%c+ ze0GI#wE7k>{7fuIm^q&Hkp0binNC}CZNhD*s}2#TXzYUiHFX(yg1*)En>fi6!_Yx! 
z>}&b=C~}|s4ed`<47~S7Q7jE{PO~#Q64LIlra?sUddx7<;<}ciQ94gW@Ig zJVp&}fQqbJ?O?V;rzRoKrp3~(Cy4BO_dj-J$zIP?H+2U2$B=NwZX@!ENWs=cMYdC# ziFDbf+#idv+X*I623)YkUjOtjGeU|wf@}QcK4Wae-#UTu zC(pouH`w#6xD;JLUqs*2i2v9VR$tXFWk~nqrIk2ve9%@i)%#PYp`J>hfwtLOI{WY=CZs1pI#f35R=))skXC zbcZIOV*TyEytI%PIr!&>fUOjQ~4a)geUWLl=W?NB z+?PT;UsbzW?oX)&gsInfln>biQbR~Ss?z1pg zqZ@62i(=!j&jn*KreUA-UbpCO;o;<f5IvUVZ?$z@DovkBViHpVron}5X^NVOOI8QIN-+KqNgcTW@a zS@&TzX^3$@4B67N3o%{_7|y$7_%M+|x-N8!m@0QG zNpr9GoJXSgq_w>&v>C40htbtt6L}Z_raz3~T|CM;6T}kDl9Vh|e=U(JG=p16VkPXZ( zZ+Q*-c)pb9uVBv?RYyLkv1@13gC8ZK5kLCa6HVmX#MT(v5LXCHJ*GXugB+`5z8}H8 zYwN@Nz&f#B*N#vy!FiqB|B;G5DZirupKXB4|LUv&*VYFCWd^;sBqhvPXm%aF%29TY z51iXr5o;rMqA8qKL#Rtm=O4-T0j>O&7Kmy$^BQT9fPF#0mEgz!CmM?fEO4*(#^-+ebp5^B9Y(V`H_kCB^e&X|u zhO0c8H_*Bj4{$LR^^3E;Gx&igef?Lh^gpH8Pr;9Y{;yySFlFy<^g}}Wp%4Ol{FZT% z9gNc9`>x1OjXGcCi?H+Jj>7&aL~# z0&Y+4Z18m3Ris;ybdiu2*5AM>UPk;6$)-^TRZ7~SKp5DTu>pyw`>y%W=_mv4jIn?* z=q6rH4{RsW^RZXN!X()gqpvCcAjPC>DL(}A6PoU_ zvQ96Gv^63nVBl_CkD!o6AF&0ShFwgq{Ju1%iR*c%tU&k+i`sN+*~-|KRN@FXQrK~C zHAWE-*Y5jG*!AmB0nMIcU8SLxT>&hB(YSi6N{dDi*z_cLkX#Kg3$+Lh!_L(ZA_xR! 
z<=5uUE20=ve-n$n^T;kJNyn~|d9fQW7pf&p4$Ruw0L>gHnBXop>n>efX>-$Mc4so{8vx@HEg1&98To`+7Ss-9X$z4%Y#exD zJfUQ2?@S4+O&5^>1cyB<&w>l!m+fw})-|h#6&jr3B?%(B3XSy;m9}C)sj_Wcxh8+f z*XmySjmvT3`sWw6I}97?OB~YN0n?vFPugg-->oYc#C*@0orz?wmw$+tl>&mGbhpt) zjVvu0|4CLH8F%`wX=GF|;{p=Lwa~-}URvk(u0UQjZ6NBTMmNkBx{yF>5hp?_`AY4G=4n8p$=IhlGB)ko ze)^LZ_9Vo3-xG+Vz`qEa15$rob+2QRI!S0sWFW6$oJ8CILon3^_ z5OQRM)Rf;5#n>wj@~5Yfj#CYUY!CBIB)fe!WZs(m1C@k?;AncR<3t=we1$A|oO=^j zfARqb!Jfne;n_(4l6t>XP78q_c#>m^7C!>A1Fb>F*};!3(eyl(U*6q>vMIig$P~=C z*612VSlmYY40}VREpr;B)1U!pu6fXdaVa>K+8f7rBRS?^~&{!8p5}Sm?FCJO* zM%7U2Fn@fYg`Iug= z9R;{bYoETN-?3mSC+tXpNs~;bf9XDdITBft<3TQ3LgFJX#1VXa(C*4jR@^0U+C#-S z`bDZh>j_RmBYO>Yw*p1x6l|js@9@j6S`0e7)0el%0oU%pv}CzeD|BfA_sze z)Y+%qJQ@5=xq;32c&^ma6`mlljZ<$EkxOgGsIh{IzYC4{ccflSN5$lS$TlpcVZ3_9 zoKjLrWLZqWE1Rjdn_u3tFpQlC`%6>k>-dCHNL_ETq=vqOnmaP6eTMnwPN{c7yd|W zNQ4o8DihotR>iFd5?UW7oQ^dcYtzgJczDw!e5el0;Vzr+4k;!whZ1dm!%E9-l&ng(BmO|3<}t$O636bB2r`3YUtvhUzAF9&zun`j1$Gx9{RuX0bGxR3VpOy8`xPNr z!7P1`o9GY&cmf4ic@5cCalqg7bZZl zD%e1KIHG0!z4|ksGv?zR0FR~I06F({A)}FEwlAox7m*0L&%3jYxcvp>}D} z7b0mch$VSQ`GY*f=FfCVyP#v#lVu|f4nCyI22KHOnf)x3usE9Q<`_`pYm#q)K^R z;O2ZIo9XJEH`#RK;M$jlrla<-<8QKoz3#zWm0CN#-Y;slm!2xif3A9;4{ zzQB`QA7AAgaiv8YknOWMKs+HqCdEPl!1e_v>oQBzuwpiZB#Js;{e8 z4%6Z&4Y8X8X$uE0O?Dl1s7z5+-KO>M+0_G~5S=3wyZ!xWHRRB2yAUT8x4=UVLVuVl zAT+r4ANoa~Pj*02`I6@_97KPjP@U}&@NC99*Cy=#QQqVA!`p|8xzSzsQ*^37EMheZ z(VV_2BP#qdh*Q{OJFdVepy*xoevoExU7Vq85_rjbw&vkYqz3qZ4`pi&|L)5)$30@- zH(@d7a~MOU1Nb%gk_MeQVG2#^g45V_i~AFV?!q^HsXyFOptvFC=Q>ALXD_ML0#yBo zhd7;;7Md}uPK+Q*T#XG+pr~8Yqv$Hp3i>uT+T(Oc{B*I%@%r)-@M8gXa^P{b6}o?* zHT_}d2zrgIl=-uu9PW;L3!UgPY8+>Q>9+rI?%x=vBepmvh*L7bS{a=kIW3Ta7eyC;N z8i|C=-zJ?7=jy?EA5Z`B2N(Q5IsYTB|6eV!KMMRzqAUsNk7-!z>$+pXUked-9q~U( zNZBEKxL>vhtt?Tc$eYf26*HP8B(7$r+gQ35*{WB=vGW~rR#t2q&ITF!^;ZT@b-kp) z7q-c@>^f9-nRU4<+D{+%)?v_Hz6K-zVPHPz{ST%2pPr2R-|51&$TyJwXFtpCCbmO4 zQw6m3s7L*Tcm5ey?g1e0T4t4FJLy{@i~sdk>fc>A#~J748rE*)%{{jE&*U5T%?y$C z`iFTg?kkOXj^=wd5&n(4armd6ySzF7|KSDxgAVvVhwx+eRpIo<^=GMqRzr~b~ 
zdH)9@__*=^!~|gfTy0a8o8_Xj;nsTh@?Wb&d(^`W5qv%(^qDjL z56jOR{aH_5XGtFx>ujQ|uc-bsw~WVxJ@jkD&2%Fs^}@DjgOIb-o>kGyySbG9<-q?1 zH1WpI@V_-d|Nmq0K?o>uxxQ*ho^|x?)8R_rdP%_hFrrRvIMyABgA=kPZA*5lzGX$@l8FG$KK``p~-p9Fn} zLBwX=nUC|Rsx`2xwuN@`_u#1E4YZF8p&LK1r^Ga;i~dRfP9?^#lT;I#cSO!$?|fiH zOoUH)f|k6RJtvrmYgg}pQPXNxDZrk+b8FUbSiyi7_!%Bnhycd=sQcUEg1*RLg8Ph| z^e*UM?}$Fh64Pt)-08(nokuyx)P`BNTyvhAUd(5LTe6GSAH;Ix(TToKhE5C|>D*=A z5J0MFT0m4@vKYGwkA&{xG-LV+rYrDuU%XTVO>sHFG4rCqqznjXeT9#Nd{XI{?g+UM z3U1yG7DgQ~5T1mbdWHRDBo>-6w#jx*zDSEii8mcsMLNtsXiaG<=v;REL zhT5yRwaE6or0@@jtj0nmx-@5gqX{^x3&d8hT+u#UI-Li;`%yror*m)*50M;ndoD}6D*a1@KZ;x%L*WNb+yBQ*3J7nLvRU;!+8nh1w%wi39% zbBVp}Ah6#&6U099VHrMv|4gtwv2`9RN2LHm+-Tbvx5`izcpOeao5{2ff3653JDmjV zJMOqx;M*$JHUd7p_Z&@#<_nT_VG~J350+vnp-hdMsqnE6-{U)B!OMCqf5r<7;tm7Z z%k!8dF3DvLZcsBn|Cdq>Po4^jDGkW^cgBl>?l})ez}T&(Ucz@U7PawJnj&mjeZ2fK zgMPG=cZsNTD%e&kXM7ZqJ_N{i6p3J@@mM$n$J@b*+uU?albZjNs>_lOjC&k`ug7@g z!)ifCz~^ioMELSgCJYxnViSE!0u4QjT3y0Ma>)frhMB=A9NHXZMaMhTPP4q=ykdn) zeiG${SVLT{HsAiM_CgVXzDB+y*WiQD7V0I&UC| zhXP0>*l4MSr7r=qDFa-=BjJ!G@9_lPZ3r5T-Evjeqpt2Ptw8fNRv2h(G9r+UM3itFcu1H{Q z(KA6Y6K+in>wYy7_e!nHEUCNw(F>z^oFD?#fUX6czl0-&ghwlq0P2_pNuh_1S#+Rw zHCRT5j&HVH1Yq;+M0>eF8)%@ zWPfw{YH03Wh4C_Eqrw(W$l?5e9tUsvfMmyR-eA`_roBzB?2U z3|kmO=qjawur13GWFIj(h$wS4ECT9*5{eReHF>53rfl~Y!&+kBrkPUGo;L11b&a=g zCL1JW5IV9$eZkZ!x-`~eu=WLFoDpakHyeR_6LTtY2j}ZR74H%l``1=q$XEVEBLTU7 z3YP;tSIPvyzSS$#LubT^0>RHh>eqMN@|$<}pPIegVOLKwjmA&9`C(m{-^yw$@3O)eKZI|sNBW0W*R8U%¥#NBRu2^dThueS zj#OhR4XgdL+`eROz6?v96uVpNghrm#en)hsQ)T+S1`%$wbbTlBEVcC_f^)1b6+fHrnuV+hSx$ zmxiPS@fdZKhBF=$+zf*}nBkik`ju+M1RIMa`MP?C+lzQg;fr(T#NGaU!=Wx%vHHG{ z!bDKj;u@@pN`|s)q0A@jbW#&g`(HKH$NZh&eE`B~E1fDr>odW%21uljaJv9jHOfPX z9iV3R%X{0cuys6Nqn=n;Ayl~3-nZ>gEWVc_%=IK zBE<>0kjdXIX)w0Jkcy7WlVpnmT&)0g*8oJBo8~lRjVf&!z@9^Eu;W}!uGY?~23;&i~4F zt@K9sGb5#*-n2YX6NQo(;pk)5Ub;iWG}-V47J5fi#va8>Ck|HuN2I&AlT&-0&W7tm z;RlX!8Wu`Ndx+iG3uzWC1elz!2bZt-NDID}zBliA9o; z$`?iLOVWtw_yODm>xI*H!Tp2axo1&(cYUMi?168y;pMuKilicsBS@_I;S9A<|I;>y 
zrOl~+Kj{w2Ncw&3c<`A=eI^)D#y#PM+Jb&cK!1a-E&~v5DHtw!ExJV-Eo}vMwiYg= zwA#+4(zX^_tFhg7d?^O(CYs6eE?3#1$MEo)e~NsU|3y^MJ7v=&n~nLUq^qC!9jtvY z5V{lQXw5Y@vOgs5Qb@(2@pD_kIEgGh3L?E2r){F;9`SWJJBlTLL@ThZYNPIYx@#7Y zb(0YMftv zZ#})4C014QEW<8G6wZXK#|tb$3ShMLLxLhXI`-}g#ew3_kA5WVkz2L;#}(kTQ4WgYHQw9sFTY8-Ya^D%3H;^pc|2A41tLW2+V)hl&xqtBg!!|n z&Pv{m0t0owyB7e{ zRJio#(i{hPcK*VUc)_gF4)j}u804CXzp#PO6dVqArNchI7!{K?0*D~~B zp9$h6>4jv+zj5?Q{YiIx>6DR=C-7D1XIMsU^KWY@0Wfhg_Fte6>kOzMeTgjKcGpUv zy*~nn72}jzQpw|M8X)dwfuW&+C30>zn1pJvoK9e!ZH7ltIoA2t!4&btv{MV4EG1Lq znG2=f|CrqD_XG*92K&9d0d9x5fY13Nh(P5wIgj{+z?)#FCj>o{F!&>bNcs{UM6$nkZQ zZwWvC!ns^A*Hjk+&bs%4<9>HDU-dhy!DW5EbcqvLGb^^4m1}=imf;UqXFqIV=GOkQ zJ5iayj-xnT!|dBLHyh2=FA$1+FV@)G=EM^f*R@RVeD>f{)1Yk#*4H{ z8x>h1r_V4{NNjAt`Oh(J!JnzLzr#*O12K?SPv0BEv;c1Pr^6R(55zy89RjN>aN;#? zv%ed%V18rmE&%~S0+m55m8(lQkZrhw0jGoK6b6w(F(6+SO7}s^FqbO7lK5VJ+APh< z_Hm)Bin}mDH=gRS)Dm~-Fhnp*H=E)-9kZ~8=ozz7^WCN&CB8zT#t6p4U#u1AUiBR@ zjtRr)Cd5JjnncfR2v(tvJYG7jgF0yUeF(xMe*Dm3fNgj$&}6N*4I*{i@$%xBd%8aD zXBxtArd?=*^wj+bl#C3dRdG8^-BPvPvqT*8KVSD;cdR?CexXjepr34^brWwwUDrG0IC870Ii zKFW-7CYVtqHx!*X|3FS>us+#uuwlb^lb)y`LZZ$l&g)foW}wHa zevcDV!gr?!N3ShfH_Epq4u`&-MzP>OH`r~&Fl7Me60{woo(%9}#?g`4;f$W*S zk?RM{mgRY!qaLKTG4>RJ?*+!6XR=fu8c`}+ij(WaG@aT;`w@^@G^oE6?|su|?87!K z0yE^@Nx|`{jKv=+#r)$ciTZjdNbB5#LDR*9uE-ITkyF0Oi7j>glAFe#aoV!{ug%nd zF$nk8B@kUF#&%B$88_kw@3XzP^xawys7YMvsBmE0m1$11rf%~m+zqO}JonJy^y;8l z2s&;IuuJd*_LTlqu~?1vR16U~O&4T9Ql@ePMZ(ADP>Y=CyO=ZQYV;B^{w9d&GFC6k znfmsePs2k*F>inQ1PGPoPuXWq-4czv|D)^+b+YyV7sa)4_d$cM)t?1X(@?&>L|QFI zoX6R!j(1@i4~GPAm1bYdKHLe0Fxg-Hf%=W$R(XBXZrD^<#QTHt z;WuuOst5{bmsNLpF$@M1ZTi+ck7lo$Zizeq7?U}A~C9~;t0`8bfnuPLdYnpuxKV4aS6-U@b`j6VosaJGGE_(Q70!6+`>)n=hM zPqZYU!WDtW?1p%hPlKEq7p#j04$-pYOTR@w`mB-ij{`?r=B~UT*>=PmZqk@HLYYayN1&OhX{k*zl?vZ#=U?7ZSgD)Q zaXpHm8f=QL$d1Y19% zPX^yt4jwtO##bR^)-(~)-)!*MauR~-aD>5!b26lkl0#1OS^bap4t)xX5alduBYW(y z|N5v4B8sEaN0*8OXoi*@){{LYZu4J;^b_k-!jbFSp8epz^o!yz<)KZgFWmS+%k802 z1KJ9(f^6J|n`+>1v;d%|-wn`$$jcfO9HYN3TH&a*2pnKQ?WkF90e@VU(#%dA4ds~! 
zU(p{0u#B8So{+t{EV0DG5Jdyu|9Z(?NEG}*HZ8=$&nec+6g;+hQ3?e8He1l;i-GsA zV<*f&8o`8^I(Se`YtG0hSeF8y>>gCqiEAECV}p!nQD6fZOYY#bl3(L7Dc6ZXP$xyg z)zrp;E&2UMQayq&ljUFu#-Z|mGw`;3k7u<8smK2z~+v@PWax! zC*e1zoh{yy_6pE$@yo4FF9i(G3hs>@>cZ<6JF-;}0>$#bfN~psa`6ssoMabBT1oPr z>+>Ln=QLAWVU}f6C2{MYLu@eU$X)E~JJ4ZJap~k`TPP*|fldm8JvyHEkl*{3(Q1r@NNi$1HGo5d^Oh1~*$!=9_%3lmmxEJ$# zT#GA2!yWd%@SPZVq!KK&1)q4xobz#*(ZFK6gV##YQZ4b{j3wfrS z?Ngs&cxO)hopX8l_QNw-s^EybsBdu@i{&{}kZH75i@ zsW^4 z(ZTM{?Ge(pB!9eC++jiKVrU=Q8|Kc{fI`AZbQ{BiIJ+gK)XXJYkmAfs*(XT{71ML9 zSj>GXvtB0=&Tg)-s%blqLCL6^M`sP2;vypB4F#kPqF@9YIhbv;h%u6caHfG`q>!Sb zVCsP(fv*u(2NaKd{Ddw66$35~N3CF9lhCx`OE<3oT);3!U2L@uYDI*%IAB{zGm33> zRno?8xmQ|Hq($ayKDgc2`>!v108yW`SKcCRxu4UP1dWCxY#RJCH* zNYWUyi7JT4q&7iMU#G4vqiKk>3!SowWjAHZ4@H#xY_&ww)lSDulOoA37s`_MGtlMH z$0rgEEDFeep?A}cW`=QHkRSYf0 z#id4SRyx#VbcQlJ(dd@kEN)JdfpMSEb-cyikD4Njr|3l;fMFGvtz>)aem>shOmH%Q z+_z0N)ufOull(=>m@ZNz-kYT3c!O$Ckq8%_4W~Yr!o|VamRcFiF}PI%zC{wYx<-PJ zAE&mCE6eZCiFiXk+h7tHs!qJD&!*NY;A~I&P+iJGhF&U&voL;sE}{?DPrI`Lr0;ri z`*?@0=;(k*cIA?4)#1}f46D%=EUK*s*vz5P>t)2pZkVJ)fsoeS@=E(e1$7b|CYkm| zXX5B1f9=4|gW#n=hY*$1wgp8INWA@3tASh!6Z)x4TYUs0?CI@1pT7rS*Sm{r|ej)6%_r?MZhvz|q-g53*(hTBr-?O>-IX{? 
zL}fc`cS~t+v6?E6RBZ3SlFfpbxT@Dg8GnN$7QQWa{!z3<(W7UM^Jag_D(N_i+p8uJ z`gke_oQd6wYST72B2%ZfaKe%8@0f+h`J&#ZuU8*p9Y|ce*l<^5zx|`FFk z;eHEwxqFDeinPori&`L~a&5HF2se{Tml*Rwwzt4&f=fe9$qEsfZ_cD;dwF|y5z9ty zy|-ux19E>#DYzr>t=Uab8E63p=et!}_<8twIMEv-@N2*vp#A2YP`t#IHV6=IltItn z+MM9GqPNi)nHmn83vJg#>)1QUdwTY%Qw@uVwPm>|gG`Z7Xvl-cU@{o0fmaRI+~a2rOec56Hv*WTC!*<@Dz} z50&`O9S4p2b&=DR`yA)hv8QTnt>w(+nAVBb20OZJ^s;ZsO;wJ28t}WTSC=T|B6tj(%GhiFw=T%NX^PiY>y|kSB?Xsg;B18?3uOC>!Ny9?>hl+sH!=5UY{BS$c|k-t`s$xOHo4F{`bp0qk42^3Pb9|FI)n328zob| z)1}K!{#jwxx0&|HN&M#^_c`d0tQDsDH_>@l&sV3ZbsUxV&p`2M>{3J+_OyI|&hu>R z5R+W}3?W*o@qT6{x2|6^M$#RIiv&5n1}OwJABP8_*f`pzMI$lWaI_U~(G%dS&tSgq z#;L+v?o6_a*cM6*TXXJQZ$^Q&jioVP4S{MkCG6=`_Ug#3$4@3kQUf$WZ_*qPd{z|Q zG*RB3wk~C1G1kVic^YZRWmXeIDppOKrWLxjVwNO$g%cw{0Hbbs__1(w1?y2qlHD@t z=Yqtd`id-hfj$@VO?43!HzWs8t`I~ewI-GPK>?Y>XMLeyCEgK@7$t#=>S789zFr+8 zQg74Bzc{QVM`@lPtJEDiVgM5Fh|0_s;5fe}EAV}wuxP7nHzgsmh=1v2*8L9;$d$NM zR@3SIPcTbS2b!8*TwQXq{Fl(=_SbD24vO=lEl5UjA?S&j;?g=mo z1AdONP6oq$jlv(tG;^)BV1xJb2VoBZ!MadrLn8#tJfvOSA zY;g_Bw=7WJAnxmA%e!6tG1W$Jrw-Np0bPkZh6vu0sLy%CZsHSox3g*;XSY-#PH8YYu}8SEq&*ZL+3G z(?Fn9cSJ*f5$XBTGDL$}ytn<~UAGHuiu*E2AUBHe9I)heuHu+d3lAz>kgiX_B)ZK& zl5HV=m47AWRKT=J^wA@0Ykrj}r(=CvxoV=05KLJCFZKOq#Nx(uS5;;TewD)k=emL&tl>c2j?(^*x1Io%_ZbQbs_x|w5=EwrPXb=J6Dz0 z9T0O>oLUmCwh-#*@`O_Jn^aBLT8|fe06mjrNvIPD-U=7T0mUj5aXP%#D&Y4@y{P;O zi1%1%`gE2XhqwkEe5xVtO+K^r$n7B1)p45uBLD0@()p(TVfd!{Cn+gW`3?(Wj)WuQ zkDH7aEgQ?=t|G5up>f7cr@pF59F69MSWCW#E8~9%{it65#~c43T?5IJ0mu0y31Y69p7^WqNyn+2ack0*ecmUm0T)4>kMpqP7VWJ?VsVXcDE$F zlFJc&uhzo01#d0(hiOym9vC##!JN#Vy3Mr*l_`#v~P6|Y{g zGJlbOn2>q}9hGh-qR3xe*H5KCrwI^=fugh7NE?@{3)ic}dc=u$hUML4nUU$O|K>N` zL7oqJkqrb0D%g(fY71U6BGIg)o4}y(0JCIJ#mRm^!6e=HrJf99(1F(Y$662ZR8jrVmRAcCJkhafz1BjCST$hIQB{v)X@{K z#7@{kOv_4iX6hBD%LmM<5qEQJ^PGWIh#Z3hh!`3Y;n9=zWaNlIIJuKUR;ll^3($(hkDht=kF2sjLf0>WJ?{(WB_SG_KvUNZ z{3t>|M?1puRhsKb;lG>1<{v+uJv{$HO;cr<*qUIVBg}e3Wb`UcSZix&3%#Z99kWN` z4k(!#_FoN&dQ$BP-*(g1 
zhWi;7h&bN>Ru*f$0J^)`ZlMI?8>k&z@H+4|!~aLqH-<^lG+mEvW5>2_dv@>pE3zsxD&m|8r2%>~&omBUICVtlvr}nVb0L@j#$!4o zt!RNXI15^4=HZMC+maP1rtawv*BgD<+@ZOs5vMW=cEool$soq+0ONI}E|~sUoC!l& z53g7Dhd4+i8GmG^c)2OCdWsbc1z&Si@^qN&%ceXE%6Q*4uUclDuI?1erRuv`&Kz33@BrBxDhp-RhYyq{MGn`R^S0BdpudU>X%$n%Qg;0~mz=w-ebN%#WKVOD8fz%-}9H8afS{;J=gbvBHC&DdXB zU!QJ2;+2wmY}N6;wI$BL$Rf395#Tj*irN^==C1wVmoibsmLVYD5;t11ZM5WYELN9B z10HF96eDYavId%oo8++YOt`YA4pG3lO#XJD<6Eua-d_LHXN47H*hjTgR1t=wI zRng#p(95s<)f>v2=e_l5vND4BbGrq=wffSS>8YG7EI}9EmE0w>vz+7)m|VCoA!`Hi z8jguyK5JsFMq_;S5pc~v+OVWI?@GMKow@=r;ow;TF%9iexGiIlqT&4Kho(9!(m}0 z!n7PX39y{v1*ZQ?(cf$-tD0L1fvUjAF6_-J~O=%0#!rV(}SJykNXx2kb+sz+Xb3u zdn+tEz$|yCx0Mz!nbJxqhow$*$T?Y=O&&Pdbb9gnLX%P(Q*TDe2=Pv;u&kfnVQ9H^ z-p+Sws@%YYmKms5Hd>Olmf6Ho_|NNOhv0XzP@VrhEI9FA=ga1>ufBXNUnc~rWHwH{ zC1_`iMiwv-3+`0sbFGiQnbIN*Q97_j1`>N92T!`I%wnWrynvpyP)j~dyz(mRp)mYn ze97sqY^?7cjCXUpZpO&vZevCR@6J5tl2OaU5g$ELdL#{P9aG z04a45hE12o0T9!r28$_Mwrpjs{(OxnM4WO0i359qP)KDFo5}fbY$$&ttoy}IaJT|h zKRR00x-A>%dMyod!keWU1l`DO{V8fue?yxI4aAB&wKKN7$?sHV365rB{DD;ylAQ_* z_uvgr@s(PVg1>`3qmRSV2LPJ1`+}+hSy0ckpG5@oN`v_o>5Vt){MXUa;Y-;BrAoH> zx;4Iw-$1^$tIZP3LUUFvVV~0tqLQ1TWf)>EhGhAIB==P^UXCWuANG>g`}^U9U7V|0 z8TzZxN12395QkolhL^v0i$$Eux^A=j=dE`=%>JM~AkyXone-$N0nfJ_j#b+ZR|SAv$!Gte$uOrRzE5I zf)I^m8*BCL>(t$L4F$B#&z=34qd|>qK;xS)e_`k?F55GbL8qee4VHyT?G_U~boUbs zMd7Z3+31e|U1?f6JoyyNyF(I5M=(z%!e<{k2V=G(F}v(9I{I37#Ikh*_98y$*%EYI zN_JARGk~GX*R3n{LBL-opt#wpn6bpI&h&Lpu})AB%$I-CK~%ek_B{ME?<9}f&>yU7 znCNHaGvXs7dxjC$p6{~0l$lVlrgMj*&>Qh+*+enF-c&FX2gf9-lo$(`jj%RD|ZmX)W{pQHoy_tMMn!wIA~WiSOoE_$ zZJuXIj2Mon9m_krnC<+q_KdBf#DtjLA?nr*Y9t@ut615pEfgx!L=oG@L)GnJ6LV!2 z&vl#d(XsG{oh6*urOa(lvjya)`W=56^Ndt+ADIP3fUIB6#F=*6TDKM|C;yZ=YAZC> z9E8XinZxVr^l(o0t8vq-vyR&+r)R3MzDBw$)2R&>S%`LJfS*Ps0Mu9T>n9&5n&YX| z$ji7Qgz@ZHuC*j96KGNI=#dK-#8{lh_q*Nj6f@PF+YMup%>J`s>?a$&MqqQ8M7j-@ zw9O`YaW-hgU5LFq5S%A%lryx_s?Q_2zpo%!K`*gT1_Aa&65tjtI$3B!araMen&JKz z1KmnA1QpY-PA;qyXK~sm?0&;yIu?k#$tdsKi_6zwV$tL{cvKaB?he$nZa|%B 
z(n2LGM?*ct7oAOz%19}w2O@OKmKiKLTWpE`Q>}YU>^ebl$sw1oFTrhWCPWX(5d8wk zI;PvWD@AJP7sV(9+FD;TRU;us-=PiK6K_##1GQmK_Yg~(Vh<^|90nPE9g8sfm3H9^ zbs?Rx1rms0^`I602)LG4>q7vns5Aw+=!brZvVYMT81X?^fXyslHc8g40FJ}>i!j0n z+4}9p;ht5P=b3U-s9CB%oBZ6x!5DedrUh0vI+55-+2myb6jN^2B91tf_ORrvx`olL zugN5t=twnGSIa{NvnrQ*4w;rRV=uwFC(&s*CV?1Eerz&@DCpBdX)U z9zIHZaXI}2E9(qb16WC`?+Bzm@bzzQW%8R?+kV5}>BMT*6x_2y1S+^b0XvribsH*z zYHCT~yi9uNWI=eJ5?H!~N|HH^esopBLbky2;4n_9RLUvNqelY-B%R~z@4U)9ljhPK zUATi1&TglUw2JWPOK+W*s@hrDxz>bD53`4%ys-22#1;~$Pdb(gVIDl4P8J zfBP%p5L2g@>k<;ZO?aqJZ1ZQ=Q_CdNQCV+p;srdxIsk57!oKQ9O-s)R(!%VY)!=R2 z#^l;YO@4eAOPDHHWs9^#7}(b}&JAD3SGz*z0oQjvFIwx!n1YvvmNrATAu1!SupE8v zVZ$b?YGZnDh-#*<-_?nh1vf%L7rqT>Aiv*Iw*43%9NkZZ9;cZI{zw$j(NT(OHB)`9 z1JhEJEs>bpMVkO}qph;`H{UhkF%SK0lp6o1O=f<3+4Y*|R3TxD-2#H0vUcAiA22b?qEYXc+wcoW*9!IYOCLTjc+@wjx4QxLPmz{Pul7 zj>yxZL$62|?C=Cjs3E*KHDIQ$#R`17l8(Xl;ib3&*&4U}EBxp*uYEt20n2+`+}}4A zxhOJv?#8texRH1xa!978onD>B`Z@fF=^*%0zL7LucRts-$J8pm<Y91JJ&@Oxhpy{xtLdw0uZtqq9p_cq2c!+!h}v|P z%=$S0?_VU6aQPT!CcHUjFbrGOICMkzYnPK_740!}YU`&8oZG92#-vi`rolB(W8xt1 z0CQ}l*^~x$ML5kSryZ9*+-tMV8zT`zlh2o{Bw+lTG{%&DQ}X{4WHKq!VPz}SqN>Wb zZ_!?k#JxIU;(n@phB5Kz3IH8IL{&ClHlYFj;u4QXTOez1NZrV6vzm6uJdU-{s9=+A z(Nx<$Rf=|M9&_ReuEB5D(==XdE3_rc6Bva;5gvdFr|ZjLR@zMIaD@r%QBoDc2TkM;|D<8IIiO)Oh8LxO`a!RiClSfM4$M|iKC78o0V!jYxlRT((1_5iJ(A!dIcOZF*wx%N-u#$wU6t%8j{v9=~ zXqBkv@c_EPD3jOSKN?fcU$bTlYp^GpEUjg8#tIr}2i+{edL)j2;Z8bO0y}|KV1=cO zFeI95acY$)u*2lybB)|gc1y-B`lMd}q0c!dFF9FEQT!~-R#Oc$62qHfS`JChiGT0< zo;@Ok{g*^kUT&Xm?bH9AHaImdXExfXm5bEdr6y(}hAP)x_;3To;GZPp9N4~nh&7r{ z8;K?4+rHUeIr-bia`Stz&wD_d_@eHow;5XJG$GY>Kj}B8c`kMWi)>Z5AwfTRxO^mt zn-B`*$L#h_-JwA={e)Ulx~B$9QCMW+%-AvH5`Zlp`bZP%2dxvHiNak+Z3>$_R`@Cf z0olf%)AjIMh_Ofqj(>VV7cJMia0|tSw&n;HiW5o5EgZ#5vhh6_G1JK?)*K% zrJnMF%Vr_Wg+0e>t>{N6QUqTsk|K9rOd(≈2z{PXe#;L~W1u{ja`V__?b|mXc3T z>cI^M8zW=?(&&SJ@dM(@I2^|_>Ec|i-v`lCO-*zK5>64^g3sr8eh{7SbiLR8W_iJGkvyyz%QQe0)c$Uj+ zK)dFYnTY~K4il(dw^Ms6oVBj4zdN<=Gw>6?SAyAGvG3bw;zbO$BX)iOkhu1#@b zYD9@U?GZyhqsH3@4G^r$-6Xf`<0RnGB*HUILIP@V)( 
zQaXT-&-aQa)idXUhUk^*q6JFFzx=T#MR*|XPkds+qm+Z;VdtZ47j8^U)uxtl^rtou z`tw+eY|Jk7Cm;k&Get8Le^>!77sCcD!-NW+%C$^R-WY(0LA9)|h3qDZhO=_wPJ{K*<#PKgZ?&?3bxorR$ z7PUnF2A(^Z4KY(tTQ2A=-6v$h^mo!#FaZd8DIfG3Ib6Q>m5P9gON9Q5=pMrqq7)Jv zB5?;1B~*5(T;F>KR%hwW`XUlmVq9^dGIn&nJ_(~DeZMECJYNs zPJ!+0!Bf#zjxk1suWwlv5|6rT1i`9DBdzdb0JK(#W2_C*4jH#%<0RT2+st`dYKIu9 z`OyUU+ZiVmU?@OTr@-XsIRdV+}&wq(sQt!EG>L8&M*I?s(h6Qzn5;Y z)(qZ|-uROKz!!D28>yt;J6hJg8?Yx!zR!&=yjLR)KF(t*OY75;ip zcCxlxcUY;XRxUsxI6>68%vdA3Y66FVes5?L`-h6EA$AJknl*B6(4bJBLBwp-nao5Z zdal(UQ3*CEiG)%;Lywf*f-AK?dk#pe)HYpFzpOg&&!MtoN3rM_rW9@HKs-pLoC~?h zSVD#7A%Vy^*ij-RU07gU73a!0#m$egA8Y^s!jEwIbwkX2zzqh~spg0NVN9vLstDb? zy)A7suME;J{E~)AGl&Q0FJ1*}&*zW|joG2le0>0-E)FSRfnK?h*uLxM%mS&z*uO({ zQ4n-#h9uzBR#>CTmt{%tu)c2sieixvWCV#S2cWaum`uETN%z7$eP0#pvMm7sZ*aW)p> zBBh@yD+v0!K0~9DG(}&Nv`w52mi1`I0_ioE-2?W_P#x6sX!fV**41pKoxBeKgHN7t z6F80bNHVh6T6(x2)QN6D`?CY>C?r&@th}=d0t)0eH02Pl^blGa{U#d^i?QEof3gVw z#*!2IjD`l3+8f`t5_I;n`MuH&@zf?)1dA`u`%nV>YP%!wYCe-{f1G_30*U$(9x6X1 zDE@i*^9CQ*?_wMObpioPdEoO%oVUst+GYJ`udi2Ap4;+x(f2~NlT-(*=;y|w>+ zv)+G>y>%i2>{ciIYWl^J0SGexD}(lfg(q(T%e*JBWo#gugE6nb^C9oaDCXZbh`#K} z%wPVt>WP9xn5jM9IxhS(Y5$*)=;DVo7qsHI)un7wj_to^Ii^;u?quUP{P%54Ol|T9H}JI|LM_k5x9LP(A{|fZ8s4N1W%CD zIt+tdW|qx020Q5Wv_%cSJcA}@3XG!*DES zQ09BDzv3tS^Y-`Y@7(Xwc<1mfOQ*(|e?3&&T(xh=lMiQoxAyZJ8-2CWi@^es<*eK z%Kdet$!y`*L~i&F!v5H5-%61IF16EtznY3*C#?`bYuCa53w_B!~YsL@CoZ5NBppT(*V(uxDLoSX?6LAH5f|t(J!An2h+`jlxn-*#G3C$+7@dY zMQZbVL|lJ74(5Kd^gAtO{Bkxin)5{_;ZWl!;+W;Ubd!DRnXW;J`O^XU0&o0Kz6qI0 zCBs4i^9`#&sq>m&y4U&=r)~hJ92p1pwNCM_YcI|(MZ4}lMagS7X8+cugFt+fWhRoNI zb`ImR(^grjuR-|labM?UEOu!T8W)*~K78#9M9VU5HfL53Xy@`p!2~n9(>iLYzOM?P zj9O<7J-`f+*un@K_0wy!H4>Vb zQLSC?U1Wt9{n)TLxw;HWR)}8(Z{D8I3ot{p;-GueW%U?0Az^2K%QDQ2_=SyqpgAzF z+ek?CX~Id7BcPl+4Nn=ZK`v@G><#k#gNV#PQy716)@zF7)unqf$abcqJm$gp^*rh_ zf~O8%w6f7XMAJJE3eKp{3C#oA-l;8veWoajQ|Gieqvh3}Ly7-2g_g(17u#7t!&?Y~ zfOKGEFQ9|XF#C=pEvMUR;U}cixiEb27=GkXR!#+;EyTW=h;b_@>if-q_j%?^ta!Bn zIc8NUYt*?o_~f3FOmHnsW62)#%&~j!{@XvQ^7uX!?JSM-=B5v3P^Sp|o;gi_vqaWG 
z>azEIfH~gVmT6NrMfhXG(}FNr+%~^8IvW0A9t%inIw2t=_8s5aJx9(1mPId$Dwue) z*y6>qDDMZ#Wd}&)`#Q@6Jx5I)2feWpt3FK}J`m1}%uOxhY_IC`s5<~TU zluUubZemgn+U`e9phE@(7zWP)^3^GM^p$srKS!o*aPlI$)8Dk+>zx7KTSo4`D{|!P zM_v*aItHZA9KdB8!;r16ftbY$gnvoa3hmhm-5lBMm*zJjb#X($kx-nu8@zC6MKXt& z{QkL&Y8TT&^oZy^!XIG|1Zn#m859RG6fNOAUX_fljif(MM{Ij)GRG0W^HuF~#rIyl zJ|RJLyjif{!wRHwvOE5Axi8T!f;1^_QOVc zcDGb&h9GPy&l~+K9I2Y;LJuDgOpVu3AgzJ;W?W?Es=N`F_KT6(D_uMYvRL*OWG~0Z z<{YP&?1pz;ek(oSU?FB(4u}DHiFk2A_LxI72-8^*ZJQoGJ1{$C3U?Q_k4d+>8AEt- zO|>p2>e4@9eSmSp`H;xV40vsXK@;(!D)iLCQaN)srQHrkC}r>l2)`=elbEi6V?@YM zfkzkUH613B{(?r6Ni4>EUiqBjon9L@e-~~Mqgd|GLhLXTyvrj|_57yUrw~wm#P2;2 z2N|A8pPD~lxlO_T6nnzCHnD9DR3=yJy8{WAz$L*niplbCl0%TJxjnFUN|SthA{7Smry` zGjo2aFuinKbX+FPBk>f%=51Z&;86SlW|hP{@%H+|0qg(#w#@J=(&FGE67$x=ka%}O zcvbH$^JpAwM!iQk-P(t!;Uy0Gy~4K3r-B%zRy?;nb9e;!)9-pcV!<9%1s0#6#_!uQ zcR(g@H4W0)ec!n#zRh#X)lSB(Y{8`9#86bX6crex@h3q|nwUu~62nDzbuMn`N@vkR zZ6oBF1156NwLkQ^89v$`ETGigVQwX0M=0sYeR%~unG zG@vc%&u=&-Wp(0II>TC2dPm?~4Bm3662bTP`zFv;9?w#xfE#9(zcgaiV}E=?s)o@{ zh1wN^uAfk#UvwK;DIiDS`Fy6Maur%53ZyGhpN>9nOHCY(WaaX zg|VKl*2W<4-rRCXBhTUTB!C<9oc4?tk=SQj3u(~nKj~3v-%+>xs-2y=fIw8!!llYa zv-y#P*ZC+RbD?+<2fTdY`ledwoITSSOxnRMR=y29ABPKct6{-L1|4qu(nP8f(fC79ry)zzI;M|!ls;4zk#sldhq##E%dMa^n?=F zUP2JM|9E}}H({8aWq_er_CG_~?cHs{1?t*3hwy5vXvy2Fr2e^PQN0ivsPhayPmb;()mG+u*J8rZkq4oo~H9oNU4}#Uk`Un)UE;wG3Z(9yX96|Ge;Bw=zJUD zhdzIci`oNxa+nv>i!wwhrX5ul;FQcj*5xwpzs?H8B(puGBZ{n1y=w7V?-;Lm+z|$ z_yj?}XXir4y9G!0Tng4WAbP`Iz0VA(EE8w+dMR?c<@1wf^nT~_P&E>?$Fr<%(~=`? 
z6%h1HM6yXQcd-tUGJdWTZ@q=e!ze7g&;p9LQ6CF>=r&<61TR<>D;VSs8GpNuVc-fO zO9nOuCeXQ@Qe4)QJ-9~xerx!qLR~*0dR6guX6#Y#StO0i`Z~!@I}wUOzn~BSMJwnw zG%s4-BMT)6a-MNuC((ilyoTGif5%a$2L+m<{QM)vy{bjO z0|#TnmL8>lBH7Gi-Isl$`DN75UB7l>)y}Um!Z>IbSmgrdpargdV8g`sO!WGR@Ni# z2>XXS-@(3~XSF@N-}_%Y9nt&v1cGVnpC!qnbmVv_7=P{i!E%ZE_=*w*G%lT`p+Fe7 zHjMcuW9L`1m5j53TVG)=+2{{Lq4BK6@y9T(;3zi_wdAjfq+589bk%|iURh9c#RttK z8R16e^sTdMZ>);HvpC&=0IT!dy5xc_Ps%ZOOash3eWr%#{r%f^avx9LsiTI)LDIKu zt{Gxs8K@V+U`*IS5uq_V43)yOMKao-k*7vP3V@k^mQ6rvt4N>3)zgu52yFg}^vOpB z!x)YMh3ebi1}o@E#13)(P5RLrw;C?HaY!`5#guEu&p^iMe9|(Yui(^qk7DaX+v1(D86{TG`8VE5rlL! zIYHgwl-Vw)2)v*SeTud|_sm7Pz^Yl3Rc}C2&D=L^4XpKo7#KL3GOF2dgKE z-ag}6q-Vb!!E*%BPd5oU!;u^!qSJ)Y^VFnXi>0$-{2ub0?w-@4sh^_8)lw<*+LK@@ zZg0FJSAgpPqRB$N-nhf&udKCNRP$0VR4`t9ZWi0w?|Qs6g}*&!Z_8yzBD^o2*sEW@ zc^j@``(7~D*_Rg=NA0Sxf$09|8IF)5#A9(Lw`CYz{-K&I6TLNd%8Jr!KF}w?0*c1Qq99jrV`rSPHIJj2PrzXxB{9|G-L>p-=ty28)867 zfm0>(Vjj2;)nrxUV&&=`eey`or3jWr5BFMRoJ#9<*(b_M#Kz zS;Zi0-lqYnf_?lQc6Hs3LD5t|*8oXICpi4ruQb=QCCZNNruGXA&whV1ow!_Xtfn0! 
zWjjV9=K^EJIyk&~ZQM}^q+2@Uu-J4+zD%$8B4S9Qm52p=$f$_LFXWwWf_1Has-hG2 zCPw9f!J0d6aseORxU1_z=8#yk>^~P3On)v9z~8GeNxoJ#2iyk#&C^#VKF@A?or>ji z67(`HAd`+%(+U(!bjBtc<1fo~S|B>{x%x&!18wKMe8B%%LL9@VY06lu@ljwrapw1B zkN3jHKkKJ!0zG;g^muYiP zvHk#!Kq%@xkj7W$l6B4=t$cT)8@OTl%om%x+7jZMP(&-Q{(Psm?9x5&E2=7GOznQiQoj#F989*(tUN zTRmlK$VhCepi`^BD;mlH{jgCW4!o%Psg>OxZ!x*%pGxg&EQjVrzglCn*rJ2^s-ND5 ztKrH%2}tJsboFE{Y7y{XZ6F>`VA96}4S7n}Z`TPGkhfPy>V~XGt{fLp<>Ok8q#g8r z=*FBa*)1@sk}MRDY`M4j?}5Lw1(+C0(M-D8K-kC4*{?0v{bzDPD8i&xJEp6rc2+M& z%AAmNnCiHjHTn(rD8eSm-E&IXVTVw)ZYt5GWvCLlQ=S7Ikd9dJcuKU~>+br{sR)%rxjN zPwQcH;laSi-2T46=tC1SF(c0wkM$jTvb={qV95Vng=9u|4dkc=-Pk678G3=tA0}?X zz0MHw>x)&NwOWUS7o$bj99dVUKSGL_Dp1f)Jy8Ge-zqWGSxw1`1RF}7ZE&MbJAXOp zWor`7opFE>eDc@|g7A^Mv4g;Nkg8JJL+=SqX&eFt!Dw3h4NkKE7oQ1!M1GpTM*WTi zjsS>^>fc_se<6SFe)<9Mmp`UTI42CAn27K;sI6~1Oprl1i1ZE!e!uH)A-ZdmOT~GL zPWSTzZ1>q$Igbq#4*Ka@Z=_zWV^(iT)cA^SvtZeKqQW3rA~w?nE_X^EMyZB-hV*8@ z&+@>u1JSi7n}^9$-2=D7DllyvewvZF zj3O~leX8Gm*5^h1BhuU>AhNV<4#m1hiEL4Sh*o{g#x92Nc>xj9(FpM_`J2c70=K!K zA1IsC;{H1++}p+X=UoBQSQ>9HJ2i-3A04UNiMYGDZYP!f@L&G~d*d1NA3Hu%*MQ!- zc>X3T6yZ# z>IB{9Y|pV+&(F=_{^9?Kju1-=EpStSxIA)0gtSy@Iu?{FZU`>?Fnv}O(kz4#O)LwE z=6KaJLpJZeLBqUfX?3#2Dz5C8)yXi$9mp1UQZw|`^M2Rb3sr8FA-oN}GfnKf-_bW| zw`tEx)=ynP+{4WKcp|~&V6aT)CmdTgJ%kvtcSj2e2$R)s0}8s7HVd3rj$2b00EK_8 zl=(F`+xbwx@*&+m8`x-zH4Lz$(Ju4Ogq2KTegy4RPwH*XK1s0aIn6Xg8o*$f8zl5J zcan%p(D~FRVM`a?Ed)4~Id>{_0L?~hVrv~1hQ!OHI1bZDU4NHT1n9em8~=(YLFJqB z5<8s0ih-2@?hx1;EtLwc^?=*)0^~gvY8StqE-`>>k^K@;O_?rL5BU4gq2&~JII>UY z5h3$%5GPFnG!-ee)rSG!yN{+ph0N&-Cyfn>ag}jU>!vl#*<`U4!dY&gvtgaHlLNDd z1yuga=ge5u@z;9S0Ow0Q@?w!PQ=Xz=PsJ56e!RyxtzSL~UYhiu-r!3G$>Xd;h^i}z zmS+WEYsS@-@Y%yER!#LY35gZCxTzd}?yAyTaU9_~)6H5bn6HqX;DhOPLF)=3shdAF zYD~9xf*3Su%vVVuD+V>A2EJr<>4==ue64=yf~OiCmG8wEKNP;0bQ20 z=7;hUJ>z5PBzYln6u557E>}BOBv}Zw9*0K+kim2$g6<$K!MlqyIhIobLZc4Rrq#Iq z>C0{82`wO*TwJtT<^M(`MQl5dwG$nBBTE6ZlR>_I<0+2-v(zCwiWYN%h+tuWO%n1N zx%mq(G1Wx2VQiQC zRc5_>ig@( ztB6IERqlGs(h#`D79ssIVw6k|;vfy1rCq_3s7?###MA9MuzcD1){tPZoGomL_C(WT 
z7?59w;t^8XGf_}nD!}dYD&@*_yv0s>e?LfFr81m_eMdA-B>zbJa#YpzDR5gj_4s>) z3I&*Ge)IeclHW(#2~lSaIslH!0%5$zb9 zw`B`D3n0IPEA?RGr!I3(By0GT2RS>pD`M6x{GM!hkpQ~&<1^8IagYcddj{K;)JFs- zrV13*RNR-?7Pd>N!tKJ|D$CcV>%^lQg{hZX3fX~>h!C*A?XzHFfRG8Gy8w{^0fMN} z7-h`P91ueVb~B=X43sb4_?OvV23TeCPqV)afNd65vOxa*Jh{gs$8rBr9rirH<_CD= z->L)7gY}N%k5_;E`9}cf9}%B_hPM6@3;Tc5_^50Kbt_`@4i*) zT>gZ8FY&b`<3xGnrQKn}h-&HgJI2<-C%sOd^OI4M>Ni>j?W#tb3wWe;;pG5hqVBGD zu?R;q-rX@f&kambp#K86OLC$B literal 0 HcmV?d00001 diff --git a/pages/site-to-site-vpn/index.mdx b/pages/site-to-site-vpn/index.mdx index 6a6a039d1e..e7a30997bf 100644 --- a/pages/site-to-site-vpn/index.mdx +++ b/pages/site-to-site-vpn/index.mdx @@ -7,7 +7,7 @@ description: Explore Scaleway Site-to-Site VPN. Connect your Scaleway VPC to you type="note" title="Site-to-Site VPN is in Public Beta" > - Site-to-Site VPN is currently in Public Beta, and available only via the [Scaleway API](https://www.scaleway.com/en/developers/api/site-to-site-vpn/). + Site-to-Site VPN is now available via the [Scaleway console](https://console.scaleway.com/). diff --git a/pages/site-to-site-vpn/quickstart.mdx b/pages/site-to-site-vpn/quickstart.mdx index f781b21183..5c81bbc990 100644 --- a/pages/site-to-site-vpn/quickstart.mdx +++ b/pages/site-to-site-vpn/quickstart.mdx 
@@ -4,9 +4,182 @@ description: Get started quickly with Scaleway Site-to-Site VPN. Follow our step tags: site-to-site-vpn, vpn-gateway, customer-gateway, security-proposal, routing-policy dates: creation: 2025-12-05 - validation: 2025-12-05 + validation: 2025-01-20 --- - -Site-to-Site VPN is currently in Public Beta, and available only via the Scaleway API. Read our API-based quickstart in the [Site-to-Site VPN API documentation](https://www.scaleway.com/en/developers/api/site-to-site-vpn/#quickstart) - \ No newline at end of file +import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp' +import Requirements from '@macros/iam/requirements.mdx' + +Site-to-Site VPN lets you securely connect your Scaleway VPC to your remote infrastructure, enabling encrypted data exchange over a private VPN tunnel. Integrated with VPC routing, traffic destined for your remote infrastructure can reach it from your VPC via the secure VPN tunnel, and vice versa. Site-to-Site VPN connections are secured with Internet Protocol security ([IPsec](https://en.wikipedia.org/wiki/IPsec)). + +Scaleway Site-to-Site VPN consists of: + +- A [VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/): the connection point on the Scaleway side +- A [customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/) the connection point on the remote side (representing a corresponding physical customer gateway device) +- A [routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/): defines the traffic allowed to flow through the tunnel +- A [connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/): brings together the three above elements, and defines the encryption and configuration for the VPN tunnel + +You must create all of the above elements, and correctly configure your customer gateway device, for a functional Site-to-Site VPN. + + + +This document walks you through the process to create a Site-to-Site VPN in the console. 
+ + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization + +## How to create a VPN gateway + +Creating a VPN gateway is the first step in creating a Site-to-Site VPN. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. + +2. Click the **VPN gateways** tab, then **Create VPN gateway**. The creation wizard displays. + +3. **Choose a region** in which to create your VPN gateway. The resource will be created in this geographical location. VPN gateways must be in the same region as the resources (customer gateways, connections etc.) that you link them with to create a Site-to-Site VPN tunnel. + +4. **Choose a zone** (optional) if you want to pinpoint exactly where in the region your gateway should be created. + +5. **Choose a gateway type**, based on bandwidth and how many [connections](/site-to-site-vpn/concepts/#connection) the gateway should be able to support. + +6. **Configure network connectivity** for the VPN gateway. + - **Attach to Private Network**: You must select a Private Network which the VPN gateway will connect to. This is not currently modifiable after gateway creation. + You can choose either to auto-allocate the gateway's private IPv4 and IPv6 addresses on the Private Network, or select specific private IPs. You must have already [reserved these IPs via IPAM](/ipam/how-to/reserve-ip/). + - **Set up public connectivity**: Assign a public IPv4 or IPv6 address to your gateway. This will be used to establish the VPN tunnel. If you want to be able to create two connections between this gateway and a single customer gateway (for dual tunnels), you must also assign a second IP address, of the IP type not used for the first address. + +7. **Enter a name and (optionally) tags** for the VPN gateway. + +8. 
Click **Create VPN gateway** to finish. + +Your gateway is created, and you are directed to its **Overview** page. + +## How to create a customer gateway + +The next step in creating a Site-to-Site VPN is creating a customer gateway. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **Customer gateways** tab, then **Create Customer gateway**. The creation wizard displays. + +3. **Choose a region** in which to create your customer gateway. The resource will be created in this geographical location. Customer gateways must be in the same region as the resources (VPN gateways, connections etc.) that you link them with to create a Site-to-Site VPN tunnel. + +4. **Define connectivity parameters**, to supply Scaleway with essential details of your remote customer gateway device: + + - **IP address**: Provide the public IP address(es) of your customer gateway device, used to establish the VPN tunnel. If you want to be able to create two connections between this gateway and a single VPN gateway (for dual tunnels, increasing redundancy), provide an address for each IP type. + - **ASN**: Provide the unique identifier assigned to the customer's network, used by BGP (Border Gateway Protocol) to exchange routing information with other networks. + + + The ASN must be different to Scaleway's ASN (12876). This means you cannot use Site-to-Site VPN to create a VPN tunnel between two Scaleway VPCs (peering). Watch this space for our official VPC peering solution, planned for the future. + + ASNs can be public (globally unique) or private (unique within an organization). If you are unsure of your customer gateway device's ASN, we recommend entering a private ASN, in range `64512` to `65534`. + + +5. **Enter a name and (optionally) tags** for the customer gateway. + +6. Click **Create customer gateway** to finish. 
+ +Your gateway is created, and you are directed to its **Overview** page. + +### How to configure a customer gateway device + +Your customer gateway device is a real physical or software-based networking device, located on the remote network you want to connect to your Scaleway VPC. The customer gateway that you create in Scaleway is a logical representation of this device. + +Creating the customer gateway on the Scaleway side does not automatically configure the corresponding physical or virtual device. This must be set up separately by you or your network administrator to establish the Site-to-Site VPN connection. + +See our [dedicated page](/site-to-site-vpn/reference-content/configuring-customer-gateway-device/) for advice on configuring your customer gateway device. + +To continue setting up a Site-to-Site VPN, [create a routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) or [create a connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/). + +## How to create a routing policy + +After creating a VPN gateway and a customer gateway, you can choose to either create a routing policy, or skip this step for now and [create a VPN connection](TODO). If you do not create a routing policy at this stage, you must create one later, and attach it to your VPN connection, otherwise no traffic will be able to flow. + +[Find out more about routing policies](/site-to-site-vpn/how-to/create-manage-routing-policy). + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Click the **Routing policies** tab, then **Create routing policy**. The creation wizard displays. + +3. Choose a region for the policy. It can only be attached to VPN connections within the same region. + +4. Define the type of IP traffic to be covered by the routing policy. + +5. Whitelist the outgoing routes to allow. 
For each entry: + - Enter an IP prefix to define a range of route announcements to whitelist, e.g. `172.16.4.0/22`. + - Click **Add** when complete. + + + Routes within these destinations will be propagated, allowing traffic from your remote infrastructure to be routed through the VPN tunnel to your Scaleway VPN gateway. For example, adding `172.16.4.0/22` whitelists all 1,024 IPs in this block, from `172.16.4.0` to `172.16.7.255`. + + +6. Whitelist the incoming routes to allow, in the same way you did for outgoing routes. Outgoing routes concern announcements to accept from the remote infrastructure. Traffic can be routed through the VPN tunnel from your Scaleway VPN gateway to your remote infrastructure along these routes. + +7. Enter a **name** for the policy, or leave the randomly-generated name in place. Optionally, you can also add **tags**. + +9. Click **Create routing policy**. + +The policy is created, and you are returned to the listing of your routing policies. + +## How to create a VPN connection + +A connection is the central component of a Site-to-Site VPN. It links the VPN gateway to the customer gateway, sets the routing policy(ies), and defines the encryption, initiation and security parameters for the VPN tunnel. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your existing VPN connections displays, if you have any. + +2. Click **Create connection**. The creation wizard displays. + +3. **Choose a region** in which to create your VPN connection. The resource will be created in this geographical location. You must create the connection in the same region as the VPN gateway and customer gateway that you want to connect. + +4. **Choose the gateways to connect**. The connection will link the VPN gateway and customer gateways that you select here. Only gateways you have already created in the region you chose at step 3 will be displayed. 
+ + Based on the selected gateways, the **VPN tunnel details** selection panel displays. + +5. Select how the VPN tunnel for this connection should be established: via the gateways' **public IPv4 addresses** or their **public IPv6 addresses**. + + + - The two gateways must have at least one public IP type in common, in order to create a VPN connection between them. + - The IP type you select here does **not** limit both IPv4 and IPv6 traffic from being able to flow through the tunnel. [Read more about this](/site-to-site-vpn/faq/#if-i-create-a-connection-using-gateways-public-ipv4-addresses-does-this-mean-the-tunnel-wont-support-ipv6-traffic). + - If both gateways have both public IP types (IPv4 and IPv6) you can create a second VPN connection between them, this time selecting the other IP type, for increased redundancy. + + +6. **Specify a routing policy** for the connection, (optional). The VPN connection needs a policy for each IP traffic type (IPv4, IPv6) you want it to route. These policies define the traffic that is allowed to flow through the tunnel. Without an attached routing policy, no traffic can flow, but you can choose to attach a routing policy after creating the connection, if you prefer. + +7. **Set the connection initiation policy** by selecting which gateway should initiate the VPN tunnel. + + + By default, choose the customer gateway to initiate connections if it has a stable IP and no restrictive firewall. + + +8. **Select a security proposal** for this connection. The security proposal defines the encryption and authentication methods used to secure the IPSec VPN tunnel. For help choosing a security proposal, refer to our [dedicated documentation](/site-to-site-vpn/reference-content/security-proposals/). + + A pre-shared key (PSK) will be generated automatically when you create the VPN connection object. 
It will be securely stored in Scaleway [Secret Manager](/secret-manager), and can be retrieved for the purposes of configuring your customer gateway device. It is not currently possible to upload your own custom PSK. + +9. **Enter a name and (optionally) tags** for the VPN connection. + +8. Click **Create connection** to finish. + +Your connection is created, and you are directed to its **Overview** page. + +## How to activate or deactivate route propagation + +You must activate route propagation for traffic to be able to flow through the VPN tunnel. Activating route propagation triggers the dynamic exchange of route information between the gateways. + +1. Click **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. A listing of your VPN connections displays. + +2. Use the **region selector** at the top of the page to filter for the region of the connection you want to view, then click the connection in the listing. The connection's **Overview** page displays. + +3. In the **Route propagation** section, click **Activate propagation**. + + A pop-up displays, confirming that the action will launch the BGP session(s), allowing traffic to flow through the tunnel via the routes whitelisted in the attached routing policy(ies). + +4. Click **Activate route propagation**. + + Route propagation is activated. You are returned to your connection's overview page. + + While route propagation remains active, the two gateways will dynamically exchange and update route information. Traffic can flow through the VPN tunnel along the routes whitelisted in the routing policy(ies). You can deactivate route propagation at any time: if you do so, all routes are blocked and no traffic can flow. + + ## Troubleshooting + + If the tunnel does not come up as expected, ensure you have completed all the essential [configuration steps](/site-to-site-vpn/reference-content/understanding-s2svpn/#components-and-configuration). 
\ No newline at end of file From 97852481b3b4ccf42f037157755363844f1e2587 Mon Sep 17 00:00:00 2001 From: Rowena Jones <36301604+RoRoJ@users.noreply.github.com> Date: Thu, 22 Jan 2026 15:53:30 +0100 Subject: [PATCH 08/13] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Néda <87707325+nerda-codes@users.noreply.github.com> Co-authored-by: Adrian POIGET --- .../how-to/create-manage-customer-gateway.mdx | 4 ++-- .../how-to/create-manage-routing-policy.mdx | 6 +++--- .../how-to/create-manage-vpn-connection.mdx | 16 ++++++++-------- .../how-to/create-manage-vpn-gateway.mdx | 2 +- pages/site-to-site-vpn/quickstart.mdx | 6 +++--- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx b/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx index 100b548181..7af8d400b6 100644 --- a/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx +++ b/pages/site-to-site-vpn/how-to/create-manage-customer-gateway.mdx @@ -60,7 +60,7 @@ To continue setting up a Site-to-Site VPN, [create a routing policy](/site-to-si 3. Use the **region selector** at the top of the page to filter for the region of the customer gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. -Here you can view the gateway's : +Here you can view the gateway's: - Region - ID - ASN 
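Review bot: in the pages/site-to-site-vpn/index.mdx hunk (@@ -7,7 +7,7 @@), the callout keeps title="Site-to-Site VPN is in Public Beta" as an unchanged context line while the new body line no longer mentions the beta, so the title and the body now disagree. Either update the title in the same change or keep the beta wording in the body. The replacement also drops the callout's only link to the Scaleway API; if the API is still a supported way to manage the product, keep a pointer to it next to the console link.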
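Review bot: in the pages/site-to-site-vpn/quickstart.mdx hunk (@@ -4,9 +4,182 @@), step 6 of "How to create a routing policy" covers incoming routes, but its explanation starts "Outgoing routes concern announcements to accept from the remote infrastructure". Announcements accepted from the remote side are the incoming ones, so this looks like a carry-over from step 5 and should read "Incoming routes". These whitelists decide which prefixes can carry traffic through the tunnel, so the direction has to be unambiguous. Two smaller points in the same hunk: the link [create a VPN connection](TODO) still has a placeholder target, and "## Troubleshooting" is added with leading whitespace, unlike the other "##" headings in the file, so it may render as part of step 4 instead of as a section heading.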
@@ -107,7 +107,7 @@ You must [deactivate route propagation](/site-to-site-vpn/how-to/create-manage-v A pop-up displays, informing you that any [VPN connections](/site-to-site-vpn/concepts/#connection) using this gateway will be auto-deleted. - You must manually delete any other objects associated with the gateway, such as VPN gateways or routing policies, if you do not need them any more. + You must manually delete any other objects associated with the gateway, such as VPN gateways or routing policies, if you do not need them anymore. 6. Type **DELETE** to confirm you want to proceed, then click the **Delete* button. diff --git a/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx b/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx index 8553fa9162..0da7d3c81e 100644 --- a/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx +++ b/pages/site-to-site-vpn/how-to/create-manage-routing-policy.mdx 
@@ -16,7 +16,7 @@ A routing policy is one of the essential building blocks of a Site-to-Site VPN: A Site-to-Site VPN connection uses [**B**order **G**ateway **P**rotocol](/site-to-site-vpn/concepts/#border-gateway-protocol-bgp) to exchange routing information between the VPN gateway on the Scaleway side, and the customer gateway on the remote side. Each side advertises IP prefixes for its own internal subnets and resources, to allow the other side to dynamically learn and update its internal routes, facilitating efficient traffic flow. -However, by default, **all routes through a VPN tunnel are blocked**. You must create and attach [routing policies](/site-to-site-vpn/how-to/create-manage-routing-policy/), to set IP prefix filters for the route advertisements you want to whitelist. This facilitates traffic flow through the VPN tunnel +However, by default, **all routes through a VPN tunnel are blocked**. You must create and attach [routing policies](/site-to-site-vpn/how-to/create-manage-routing-policy/), to set IP prefix filters for the route advertisements you want to whitelist. This facilitates traffic flow through the VPN tunnel. A VPN connection must have a **minimum of one** and a **maximum of two** attached routing policies, one for each IP traffic type to be routed (IPv4 and/or IPv6). @@ -44,7 +44,7 @@ When creating a routing policy, you specify one or many IP ranges representing t 7. Enter a **name** for the policy, or leave the randomly-generated name in place. Optionally, you can also add **tags**. -9. Click **Create routing policy**. +8. Click **Create routing policy**. The policy is created, and you are returned to the listing of your routing policies. 
@@ -70,7 +70,7 @@ The policy is modified and modifications are immediately applied. ## How to attach a routing policy to a connection -See our [dedicated documentation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-attach-or-detach-a-routing-policy) +See our [dedicated documentation](/site-to-site-vpn/how-to/create-manage-vpn-connection/#how-to-attach-or-detach-a-routing-policy). ## How to delete a routing policy diff --git a/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx b/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx index a8c5f210d1..eb33f0adcf 100644 --- a/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx +++ b/pages/site-to-site-vpn/how-to/create-manage-vpn-connection.mdx @@ -11,7 +11,7 @@ import Requirements from '@macros/iam/requirements.mdx' import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp' import bgpSessionDiagram from './assets/scaleway-vpn-tunnel-detail.webp' -A connection is the central component of a Site-to-Site VPN. It links the VPN gateway to the customer gateway, sets the routing policy(ies), and defines the encryption, initiation and security parameters for the VPN tunnel +A connection is the central component of a Site-to-Site VPN. It links the VPN gateway to the customer gateway, sets the routing policy(ies), and defines the encryption, initiation and security parameters for the VPN tunnel. 
@@ -43,7 +43,7 @@ This document explains how to create and manage a Site-to-Site VPN connection wi - If both gateways have both public IP types (IPv4 and IPv6) you can create a second VPN connection between them, this time selecting the other IP type, for increased redundancy. -6. **Specify a routing policy** for the connection, (optional). The VPN connection needs a policy for each IP traffic type (IPv4, IPv6) you want it to route. These policies define the traffic that is allowed to flow through the tunnel. Without an attached routing policy, no traffic can flow, but you can choose to attach a routing policy after creating the connection, if you prefer. +6. **Specify a routing policy** for the connection (optional). The VPN connection needs a policy for each IP traffic type (IPv4, IPv6) you want it to route. These policies define the traffic that is allowed to flow through the tunnel. Without an attached routing policy, no traffic can flow, but you can choose to attach a routing policy after creating the connection, if you prefer. 7. **Set the connection initiation policy** by selecting which gateway should initiate the VPN tunnel. @@ -57,7 +57,7 @@ This document explains how to create and manage a Site-to-Site VPN connection wi 9. **Enter a name and (optionally) tags** for the VPN connection. -8. Click **Create connection** to finish. +10. Click **Create connection** to finish. Your connection is created, and you are directed to its **Overview** page. 
@@ -134,9 +134,9 @@ A new version of the PSK secret is created in Scaleway Secret Manager. Ensure th 2. Use the **region selector** at the top of the page to filter for the region of the connection you want to configure, then click the connection in the listing. The connection's **Overview** page displays. -4. Click the **Settings** tab. +3. Click the **Settings** tab. -5. Make your edits as required: +4. Make your edits as required: - Click directly on the connection's name at the top of the page to edit it. - Type new tags directly in the **Tags** box, or use the **x** icon to remove an existing tag. @@ -148,15 +148,15 @@ You must [deactivate route propagation](/site-to-site-vpn/how-to/create-manage-v 2. Use the **region selector** at the top of the page to filter for the region of the VPN connection you want to configure, then click the connection in the listing. The connection's **Overview** page displays. -4. Click the **Settings** tab. +3. Click the **Settings** tab. -5. Click **Delete connection**. +4. Click **Delete connection**. A pop-up displays, informing you that this action will permanently delete the connection. The VPN gateway and customer gateways used in this connection will **not** be automatically deleted. Remember to delete them yourself if no longer needed. -6. Type **DELETE** to confirm you want to proceed, then click the **Delete* button. +5. Type **DELETE** to confirm you want to proceed, then click the **Delete* button. The connection is deleted, and you are returned to the list of your VPN connections. diff --git a/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx b/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx index 0a0d3ba34c..0000192bcc 100644 --- a/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx +++ b/pages/site-to-site-vpn/how-to/create-manage-vpn-gateway.mdx 
@@ -61,7 +61,7 @@ To continue setting up a Site-to-Site VPN, next [create a customer gateway](/sit 3. Use the **region selector** at the top of the page to filter for the region of the VPN gateway you want to configure, then click the gateway in the listing. The gateway's **Overview** page displays. -Here you can view the gateway's : +Here you can view the gateway's: - [Status](/site-to-site-vpn/reference-content/statuses/#vpn-gateway-statuses) - [Offer type](https://www.scaleway.com/fr/tarifs/network/#site-to-site-vpn) - Availability Zone diff --git a/pages/site-to-site-vpn/quickstart.mdx b/pages/site-to-site-vpn/quickstart.mdx index 5c81bbc990..9736bda6c5 100644 --- a/pages/site-to-site-vpn/quickstart.mdx +++ b/pages/site-to-site-vpn/quickstart.mdx @@ -4,7 +4,7 @@ description: Get started quickly with Scaleway Site-to-Site VPN. Follow our step tags: site-to-site-vpn, vpn-gateway, customer-gateway, security-proposal, routing-policy dates: creation: 2025-12-05 - validation: 2025-01-20 + validation: 2026-01-20 --- import s2sDiagram from './assets/scaleway-s2svpn-conceptual.webp' @@ -118,7 +118,7 @@ After creating a VPN gateway and a customer gateway, you can choose to either cr 7. Enter a **name** for the policy, or leave the randomly-generated name in place. Optionally, you can also add **tags**. -9. Click **Create routing policy**. +8. Click **Create routing policy**. The policy is created, and you are returned to the listing of your routing policies. @@ -158,7 +158,7 @@ A connection is the central component of a Site-to-Site VPN. It links the VPN ga 9. **Enter a name and (optionally) tags** for the VPN connection. -8. Click **Create connection** to finish. +10. Click **Create connection** to finish. Your connection is created, and you are directed to its **Overview** page. From c318813f89cf2873cabb491a1ea99a9e0d54110f Mon Sep 17 00:00:00 2001 
From: Rowena Date: Thu, 22 Jan 2026 16:00:52 +0100 Subject: [PATCH 09/13] fix(typos): pierre feedback --- pages/site-to-site-vpn/faq.mdx | 2 +- .../reference-content/understanding-s2svpn.mdx | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/pages/site-to-site-vpn/faq.mdx b/pages/site-to-site-vpn/faq.mdx index ea2b203f4c..1aa0c37527 100644 --- a/pages/site-to-site-vpn/faq.mdx +++ b/pages/site-to-site-vpn/faq.mdx @@ -56,4 +56,4 @@ The following diagram shows a connection with an IPv6 tunnel (i.e. established v ### How much does Site-to-Site VPN cost? -Site-to-Site VPN pricing is primarily based on the type of VPN gateway you create. Each gateway type provides a specific bandwidth capacity and supports a different maximum number of connections. See our dedicated [pricing page](https://www.scaleway.com/en/pricing/network/) for full details. \ No newline at end of file +Site-to-Site VPN pricing is primarily based on the type of VPN gateway you create. Each gateway type provides a specific bandwidth capacity and supports a different maximum number of connections. See our dedicated [pricing page](https://www.scaleway.com/en/pricing/network/#site-to-site-vpn) for full details. \ No newline at end of file diff --git a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx index 46e1b817d4..7a2ba3ac5d 100644 --- a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx +++ b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx 
@@ -22,7 +22,7 @@ Site-to-Site VPN lets you securely connect your Scaleway VPC to your remote infr Scaleway Site-to-Site VPN consists of: - A [VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/): the connection point on the Scaleway side -- A [customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/) the connection point on the remote side (representing a corresponding physical customer gateway device) +- A [customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/): the connection point on the remote side (representing a corresponding physical customer gateway device) - A [routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/): defines the traffic allowed to flow through the tunnel - A [connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/): brings together the three above elements, and defines the encryption and configuration for the VPN tunnel 
@@ -36,13 +36,13 @@ Site-to-Site VPN enables encrypted connections between your Scaleway VPC and rem Site-to-Site VPN's secure tunnel is secured using **IPsec** (Internet Protocol Security), a robust suite of protocols that ensures data confidentiality, integrity, and authentication across untrusted networks like the internet. -You can define your own IPsec security proposals to control exactly which encryption and authentication methods are used to secure the tunnel, giving you fine-grained control over the balance between security, performance, and compatibility. Scaleway supports a wide selection of modern cryptographic options across key protocols like **IKEv2** (used for secure key exchange and tunnel negotiation) and **ESP** (which encrypts and authenticates the actual data payloads). This flexibility ensures your Site-to-Site VPN can integrate smoothly with diverse networking equipment while maintaining the right level of security and performance for your use case. +You can define your own [IPsec security proposals](/site-to-site-vpn/reference-content/security-proposals/) to control exactly which encryption and authentication methods are used to secure the tunnel, giving you fine-grained control over the balance between security, performance, and compatibility. Scaleway supports a wide selection of modern cryptographic options across key protocols like **IKEv2** (used for secure key exchange and tunnel negotiation) and **ESP** (which encrypts and authenticates the actual data payloads). This flexibility ensures your Site-to-Site VPN can integrate smoothly with diverse networking equipment while maintaining the right level of security and performance for your use case. 
-### High availability with dual tunnel support +### High availability with multi-AZ gateway redundancy and dual tunnels -Achieve high availability and redundancy by creating **two VPN tunnels** between your customer gateway and Scaleway’s VPN gateway, providing failover capabilities to maintain connectivity during network disruptions. Simply assign both a public IPv4 **and** a public IPv6 address to both the VPN gateway and the customer gateway you want to link, and then [create two connections](/site-to-site-vpn/how-to/create-manage-vpn-connection/) between them: one using the IPv4 addresses, and the other using the IPv6 addresses. +Ensure high availability by deploying two VPN gateways across separate Availability Zones (AZs) and establishing redundant tunnels for resilient connectivity. This architectur - aligned with Scaleway’s SLAs - provides failover protection against AZ outages. For maximum resilience, assign both a public IPv4 and IPv6 address to each gateway, then [create two connections](/site-to-site-vpn/how-to/create-manage-vpn-connection/): one using IPv4 addresses, the other IPv6. This delivers two layers of redundancy: first at the infrastructure level (gateways in different AZs), and second at the connectivity level (dual-stack tunnels). -Be assured that IPv6 traffic can travel through a tunnel established between two public IPv4 addresses, and vice versa. The public IP address type used to establish the tunnel does not restrict the type of IP traffic that can flow through that tunnel. You define the types of traffic flow (IPv4 and/or IPv6) that you want to allow by attaching (or not) a [routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) for that traffic type. [Learn more about this](/site-to-site-vpn/faq/#if-i-create-a-connection-using-gateways-public-ipv4-addresses-does-this-mean-the-tunnel-wont-support-ipv6-traffic). 
+Note that the tunnel’s IP version does not limit traffic type: IPv6 traffic can flow over an IPv4-established tunnel, and vice versa. YThe public IP address type used to establish the tunnel does not restrict the type of IP traffic that can flow through that tunnel. You define the types of traffic flow (IPv4 and/or IPv6) that you want to allow by attaching (or not) a [routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) for that traffic type. [Learn more about this](/site-to-site-vpn/faq/#if-i-create-a-connection-using-gateways-public-ipv4-addresses-does-this-mean-the-tunnel-wont-support-ipv6-traffic). ### Dynamic routing with BGP integration @@ -103,7 +103,7 @@ Site-to-Site VPN is priced at an hourly rate. The rate differs based on the VPN It is currently not possible to upgrade a VPN gateway to a more powerful offer type after creation. -You are billed for a VPN gateway from the moment you create it, until you delete it. You can [delete a VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/#how-to-delete-a-vpn-gateway) at any time. +You are billed for a VPN gateway from the moment you create it, until you delete it. You can [delete a VPN gateway](https://www.scaleway.com/en/pricing/network/#site-to-site-vpn) at any time. Note that: - The public IP4 address attached to a VPN gateway incurs a separate charge, with its own hourly rate. From 81506cc25e3a9486d51c9762dbe3f438c2bda7e7 Mon Sep 17 00:00:00 2001 From: Rowena Date: Thu, 22 Jan 2026 16:36:49 +0100 Subject: [PATCH 10/13] fix(peering): typo --- .../site-to-site-vpn/reference-content/understanding-s2svpn.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx index 7a2ba3ac5d..418bc817bd 100644 --- a/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx 
+++ b/pages/site-to-site-vpn/reference-content/understanding-s2svpn.mdx 
@@ -40,7 +40,7 @@ You can define your own [IPsec security proposals](/site-to-site-vpn/reference-c ### High availability with multi-AZ gateway redundancy and dual tunnels -Ensure high availability by deploying two VPN gateways across separate Availability Zones (AZs) and establishing redundant tunnels for resilient connectivity. This architectur - aligned with Scaleway’s SLAs - provides failover protection against AZ outages. For maximum resilience, assign both a public IPv4 and IPv6 address to each gateway, then [create two connections](/site-to-site-vpn/how-to/create-manage-vpn-connection/): one using IPv4 addresses, the other IPv6. This delivers two layers of redundancy: first at the infrastructure level (gateways in different AZs), and second at the connectivity level (dual-stack tunnels). +Ensure high availability by deploying two VPN gateways across separate Availability Zones (AZs) and establishing redundant tunnels for resilient connectivity. This architecture - aligned with Scaleway’s SLAs - provides failover protection against AZ outages. For maximum resilience, assign both a public IPv4 and IPv6 address to each gateway, then [create two connections](/site-to-site-vpn/how-to/create-manage-vpn-connection/): one using IPv4 addresses, the other IPv6. This delivers two layers of redundancy: first at the infrastructure level (gateways in different AZs), and second at the connectivity level (dual-stack tunnels). Note that the tunnel’s IP version does not limit traffic type: IPv6 traffic can flow over an IPv4-established tunnel, and vice versa. YThe public IP address type used to establish the tunnel does not restrict the type of IP traffic that can flow through that tunnel. You define the types of traffic flow (IPv4 and/or IPv6) that you want to allow by attaching (or not) a [routing policy](/site-to-site-vpn/how-to/create-manage-routing-policy/) for that traffic type. 
[Learn more about this](/site-to-site-vpn/faq/#if-i-create-a-connection-using-gateways-public-ipv4-addresses-does-this-mean-the-tunnel-wont-support-ipv6-traffic). From fe868a9afb0adf388f8dbd16fb23c752c4b11d7e Mon Sep 17 00:00:00 2001 From: Rowena Date: Thu, 22 Jan 2026 16:44:59 +0100 Subject: [PATCH 11/13] fix(vpn): add iana column for DH groups --- .../reference-content/security-proposals.mdx | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/pages/site-to-site-vpn/reference-content/security-proposals.mdx b/pages/site-to-site-vpn/reference-content/security-proposals.mdx index 12625e960d..8335801c9b 100644 --- a/pages/site-to-site-vpn/reference-content/security-proposals.mdx +++ b/pages/site-to-site-vpn/reference-content/security-proposals.mdx 
@@ -72,15 +72,15 @@ Integrity is based on **H**ash-based **M**essage **A**uthentication **C**ode (HM Key exchange is **D**iffie-**H**ellman-based. The following DH groups can be set to determine the strength and performance of the key exchange: -| DH Group | Bit Size | Security Level | Use Case | Recommended? | -|------------------------|-----------|-----------------|------------------------------------------------------------------|------------------| -| `ecp521` | 521 | ✅ Very Strong | Suitable for high security environments. May be overkill (lowers performance). |👍 Acceptable | -| `ecp384` | 384 | ✅ Strong | Both strong and fast. **Our top choice for modern VPNs.** |✅ Recommended | -| `ecp256` | 256 | ✅ Strong | Suitable for performance-sensitive VPNs. |✅ Recommended | -| `curve25519` (X25519) | 256 | ✅ Very Strong | Both strong and fast. **Our top choice for performance**. |✅ Recommended | -| `modp4096` | 4096 | ✅ Strong | Strong but slow. May be suitable for legacy VPNs. |👍 Acceptable | -| `modp3072` | 3072 | ✅ Medium-Strong | May be suitable for legacy VPNs. |👍 Acceptable | -| `modp2048` | 2048 | ⚠️ Minimum | Use for older VPNs only if absolutely needed. |⚠️ Use with caution | +| DH Group | [IANA](https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-8) | Bit Size | Security Level | Use Case | Recommended? | +|------------------------|------|-----------|-----------------|------------------------------------------------------------------|------------------| +| `ecp521` | 21 | 521 | ✅ Very Strong | Suitable for high security environments. May be overkill (lowers performance). |👍 Acceptable | +| `ecp384` | 20 | 384 | ✅ Strong | Both strong and fast. **Our top choice for modern VPNs.** |✅ Recommended | +| `ecp256` | 19 | 256 | ✅ Strong | Suitable for performance-sensitive VPNs. |✅ Recommended | +| `curve25519` (X25519) | 31 | 256 | ✅ Very Strong | Both strong and fast. **Our top choice for performance**. 
|✅ Recommended | +| `modp4096` | 16 | 4096 | ✅ Strong | Strong but slow. May be suitable for legacy VPNs. |👍 Acceptable | +| `modp3072` | 15 | 3072 | ✅ Medium-Strong | May be suitable for legacy VPNs. |👍 Acceptable | +| `modp2048` | 14 | 2048 | ⚠️ Minimum | Use for older VPNs only if absolutely needed. |⚠️ Use with caution | ## Standard recommendation From 4081416653bd049534e9aaf3f77ed01a11dd4d27 Mon Sep 17 00:00:00 2001 From: Rowena Date: Wed, 28 Jan 2026 15:24:59 +0100 Subject: [PATCH 12/13] fix(s2svpn): fix todo --- pages/site-to-site-vpn/quickstart.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/site-to-site-vpn/quickstart.mdx b/pages/site-to-site-vpn/quickstart.mdx index 9736bda6c5..591e0c8a06 100644 --- a/pages/site-to-site-vpn/quickstart.mdx +++ b/pages/site-to-site-vpn/quickstart.mdx @@ -94,7 +94,7 @@ To continue setting up a Site-to-Site VPN, [create a routing policy](/site-to-si ## How to create a routing policy -After creating a VPN gateway and a customer gateway, you can choose to either create a routing policy, or skip this step for now and [create a VPN connection](TODO). If you do not create a routing policy at this stage, you must create one later, and attach it to your VPN connection, otherwise no traffic will be able to flow. +After creating a VPN gateway and a customer gateway, you can choose to either create a routing policy, or skip this step for now and [create a VPN connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/). If you do not create a routing policy at this stage, you must create one later, and attach it to your VPN connection, otherwise no traffic will be able to flow. [Find out more about routing policies](/site-to-site-vpn/how-to/create-manage-routing-policy). From d1be08f1fc0cc93fcc5bdc01e57107022dff4d42 Mon Sep 17 00:00:00 2001 
From: Rowena Date: Mon, 2 Feb 2026 14:00:10 +0100 Subject: [PATCH 13/13] fix(s2s): fix security proposal info --- .../reference-content/security-proposals.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pages/site-to-site-vpn/reference-content/security-proposals.mdx b/pages/site-to-site-vpn/reference-content/security-proposals.mdx index 8335801c9b..06c3c24d3c 100644 --- a/pages/site-to-site-vpn/reference-content/security-proposals.mdx +++ b/pages/site-to-site-vpn/reference-content/security-proposals.mdx @@ -38,7 +38,7 @@ When defining your Site-to-Site VPN security proposal, you must define the algor |-----------------|-----------------|----------------------------------------------------|----------------------------| | **ESP** | **Encryption** | Algorithm to encrypt traffic's data payloads | ✅ Yes | | **ESP** | **Integrity** | HMAC-based algorithm to verify data payloads have not been tampered with.

Only set an HMAC integrity algorithm if **not** using an AEAD algorithm for ESP encryption (see below). Otherwise, integrity is built in, and you do not need to set an ESP integrity algorithm. | ❓ Depends | -| **ESP** | **Key Exchange Method** | DH group to define strength of key exchange | ❌ No | +| **ESP** | **Key Exchange Method** | DH group to define strength of key exchange | Optional | ## Encryption algorithms @@ -51,7 +51,7 @@ The following encryption algorithms are available. | `aes128gcm16` (AES-GCM) | AEAD | 128 | ✅ Strong | Suitable for high-performance VPNs | 👍 Acceptable | | `aes256ccm16` (AES-CCM) | AEAD | 256 | ✅ Strong | Alternative to AES-GCM, but GCM is preferred | 👍 Acceptable | | `aes128ccm16` (AES-CCM) | AEAD | 128 | ⚠️ Medium | Alternative to AES-GCM, but GCM is preferred | 👍 Acceptable | -| `chacha20poly1305` | AEAD | 256 | ✅ Strong | Performance-sensitive (mobile, embedded), best choice for low-power devices | ✅ Recommended | +| `chacha20poly1305` | AEAD | 256 | ✅ Very Strong | Performance-sensitive (mobile, embedded), best choice for low-power devices | ✅ Recommended | | `aes256` (AES-CBC) | non-AEAD | 256 | ✅ Strong | Suitable for legacy VPNs. Use only with HMAC (e.g. `sha256`)| ⚠️ Use with caution | | `aes192` (AES-CBC) | non-AEAD | 192 | ⚠️ Medium | Rarely used, `aes256` is preferred. | ⚠️ Use with caution | | `aes128` (AES-CBC) | non-AEAD | 128 | ⚠️ Medium | Suitable for performance-sensitive VPNs, where constraints don't allow `aes256` | ⚠️ Use with caution | 
@@ -88,4 +88,4 @@ For standard usage on modern equipment we recommend the following security propo | IKEv2 Encryption | IKEv2 Integrity | IKEv2 Key Exchange | ESP Encryption | ESP Integrity | ESP Key Exchange | |------------------|-----------------|--------------------|----------------|---------------|------------------| -| `aes256gcm16` | not required | `curve25519` | `aes256gcm16` | not required | not required | \ No newline at end of file +| `aes256gcm16` | not required | `curve25519` | `aes256gcm16` | not required | `curve25519` | \ No newline at end of file
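Review bot: In the `@@ -61,7 +61,7 @@` hunk that fixes "the gateway's :", the unchanged **Offer type** item still links to the French-locale page, `https://www.scaleway.com/fr/tarifs/network/#site-to-site-vpn`, while the FAQ hunk in 09/13 links `https://www.scaleway.com/en/pricing/network/#site-to-site-vpn`. Since this list is being touched anyway, point the item at the `/en/pricing/` URL so English readers do not land on the French pricing page.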
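Review bot: In 09/13, `understanding-s2svpn.mdx`, hunk `@@ -36,13 +36,13 @@`, the added paragraph contains a stray character in "YThe public IP address type", and that sentence now repeats what the new opening sentence ("the tunnel's IP version does not limit traffic type") already says. Patch 10/13 only corrects "architectur" and carries "YThe" forward as a context line, so the typo survives the series. Suggest deleting the "YThe public IP address type ... through that tunnel." sentence and keeping the new "Note that" sentence followed directly by "You define the types of traffic flow ...".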
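Review bot: In 09/13, `understanding-s2svpn.mdx`, hunk `@@ -103,7 +103,7 @@`, the link text "delete a VPN gateway" now points to the pricing page (`https://www.scaleway.com/en/pricing/network/#site-to-site-vpn`) instead of `/site-to-site-vpn/how-to/create-manage-vpn-gateway/#how-to-delete-a-vpn-gateway`. This looks like a paste of the FAQ pricing URL into the wrong link. Restore the how-to anchor here, and if a pricing link is wanted in this billing paragraph, add it as a separate link with its own text. The context line below also reads "public IP4 address", which could be corrected to "IPv4" in the same pass.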
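Review bot: In 11/13, `security-proposals.mdx`, hunk `@@ -72,15 +72,15 @@`, the new column header is only the linked word "IANA", so the values 14 to 31 are not identified as anything in particular unless the reader follows the link. Suggest a header such as "IANA group number" (keeping the link) so the column reads as the DH group identifier that peer devices are configured with. The intro sentence above the table could also mention that the number is given for devices that expect the group by number rather than by name.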
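Review bot: In 13/13, `security-proposals.mdx`, hunk `@@ -38,7 +38,7 @@`, the ESP **Key Exchange Method** row changes from "❌ No" to a bare "Optional" with no explanation, while the hunk at `@@ -88,4 +88,4 @@` now recommends `curve25519` for ESP Key Exchange. A reader cannot tell from the table when to set the field or what leaving it empty means, and the cell no longer follows the marker style of its neighbours ("✅ Yes", "❓ Depends"). Suggest adding a short description in the row, as the ESP Integrity row does, stating what setting an ESP DH group changes and that the standard recommendation sets it, and giving "Optional" a marker consistent with the other cells.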