/31 network masks are explicitly allowed in IPv4. See RFC 3021, though their use predates that document by several years.

Hi Bob, did you ever get a response on this "bug"? We are also trying to use /31 in a VSX environment, seems R81 won't let it either. Thanks!

I didn't, no. It wouldn't have been ready in the time I had, so I had to redesign the environment where I was trying to do it.

Based on sk91020, I think it would now be a bug rather than an RFE.

The answer is pretty simple. We want to use them because the IPv4 specification supports them, and they're useful for point-to-point links (for example, a cable connected directly to a router's interface).

They would also work for directly-cabled sync interfaces on clusters. While running a cable directly from cluster member to cluster member for sync is a terrible idea, a lot of people do it. This would let them do it with two addresses instead of four.

To be fair I don't think the sync interface is a good example of such a requirement.

/31 are also about address conservation, hence most relevant to unique public network address space.

Aha! Perfect - that's exactly what I was looking for, and my sk searching hadn't managed to turn that one up. (I'm assuming the search is interpreting the slash in a funny fashion).

Thanks!

Regarding the use case, in this instance it is the IP addressing that a service provider has assigned for a connection.

So if it was going to be a problem, the earlier that it gets kicked back to the provider the better.

(Perhaps unsurprising given IPv4 address space shortages).

As other folk had mentioned in the thread, I'm familiar with /31 masks in Cisco environments (RFC3021 is almost twenty years old now, so it's not exactly a new concept), but just hadn't encountered them in connection with Checkpoint before.

A provider could just give you a 32-bit mask and a private IP to route everything through.

Let's say the provider has a router with ge-0/1/2 set to the IP 10.20.30.40. They give you the IP 2.3.4.5.

They tell their router 2.3.4.5 is local on ge-0/1/2, so it ARPs for the IP out that interface. You tell your firewall 10.20.30.40 is out eth0, and you set your default route as 10.20.30.40, so your firewall ARPs out the proper interface and uses that MAC address for everything it sends upstream. Done.

I have a similar setup running in production to meet some truly awful requirements. It's weird, but it works, and it means the provider side doesn't need to consume any public IPs for the last-mile connections to customers.

Ok.  I configured this in the home lab.  ClusterXL with VIP on different subnet; the physical interfaces were an arbitrary subnet and I configured the VIP with a /31.  As documented in sk32073 I had to do the static route for the VIP's subnet (the /31 and real functional subnet) with the "scopelocal" option.

I applied Jumbo HFA 202 to address sk173048 with IKEv2.  I had to configure IPsec VPN - Link Selection with:

* Always use:  Main Address

* Outgoing Route Selection - When Initiating: use Operating System routing table

  - [Setup] button for Responding Traffic: Reply from same interface

* [Source IP address settings] button: Manual - IP of chosen interface

That last one was the magic key.

In my topology, I have 2 external interfaces as I need for this scenario; no ISP redundancy for this.  In CLISH, I can set static-routes for my VPN peer out whichever external interface I want to use.  I used StrongSwan (or is it Libreswan now? meh...) and configured IKEv2 for AES-256 SHA-384 DH 20 (I couldn't get exactly VPN-Suite-B happy with the Swan; annoying but whatever, that wasn't the point anyway).  I used my own Linux home router VM as the next-hop between all this, just so I'm using IPsec tunnel mode and not transport mode. 

IPsec connection comes up, packets (finally!) flow between them.  In CLISH, for the static-route, just use the typical next-hop address as you normally would.  No need for 'scopelocal' on those routes like you did for the VIP subnet on different interface.  Since the VIP here is an external interface, I didn't have to deal with the anti-spoofing and special grouping (per the SK and ClusterXL Admin guide).  I later tested with both IKEv1 and IKEv2 (separately, of course).

Not that it matters, but this was just a pair of ClusterXL HA gateways and not VSX, but I did manage them from an MDS management domain, since I had it already available.  I'm not doing anything SmartCenter couldn't do (I know, duh, but just stating the test environment).

Wow... complex, almost circular, but it works!  I was hoping it would, but I half-expected it to be buggy and fail.  You MUST use JHF 202 tho!  Anything else absolutely is guaranteed to fail.  I opened an SR about the IKEv2 SK above and they confirmed the hotfix was in JHF 202 (and now you notice that SK was updated "30-Jul-2021" which is the day I opened the SR 🙂 haha; thanks folks!).  The SK now states "R80.20 JHF 202"; it didn't say that before 30-Jul tho.

So there ya have it folks... /31 subnet on ClusterXL with VIP on different subnet!