A Fix for Checkpoint SecureClient VPN on Mac OS X 10.6 Snow Leopard
Posted on 03 September 2009
We all remember, once Leopard was out it took Checkpoint quite a long time to update their VPN client. Now Snow Leopard is out and it begins …
After installing Snow Leopard, Checkpoints SecureClient refuses to install and if already installed (through an upgrade) it won’t start at all.
I did some investigation and I finaly made it working since Apple hasn’t changed too much.
1. The Checkpoint installer refuses to install
The installer checks up for the Darwin Kernel version 9. In Snow Leopard we have version 10. So two files need to be edit within the installer package.
- just right click on the installer and select Show Package Contents. This opens finder within the package.
- go to Contents/Resources.
- open TextEdit, use vi in a shell or whatever you prefer to edit a simple file
- on file “InstallationCheck” change the number 9 in line 8 to number 10: if [ "$MAJOR" != "10" ]; then
- same on file “postinstall “ change the number 9 in line 84 to number 10
That’s it. Just install it and reboot. Changes need to make afterwards in order to have it starting.
2. SecureClient fails to start
Now this gets just a bit more tricky. Apple has moved some options of kextload to kextutil in 10.6. Checkpoint hardcoded such an option -s in two binary files. This option is to create the symbol files in the Checkpoint directory. It does not exist anymore in kextload, and is now provided in kextutil. But creating the symbol files is only needed for debug reasons, so not really necessary. Therefore I only replaced the option -s with option -r to fill up the space, because the binary file should not change in size. Two binary files have to be changed with an hexeditor.
Preparation:
- Download and install a hexeditor. 0xED is one of it.
- After inserting the first command, it will ask you for your local user password (User needs Administrator permission)
- Open the terminal application from Utilities folder and type:.
sudo cp /opt/CPsrsc-50/bin/StartupItemsMgr $HOME/Desktop
sudo cp /opt/CPsrsc-50/boot/SecureClient/SecureClientStarter /$HOME/Desktop
sudo chown $USER /$HOME/Desktop/StartupItemsMgr
sudo chown $USER /$HOME/Desktop/SecureClientStarter - Now run 0xED and choose File/Open Files from the Menu to load the StartupItemsMgr and SecureClientStarter from your Desktop in it.
- From Menu Edit choose Find/Find or just press Apple-F and type in to find: “kextload -s” and type in replace “kextload -r”
Click on Replace All
Save and close … - Now once you succeeded editing copy those back by typing in the terminal window:
sudo cp $HOME/Desktop/StartupItemsMgr /opt/CPsrsc-50/bin/
sudo cp $HOME/Desktop/SecureClientStarter /opt/CPsrsc-50/boot/SecureClient/
rm $HOME/Desktop/StartupItemsMgr
rm $HOME/Desktop/SecureClientStarter - Reboot and you should have SecureClient starting …
I also succeeded by doing all the changes on the installer package. Probably only interesting if you have a few Macs to install. As soon as I have a bit more time I could write it down here.
Please let me know if this did help.
PS: There is an EarlyAvailable Version for Snow Leopard (32bit) by now. It won’t need all these steps and even more some small issues are solved in there. You can apply to the EA Program and could get the download almost immediately with a vaild support contract.
251 responses to A Fix for Checkpoint SecureClient VPN on Mac OS X 10.6 Snow Leopard
I am running a Mac Mini w/ Snow Leopard 10.6.2. When I install the new SecureClient install pkg that has been adjusted for V10 it installs without a glitch but then I lose by connection to the internet completely. As soon as I uninstall the client the connection comes back. I am connecting via Ethernet. Any ideas???
Thanks
Worked well on my MacBook Pro, running Snow Leopard.
Thanks
‘Ping back’ from http://www.mikesel.info/blog/yes-you-can-make-secureclient-work-in-snow-leopard
i have an imac with 10.6.2 everything works fine..
but after reboot the SecureClient process becomes every second a new task id and when i open other applications the focus lost in this intervall.
i removed the secureclient from automatical starting… reboot. everything is ok.
but when i start it same behaviour :-.(
anybody out there solved this issiue
Thanks very much. Works perfectly first time.
Harold,
You are, as Bob says, a genius. Managed to get the installer working and installed SecureClient VPN-1 on Snow Leopard 10.6.2. Was able to set up the VPN site and go through key generation. I then used a Secure RSA fob to connect and authenticated using my user name. It was at this stage I got the following error:
Checking network connectivity…
Preparing connection…
Connecting to gateway…
User hendricl authenticated by SecurID
IKE negotiation failed
Connection failed
Any insight you are able to provide would be hugely appreciated.
Thanks,
Lee
Did you test it with Advanced Settings / Connectivity enhancement marking both “IKE over TCP” and “Force UDP encapsulations”?
Could be a bad routing, bad internet connection in general or even wrong key. More detailed logs would be needed. First just Enable Logging in Advanced would help. Restart the SC and Save the log.
Harald,
IKE over TCP and UDP encapsulation all enabled.
Weird thing is, I installed a virtual machine on my Mac running Windows XP, downloaded SecureClient for Windows and VPN-1 worked like a charm.
I then checked all the settings were identical between the Windows version and the Evaluation Copy from CheckPoint that is ‘Snow Leopard’ compatible, but it couldn’t negotiate IKE???
Technically, they should appear as identical clients – the virtual machine uses the Ethernet card of the MacBook Pro, so same DNS, etc.
I am stumped.
Lee
Into my Mac Pro with 10.6 (no uptade) this instruction work perfect!!
After instalation I’m run Onyx from clear and mante
Thanks
upss is unstable machine hangs on blue screen and I can only go into safe mode
SC take uninstall and begins to work well
My system is 64 Bits
Genius, mate. Genius!
Thanks for this – got me out of a bit of a pickle :)
Thank you very much for your doc! It works very well!
five stars!
Thanks very much for your concise instructions, worked perfectly.
Is this code known to work on 64 bit Snow Leopard installations, or is it only workable on 32 bit installations?
I was running the code on a Leopard system, but I uninstalled the client before upgrading to Snow Leopard 64 bit, and I have not tried it yet. I was talking another user through the install on a MacBook with the 64 bit OS installed. The install worked, but the code file edit may not be have been done right.
Thanks,
Rich
Has anyone run into problems using SCV checks with OS 10.6 at the Checkpoint Gateway. I can install the client but doesnt appear that desktop policy is allowing any access.
If you’re running Snow Leopard, then patch the installer and follow the other instructions on this page.
[...] If you’re running Snow Leopard, then patch the installer and follow the other instructions on this page. [...]