A Fix for Checkpoint SecureClient VPN on Mac OS X 10.6 Snow Leopard
Posted on 03 September 2009
We all remember, once Leopard was out it took Checkpoint quite a long time to update their VPN client. Now Snow Leopard is out and it begins …
After installing Snow Leopard, Checkpoints SecureClient refuses to install and if already installed (through an upgrade) it won’t start at all.
I did some investigation and I finaly made it working since Apple hasn’t changed too much.
1. The Checkpoint installer refuses to install
The installer checks up for the Darwin Kernel version 9. In Snow Leopard we have version 10. So two files need to be edit within the installer package.
- just right click on the installer and select Show Package Contents. This opens finder within the package.
- go to Contents/Resources.
- open TextEdit, use vi in a shell or whatever you prefer to edit a simple file
- on file “InstallationCheck” change the number 9 in line 8 to number 10: if [ "$MAJOR" != "10" ]; then
- same on file “postinstall “ change the number 9 in line 84 to number 10
That’s it. Just install it and reboot. Changes need to make afterwards in order to have it starting.
2. SecureClient fails to start
Now this gets just a bit more tricky. Apple has moved some options of kextload to kextutil in 10.6. Checkpoint hardcoded such an option -s in two binary files. This option is to create the symbol files in the Checkpoint directory. It does not exist anymore in kextload, and is now provided in kextutil. But creating the symbol files is only needed for debug reasons, so not really necessary. Therefore I only replaced the option -s with option -r to fill up the space, because the binary file should not change in size. Two binary files have to be changed with an hexeditor.
Preparation:
- Download and install a hexeditor. 0xED is one of it.
- After inserting the first command, it will ask you for your local user password (User needs Administrator permission)
- Open the terminal application from Utilities folder and type:.
sudo cp /opt/CPsrsc-50/bin/StartupItemsMgr $HOME/Desktop
sudo cp /opt/CPsrsc-50/boot/SecureClient/SecureClientStarter /$HOME/Desktop
sudo chown $USER /$HOME/Desktop/StartupItemsMgr
sudo chown $USER /$HOME/Desktop/SecureClientStarter - Now run 0xED and choose File/Open Files from the Menu to load the StartupItemsMgr and SecureClientStarter from your Desktop in it.
- From Menu Edit choose Find/Find or just press Apple-F and type in to find: “kextload -s” and type in replace “kextload -r”
Click on Replace All
Save and close … - Now once you succeeded editing copy those back by typing in the terminal window:
sudo cp $HOME/Desktop/StartupItemsMgr /opt/CPsrsc-50/bin/
sudo cp $HOME/Desktop/SecureClientStarter /opt/CPsrsc-50/boot/SecureClient/
rm $HOME/Desktop/StartupItemsMgr
rm $HOME/Desktop/SecureClientStarter - Reboot and you should have SecureClient starting …
I also succeeded by doing all the changes on the installer package. Probably only interesting if you have a few Macs to install. As soon as I have a bit more time I could write it down here.
Please let me know if this did help.
PS: There is an EarlyAvailable Version for Snow Leopard (32bit) by now. It won’t need all these steps and even more some small issues are solved in there. You can apply to the EA Program and could get the download almost immediately with a vaild support contract.
251 responses to A Fix for Checkpoint SecureClient VPN on Mac OS X 10.6 Snow Leopard
Hi KK,
To know your username, open up a new Terminal window and type
whoami
That should be the username to use for the below commands
chown [short_username] /tmp/StartupItemsMgr
chown [short_username] /tmp/SecureClientStarter
Hope that helps!
Hi Harald,
Thanks for the tip to remove the 2 files before installing. I have managed to get it installed and running :)
Thanks!
This tip below works !
Before running the installer just delete the followig files with:
Open Terminal (in Utilities folder) and type:
sudo -s
rm -rf /private/var/db/receipts/com.checkpoint.secureclient.R56.bom
rm -rf /private/var/db/receipts/com.checkpoint.secureclient.R56.plist
Sorry Harald…I am very needy!
I am asked for passwords…I leave blank, I type in my name, I type on my VPN user name and nothing….
Hi
I type in sudo and get a password request?
Is that right?
I was working with a XP VM in Virtual box (arrrgg) to connect to my work since last friday. Now no VM anymore, Very big thanks !
Herald when I run
chown [short_username] /tmp/StartupItemsMgr
chown [short_username] /tmp/SecureClientStarter
I am getting :
chown: [short_username]: Invalid argument
Thanks!
Very good information.
Instead of modifying the binary, I renamed /sbin/kextload and created a script called kextload that allows -s.
Thanks.
As Mo realized before, there is also an issue deinstalling SecureClient. It seems it leaves 2 files which then cause the reinstalling not to install the SecureClient. It looks like its installing, but the install performs an upgrade instead and the Files won’t just be there.
Before running the installer just delete the followig files with:
Open Terminal (in Utilities folder) and type:
sudo -s
rm -rf /private/var/db/receipts/com.checkpoint.secureclient.R56.bom
rm -rf /private/var/db/receipts/com.checkpoint.secureclient.R56.plist
This worked perfectly. Thank you so much for going to the trouble — this has been torturing me since I upgraded to Snow Leopard on day zero. Not being a professional VPN administrator, and faced with a corporate IT department that tolerates but refuses to support connections from employees’ personal Macs, I was driving myself nuts trying to make IPSecuritas work.
All is again right with the world. Whew.
The password is your user password. Once I have time I will come up with a more friendly manual.
Hi – Ok, so I am the new boy here to Mac’s.
I have installed the Checkpoint software after modding the two files – THANKS :-)
But…I am stuck on
only root can write the concerning files, so open terminal and type: sudo -s
Basically when I type this it asks for a password – but I do not have a password set?
Also – I am slightly nervous about this Hex editing business too!!!!
Yours….slightly worried…..
Rich
Ciao Harald,
now Secure Client is OK.
But I noticed that once it is started to work, showing its icon on menu bar at computer start, without having any VPN configured, Iphone tethering stop working. In network preference I see ethernet IPHONE not connect.
SO I tried to remove secure client again and tethering restarted to work fine. Tryng to stop secure client do not reable tethering.
Ciao
Marco
Hi Mo,
The terminal app is in Utilities folder. Once opened, you type the following:
sudo -s
cp /opt/CPsrsc-50/bin/StartupItemsMgr /tmp
cp /opt/CPsrsc-50/boot/SecureClient/SecureClientStarter /tmp
chown [short_username] /tmp/StartupItemsMgr
chown [short_username] /tmp/SecureClientStarter
Now run 0xED (link above) and open the files (Open File Path) “/tmp/StartupItemsMgr” and “/tmp/SecureClientStarter”
In Menu Edit/Use Find and type “kextload -s” to find and type “kextload -d” to replace. Now Replace all
Do that for both files.
Save and close …
In terminal window type:
cp /tmp/StartupItemsMgr /opt/CPsrsc-50/bin/
cp /tmp/SecureClientStarter /opt/CPsrsc-50/boot/SecureClient/
Reboot and you should have SecureClient starting …
Hi Harald.
I’m not very computer technical…
Which file do I go to to try and change binary? Where do I find ‘terminal’ to type sudo -s?
Hi Harald!
I have now got it installed, had to go into time machine to get the old copy uninstalled.
I didn’t change the files in text edit as instructed…but have now!
Now to try and get it started with the next steps…
Will keep you posted
Bob,
I haven’t tried it on 64bit mode. What if you try deinstall it, and reinstall in 32bit mode.
Rasers,
How did you look for it. In the finder?
Open terminal and check if directory /opt/CPsrsc-50 exists: “ls /opt”
If it shows CPsrsc-50, it has not been successfully installed. Then follow the second section above.
Mo!
Did you really follow the first section and changed the two files (InstallationCheck and postinstall) inside the installer package?
Sorry, need some help in installing. I downloaded a fresh copy of SecureClient from Checkpoint’s website – http://www.checkpoint.com/downloads/quicklinks/downloads_sr.html
I followed the instructions to change the 2 files and installed it. The installation finished successfully and I restarted but could not find this folder /opt/CPsrsc-50/
It seems that even though the installation seems to be successful, nothing was installed.
Anyone has this problem?
having the same problem as well … downloaded a fresh copy of checkpoint, did the modification of the 2 files … installed without errors and rebooted but the folder “CPsrsc-50″ is not in /opt at all.
I looked at my other mac which is running leopard, i can see the CPsrsc-50 folder correctly, so for sure I’m looking at the right place …
any idea?
Uninstall of SecureClient still leaves 2 files. This cause the installer not to install it, even if it says so. Have a look on this post to clean SecureClient out. And the install it again: http://www.sysadmins-world.com/?p=57
yes! finally got it to work by removing the files … thank you very much :)
I did the install while in 64 bit mode – rebooted in 64 bit mode, failed to start services. Rebooted in 32 bit mode, failed to start services.
Double checked the files… everything seems to be in order.
Has anyone gotten this to work on 64 bit.
Thanks for any assistance.
Hi. I uninstalled Secure Client and then tried to reinstall after SL.
When I open the file “Installation Check” it says
Last login: Sat Sep 5 11:11:27 on ttys000
/Users/Manoja/Downloads/SecureClient_B634000031_1.pkg/Contents/Resources/InstallationCheck ; exit;
Macintosh:~ Manoja$ /Users/Manoja/Downloads/SecureClient_B634000031_1.pkg/Contents/Resources/InstallationCheck ; exit;
Unsupported kernel version.
logout
[Process completed]
How can I get around this?
[...] challenge is to get third party VPN software working again. I had issues with Checkpoint SecureClient not working on Snow Leopard. But I got it working by following the hint on the Sysadmin’s World page. Now [...]
Carl, don’t worry about what “use VI in a shell” means… just use TextEdit, which is like Notepad for OSX ;) I’m sure you’ve probably seen that before? Use spotlight to search for “TextEdit” and it’ll open a window just like Notepad does from the windows start menu.
All you’re doing is opening the files as he outlined in the steps, finding the line that he’s talking about and changing “9″ to “10″. It’s really… really simple.
Good luck!
-nate
I was never able to work Secure Client (downloaded version B634000031_1) with my Leopard, but I just got Snow Leopard and am newly motivated seeing these posts. Two questions, as I’m not very computer savvy:
1 Do I have to delete all previous Secure Clients before getting started on Snow Leopard?
2 Pls explain what exactly I’m supposed to do with Text Edit.
Thanks from Canada.
1. To be on the safe side, just deinstall and follow the precedure to clean it up on my other post.
2. With TextEdit you can do the changes described in step 4 and 5.
Harald,
I am no further ahead and am making myself crazy with this. I cannot get rid of my previous (non-functioning) versions from Tiger days, and I really need to load on my new Snow Leopard.
I am by no means a system administrator, and I imagine I’m doing something very simple wrong. Is there any chance I can chat (msn, skype, etc) with you real time to get this sorted out? I would be incredibly grateful.
Thanks,
Namaste
Thank You Dude….. Great Help…
I’m not a system administrator, but mac user in a windows world. Our system administrators are not likely to help me with this fix of the Checkpoint VPN Client. I tried getting ipsecuritas to work, but had no success. I am reasonable adept at tinkering, but not familiar with process for what seem like simple changes, e.g. don’t know what “use vi in a shell” means or how to do it. Is this simply to complicated or time consuming to explain in detail, or can you blow it out into more steps that I can follow (or direct me to a source for that). Thanks.
I doubt it could break with 10.6.1. The changes are made on Checkpoint VPN Client, not on Snow Leopard OS.
I think they will deploy a Snow Leopard client in a few months. But I guess they don’t do much more as here. Checkpoint treats Mac OS X stepmotherly.
Thank you, it works!
I hope:
- this doesn’t break with 10.6.1
- CheckPoint will work on an official, real Mac style release of SecureClient for Snow Leopard
Cheers!
Hi there,
I upgraded to Snow Leopard yesterday and was pretty shocked to see the VPN client not working. I tried out modifying the files you mentioned in the procedure above and it worked well.
Thanks a lot, it was pretty useful info!!
open a terminal and check if directory /opt/CPsrsc-50 exists: “ls /opt”
If it shows CPsrsc-50, it has not been successfully installed, and you must have seen some error during the uninstall.
Just try to remove the folder with “rm -rf /opt/CPsrsc-50″. And start the installer again.
my installation fails reporting error:
Check Point VPN-1 SecureClient R56 HFA1 B634000031 can’t be installed on this computer.
SecureClient is already installed on this machine. Please remove the previous installation of SecureClient.
I’ve already uninstalled the previous version
Any help will be appreciated
Ciao
Marco
? This is what you still type in a shell. Nothing to run so far ;-)
chown [short_username] /tmp/StartupItemsMgr
chown [short_username] /tmp/SecureClientStarter
Please provide steps on how to run.. Thanks!
Props for extreme cleverness and sharing it with the Internet. That said, I must do my put on my corporate hat for the following comment: “Check Point doesn’t support this.”
Thanks! I missed that, I will try again. Appreciate your help :) cheers
Rasers,
if you install fails with such an error, it seems you didn’t change the files inside the package. Could you please follow my first instruction. So the files “InstallationCheck” and “postinstall“ have to be changed. See above!
Worked perfect!!! thanks very very very much!!
It was installed and working properly in leopard. I upgraded to snow leopard and tried to change the binary file as suggested. But I could only find /opt/CPsrsc-50/bin/StartupItemsMgr, the file /opt/CPsrsc-50/boot/SecureClient/SecureClientStarter is missing.
I then uninstalled the application and tried to install it again. But I could not install the application anymore. It says I’m using an unknown version of mac OS X and it only supports Tiger and above. But I’m using snow leopard! heh
Any help is greatly appreciated. Thanks in advance
Did your installation completed?
Does the folder /opt/CPsrc-50 exist?
Did you also type sudo -s (Step 1) first?
I cant find /opt/CPsrsc-50/boot/SecureClient/SecureClientStarter. Any help?
This worked perfectly on my Macbook! Thanks!
Fix worked perfectly for my existing installation, I added this URL to http://snowleopard.wikidot.com/, which is where I first discovered that it was an issue (before my own osx10.6 installation) in the first place!
Genius!
-nate
Thanks man….
I was trying since 2 days ago to set up IPsecuritas to connect to my work’s network….
Cheers…..from Switzerland too ;)
gabe
OMG this works!!!
1000 x thank you.
Your site will be promoted all over the world with this guide. I will post this site to a known swiss apple site!
Best regards from Switzerland
Patrick
Thanks for the tip, it work perfectly !!
Perfect – thanks!
Did you check the permissions. If your user in action is not member of group wheel, just change the file owner by:
chown short_username /tmp/StartupItemsMgr
chown short_username /tmp/SecureClientStarter
To copy these files back, you dont need to reset permission since it will use the same as the file to be overwritten.
I’m following your steps, but OxED won’t open the files. The error reads “The document “StartupItemsMgr” could not be opened. ”
Any suggestions? Thanks.
Sorry, that was copy & paste, you are right. It is on line 84. What error do you get?
Hi, This a very welcome fix but It fails for me on install after changing the 2 files. In postinstall that line is much further down the script. It isn’t on line 8?
It’s works 100%
Thanks!!!!
Thanks!!!!
Thanks!!!!
Thanks!!!!
Thanks!!!!
Thanks!!!!