A Fix for Checkpoint SecureClient VPN on Mac OS X 10.6 Snow Leopard
Posted on 03 September 2009
We all remember, once Leopard was out it took Checkpoint quite a long time to update their VPN client. Now Snow Leopard is out and it begins …
After installing Snow Leopard, Checkpoints SecureClient refuses to install and if already installed (through an upgrade) it won’t start at all.
I did some investigation and I finaly made it working since Apple hasn’t changed too much.
1. The Checkpoint installer refuses to install
The installer checks up for the Darwin Kernel version 9. In Snow Leopard we have version 10. So two files need to be edit within the installer package.
- just right click on the installer and select Show Package Contents. This opens finder within the package.
- go to Contents/Resources.
- open TextEdit, use vi in a shell or whatever you prefer to edit a simple file
- on file “InstallationCheck” change the number 9 in line 8 to number 10: if [ "$MAJOR" != "10" ]; then
- same on file “postinstall “ change the number 9 in line 84 to number 10
That’s it. Just install it and reboot. Changes need to make afterwards in order to have it starting.
2. SecureClient fails to start
Now this gets just a bit more tricky. Apple has moved some options of kextload to kextutil in 10.6. Checkpoint hardcoded such an option -s in two binary files. This option is to create the symbol files in the Checkpoint directory. It does not exist anymore in kextload, and is now provided in kextutil. But creating the symbol files is only needed for debug reasons, so not really necessary. Therefore I only replaced the option -s with option -r to fill up the space, because the binary file should not change in size. Two binary files have to be changed with an hexeditor.
Preparation:
- Download and install a hexeditor. 0xED is one of it.
- After inserting the first command, it will ask you for your local user password (User needs Administrator permission)
- Open the terminal application from Utilities folder and type:.
sudo cp /opt/CPsrsc-50/bin/StartupItemsMgr $HOME/Desktop
sudo cp /opt/CPsrsc-50/boot/SecureClient/SecureClientStarter /$HOME/Desktop
sudo chown $USER /$HOME/Desktop/StartupItemsMgr
sudo chown $USER /$HOME/Desktop/SecureClientStarter - Now run 0xED and choose File/Open Files from the Menu to load the StartupItemsMgr and SecureClientStarter from your Desktop in it.
- From Menu Edit choose Find/Find or just press Apple-F and type in to find: “kextload -s” and type in replace “kextload -v”
Click on Replace All
Save and close … - Now once you succeeded editing copy those back by typing in the terminal window:
sudo cp $HOME/Desktop/StartupItemsMgr /opt/CPsrsc-50/bin/
sudo cp $HOME/Desktop/SecureClientStarter /opt/CPsrsc-50/boot/SecureClient/
rm $HOME/Desktop/StartupItemsMgr
rm $HOME/Desktop/SecureClientStarter - Reboot and you should have SecureClient starting …
Its also possible to change the installer package itself. This makes it easier if you have a lot of Macs.
Please let me know if this did help.
Update1: There is an EarlyAvailable Version for Snow Leopard (32bit) by now. It won’t need all these steps and even more some small issues are solved in there. You can apply to the EA Program and could get the download almost immediately with a vaild support contract.
Update2: Finally, Checkpoint released its VPN client to the public. You can download it here: SecureClient NG-AI R56 HFA 2 for Mac OS X 10.6 (Snow Leopard) It works fine, so just (clean) uninstall your old VPN Client and install the new one.
295 responses to A Fix for Checkpoint SecureClient VPN on Mac OS X 10.6 Snow Leopard
Check Point has an early availability release of SecuRemote that is supported on Snow Leopard:
https://usercenter.checkpoint.com/usercenter/portal/media-type/html/role/usercenterUser/page/default.psml/js_pane/EarlyAvailabilityId
I’ve been running it for a while now without issue.
Doesn’t seem to be working on 64 bit 10.6.2 even after following guide to the tee, still says Checkpoint VPN Services not running, maybe I’ll just have to replace our entire non working non updating non supported for anything client checkpoint crap with endian firewall en openvpn, this way everything will always work, and for free!!!
Hello All,
Many thanks for this fix work great in 10.6.2. However, I am new to MAC and this is the first time I will be connecting my iMAC from home to my work network (currently accessing by Windows XP). While the fix above worked in terms of connecting and authenticating on my work network, unfortunately I cannot seem to connect to my shared folders and files. I also notice that I cannot ping the work file server. Is there a specific way to setup file sharing on the work network in order for the MAC to see shared files or am I still missing somthing on my iMAC setup.
Any info would be greatly appreciated.
Hello,
I did a clean uninstall.
Then installed as indicated in this post.
Then i define the corporate site, all goes fine.
Then i connect and i receive a message:
User … authenticated by Radius Server
Connection failed. Gateway not responding.
When i try to connect a second time : the same messages appear and the SC icon in the top tool bar disappears.
Could you please help me ?
Thanks in advance
Erik
SC icon can disappear sometimes. It will come back after starting SC.
If the gateway not responses this is a configuration issue. This happens very often if your local IP addresses interferes with the VPN domain. Just try to change the routers IP-Network to a different one. For instance if it is 192.168.1.1 change it to 172.16.17.1
B the way, Checkpoint has its new SC client for Snow Leopard in a EA (beta) available.
I know i’m the millionth person to say it, but thanks for taking the time to figure this out! your instructions worked flawlessly. I modded the 2 files in the hex editor and re-saved them in the installer, so now whenever i install on a mac, i just sudo cp the two files to their locations.
Now…if only someone could get a secureclient vpn app to work in linux…
GOD BLESS YOU!
Thanks a lot!
Hello:
I get stuck in the terminal when the password prompt comes-up. It will not let me neter anything, or paste anything in. I cntrl-C’d out and retried several times, and had the same results.
Did anyone get this and figure out how to get it to work?
Thanks, Tom Myers
Just do type in your users password.
Thanks a bunch!!!!!!!!
I have installed SL today and got a litle bit sweaty when I noticed SC was not working. Luckily your tips did the trick. Many TNX.
How did you find out :)
I uninstalled a previous version of SC and installed a new version. But even though the system says it installed successfully no files are in the opt folder. Any suggestions on what to do?
Update: Reinstalling OS X (without deleting files) did the trick. I was able to pick up where I left off with your instructions and got SC to work.
Thank you SOOOO much!
on my 10.6.2 it doesn’t work with the “-r” option… but it works with the ‘-d’ option
it works… but crashes… why do not exist a new version of this vpn checkpoint?
Do you know if this works on iMac/10.6.2? I have had all of the problems above and have not been able to resolve them yet. I followed your instructions, was unable to launch SC. So, I thought I might have made a mistake, uninstalled (and removed the reciept files) and then re-installed and I am still having the same problem. Am I the only one using 10.6.2? Do you think that could be the difference?
No, works on 10.6.2 just fine.
Just my luck! When I try to run Secure Client the key just flashes and never starts up. At one point I was getting the”Secure client services are down” error message. Any ideas?
WHen I start it up it does appear in the Activity Monitor.
It seems, you must have done something wrong by replacing the “kextload -s” with “kextload -r” with 0xED. Did you really used the [Replace All] button (not Replace). Also, haven’ t forgot to save and move these files back.
Thanks. I’m pretty sure I did the replacement correctly. There were 8 replacements in one file and 2 in the other. I installed/uninstalled about 3 times now and still no luck. I will try one more time. I appreciate the help.
I’m in the same boat, same number of replacements, saved and copied the files back. Rebooted and get the same “services are down” error. I also did the remove from startup and add the SecureClient.app fix below without success.
I have the process running, 370 ?? S 0:00.24 /opt/CPsrsc-50/bin/SecureClient.app/Contents/MacOS/SecureClient -psn_0_98328, but no SecureClient icon in my menu bar.
I have a little more info on mine. I tried to manually launch SecureClientStarter and the first few messages show this:
Jared:SecureClient jared$ ./SecureClientStarter
Starting Check Point SecureClient
kextload: unrecognized option `-f’
Use kextutil(8) for development loading of kexts.
usage: kextload [options] [--] [kext] …
Could that be an issue?
Thats interesting. Are you sure you used “kextload -r” and NOT kextload -f to replace everything with “kextload -s”.
Could you go through the CP folder in /opt and look for files which contains “kextload -f” with the grep command. Which files are concerned?
Are you sure, you using the most recent VPN Client from Checkpoint?
Can running in 64-bit mode cause this?
I think 64 bit mode is the issue. I got the early adopter version and have been working with their tech support. They say I have to boot up in 32 bit mode. I am new to the mac. What is the real difference between the two?
Thank you SO much! I can’t work from home with SR Client. I’m going to send you something REAL nice. Maybe a chainsaw.
THANK YOU THANK YOU THANK YOU. I am so glad someone is out there looking out for us MAC users. This checkpoint software company is the worst! and I wish my company didn’t use it, but my hands are tied.
Thanks for setting me free and getting this working on 10.6.
APPLE has dropped the ball on this new o/s all around, my scanner doesn’t work and neither does my camera. Way to go Vista oops I mean APPLE!!!
Hi,
Thanks very much for this solution.
I just noticed that when macosx start on 64 bit mode (press 6 and 4 when starting your mac) the services SecureClient cannot start.
Hi, am i to late, has someone managed to created suitable packet for snow leopard so fare?
I installed cp client following your instructions (two times) but same thing, after minute i get an error “services are down” i have macbook pro with clean snow leopard, any idea?
Hi,
I fix it
I again follow procedure but instead switch -r i put -d and it works, frankly no clue what is the difference between switches but it works now. ( switch -d i found on another site)
Worked like a charm!!
You saved my day. Or…. night.
I am trying to install the Checkpoint SSl Network Extended for OS 10.5.8 and although it is implied that that problem was solved a long time ago, I haven’t found a workable solution. Pointers please? Also pointers to uninstall.
Thanks,
Thank you MASTER,
Was really helpfuly
Saludos desde Mexico
thanks a lot, for me it works perfectly.
_bash
Also happy to report success, thank you very much :)
It works ! Fantastic !
It worked great! A huge relief, I was afraid I was going to have to go back to OS 10.5. Thank you!
Thanks a million!!! It works like a charm.
Doing that the Secure Client is working, but trying to establish a GPRS connection hangs the system deadly!
what could be a reason?
P.S. Uninstallation of SC solves the problem with GPRS but not with VPN :)
maybe i’m just to silly to read but if i open the installationcheck file in the package with 0xed i cant find any kextload string, also in postinstall. am i wrong? cheers dummy
0xed comes later, please read section 1 (these files needs to be edited with TextEditor) and the string is different:
1. just right click on the installer and select Show Package Contents. This opens finder within the package.
2. go to Contents/Resources.
3. open TextEdit, use vi in a shell or whatever you prefer to edit a simple file
4. on file “InstallationCheck” change the number 9 in line 8 to number 10: if [ "$MAJOR" != "10" ]; then
5. same on file “postinstall “ change the number 9 in line 84 to number 10
Unfortunately, neither method worked for me.
Can anything else be done?
[2.33 GHz Inter Core Duo Power Book]
Great!!!!
it works also with 10.6.1
thank you!
daniel (magin)
btw: think delphi!
Following your steps it works!
Thanks so much
I’ve installed the SC in my macbook black running OSX 10.6.1.
Everything is fine except that when I tried to connect to my office VPN, it failed at assigning me a office IP at interface en7
But my /var/log/system.log shows there is assignment from DHCP
Oct 13 10:27:03 gavin-yaps-macbook configd[14]: DHCP en7: 192.168.17.205 in use by 54:55:43:44:52:00, DHCP Server 192.168.17.1
en7: flags=8822 mtu 1500
ether 00:1c:42:00:00:09
Check Point Virtual Network Adapter
Anyone have such experience?
From my understanding the address space should be differ to the one used in your VPN Domain. Is that the case?
Oct 13 10:27:03 gavin-yaps-macbook configd[14]: DHCP en7: 192.168.17.205 in use by 54:55:43:44:52:00, DHCP Server 192.168.17.1
This is correct the address is assigned together with other information like DNS, WINs servers config….
Just that it doesn’t set to my en7 interface for the above IP and no configs are change in my /etc/resolv.conf or routing table.
1. installed fine with modifications necessary to get it running
2. added site fine
when downloading policy it gets stuck/ never finished. this is not so much a problem as it seems some incompatibility with my company’s policy setting and the version of the client.
however, i can not access my internet anymore. it allows only traffic to negotiate with the vpn site and ssh traffic. all other traffic seems to be blocked. i tried reinstalling and uninstalling the client several times but it won’t let me access the internet anymore even in uninstalled state.
would you have any idea were in the OS it incorporates the firewall blocks? i found a clue in the uninstaller, it performs detach the fwboot driver. however, running the command manually, it tries to work in /etc/rc/ which doesn’t exist in snow leopard.. anything else, i might check to solve this problem?
thanks
1. Make sure you disabled Security Policy on your VPN Client (in Menu / Tools)
2. you should fix the issue to download the Security Policy or even configure it not to use the Desktop Policy on Checkpoint FW.
Thank you very much. It works fine, exactly as you wrote.
[MacBook Pro, Mac OS X 10.6.1]
I could uninstall the original Package using your link. Now I installed the package of gcardinal and the installation worked fine.
Checkpoint is started automatically after login and I can create a Site but I’m unable to connect. Once I entered PIN and Tokencode it says “connecting to gateway” then Checkpoint crashes (Windows and Icon disappear).
Any ideas?
Thats something whats hard to reproduce. At least on my site. Can only guess that it conflicts with some other apps? What about VMware Fusion? There is a known issues with it.
VMware is not installed on the machine. Its a brand new MacBook Pro.
Can I find any useful logs on this issue somewhere?
Just enable CP Client to log. The logs are in /opt/CPsrsc-50/log/.
You can use the console utility to check for system messages.
1st – I’d like to say THANK YOU Harald – After installing 10.6.1, I updated the 2 binaries as outlined, rebooted, and all worked well … Until I rebooted again (to continue some other testing).
Looks like SecureClient either does not shutdown cleanly or startup cleanly, and upon reboot, I was unable to click on the SecureClient icon in the Menu-bar, nor was I able to start it from the Applications folder. I started Activity Monitor and I noticed a SecureClient process running. I shutdown the process, restarted SecureClient from the Applications folder, and all works well again.
Your thoughts?
Sounds similar to what some people got before. User Kabutosan found out in earlier comments:
Open “System Preferences -> Accounts -> Login Items” and remove “SecureClient.
Add again SecureClient (from Application) and “Log Off”.
Log On again and all works.
Again, THANK YOU Harald. That worked, as well.
Thanks a lot!!!!
Hi – first thanks for the info, it was very useful in installing SC on snow leopard.
However, I have run into a problem that has me completely stumped and I hope you can help. I have managed to install the client on my new macbook Pro 13″, with OS X10.6.1. When I’m using the Secure Client app, I get authenticated on the VPN and all seems fine, I can access INTERNAL sites. but, I cannot access any EXTERNAL sites, (ex. Google, CNN, etc.)
I have checked the secure client settings to make sure the “route all traffic to gateway” is unchecked. I also checked my security configuration for firewall issues, and confirmed the DNS. Finally I looked at the network routing tables and it seems to be correct, showing my local router as the default and the rest within the corporate VPN.
Any ideas on what could be the problem here?
As a final note, I have a colleague that is also running Snow Leopard, and has the SC client, and it works just fine on his!! We have gone through everything configurable we could, and at this point I’m starting to believe it may be hardware related.
That still seems like Config issue of CP. However, while connected do you see only the DNS server of your VPN or even the one you have without connected.
If in Office mode, did you check if you configured the dmonain name?
Hi –
While connected, I only see the DNS servers of the private network, my local DNS disappears from the list, and vice versa.
Can you elaborate on your question regarding the office mode? I am not sure I fully understand.
Thank you very much.
Do your companies DNS server allow to query public names from your OfficeMode IP?
Did you set the right domain name in CP-Firewall (OfficeMode section)?
Hi –
Yes, they do, and I have also checked the domain name in the SC office mode settings. I know this works, because I am the only one having this problem with this new mac.. my colleague’s 1 year old macbook running snow leopard, is using the SC client fine with no problems. And our configurations are the same… both the SC client configuration and the network configurations in the computer itself… Thus my thought that it could be hardware issue?
Great job!
TNX
Hey Harald,
You made my day……I was just contemplating getting on to parallels to use my windows for getting on the VPN.
Option 2 worked for me great and it really saved me a lot of headaches.
Thanks to you again.
Ash
Hello,
I tried this and could install the program but I could not start it. Then I removed it again, but I cannot install it anymore. The installation goes trough, but after a reboot, I cannot find the software anywhere. There are no files in /opt
Any ideas?
Thanks
Ronny
http://www.sysadmins-world.com/?p=57
Hello HARALD
I write To You from Argentina, for which I ask you be able to excuse my English.
I realize all the steps without mistake, but on having ended remain without network, do not have gone out Internet, which can be happening ??
Try 3 times to do everything again and always on having finished, once installed everything, I have the exit blocked to Internet.
I have Mac 10.6.1
Agradecere your help.
Thank you very much Alberto
Do you mean your internet access is blocked as soon as SC is running?
YES
Only when unistall I return to have exit to Internet
I made the modifications for case n°2 where SC is already installed, and it worked, many thanks!
many thanks man!
Download complete working installer here:
http://dl.getdropbox.com/u/445198/SecureClient_10.6.pkg.zip
It installs working (modified) version of SecureClient. Tested under 10.6 and 10.6.1
Big (i mean reallly big) thanks gcardinal! installed in 2 mins and working!!!
Big thanks again!
I downloaded this MAC Snow installer from GCARDINAL:
http://dl.getdropbox.com/u/445198/SecureClient_10.6.pkg.zip, however, now my Mac sometimes does not boot up. I have to hold down the Power button to stop the stalled boot up and then push the power button again to boot it up, it usually works on the second try. What would cause this?
I haven’t heard of any similar issue. By now there is a Checkpoint Client for 10.6 available. Its still in EA state, but works really good. I recommend to use this from now on.
I followed all the instructions as indicated: uninstalled with the checkpoint uninstaller, removed the files as indicated here and re-installed. However, I cannot connect after the install. Nothing happens when I click the Secure Client icon.
I’ve gone through this procedure for 3 times now. Always the same result.
I wanted to give it another try and uninstalled with the checkpoint installer.
This gives me the following info (in the Terminal window).
Last login: Thu Sep 24 13:13:24 on console
/opt/CPsrsc-50/scuninstall.command ; exit;
erik-debouttes-macbook-air:~ EDE$ /opt/CPsrsc-50/scuninstall.command ; exit;
=========================================================
Welcome to Check Point SecureClient For Mac OS-X
=========================================================
This operation will uninstall SecureClient.
Do you wish to continue (yes/no)? y
Checking preconditions…
Uninstalling SecureClient…
Stopping SecureClient services…
SecureClient stopped OK
Detaching Firewall…
rm: /System/Library/Extensions.kextcache: No such file or directory
rm: /System/Library/Extensions.mkext: No such file or directory
SecureClient removed.
Please restart your computer to complete uninstall.
=========================================================
logout
[Proces voltooid]
Do the “no such file… ” messages mean anything ?
Can you please help ?
Thats allright, the error is nothing to worry about. Now go ahead and make sure you clean out the receipt files, as described in my other post. And then continue with this procedure.
When you clicked the SecureClient icon, did you mean the one in your App folder, or the one which shows up in the top bar after SC has been started?
I mean the icon which shows up in the top bar after SC has been started
Finally I could do a clean uninstall. Then downloaded the working package from GCARDINAL.
Then an install that worked: OK
I then created the site: OK
When I connect I receive a message that my user is Authenticated and then a message that the gateway is not responding. Nothing changed at our corporate site and SC worked fine on my mac before installing Snow Leopard.
Could you please help ?
I’m no systems administrator, so I don’t really understand what is being done here. That said, your instructions are pretty clear. I’ve managed to do all tasks up to Step 4. I don’t really understand your instructions to “Copy those back and then type in the Terminal window.” If you could clarify, I’d appreciate. I really need home access to my medical school server and am hoping that this is the ticket. Thanks for your help and patience.
You just need to type the commnds in a terminal window. These commands will just move the files from the Desktop to the original location.
Thanks. I think I’ve managed to make matters worse. I got frustrated by the constant pop-up error message that I was receiving from CP, so I uninstalled the application. Now when I try to follow your instructions above, I’m getting the Terminal window error saying that some files don’t exist… I think others have encountered the same when CP was uninstalled from their Macs. Your work around solution is intimidating to me, but I may attempt. Any advice is appreciated. Thanks again.
After what command you get this error? Sorry, for not providing any easier way, but this is the workaround I found. I’m not developing Checkpoint software. This of course requires deeper knowledge of Linux. I only could offer you a remote session.
how the hell did you find that out?
brilliant – it worked!!
many thanks!!!
I can’t believe it…I did it.
Thanks so much Harald…you are a genius.
Mo
Hi,
I first upgraded to 10.6 and 10.6.1 and then uninstalled the SecureClient with its uninstall script.
After reboot I modified the installpackage as described and reinstalled it. It told me that it was successfully installed but after reboot I didn’t find any installed files. No /opt/CP*-Directory and so on…
What did I do wrong?
and yes, after I uninstalled SecureClient, I checked for files in receipts-directories (as described in http://www.sysadmins-world.com/?p=57) but didn’t find any so I had to assume that uninstall was sucessfull.
That’s odd. Never seen this before. After uninstalling SC it always left at least the first 2 files. In such case the new installation performs really fast. While the installer is open, the installer log shows Upgrading instead of “Installing” too.
Unfortunately, I have the thame problem.
Uninstall : Ok
reboot
Install (modified package) : Ok
reboot
But no /opt/CP* directory
Secure Client dont exist anymore on my system.
Before the install step, you have to make sure to clean out the receipt files: http://www.sysadmins-world.com/?p=57
Ok, it seems to work a little better.
After installing, I have a /opt/CP* directory but there is no bin in it and a lot of file are aliases with no original.
After replacement of :
pax -x cpio -w . > ../Archive.pax
by
sudo chown -R root:wheel ../newSC
pax -U root -x cpio -w . > ../Archive.pax
as said by JohnB in http://www.sysadmins-world.com/?p=62
the installer works fine.
Thank you
*SOLVED*
When I uninstalled it after upgrading to SnowLeopard and it seemed that there were left some files (other than mentioned in http://www.sysadmins-world.com/?p=57). Thats the reason why there were not copied any files…
Now I did following to get it running:
- recovered /opt/CPsrsc-50/ from TimeMachineBackup when I had 10.5.8
- run “scuninstall” command
- and look! there are exactly the files left as described in http://www.sysadmins-world.com/?p=57 (I removed them)
- reboot
- new installation as described in this blog.
- after reboot the SecureClient starts again
After the SecureClient is running again, I need the configuration of my VPN-connection. Where can I find the old configuration to recover it from TimeMachineBackup?
Having had to reset the permissions on the two edited files (see #111 above), I wondered if a Permissions repair would make them revert, and leave me with a non-functional icon in the menu bar again, but I’m glad to say everything is still fine after repairing permissions.
I could do the install, modified the two files and now the icon appears in the icon bar on top, as expected.
However, if i click the Secureclient icon, nothing happens and i cannot connect to the gateway.
What ‘s wrong ?
Hi Erikdbt, exactly the same happens to me after I have doen all that is described in this article. Did you ever get it to work?
I had the same issue. So I deinstalled SC and removed the CP receipts from the receipts folder. After a reboot, I installed it as described and succeed.
Perhaps, its better not to change the name of the installer package.