A Fix for Checkpoint SecureClient VPN on Mac OS X 10.6 Snow Leopard

Posted on 03 September 2009

We all remember, once Leopard was out it took Checkpoint quite a long time to update their VPN client. Now Snow Leopard is out and it begins …

After installing Snow Leopard, Checkpoints SecureClient refuses to install and if already installed (through an upgrade) it won’t start at all.

I did some investigation and I finaly made it working since Apple hasn’t changed too much.

1. The Checkpoint installer refuses to install

The installer checks up for the Darwin Kernel version 9. In Snow Leopard we have version 10. So two files need to be edit within the installer package.

  1. just right click on the installer and select Show Package Contents. This opens finder within the package.
  2. go to Contents/Resources.
  3. open TextEdit, use vi in a shell or whatever you prefer to edit a simple file
  4. on file “InstallationCheck” change the number 9 in line 8 to number 10: if  [ “$MAJOR” != “10” ]; then
  5. same on file “postinstall “ change the number 9 in line 84 to number 10

That’s it. Just install it and reboot. Changes need to make afterwards in order to have it starting.

2. SecureClient fails to start

Screen shot 2009-09-07 at 1.28.55 PM_2

Now this gets just a bit more tricky. Apple has moved some options of kextload to kextutil in 10.6. Checkpoint hardcoded such an option -s in two binary files. This option is to create the symbol files in the Checkpoint directory. It  does not exist anymore in kextload, and is now provided in kextutil. But creating the symbol files is only needed for debug reasons, so not really necessary. Therefore I only replaced the option -s with option -r to fill up the space, because the binary file should not change in size. Two binary files have to be changed with an hexeditor.

Preparation:

  • Download and install a hexeditor. 0xED is one of it.
  • After inserting the first command, it will ask you for your local user password (User needs Administrator permission)
  1. Open the terminal application from Utilities folder and type:.
    sudo cp /opt/CPsrsc-50/bin/StartupItemsMgr $HOME/Desktop
    sudo cp /opt/CPsrsc-50/boot/SecureClient/SecureClientStarter /$HOME/Desktop
    sudo chown $USER /$HOME/Desktop/StartupItemsMgr

    sudo chown $USER /$HOME/Desktop/
    SecureClientStarter

  2. Now run 0xED and choose File/Open Files from the Menu to load the StartupItemsMgr and SecureClientStarter from your Desktop in it.
  3. From Menu Edit choose Find/Find or just press Apple-F and type in to find: “kextload -s” and type in replace “kextload -v”
    Click on Replace All
    Screen shot 2009-09-11 at 11.49.50 AM
    Save and close …
  4. Now once you succeeded editing copy those back by typing in the terminal window:
    sudo cp $HOME/Desktop/StartupItemsMgr /opt/CPsrsc-50/bin/
    sudo cp $HOME/Desktop/
    SecureClientStarter /opt/CPsrsc-50/boot/SecureClient/
    rm
    $HOME/Desktop/StartupItemsMgr
    rm $HOME/Desktop/SecureClientStarter
  5. Reboot and you should have SecureClient starting …

Its also possible to change the installer package itself. This makes it easier if you have a lot of Macs.

Please let me know if this did help.

Update1: There is an EarlyAvailable Version for Snow Leopard (32bit) by now. It won’t need all these steps and even more some small issues are solved in there. You can apply to the EA Program and could get the download almost immediately with a vaild support contract.

Update2: Finally, Checkpoint released its VPN client to the public. You can download it here: SecureClient NG-AI R56 HFA 2 for Mac OS X 10.6 (Snow Leopard) It works fine, so just (clean) uninstall your old VPN Client and install the new one.


296 responses to A Fix for Checkpoint SecureClient VPN on Mac OS X 10.6 Snow Leopard

  • […] A fix for checkpoint secureclient vpn on mac os x 10.6 […]

  • dom says:

    Ok I found out what’s happened. It’s related to my firewall, I’m using a ipfw script with very strict rules : I don’t why but I think I should have move by error a rule about trafic for local interface at the end; then all traffic on lo was dropped. As soon I changed this rule, the secureclient was ok. The Checkpointservices tried to connect on port 9000 and also on 32376. Don’t know if those ports are always the same but anyway I fixed the problem. Thanks a lot for your help

  • dom says:

    Hi,

    I have just installed the latest release on a macbook pro mac osx 10.6.4 with Check_Point_SecureClient_R56_HFA_02_Mac_OSX.pkg.zip (SecureClient_B634006015_1) and I still get the same window error message. I did a clean uninstall (http://www.sysadmins-world.com/?p=57). Is someone have the same problem and or do I need to check something else ?
    Thanks a lot

    • Harald Haentsch says:

      What exact error message do you get?

      • dom says:

        the one in the image box above (ie vpn-1 secureclient error secureclient service ares down, please reboot your machine to start them). Service is listening correctly (port 9000 on localhost) but can’t start at the boot even when I launch it manually.

        • Harald Haentsch says:

          could you please have a look at the console log (run console in utilities), what shows up in the time the error appears

          • dom says:

            here the message I got just after

            com.apple.launchd.peruser.501[157] ([0x0-0x2a02a].SecureClient[307]) Exited with exit code: 255

          • Harald Haentsch says:

            Looks like permission problem. Does the concerned user has admin privilges. If not, could you try to log in with admin user?

  • Dave says:

    This helped me out when I installed the first time, and it worked great. Had to uninstall for some compatibility issues, but got those fixed. I went to reinstall it and it doesn’t reinstall (well, it goes through the process, but I can no longer follow the steps above to set it up.). The CP commands say there’s no such folder/files. And I can’t find them anywhere on my system. The error is “No such file or directory”. And I’m copying and pasting, so it’s not a typo, and it worked the first time around. Any ideas?

    Dave

  • Renee says:

    Worked like a charm. Great instructions…thanks!

  • Lorencez says:

    !!!!! Hey everybody !!!!!

    you can get the official
    “CheckPoint VPN SecureClient R56_HFA_02 for Mac OS X 10.6” at this link
    it works great no temp problems anymore.

    https://helpdesk.netco.nl/index.php?_m=downloads&_a=viewdownload&downloaditemid=25&nav=0%2C4%2C7

  • Jm says:

    Works in 10.6.4 but only in 32bit mode, when I start the system in 64bit mode the VPN-1 SecureClient Error window appears after a while

  • ReKa says:

    I applied this fix and are using this VPN client for about 8 month. I investigated a very high CPU usage (70%-100%).
    Fan is running at highest level and MacBook is getting really hot.

    Now I have seen the new version at
    https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=10522

    But I am not able to download this.
    Is anybody able to download it?

  • Harp says:

    The VPN secureclient has been working perfectly for the past couple of months.

    However secureclient seems to have had an effect on my wifi access. The only way for me to login to the internet using wifi is if I login to the secureclient first, which is rather annoying.

    Any way to fix this?

    Thanks,
    harp

    • Harp says:

      Nevermind I just read a post that may fix it:

      CB says:
      April 14, 2010 at 9:30 pm

      I experienced the same thing. I noticed that once I connected to the VPN, the entries of the VPN DNS were left on the adapter (in my case it was airport). This happens from time to time, so I just go into Airport, Advanced, DNS and remove the VPN DNS entries and Internet connectivity works again.

  • Joe says:

    I ran the script and TOTALLY FRIED my Mac. It won’t even boot up anymore!!! I can’t imagine how a simple script could…

    …wait… …What’s that cord behind my computer go to?

    =)

    __________________________________
    Thanks – worked perfectly for me!

  • […] for Checkpoint SecureClient VPN on Mac OS X 10.6 Snow Leopard Its an ugly work around but it seems to work.  Excellent work […]

  • Thank you for this fix. It solved my problems after upgrading to Snow Leopard.

  • Tim says:

    Works like a charm. Thank you so much.

  • Hexley says:

    Thanks for this solution.
    Works on Mac OSX 10.6.3 BUT
    Be careful, because on my MacBookPro, after installation and setup (that’s work),
    a big part of incoming traffic is blocked.
    No response (ping) from host (where is installed the checkpoint client), no access on AFP, Web services… etc
    After delete the /opt/ folder and restart my computer, all trafic is ok…
    Strange and dangerous…
    I looked for a long time the problem before finding…

  • Harald Haentsch says:

    Security Update 2010-003 seems to work with Checkpoints Secure Client EA for 10.6 which I’m using.

    But in order to look into it, could you provide me with the console log file. (Open Console in Utilities and in File Menu “Save A Copy As …”)
    Also worth trying is to do the same procedure, but instead of replacing it with “kextload -r” you better use “kextload -v”. This seems to be a bit more save and provides more log output to investigate. Therefore I changed the article accordingly.

    Cheers

    • Sigi says:

      Hey, thanks for your quick reply,

      I’ll try this at home in the evening, and post my results.

      So long

    • Sigi says:

      Hi again,

      great news!! after a complete uninstall with your hint and reinstall with the “kextload -v” parameter the checkpoint vpn client works again well.
      thanks for your great support :-)

      good night from germany
      sigi

    • Edgar says:

      I have the same problem as Mark
      It worked great until I upgraded to 10.6.3.
      I uninstalled and then re-installed and re-applied the patch, but it still doesn’t work and I get the “SecureClient services are down. Please reboot …”

      This is the log
      [ 437 -1610513184][29 Apr 17:36:59] ——————————————————————

      [ 437 -1610513184][29 Apr 17:36:59] [Tick 1266699832] VPN-1 SecureClient/Securemote – Starting SR_Service
      [ 437 -1610513184][29 Apr 17:36:59] ——————————————————————

      [ 437 -1340051456][29 Apr 17:36:59] set_ikeStatus_post_fn: set fn 02098880
      [ 437 -1341648896][29 Apr 17:36:59] Unable to open ‘/dev/fw0’: No such file or directory
      [ 437 -1341648896][29 Apr 17:36:59] Unable to open ‘/dev/fw0’: No such file or directory
      [ 437 -1341648896][29 Apr 17:36:59] decrypt_obj: no cryptver
      [ 437 -1341648896][29 Apr 17:36:59] decrypt_obj: no cryptver
      [ 437 -1341648896][29 Apr 17:36:59] decrypt_obj: no cryptver
      [ 437 -1341648896][29 Apr 17:36:59] decrypt_obj: no cryptver
      [ 437 -1341648896][29 Apr 17:36:59] decrypt_obj: no cryptver
      [ 437 -1341648896][29 Apr 17:36:59] Unable to open ‘/dev/fw0’: No such file or directory
      SR_Service: FWCSS:0x08c0060003 InitializeService OK 0

      • Harald Haentsch says:

        As stated, Mark and Sigi had same issues. What did fix it was: doing a real clean uninstall (look at my other post) and install with the “kextload -v” parameter

  • Mark says:

    Thanks for the patch.

    It worked great until I upgraded to 10.6.3.

    I uninstalled and then re-installed and re-applied the patch, but it still doesn’t work and I get the “SecureClient services are down. Please reboot …”

    Any other suggestions?

    Thank!

    • Sigi says:

      Hello!,

      I’ve exactly the same Problem after applying the Security Update 2010-003, one or two days before I’ve installed the 10.6.3 update and the VPN Client still works, but after yesterday applying the 2010-003 it’s broke and I get the same error message. I hope that the VPN Guru have a “quick fix” :-)
      Sorry for my bad english..

      thx
      Sigi

  • Gustavo says:

    Doesn’t work for me… The installation (at the first step) goes fine ’till the last second. Than I got this error: The installer has found an error…

    What’s wrong? Running 10.6.2.

    Thks!

  • maeck says:

    Thanks for the artikel.

    “There is an EarlyAvailable Version for Snow Leopard (32bit) by now”
    Where can i find and download the SnowLeopard-Version?

    thx maeck

  • Norman says:

    Great. Short to read, Simple to do and it work’s very fine.

  • ChrisB says:

    THANK YOU! Although, you’ve managed to help me continue to login to work from home. Maybe I shouldn’t be thanking you. Seriously though, thanks!

  • Adam says:

    Invaluable.. thanks for the post, this worked great.

  • Alan says:

    Thanks Harald!

    Everyone, have you found that after an hour or so the client starts using 100% of a core (CPU)? This is making the client unusable since it runs my MBP’s temp up tremendously. I saw elsewhere this might have something to do with licenses. My Windows-oriented company has herds of licenses for Windows clients – is there a separate license required for Mac clients? Please say “no”

  • Brendon says:

    found the link – thanks – worked

  • Brendon says:

    followed fist steps and used hex editor but still cam up with error – uninstalled – reinstalled but now nothing looks lik to be installed – ran steps again but it cannot fine anything

    help please

    ………novice

  • Reg says:

    I am running a Mac Mini w/ Snow Leopard 10.6.2. When I install the new SecureClient install pkg that has been adjusted for V10 it installs without a glitch but then I lose by connection to the internet completely. As soon as I uninstall the client the connection comes back. I am connecting via Ethernet. Any ideas???

    Thanks

    • Harald Haentsch says:

      Very hard to reproduce. So you loose your connection right after you installed the package. Not when connecting to your Gateway. What does your routing table show (netstat -nr)? Also please paste you the ifconfig too.

    • Matt says:

      This happened to me, make sure you have a DNS server for your non-VPN network included.

    • CB says:

      I experienced the same thing. I noticed that once I connected to the VPN, the entries of the VPN DNS were left on the adapter (in my case it was airport). This happens from time to time, so I just go into Airport, Advanced, DNS and remove the VPN DNS entries and Internet connectivity works again.

  • Mike Hudson says:

    Worked well on my MacBook Pro, running Snow Leopard.

    Thanks

    ‘Ping back’ from http://www.mikesel.info/blog/yes-you-can-make-secureclient-work-in-snow-leopard

  • Andreas says:

    i have an imac with 10.6.2 everything works fine..

    but after reboot the SecureClient process becomes every second a new task id and when i open other applications the focus lost in this intervall.

    i removed the secureclient from automatical starting… reboot. everything is ok.

    but when i start it same behaviour :-.(

    anybody out there solved this issiue

  • HG says:

    Thanks very much. Works perfectly first time.

  • Lee Hendricks says:

    Harold,

    You are, as Bob says, a genius. Managed to get the installer working and installed SecureClient VPN-1 on Snow Leopard 10.6.2. Was able to set up the VPN site and go through key generation. I then used a Secure RSA fob to connect and authenticated using my user name. It was at this stage I got the following error:

    Checking network connectivity…
    Preparing connection…
    Connecting to gateway…
    User hendricl authenticated by SecurID
    IKE negotiation failed
    Connection failed

    Any insight you are able to provide would be hugely appreciated.

    Thanks,

    Lee

    • Harald Haentsch says:

      Did you test it with Advanced Settings / Connectivity enhancement marking both “IKE over TCP” and “Force UDP encapsulations”?

      Could be a bad routing, bad internet connection in general or even wrong key. More detailed logs would be needed. First just Enable Logging in Advanced would help. Restart the SC and Save the log.

      • Lee Hendricks says:

        Harald,

        IKE over TCP and UDP encapsulation all enabled.

        Weird thing is, I installed a virtual machine on my Mac running Windows XP, downloaded SecureClient for Windows and VPN-1 worked like a charm.

        I then checked all the settings were identical between the Windows version and the Evaluation Copy from CheckPoint that is ‘Snow Leopard’ compatible, but it couldn’t negotiate IKE???

        Technically, they should appear as identical clients – the virtual machine uses the Ethernet card of the MacBook Pro, so same DNS, etc.

        I am stumped.

        Lee

  • Raul Gomez says:

    Into my Mac Pro with 10.6 (no uptade) this instruction work perfect!!
    After instalation I’m run Onyx from clear and mante

    Thanks

  • Bob McToot says:

    Genius, mate. Genius!

    Thanks for this – got me out of a bit of a pickle :)

  • Joseph FERRO says:

    Thank you very much for your doc! It works very well!

  • David says:

    five stars!
    Thanks very much for your concise instructions, worked perfectly.

  • R delridge says:

    Is this code known to work on 64 bit Snow Leopard installations, or is it only workable on 32 bit installations?

    I was running the code on a Leopard system, but I uninstalled the client before upgrading to Snow Leopard 64 bit, and I have not tried it yet. I was talking another user through the install on a MacBook with the 64 bit OS installed. The install worked, but the code file edit may not be have been done right.

    Thanks,
    Rich

  • ks says:

    Has anyone run into problems using SCV checks with OS 10.6 at the Checkpoint Gateway. I can install the client but doesnt appear that desktop policy is allowing any access.

  • If you’re running Snow Leopard, then patch the installer and follow the other instructions on this page.

  • […] If you’re running Snow Leopard, then patch the installer and follow the other instructions on this page. […]

  • Recent Posts

    Tag Cloud

    Checkpoint FAS 3020c Join Mac OS X Server NetApp OS X 10.6 R56 SecureClient Snow Leopard

    Meta

    Sysadmins World is proudly powered by WordPress and the SubtleFlux theme.

    Copyright © Sysadmins World