A Fix for Checkpoint SecureClient VPN on Mac OS X 10.6 Snow Leopard
Posted on 03 September 2009
We all remember, once Leopard was out it took Checkpoint quite a long time to update their VPN client. Now Snow Leopard is out and it begins …
After installing Snow Leopard, Checkpoints SecureClient refuses to install and if already installed (through an upgrade) it won’t start at all.
I did some investigation and I finaly made it working since Apple hasn’t changed too much.
1. The Checkpoint installer refuses to install
The installer checks up for the Darwin Kernel version 9. In Snow Leopard we have version 10. So two files need to be edit within the installer package.
- just right click on the installer and select Show Package Contents. This opens finder within the package.
- go to Contents/Resources.
- open TextEdit, use vi in a shell or whatever you prefer to edit a simple file
- on file “InstallationCheck” change the number 9 in line 8 to number 10: if [ "$MAJOR" != "10" ]; then
- same on file “postinstall “ change the number 9 in line 84 to number 10
That’s it. Just install it and reboot. Changes need to make afterwards in order to have it starting.
2. SecureClient fails to start
Now this gets just a bit more tricky. Apple has moved some options of kextload to kextutil in 10.6. Checkpoint hardcoded such an option -s in two binary files. This option is to create the symbol files in the Checkpoint directory. It does not exist anymore in kextload, and is now provided in kextutil. But creating the symbol files is only needed for debug reasons, so not really necessary. Therefore I only replaced the option -s with option -r to fill up the space, because the binary file should not change in size. Two binary files have to be changed with an hexeditor.
Preparation:
- Download and install a hexeditor. 0xED is one of it.
- After inserting the first command, it will ask you for your local user password (User needs Administrator permission)
- Open the terminal application from Utilities folder and type:.
sudo cp /opt/CPsrsc-50/bin/StartupItemsMgr $HOME/Desktop
sudo cp /opt/CPsrsc-50/boot/SecureClient/SecureClientStarter /$HOME/Desktop
sudo chown $USER /$HOME/Desktop/StartupItemsMgr
sudo chown $USER /$HOME/Desktop/SecureClientStarter - Now run 0xED and choose File/Open Files from the Menu to load the StartupItemsMgr and SecureClientStarter from your Desktop in it.
- From Menu Edit choose Find/Find or just press Apple-F and type in to find: “kextload -s” and type in replace “kextload -v”
Click on Replace All
Save and close … - Now once you succeeded editing copy those back by typing in the terminal window:
sudo cp $HOME/Desktop/StartupItemsMgr /opt/CPsrsc-50/bin/
sudo cp $HOME/Desktop/SecureClientStarter /opt/CPsrsc-50/boot/SecureClient/
rm $HOME/Desktop/StartupItemsMgr
rm $HOME/Desktop/SecureClientStarter - Reboot and you should have SecureClient starting …
Its also possible to change the installer package itself. This makes it easier if you have a lot of Macs.
Please let me know if this did help.
Update1: There is an EarlyAvailable Version for Snow Leopard (32bit) by now. It won’t need all these steps and even more some small issues are solved in there. You can apply to the EA Program and could get the download almost immediately with a vaild support contract.
Update2: Finally, Checkpoint released its VPN client to the public. You can download it here: SecureClient NG-AI R56 HFA 2 for Mac OS X 10.6 (Snow Leopard) It works fine, so just (clean) uninstall your old VPN Client and install the new one.
295 responses to A Fix for Checkpoint SecureClient VPN on Mac OS X 10.6 Snow Leopard
Ok I found out what’s happened. It’s related to my firewall, I’m using a ipfw script with very strict rules : I don’t why but I think I should have move by error a rule about trafic for local interface at the end; then all traffic on lo was dropped. As soon I changed this rule, the secureclient was ok. The Checkpointservices tried to connect on port 9000 and also on 32376. Don’t know if those ports are always the same but anyway I fixed the problem. Thanks a lot for your help
Hi,
I have just installed the latest release on a macbook pro mac osx 10.6.4 with Check_Point_SecureClient_R56_HFA_02_Mac_OSX.pkg.zip (SecureClient_B634006015_1) and I still get the same window error message. I did a clean uninstall (http://www.sysadmins-world.com/?p=57). Is someone have the same problem and or do I need to check something else ?
Thanks a lot
What exact error message do you get?
the one in the image box above (ie vpn-1 secureclient error secureclient service ares down, please reboot your machine to start them). Service is listening correctly (port 9000 on localhost) but can’t start at the boot even when I launch it manually.
could you please have a look at the console log (run console in utilities), what shows up in the time the error appears
here the message I got just after
com.apple.launchd.peruser.501[157] ([0x0-0x2a02a].SecureClient[307]) Exited with exit code: 255
Looks like permission problem. Does the concerned user has admin privilges. If not, could you try to log in with admin user?
GOOOOD NEWS People
SecureClient NG-AI R56 HFA 2 for Mac OS X 10.6 (Snow Leopard)
https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=11137
This helped me out when I installed the first time, and it worked great. Had to uninstall for some compatibility issues, but got those fixed. I went to reinstall it and it doesn’t reinstall (well, it goes through the process, but I can no longer follow the steps above to set it up.). The CP commands say there’s no such folder/files. And I can’t find them anywhere on my system. The error is “No such file or directory”. And I’m copying and pasting, so it’s not a typo, and it worked the first time around. Any ideas?
Dave
Perhaps, you didn’t do a clean uninstall: http://www.sysadmins-world.com/?p=57
Worked like a charm. Great instructions…thanks!
!!!!! Hey everybody !!!!!
you can get the official
“CheckPoint VPN SecureClient R56_HFA_02 for Mac OS X 10.6″ at this link
it works great no temp problems anymore.
https://helpdesk.netco.nl/index.php?_m=downloads&_a=viewdownload&downloaditemid=25&nav=0%2C4%2C7
Works in 10.6.4 but only in 32bit mode, when I start the system in 64bit mode the VPN-1 SecureClient Error window appears after a while
I applied this fix and are using this VPN client for about 8 month. I investigated a very high CPU usage (70%-100%).
Fan is running at highest level and MacBook is getting really hot.
Now I have seen the new version at
https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=10522
But I am not able to download this.
Is anybody able to download it?
The VPN secureclient has been working perfectly for the past couple of months.
However secureclient seems to have had an effect on my wifi access. The only way for me to login to the internet using wifi is if I login to the secureclient first, which is rather annoying.
Any way to fix this?
Thanks,
harp
Nevermind I just read a post that may fix it:
CB says:
April 14, 2010 at 9:30 pm
I experienced the same thing. I noticed that once I connected to the VPN, the entries of the VPN DNS were left on the adapter (in my case it was airport). This happens from time to time, so I just go into Airport, Advanced, DNS and remove the VPN DNS entries and Internet connectivity works again.
I ran the script and TOTALLY FRIED my Mac. It won’t even boot up anymore!!! I can’t imagine how a simple script could…
…wait… …What’s that cord behind my computer go to?
=)
__________________________________
Thanks – worked perfectly for me!
[...] for Checkpoint SecureClient VPN on Mac OS X 10.6 Snow Leopard Its an ugly work around but it seems to work. Excellent work [...]
Thank you for this fix. It solved my problems after upgrading to Snow Leopard.
Works like a charm. Thank you so much.
Thanks for this solution.
Works on Mac OSX 10.6.3 BUT
Be careful, because on my MacBookPro, after installation and setup (that’s work),
a big part of incoming traffic is blocked.
No response (ping) from host (where is installed the checkpoint client), no access on AFP, Web services… etc
After delete the /opt/ folder and restart my computer, all trafic is ok…
Strange and dangerous…
I looked for a long time the problem before finding…
Did you disable Security Policy in the menu under Tools?
Oooouups…
Thanks for your tips, now everything is ok.
I sincerely apologize, i don’t known very well this software…
On the CheckPoint website, i found this page “VPN-1 SecureClient R56 HFA_02 EA for Mac OS X 10.6″:
https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=10522
The official SecureClient for Snow Leopard is available ???!
Thanks again.
No, EA means Early Available. So its just a beta, but works so far on mine. But its only available for contract users.
Ok !
Thank you very much for your help and your doc !
Security Update 2010-003 seems to work with Checkpoints Secure Client EA for 10.6 which I’m using.
But in order to look into it, could you provide me with the console log file. (Open Console in Utilities and in File Menu “Save A Copy As …”)
Also worth trying is to do the same procedure, but instead of replacing it with “kextload -r” you better use “kextload -v”. This seems to be a bit more save and provides more log output to investigate. Therefore I changed the article accordingly.
Cheers
Hey, thanks for your quick reply,
I’ll try this at home in the evening, and post my results.
So long
Hi again,
great news!! after a complete uninstall with your hint and reinstall with the “kextload -v” parameter the checkpoint vpn client works again well.
thanks for your great support :-)
good night from germany
sigi
I have the same problem as Mark
It worked great until I upgraded to 10.6.3.
I uninstalled and then re-installed and re-applied the patch, but it still doesn’t work and I get the “SecureClient services are down. Please reboot …”
This is the log
[ 437 -1610513184][29 Apr 17:36:59] ——————————————————————
[ 437 -1610513184][29 Apr 17:36:59] [Tick 1266699832] VPN-1 SecureClient/Securemote – Starting SR_Service
[ 437 -1610513184][29 Apr 17:36:59] ——————————————————————
[ 437 -1340051456][29 Apr 17:36:59] set_ikeStatus_post_fn: set fn 02098880
[ 437 -1341648896][29 Apr 17:36:59] Unable to open ‘/dev/fw0′: No such file or directory
[ 437 -1341648896][29 Apr 17:36:59] Unable to open ‘/dev/fw0′: No such file or directory
[ 437 -1341648896][29 Apr 17:36:59] decrypt_obj: no cryptver
[ 437 -1341648896][29 Apr 17:36:59] decrypt_obj: no cryptver
[ 437 -1341648896][29 Apr 17:36:59] decrypt_obj: no cryptver
[ 437 -1341648896][29 Apr 17:36:59] decrypt_obj: no cryptver
[ 437 -1341648896][29 Apr 17:36:59] decrypt_obj: no cryptver
[ 437 -1341648896][29 Apr 17:36:59] Unable to open ‘/dev/fw0′: No such file or directory
SR_Service: FWCSS:0x08c0060003 InitializeService OK 0
As stated, Mark and Sigi had same issues. What did fix it was: doing a real clean uninstall (look at my other post) and install with the “kextload -v” parameter
Thanks for the patch.
It worked great until I upgraded to 10.6.3.
I uninstalled and then re-installed and re-applied the patch, but it still doesn’t work and I get the “SecureClient services are down. Please reboot …”
Any other suggestions?
Thank!
Hello!,
I’ve exactly the same Problem after applying the Security Update 2010-003, one or two days before I’ve installed the 10.6.3 update and the VPN Client still works, but after yesterday applying the 2010-003 it’s broke and I get the same error message. I hope that the VPN Guru have a “quick fix” :-)
Sorry for my bad english..
thx
Sigi
Doesn’t work for me… The installation (at the first step) goes fine ’till the last second. Than I got this error: The installer has found an error…
What’s wrong? Running 10.6.2.
Thks!
Thanks for the artikel.
“There is an EarlyAvailable Version for Snow Leopard (32bit) by now”
Where can i find and download the SnowLeopard-Version?
thx maeck
You can find it in Checkpoints Usercenter:
https://usercenter.checkpoint.com/usercenter/index.jsp
(You need to have a valid Support Contract with your User ID)
The EA is under Products / Early Availability. Just apply for it and after a few hours you are able to access the download there.
Great. Short to read, Simple to do and it work’s very fine.
THANK YOU! Although, you’ve managed to help me continue to login to work from home. Maybe I shouldn’t be thanking you. Seriously though, thanks!
Invaluable.. thanks for the post, this worked great.
Thanks Harald!
Everyone, have you found that after an hour or so the client starts using 100% of a core (CPU)? This is making the client unusable since it runs my MBP’s temp up tremendously. I saw elsewhere this might have something to do with licenses. My Windows-oriented company has herds of licenses for Windows clients – is there a separate license required for Mac clients? Please say “no”
found the link – thanks – worked
followed fist steps and used hex editor but still cam up with error – uninstalled – reinstalled but now nothing looks lik to be installed – ran steps again but it cannot fine anything
help please
………novice
I am running a Mac Mini w/ Snow Leopard 10.6.2. When I install the new SecureClient install pkg that has been adjusted for V10 it installs without a glitch but then I lose by connection to the internet completely. As soon as I uninstall the client the connection comes back. I am connecting via Ethernet. Any ideas???
Thanks
Very hard to reproduce. So you loose your connection right after you installed the package. Not when connecting to your Gateway. What does your routing table show (netstat -nr)? Also please paste you the ifconfig too.
This happened to me, make sure you have a DNS server for your non-VPN network included.
I experienced the same thing. I noticed that once I connected to the VPN, the entries of the VPN DNS were left on the adapter (in my case it was airport). This happens from time to time, so I just go into Airport, Advanced, DNS and remove the VPN DNS entries and Internet connectivity works again.
Worked well on my MacBook Pro, running Snow Leopard.
Thanks
‘Ping back’ from http://www.mikesel.info/blog/yes-you-can-make-secureclient-work-in-snow-leopard
i have an imac with 10.6.2 everything works fine..
but after reboot the SecureClient process becomes every second a new task id and when i open other applications the focus lost in this intervall.
i removed the secureclient from automatical starting… reboot. everything is ok.
but when i start it same behaviour :-.(
anybody out there solved this issiue
Thanks very much. Works perfectly first time.
Harold,
You are, as Bob says, a genius. Managed to get the installer working and installed SecureClient VPN-1 on Snow Leopard 10.6.2. Was able to set up the VPN site and go through key generation. I then used a Secure RSA fob to connect and authenticated using my user name. It was at this stage I got the following error:
Checking network connectivity…
Preparing connection…
Connecting to gateway…
User hendricl authenticated by SecurID
IKE negotiation failed
Connection failed
Any insight you are able to provide would be hugely appreciated.
Thanks,
Lee
Did you test it with Advanced Settings / Connectivity enhancement marking both “IKE over TCP” and “Force UDP encapsulations”?
Could be a bad routing, bad internet connection in general or even wrong key. More detailed logs would be needed. First just Enable Logging in Advanced would help. Restart the SC and Save the log.
Harald,
IKE over TCP and UDP encapsulation all enabled.
Weird thing is, I installed a virtual machine on my Mac running Windows XP, downloaded SecureClient for Windows and VPN-1 worked like a charm.
I then checked all the settings were identical between the Windows version and the Evaluation Copy from CheckPoint that is ‘Snow Leopard’ compatible, but it couldn’t negotiate IKE???
Technically, they should appear as identical clients – the virtual machine uses the Ethernet card of the MacBook Pro, so same DNS, etc.
I am stumped.
Lee
Into my Mac Pro with 10.6 (no uptade) this instruction work perfect!!
After instalation I’m run Onyx from clear and mante
Thanks
upss is unstable machine hangs on blue screen and I can only go into safe mode
SC take uninstall and begins to work well
My system is 64 Bits
Genius, mate. Genius!
Thanks for this – got me out of a bit of a pickle :)
Thank you very much for your doc! It works very well!
five stars!
Thanks very much for your concise instructions, worked perfectly.
Is this code known to work on 64 bit Snow Leopard installations, or is it only workable on 32 bit installations?
I was running the code on a Leopard system, but I uninstalled the client before upgrading to Snow Leopard 64 bit, and I have not tried it yet. I was talking another user through the install on a MacBook with the 64 bit OS installed. The install worked, but the code file edit may not be have been done right.
Thanks,
Rich
Has anyone run into problems using SCV checks with OS 10.6 at the Checkpoint Gateway. I can install the client but doesnt appear that desktop policy is allowing any access.
If you’re running Snow Leopard, then patch the installer and follow the other instructions on this page.
[...] If you’re running Snow Leopard, then patch the installer and follow the other instructions on this page. [...]