VPN client is not working after Yosemite update: Enforce Firewall Policy Fail

Solution 1:

I think the underlying issue is that Yosemite will not load kexts (kernel extensions) unless they are signed by an authorized kernel extension developer. However, in 10.8 and earlier, kexts could not be signed and signed kexts for 10.9+ will not load in <10.9.

I experienced the same issue loading unsigned tuntaposx for the vpnc cisco client.

You can override this behavior and allow the cpfw.kext to load in Yosemite by putting your computer into kext developer mode. This essentially reverts to the 10.9 behavior by allowing unsigned kexts to load.

sudo nvram boot-args="kext-dev-mode=1" 

Now reboot and your kext should load.

You can revert by doing this:

sudo nvram -d boot-args
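
Added example, not part of the original answer: `nvram boot-args="..."` overwrites the whole variable and `nvram -d boot-args` deletes it, so any other boot arguments are lost, and `kext-dev-mode=1` turns off signature enforcement for every kext until it is removed. The script below edits only the `kext-dev-mode` token; the function names are hypothetical and the sample value is constructed.

```shell
#!/bin/sh
# Added example: change one token of the boot-args NVRAM variable and keep
# the rest. Assumes boot-args is a space-separated list with no quoting.

# Print boot-args string $1 with every kext-dev-mode=... token removed.
strip_kext_dev_mode() {
    out=""
    for tok in $1; do
        case "$tok" in
            kext-dev-mode=*) ;;                  # drop the signing override
            *) out="${out:+$out }$tok" ;;        # keep everything else
        esac
    done
    printf '%s' "$out"
}

# Print boot-args string $1 with exactly one kext-dev-mode=1 token appended.
set_kext_dev_mode() {
    rest=$(strip_kext_dev_mode "$1")
    printf '%s' "${rest:+$rest }kext-dev-mode=1"
}

# Current value on a Mac; empty when the variable is unset.
# `nvram boot-args` prints "boot-args<TAB>value".
current_boot_args() {
    nvram boot-args 2>/dev/null | cut -f2-
}

# Demonstration on a constructed value (not read from a real machine).
sample="-v kext-dev-mode=1 debug=0x144"
echo "before:   $sample"
echo "disabled: $(strip_kext_dev_mode "$sample")"
echo "enabled:  $(set_kext_dev_mode "-v debug=0x144")"

# On the Mac itself (assumed usage):
#   enable:  sudo nvram boot-args="$(set_kext_dev_mode "$(current_boot_args)")"
#   disable: new=$(strip_kext_dev_mode "$(current_boot_args)")
#            if [ -n "$new" ]; then sudo nvram boot-args="$new"
#            else sudo nvram -d boot-args; fi
```

Running the disable path once a signed client is installed restores signature enforcement without discarding unrelated boot arguments.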

Solution 2:

According to the debug logs this is related to a problem with loading /System/Library/Extensions/cpfw.kext

[ 66 2571][19 Oct 10:46:31][TR_FIREWALL] CFirewallWrapper::EnforcePolicy: firewall not initialized, calling init
[ 66 2571][19 Oct 10:46:31][TR_FIREWALL] CFirewallWrapper::Init: entering...
[ 66 2571][19 Oct 10:46:31][TR_FIREWALL] CFirewallWrapper::Init: MACOS init firewall, g_kextPath=/System/Library/Extensions/cpfw.kext
[ 66 2571][19 Oct 10:46:32][TR_FIREWALL] CFirewallWrapper::Init: CpfwLoadKext returned cpfwlib_kextload_failed
[ 66 2571][19 Oct 10:46:32][TR_FIREWALL] CFirewallWrapper::Init: CpfwLoadKext Failed with error cpfwlib_kextload_failed
[ 66 2571][19 Oct 10:46:32][TR_FIREWALL] CFirewallWrapper::Init: CpfwDiagnoseLoadKext return:
 Can't stat 4/System/Library/Extensions/cpfw.kext - No such file or directory.

Deleting the site and re-creating it does not fix this problem.

Uninstalling and re-installing the Check Point Endpoint Security client (version E75.01) worked for me too, and I am using a static IP (not DHCP) on my Mac mini.

Note about uninstalling the Endpoint Security client E75.x and newer: Open the original DMG package you used to install the client and launch the Uninstaller shown. If you get an error message about your security settings not allowing non-appstore apps or untrusted applications from launching, hold down the Control key and then click on the Uninstaller. Selecting Open at this point will allow the Uninstaller to run.

I did confirm the uninstall removed and the reinstall did create a new /System/Library/Extensions/cpfw.kext file. I did not have to reboot, but note I did shut down the client before running the uninstaller.

However this may be a temporary fix as there is a Checkpoint Forum entry about another person who has also encountered this problem and has fixed it by uninstalling and installing but on a reboot the problem came back for them. That person tried versions E80.41 and E80.42. See https://forums.checkpoint.com/forums/thread.jspa?threadID=21491&tstart=0

Another Check Point Mac VPN Yosemite thread is reporting similar issues, where some claim their client still works after a reboot but others, including the author of the above thread, continue to see the problem return after a reboot: https://forums.checkpoint.com/forums/thread.jspa?threadID=21181&tstart=0

Solution 3:

Version 80.60 has been released by Checkpoint. It works for me so far.

Download from: Endpoint Security VPN for Mac E80.60

Brian's answer regarding kext developer mode also worked.