This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
bmartins-EUDA
Contributor
‎2022-02-14 04:31 AM
Jump to solution

R80.40 - Mac OS unable to connect to Remote Access VPN - Failed to sign

Dear all,

We have rolled out machine certificate authentication in our company and it's working pretty well on Windows machines (both domain-joined and workgroup).

Starting to use this setup on our Mac devices does not work with the error message below (from trac.log):

 

 

11888 0x1118f1600][14 Feb 12:03:34][RaisCertManager] RaisCertManager::KeychainHelper::getSystemIdentityByName: Found suitable candidate
[ 11888 0x1118f1600][14 Feb 12:03:34][RaisCertManager] KeychainHelper::cmdSignWithName: Failed to sign. Error code: '-25308'
[ 11888 0x1118f1600][14 Feb 12:03:34][RaisCertManager] RaisCertManager::KeychainHelper::Sign: length too short
[ 11888 0x1118f1600][14 Feb 12:03:34][RaisCertManager] RaisCertManager::KeychainHelper::Sign: Return value : -1005
[ 11888 0x1118f1600][14 Feb 12:03:34][Rais_CAPICERT] Rais_CAPICERT::capi_cert_sign: Failed to sign buffer
[ 11888 0x1118f1600][14 Feb 12:03:34][Rais_CAPICERT] capi_cert_sign: __end__ 12:03:34 Total time - 0 seconds
[ 11888 0x1118f1600][14 Feb 12:03:34][Rais_CAPICERT] CAPICert::Sign: __end__ 12:03:34 Total time - 0 seconds
[ 11888 0x1118f1600][14 Feb 12:03:34][Rais_CAPICERT] CAPICert::Machine_Sign: __end__ 12:03:34 Total time - 0 seconds
[ 11888 0x1118f1600][14 Feb 12:03:34][IKE] create_MM5(hybrid authentication): Failed to sign hash with the machine's certificate (-996)
[ 11888 0x1118f1600][14 Feb 12:03:34][rais] [DEBUG] [RaisMessages::CreateMessageSet(s)] message: (msg_obj
:format (1.0)
:id (ClipsMessagesInternalError)
:def_msg ("Internal error; connection failed. More details may be available in the logs")
:arguments ()
)​

 

Mac device hostname is matched with the certificate we have imported in the System keychain but it is failing to sign it?

Endpoint Security client version is E86.20, latest build.

 

Do you have any hints on this?

 

Cheers!

Bruno

 

0 Kudos
1 Solution

Accepted Solutions
Valentin1
Employee Alumnus
Employee Alumnus
‎2022-02-18 02:50 AM
In response to bmartins-EUDA
Jump to solution

You could try  to use:

sudo security import PATH_TO_CERT -P CERT_PASSWORD -k /Library/Keychains/System.keychain -T /Library/Application\ Support/Checkpoint/Endpoint\ Security /Endpoint \ Connect/TracSrvWrapper

This command imports certificate and adds service to the Allowed Apps List

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2022-02-16 03:06 PM
Jump to solution

Recommend opening a TAC case.
In order to investigate, you'll probably need something like the following:

On the Client - Mac machine:

  • Right click on the Endpoint connect Icon
  • Click "VPN Options"
  • Click on the "Advanced" Tab > tick the box "Enable Logging" and change to "Extended"
  • Click close.

On the GW side:

  • Open SSH connection to the Security Gateway and log in as Expert;
  • Initiate VPN debug on the Security Gateway:
    [Expert@HostName]# vpn debug trunc
    [Expert@HostName]# vpn debug on TDERROR_ALL_ALL=5

    >>>>

On the Client side:

  • Right Click again on the Endpoint connect Icon.
  • Click "VPN Options"
  • Click on the "Advanced" Tab > click on the button "Collect Logs"
  • Change from "Extended" to "Basic"
  • A cab file will be created with the entire debug files inside.
  • Provide the client log file called trlog_xx-xx-2021_time.cab

On the GW side:

  • Open SSH connection to the Security Gateway and log in as Expert;
  • Stop VPN debug on the FW:
    [Expert@HostName]# vpn debug off
    [Expert@HostName]# vpn debug ikeoff

The following files from the Security Gateway should be reviewed:

  • $FWDIR/log/ike.elg
  • $FWDIR/log/vpnd.elg

0 Kudos
(1)
Valentin1
Employee Alumnus
Employee Alumnus
‎2022-02-18 01:05 AM
Jump to solution

Could you please check if Certificate private key is  allowed to access ?

 
 
 

macm.jpg

 

Preview file
137 KB
bmartins-EUDA
Contributor
‎2022-02-18 01:37 AM
In response to Valentin1
Jump to solution

Hi,

That was one of my suspicions because Check Point Endpoint Security client is not listed and whenever I change any option on that window and click save, it reverts back to its default value.

I am not a Mac user and not sure what is going on there.

Thank you!

0 Kudos
Valentin1
Employee Alumnus
Employee Alumnus
‎2022-02-18 02:50 AM
In response to bmartins-EUDA
Jump to solution

You could try  to use:

sudo security import PATH_TO_CERT -P CERT_PASSWORD -k /Library/Keychains/System.keychain -T /Library/Application\ Support/Checkpoint/Endpoint\ Security /Endpoint \ Connect/TracSrvWrapper

This command imports certificate and adds service to the Allowed Apps List

bmartins-EUDA
Contributor
‎2022-02-18 07:13 AM
In response to Valentin1
Jump to solution

Thanks!

It also works if we do it this way:

  1. Unlock system keychain
  2. Import PFX to login keychain
  3. Change access control for the private key in the login keychain
  4. Copy certificate and private key from login to system keychain
0 Kudos
LazarusG
Advisor
Advisor
‎2023-03-07 04:33 AM
In response to Valentin1
Jump to solution

Hi Valentin1, Id be really interested in touching base with you on this one. I have two seperate environments where Windows Machine auth works but MAC does not. The full certificate chain from the AD joined CA server is present in the system keychain of the MAC and we are using latest version of endpoint. TAC actually asked us to contact SE as they couldnt work out what the problem is...We have tried the solution from you and bmartins but without success.Any advice or information you can provide (that might not be in the documentation) would be very much appreciated.

0 Kudos
LazarusG
Advisor
Advisor
‎2023-06-15 02:02 AM
In response to Valentin1
Jump to solution

also, sk181067 was published very recently

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events