
There are a number of possible causes for such a behavior. This FAQ will help you to find out what is causing the problem in your specific situation. In this FAQ we will be using destination device as a generic term for the device you are trying to connect to. The destination device can be anything from a normal computer, to a server, to a network printer.


1. Are you trying to connect to the destination device using a host name?

If you are using a host name, please try once using its IP address instead. If that works, the problem has to do with DNS resolution. Please make sure DNS is enabled for the VPN connection and correctly configured. Note that using Bonjour or NETBIOS hostnames is generally not possible over VPN.


2. Is the IP address you are connecting to really part of the remote network?

For example, if your remote network is 192.168.13.0/24, you should be able to connect to IPs starting with 192.168.13.x, but connections to IPs starting with 192.168.14.x will not work as they are outside the address range of traffic tunneled through the VPN.


3. Is the local address in VPN Tracker part of the remote network?

Using a local address in VPN Tracker (Basic > Local Address) that is part of the remote network is not possible with most VPN gateways. Please use a local address that is outside all remote networks. For example, if your remote network is 192.168.13.0/24, do not use an address starting with 192.168.13. If you are using an automatic configuration method (e.g. Mode Config, EasyVPN, DHCP over VPN) you may be able to assign a local address to VPN Tracker that is part of the remote network. Refer to the configuration guide for your VPN gateway for more information.


4. Could multiple VPN users use the same local address?

If multiple VPN users exist, please make sure no two users are using the same local address (Basic > Local Address); otherwise one of them will not be able to use the tunnel whenever both of them are connected. If that field is empty in your configuration, VPN Tracker will use the IP address of your primary network interface as the local address, which can also cause an address conflict with another user. That is why we do not recommend leaving that field empty if there are multiple VPN users.


5. Can you ping the LAN address of the VPN gateway?

You can find a ping tool directly in VPN Tracker under Tools > Ping Host. The LAN address of the VPN gateway is special in the regard that this address doesn’t need to be routed at all. So if you can ping that address but no other remote address, it is most likely a routing issue at the remote end.


6. If you can't ping anything, try re-running the VPN Availability Test

The VPN Availability Test can be found in the menu: Tools > VPN Availability Test. Then try connecting the VPN again. The results of this test depend on the capabilities of your local Internet router/modem or the Internet connection itself and they influence how the VPN tunnel is established. VPN Tracker automatically runs the test for every new Internet connection it is able to detect but even if a connection has been tested before, there are various reasons why the behavior of that connection may have changed in the meantime.


7. Is your VPN gateway the default gateway (router) of its network?

If the VPN gateway is not the default gateway, you will in many cases need a suitable routing setup in order for responses to reach you. Whenever a device doesn’t know how to reach an IP address directly, it forwards its reply to its default gateway, and if that isn’t the VPN gateway, the default gateway won’t know what to do with that reply data. In that case it's important to configure the default gateway to forward replies for VPN users to the VPN gateway.


8. Is your VPN gateway the default gateway (router) of its network?

For more details, we would like to direct you to the following FAQ entry.

The Pre-Shared Key (sometimes called shared secret) is basically a form of password for your VPN gateway which is set up on your device.

Configuring the Pre-Shared Key for a new VPN connection


VPN Tracker provides setup guides for all major gateway manufacturers. In these setup guides, you will also find information on how to set up a secure Pre-Shared Key for your specific device.

You can access all guides on this page.

I have lost my Pre-Shared Key - how can I get it back?


Here are a few tips for you to try and restore your Pre-Shared Key:
  1. Check if you have stored the affected connection in your Personal Safe. If so, you may be able to download the connection again.
  2. Check the Keychain (Applications > Utilities > Keychain Access). The Pre-Shared Key is usually saved here. Enter "Shared Secret" into the search bar to view a list of all your saved PSKs.
  3. Are you using Time Machine Backup? You could try restoring an older connection with the Pre-Shared-Key.
  4. Check your firewall or ask the relevant VPN Administrator. Refer to your device handbook to find out where to obtain this information on your specific firewall.

After upgrading to macOS 15 Sequoia, you might notice that your Mac constantly changes its MAC address, affecting your ability to connect to your VPN. This behavior is due to macOS 15’s new privacy features, which can assign randomized MAC addresses for network connections. However, you can configure your network settings to always use a fixed MAC address, which can resolve issues with VPN connectivity, such as DHCP reservations failing due to MAC address changes.

How to Set a Fixed MAC Address in macOS 15 (Sequoia):

  1. Open System Settings:
    • Click the Apple logo in the top-left corner of your screen.
    • Select System Settings from the dropdown menu.
  2. Go to Wi-Fi Settings:
    • In the left sidebar, click Wi-Fi.
    • Select the Wi-Fi network you usually connect to for VPN access and click on "Details...".
  3. Configure the MAC Address:
    • Look for the option labeled Private Wi-Fi Address.
    • Change this option to "Fixed" to use a fixed MAC address instead of a randomized one.
    • In some cases, the Fixed Setting may still cause issues. If this is the case, change the setting to "Off".
    • Your network will now always connect using the same MAC address, helping maintain your VPN connection stability.
  4. Re-establish VPN Tracker Connection:
    • Once you've set a fixed MAC address, ensure that your VPN’s DHCP reservation or configuration aligns with this MAC address.

This process will restore the VPN Tracker’s ability to connect reliably using a consistent MAC address, resolving issues caused by macOS 15 Sequoia’s default MAC address randomization feature.

  • If you haven't already, you can download VPN Tracker using this link.
  • After the download has completed, launch the app and click the "Login" button in the top left-hand corner of the app home page.
  • Enter your equinux ID and password in the space provided. Hint: This is the login you first created when purchasing VPN Tracker in our online store.

Are you a World Connect User?

You will need to download VPN Tracker World Connect. You can do so using this link. VPN Tracker World Connect must be installed using the App Store. Once you've installed the app on your device, sign in with your equinux ID and password.

There are two types of IP addresses:
  • Private IP Addresses, and
  • Public IP Addresses

Private IP addresses can be used by any person or organisation for their private network.

The two most commonly used private network ranges (range of IP Addresses) are:
  • 192.168.0.x, and
  • 192.168.1.x

When, for example, your home network and your company network both use the same private IP range, there will be problems because you will see multiple devices with the same IP address and your computer will get confused.

Your Company Network:
When setting up a company network, most companies try to avoid the above listed IP ranges, which is also recommended by us, in order to not cause conflicts with people connecting over VPN. However, there are still some companies that use one of these popular network ranges.

Your Home Network:
A lot of popular home routers like Netgear, Asus, Google, D-Link, TP-Link, Linksys, Trendnet, AVM all use an IP Range of 192.168.0.x.

If your company network uses the same IP range as your home network, you are going to run into problems.

Here are two possible solutions:
  1. Change your local network to a different range (Preferred)


    Possible Ranges are:
    • 10.250.250.x
    • 172.30.30.x
    • 192.168.250.x

    Advantage: Once you have made this change on your home network, you will never have conflicts in this network.
    Disadvantage: You will need to change the settings on your private network router once, this requires access and can take some time.
    What to do:
    • Login to your home router
    • Find the setup section with “DHCP” settings.
    • Change your router to a different IP address (an address from one of the ranges listed above, for example 172.30.30.1)
    • Change the DHCP Server Settings to the same range as your router (if your router IP is 172.30.30.1, your range could be 172.30.30.10 to 172.30.30.253)

    After you have made these changes, there will be no more conflicts between your home and company network.
  2. Force Traffic over VPN


    There may be situations where it's not possible to use the first option (for example if you're in a coffee shop or hotel). In this case you have the option to force the traffic over your VPN network, which means your VPN network (company network) will always win.
    Advantage: This setting is global, meaning no matter what network you are in you will always be able to connect.
    Disadvantage: Once you are connected to your company’s VPN, you cannot access local services, like your home router, local storage or printers.
    What to do:
    • Configure your VPN Tracker connection
    • Select the "Advanced" Tab at the top
    • In the "Traffic control" section, activate the Checkbox "Force traffic over the VPN if remote networks conflict with local networks"



There are multiple passwords that VPN Tracker may require: Your admin password for installation, passwords needed for connecting to your VPN or accessing your Keychain, etc.

This guide shows all password prompts you may encounter in VPN Tracker, explains why they are needed and lets you know which password should be entered.

Administrator password prompts

VPN Tracker will occasionally require you to enter an administrator password - for example during the macOS installation process in order to approve the System Extension needed to allow VPN Tracker to work effectively.

Account + licensing

To log in to VPN Tracker on Mac or iOS, or to log in to your account on my.vpntracker.com, you will need to enter your equinux ID and password. This password gives you access to your VPN Tracker account where your plan, team data, connections and device information is stored.


Pre-Shared Key

Many VPN connections are secured using a Pre-Shared Key (PSK) or Shared Secret which is set on the VPN gateway during the configuration process. You need to enter the PSK in VPN Tracker in order to connect to your VPN.


If you are not the administrator of your VPN gateway, contact the admin for assistance. Tip: Admins can share pre-configured VPN connections using TeamCloud to avoid PSK confusion at end-user level.

Extended Authentication (XAUTH)

Most VPNs have a list of permitted VPN users - e.g. members of staff. Each VPN user has their own unique username and password which they need to enter in order to connect to the VPN. These are often the same credentials you use to sign in at the office. If you're not sure, get in touch with your admin who can advise you further.

To access volumes and files hosted on a file server, one of several available distributed file system protocols must be used. As of 2018, the most common protocols are SMB/CIFS (default for Windows and macOS 10.9 or newer), AFP (default for macOS prior to 10.9), NFS (default for Linux and most UNIX operating systems), and WebDAV (based on HTTP, vendor neutral). All these protocols, except for WebDAV, were originally designed to access files hosted on a file server located in the same network as the client accessing it. This can often lead to issues when using these protocols over a VPN connection.

A VPN connection typically runs over the Internet, and the Internet has quite different network characteristics than a company or home network. Local networks typically offer a high amount of symmetric (upload equals download) bandwidth, very low and stable latency, very little packet loss, almost no data corruption and a rather high and always constant maximum transmission unit size (MTU). In contrast, Internet connections offer a lot less bandwidth, usually asymmetric (much more download than upload), and the Internet has a rather high, very fluctuating latency and typically at least some packet loss. Data corruption can happen as well, and the maximum transmission unit size can be much lower and is subject to change at any time, even during an active transmission. Some of the protocols above can cope better with these conditions than others.

Issues to expect: Slow to very slow directory browsing (because of the large latency), copying a file from remote is slow (limited by the upload of the other side), copying a file to remote is slow (limited by the upload of the local side), opening a file directly is even slower (caused by limited upload bandwidth, but large latency and small packet sizes can also play a role), and file access failures are possible (caused by packet loss and/or data corruption). Please note that none of these is the fault of the VPN itself; even when running these protocols over the same Internet line without any VPN, the results would only be marginally better or not better at all.

Unfortunately, there is little that can be done about these problems. There is nothing users can do to improve latency. Improving upload bandwidth will always help if such an option exists, because when bandwidth is the problem, it is almost always upload and not download bandwidth. Switching the protocol may help, as SMB/CIFS in particular doesn't work very well over Internet lines with higher latency, and if it has to fall back to an older protocol version (one older than SMB 3.0), it will be a catastrophe (up to not working at all anymore). A problem is that SMB and WebDAV are the only protocols that Windows supports natively, whereas macOS supports all the protocols named above natively, so third-party products are required to add alternative protocols to Windows. In a pinch one can try WebDAV, but WebDAV has rather poor performance even when used in local networks. Dedicated NAS devices usually support NFS when enabled, which could yield better performance than SMB.

Such a setup is called “Host to Everywhere” in VPN Tracker. All non-local traffic will be sent through the VPN. For this setup to work, it must be properly configured in VPN Tracker and on the VPN gateway:

  1. The Network Topology must be set to “Host to Everywhere” in VPN Tracker
  2. The VPN gateway must accept an incoming VPN connection with a 0.0.0.0/0 (= everywhere) endpoint

Once these are configured, it should already be possible to establish the VPN connection. However, it is very likely that Internet access will not yet work. For Internet access to work, several more things need to be configured on the VPN gateway:

  1. The VPN gateway must route VPN traffic not destined for its local networks out on the Internet
  2. This traffic must be subject to Network Address Translation (NAT) in order for replies to reach the VPN gateway
  3. In many cases, a suitable remote DNS setup is necessary for DNS resolution to continue to work

Note that not all VPN gateways can be configured for Host to Everywhere connections. Most devices designed for small office or home networks (e.g. devices by NETGEAR or Linksys) are not capable of dealing with Host to Everywhere connections.

VPN Tracker automatically stores a backup of all your VPN connections on your Mac. If you have inadvertently deleted a connection, or wish to revert to an earlier copy of a connection, you can manually restore the backup copy.

1. Turn off Personal Safe syncing

You need to deactivate Personal Safe for the connections you're trying to restore from your backup, to prevent unwanted changes being synced:

  • Open VPN Tracker 365
  • From the menu bar, choose: VPN Tracker 365 > Preferences > Personal Safe
  • Uncheck the connections you want to restore from your backup
  • Quit VPN Tracker 365

2. Restore from your Backup

  • Open Finder and choose "Go" > "Go to Folder…" from the menu bar
  • Enter this path and press Return:
    /Library/Application Support/VPN Tracker 365
  • Rename your "etc" folder to "etc-backup" – for safekeeping
  • Go into the "backup" folder

Here you'll see a number of backup folders, all organized and named by date.

  • Move the "etc-date" folder you want to restore up one level into the main "VPN Tracker 365" folder
  • Rename the folder you just moved to just "etc" (deleting the date)
  • Open VPN Tracker 365

All of your connections will now be restored to their backed-up state.

3. Re-activate Personal Safe

  • Choose: VPN Tracker 365 > Preferences > Personal Safe from the menu bar
  • Check your connections, to add them to Personal Safe


Opening files over VPN on your Mac is easy with VPN Tracker:
  1. Start your VPN connection in VPN Tracker
  2. Go to the Finder > Go To > Connect to Server
  3. In the Server Address field, enter the name or IP address of the server you want to connect to
  4. Click on the Connect button.

Create a VPN Shortcut:


VPN Tracker offers convenient shortcut options for frequently used connections. You only have to set up the shortcut once. Afterwards you will be able to connect to your VPN and open your files with just one button click.

IPsec VPN uses a different protocol (ESP) for the actual data transfer than for establishing the connection (IKE). Since the ESP protocol does not use network ports, NAT (Network Address Translation) routers may have difficulties handling it correctly. Only NAT routers that support "IPSec Passthrough" (sometimes also named "VPN Passthrough" or "ESP Passthrough"), and where this option is also enabled, can handle ESP data packets.

To work around this problem, two alternative tunneling methods exist:

  • NAT-Traversal (old, RFC draft version)
  • NAT-Traversal (new, RFC standard version)

Which of these methods will work with your connection depends on two properties:

  1. Which of these methods allows traffic to pass through your local Internet router.
  2. Which of these methods are supported by your VPN remote gateway.

To test for the first property, VPN Tracker will automatically establish three VPN test connections to a VPN gateway hosted by us whenever it detects a new router that has not been tested before. One connection uses plain ESP; the other two each use one of the NAT-T methods mentioned above. It will remember the test results for this router and take them into account whenever you start a connection from that network location. The reason we are testing with our own gateway is simply that the test requires a gateway supporting all three methods, with a known configuration and a simple way to verify whether traffic arrived at that gateway.

The second property is not tested in advance; VPN Tracker becomes aware of that information when it actually tries to connect to your VPN gateway. VPN Tracker will compare the methods your gateway supports with the stored test results. If there is a match, that is, a method that your gateway supports and that was also working during the test, this method will be used. If there is no match, VPN Tracker will immediately stop and show an appropriate error in the log, explaining the situation.

If you suspect a NAT-Traversal issue or you think the previous test results may be wrong or outdated, simply re-run the test:

‣ Make sure NAT-Traversal (Advanced tab) is set to Automatic
‣ Go to "Tools" > "Test VPN Availability"
‣ Click "Test Again"
‣ Wait until the test has completed, then connect to your VPN

The test dialog also allows you to tell VPN Tracker not to test the current location and to forget any previously created test results. This is rarely needed and also not recommended, but there might be situations where the test results are wrong because access to our VPN gateway is not possible (e.g. it is blocked), so the test results are bogus and say nothing about the true capabilities of your VPN gateway.

Setting up VPN on your Mac

VPN Tracker is the leading VPN client for macOS and works seamlessly on all the latest macOS operating systems.
You can download and test VPN Tracker here free.

Launching VPN Tracker for Mac

The first time you launch VPN Tracker on your Mac, you may need to grant it permission to create VPN connections for you.

First please make sure VPN Tracker is in your Applications folder and complete these steps locally on the Mac (e.g. not over Screen Sharing, Remote Desktop or other remote access tool).

IMPORTANT: macOS notices when you run remote desktop systems like TeamViewer, Apple Remote Desktop, VNC or similar, and hides these buttons. You MUST be local to the Mac.

Then do this:
‣ Open System Preferences
‣ Go to Security
‣ Click "Allow"
Now you'll be able to set up VPN Tracker.

Troubleshooting VPN Setup on macOS

If the "Allow" button can not be clicked, please make sure you are not using a 3rd party mouse or tablet input device, as these can look like remote desktop software to your Mac. If you are using e.g. a Wacom input tablet or mouse utility tool, try disabling those, reboot your Mac and then try clicking the button again.

In case the button doesn't even appear in the dialog, please note that if your Mac has an MDM profile installed, the MDM profile can forbid users to approve their own System Extensions. In that case the profile itself has to approve our extension. Please see the technical notes below.

Technical note for Enterprise Rollouts:
VPN Tracker for Mac uses a System Extension to create a secure VPN tunnel and manage network traffic. macOS High Sierra and newer macOS versions now require users to manually approve all System Extensions. For Enterprise rollouts via MDM, you can also pre-approve the VPN Tracker Kernel Extension using a special profile. Our Team IDs are CPXNXN488S and MJMRT6WJ8S.
Please see Apple's Support Document for more details.

Not using an MDM managed Mac?
If your Mac is not MDM managed, please try rebooting, as macOS occasionally can get tripped up with System Extensions. After the reboot, VPN Tracker should work fine.
Unable to save your AnyConnect VPN password in the Cisco VPN client?

Here's the fix:


That's it! VPN Tracker will store your login details securely via end-to-end encryption so you can get connected faster – for the best VPN experience on Mac and iOS.
If you are trying to establish a VPN connection in VPN Tracker and you are getting a "Hash Mismatch" error, here is what you need to know:

Hash Mismatch usually means that the Pre-Shared Key (PSK) being used is wrong. When you get the "Hash Mismatch" error, it may look as if the hash algorithm is being rejected. However, the error is not caused by choosing an incorrect hashing algorithm for Phase 1. If the hashing algorithm chosen were actually wrong, you would receive a "No Proposal Chosen" error rather than a "Hash Mismatch" error, which would indicate that the client and gateway could not agree on common crypto settings. Hash Mismatch, on the other hand, means that the hash your gateway calculated doesn't match the hash that VPN Tracker calculated. This hash is calculated from values exchanged between the client and the gateway, together with the Pre-Shared Key. All other values have just been exchanged and have been verified by both sides to be correct, so these cannot cause a different hash unless either side has a terrible bug. The only value that isn't exchanged and cannot be checked in advance is the Pre-Shared Key (PSK).
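The distinction above can be reproduced offline. This is an added example, not VPN Tracker code: it assumes IKEv1 Phase 1 with pre-shared-key authentication as defined in RFC 2409 (SKEYID = prf(PSK, Ni | Nr), HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi | IDii), with HMAC as the prf). The function names, keys and exchange values are all constructed for illustration.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1Exchange:
    """Values both peers have seen on the wire before HASH_I is verified."""
    ni: bytes      # initiator nonce
    nr: bytes      # responder nonce
    g_xi: bytes    # initiator Diffie-Hellman public value
    g_xr: bytes    # responder Diffie-Hellman public value
    cky_i: bytes   # initiator cookie
    cky_r: bytes   # responder cookie
    sa_i: bytes    # initiator SA payload body
    id_ii: bytes   # initiator identity payload body


def prf(key: bytes, data: bytes, hash_name: str) -> bytes:
    """RFC 2409 default prf: HMAC with the negotiated hash."""
    return hmac.new(key, data, hash_name).digest()


def hash_i(psk: bytes, x: Phase1Exchange, hash_name: str) -> bytes:
    """HASH_I for pre-shared-key authentication (RFC 2409, section 5)."""
    skeyid = prf(psk, x.ni + x.nr, hash_name)
    return prf(skeyid,
               x.g_xi + x.g_xr + x.cky_i + x.cky_r + x.sa_i + x.id_ii,
               hash_name)


def phase1_result(client_psk: bytes, gateway_psk: bytes,
                  client_hash: str, gateway_hashes: set,
                  x: Phase1Exchange) -> str:
    """Model which error a gateway would report for a given misconfiguration."""
    # A wrong hash algorithm fails during proposal negotiation,
    # long before any authentication hash is computed.
    if client_hash not in gateway_hashes:
        return "No Proposal Chosen"
    # Both sides feed identical wire values into the prf; only the PSK
    # is a private input, so it is the only thing that can differ.
    sent = hash_i(client_psk, x, client_hash)
    expected = hash_i(gateway_psk, x, client_hash)
    return "OK" if hmac.compare_digest(sent, expected) else "Hash Mismatch"


# Constructed sample exchange (not captured from a real connection).
SAMPLE = Phase1Exchange(
    ni=bytes(range(16)), nr=bytes(range(16, 32)),
    g_xi=b"\x11" * 128, g_xr=b"\x22" * 128,
    cky_i=b"\xaa" * 8, cky_r=b"\xbb" * 8,
    sa_i=b"constructed-sa-payload", id_ii=b"constructed-id-payload",
)

if __name__ == "__main__":
    accepted = {"sha1", "sha256"}
    cases = [
        ("matching PSK", b"example-psk", b"example-psk", "sha1"),
        # A trailing space pasted into one side is enough to break the hash.
        ("PSK with trailing space", b"example-psk ", b"example-psk", "sha1"),
        ("unsupported hash", b"example-psk", b"example-psk", "sha512"),
    ]
    for label, client, gateway, algo in cases:
        print(f"{label}: {phase1_result(client, gateway, algo, accepted, SAMPLE)}")
```
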
Setting up a VPN connection to your Sophos XG Firewall is easy with VPN Tracker. The Sophos XG has its own unique device profile in the app with many of the required settings already in place; making configuration super straightforward. Use the Sophos XG configuration guide as a step-by-step walkthrough on how to set up a VPN on your device.

In some circumstances, VPN Tracker may not be able to store your account login credentials in your Keychain.

To fix this issue, please try the following:

  • Quit VPN Tracker
  • Open Keychain Access from Applications > Utilities
  • Select your login keychain
  • Choose File > Lock Keychain “login”
  • Then choose File > Unlock Keychain “login”

On newer macOS releases, you may not see the option to lock/unlock your Keychain. In that case, please enter the following command via the Terminal:

security lock-keychain ~/Library/Keychains/login.keychain
Once it has been locked, you can then unlock your Keychain again:
security unlock-keychain ~/Library/Keychains/login.keychain
(You will need to enter your macOS login password to confirm).

Now re-open VPN Tracker and try signing in again.

If the problem still pops up, try this:

  • Quit VPN Tracker
  • Go back to Keychain Access
  • In the search box enter “VPN Tracker User Auth”
  • Delete the VPN Tracker User Auth Token entry

Now re-open VPN Tracker and try signing in again.

Last resort: Reset your keychain

If none of the tips above work, macOS has an option to reset your Keychain. Note that this should only be tried as a last resort, as it completely resets your login Keychain:

  • Open Keychain Access
  • Go to Keychain > Preferences
  • Choose "Reset Default Keychains…"
Afterwards, open VPN Tracker 365 and try signing in again.

If there are any further issues, please contact our support team and include the application logs from this location:
/Library/Application Support/VPN Tracker 365/var/log.

By default, traffic to the remote network cannot be sent through the VPN tunnel if it is using the same network as the local network.

Resolving a Network Conflict using Traffic Control

You can use Traffic Control and VPN Tracker will send non-essential local network traffic over the VPN.

Activate Traffic Control:
> Go to Advanced > Traffic Control
> Check "Force traffic over the VPN if remote networks conflict with local networks"

Note that you will never be able to reach the following addresses over VPN: The IP address of your local router, your DHCP server, and your DNS server(s). If you need to reach those IPs over VPN, you will have to resolve the network conflict instead of using Traffic Control. The same applies for any IPs that you need to reach locally and over VPN.

Resolving a Network Conflict Manually

You have two basic options for resolving a conflict:

  1. Change the local network to use a different network address. In most situations, this will entail changing the LAN settings on the local router (including DHCP settings if DHCP is used).
  2. Change the remote network to use a different network address. With most setups, this entails changing the LAN on the VPN gateway (including DHCP settings if DHCP is used), and changing the IPs used by devices on the VPN gateway's LAN (or triggering a DHCP refresh, if DHCP is used). If the LAN is used in the VPN settings (such as for policies or firewall rules), these will need to be changed as well. Finally, change the remote network in VPN Tracker to match the new settings.

If you decide to change the remote network, it makes sense to choose a private network that is less commonly used. According to our informal statistics, conflicts are least likely using these networks:

  • Subnets of 172.16.0.0/12
  • Subnets of 192.168.0.0/16, excluding 192.168.0.0/24, 192.168.1.0/24 and 192.168.168.0/24

If these are not an option, use a subnet of 10.0.0.0/8, excluding 10.0.0.0/24, 10.0.1.0/24, 10.1.0.0/24, 10.1.1.0/24. However, since wireless network operators sometimes choose to use the entire 10.0.0.0/8 network, the first two options are preferred.
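The address checks from this entry, from the private IP range entry, and from questions 2 and 3 of the connectivity checklist can be scripted. This is an added example, not VPN Tracker code: the function names are hypothetical, `route_for` only models the behaviour described on this page, and rating any network that contains one of the excluded ranges as "avoid" is an interpretation of the recommendation above.

```python
import ipaddress

# Ranges this page names as commonly used, hence conflict-prone.
CROWDED = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.168.0/24",
    "10.0.0.0/24", "10.0.1.0/24", "10.1.0.0/24", "10.1.1.0/24")]
PREFERRED = [ipaddress.ip_network("172.16.0.0/12"),
             ipaddress.ip_network("192.168.0.0/16")]
FALLBACK = ipaddress.ip_network("10.0.0.0/8")


def _nets(cidrs):
    # strict=False also accepts an interface address such as 192.168.0.23/24.
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def find_conflicts(local_nets, remote_nets):
    """Return (local, remote) pairs whose address ranges overlap."""
    return [(str(loc), str(rem))
            for loc in _nets(local_nets)
            for rem in _nets(remote_nets) if loc.overlaps(rem)]


def local_address_ok(local_address, remote_nets):
    """Question 3: the Local Address must lie outside all remote networks."""
    ip = ipaddress.ip_address(local_address)
    return not any(ip in rem for rem in _nets(remote_nets))


def route_for(dest, local_nets, remote_nets, force=False, pinned_local=()):
    """Where traffic to dest goes: 'vpn', 'local' or 'not tunneled'.

    force models the "Force traffic over the VPN..." checkbox; pinned_local
    holds the router, DHCP server and DNS servers, which always stay local.
    """
    ip = ipaddress.ip_address(dest)
    in_remote = any(ip in rem for rem in _nets(remote_nets))
    in_local = any(ip in loc for loc in _nets(local_nets))
    if not in_remote:          # question 2: outside the tunneled range
        return "local" if in_local else "not tunneled"
    if not in_local:           # no conflict for this address
        return "vpn"
    pinned = {ipaddress.ip_address(a) for a in pinned_local}
    return "vpn" if force and ip not in pinned else "local"


def rate_remote_network(cidr):
    """Rate a candidate remote network against the recommendation above."""
    net = ipaddress.ip_network(cidr)
    if any(net.overlaps(c) for c in CROWDED):
        return "avoid"
    if any(net.subnet_of(p) for p in PREFERRED):
        return "preferred"
    if net.subnet_of(FALLBACK):
        return "fallback"
    return "unlisted"


if __name__ == "__main__":
    # Constructed scenario: home and office both use 192.168.0.0/24.
    home, office = ["192.168.0.23/24"], ["192.168.0.0/24"]
    print(find_conflicts(home, office))
    print(route_for("192.168.0.50", home, office))
    print(route_for("192.168.0.50", home, office, force=True,
                    pinned_local=["192.168.0.1"]))
    print(rate_remote_network("172.30.30.0/24"))
```
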

If you have a more sophisticated VPN gateway, in particular a SonicWALL, you may be able to set up an alternative remote network on the VPN gateway that is mapped 1:1 through Network Address Translation (NAT) onto the actual network. Users can then connect to this network instead if they have a conflict of networks. We have a guide available that describes this approach for SonicWALL devices.

If the conflict is caused by virtual network interfaces (e.g. Parallels, VMware), see here for more information.

To establish a VPN connection to a certain location (such as your office), you will need a VPN gateway at that location. This gateway could be a hardware VPN gateway device (see our compatibility page for compatible devices and setup guides).

The VPN gateway needs to be connected to the Internet (e.g. to a DSL modem or similar), preferably with a static IP address or it should be capable of using a service like DynDNS.org to map its dynamic IP to a hostname. Configuration is easiest if the VPN gateway is also the router (default gateway) of its network. If the VPN gateway is not the router of its network, a suitable routing setup may be necessary for traffic over the VPN to be routed correctly.

Configuration details can be found in the configuration guides for specific devices.

Some kinds of software may cause issues with VPN Tracker:

  1. Personal Firewalls / Desktop Firewalls
  2. Protection Software (e.g Virus Scanners, Malware Protection)
  3. Other VPN Clients / VPN Software (for example NCP Client)

Personal Firewalls usually ask the user, if an app should be allowed to send network traffic. It’s important to grant VPN Tracker full network access. If you have already added rules for VPN Tracker, please whitelist VPN Tracker.

Protection Software often sees VPN traffic as a potential source of threat, as it isn’t able to analyze that traffic because of its very strong encryption. Please ensure VPN Tracker is ignored by any protection software running on your Mac and allow VPN traffic to pass through.

Other VPN clients should not be a problem if they are designed to co-exist with other VPN apps. Unfortunately, not all other clients are, and some capture all VPN traffic as soon as they are installed, even if the app is not running.
In these situations, you may need to uninstall the VPN client - we also suggest asking the vendor to improve its “cooperation” with other VPN apps.

Here are some common examples of the types of apps mentioned above. If you are uncertain whether any of these applications may be installed on your system, try the following:

  • Open the app “Terminal”
  • Copy and paste the following command: kextstat | grep -v com.apple

You’ll get a list of all kernel extensions that are not from Apple. Just compare that list with the identifiers in parenthesis below:

  • Little Snitch
    (at.obdev.nke.LittleSnitch)
     
  • TripMode
    (ch.tripmode.TripModeNKE)
     
  • Sophos Anti Virus
    (com.sophos.kext.oas, com.sophos.nke.swi)
     
  • Symantec Endpoint Protection / Norton AntiVirus
    (com.symantec.kext.SymAPComm, com.symantec.kext.internetSecurity, com.symantec.kext.ips, com.symantec.kext.ndcengine, com.symantec.SymXIPS)
     
  • Kaspersky Internet/Total Security
    (com.kaspersky.nke, com.kaspersky.kext.kimul, com.kaspersky.kext.klif, com.kaspersky.kext.mark)
     
  • Intego Mac Internet Security
    (com.intego.netbarrier.kext.network, com.intego.virusbarrier.kext.realtime, com.intego.netbarrier.kext.process, com.intego.netbarrier.kext.monitor)
     
  • Fortinet FortiClient
    (com.fortinet.fct.kext.avkern2, com.fortinet.fct.kext.fctapnke)
     
  • Cisco Advanced Malware Protection (AMP)
    (com.cisco.amp.nke, com.cisco.amp.fileop)
     
  • TUN/TAP based VPN Clients
    (net.sf.tuntaposx.tap, net.sf.tuntaposx.tun)
     
  • eset Security Products
    (com.eset.kext.esets-kac, com.eset.kext.esets-mac and com.eset.kext.esets-pfw)
     

For a certificate to be available in the "Local Certificate" list, it must be present in the Mac OS X Keychain with its corresponding private key.

You can easily check this in the Keychain Access application: If a certificate is listed under "My Certificates" (and not just "Certificates"), its private key is available and you will be able to select it in VPN Tracker as the "Local Certificate".

Important note for CheckPoint VPN users:

The Mac OS X Keychain Access application currently does not understand how to read private keys from some CheckPoint generated certificates.

To properly import the certificate into the Mac OS X Keychain, first convert it using the openssl command line tool:

  1. Open a Terminal ("Applications" > "Utilities" > "Terminal")

  2. Convert the certificate to PEM format:
      openssl pkcs12 -in /Users/joe/Desktop/MyCheckPointCert.p12 -out /tmp/out.pem
    

    Replace /Users/joe/Desktop/MyCheckPointCert.p12 with the path to the actual certificate that you want to convert.

    You will first be asked for the password that the certificate is encrypted with. If you do not know it, please ask the administrator who has created your certificate for you. You will then be asked twice for the password that will be used to protect the exported PEM file. You can use the same password that the original certificate was encrypted with. Note that no characters will appear on screen while you type in your passwords. Simply type the password and press the return key.

  3. Convert the PEM file back to PKCS#12 (.p12) format:
      openssl pkcs12 -in /tmp/out.pem -export -out ~/Desktop/MyFixedCheckPointCert.p12
    

    Replace ~/Desktop/MyFixedCheckPointCert.p12 with the path where you want the fixed certificate to be stored.

    You will first be asked for the password that you have just used for exporting to the PEM file, and then for a password to protect the fixed .p12 file with. You can again use the same password for everything.

Now double-click your fixed certificate file to import it into the Mac OS X keychain.
