The console output is attached (I can't edit the original question) Console output - https://developer.apple.com/forums/content/attachment/c5c58501-fbb1-4928-b49f-d910722b51b3

Another update - I just found this, which might be the same - https://developer.apple.com/forums/thread/75118

Are you grabbing something out of the Keychain to perform authentication with and this is failing? No. The scenario where it usually reproduces: I'm trying to connect with some invalid code, so connection fails Upon this failure I'm updating the VPN configuration (removing on-demand), and save it After the saving completed, I'm waiting few seconds, entering a correct code and saving the VPN configuration again (and set on-demand). After the saving is completed, I'm trying to start the VPN. Nothing from keychain here, and I did see the above MacOS error: -25304 error, but even with this error it was able to save the conf, and it did try to trigger the VPN (but then I got the log 'session in state connecting', see Console).

True, it probably crashed. But regarding to the log "BUG in libdispatch client: vnode, monitored resource vanished before the source cancel handler was invoked " - is it coming from the OS, or can happen because of my code?

OK, once I'll have the Crash Report I'll open a bug report and update. Thank you!

Thanks for the answer! But while this explain the issue, any idea why the same scenario works when it's done with an external browser? Https server, which opens my custom URL scheme, and everything works as expected.

"Do you mean loading the exact same HTTP content in Safari does open the custom URL scheme?" - Yes, that's what I meant. Thanks for the explanation!

Thanks for the reply! It's happening also on Big Sur. "Possibly the VPN transport is going down and it's not properly reconnected on the wake cycle" I think this is the case, the question is how to solve it? One option I thought of is to unset disconnectOnSleep: This way when the Mac will enter sleep, the OS won't kill (and won't restart) the VPN, and I'll do it manually. Then I'll start it only on awake, and not before that. Does it seem like a good approach? Any other solution to this problem? And lastly - should I open a bug for this behavior?

Bumping this old thread - I have the same scenario, I created a VPN + Certificate payload, installed it, and now I have a VPN conf which I can access to only from the containing app, but I need to access it from the system-extension. As I read above it's not possible, I send messages between the extension and the app, and it worked fine for the SecCertificate, which I sent as a Data to the extension (using SecCertificateCopyData() and sendProviderMessage functions). The problem is that at the extension I need also the SecKey, and I couldn't find any way to pass it from the containing app to the extension. I even tried to pass it via IPC, but it crashed ( "This coder only encodes objects that adopt NSSecureCoding"). Is there any way to pass SecKey to the Extension, or to access it directly from there?

Thanks for the answer Matt! I already have the key at the Containing app, I got it with SecIdentityCopyPrivateKey() (I have the SecIdentity so I can use this func). My question was about the 'next step' - I want to send this key to the System-Extension. I can I do it? (OR how can I get this key directly via the sys-ext, instead of getting it at the containing app and sending it, but I guess this is not possible because the app runs under user, and sys-ext runs by root).

Thanks again for the answer! One question though - "so you can use sendProviderMessage to communicate back and forth" - this is exactly what I want to do, but AFAIK, I can send only NSData via this function, and I have no idea how to convert SecKey to a Data object. Can you please advise on how to do it?

First - thank you for your time answering those questions! Regarding the SecKey - the key was stored at the Keychain via a profile created at Apple Configurator - I filled the VPN and the Certificate payloads, and installed the profile. I can get the SecKey at the containing app, but when trying to call SecKeyCopyExternalRepresentation, it returns nil. It's not tied to a smart card..Any idea why SecKeyCopyExternalRepresentation returns nil?

Edit: I'm talking about system-extension, distributed outside the App Sore, with a custom installer.

Edit: I'm using the same Developer ID certificate as my main app, but for the embedded app I'm not using any provisioning profile (I set it to 'None'), is it ok?

I just changed the bundle id of the helper app, to be the same as the containing app's bundle id + a postfix. So if the containing app bundle id is com.mycompany.myapp, the bundle id of the helper app would be com.mycompany.myapp.helper Is this is what you meant by superset? Anyway, after this change I still don't see any Login Item (not in Users & Groups, and not in Security and Privacy), but, the app is now active after a Mac restart, so it's already a big improvement.