Reply to Cannot access shared keychain from NE System Extension
Thanks for the answer Matt! I already have the key at the containing app, I got it with SecIdentityCopyPrivateKey() (I have the SecIdentity so I can use this func). My question was about the 'next step' - I want to send this key to the System-Extension. How can I do it? (OR how can I get this key directly via the sys-ext, instead of getting it at the containing app and sending it, but I guess this is not possible because the app runs under user, and sys-ext runs as root).
Topic: App & System Services SubTopic: Drivers Tags:
Nov ’21
Reply to Cannot access shared keychain from NE System Extension
Bumping this old thread - I have the same scenario, I created a VPN + Certificate payload, installed it, and now I have a VPN conf which I can access only from the containing app, but I need to access it from the system-extension. As I read above it's not possible, I send messages between the extension and the app, and it worked fine for the SecCertificate, which I sent as a Data to the extension (using SecCertificateCopyData() and sendProviderMessage functions). The problem is that at the extension I also need the SecKey, and I couldn't find any way to pass it from the containing app to the extension. I even tried to pass it via IPC, but it crashed ("This coder only encodes objects that adopt NSSecureCoding"). Is there any way to pass SecKey to the Extension, or to access it directly from there?
Topic: App & System Services SubTopic: Drivers Tags:
Nov ’21
Reply to Sleep + on demand rules
Thanks for the reply! It's happening also on Big Sur. "Possibly the VPN transport is going down and it's not properly reconnected on the wake cycle" I think this is the case, the question is how to solve it? One option I thought of is to unset disconnectOnSleep: This way when the Mac will enter sleep, the OS won't kill (and won't restart) the VPN, and I'll do it manually. Then I'll start it only on awake, and not before that. Does it seem like a good approach? Any other solution to this problem? And lastly - should I open a bug for this behavior?
Aug ’21
Reply to Cannot access shared keychain from NE System Extension
Thanks again for the answer! One question though - "so you can use sendProviderMessage to communicate back and forth" - this is exactly what I want to do, but AFAIK, I can send only NSData via this function, and I have no idea how to convert SecKey to a Data object. Can you please advise on how to do it?
Topic: App & System Services SubTopic: Drivers Tags:
Nov ’21