The last answer helped me to find two errors. The first one was an incompatibility between values in the profile and the entitlements: there was one wrong value. The second one, which you mentioned, is the group, which must start with the team ID. This is mostly unclear, because at the profile-creation step the Apple developer portal doesn't allow you to create a group without starting from the group prefix.
Thanks for your help. It was a bit difficult, because some things are not clear and as a result I've just been trying things.
Once more, thanks. :)
Big thanks @DTS Engineer.
After 2 days of additional research, I've noted the following points.
I need to sign the bundle and the executable too, one without entitlements, the second with. First of all we sign the sysex, then the main app.
The commands look like this:
```sh
codesign -f --timestamp --options runtime --sign "${certificate_name}" ${app_bundle.app}
codesign -f --timestamp --options runtime --entitlements "${app_entitlements}" --sign "${certificate_name}" "${app_bundle.app}/Contents/MacOS/${app_name}"
```
Also I had to remove the keychain access group compatibility, because when I tried to run it, it couldn't run, saying that the signing was wrong.
But after removing it, it was solved.
In the console, I saw the error:
```text
Entitlement com.apple.security.application-groups=(
"group.com.ex.company.appname"
) is ignored because of invalid application signature or incorrect provisioning profile
```
It's a super strange message, and it possibly can affect something, but I'm not sure. (Maybe it must be prefixed with the Team ID?) Could you please add comments on it?
And the second, the last difficult thing: it's **impossible to start the VPN tunnel** without profiles (for App and Tunnel).
It allows activating the sysex and allows adding the VPN configuration, but when everything is done
it begins to say:
```text
nesessionmanager NESMVPNSession[Primary Tunnel:VPN Satoshi:1D0EF122-2CEA-4632-8CD2-D09B7C8CA5F0:(null)]: Received a start command from Application-Mac-External[2985]
Found 0 (0 active) registrations for com.ex.company.applicationname.packet-tunnel (com.apple.networkextension.packet-tunnel)
```
It's happening on any laptop without installed profiles, and it looks like it's currently the last blocker, which I can't understand how to solve. Could you please help?
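As an added example (not code from the post or from Apple), here is a Python check for the two mismatches discussed above: an entitlement the provisioning profile does not grant, and an app group that lacks the Team-ID prefix macOS requires. The profile plist and the two entitlements plists are constructed samples; the team ID ABCDE12345 is made up. In practice you would feed it the output of `security cms -D -i embedded.provisionprofile` (the decoded profile) and `codesign -d --entitlements :- Foo.app` (the entitlements actually sealed into the signature).

```python
import plistlib
from typing import Dict, List, Tuple

# Constructed sample of a decoded macOS provisioning profile, i.e. the plist that
# `security cms -D -i Foo.provisionprofile` prints. Team ID and bundle ID are made up.
PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>Entitlements</key><dict>
    <key>com.apple.application-identifier</key><string>ABCDE12345.com.ex.company.appname</string>
    <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
    <key>com.apple.security.application-groups</key>
      <array><string>ABCDE12345.com.ex.company.appname</string></array>
    <key>com.apple.developer.networking.networkextension</key>
      <array><string>packet-tunnel-provider-systemextension</string></array>
  </dict>
</dict></plist>"""

# Constructed app entitlements, the plist `codesign -d --entitlements :- Foo.app` shows.
# This variant carries an iOS-style "group." app group that the profile above does not grant.
APP_ENTITLEMENTS_BAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.application-identifier</key><string>ABCDE12345.com.ex.company.appname</string>
  <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
  <key>com.apple.security.application-groups</key>
    <array><string>group.com.ex.company.appname</string></array>
  <key>com.apple.developer.networking.networkextension</key>
    <array><string>packet-tunnel-provider-systemextension</string></array>
  <key>com.apple.security.app-sandbox</key><true/>
</dict></plist>"""

# Same app, with the group spelled the way macOS expects: TEAMID.<identifier>.
APP_ENTITLEMENTS_GOOD = APP_ENTITLEMENTS_BAD.replace(
    b"group.com.ex.company.appname", b"ABCDE12345.com.ex.company.appname")

# Keys whose values must be granted by the profile. Sandbox and hardened-runtime keys
# (com.apple.security.app-sandbox, com.apple.security.network.client, ...) are not profile-gated.
PROFILE_GATED = {
    "com.apple.application-identifier",
    "com.apple.developer.team-identifier",
    "com.apple.security.application-groups",
    "keychain-access-groups",
    "com.apple.developer.networking.networkextension",
}


def load_profile(decoded: bytes) -> Tuple[str, Dict]:
    """Return (team ID, entitlements dict) from a decoded provisioning profile plist."""
    profile = plistlib.loads(decoded)
    return profile["TeamIdentifier"][0], profile["Entitlements"]


def check(app: Dict, granted: Dict, team_id: str) -> List[str]:
    """Report every profile-gated entitlement the app claims but the profile does not back."""
    findings: List[str] = []
    for key, value in app.items():
        if key not in PROFILE_GATED:
            continue
        if key not in granted:
            findings.append(f"{key}: claimed by the app but absent from the profile")
            continue
        if isinstance(value, list):
            # Array entitlements (app groups, NE capabilities) must be a subset of the grant.
            extra = sorted(set(value) - set(granted[key]))
            if extra:
                findings.append(f"{key}: values not granted by the profile: {extra}")
        elif value != granted[key]:
            findings.append(f"{key}: app has {value!r}, profile grants {granted[key]!r}")
    # On macOS an app group must be prefixed with the Team ID; "group." is the iOS convention.
    for group in app.get("com.apple.security.application-groups", []):
        if not group.startswith(team_id + "."):
            findings.append(f"application-groups: {group!r} is not prefixed with {team_id}.")
    return findings


def run_check(profile_bytes: bytes, entitlements_bytes: bytes) -> List[str]:
    team_id, granted = load_profile(profile_bytes)
    return check(plistlib.loads(entitlements_bytes), granted, team_id)


if __name__ == "__main__":
    for label, ents in (("bad", APP_ENTITLEMENTS_BAD), ("good", APP_ENTITLEMENTS_GOOD)):
        print(label, run_check(PROFILE_PLIST, ents) or "OK")
```

The subset rule is the important one: the system only honours a restricted entitlement when the embedded profile grants that exact value, which is why a `group.`-prefixed group is reported as ignored even though the entitlement key itself is correct. The same check flags a `packet-tunnel-provider-systemextension` claim that the profile does not carry, which is one of the things to rule out when no packet-tunnel registration is found.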
It's relevant for me too. I can't understand why, but sometimes it disappears, sometimes not.
@eskimo if you are able, please give some advice, WDYT?
I can't post it here, but I'll send it to your email.
Also I've tried the library from GitHub,
NWWebSocket,
and I get the same error: Darwin.POSIXErrorCode ECONNABORTED.
Thanks for the response.
For some reasons I've written my own code for the clients.
```swift
import Foundation
import Network

// ServersListUpdateDelegate, Constants and AuthenticationManager are types from the
// author's own project and are not shown here.
class newWebsocket {
    private var connection: NWConnection?
    // Labelled tuples so the array can be passed straight to setAdditionalHeaders(_:)
    private var additionalHeaders: [(name: String, value: String)]
    private let delegate: ServersListUpdateDelegate

    init(delegate: ServersListUpdateDelegate) {
        self.delegate = delegate
        if Constants.shared.isStageEnvironment, let token = AuthenticationManager.authToken {
            // Do not print the token itself: a bearer token in the console log is a credential leak.
            print("Auth token present (\(token.count) characters)")
            additionalHeaders = [(name: "Authorization", value: token)]
        } else {
            additionalHeaders = [(name: "key", value: Constants.shared.authKey)]
        }
    }

    func connect() {
        let url = URL(string: Constants.shared.socketUrl)!
        let endpoint = NWEndpoint.url(url)
        // wss:// needs TLS underneath the WebSocket framing; ws:// runs over plain TCP.
        let params: NWParameters = (url.scheme == "wss") ? .tls : .tcp
        let ws = NWProtocolWebSocket.Options(.version13)
        ws.autoReplyPing = true
        // The headers built in init() were never attached to the handshake; attach them here.
        ws.setAdditionalHeaders(additionalHeaders)
        params.defaultProtocolStack.applicationProtocols.insert(ws, at: 0)

        // Create the WebSocket connection
        connection = NWConnection(to: endpoint, using: params)
        // Set up the state change handler
        connection?.stateUpdateHandler = { [weak self] newState in
            switch newState {
            case .ready:
                print("🚧WebSocket connection established.")
                // Start receiving messages when the connection is ready
                self?.receiveMessage()
            case .waiting(let error):
                // .waiting: the connection could not be made yet; Network.framework retries on its own
                print("🚧WebSocket connection is waiting: \(error)")
            case .failed(let error):
                print("🚧WebSocket connection failed: \(error)")
            case .cancelled:
                print("🚧WebSocket connection cancelled")
            default:
                break
            }
        }
        // Start the connection
        connection?.start(queue: .main)
    }

    private func receiveMessage() {
        // [weak self] avoids a retain cycle between the connection and this object
        connection?.receiveMessage { [weak self] data, context, isComplete, error in
            if let error = error {
                print("Failed to receive message: \(error)")
                return
            }
            // Only text frames decode as UTF-8; binary frames are dropped here
            if let data = data, let message = String(data: data, encoding: .utf8) {
                print("Received message: \(message)")
                // Process the received message as needed
            }
            // Continue to receive messages recursively
            self?.receiveMessage()
        }
    }

    func reset() {}

    func disconnect() {
        connection?.cancel()
    }
}
```
And in any case I get the error:
```text
🚧WebSocket connection is waiting: POSIXErrorCode(rawValue: 53): Software caused connection abort
```
I've also tried removing the auth headers from the server side and the client side, but it didn't help.
Hi, do you have some updates or maybe useful info about NetworkExtension + Notifications, @eskimo?
@houmie
Terrible, I thought that it could be solved.
Ok
About Let's Encrypt: as far as I know it can work just with DNS, but if I have a dynamic IP address on the VPN server, or I have a bulk of servers, as a result I need to have a domain name for each of them.
If Let's Encrypt solves it just with DNS, that's a difficult way for me.
But without it, I'll try.
And thank you for your answer.
Thanks for your answer, it really helps to understand some things.
By the way, currently I'm getting connecting... and disconnecting
on iOS:
```swift
return IKEv2Model(serverAddress: ip,
                  remoteIdentifier: ip,
                  localIdentifier: ip,
                  serverCertificateIssuerCommonName: ip,
                  useExtendedAuthentication: false,
                  ikeSecurityAssociationParametersEncryptionAlgorithm: .algorithmAES256,
                  ikeSecurityAssociationParametersDiffieHellmanGroup: .group14,
                  ikeSecurityAssociationParametersIntegrityAlgorithm: .SHA256,
                  ikeSecurityAssociationParametersLifetimeMinutes: 1410,
                  childSecurityAssociationParametersEncryptionAlgorithm: .algorithmAES128GCM,
                  childSecurityAssociationParametersDiffieHellmanGroup: .group14,
                  childSecurityAssociationParametersIntegrityAlgorithm: nil,
                  childSecurityAssociationParametersLifetimeMinutes: 1410,
                  deadPeerDetectionRate: .medium,
                  disableRedirect: true,
                  disableMOBIKE: false,
                  enableRevocationCheck: false,
                  enablePFS: false,
                  useConfigurationAttributeInternalIPSubnet: false,
                  disconnectOnSleep: false,
                  certificateType: .ECDSA256,
                  identityData: identityData!,
                  password: pass)
```
where
```swift
let identityData = Data(base64Encoded: cert, options: .ignoreUnknownCharacters)
let options: NSDictionary = [kSecImportExportPassphrase: pass]
var items: CFArray?
let status: OSStatus = SecPKCS12Import(identityData! as NSData, options, &items)
// errSecSuccess means the PKCS#12 blob decrypted with `pass`; the imported identity
// is then items[0][kSecImportItemIdentity]. Anything else is a wrong passphrase or a malformed blob.
if status != errSecSuccess {
    print("SecPKCS12Import failed: \(status)")
}
```
and
```swift
let cert = """
MIIQ9AIBAzCCELoGCSqGSIb3DQEHAaCCEKsEghCnMIIQozCCCPcG
CSqGSIb3DQEHBqCCCOgwggjkAgEAMIII3QYJKoZIhvcNAQcBMBwG
CiqGSIb3DQEMAQMwDgQIU9lsYPYNUzUCAggAgIIIsJz58NghTdos
...........
"""
```
from the PayloadContent of com.apple.security.pkcs12,
and
this model is used to create:
```swift
#if os(iOS)
IKEv2Protocol.identityData = config.identityData
#else
// identityReference expects a persistent keychain reference to an identity
// (SecItemCopyMatching with kSecReturnPersistentRef), not raw PKCS#12 bytes
IKEv2Protocol.identityReference = config.identityData
#endif
IKEv2Protocol.identityDataPassword = config.password
```
Currently I think that possibly the certificate type is wrong; I've also tried RSA, but nothing.
The logs on the server side are the biggest help for RCA, but they haven't helped me understand what's wrong. Maybe you can give some advice, please?
@eskimo
```text
2023-04-25T21:00:07.473671+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #34: deleting incomplete state after 200 seconds
2023-04-25T21:00:07.473753+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #34: deleting state (STATE_V2_PARENT_R1) aged 200.016332s and NOT sending notification
2023-04-25T21:00:07.594665+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #35: deleting incomplete state after 200 seconds
2023-04-25T21:00:07.594710+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #35: deleting state (STATE_V2_PARENT_R1) aged 200.004168s and NOT sending notification
2023-04-25T21:01:29.347037+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #27: STATE_V2_ESTABLISHED_IKE_SA: 300 second timeout exceeded after 10 retransmits. No response (or no acceptable response) to our IKEv2 message
2023-04-25T21:01:29.347698+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #27: liveness action - clearing connection kind CK_INSTANCE
2023-04-25T21:01:29.348127+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #28: ESP traffic information: in=0B out=0B
2023-04-25T21:01:29.388964+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr #27: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 543.259052s and NOT sending notification
2023-04-25T21:01:29.389123+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] MyIp adddr: deleting connection instance with peer MyIp adddr {isakmp=#0/ipsec=#0}
2023-04-25T21:06:48.525678+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[14] MyIp adddr #36: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
2023-04-25T21:06:48.530929+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[14] MyIp adddr #36: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
2023-04-25T21:06:48.644748+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[14] MyIp adddr #37: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
2023-04-25T21:06:48.648190+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[14] MyIp adddr #37: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
```
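As an added example (not code from the post, and not a Libreswan tool), here is a small Python triage script for pluto logs like the ones above. It groups lines by IKE state number (`#N`), records whether the crypto proposal was agreed and the IKE_SA_INIT reply was sent, notes the state each SA was deleted in, and turns that into a verdict per SA. The point it makes visible is the difference between an SA that died in STATE_V2_PARENT_R1 (the responder answered IKE_SA_INIT and then never received a valid IKE_AUTH, so the problem is on the authentication step: identity, certificate or passphrase) and one that was fully established and later timed out on liveness. The sample lines are constructed in the same format as the post's logs; the peer address 203.0.113.7 and the timestamps are made up, and the verdict strings are this script's own labels.

```python
import re
from typing import Dict, List

# Constructed sample in Libreswan "pluto" log format, modelled on the lines in the post.
# The peer address 203.0.113.7 and the timestamps are made up.
SAMPLE_LOG = """\
2023-04-25T21:06:48.525678+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[14] 203.0.113.7 #36: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match]
2023-04-25T21:06:48.530929+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[14] 203.0.113.7 #36: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
2023-04-25T21:10:08.473671+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[14] 203.0.113.7 #36: deleting incomplete state after 200 seconds
2023-04-25T21:10:08.473753+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[14] 203.0.113.7 #36: deleting state (STATE_V2_PARENT_R1) aged 200.016332s and NOT sending notification
2023-04-25T21:01:29.347037+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] 203.0.113.7 #27: STATE_V2_ESTABLISHED_IKE_SA: 300 second timeout exceeded after 10 retransmits. No response (or no acceptable response) to our IKEv2 message
2023-04-25T21:01:29.347698+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] 203.0.113.7 #27: liveness action - clearing connection kind CK_INSTANCE
2023-04-25T21:01:29.348127+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] 203.0.113.7 #28: ESP traffic information: in=0B out=0B
2023-04-25T21:01:29.388964+00:00 ipsec-vpn-server pluto[482]: "ikev2-cp"[8] 203.0.113.7 #27: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 543.259052s and NOT sending notification
"""

# One pluto line: timestamp, host, pluto[pid], "conn"[instance], peer, #state, message.
# The peer field is matched non-greedily so redacted values with spaces still parse.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] '
    r'(?P<peer>.+?) #(?P<sa>\d+): (?P<msg>.*)$'
)

# Verdict strings are this script's own labels, not pluto terminology.
STUCK_BEFORE_AUTH = "IKE_SA_INIT answered, no IKE_AUTH completed (client stopped before authentication)"
ESTABLISHED_THEN_LOST = "IKE SA established, then peer stopped answering (liveness/retransmit timeout)"
NO_ESP_TRAFFIC = "child SA deleted with zero ESP bytes in both directions"
UNKNOWN = "no conclusive event logged"


def parse(text: str) -> Dict[str, List[dict]]:
    """Group pluto lines by state number (#N); lines without one are ignored."""
    by_sa: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_sa.setdefault(m["sa"], []).append(m.groupdict())
    return by_sa


def summarize(events: List[dict]) -> dict:
    s = {"proposal_agreed": False, "init_replied": False, "final_state": None,
         "timeouts": 0, "esp_in": None, "esp_out": None, "peer": events[0]["peer"]}
    for ev in events:
        msg = ev["msg"]
        if "chosen from remote proposals" in msg:
            s["proposal_agreed"] = True          # crypto proposal matched the client's
        if msg.startswith("sent IKE_SA_INIT reply"):
            s["init_replied"] = True             # responder finished exchange 1 of 2
        m = re.match(r"(STATE_\w+): .*timeout exceeded", msg)
        if m:
            s["timeouts"] += 1
            s["final_state"] = m.group(1)
        m = re.search(r"deleting state \((STATE_\w+)\)", msg)
        if m:
            s["final_state"] = m.group(1)         # state the SA died in
        m = re.search(r"ESP traffic information: in=(\d+)B out=(\d+)B", msg)
        if m:
            s["esp_in"], s["esp_out"] = int(m.group(1)), int(m.group(2))
    s["verdict"] = verdict(s)
    return s


def verdict(s: dict) -> str:
    # STATE_V2_PARENT_R1 is the responder waiting for IKE_AUTH after replying to IKE_SA_INIT.
    if s["final_state"] == "STATE_V2_PARENT_R1" and s["init_replied"]:
        return STUCK_BEFORE_AUTH
    if s["final_state"] == "STATE_V2_ESTABLISHED_IKE_SA" and s["timeouts"]:
        return ESTABLISHED_THEN_LOST
    if s["esp_in"] == 0 and s["esp_out"] == 0:
        return NO_ESP_TRAFFIC
    return UNKNOWN


def analyze(text: str) -> Dict[str, dict]:
    """Map each state number to its summary and verdict."""
    return {sa: summarize(events) for sa, events in parse(text).items()}


if __name__ == "__main__":
    for sa, s in sorted(analyze(SAMPLE_LOG).items(), key=lambda kv: int(kv[0])):
        print(f"#{sa} peer={s['peer']} proposal_agreed={s['proposal_agreed']} "
              f"final={s['final_state']}: {s['verdict']}")
```

Run it as `python3 triage.py < /var/log/pluto.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`. When every new SA ends in STATE_V2_PARENT_R1 with `proposal_agreed=True`, the proposal parameters (AES-256, SHA-256, MODP2048) are not the problem, and the next things to compare are the client's identity data and the server's configured authentication method.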