Struggling with the same problem. So what is the non-'out of the box' file-based keychain solution? In my case the app would be deployed using Developer ID signing.

No, I don't think this is the case. The conflicting VPN profile is NESMLegacySession (IPSec) added manually to the Network preferences panel by the user and NOT the app. I don't think this profile has includeAllNetworks flag set or if it even can have one.

Ok, there's definitely a strange behaviour. If I delete all of the vpn profiles in Network preferences, only then I can connect NEVPNProtocolIKEv2 profile with IncludeAllNetworks flag. As soon as I add any other vpn profile I am no longer able to connect my IKEv2 profile. Even if I manually add some IPSec profile via Network prefeneces 🤯. This makes IncludeAllNetworks flag impossible to use in my vpn app.

Matt, you mean even if none of the profiles are active (connected)?

From log: NESMIKEv2VPNSession... I am creating NEVPNProtocolIKEv2 profile (Native IKEv2 Personal VPN). I also have no other vpn profile connected at the same time. I've tried clearing all previous profiles with no success.

Thanks, you've cleared a lot about app-groups and keychain-access-groups, but what about all the other Security errors and NetworkExtension messages saying "Signature check failed: invalid signature (code or signature have been modified)", that are probably the main cause why the tunnel receives a fatal error?

Sorry, my bad. I've created a new thread System Extension app-group entitlement issue

Thanks for the clarification. I will embed all of dependent libraries into sysex.But now I'm facing a problem that neither app nor sysex gets app-group entitlement.taskgated-helper ConfigurationProfiles Unsatisfied entitlements: com.apple.security.application-groupsI have app-groups configured in xcode for both targets, but provisioning profiles doesn't include them even though I have them selected on app ID's.Probably because of that my sysex can't find keychain items saved by the app.I'm also getting a bunch of Security errors and NetworkExtension for some reason reports "Signature check failed: invalid signature (code or signature have been modified)"default 17:34:48.935971+0300 sysextd sysextd Extension point confirmed that extension com.company.appAbc.PacketTunnel-OpenVPN is runnable. default 17:34:58.929349+0300 AppAbc Security Adding securityd connection to pool, total now 3 default 17:35:06.957159+0300 AppAbc NetworkExtension Saving configuration AppAbc with existing signature (null) default 17:35:07.168468+0300 AppAbc NetworkExtension Successfully saved configuration AppAbc default 17:35:07.192204+0300 AppAbc NetworkExtension Received a com.apple.neconfigurationchanged notification with token 38 default 17:35:07.308162+0300 AppAbc NetworkExtension Saving configuration AppAbc with existing signature {length = 20, bytes = 0xa032bdd71140be2af6788e2dc77930a115c17b25} default 17:35:07.329977+0300 AppAbc NetworkExtension Received a com.apple.neconfigurationchanged notification with token 38 default 17:35:07.330511+0300 AppAbc NetworkExtension Successfully saved configuration AppAbc default 17:35:07.336086+0300 AppAbc NetworkExtension Saving configuration AppAbc with existing signature {length = 20, bytes = 0x45e64b4ed5b0a1ad6061e3ba5cc05dddd003cd52} default 17:35:07.382735+0300 AppAbc NetworkExtension Received a com.apple.neconfigurationchanged notification with token 38 default 17:35:07.383265+0300 AppAbc NetworkExtension Successfully saved configuration AppAbc default 17:35:07.518667+0300 taskgated-helper ConfigurationProfiles allowing entitlement(s) for com.company.appAbc.PacketTunnel-OpenVPN due to provisioning profile (isUPP: 1) error 17:35:07.526352+0300 taskgated-helper ConfigurationProfiles com.company.appAbc.PacketTunnel-OpenVPN: Unsatisfied entitlements: com.apple.security.application-groups error 17:35:07.526380+0300 taskgated-helper ConfigurationProfiles Disallowing: com.company.appAbc.PacketTunnel-OpenVPN default 17:35:08.781878+0300 secinitd secinitd com.company.appAbc.PacketTunnel-OpenVPN[95856]: root path for bundle "" of main executable "" default 17:35:09.165083+0300 secinitd secinitd com.company.appAbc.PacketTunnel-OpenVPN[95856]: AppSandbox request successful default 17:35:09.240267+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337 default 17:35:09.251136+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3 default 17:35:09.253611+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:09.255763+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:09.259015+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337 default 17:35:09.263010+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3 default 17:35:09.267611+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:09.270637+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:09.273530+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337 default 17:35:09.277920+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3 default 17:35:09.283042+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:09.291778+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:09.296948+0300 com.company.appAbc.PacketTunnel-OpenVPN Security Adding securityd connection to pool, total now 1 default 17:35:09.296956+0300 com.company.appAbc.PacketTunnel-OpenVPN Security got event: Connection invalid default 17:35:09.297116+0300 com.company.appAbc.PacketTunnel-OpenVPN Security Failed to talk to secd after 4 attempts. default 17:35:09.297573+0300 com.company.appAbc.PacketTunnel-OpenVPN Security using system preferences default 17:35:09.299722+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337 default 17:35:09.303518+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3 default 17:35:09.305860+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:09.308235+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337 default 17:35:09.310523+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3 default 17:35:09.314336+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:09.318363+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:09.320930+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337 default 17:35:09.323378+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3 default 17:35:09.325901+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:09.328656+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:09.332580+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337 default 17:35:09.346565+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3 default 17:35:09.352010+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:09.354244+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:09.356355+0300 com.company.appAbc.PacketTunnel-OpenVPN Security Failed to talk to secd after 4 attempts. default 17:35:09.356903+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337 default 17:35:09.360582+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3 default 17:35:09.364850+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:09.368221+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CMSDecoderCopySignerStatus failed with kCMSSignerInvalidSignature error (3) default 17:35:09.368253+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -67061 default 17:35:09.369765+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension Signature check failed: invalid signature (code or signature have been modified) default 17:35:09.533751+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: Calling startTunnelWithOptions with options 0x7fb447a0c640 default 17:35:09.636368+0300 kernel Sandbox Sandbox: 7 duplicate reports for com.company.appA deny(1) file-write-data /private/var/db/mds/system/mds.lock default 17:35:13.275423+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: provider set tunnel configuration to (null) default 17:35:13.298472+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: provider set tunnel configuration to { ... } default 17:35:13.760461+0300 com.company.appAbc.PacketTunnel-OpenVPN CoreFoundation Attempting to add source to main runloop, but the main thread has exited. This message will only log once. Break on _CFRunLoopError_MainThreadHasExited to debug. default 17:35:14.230487+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337 default 17:35:14.236639+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3 default 17:35:14.244544+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:14.249541+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR default 17:35:14.300451+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: provider set tunnel configuration to (null) error 17:35:14.315789+0300 com.company.appAbc.PacketTunnel-OpenVPN CocoaLumberjack [Error] [openvpn-adapter.connection] [AAOpenVPNPacketTunnelProvider.swift:304] openVPNAdapter(_:handleError:) > [OVPN] Did recieve fatal error: Error Domain=me.ss-abramchuk.openvpn-adapter.error-domain Code=70 "Failed to establish connection with OpenVPN server" UserInfo={NSLocalizedDescription=Failed to establish connection with OpenVPN server, me.ss-abramchuk.openvpn-adapter.error-key.message=ClientState::attach() can only be called once per ClientState instantiation, me.ss-abramchuk.openvpn-adapter.error-key.fatal=true, NSLocalizedFailureReason=Unknown error.} error 17:35:14.326776+0300 com.company.appAbc.PacketTunnel-OpenVPN CocoaLumberjack [Error] [openvpn-adapter.connection] [AAPacketTunnelProvider.swift:68] cancelTunnelWithError(_:) > Canceling tunnel due to the error: Error Domain=me.ss-abramchuk.openvpn-adapter.error-domain Code=70 "Failed to establish connection with OpenVPN server" UserInfo={NSLocalizedDescription=Failed to establish connection with OpenVPN server, me.ss-abramchuk.openvpn-adapter.error-key.message=ClientState::attach() can only be called once per ClientState instantiation, me.ss-abramchuk.openvpn-adapter.error-key.fatal=true, NSLocalizedFailureReason=Unknown error.} default 17:35:14.351120+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: IPC detached default 17:35:14.357134+0300 AppAbc NetworkExtension Last disconnect error for AppAbc changed from "none" to "Failed to establish connection with OpenVPN server"

Wow, that is some nice suggestion.To be precise we actually need to set PRODUCT_NAME = "$(PRODUCT_BUNDLE_IDENTIFIER)" for sysex to be found at activation.And I've totally missed the uninstall message from sysextd (says nothing usable upon activation though):Bundle identifier and service path did not match (PacketTunnel-Tunnel != com.company.appabc.PacketTunnel-Tunnel)One more thing to note that is different from non-sysex Network Extensions.It appears that System Extensions can embed all of it's dependent libraries.Contrary to non-sysex NetworkExtensions, sysex can have Frameworks/ folder inside!But I actually went with adding /Applications/AppAbc.app/Contents/Frameworks to the sysex LD_RUNPATH_SEARCH_PATHS parameter.