Hi thank you for quick response.

Our internal network is set like this and I want to access VPN to admin pool and private network from LAN/WLAN 

Example:
LAN
192.168.1.0/24
WLAN
192.168.2.0/24
pool for VPN (office mode)
172.16.10.0/24
admin pool which shall be accessible only via VPN
192.168.4.0/24
my private network which shall be accesible only via VPN
192.168.5.0/24

VPN>Advanced>Remote Access Advanced Settings: Configure additional advanced options for VPN remote access users
Remote Access encryption domain

I tried to set it up manually like this:

Define local network topology manually:
include
192.168.4.0/24,192.168.5.0/24
exclude
192.168.1.0/24,192.168.2.0/24

Is this the correct aproach? I tried more variants and none of them worked.

User awareness is turned off.

Reaction to the picture you sent:
Where I can find this settings screen? I only use SSH and web configuration.

In attachment I am sending logs from checkpoint VPN client.

Thank you

Global Properties can only be set via the SmartConsole app or by using generic-object API calls.
However, the log from your client tells the tale:

No reply from the gw ip="publicIP" for tunnel test packet. Office Mode IP=172.16.10.2, source port=18001.

Have you done any tcpdump to verify the client is reaching out to the gateway?
Tunnel test occurs over UDP 18234.

I currently use only one Quantum spark, and I tried use smart console which I found (here). It didn't work R81.

error message:
Unable connect to server

I found "SmartConsole - Check Point Graphical User Interface for connection to and management of Security Management Servers."

We have Home>Security Management: set LOCAL

I believe that this is causing the problem as to my understanding, SmartConsole won't work for our checkpoint as we do not use managing server but one router only which we have configured trought WebUI.

Through LOGS&MONITORIN>Dieagnostics>Tools>TCPdump
pic

I was able to get this kind of output.(fake IP)

I didn't find anything with port 18234 for neither of scenarios; connecting to VPN from outside (working connection) or locally (non working connection)

@the_rock  Thank you for your suggestion. Unfortunately as mentioned above, I cannot check that as I am unable to start SmartConsole.

Thak you both for your help and patient

Never mind my suggestion then, sounds like this is locally managed smb appliance, NOT central.

Andy

that's exactly our situation, thank you for your effort @the_rock .

@PhoneBoy Could you please help me set up the Remote Access encryption domain as you recommended? Could you check that situation(here), if I understood it correctly and this setting is correct?

I have no clue where the problem could be.

Thank you

On a locally managed gateway, the default is to include all the internal IPs as part of the encryption domain.
This is probably why your client is failing to connect.
You will need to change the setting here so that the subnets you are using Remote Access from are excluded:

So sorry @winuser , I wrote my response with a screenshot, but I guess it did not send : - (. @PhoneBoy is 100% right, thats the setting.

Andy

Thank you for response @the_rock and @PhoneBoy 

To ensure that I understand correctly, there are two types of VPN: Site-to-Site (S2S) and remote access(RA).

The difference between them is that S2S connects two networks, (An encrypted tunnel between two or more Security Gateways. Synonym: Site-to-Site VPN. Contractions: S2S VPN, S-to-S VPN.(here)).

On the other hand, remote access (RA) is used to access the device itself and connect to the internal network.

In my case, i require the second type, which is remote access (RA). In the pictures you provided, the encryption domain is set up for S2S, but since i have the S2S blade turned off, i need to configure it for RA instead?(do i understand correctly?)

In the attached picture,  showing how you set up the encryption domain for RA. Could you confirm if it is correct or if there is anything what i missing?

i included the private network (that i want to access only when connected to the VPN), and i have excluded the WLAN wifi local network (the network from which i connect to the VPN).

However, even in this state, it is still not working.

Thank you

I forgot you can set the S2S and Remote Access VPN encryption domain separately.
There is a similar setting under Remote Access > Advanced that will need to be configured as previously described.
You may also need to delete and re-add the site on the client after making this change.

S&*(, sorry mate, I keep forgetting you are using SMB locally managed appliance, my bad. Yes, that sounds right, what you attached, as far how as how you would configure it.

Andy

I just spun up a demo online and here is what I found as far as remote access (Im fairly sure this is where you change it) Anyway, never mind, was working late last night, I see its same thing you attached, so yes, thats 100% right.

Andy

Thank you for your response @the_rock and  @PhoneBoy . I apologize for later response.

I followed your instructions and attempted various combinations, but unfortunately, I'm still encountering issues. Whenever I connect from the internal network, it disconnects me after a few seconds and then attempts to reconnect. However, when connecting from an external network, the manual encryption domain setting works correctly (please refer to the attached photo).

I'm unsure about the root cause of this problem or what might be going wrong. Is it possible that this issue could be attributed to a bug in the device's/firmware version (R81.10.07)? If not, I would greatly appreciate your guidance on any alternative solutions to try or specific checks to perform in order to identify the source of the problem.

Also i found this  he have same logs from VPN client.

Thank you for your assistance in troubleshooting this matter.

Maybe worth checking with TAC on this.

Andy

Your best bet at this point is to consult with the TAC: https://help.checkpoint.com