1. The following should be open on the Checkpoint.
Protocol 50 (esp)
Protocol 51 (ahp)
UDP port 500 (isakmp)
2. Pix Ipsec will not work if its peer address is port translated (PAT).
3. debug crypto isakmp sa
debug crypto ipsec sa
both debugs will show you where and why tunnel is failing.