Have been working on this with TAC for a while now and we got lucky today.
The controller was complaining that it did not have the ISA-PSK for that host. It was certainly there if we did a 'show crypto isakmp key'
It wasn't until we went in via the GUI, edited the ipsec-map and added the key here, it all worked.
I might get back round to looking at the Checkpoint again one day.