PIX to checkpoint VPN

on 14.08.2007 19:08:18 by James

OK, this is my situation.

I have a site-to-site VPN between a PIX and a checkpoint firewall, and
all works well. The type of VPN on the checkpoint side is simplified. I
have one network on the checkpoint object for the VPN encryption domain,
and one network for the PIX object as the destination network. All
networks mirror each other.

As soon as the policy is pushed and the VPN is up, I can get to the
outside interface of the PIX (the tunnel terminating point). As soon as
the tunnel is up and I try to get there by ICMP/traceroute, checkpoint
blocks it, and tracker says "no valid SA", etc.

I’m confused by this and have tried all sorts to sort it. I need to
still get to the PIX on the external interface to manage it. I can put
in an exclusion for encrypting, which seems to work, but that’s a bodge,
and I still can't see why that stops it, as the outside interface isn't
in the encryption domain. If I try any other spare IP on the external
PIX LAN, things are fine; it’s just the external IP of the PIX I’m
having problems with.

Does anyone have any ideas?

Kind regards.

James