
FW: Checkpoint and Cisco PIX

Status
Not open for further replies.

vallan

Technical User
Aug 13, 2002
156
EU
I need to set up a VPN between our CP Site London and a Cisco PIX Site USA.

1st Scenario

USA (Ua and Ub) need to access 2 servers (a and b) in London

2nd Scenario

London servers (a and b) need to access 2 other servers (U1 and U2) in USA

I have created 6 nodes and put nodes a and b into group ab and nodes Ua and Ub into Grp Uab and nodes U1 and U2 into group U12

The following rule base has been set up

source <> dest

Uab <>ab<>xvpn<>svc<>accept
ab<>U12<>xvpn<>svc<>accept

In creating the Interoperable devices for USA FW, I put the groups Uab and U12 into yet another group (USAgrp) and placed this as the VPN domain.

Question 1?

Is this allowed and is it correct?

This is because I need the FW to work for both sets of USA grps.

Question 2?

As of now, with the above configured with just one group in the VPN domain, the VPN is not being formed at all. I have enabled ping and I can see ping from ab getting to the U12 but being dropped.

What am I doing wrong?

Encryption settings being used are:
IKE - 3DES, MD5
IPSEC - AES128, MD5
IPSEC (Phase 2) - use PFS, Group 2, 1024 bits

Thanks for your help.
 