Solution 1:

I have connected to Checkpoint NGX (R75) using Shrew Soft VPN Client (in Debian/Ubuntu the package is named "ike").

Start by reading the guide here: http://www.shrew.net/support/wiki/HowtoCheckpoint (since you already have the certificate, you can skip the opening steps about creating one and skip straight to Converting the Certificate).

If you have a certificate plus password, it looks like you will be using mutual RSA + XAuth.

I didn't have access to the gateway web configuration interface but I was able to use OpenSSL (try: openssl pkcs12 --help) to export the CA and client certificates and private key from my .p12 into three separate files.

Once Shrew is accepting the credentials, you can run iked -d 6 -F to see detailed debugging output as the connection is established.

I was still a few settings away from it working at this point, but I found this thread on the Shrew mailing list useful: http://lists.shrew.net/pipermail/vpn-help/2010-May/002413.html (follow the replies). I went through the config files posted by Luca Arzeni, such as in this message, trying each setting, and eventually got past my error ("peer unknown notification") by manually specifying the IKE encryption settings (Phase 1 and Phase 2).

Good luck!