Cisco has implemented the RFCs about Phase2 (respectively Child-SA for IKEv2) like this:
An incoming Pase2/Child-SA proposal will be accepted if the offered local/remote idents (encryption domain in Checkpoint speak) are a true subset of the locally configured crypto access-list.
E.g. if the incoming proposal is for a /32 and your local crypto access-list accepts a /24 the proposal is accepted and a "dynamic" IPsecSA (resp. Child-SA) will be created with the smaller range. In my example with a /32.
Now you will see e.g. a remote network with /32 although your access-list has a /24 defined as a destination.
This is well documented and in accordance with RFCs (the original text says something like that about accepting IPsec proposals: "The responder decides").
Hope that helps,
MiKa