Sunday, 23 September 2012

New certification path

I have been thinking for quite a long time about which certification to prepare for. Finally, I have decided that CCNP Security will be the best choice. Although it consists of 4 exams instead of the 3 in CCNP R&S, I think it suits me better. Security is my cup of tea :)
The main obstacle is that I need Cisco ASA for studying and I wouldn't like to spend money on it. Luckily, I managed to virtualize it in GNS3. To accomplish this I used the following great guide: http://www.xerunetworks.com/2012/02/cisco-asa-84-on-gns3/
All necessary books are available on Amazon, but I still haven't chosen what exam will be the first, probably Secure(642-637) or Firewall(642-618).

Monday, 17 September 2012

Checking IPSec encryption settings with ike-scan

If you need to check which encryption and authentication settings an IPsec service supports, the ike-scan utility can be used.
First we can launch it with default settings:
ike-scan -M 10.10.10.1

This command tries the 8 most common default transform sets.
If you get
notify message 14 (NO-PROPOSAL-CHOSEN)

then none of the default transform sets matched.
In this case you can try changing the authentication method by adding the --auth 3 option, which means RSA signatures instead of the default pre-shared keys.
Moreover, you can configure the entire transform set exactly with the --trans option:
ike-scan -v --trans=1,2,3,1 10.10.10.1

The first figure is the encryption type, the second the hash type, the third the authentication type and the fourth the Diffie-Hellman group.
Tables of possible values and all other information are available in the User's Guide.
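As an added example (not from the original post), here is a small Python audit script that parses ike-scan output lines, shaped after the tool's "SA=(...)" and "Notify message" formats, and flags the weak settings a reviewer would want fixed on the gateway. The sample output lines and the weakness thresholds are constructed assumptions, not captured from a real host.

```python
import re

# Constructed sample of ike-scan output (assumed shape: host, tab, result text).
SAMPLE_OUTPUT = """\
10.10.10.1\tMain Mode Handshake returned HDR=(CKY-R=0123456789abcdef) SA=(Enc=DES Hash=MD5 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration=28800)
10.10.10.2\tMain Mode Handshake returned HDR=(CKY-R=fedcba9876543210) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration=28800)
10.10.10.3\tNotify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=0000000000000000)
"""

# Assumed audit policy: settings to flag when a gateway accepts them.
WEAK = {"Enc": {"DES"}, "Hash": {"MD5"}, "Group": {"1", "2"}}

SA_RE = re.compile(r"^(\S+)\s+.*?SA=\(([^)]*)\)")
NOTIFY_RE = re.compile(r"^(\S+)\s+Notify message (\d+) \(([^)]*)\)")


def parse_ike_scan(text):
    """Return {host: {"status": ..., "sa": {attr: value}}} for each output line."""
    results = {}
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            # "Enc=DES Hash=MD5 ..." -> {"Enc": "DES", "Hash": "MD5", ...}
            sa = dict(kv.split("=", 1) for kv in m.group(2).split())
            results[m.group(1)] = {"status": "accepted", "sa": sa}
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # No SA was accepted; keep the notify name (e.g. NO-PROPOSAL-CHOSEN).
            results[m.group(1)] = {"status": m.group(3), "sa": {}}
    return results


def weak_settings(sa):
    """List the accepted attributes that fall under the WEAK policy."""
    findings = []
    for attr, bad in WEAK.items():
        value = sa.get(attr, "")
        key = value.split(":")[0]  # "2:modp1024" -> "2"
        if key in bad:
            findings.append(f"{attr}={value}")
    return findings


def audit(text):
    """Map each host that accepted a proposal to its list of weak settings."""
    parsed = parse_ike_scan(text)
    return {h: weak_settings(r["sa"]) for h, r in parsed.items() if r["status"] == "accepted"}


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_OUTPUT).items():
        print(host, "weak:" if findings else "ok", ", ".join(findings))
```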

Ping does not work

Today I would like to discuss a banal situation: host A is directly connected to host B, ping from host A to host B does not work. What are...