Setting the window size for replay protection with setkey does not provide decent protection?

On Fri, May 29, 2009 at 3:00 PM, Dan McDonald <danmcd@sun.com> wrote:
On Fri, May 29, 2009 at 02:50:18PM -0400, Doug Baggett wrote:
> So after getting IPSEC running using racoon and SPD after reading the howto.
> It occurred to me that doing PSK with SPD directly instead of using racoon
> for a simple point to point setup seems a whole lot easier. (plus no ports
> needed for automatic keying).

You mean manually-added IPsec SAs?

> Can somebody give me the reasons why I might want to stay with racoon over
> SPD on a simple setup like I described?

If you have a sufficiently motivated adversary, he/she can capture your
traffic and replay it.  There's no replay protection without key refreshment.

Dan
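As an added illustration of Dan's point (example code, not from the thread or from any IPsec implementation): a small model of the RFC 4303 anti-replay sliding window on one SA, showing that a manually keyed SA that comes back with the same key after a restart accepts every previously captured packet again, while a rekeyed SA rejects them. The key identifiers, window size and packet counts are constructed.

```python
# Added example, not from the original thread: a model of the ESP anti-replay
# sliding window (RFC 4303 Appendix A) on one SA, used to show why a window set
# with setkey does not help once a manually keyed SA is reused after a restart.
# Key ids, window size and packet counts are constructed values.

class Receiver:
    """Receiver-side state for one SA: the key it was created with, the highest
    sequence number accepted so far, and a bitmap of the last `size` numbers."""

    def __init__(self, key_id, size=64):
        self.key_id = key_id
        self.size = size
        self.top = 0       # highest sequence number accepted
        self.bitmap = 0    # bit i set => sequence number (top - i) already seen

    def accept(self, key_id, seq):
        """True if the packet is fresh and authenticates under this SA's key."""
        if key_id != self.key_id:
            return False   # ICV computed under another key: dropped
        if seq == 0:
            return False   # ESP never uses sequence number 0
        if seq > self.top:                     # advance the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False   # older than the window, or a duplicate inside it
        self.bitmap |= 1 << offset
        return True


def simulate(rekey_on_restart, window_size=64, sent=200):
    """One SA carries `sent` packets, an observer records all of them, then both
    ends restart. A manual setkey SA comes back with the same key (no rekey);
    an IKE daemon such as racoon would negotiate a new SA with a fresh key.
    Returns how many captured packets are accepted (live, after restart)."""
    key = "manual-psk-sa"                       # constructed key identifier
    rx = Receiver(key, window_size)
    captured = [(key, seq) for seq in range(1, sent + 1)]  # constructed capture
    for pkt in captured:
        assert rx.accept(*pkt)                  # legitimate traffic gets through
    live = sum(rx.accept(*pkt) for pkt in captured)        # replay while SA is live
    rx = Receiver("ike-negotiated-sa" if rekey_on_restart else key, window_size)
    after = sum(rx.accept(*pkt) for pkt in captured)       # replay after restart
    return live, after
```

`simulate(False)` returns `(0, 200)`: the window stops replays while the SA is live, but after a restart with the same key all 200 captured packets are accepted; `simulate(True)` returns `(0, 0)`.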