You need to enable IPsec in the kernel if it's not there already.

    cd /usr/src/sys/i386/conf/
    cp GENERIC MYKERNEL

Edit MYKERNEL and add the following option and device:

    options IPSEC_ESP
    device crypto

Build the new kernel:

    config MYKERNEL
    cd ../compile/MYKERNEL
    make depend && make

Back up the old kernel:

    mv /boot/kernel/kernel /boot/kernel/kernel.old

Move the new kernel in place:

    mv kernel /boot/kernel/kernel

Restart the machine.

To install racoon2:

    cd /usr/ports/security/racoon2/
    make install

The racoon2 cfg files are located in /usr/local/etc/racoon2.

1. Copy the sample cfg files to the default ones:

       cp default.conf.sample default.conf
       cp racoon2.conf.sample racoon2.conf
       cp tunnel_ike.conf.sample tunnel_ike.conf

   Edit the config files to suit your IP address configuration and proposals.

   default.conf holds all default parameters. Don't modify this unless you know what you're doing.

   racoon2.conf: In this file you specify the IP that the BSD will use for IKE communication. Set it to the same IP as on the network interface you want to tunnel through. Also, make sure that "/usr/local/etc/racoon2/tunnel_ike.conf" is included here.

   tunnel_ike.conf: In this file you specify the algorithms and traffic selectors for the remote peers that you want to be able to talk IPsec to. (If you need more than one, make several copies of the file and include them in racoon2.conf.)

2. Example of how to create a 70-byte preshared key:

       echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | head -c 70 >> /usr/local/etc/racoon2/psk/test.psk

   (head -c 70 keeps exactly the first 70 bytes, so the trailing byte that echo appends is not written to the key file. Note that >> appends: run this against a fresh file, or the key file grows beyond 70 bytes.)

3. If you want to access the remote peer directly from the BSD machine, and you have a tunnel mode SA set up, you need to add a static route for the traffic selectors' IP addresses. Otherwise BSD will try to route the traffic out to the default gateway.

       route add -net 192.168.1.0/24 -gateway 192.168.1.1

4. Start spmd:

       spmd

5. Start iked (example for starting in a detachable screen):

       screen iked -v -f /usr/local/etc/racoon2/racoon2.conf -F
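As an added example (not part of the original notes and not racoon2's own tooling), the following POSIX shell functions produce a key of the same 70-byte length as step 2, but drawn from /dev/urandom instead of a fixed string, write it into the racoon2 psk directory readable only by its owner, and let you check the resulting byte count and mode before pointing tunnel_ike.conf at it. The PSK_DIR variable, the --write flag and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: generate a printable 70-byte
# pre-shared key for racoon2 from /dev/urandom and store it owner-readable.
# Assumes: POSIX sh, head, base64, tr, wc, ls, cut, and /dev/urandom.
# PSK_DIR and the --write flag are this example's own conventions.

PSK_DIR="${PSK_DIR:-/usr/local/etc/racoon2/psk}"

# gen_psk LEN: print LEN random printable characters with no trailing newline.
# LEN raw bytes base64-encode to at least LEN characters, so trimming is safe.
gen_psk() {
    len="$1"
    head -c "$len" /dev/urandom | base64 | tr -d '\n' | head -c "$len"
}

# write_psk FILE LEN: create FILE (mode 0600) holding a LEN-byte key.
# Uses > rather than >>, so re-running replaces the key instead of appending.
write_psk() {
    file="$1"
    len="$2"
    # umask runs in a subshell so the caller's umask is left untouched
    ( umask 077 && gen_psk "$len" > "$file" )
}

# psk_len FILE: print the byte length of FILE (should equal the LEN used).
psk_len() {
    wc -c < "$1" | tr -d ' '
}

# psk_mode FILE: print the symbolic permission string, e.g. -rw-------
psk_mode() {
    ls -l "$1" | cut -c1-10
}

# Usage (only runs when explicitly asked, so sourcing the file has no side effects):
#   sh make_psk.sh --write   -> writes $PSK_DIR/test.psk and reports length and mode
if [ "${1:-}" = "--write" ]; then
    write_psk "$PSK_DIR/test.psk" 70
    echo "wrote $PSK_DIR/test.psk: $(psk_len "$PSK_DIR/test.psk") bytes, mode $(psk_mode "$PSK_DIR/test.psk")"
fi
```

The key is kept to the base64 alphabet so it stays a plain printable string like the one in step 2, and the 0600 mode matters because anyone who can read the psk file can authenticate as either end of the tunnel.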