FreeBSD's IPSec stack is based on the IPSec implementation from the KAME project (see http://www.kame.net). IPSec is not available in the stock GENERIC
kernel; a customized kernel must be built with the following options added to the kernel configuration file:
    options IPSEC
    options IPSEC_ESP
Once the host has been rebooted into the customized kernel, IPSec is available for use; `sysctl net.inet.ipsec` lists the IPSec tunables on such a kernel and prints nothing on a kernel built without them. Note that later FreeBSD releases changed these requirements (the KAME stack was replaced, IPSEC_ESP no longer exists as an option, and recent GENERIC kernels already include IPSec support), so check /usr/src/sys/conf/NOTES for the release in use.
FreeBSD's IPSec implementation supports both the Authentication Header (AH) and the Encapsulating Security Payload (ESP) protocols, which can be used either together or separately.
AH protects packets from modification in transit: the sender computes a keyed integrity check value (a MAC such as HMAC-SHA1 or HMAC-MD5) over the IP header, with the fields that routers legitimately change (TTL, TOS, header checksum) zeroed out, and over the entire payload. A packet that an attacker alters in a man-in-the-middle position fails this check at the receiver and is discarded. AH does not encrypt the payload, however, so the packet contents remain readable to anyone who can sniff or wiretap the link.
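The following is an added, simplified model of the AH integrity check described above; it is not FreeBSD or KAME code. It builds a constructed IPv4 header and payload, computes an HMAC-SHA1-96 integrity check value over the immutable header fields plus the payload, and then shows which changes a receiver detects (payload or destination rewritten) and which it must tolerate (TTL decremented by a router), while the payload itself stays in cleartext on the wire. The real AH header (SPI, sequence number, the ICV field itself) is also covered by the ICV in RFC 4302 and is omitted here; the key, addresses and payload are made-up sample values.

```python
import hashlib
import hmac
import struct

# Constructed illustration of AH-style integrity protection (not the kernel's
# implementation). HMAC-SHA1-96 = 160-bit HMAC-SHA1 truncated to 96 bits.
ICV_LEN = 12
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4_header(src, dst, ttl, total_length, proto=51):
    """Build a minimal IPv4 header. Protocol 51 is AH."""
    ver_ihl = (4 << 4) | 5
    return struct.pack(IPV4_FMT, ver_ihl, 0, total_length, 0, 0,
                       ttl, proto, 0, src, dst)


def zero_mutable_fields(hdr):
    """Zero the fields routers change in transit so the ICV survives
    forwarding: TOS, flags/fragment offset, TTL and header checksum."""
    fields = list(struct.unpack(IPV4_FMT, hdr))
    fields[1] = 0  # TOS / DSCP
    fields[4] = 0  # flags + fragment offset
    fields[5] = 0  # TTL
    fields[7] = 0  # header checksum
    return struct.pack(IPV4_FMT, *fields)


def ah_icv(key, hdr, payload):
    """Keyed ICV over the immutable header fields and the whole payload."""
    mac = hmac.new(key, zero_mutable_fields(hdr) + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def ah_verify(key, hdr, payload, icv):
    """Receiver-side check; constant-time comparison of the ICV."""
    return hmac.compare_digest(ah_icv(key, hdr, payload), icv)


def demo():
    key = b"constructed-demo-key-not-a-real-sa"  # sample key, not a real SA
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"GET /secret HTTP/1.0\r\n\r\n"  # constructed cleartext payload
    total_len = 20 + ICV_LEN + len(payload)
    hdr = build_ipv4_header(src, dst, 64, total_len)
    icv = ah_icv(key, hdr, payload)
    on_wire = hdr + icv + payload  # AH adds an ICV, never hides the payload

    return {
        # untouched packet passes
        "intact": ah_verify(key, hdr, payload, icv),
        # a router decrementing TTL is tolerated (mutable field)
        "ttl_decremented": ah_verify(
            key, build_ipv4_header(src, dst, 63, total_len), payload, icv),
        # same-length payload edit by a man in the middle is caught
        "payload_tampered": ah_verify(
            key, hdr, b"GET /public HTTP/1.0\r\n\r\n", icv),
        # rewriting the destination address is caught
        "dst_rewritten": ah_verify(
            key, build_ipv4_header(src, bytes([10, 0, 0, 3]), 64, total_len),
            payload, icv),
        # the payload is still readable by anyone sniffing the link
        "payload_visible_on_wire": payload in on_wire,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The TTL case is the practical reason the mutable fields are zeroed: without that, every hop would invalidate the ICV. The last entry is the caveat from the text in executable form: AH gives you integrity and origin authentication, not confidentiality.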
On the other hand, ESP offers...