On 13.x the IPSEC kernel module is loadable and a stub is in the GENERIC declaration. Strongswan's RC file does not kldload the module, and thus while it comes up and runs attempting to connect will fail with a rather cryptic message on the client claiming authentication was unsuccessful when in fact it succeeded but the kernel on the server end could not insert the SPI entries. kldload ipsec fixes it; ergo that should be in the startup script so the ipsec module is present before the software starts.
(In reply to karl from comment #0) Aid can be found in /etc/rc.subr, function call to load_kld. For reference /etc/rc.d/pfsync seems to be a straight-forward example. I have ipsec in my kernel config, so wanted to make sure this wasn't going to be a problem ;)
Weird, the rc script already has required_modules="ipsec" so it should kldload the module. Are you sure that's the problem?
Ah, this appears to be a function of the nanobsd build I am running -- it grabbed the previous version of the rc script and overwrote it on boot. Closed; the "stock" one has the kldload call in it -- my bad.