Because I do not trust WPA2 Wifi encryption for sensitive data, I implemented IPSec in transport mode between my NAS and my Mac.

Mac OS X

Open the file containing the pre-shared keys:

sudo vim /etc/racoon/psk.txt

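And add the IP address of the FreeBSD box, followed by the pre-shared key ("password" is a placeholder; use a long random secret and keep this file readable by root only):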

10.0.1.5      password

Add to /etc/racoon/racoon.conf

# IKE phase 1 (ISAKMP) parameters used when talking to the NAS at 10.0.1.5, UDP port 500.
remote 10.0.1.5 [500]
{
  # Main mode; both ends identify themselves by IP address (see the two
  # *_identifier lines below), which is also the lookup key used in psk.txt.
  exchange_mode main;
  doi ipsec_doi;
  situation identity_only;

  my_identifier   address 10.0.1.6;
  peers_identifier        address 10.0.1.5;

  lifetime        time 8 hour;
  passive         off;
  # NOTE(review): with "obey" a responder accepts the initiator's lifetime and
  # PFS values; racoon.conf(5) also documents "strict", "claim" and "exact".
  # Both ends on this page use identical parameters, so "strict" looks usable — confirm.
  proposal_check  obey;
  # SPD entries are not generated from the peer's proposal; they come from setkey.conf.
  generate_policy off;

  proposal {
    encryption_algorithm    aes 256;
    hash_algorithm          sha512;
    # Peer authentication rests entirely on the shared secret in psk.txt, so that
    # secret should be long and random and the file readable by root only.
    authentication_method   pre_shared_key;
    # NOTE(review): 30 sec differs from the 8 hour lifetime set above and would make
    # phase 1 renegotiate very often — confirm which value is intended.
    lifetime time           30 sec;
    # Diffie-Hellman group 16 (4096-bit MODP).
    dh_group                16;
  }
}

# Mac <-> NAS transport
# IPsec (phase 2) SA parameters for traffic between the Mac (10.0.1.6) and the
# NAS (10.0.1.5), any upper-layer protocol on both sides.
sainfo address 10.0.1.6 any address 10.0.1.5 any {
  # PFS: each phase 2 negotiation does its own DH exchange in group 16, so IPsec
  # keys are not derived solely from the phase 1 key material.
  pfs_group 16;
  encryption_algorithm aes 256;
  authentication_algorithm hmac_sha512;
  compression_algorithm deflate;
}

/etc/racoon/setkey.conf:

#!/usr/sbin/setkey -f

## Flush the SAD and SPD
#
flush;
spdflush;


# Mac <-> NAS transport
# Security policies for all traffic ("any" upper-layer protocol) between the Mac
# (10.0.1.6) and the NAS (10.0.1.5): ESP and AH, both in transport mode.
# Level "require" means an SA must exist for matching packets, so traffic between
# the two hosts is not sent in the clear while no SA has been negotiated.
# The "out" and "in" policies must mirror the "in" and "out" policies on the NAS.
spdadd 10.0.1.6 10.0.1.5 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.0.1.5 10.0.1.6 any -P in ipsec esp/transport//require ah/transport//require;

FreeBSD 10

First you need to compile a kernel that supports IPSec. Check the FreeBSD Handbook for how to do that; the kernel configuration file needs these lines:

options         IPSEC
device          crypto
options         IPSEC_FILTERTUNNEL
device          enc

Assuming you are running a kernel that supports IPSec:

cd /usr/ports/security/ipsec-tools
make install

Pre-shared keys:

vim /usr/local/etc/racoon/psk.txt

And add the IP address of the Mac with the same pre-shared key, then restrict the file's permissions so only its owner can read it:

10.0.1.6      password
chmod 0600 /usr/local/etc/racoon/psk.txt

Setup: /usr/local/etc/racoon/racoon.conf:

# Search this file for pre-shared keys; entries are looked up by peer ID
# (here: the peer's IP address). The file holds secrets and must not be
# readable by other users.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
# Not exercised by this setup, which authenticates with a pre-shared key.
path certificate "/etc/cert" ;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
  maximum_length 20;      # maximum padding length.
  randomize off;          # enable randomize length.
  strict_check off;       # enable strict check.
  exclusive_tail off;     # extract last one octet.
}

# If no listen directive is specified, racoon will listen to all
# available interface addresses.
# Here IKE is bound to the NAS address 10.0.1.5, UDP port 500, only.
listen
{
  isakmp          10.0.1.5 [500];
}

# Default values for the various timers.
timer
{
  # These values can be changed per remote node.
  counter 10;             # maximum trying count to send.
  interval 3 sec; # interval to resend (retransmit)
  persend 1;              # the number of packets per a send.

  # timer for waiting to complete each phase.
  phase1 30 sec;
  phase2 30 sec;
}

# IKE phase 1 (ISAKMP) parameters used when talking to the Mac at 10.0.1.6, UDP port 500.
remote 10.0.1.6 [500]
{
  # Main mode; both ends identify themselves by IP address (see the two
  # *_identifier lines below), which is also the lookup key used in psk.txt.
  exchange_mode   main;
  doi             ipsec_doi;
  situation       identity_only;
  my_identifier   address 10.0.1.5;
  peers_identifier        address 10.0.1.6;
  lifetime        time 8 hour;
  passive         off;
  # NOTE(review): with "obey" a responder accepts the initiator's lifetime and
  # PFS values; racoon.conf(5) also documents "strict", "claim" and "exact".
  # Both ends on this page use identical parameters, so "strict" looks usable — confirm.
  proposal_check  obey;
  # SPD entries are not generated from the peer's proposal; they come from setkey.conf.
  generate_policy off;

    proposal {
      encryption_algorithm    aes 256;
      hash_algorithm          sha512;
      # Peer authentication rests entirely on the shared secret in psk.txt, so that
      # secret should be long and random.
      authentication_method   pre_shared_key;
      # NOTE(review): 30 sec differs from the 8 hour lifetime set above and would make
      # phase 1 renegotiate very often — confirm which value is intended.
      lifetime time           30 sec;
      # Diffie-Hellman group 16 (4096-bit MODP).
      dh_group                16;
    }
}

# NAS <-> Mac transport
# IPsec (phase 2) SA parameters for traffic between the NAS (10.0.1.5) and the
# Mac (10.0.1.6), any upper-layer protocol on both sides.
sainfo address 10.0.1.5 any address 10.0.1.6 any {
  # PFS: each phase 2 negotiation does its own DH exchange in group 16, so IPsec
  # keys are not derived solely from the phase 1 key material.
  pfs_group 16;
  encryption_algorithm aes 256;
  authentication_algorithm hmac_sha512;
  compression_algorithm deflate;
}

Setup: /usr/local/etc/racoon/setkey.conf:

# Clear the SAD (flush) and the SPD (spdflush) before loading the policies below.
flush;
spdflush;

# NAS <-> Mac transport
# Security policies for all traffic ("any" upper-layer protocol) between the NAS
# (10.0.1.5) and the Mac (10.0.1.6): ESP and AH, both in transport mode.
# Level "require" means an SA must exist for matching packets, so traffic between
# the two hosts is not sent in the clear while no SA has been negotiated.
# The "out" and "in" policies must mirror the "in" and "out" policies on the Mac.
spdadd 10.0.1.5 10.0.1.6 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.0.1.6 10.0.1.5 any -P in ipsec esp/transport//require ah/transport//require;

Configure the pf rules in /etc/pf.conf:

# IPSec
# Let IKE (UDP port 500) and the IPsec protocols ESP and AH through the firewall.
# "quick" makes a matching rule final, so later rules cannot block this traffic.
# NOTE(review): every rule matches "from any to any". The only peer configured on
# this page is 10.0.1.6, so the rules could presumably be narrowed to that
# address — confirm no other IPsec peers exist first.
# NOTE(review): ipencap (IP-in-IP) is normally only needed for tunnel mode, while
# the policies in setkey.conf use transport mode — the two ipencap rules may be
# unnecessary; verify before removing.
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port=500 to any port=500
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port=500 to any port=500

Add to /etc/rc.conf

# IPSec
# Load the security policies at boot by running setkey on the file below, so the
# "require" policies are in place before any traffic to the Mac is exchanged.
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
# Start the racoon IKE daemon at boot; without it no SAs can be negotiated and
# the "require" policies would block traffic between the two hosts.
racoon_enable="yes"

Run:

sysctl net.inet.ipsec.filtertunnel=1
sysctl net.inet6.ipsec6.filtertunnel=1

Add to /etc/sysctl.conf to persist:

# IPSec filtering
net.inet.ipsec.filtertunnel=1
net.inet6.ipsec6.filtertunnel=1