Linux and FreeBSD have both got kernel TLS support (not sure if freebsd got merged yet but Netflix have used it fir a while)

Netflix's TLS support is an extremely limited hack that suits their performance needs. It does not support initial session negotiation or rekeying. They do the former in userspace before handing off a symmetric key to the kernel, and drop connections in the latter case, relying on the client to reconnect. There's no chance it will be merged to FreeBSD; it's not a general solution.

As long as we're talking about TLS and IPSec, though, I'd point to Wireguard as maybe something viable for kernel use.

The Linux kernel TLS support does the same.

For what it's worth, NFS-Ganesha is a serious userland server.