This is still WIP, so the following just represents a brain dump so I know where to pick up when I come back to this again.
It seems that the current state of Linux is that the KAME patches are integrated into the kernel. All that is required to run IPSec is to configure it correctly, which apparently can be done mostly in two ways using strongSwan or KAME's original racoon.
I'm unsure whether the kernel in DD-WRT v3.0-r29396 giga (04/04/16) contains everything needed to run strongSwan or racoon. Packages for strongSwan and ipsec-tools appear to be available via ipkg from OpenWrt once I enable jffs2 in the GUI under »Administration«.
The problem with running OpenWRT directly is that (as of 2016-02-08) there are no open-source drivers for the 5GHz module.
Also note that DD-WRT for Netgear's R6300v1 is based on the brcm47xx branch of OpenWrt (as indicated for example by
cat /etc/ipkg.conf) unlike R6300v2 which relies on bcm53xx.
This is in spite of the CPU model of the former being reported as »Broadcom BCM5300 chip rev 1«.