charon-nm: Actually use the created XFRM interface

charon-nm: Actually use the created XFRM interface

The created XFRM interface was not actually used (no interface IDs on the
SAs, no routes via interface).  It was basically treated like the dummy
TUN device.  To actually install the routes via XFRM interface, we have
to create it before we install the SAs and policies, signal_ip_config()
happens too late.  We also have to mark the ESP packets the same as IKE
the packets to avoid a routing loop if the server's IP is included in
the remote traffic selector (in particular if it's 0.0.0.0/0 or ::/0).

Fixes: 58f278f93239 ("charon-nm: Use an XFRM interface if available")