ha: Destroy incomplete IKE_SAs after de-/activating a segment

ha: Destroy incomplete IKE_SAs after de-/activating a segment

The node that gets activated usually won't be able to complete the
IKE_SA mainly because the IKE keys are now derived delayed, so the key
material required to process a message often won't be available (only
later IKE_AUTH messages and retransmits of earlier messages that the
active node already received and synced the keys for may be decrypted).

A second issue affects IKE_SAs with multiple key exchanges.  Because the
IntAuth value(s) are currently not synced, which are necessary to
verify/create the AUTH payloads, the IKE_AUTH exchange couldn't be
completed.