wip: ike-init: Prototypical (optional) IKE_AUX exchange for QSKE mechanisms

The QSKE payloads are, by default, exchanged in a separate IKE_AUX exchange
after IKE_SA_INIT to leverage IKEv2 fragmentation. It would be possible
to do that directly in IKE_SA_INIT (DH is currently not optional, though).

Rekeying is always done with a single CREATE_CHILD_SA exchange (again,
DH is currently not optional).

The key material is derived by concatenating the DH and QSKE secrets.

wip: DH could theoretically be made optional if QSKE is used (only during
rekeying, or when not using IKE_AUX also during IKE_SA_INIT)

wip: HA and the ike_keys() hook on listener_t currently handle only
classic key derivation.

wip: Retransmits of IKE_AUX requests will fail after changing the keys?
We either have to keep the old keys around, or use hashes to detect
retransmits (tricky with fragments, unless we retransmit the message
even if we receive the retransmit of just one fragment).
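
The derivation by concatenation described in the message above, as an added sketch that is not code from this commit or project. It assumes the QSKE secret is appended to the DH secret wherever RFC 7296 uses g^ir (sections 2.14 and 2.18) and that the PRF is HMAC-SHA-256; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256 (assumed here; the negotiated PRF may differ)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13: T1 | T2 | ..., truncated to length."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ is limited to 255 blocks")
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]


def skeyseed_initial(ni, nr, dh_secret, qske_secret=b""):
    # Assumption: the QSKE secret is appended to the DH secret (g^ir).
    return prf(ni + nr, dh_secret + qske_secret)


def skeyseed_rekey(old_sk_d, ni, nr, dh_secret, qske_secret=b""):
    # RFC 7296 section 2.18 rekey form with the same assumed concatenation.
    return prf(old_sk_d, dh_secret + qske_secret + ni + nr)


def derive_ike_keys(skeyseed, ni, nr, spi_i, spi_r, key_len=32):
    """Split prf+(SKEYSEED, Ni | Nr | SPIi | SPIr) into the seven SK_* keys."""
    names = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, key_len * len(names))
    return {n: stream[i * key_len:(i + 1) * key_len] for i, n in enumerate(names)}


# Constructed sample values, not taken from any real exchange.
NI, NR = b"\x11" * 32, b"\x22" * 32
SPI_I, SPI_R = b"\xaa" * 8, b"\xbb" * 8
DH_SECRET, QSKE_SECRET = b"\x33" * 32, b"\x44" * 32

if __name__ == "__main__":
    seed = skeyseed_initial(NI, NR, DH_SECRET, QSKE_SECRET)
    for name, key in derive_ike_keys(seed, NI, NR, SPI_I, SPI_R).items():
        print(name, key.hex())
```

Both secrets enter the same PRF input, so every SK_* value changes if either one changes, which is also why a listener or HA peer that only receives the DH secret cannot reproduce the keys.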