IKEv2 labeled IPsec using XFRM, using auto=route (ondemand) to trigger
an initial IKE SA plus IPsec SA based on the ACQUIREd sec_label.

A test on port 4300 using netcat and getpeercon_server to confirm traffic
flow and label.

A shutdown is issued to verify no kernel state is left behind

The way labeled IPsec works is that:
- There is ONE set of SPD policies with the configured sec_label
- There are TWO sets of SPD states with the ACQUIREd sec_label,
  each tunnel is only used in one direction. These have the same
  reqid as the policy set.
- For subsequent tunnels, NO new SPD policies are added, only new
  SPD states. It all has the same reqid. The LSM/XFRM code handles
  picking the right one for the right sec_label

Note, the installed policies on the template ALSO function as the %trap
policy for when the security label does not match an existing SPD state.
