Test RFC 4945 PKI Profile for IKE/ISAKMP/PKIX's Extended Key Usage

See https://datatracker.ietf.org/doc/html/rfc4945#section-5.1.3.12

   Implementations that do support EKU MUST support the following
   logic for certificate validation:

   o  If no EKU extension, continue.

   o  If EKU present AND contains either id-kp-ipsecIKE or
      anyExtendedKeyUsage, continue.

   o  Otherwise, reject cert.

See `westrun.sh` for the combinations tried.

The script eku.sh

  - generates a cert using `ipsec certutil` with EKU based on param

  - dumps the cert for visual verification

  - starts pluto

  - generates a connection with name based on param

  - tries to establish the connection

  - shuts down pluto

For instance:

      ./eku.sh codeSigning-ipsecIKE

generate the cert with:

   ipsec certutil -n west-eku-codeSigning-ipsecIKE --extKeyUsage codeSigning,ipsecIKE ...

and the connection with:

   ipsec whack --name west-eku-codeSigning-ipsecIKE --cert=west-eku-codeSigning-ipsecIKE ...

Note: since all the basic certs no EKU the test with west-eku-missing
(i.e., no EKU) is redundant

Note: pluto is started a-fresh so that each exchange uses the state
serial numbers #1 and #2.
