Rework key_allocsa_policy() function.

Remove old code used for allocating SA for outbound packet.
Now only key_allocsa_policy() function will be used for this.
As arguments it takes security policy that was found by
ipsec[46]_checkpolicy() and secasindex constructed using information
from policy and mbuf. Using secasindex we do lookup in SAH hash table,
then based on key_preferred_oldsa variable we take LAST or FIRST
element from SAH's savtree_alive. If correspondig SAH entry was not
found, we acquire SA from IKEd using key_acquire() function.