Libreswan can be compiled using HAVE_STATSD=true

This will cause libreswan to log all state changes by calling a
binary, currently hardcoded to /bin/libreswan-statsd

It will log the state changes as arguments to that binary which is called
using system()

As an example, to log these to a file called /tmp/stats.out you can do:

cat > /bin/libreswan-statsd < EOF
#!/bin/sh

echo "$*" >> /tmp/stats.out
EOF
chmod 755 /bin/libreswan-statsd


Example output (where we have a conn l2tp-psk)

push ipsec-tunnel-l2tp-psk if_stats /proc/net/dev/eth0 ; push ipsec-tunnel-l2tp-psk tunnel phase1up ; push ipsec-tunnel-l2tp-psk phase1 unknown ; push ipsec-tunnel-l2tp-psk phase2 unknown nfmark me/him 4986003/4986003
push ipsec-tunnel-l2tp-psk if_stats /proc/net/dev/eth0 ; push ipsec-tunnel-l2tp-psk tunnel phase2 ; push ipsec-tunnel-l2tp-psk phase1 unknown ; push ipsec-tunnel-l2tp-psk phase2 neg nfmark me/him 4986003/4986003
push ipsec-tunnel-l2tp-psk if_stats /proc/net/dev/eth0 ; push ipsec-tunnel-l2tp-psk tunnel up ; push ipsec-tunnel-l2tp-psk phase1 unknown ; push ipsec-tunnel-l2tp-psk phase2 unknown nfmark me/him 4986003/65536
push ipsec-tunnel-l2tp-psk if_stats /proc/net/dev/eth0 ; push ipsec-tunnel-l2tp-psk tunnel phase1up ; push ipsec-tunnel-l2tp-psk phase1 unknown ; push ipsec-tunnel-l2tp-psk phase2 unknown nfmark me/him 4986003/65536
push ipsec-tunnel-l2tp-psk if_stats /proc/net/dev/eth0 ; push ipsec-tunnel-l2tp-psk tunnel unknown ; push ipsec-tunnel-l2tp-psk phase1 unknown ; push ipsec-tunnel-l2tp-psk phase2 unknown nfmark me/him 4986003/4986003
push ipsec-tunnel-l2tp-psk if_stats /proc/net/dev/eth0 ; push ipsec-tunnel-l2tp-psk tunnel phase1up ; push ipsec-tunnel-l2tp-psk phase1 unknown ; push ipsec-tunnel-l2tp-psk phase2 unknown nfmark me/him 4986003/65536
push ipsec-tunnel-l2tp-psk if_stats /proc/net/dev/eth0 ; push ipsec-tunnel-l2tp-psk tunnel unknown ; push ipsec-tunnel-l2tp-psk phase1 unknown ; push ipsec-tunnel-l2tp-psk phase2 unknown nfmark me/him 4986003/4986003

The last two numbers are the SAref number (converted to the NFMARK numbers,
so directly usable for iptables)