Using IKEv2 i dont think you can achieve what you are trying to do. However, if you use IKEv1 then you can use user certs for the IKEv1 phase 1 authentication and then use user credentials for XAUTH. With IKEv2 it just a one authentication, either user certs, EAP-TLS or EAP-PEAP
Regards,
Sathya