Type of cerificate is not checked. If XAUTH if used in IKE phase I, it's possible to user proxy attack for challenge-response based authentication.
vulners.com/securityvulns/securityvulns:doc:5528