I would like to support the idea of protecting the user's identity against active attacks in IKEv2 for the remote access case (i.e. EAP message exchange), as recently raised by Hugo, Hannes and Scott.
In the SHAMAN project, we identified this to be an important/essential requirement for access to future mobile networks. In GSM and UMTS, this is also a well-established requirement which is "solved" by using temporary identities (this can be circumvented by using "false base station attacks"). Not protecting the user's identity against active attacks would mean ignoring long-identified security requirements and may allow a bogus access network to get hold of the user's identity.
Dr. Scarlet Schwiderski-Grosche
Information Security Group