You don't actually have to use XAuth (you can use a shared IKE user in a group with additional IKE users containing similar IKE IDs) but it's recommended for additional security.
You can't edit a user that's currently in use by a VPN gateway, so the easiest way around this (other than deleting the VPN definition and starting from scratch) is to create a temporary dummy IKE user, then modify the VPN gateway to use this user. You should now be able to edit the original user (bumping up the Multiple Logins number), add it to a new group, modify the VPN gateway again to use the new group containing the original IKE user, and delete the dummy user.
You now have a choice between adding additional IKE users or additional XAuth users.