VPN Server on Cloud Router at AWS

If you got the “first L2TP packet seen” log message, and you haven’t opened UDP port 1701 on the firewall in front of the CHR, it is clear that you use L2TP over IPsec and that the IPsec part came up fine (otherwise the L2TP packet would not make it through).

Now it is time to set /system logging add topics=l2tp, then run /log print follow-only where topics~"l2tp" and try to connect your iDevice again. Just bear in mind to connect just one device from the same network at a time - L2TP/IPsec doesn’t like two clients connecting from behind the same public IP unless you take special measures which may be above your head for the time being (it’s actually above my own head although I have developed that workaround myself). The log should tell you what’s wrong; if it doesn’t, don’t hesitate to copy-paste it here. See the hint in my automatic signature below for anonymisation.