OK, I do not have a common configuration here. I have always struggled with IPSEC tunnels with my previous and current Drayteks, which UK support were unable to resolve, blaming it on Openreach modems etc.
With crApple withdrawing support for PPTP VPNs from iOS, I had to get my backside into gear to find a solution. Having got it working at one of bro’s sites, I started investigating differences…
Turns out, with simultaneous routed IP and NAT’d vLANs, many things stop working, including IPSEC VPNs. With the current range allowing more than the pathetically limited 8 IP WAN Aliases of the 2920 and others from that era, there is little reason not to be using NAT even for those with up to a /27 public range (my 2860ac supports up to 32 WAN Aliases).