Marc Goldberg's Blog
Apple bug #7720101: TC/AEBS doesn’t map L2TP VPN ports

There is a bug with Apple’s Time Capsule/Airport Express Base Station (TC/AEBS) rendering L2TP servers on the LAN unusable:

When the TC/AEBS is used as a router providing NAT services to the LAN, it will NOT under any circumstances provide port mapping services for 500/UDP, 1701/UDP, & 4500/UDP, making L2TP VPN servers on the LAN side of the TC/AEBS unreachable from the WAN/Internet side.

The conditions for my tests:

  • 3 different external networks used for all tests: MacBook Air at home on TWC network, the Air on AT&T mobile dongle, & CentOS server at ThePlanet.
  • MobileMe configuration was removed from both the TC/AEBS & Snow Leopard Server on the LAN.
  • I used port 501 for my control-test; spot checks of other ports worked as well, though they were all < 10000.
  • Simultaneous local and server monitoring of port traffic using
    tcpdump -vvv -i en0 -s 0 -X port 500 or port 1701 or port 4500 or port 501
  • The TC/AEBS was configured to forward UDP ports 501, 500, 1701, & 4500 received from the WAN interface to the Snow Leopard Server on the LAN.
  • The port forwarding was accomplished both 1) manually via AirPort Utility, and 2) automatically via Snow Leopard Server’s Server Preferences utility. Each was tested separately.

The tests:

  • Netcat with the following commands, in turn, on the server:
    nc -l -u 501
    nc -l -u 500
    nc -l -u 1700
    nc -l -u 4500

    Each of these dumps any traffic arriving on the specified UDP port to stdout, which provides a confirmation of the tcpdump output.
  • On the various external networks, nc -u WAN-address-of-AEBS.example.com 501 to send UDP packets on port 501. The output of the nc -l -u 501 command and the server-run tcpdump confirmed that packets left the client and made it to the server as expected. Remember, 501 is the control-test.
  • For each test permutation on ports 500, 1700, & 4500, no packets made it to the server.
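The same control-port-versus-test-port method, scripted as an added example (not from the original post): the server side stands in for the nc -l -u listeners, the client side for nc -u, and classify() reads the result the way the post does. Hostnames and ports are passed in by the caller; the loopback self-check uses unprivileged ports so it needs neither root nor a NAT in the path.

```python
import socket
import time
# Control port and the three UDP ports the post found the TC/AEBS never forwards
# (500 = IKE, 1701 = L2TP, 4500 = IPsec NAT-T).
CONTROL_PORT, TEST_PORTS = 501, (500, 1701, 4500)

def bind_listeners(ports, bind_addr="0.0.0.0"):
    # Server side: one UDP socket per port, standing in for `nc -l -u PORT`.
    socks = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((bind_addr, port))
        s.settimeout(0.1)
        socks.append((port, s))
    return socks

def collect_probes(socks, duration):
    # Poll the listeners for `duration` seconds; return the ports that saw a tagged probe.
    received, deadline = set(), time.monotonic() + duration
    while time.monotonic() < deadline and len(received) < len(socks):
        for port, s in socks:
            try:
                data, _ = s.recvfrom(65535)
            except socket.timeout:
                continue
            if data.startswith(b"probe:"):
                received.add(port)
    for _, s in socks:
        s.close()
    return received

def send_probes(host, ports, repeat=3):
    # Client side, run from outside the NAT (like `nc -u HOST PORT`); repeated because UDP is lossy.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for _ in range(repeat):
            for port in ports:
                s.sendto(b"probe:%d" % port, (host, port))
            time.sleep(0.05)

def classify(received, control_port=CONTROL_PORT, test_ports=TEST_PORTS):
    # No control packet means the test path itself is broken; otherwise every silent test port is dropped by the NAT.
    if control_port not in received:
        return {"valid": False, "blocked": []}
    return {"valid": True, "blocked": sorted(p for p in test_ports if p not in received)}

def loopback_self_test(control_port, test_ports):
    # Validate the harness on 127.0.0.1: bound sockets buffer datagrams, so send first, then read back.
    ports = [control_port, *test_ports]
    socks = bind_listeners(ports, "127.0.0.1")
    send_probes("127.0.0.1", ports, repeat=1)
    return classify(collect_probes(socks, 1.0), control_port, test_ports)
```

In a real run, bind_listeners()/collect_probes() execute on the LAN server and send_probes() on the external client, with the received set carried back by hand or over a side channel.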

Based on some web research, I’m not the only one to have found trouble with this configuration, but I haven’t been able to find any conclusive tests.

I’ve filed a bug with Apple (#7720101) and encourage you to do the same.
