I have successfully established a tunnel to my endpoint device behind the Airport's firewall (an Astaro firewall), by either opening up the relevant VPN ports or (more simply) making the Astaro the "default device" for any unsolicited incoming connections.
However, the tunnel is unusable because it is not possible to establish static routes on the Airport. VPN tunnels on the Astaro allocate addresses on specific subnets to the endpoints, and these subnets are (by necessity) different to the default LAN subnet that the Airport implements. I can see incoming communications (remote machine->tunnel->Airport->Astaro->node on the LAN) but the LAN node has no way of communicating back, because it does not know that it needs to route the reply back via the Astaro, instead of the Airport.
It follows that the only way to allow full communication over VPN is to set up static routes on the Airport describing the Astaro's VPN subnets, and routing to those subnets via the Astaro.
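To make the asymmetric-routing problem concrete, here is an added example (not from the original post) that models the LAN node and the Airport as longest-prefix-match forwarding tables and traces where the reply to a VPN peer ends up. All addresses (the LAN subnet, the VPN pool, the Airport, Astaro and upstream gateway addresses) are constructed for illustration and are assumptions, not values from the post. It also covers the per-host workaround of adding the route on the LAN node itself, which the post does not mention but which follows from the same lookup logic.

```python
import ipaddress

# Constructed sample addressing (assumptions, not taken from the original post).
LAN = "192.168.1.0/24"            # subnet the Airport serves to LAN nodes
VPN_POOL = "10.242.2.0/24"        # subnet the Astaro allocates to VPN endpoints
AIRPORT = "192.168.1.1"           # default gateway of every LAN node
ASTARO = "192.168.1.2"            # VPN endpoint, itself a host on the LAN
WAN_UPSTREAM = "203.0.113.1"      # the Airport's own default gateway (ISP side)

# Human-readable names for next hops, used when tracing a reply packet.
HOP_NAMES = {
    ipaddress.ip_address(AIRPORT): "airport",
    ipaddress.ip_address(ASTARO): "astaro",
    ipaddress.ip_address(WAN_UPSTREAM): "isp-upstream",
}


class RoutingTable:
    """Minimal forwarding table: most specific (longest prefix) matching route wins."""

    def __init__(self):
        self.routes = []  # list of (network, next_hop); next_hop None means directly connected

    def add(self, network, next_hop=None):
        hop = ipaddress.ip_address(next_hop) if next_hop else None
        self.routes.append((ipaddress.ip_network(network), hop))

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for net, hop in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best  # None when there is no matching route at all


def lan_node_table(node_static=False):
    """What a LAN node knows: its own subnet, a default route, and optionally a static route."""
    t = RoutingTable()
    t.add(LAN)                       # directly connected
    t.add("0.0.0.0/0", AIRPORT)      # everything else goes to the Airport
    if node_static:
        t.add(VPN_POOL, ASTARO)      # per-host workaround: send VPN pool via the Astaro
    return t


def airport_table(airport_static=False):
    """What the Airport knows: the LAN, its WAN default, and (if it allowed it) a static route."""
    t = RoutingTable()
    t.add(LAN)                       # directly connected
    t.add("0.0.0.0/0", WAN_UPSTREAM) # unknown destinations leave via the ISP
    if airport_static:
        t.add(VPN_POOL, ASTARO)      # the static route the post is asking Apple to expose
    return t


def trace_reply(remote_vpn_addr, airport_static=False, node_static=False):
    """Follow a LAN node's reply to a VPN peer hop by hop until it reaches a device
    that is not modelled here (the Astaro forwards into the tunnel; the ISP does not)."""
    tables = {
        "lan-node": lan_node_table(node_static),
        "airport": airport_table(airport_static),
    }
    path = ["lan-node"]
    current = "lan-node"
    while current in tables:
        hit = tables[current].lookup(remote_vpn_addr)
        if hit is None:
            path.append("dropped")
            break
        _net, hop = hit
        if hop is None:
            path.append("direct")
            break
        current = HOP_NAMES[hop]
        path.append(current)
    return path


if __name__ == "__main__":
    peer = "10.242.2.7"  # constructed address of a remote VPN client
    print("no static routes:      ", trace_reply(peer))
    print("static route on Airport:", trace_reply(peer, airport_static=True))
    print("static route on node:   ", trace_reply(peer, node_static=True))
```

Without any static route the reply follows the default route twice and leaves towards the ISP, which is exactly the one-way traffic the post describes; a static route on the Airport turns the second hop towards the Astaro, while a route on the LAN node itself avoids the Airport entirely (at the cost of configuring every host).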
I believe that this is a generic issue, not necessarily limited to Astaro. Other VPN endpoints and servers would no doubt suffer the same problem.
I am sure that the Airport is capable of static routes, being based on the BSD networking and firewall kit, but for some reason Apple has not exposed this as a configuration option.
I have a number of clients who operate small home offices and require VPN access, some of which already use Airport. I cannot recommend Airport for their installations because of this shortcoming, and in some cases it has been necessary to decommission the Airport infrastructure and use Cisco/Linksys instead. It is very unfortunate because in all other respects, Apple has done its usual excellent job in making the system easy to administer and maintain.
Apple, please, PLEASE, PLEASE implement static routes as an "Advanced" configuration option for all Airport devices! This should be a relatively simple thing to do.