On Time Capsule and AirPort Extreme, shut off the Back To My Mac and enable VPN Passthrough. That'll have the proper ports enabled for you.
As for your question:
Depending on the exact set-up of the network, L2TP requires UDP ports 500, 1701 and 4500, and the ESP protocol, which is IP protocol 50.
Other than ESP (which is protocol 50 and not port 50), these are UDP ports, and not TCP.
It is common for L2TP passthrough to fail when more than one connection is active.
As compared with L2TP, PPTP is usually easier to get going when there's NAT around, though PPTP is less secure than L2TP.
Use of an external firewall-gateway with an embedded VPN server is recommended. (NAT passthrough is something best avoided.)
Also ensure your ISP is not blocking VPN connections. There are ISPs that block server-oriented ports on the residential service tier. (If you're on a business-class tier, ignore this.)
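As an added example (not code from this thread, from Apple, or from any router vendor), here is a small Python check that compares a list of passthrough/forwarding rules against the requirements the answer above lists, and flags the mistakes that answer warns about: opening TCP instead of UDP, and opening "port 50" when ESP is IP protocol 50. The rule format, `(proto, number)` tuples, is an assumption of the example.

```python
# Added example: validate a NAT passthrough / port-forward rule list for L2TP over IPsec.
# Not code from the thread; the (proto, number) rule format is this example's own assumption.

# Requirements as stated in the answer: three UDP ports plus ESP, which is IP protocol 50.
REQUIRED = {
    ("udp", 500): "IKE / ISAKMP",
    ("udp", 4500): "IPsec NAT traversal (IKE and ESP-in-UDP)",
    ("udp", 1701): "L2TP",
    ("ip", 50): "ESP (IP protocol 50, not a port)",
}

L2TP_UDP_PORTS = {500, 4500, 1701}


def check_rules(rules):
    """rules: iterable of (proto, number).

    proto "tcp"/"udp": number is a port.
    proto "ip": number is an IP protocol number (50 = ESP).
    proto "esp": shorthand for ("ip", 50).

    Returns (missing, warnings): missing maps each absent requirement to its
    description; warnings lists rules that look like the classic mistakes.
    """
    allowed = set()
    warnings = []
    for proto, number in rules:
        proto = proto.lower()
        number = int(number)
        key = ("ip", 50) if proto == "esp" else (proto, number)
        allowed.add(key)
        if proto in ("tcp", "udp") and number == 50:
            warnings.append(
                f"{proto.upper()} port 50 does nothing for IPsec: ESP is IP protocol 50, not a port"
            )
        if proto == "tcp" and number in L2TP_UDP_PORTS:
            warnings.append(f"TCP port {number} is open, but L2TP/IPsec uses UDP {number}")
    missing = {k: desc for k, desc in REQUIRED.items() if k not in allowed}
    return missing, warnings


if __name__ == "__main__":
    # Constructed rule set reproducing two common errors: TCP "port 50" instead of ESP,
    # and UDP 4500 (NAT-T) forgotten entirely.
    sample = [("udp", 500), ("udp", 1701), ("tcp", 50)]
    missing, warnings = check_rules(sample)
    for key, desc in missing.items():
        print(f"missing: {key[0]}/{key[1]}  ({desc})")
    for w in warnings:
        print(f"warning: {w}")
```

Run it against whatever the router's forwarding page shows; an empty `missing` and an empty `warnings` is the state the answer describes.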
I was able to get it to work a few days ago, externally through the internet, then it stopped working. When I look at the log in OS X Server I can see the iPad client communicating with the OS X Server. Interesting too is that OS X Server alters the settings in my Time Capsule to allow the necessary ports through. I suspect there is a trace or diagnostic that can be activated to show what is wrong.
I recreated the error and the log on the server side is as below:
racoon: IPSec Phase 1 started (Initiated by peer).
racoon: IKE Packet: receive success. (Responder, Main-Mode message 1).
racoon: >>>>> phase change status = Phase 1 started by us
racoon: IKE Packet: transmit success. (Responder, Main-Mode message 2).
racoon: IKE Packet: receive success. (Responder, Main-Mode message 3).
racoon: IKE Packet: transmit success. (Responder, Main-Mode message 4).
racoon: IKE Packet: transmit success. (Phase 1 Retransmit).
--- last message repeated 3 times ---
kernel: Sandbox: xcscredd(138) deny file-read-metadata /Users
--- last message repeated 16 times ---
sandboxd (): xcscredd(138) deny file-read-metadata /Users
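As an added example (not code from the thread, and not a diagnosis offered by anyone in it), the following Python script parses racoon log lines of the kind quoted above and reports how far IKEv1 Main Mode got before the server started retransmitting. The sample log is constructed to mirror the post; the hint about UDP 4500 rests on RFC 3947, which moves IKE to port 4500 from Main Mode message 5 onward once a NAT has been detected in messages 3 and 4.

```python
import re

# Constructed sample modelled on the racoon lines quoted in the post above.
# The unrelated sandbox lines are kept so the parser has to skip them.
SAMPLE_LOG = """\
racoon: IPSec Phase 1 started (Initiated by peer).
racoon: IKE Packet: receive success. (Responder, Main-Mode message 1).
racoon: >>>>> phase change status = Phase 1 started by us
racoon: IKE Packet: transmit success. (Responder, Main-Mode message 2).
racoon: IKE Packet: receive success. (Responder, Main-Mode message 3).
racoon: IKE Packet: transmit success. (Responder, Main-Mode message 4).
racoon: IKE Packet: transmit success. (Phase 1 Retransmit).
--- last message repeated 3 times ---
kernel: Sandbox: xcscredd(138) deny file-read-metadata /Users
--- last message repeated 16 times ---
"""

MSG_RE = re.compile(
    r"racoon: IKE Packet: (receive|transmit) success\. "
    r"\((Responder|Initiator), Main-Mode message (\d+)\)"
)
RETRANS_RE = re.compile(r"racoon: IKE Packet: transmit success\. \(Phase 1 Retransmit\)")
REPEAT_RE = re.compile(r"--- last message repeated (\d+) times ---")


def analyze_phase1(log_text):
    """Report how far IKEv1 Main Mode got in a racoon log.

    Main Mode is six messages: the initiator sends 1, 3, 5 and the responder
    answers with 2, 4, 6.  A responder that keeps retransmitting its last
    message is waiting for the next odd-numbered message from the peer.
    """
    last_msg, last_dir, role = 0, None, None
    retransmits = 0
    prev_was_retransmit = False  # so "last message repeated N times" is counted correctly
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            last_dir, role, num = m.group(1), m.group(2), int(m.group(3))
            last_msg = max(last_msg, num)
            prev_was_retransmit = False
            continue
        if RETRANS_RE.search(line):
            retransmits += 1
            prev_was_retransmit = True
            continue
        r = REPEAT_RE.search(line)
        if r and prev_was_retransmit:
            retransmits += int(r.group(1))
        prev_was_retransmit = False  # kernel, sandboxd and other lines are ignored

    result = {
        "role": role,
        "last_message": last_msg,
        "last_direction": last_dir,
        "retransmits": retransmits,
        "stalled_waiting_for": None,
        "hint": None,
    }
    if last_msg == 0:
        result["hint"] = "no IKE packets logged: UDP 500 probably never reached racoon"
        return result
    if last_msg == 6 and retransmits == 0:
        result["hint"] = "Phase 1 completed; look at Phase 2 and L2TP (UDP 1701) next"
        return result
    if retransmits and last_dir == "transmit":
        expected = last_msg + 1
        result["stalled_waiting_for"] = expected
        hint = (f"resent message {last_msg} {retransmits} time(s); "
                f"message {expected} from the peer never arrived")
        if expected == 5:
            # RFC 3947: once NAT is detected via the NAT-D payloads in messages 3/4,
            # the initiator sends message 5 on UDP 4500 instead of UDP 500.
            hint += ("; if a NAT sits in the path, message 5 is the first packet on UDP 4500, "
                     "so check that UDP 4500 is forwarded to the server")
        elif expected == 3:
            hint += "; the peer never saw the reply on UDP 500, check the return path / NAT mapping"
        result["hint"] = hint
    return result


if __name__ == "__main__":
    for key, value in analyze_phase1(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the racoon lines from the server log (for example the output of the Console filter on "racoon"); the script only looks at the Main Mode message numbers and the retransmit counter, so a stall at message 2 or 4 is reported together with the packet the server was still waiting for.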