The Apple routers can be a problem on VPN passthrough.
Ports that are required for VPN are more complicated.
See the earlier post, e.g. How do I set up L2TP VPN?
Ports for PPTP, which you have opened manually, are not valid for L2TP, so you need several more ports opened.
The problematic ones are GRE and ESP which are protocols not ports.
I think you can pretty well assume the Apple router running anything that has BTMM in it won't work, since it will need the port 500 for itself.
On the old Express, try going back to 7.6.1 firmware. I have to say I don't use the Express, lots of Extreme and TC, so their firmware issues are slightly different and firmware versions for the Express are somewhat different.
Try not to use both port forwards (mapping if you must) and DMZ; they can fight each other. If DMZ doesn't work it is better to turn it right off and forward all the required ports.
Let me recommend a test.
Plug your cable modem directly into the computer running the VPN, so you have no NAT router in front of it.
Pay attention to the local firewall that Apple runs and what ports you will need to open on it to get VPN to work. This is your best chance to get remote VPN running. If you fail with the public IP on the computer it will certainly fail through NAT, and generally the local firewall will be an issue.
You should of course test that a client in the local LAN can connect by the VPN. It is always worth testing from the easiest configuration to the most complex.
So local LAN just as you have now.
Then direct cable connection to the computer.
Then NAT router, but you can pretty well assume Apple routers are going to be problematic because Apple wants to dally at BTMM using the same ports as IPSEC uses for L2TP.
My email is live. Roll your mouse over it and talk to me direct.
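
The points in the post above (PPTP forwards do not cover L2TP, GRE and ESP are protocols rather than ports, DMZ and port mappings conflict, BTMM holding port 500) written as a small configuration check. This is an added example, not part of the original post; the port and protocol numbers are the standard assignments rather than values from the post, and `audit`, its parameters and the sample configuration are hypothetical.

```python
# Added example: audit a router's port-mapping list against what a VPN type needs.
# Port and protocol numbers are the standard assignments, not values from the post.
REQUIRED = {
    "pptp": {"ports": {("tcp", 1723)},
             "ip_protocols": {"GRE (IP protocol 47)"}},
    "l2tp": {"ports": {("udp", 500), ("udp", 1701), ("udp", 4500)},
             "ip_protocols": {"ESP (IP protocol 50)"}},
}


def audit(vpn_type, mappings, dmz_enabled=False, btmm_enabled=False):
    """Return a list of findings for a router configuration.

    mappings: iterable of (transport, port) tuples the router forwards
    to the VPN server, e.g. [("tcp", 1723)].
    """
    need = REQUIRED[vpn_type]
    have = {(t.lower(), int(p)) for t, p in mappings}
    findings = []
    # Ports the VPN type needs that are not forwarded yet.
    for transport, port in sorted(need["ports"] - have):
        findings.append(f"missing forward: {transport.upper()} {port}")
    # GRE and ESP have no port number, so a port mapping cannot carry them;
    # the router has to pass the protocol itself.
    for proto in sorted(need["ip_protocols"]):
        findings.append(f"needs passthrough, cannot be port-mapped: {proto}")
    # The post's advice: DMZ and port mappings can fight each other.
    if dmz_enabled and have:
        findings.append("DMZ and port mappings both enabled: use one, not both")
    # The post's point: a router running BTMM wants port 500 for itself.
    if btmm_enabled and ("udp", 500) in need["ports"]:
        findings.append("router BTMM is enabled and wants UDP 500 itself")
    return findings


if __name__ == "__main__":
    # Constructed case: ports were opened for PPTP, server now runs L2TP.
    for line in audit("l2tp", [("tcp", 1723)], dmz_enabled=True, btmm_enabled=True):
        print(line)
```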