But, reading here, I understand that this is not a good solution regarding security bugs.
There are NO "bugs" in PORT FORWARDING. But it isn't an optimal solution to move your encryption server INSIDE your edge.
Anyway, I also don't know what ports I have to forward.
Google L2TP - plenty of articles about which port it uses.
Yes, I know... this will permit me to create a tunnel between external users and IPCop; after that, could I create a tunnel from IPCop to the Win2003 server?
Running L2TP through an OpenVPN SSL tunnel will cause A LOT of overhead - and seems completely unnecessary.
Why bother with L2TP at all? If you just need secure access to systems behind your IPCop, use the OpenVPN mod and you're done. If you need to fine-tune what your OpenVPN traffic can see once it's connected to your IPCop box - use BOT (i.e. "Bob's" VPN cert allows him to see the file server and the accounting server - "Mary's" VPN cert allows her access just to the file server, etc.).
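The per-certificate access control described in the reply above (Bob's cert reaches the file server and the accounting server, Mary's only the file server), as an added example that is not code from this thread, from IPCop's OpenVPN mod, or from the BOT addon. It uses plain OpenVPN `client-config-dir` pinning plus iptables FORWARD rules on a Linux gateway; the CNs, addresses, interface names, ccd path, and `topology subnet` assumption are all constructed for illustration, and the script only writes the ccd files and prints the iptables commands (a dry run) so the rule set can be reviewed before it is applied with root privileges.

```shell
#!/bin/sh
# Added example (not from the thread or IPCop): per-certificate access control
# for OpenVPN clients. Each certificate CN is pinned to a fixed tunnel address
# via client-config-dir; iptables FORWARD rules then let that address reach
# only its permitted internal hosts, and everything else from the tunnel is
# logged and dropped. Names, addresses and interfaces below are constructed.

CCD_DIR="${CCD_DIR:-./ccd}"   # assumed "client-config-dir ccd" in server.conf
TUN_IF="${TUN_IF:-tun0}"      # assumed OpenVPN tunnel interface
LAN_IF="${LAN_IF:-eth1}"      # assumed internal (green) interface

# Constructed policy, one client per line: "CN tunnel-IP allowed-hosts(comma-separated)".
# 192.168.1.10 = file server, 192.168.1.20 = accounting server (both constructed).
POLICY='bob 10.8.0.10 192.168.1.10,192.168.1.20
mary 10.8.0.11 192.168.1.10'

# Write ccd/<CN> so OpenVPN hands this certificate a fixed tunnel address.
# Assumes "topology subnet", where ifconfig-push takes <ip> <netmask>.
write_ccd() {
    mkdir -p "$CCD_DIR"
    printf 'ifconfig-push %s 255.255.255.0\n' "$2" > "$CCD_DIR/$1"
}

# Print one ACCEPT rule per allowed destination for a single client.
client_rules() {
    cn=$1; ip=$2; dests=$3
    old_ifs=$IFS; IFS=,
    for dst in $dests; do
        printf 'iptables -A FORWARD -i %s -o %s -s %s/32 -d %s/32 -m comment --comment "vpn:%s" -j ACCEPT\n' \
            "$TUN_IF" "$LAN_IF" "$ip" "$dst" "$cn"
    done
    IFS=$old_ifs
}

# Emit the complete FORWARD policy for the tunnel and write every ccd file.
generate() {
    # Return traffic for connections that VPN clients opened.
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$LAN_IF" "$TUN_IF"
    printf '%s\n' "$POLICY" | while read -r cn ip dests; do
        [ -n "$cn" ] || continue
        write_ccd "$cn" "$ip"
        client_rules "$cn" "$ip" "$dests"
    done
    # Default deny for anything else arriving from the tunnel, logged for detection.
    printf 'iptables -A FORWARD -i %s -j LOG --log-prefix "vpn-deny: "\n' "$TUN_IF"
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$TUN_IF"
}

# Number of ACCEPT rules produced: a quick sanity check that the policy parsed.
accept_count() { generate | grep -c -- '-j ACCEPT'; }

generate
```

The rules depend on the tunnel address being trustworthy, which is why the ccd pinning matters: without `ifconfig-push`, a client's address comes from the pool and the per-host rules lose their meaning. The ESTABLISHED,RELATED rule is placed first so replies flow without a per-client reverse rule, and the LOG before DROP gives the gateway a record of any VPN client probing hosts outside its allowance.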