I am trying to set up a simple C2S VPN using nw6.5sp1 and bm3.8.

My config is basically:

BM (192.138.x.y)
VPNClient - Internet router <

No NAT is involved
BM server has only one interface, set up as both public/private.
iManager is configured to assign IPs in the same class C as all my
All equipment uses the Internet router as the default gateway.
Have enabled proxy ARP on the BM interface.

Current observations:
I can authenticate using NMAS and IKE session is established.
If I attempt to ping from the VPN client to an internal workstation I
the encrypted packet go to BM using protocol 50 (ESP). BM then sends
ping req to internal workstation using the iManager assigned IP for
client. Workstation sends the ping reply back to BM using VPN IP. No
is returned to the VPN client from BM.

Any thoughts on what I have forgotten? Do I need to have two NICs on
same network?