I have a working new-style C2S VPN on BM3.8sp1, and am able to log in to
the VPN only (cannot login with Netware client). I can ping workstations
on the same subnet as the VPN server's private interface, but I cannot
ping the VPN server's private interface itself (the private and public
interfaces are on different subnets).

The VPN server is behind NAT on a DSL modem, and there is only one
static route set -- a default route next hop to the DSL modem.

I have static NAT private-private set on the VPN server.
NAT implicit filtering is Off on the VPN server.
The VPN Server is NATing the workstations on the private subnet.

What will enable me to ping the private interface through the VPN