The security gateway needs to respond to ARP requests for IP addresses it allocates to connected VPN clients (call it proxy ARP or otherwise), because these addresses are part of the LAN prefix of the gateway, and therefore, of the network prefix of any host connected to the LAN network. So the LAN hosts cannot send packets to the connected VPN client unless the security gateway responds to ARP requests with its own LAN interface MAC address. I hope this clarifies it.
It is better to keep such an addressing scheme since any change might affect established ways of achieving connectivity (such as access control based on source IP addresses allocated to VPN clients).
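Added example, not part of the original post: a small Python model of the ARP exchange described above, showing why a LAN host cannot reach a VPN client addressed inside the LAN prefix unless the gateway answers ARP for that address. All addresses, MACs and names (`Gateway`, `resolve_next_hop_mac`, `demo`) are constructed for illustration, and the gateway is assumed to answer only for addresses currently allocated to connected clients.

```python
import ipaddress

GW_MAC = "02:00:00:00:00:01"                         # constructed gateway LAN MAC
LAN_MACS = {"192.168.10.30": "02:00:00:00:00:30"}    # constructed ordinary LAN host

class Gateway:
    def __init__(self, lan_if, proxy_arp):
        self.lan_if = ipaddress.ip_interface(lan_if)
        self.proxy_arp = proxy_arp
        self.leases = set()          # addresses held by connected VPN clients

    def connect_client(self, ip):
        self.leases.add(ipaddress.ip_address(ip))

    def arp_reply(self, target):
        """Return the MAC the gateway answers with, or None if it stays silent."""
        if target == self.lan_if.ip:
            return GW_MAC
        if self.proxy_arp and target in self.leases:
            return GW_MAC            # answers on behalf of the VPN client
        return None

def resolve_next_hop_mac(host_if, dst, gateway):
    """Model a LAN host's forwarding decision and the ARP exchange that follows."""
    host_if = ipaddress.ip_interface(host_if)
    dst = ipaddress.ip_address(dst)
    # On-link destinations are ARPed for directly; others go via the default gateway.
    target = dst if dst in host_if.network else gateway.lan_if.ip
    if str(target) in LAN_MACS:
        return LAN_MACS[str(target)]
    return gateway.arp_reply(target)

def demo():
    results = {}
    for proxy in (False, True):
        gw = Gateway("192.168.10.1/24", proxy_arp=proxy)
        gw.connect_client("192.168.10.200")   # VPN address inside the LAN prefix
        host = "192.168.10.20/24"
        results[proxy] = {
            "vpn_client": resolve_next_hop_mac(host, "192.168.10.200", gw),
            "unallocated": resolve_next_hop_mac(host, "192.168.10.201", gw),
            "lan_host": resolve_next_hop_mac(host, "192.168.10.30", gw),
            "off_prefix": resolve_next_hop_mac(host, "10.8.0.5", gw),
        }
    return results

if __name__ == "__main__":
    for proxy, r in demo().items():
        print("proxy_arp =", proxy, r)
```

A `None` result means the ARP request goes unanswered, so the host has no MAC address to send the frame to.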