It's just stopped pinging randomly again - this time:

rebooted 2960-1 - still no ping.
rebooted 2960-2 - ping started to work again.

so it seems that to resolve whatever the issue is, I need to reboot both routers!

Here's something interesting - it seems that certain addresses are not passing from the wan ports to the lan port correctly. I'm just using the ping diagnostic on 2960-2:

Pinging 192.168.40.1 from lan1

PING 192.168.40.1 (192.168.40.1) from 192.168.40.254: 56 data bytes
64 bytes from 192.168.40.1: icmp_seq=0 ttl=128 time=1.1 ms
64 bytes from 192.168.40.1: icmp_seq=1 ttl=128 time=0.7 ms
64 bytes from 192.168.40.1: icmp_seq=2 ttl=128 time=1.4 ms
64 bytes from 192.168.40.1: icmp_seq=3 ttl=128 time=1.4 ms
64 bytes from 192.168.40.1: icmp_seq=4 ttl=128 time=1.9 ms

--- 192.168.40.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.7/1.3/1.9 ms
Send ICMP ECHO_REQUEST packets done.

Pinging 192.168.40.1 from wan1

PING 192.168.40.1 (192.168.40.1) from 192.168.1.50: 56 data bytes
64 bytes from 192.168.40.1: icmp_seq=0 ttl=128 time=1.6 ms
64 bytes from 192.168.40.1: icmp_seq=1 ttl=128 time=1.4 ms
64 bytes from 192.168.40.1: icmp_seq=2 ttl=128 time=1.4 ms
64 bytes from 192.168.40.1: icmp_seq=3 ttl=128 time=1.7 ms
64 bytes from 192.168.40.1: icmp_seq=4 ttl=128 time=0.8 ms

--- 192.168.40.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.8/1.3/1.7 ms
Send ICMP ECHO_REQUEST packets done.

Pinging 192.168.40.199 from lan1

PING 192.168.40.199 (192.168.40.199) from 192.168.40.254: 56 data bytes
64 bytes from 192.168.40.199: icmp_seq=0 ttl=32 time=20.5 ms
64 bytes from 192.168.40.199: icmp_seq=1 ttl=32 time=0.8 ms
64 bytes from 192.168.40.199: icmp_seq=2 ttl=32 time=5.3 ms
64 bytes from 192.168.40.199: icmp_seq=3 ttl=32 time=0.8 ms
64 bytes from 192.168.40.199: icmp_seq=4 ttl=32 time=0.9 ms

--- 192.168.40.199 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.8/5.6/20.5 ms
Send ICMP ECHO_REQUEST packets done.

Pinging 192.168.40.199 from wan1:

PING 192.168.40.199 (192.168.40.199) from 192.168.1.50: 56 data bytes

--- 192.168.40.199 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Send ICMP ECHO_REQUEST packets done.

so why can I ping through the router to one address on a subnet but not another?

Just a further update on this one - the inability to ping 192.168.40.199 was a red herring - the telecoms engineer who had installed it had neglected to put in a default gateway, so it could be pinged from the local lan but not from the wan. I have now changed the wan1 connection from an intermediate router with dmz to modem mode on the freebox and I suspect that this is going to resolve my problems - I'll post again should I have any further issues with the vpn.