I have 2 server A and B on different locations, and I have setup ipsec last year. I discovered that on external interfaces the "tracepath" or "ping"(with DF bit) apps listen on every test different mtu lowering to 508 default minimum mtu. If I disable ipsec all is working ok at mtu 1500 and mss 1460. I have test this issue with 1500 - ipsec overhead 62 = mtu 1438 but without luck. The ipsec encrypts traffic between external ips.(so tunel traffic and local ips are all encrypted) The local tunnel IF is working perfect because I have setup the mtu on it to 1414(1438 - 24 gre overhead).
Thanks(sorry for bad english)!