When dealing with MTU issues on all our site-to-site VPNs: GRE plus IPsec plus other overhead uses up 60 to 90 bytes.
There are some good docs on the Cisco site. The standard solution for TCP flows is, … for the constrained or tunnel interface:
"ip mtu 1400" "ip tcp adjust-mss 1360"
This will cause the TCP three-way handshake to negotiate a 1360-byte MSS, which then fits into the 1500-byte maximum physical MTU.
In theory, setting the MTU to 1400 will also cause the PMTU discovery process to auto-adjust as well. This is hit or miss, depending on the stack and whether ICMP is being filtered in the path.
Windows tries hard to guess the MTU and usually sets the do-not-fragment bit on most packets. The above usually works, but we often find some non-TCP app defaults to 1500 bytes anyway. Since Windows sends it with DF set, the router drops it. To fix this, use a route-map to clear the DF bit. I only do this for UDP now. Seems a good compromise.
All this would be done on your CPE or other edge router. Tunnelled DDoS mitigation vendors also do this to avoid MTU issues.
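For reference, here is what the approach described in the post looks like as a complete IOS configuration. This is an added example, not the poster's own config: the interface names, addresses, tunnel number, ACL and route-map names, and the IPsec profile name VPN-PROFILE are all assumed for illustration, and the crypto policy behind that profile is assumed to be configured elsewhere.

```cisco
! Added example, not from the original post. Interface names, addresses,
! the tunnel number, the ACL/route-map names and the IPsec profile name
! are assumptions; the ISAKMP/IPsec policy behind VPN-PROFILE is assumed
! to exist already.
!
! Step 1: clear DF only on UDP, so an oversized UDP datagram that arrives
! with DF set is fragmented by the router before GRE/IPsec encapsulation
! instead of being dropped. TCP is deliberately left alone and relies on
! the MSS clamp below.
ip access-list extended UDP-TO-VPN
 permit udp any any
!
route-map CLEAR-DF-UDP permit 10
 match ip address UDP-TO-VPN
 set ip df 0
!
! Step 2: apply the policy on the LAN-facing interface, where the
! client traffic enters the router.
interface GigabitEthernet0/0
 description LAN side
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map CLEAR-DF-UDP
!
! Step 3: constrain the tunnel. "ip mtu 1400" leaves room for the GRE +
! IPsec overhead inside the 1500-byte physical MTU of the WAN interface,
! and "ip tcp adjust-mss 1360" rewrites the MSS in SYN/SYN-ACK segments
! crossing the tunnel (1400 - 20 IP - 20 TCP = 1360) so TCP payloads
! never need fragmentation in the first place.
interface Tunnel0
 description GRE over IPsec to remote site
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile VPN-PROFILE
!
! WAN interface carrying the encrypted packets; physical MTU stays 1500.
interface GigabitEthernet0/1
 description WAN side
 ip address 203.0.113.1 255.255.255.252
```

To confirm the route-map is actually catching traffic, watch the match counters with `show route-map CLEAR-DF-UDP`; `show interfaces tunnel 0` shows the configured IP MTU, and the MSS clamp can be checked by capturing a SYN on the far side of the tunnel and reading the MSS option. Note that `ip tcp adjust-mss` on the tunnel interface acts on SYN segments in both directions, so sessions initiated from either site are clamped.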