The MSS value isn't as important as the path MTU; if your TCP implements MTU discovery (and it interacts correctly with your IPsec, i.e., IPsec causes the perceived MTU to shrink), the right thing should happen as long as the MSS is big enough.

- Bill