>The mss value isn't as important as the path MTU; if your TCP
>implements MTU discovery (and it interacts correctly with your ipsec
>.. i.e., ipsec causes the perceived MTU to shrink) the right thing
>should happen as long as the MSS is big enough..

thanks, I fixed my implementation to not play with the MSS option itself.

itojun