MTU and IPSec VPNs

When using various vendor implementations of IPSec (RedCreek and Cisco to name a couple) we have run across an issue where the MTU must be changed on the PCs and/or servers for certain traffic (Outlook/Exchange, certain WWW pages) to flow through the VPN.

The problem is with large datagrams that need to be fragmented for the IPSec overhead to be added.

Lowering the MTU on the PC, for instance, to ~1492 alleviates these issues.

However, the proposition of hacking the registry of 10,000 Windows machines is at best ugly.

Is there something in the vendor implementation that can be changed? Is it an RFC compliancy issue? Or is this strictly a system configuration issue with the nodes involved?
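
The overhead the post refers to can be worked out per packet. This is an added example, not part of the original post: it computes the on-wire size of an ESP tunnel-mode packet and the largest inner datagram that fits a path MTU without fragmentation. The cipher and integrity choices, IPv4 without options, and no NAT-T/UDP encapsulation are assumptions, not details from the post.

```python
# Added example: ESP tunnel-mode size arithmetic (IPv4, no options, no NAT-T).
OUTER_IP = 20     # new outer IPv4 header added by tunnel mode
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad-length byte + next-header byte

# Assumed algorithm choices: cipher -> (block size, IV size), auth -> ICV size.
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
AUTH = {"hmac-sha1-96": 12, "hmac-md5-96": 12, "none": 0}


def esp_packet_size(inner_len, cipher="3des-cbc", auth="hmac-sha1-96"):
    """On-wire size of an inner IP datagram after ESP tunnel encapsulation."""
    block, iv = CIPHERS[cipher]
    # Inner packet + trailer is padded up to a whole number of cipher blocks.
    blocks = (inner_len + ESP_TRAILER + block - 1) // block
    return OUTER_IP + ESP_HEADER + iv + blocks * block + AUTH[auth]


def max_inner_packet(path_mtu=1500, cipher="3des-cbc", auth="hmac-sha1-96"):
    """Largest inner datagram whose encapsulated form still fits path_mtu."""
    block, iv = CIPHERS[cipher]
    room = path_mtu - OUTER_IP - ESP_HEADER - iv - AUTH[auth]
    return (room // block) * block - ESP_TRAILER


def needs_fragmentation(inner_len, path_mtu=1500, **algs):
    """True when the encapsulated packet exceeds the path MTU."""
    return esp_packet_size(inner_len, **algs) > path_mtu


def tcp_mss_for(inner_mtu):
    """TCP MSS matching an inner MTU (20-byte IP + 20-byte TCP headers)."""
    return inner_mtu - 40


if __name__ == "__main__":
    for cipher in CIPHERS:
        limit = max_inner_packet(1500, cipher)
        print(f"{cipher}: 1500-byte datagram -> "
              f"{esp_packet_size(1500, cipher)} bytes on the wire; "
              f"largest unfragmented inner packet {limit}, "
              f"TCP MSS {tcp_mss_for(limit)}")
```
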