MTU and MSS values for Router when also terminating IPSEC
I wasn't sure whether to post this in the VPN or the WAN category, so apologies if this appears incorrect.
But essentially I would like to know the recommended MTU and MSS settings, in normal conditions when terminating a VPN on a Cisco Router.
If we take an example of an 877 using ADSL/PPPoA to rule out any additional PPPoE overheads and assume the MTU to be 1500 bytes.
AES256/SHA1 = 73 bytes
IP header = 20 bytes
TCP header = 20 bytes
Remainder = 1387 bytes
With this in mind should we set the MSS to 1387 and MTU 1427? (to be rounded)
Or set MSS to 1384, but leave the MTU as default 1500?
Or is this logic completely incorrect?
In the example above the VPN is terminating on the same device as the ADSL dialer - as opposed to other examples which may have the VPN termination on an alternate device further downstream, which I realise adds other questions.
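
The size arithmetic behind the question, as an added example that is not part of the original post. It assumes ESP tunnel mode over IPv4 with AES-CBC and HMAC-SHA1-96, no NAT-T or GRE encapsulation, and no IP or TCP options; the function names are illustrative.

```python
# Added example: ESP tunnel-mode packet sizing. All constants are assumptions
# for AES-CBC + HMAC-SHA1-96 over IPv4 without NAT-T.
OUTER_IP = 20      # outer IPv4 header, no options
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
AES_CBC_IV = 16    # per-packet IV carried in clear
AES_BLOCK = 16     # ciphertext is padded to a multiple of this
ESP_TRAILER = 2    # pad-length byte + next-header byte (encrypted)
SHA1_96_ICV = 12   # HMAC-SHA1 truncated to 96 bits
INNER_IP = 20      # inner IPv4 header, no options
TCP = 20           # TCP header, no options

FIXED = OUTER_IP + ESP_HEADER + AES_CBC_IV + SHA1_96_ICV


def esp_packet_size(inner_len):
    """On-the-wire size of an inner IP packet of inner_len bytes after ESP."""
    # Inner packet plus trailer is padded up to the next AES block boundary.
    padded = -(-(inner_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    return FIXED + padded


def overhead(inner_len):
    """Bytes added by ESP for this particular inner packet length."""
    return esp_packet_size(inner_len) - inner_len


def worst_case_overhead():
    """Largest overhead over all inner lengths (occurs with 15 pad bytes)."""
    return max(overhead(n) for n in range(INNER_IP + TCP, 1501))


def max_inner_packet(link_mtu):
    """Largest inner IP packet whose ESP form still fits in link_mtu."""
    room = (link_mtu - FIXED) // AES_BLOCK * AES_BLOCK
    return room - ESP_TRAILER


def max_mss(link_mtu):
    """TCP MSS matching max_inner_packet (no IP or TCP options)."""
    return max_inner_packet(link_mtu) - INNER_IP - TCP


if __name__ == "__main__":
    print("worst-case overhead:", worst_case_overhead())
    print("largest inner packet at MTU 1500:", max_inner_packet(1500))
    print("matching MSS:", max_mss(1500))
    print("1427-byte inner packet on the wire:", esp_packet_size(1427))
```

The overhead varies with packet length because of block padding, so subtracting the worst case from the link MTU is conservative, while the largest packet that actually fits is found by working back from the block boundary.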