Core issue
This issue occurs when an inappropriate Maximum Transmission Unit (MTU) size is configured on the router.
Resolution
This issue occurs because the IPsec VPN adds an overhead to the packet, which can cause it to surpass the valid MTU. The default Ethernet MTU is 1500.
Configure these commands on the LAN side of the router ( both the VPN end-point) :
If it continues to fail, try the crypto ipsec df-bit clear command on the Public (outside) interface on the routers.
Refer to the TCP MSS Adjustment Configuration Example section of TCP MSS Adjustment.
Refer to the DF Bit Setting Configuration Example section of DF Bit Override Functionality with IPSec Tunnels