Just to mention but when you have pmtu occuring in a vpn context, you
have a problem if the lower mtu is in the tunneled packet path:
the icmp will be sent to the originator of the
encapsulated packet which is the vpn box which itself cant send it back
to the client and so pmtu is borken. In ipsec, there is a way (which
consist of maintaining an mtu value per outgoing SA), but for cipe i
dont know how they deal with it. Another trick is to change the tcp mss
value on the fly, --clamp-to-pmtu with iptables if i am right.