Things to look at that I can think of:
- Make sure you have
option mtu_fix '1'
in your firewall for your VPN zone (wan and/or IPSec tunnel)
- Test which MTU works once you have the IPSec tunneling up and running using ping (see the section below, and pretty much what you did to determine the 1410 value)
- Set that MTU correctly for connecting devices:
3.1. maybe using a DHCP option if you are using IPSec without a tunnel and mtu_fix doesn't do the job for you
3.2. by setting the MTU on the IPSec tunnel interface (for example vti) - if you use a tunnel
Some commands that could help testing
Typically, you can use ping to determine the highest MTU that works on your network (ping with the MTU value - 28). To run them on the OpenWrt side, you would have to install iputils-ping first to be able to have all the options.
For example, for an MTU of 1500, you want to ping with 1500 - 28 = 1472. To check it (example will use eth0.2), run:
ping -s 1472 -c1 -M do -I eth0.2 1.1.1.1
With a size too long (for example 1473), you would get an error like this:
ping: local error: Message too long, mtu=1500
To get the current mtu on an interface (e.g. eth0.2):
cat /sys/class/net/eth0.2/mtu
To temporarily set the mtu to a specific value on an interface to test if it works (worth a try on your wan interface):
ifconfig eth0.2 mtu 1472 up
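
The manual ping test from the post above, automated as a binary search. This is an added example, not part of the original post; the function names `find_mtu` and `probe_ping` and the 576 to 1500 search range are assumptions, and it needs iputils-ping for `-M do`.

```shell
#!/bin/sh
# Added example: find the largest MTU that passes unfragmented (DF set).
# Usage: sh pmtu.sh <interface> <target-ip>   e.g. sh pmtu.sh eth0.2 1.1.1.1

IP_ICMP_OVERHEAD=28   # 20-byte IPv4 header + 8-byte ICMP header

# Send one echo request with payload size $1 via interface $2 to host $3,
# with fragmentation prohibited. Returns 0 only if a reply came back.
probe_ping() {
    ping -s "$1" -c1 -W2 -M do -I "$2" "$3" >/dev/null 2>&1
}

# find_mtu <iface> <target> [probe-fn] [low-mtu] [high-mtu]
# Prints the highest working MTU in [low, high]; returns 1 if even low fails.
# probe-fn is replaceable so the search can be exercised without a network.
find_mtu() {
    iface=$1; target=$2; probe=${3:-probe_ping}
    lo=${4:-576}; hi=${5:-1500}

    # If the smallest size fails, the path is down or ICMP echo is filtered,
    # and no MTU conclusion can be drawn from ping at all.
    "$probe" $((lo - IP_ICMP_OVERHEAD)) "$iface" "$target" || return 1

    # lo is known to work; hi is the largest size still worth trying.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" $((mid - IP_ICMP_OVERHEAD)) "$iface" "$target"; then
            lo=$mid
        else
            hi=$((mid - 1))
        fi
    done
    echo "$lo"
}

# Only run against the network when an interface and a target are given.
if [ "$#" -ge 2 ]; then
    mtu=$(find_mtu "$1" "$2") || { echo "no reply at minimum size" >&2; exit 1; }
    echo "largest working MTU on $1 towards $2: $mtu"
fi
```

A single lost packet counts as a failed size here, so on a lossy link repeat the run before setting the result on the interface.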