Start from your path MTU, add any encapsulation overhead, and get the effective MTU and the TCP MSS to clamp to — for both IPv4 and IPv6.
The MTU is the largest frame payload a link will carry, classically 1500 bytes on Ethernet. The MSS is the largest amount of TCP data that fits in one packet without fragmentation, so it's the MTU minus the IP and TCP headers.
For plain IPv4: 1500 − 20 (IP) − 20 (TCP) = 1460. For IPv6 the base header is larger: 1500 − 40 − 20 = 1440. Every layer of encapsulation eats into the MTU available to the inner packet, lowering the MSS further.
When traffic crosses a tunnel (GRE, IPsec, PPPoE, VXLAN), the added headers shrink the usable MTU. If endpoints still try to send 1460-byte segments, the packets need fragmentation, and if the DF (Don't Fragment) bit is set and Path MTU Discovery (PMTUD) is broken, they're silently dropped. "MSS clamping" rewrites the TCP MSS option during the handshake so both ends agree on a size that fits, avoiding the black hole.
| Encapsulation | Overhead (bytes) | IPv4 MSS at 1500-byte MTU |
|---|---|---|
| None | 0 | 1460 |
| 802.1Q VLAN | 4 | 1456 |
| PPPoE | 8 | 1452 |
| GRE | 24 | 1436 |
| VXLAN | 50 | 1410 |
| IPsec ESP (approx) | ~58 | ~1402 |
At a 1500-byte MTU with no encapsulation, the MSS is 1460 for IPv4 and 1440 for IPv6 (no TCP options).
With a 1500 MTU and 24 bytes of GRE overhead, clamp IPv4 MSS to 1436. Many engineers clamp to 1400 as a safe round number that also survives an extra layer.
ESP overhead depends on cipher, block padding, authentication, and tunnel vs transport mode. Treat the IPsec presets as ballpark and verify on your gear.
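The clamping step described above, as an added example that is not part of the original page: it computes the MSS for a given MTU and overhead, then lowers the MSS option in a SYN's TCP header and patches the checksum incrementally (RFC 1624) instead of recomputing it. The names `mss_for`, `clamp_syn_mss` and `SAMPLE_SYN` are hypothetical, and the sample header is constructed.

```python
import struct

IP_HDR = {4: 20, 6: 40}   # base IP header sizes used on this page
TCP_HDR = 20              # TCP header without options

def mss_for(mtu, overhead=0, ip_version=4):
    """MSS that fits: MTU minus encapsulation, IP and TCP headers."""
    return mtu - overhead - IP_HDR[ip_version] - TCP_HDR

def _fix_csum(csum, old, new):
    """Incremental checksum update, RFC 1624: HC' = ~(~HC + ~m + m')."""
    s = (~csum & 0xFFFF) + (~old & 0xFFFF) + new
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def clamp_syn_mss(tcp, limit):
    """Lower the MSS option of a SYN / SYN-ACK to `limit`; other input is returned unchanged."""
    hdr_len = (tcp[12] >> 4) * 4 if len(tcp) >= TCP_HDR else 0    # data offset, in bytes
    if not TCP_HDR <= hdr_len <= len(tcp) or not tcp[13] & 0x02:  # malformed, or SYN not set
        return tcp
    out, i = bytearray(tcp), TCP_HDR
    while i < hdr_len:
        kind = out[i]
        if kind == 0:                                 # end of option list
            break
        if kind == 1:                                 # NOP padding
            i += 1
            continue
        if i + 1 >= hdr_len or out[i + 1] < 2 or i + out[i + 1] > hdr_len:
            break                                     # malformed option: stop parsing
        if kind == 2 and out[i + 1] == 4:             # MSS option
            if struct.unpack_from("!H", out, i + 2)[0] > limit:
                lo, hi = (i + 2) & ~1, (i + 5) & ~1   # aligned 16-bit words covering the value
                before = bytes(out[lo:hi])
                struct.pack_into("!H", out, i + 2, limit)
                csum = struct.unpack_from("!H", out, 16)[0]
                for k in range(0, hi - lo, 2):
                    old, = struct.unpack_from("!H", before, k)
                    new, = struct.unpack_from("!H", out, lo + k)
                    csum = _fix_csum(csum, old, new)
                struct.pack_into("!H", out, 16, csum)
            break
        i += out[i + 1]
    return bytes(out)

# Constructed SYN header (checksum field is a placeholder): MSS 1460, NOP, window scale 7
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x70, 0x02, 64240, 0xBEEF, 0) \
    + bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 7])
```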