When routing traffic through a (IPSec) tunnel, an endpoint might need to do mss clamping if you are experiencing MTU issues.
For example, you are using a site-to-site VPN network, with a specific gateway as endpoint. When browsing websites through the tunnel, some websites might not load properly.
An example, using iptables to fix this problem:
iptables -A FORWARD -s 10.1.0.0/18 -o ens4 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
This will set the mss to 1360 for traffic coming from 10.1.0.0/18 on interface ens4.
The 1360 value depends on the situation, 1360 bytes is the overhead created by IPsec encapsulation