At the remote gateway: verify the firewall's log and run TCPDUMP to see if the ICMP ECHO REQUEST packet arrives and the ICMP ECHO REPLY leaves.

At the remote gateway: verify the firewall's log and run TCPDUMP to see if the ICMP ECHO REQUEST packet arrives and the ICMP ECHO REPLY leaves.

The MSS is usually based on the MTU(Maximum Transfer Unit). The MTU is configured at each network interface or network device and has, for Ethernet networks, the default value of 1500. This value represents the maximum amount of bytes that the physical layer protocol, or Network Interface(on TCP/IP archtecture), can send at a time. So, if we wish to send more that this, we have to fragment the data in blocks of 1500 bytes before sending to the Ethernet protocol.

TCP/IP archtecture

But, above the Network Interface layer protocol(Ethernet) we have the Inter-network(IP) protocol, that adds, at least, 20 bytes of header before sending data to the Network Interface layer network. Also, above the Inter-network layer, we have the transport(TCP or UDP) layer, that adds, at least, another 20 bytes of header (for TCP protocol).

So, the real size of the data that can be sent will be the MTU less all the bytes used for header at the upper layers until we reach the TCP protocol. This final value is the MSS(or Maximum Segment Size).

But, also, the MSS must be the same between the both sides of the connection and, because of this, negotiated between these before the connection establishment. Each one knows its MTU, so calculates its MSS and sends it to the other side during the connection establishment. The lower MSS will be chosen to avoid fragmentation at the connection edges. But, even with this, if there are other network equipments in the middle, that can have a lower MTU, these equipments will cause in-transit fragmentation. How we can avoid these fragmentations? The answer is "Path MTU Discovery".

The Path MTU Discovery send a packet will the maximum size for the segment (1500 bytes if Ethernet) or the MSS size informed at the connection establishment, marked to not be fragmented, and waits for some host in the path answering that it can't send the packet without fragmenting it. This answer is a ICMP "Can't Fragment" error message type 3 (destination unreachable) and code 4(fragmentation needed, but Don't Fragment bit set). Usually, this message carries, also, the MTU that caused the error. Now the Path MTU Discovery sends a new packet with the size of the MTU received in the ICMP message. This process repeats until the packet reaches the destination host and the Path MTU Discovery got an answer from it.

Therefore, is not clever to disable all kind of ICMP at your firewall, like the majority of network administrators do. Never blocks packets of type 3(destination unreachable) neither type 5(redirects). Otherwise, you can lead yourself into some big problems like the ones related at item 6.

However, the Path MTU Discovery calculates the MSS over the IP and TCP headers only. As we are adding an additional layer called IPSec, we should less the size of the IPSec header from the MSS value. This has to be done manually and that's why the  Path MTU Discovery doesn't work well with IPSec.

Packet smaller than the smallest MSS on the channel won't generate this error and, therefore, will flow. Like "ping" and small web pages

The solution for this Path MTU Discovery problem is to enable the arrival, at least, of ICMP type 3 and code 4 packets. But this doesn't solve the problem for IPSec since the Path MTU Discovery doesn't know this addicional layer. Therefore, the solution is to force a manual MSS on any attempt to make a connection between the two IPSec gateways. To acomplish this, just call this code(modifying REMOTE_GATEWAY and REMOTE_NETWORK to match your network configuration) from your firewall's loading script:

#!/bin/bash

#Forces a fixed MSS to deal with the Path MTU Discovery problem
#ATTENTION:
#  1.You must allow ICMP echo-request and echo-response packets exchange between the LOCAL and REMOTE gateways
#  2.You must allow ICMP redirect and destination-unreachable from the INTERNET
#  3.You will need the BC and IPROUTE packages installed

#definition of the remote gateway and network
REMOTE_GATEWAY=200.200.200.200
REMOTE_NETWORK=172.16.0.0/24

#DEBUG option: set to 1 to enable messages
DEBUG=0

function compute_mss() {
	#compute the MSS for IPSec based on the MTU passed as a parameter
	#returns the computed value on the MSS variable

	local MTU
	local IP_HEADER_LENGTH
	local ESP_HEADER_LENGTH
	local AH_HEADER_LENGTH
	local IPSEC_HEADER_LENGTH
	local ENCRYPTION_HEADER_LENGTH
	local SUBTOTAL_DATA_LENGTH
	local DISCARDED_DATA_LENGTH
	local DATA_LENGTH

	MTU=$1
	
	#average IP header length(20<->60)
	IP_HEADER_LENGTH=40

	#ESP header length
	ESP_HEADER_LENGTH=8

	#AH header length
	AH_HEADER_LENGTH=12

	#IPSec header length = ESP + AH
	IPSEC_HEADER_LENGTH=`echo "$ESP_HEADER_LENGTH + $AH_HEADER_LENGTH" | bc`

	#Encryption algorithm header length
	ENCRYPTION_HEADER_LENGTH=16 #CBC initial value

	#Final length = MSS
	SUBTOTAL_DATA_LENGTH=`echo "$MTU - $IP_HEADER_LENGTH - $IPSEC_HEADER_LENGTH - $ENCRYPTION_HEADER_LENGTH" | bc`
	DISCARDED_DATA_LENGTH=`echo "$SUBTOTAL_DATA_LENGTH % 16" | bc`
	DATA_LENGTH=`echo "$SUBTOTAL_DATA_LENGTH - $DISCARDED_DATA_LENGTH" | bc`
	MSS=$DATA_LENGTH
}
function pmtu_discovery()
{
	#Do a PMTU discovery through ICMP packets between the LOCAL and REMOTE gateways.
	#In fact, it uses a binary search algorithm to find the maximum PAYLOAD length of a ICMP packet on the channel
	#and, with this information, computes the PMTU
	local MIN
	local MAX
	local MTU
	local TARGET
	local OK
	local AVG
	local IP_HEADER_LENGTH
	local ICMP_PAYLOAD_MAX

	#IP header MINIMUM length (20<->60 bytes)
	IP_HEADER_LENGTH=20

	#ICMP header length (echo-request/echo-reply)
	ICMP_HEADER_LENGTH=8

	#definition of a BC function that returns the absolute value of a number, that is, the number without sign
	LOADABS="
define abs(x) {
  if (x>=0) return(x)
      return(-x)
}
"
	#destination host (firewall -> internet interface)
	TARGET=$1
		
	#minimum ICMP PAYLOAD length
	MIN=400
	#get the MTU from the interface that will be used on the gateway communication
	MTU=`ip route get $TARGET | xargs | sed "s/.*mtu \([[:digit:]]\+\) .*/\1/"`
	#maximum ICMP PAYLOAD length => MTU - IP HEADER - ICMP HEADER
	MAX=`echo "$MTU-$IP_HEADER_LENGTH-$ICMP_HEADER_LENGTH" | bc`

	#Path MTU Discovery through binary search
	while [ `echo "$LOADABS abs($MIN - $MAX)" | bc` -gt 1 ]; do
		#Compute the average value between MIN and MAX
		AVG=`echo "scale=0;($MIN + $MAX) / 2" | bc`
		if [ $DEBUG -eq 1 ]; then
			echo -n "AVG=$AVG "
		fi

		#We send a ICMP packet:
		# -s $AVG	: with the PAYLOAD size of $AVG
		# -q		: quiet
		# -M do		: with the DF(Don't Fragment) flag set
		# -W 2		: wait the answer for 2 seconds
		# -c 1		: only one packet
		# $TARGET	: to the $TARGET host
		#and redirect the output to /dev/null since we just need the exit code(or $?)
		ping -s $AVG -q -M do -W 2 -c 1 $TARGET 1>/dev/null 2>/dev/null
		OK=$?
		if [ $OK == 0 ]; then
			#It worked! So, the minimum is set to the average, that is, MIN=AVG
			if [ $DEBUG -eq 1 ]; then
				echo "[OK]"
			fi
			MIN=$AVG
		else
			#It doesn't work... so, the maximum is set to the average - 1, that is, MAX=AVG-1
			if [ $DEBUG -eq 1 ]; then
				echo "[NOK]"
			fi
			MAX=`echo "$AVG-1" | bc`
		fi
		#we send ICMP packets each 0.5 seconds trying not to wake an IDS or FIREWALL
		sleep 0.5
	done
	#the $MIN value will be the maximum ICMP PAYLOAD length allowed between LOCAL and REMOTE gateways
	ICMP_PAYLOAD_MAX=$MIN
	#now we compute the PMTU => PAYLOAD + ICMP HEADER + IP HEADER
	PMTU=`echo "$ICMP_PAYLOAD_MAX+$ICMP_HEADER_LENGTH+$IP_HEADER_LENGTH" | bc`
}

#variable initialization
MSS=-1
PMTU=-1

#do the PMTU discovery to the remote gateway. The variable PMTU will have the final value.
pmtu_discovery $REMOTE_GATEWAY
#computes the MSS based on the PMTU returned. The variable MSS will have the final value.
compute_mss $PMTU

#We include the following IPTABLES rules to FORCE the MSS on any connection establishment with the remote network
iptables -I FORWARD 1 -p tcp -d $REMOTE_NETWORK --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $MSS
iptables -I FORWARD 2 -p tcp -s $REMOTE_NETWORK --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $MSS
iptables -I OUTPUT 1 -p tcp -d $REMOTE_NETWORK --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $MSS
iptables -I OUTPUT 2 -p tcp -s $REMOTE_NETWORK --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $MSS
if [ $DEBUG -eq 1 ]; then
	echo "PMTU=$PMTU"
	echo "MSS=$MSS"
fi
exit 0

Another problem related to Path MTU Discovery, but this time, not related to your configurations. The problem is that, probably, the conected network that is to be accessed has firewall rules blocking any kind of ICMP, therefore, blocking the flow of TCP segments. The symptoms described above will also happen, but between your network and the connected one, not on the VPN channel.