You should use an MTU on your tunnel interfaces that is less than or equal to the MTU of the outbound interface, minus the tunnel protocol overhead, minus the normal IP header size. This does not happen automatically; you need to configure it manually.

If an encapsulated tunnel packet cannot be sent through the outbound interface, it is fragmented, even if the DF bit is set in the payload packet. This means that applications will not be able to detect it; the tunnel is completely transparent to them and acts like a serial line with the given MTU.

For GRE encapsulation (the default for tunnel interfaces), this would be 24 bytes of overhead, and the MTU of the tunnel should be set no higher than the MTU of your outbound interface minus 24, i.e. 1500-24=1476. (The GRE header uses 4 bytes; the IP header is 20 bytes if there are no options.) Above this figure, packets will get fragmented and performance will be degraded (but the additional overhead is only 20 bytes per packet, or 1.3%; you might be willing to ignore this as long as your router CPU can cope with the fragmentation).
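
The figures above, worked through as an added Python example (not part of the original text): it models how the outer IPv4 packet carrying a GRE-encapsulated payload packet is split when it exceeds the outbound MTU. The function names are illustrative; the header sizes are the 4 and 20 bytes given in the text, and the sample sizes are constructed.

```python
# Added example: outer-packet fragmentation for a GRE tunnel (IPv4, no options).
IP_HEADER = 20   # outer IPv4 header without options (figure from the text)
GRE_HEADER = 4   # GRE header (figure from the text)


def tunnel_mtu(outbound_mtu):
    """Largest payload packet that still fits in one outer packet."""
    return outbound_mtu - GRE_HEADER - IP_HEADER


def fragment_outer(payload_len, outbound_mtu):
    """Return [(offset, data_len, more_fragments)] for the outer IPv4 packet
    that carries a payload packet of payload_len bytes inside GRE."""
    data = GRE_HEADER + payload_len      # bytes behind the outer IP header
    room = outbound_mtu - IP_HEADER      # data bytes one outer packet can hold
    if data <= room:
        return [(0, data, False)]
    step = room // 8 * 8                 # non-final fragments: multiple of 8
    frags, offset = [], 0
    while data - offset > room:
        frags.append((offset, step, True))
        offset += step
    frags.append((offset, data - offset, False))
    return frags


def wire_bytes(frags):
    """Bytes sent on the outbound interface: each fragment has its own header."""
    return sum(IP_HEADER + length for _, length, _ in frags)


def fragmentation_cost(payload_len, outbound_mtu):
    """Extra bytes caused by fragmenting, versus one oversized outer packet."""
    unfragmented = IP_HEADER + GRE_HEADER + payload_len
    return wire_bytes(fragment_outer(payload_len, outbound_mtu)) - unfragmented


if __name__ == "__main__":
    mtu = 1500                           # constructed sample: Ethernet outbound
    print("tunnel MTU:", tunnel_mtu(mtu))
    for size in (1476, 1477, 1500):      # constructed payload packet sizes
        frags = fragment_outer(size, mtu)
        print(size, frags, "extra bytes:", fragmentation_cost(size, mtu))
```

A payload packet one byte over the tunnel MTU already produces a second outer fragment, and the fragment sizes are the same whether or not the payload packet had DF set, since only the outer header is consulted.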