If mtu could be an issue, then I would suggest that you go throught this document which describes a feature called pre-fragmentation which allows an encrypting router to predetermine the encapsulated packet size from information available in transform sets.