MTU path discovery and IPSec

No -- it only has to be enabled on routers with smaller outbound MTUs
than inbound. A router for which all links have a 1500-byte MTU
doesn't need path MTU discovery; it will never need to fragment

    --Steve Bellovin,

A subtle correction...

A router where all MTUs are the same will never have to fragment
anything. A router where all MTUs are >=1500 will probably not
need to fragment anything. However, it is possible to attach
a host via GIG-E or other media which supports jumbo frames
(Frame relay, for example) and need to fragment to support a
1500 octet MTU. Currently, this would be a rare occurrence, but
it is possible in some circumstances. Eventually, if this assumption
were to circulate widely, it could have similar consequences to many
other errant assumptions on the internet.