7 beta 5. When creating IPSEC with IKEv2 there appears to be a MTU blackhole.
In my particular case the actual MTU that passes is 1422 (ping size 1394), and anything above will just not return or pass.
IP firewall does allow the detection of larger packets but there is no action to return fragmentation needed. I can only reject them with icmp host unreachable or something similar, but that does not allow proper operation.

it would be really nice to either resolve the blackhole, or to allow another firewall action that will reject with ICMP datagram too big with next-hop mtu settable in the rule