I don’t remember the current state of the affairs in your network, but if you’ve ended up with a bare IPsec VPN (using /ip ipsec policy rows to choose the traffic to be sent via the VPN), you need to make sure that the ICMP “fragmentation needed” messages sent by the 'Tik itself to the client PC don’t get grabbed by the policy and sent down the tunnel. See the third paragraph of this post for details.