When using L2TP + IPsec, you can't be sure that the packet is not fragmented, even if you specifically restrict fragmentation of the original packet.
The original packet is first packed into L2TP (which can, by the way, also perform fragmentation and defragmentation, but only if asked to), then it is processed by IPsec, and then the already encrypted packet can be fragmented if needed. On the other end, the same actions happen in reverse.
That being said, subtract at least another 100 for IPsec overhead: down to 1350.
And possibly even more if you have clients connecting from a cellular network, but that needs to be tested.
I ended up with MTU 1230, because larger packets didn't make it through the tunnels established by mobile devices via LTE.
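
One way to run the test mentioned above, as an added example that is not part of the original post: a binary search for the largest inner IP packet that still gets an echo reply through the tunnel. It assumes Linux iputils `ping` (`-M do` sets DF on the inner packet only, so the encrypted outer packet may still be fragmented; the probe measures what is delivered, not the absence of fragmentation). The function names and the 192.0.2.1 address are placeholders.

```shell
#!/bin/sh
# Added example: find the largest IPv4 packet size that gets an echo reply
# from a host reachable only through the L2TP/IPsec tunnel.

# probe SIZE HOST -> exit status 0 if an IP packet of SIZE bytes got a reply.
# ICMP payload = SIZE - 20 (IPv4 header) - 8 (ICMP header).
# Two attempts per size so a single lost packet on a mobile link is tolerated.
probe() {
    ping -M do -c 2 -W 2 -s "$(( $1 - 28 ))" "$2" >/dev/null 2>&1
}

# find_mtu HOST [LOW] [HIGH] -> prints the largest size in [LOW, HIGH] that passes.
# Assumes monotonic behaviour: if size N passes, every smaller size passes too.
find_mtu() {
    host=$1 low=${2:-576} high=${3:-1500}
    if ! probe "$low" "$host"; then
        echo "no reply even at $low bytes; check the tunnel first" >&2
        return 1
    fi
    while [ "$low" -lt "$high" ]; do
        mid=$(( (low + high + 1) / 2 ))   # round up so the loop always progresses
        if probe "$mid" "$host"; then
            low=$mid                      # mid passed: answer is mid or larger
        else
            high=$(( mid - 1 ))           # mid failed: answer is below mid
        fi
    done
    echo "$low"
}

# Usage, run on the client with the tunnel up (placeholder address):
#   find_mtu 192.0.2.1
```

Run it from a client on each access network you care about (wired, Wi-Fi, LTE) and set the tunnel MTU to the smallest result.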