Channel: All ScreenOS Firewalls (NOT SRX) posts

Re: HMAC-SHA256 backward compatibility to 128 bits


I have checked a few other VPN "debug flow basic" outputs, and it seems size=96 in your flow basic output is not the truncation size; it's the length of the data, with padding, that will be encrypted as per the encryption algorithm (CBC etc.).

 

Later, 156 is the amount of data including the ESP headers.

 

E.g.

 

1: First you see the actual data size (without L2 headers):

****** 8831165.0: <Trust/ethernet0/0> packet received [1447]******    <--- 1447 is the actual data size

2: Later you will see the same output as in your debug, after packet processing.

    In my debugs I see "(vn2) doing ESP encryption and size =1456" or "(vn2) doing ESP encryption and size =48", which means it's not the truncation size.

 

 

As per RFC 4868:

 

Truncation

The HMAC-SHA-256+ algorithms each produce an nnn-bit value, where nnn
corresponds to the output bit length of the algorithm, e.g., HMAC-
SHA-nnn. For use as an authenticator, this nnn-bit value can be
truncated as described in [HMAC]. When used as a data origin
authentication and integrity verification algorithm in ESP, AH, IKE,
or IKEv2, a truncated value using the first nnn/2 bits -- exactly
half the algorithm output size -- MUST be supported. No other
authenticator value lengths are supported by this specification.

 

Please check the "get envar" output; if you don't see "set envar hmac-sha256-96=yes" there, then it's the default, without backward compatibility.

 

 

Thanks,

Vikas
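To make the two points above concrete (the debug "size=" value is the padded ciphertext length rather than the authenticator length, and RFC 4868 truncates the 256-bit HMAC-SHA-256 output to 128 bits, with 96 bits only as a non-RFC compatibility length), here is an added example in Python. It is not code from the original post or from ScreenOS. The key, SPI, IV and ciphertext bytes are constructed placeholders, and the packet-size arithmetic assumes AES-CBC (16-byte block and IV), an IPv4 outer header in tunnel mode and no NAT-T; those parameters are assumptions, since the thread does not state the SA configuration, even though the 96-byte ciphertext plus 128-bit ICV under those assumptions happens to add up to the 156 bytes seen in the debug.

```python
import hmac
import hashlib

# Constructed sample inputs (not taken from the thread).
KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)
SPI_SEQ = bytes.fromhex("deadbeef00000001")   # ESP header: SPI + sequence number
IV = bytes(range(16))                         # 16-byte CBC IV (assumed AES)
CIPHERTEXT = bytes(96)                        # 96-byte padded ciphertext, as in "size=96"

# The ICV is computed over the ESP header, IV and ciphertext (RFC 4303),
# never over the outer IP header.
AUTHENTICATED = SPI_SEQ + IV + CIPHERTEXT


def icv(key: bytes, authenticated: bytes, out_bits: int) -> bytes:
    """HMAC-SHA-256 authenticator truncated to out_bits.

    RFC 4868 mandates nnn/2 = 128 bits; 96 bits is the legacy length some
    implementations use for backward compatibility with HMAC-SHA-1-96 sizing.
    """
    full = hmac.new(key, authenticated, hashlib.sha256).digest()  # 32 bytes
    return full[: out_bits // 8]


def verify_icv(key: bytes, authenticated: bytes, received: bytes, out_bits: int) -> bool:
    """Receiver-side check: a peer sending a 96-bit ICV to a receiver that
    expects 128 bits fails here on length alone, before any bit comparison."""
    expected = icv(key, authenticated, out_bits)
    if len(received) != len(expected):
        return False
    return hmac.compare_digest(expected, received)


def esp_ciphertext_len(payload_len: int, block_size: int = 16) -> int:
    """Length of the encrypted portion: payload + padding + 2-byte ESP trailer
    (pad length, next header), rounded up to the cipher block size (RFC 4303)."""
    return -(-(payload_len + 2) // block_size) * block_size


def esp_packet_len(payload_len: int, icv_bits: int, block_size: int = 16,
                   iv_len: int = 16, outer_ip_len: int = 20) -> int:
    """Total on-the-wire size: outer IP + SPI/seq (8) + IV + ciphertext + ICV.
    Tunnel mode, IPv4 outer header, no NAT-T UDP encapsulation (assumptions)."""
    return outer_ip_len + 8 + iv_len + esp_ciphertext_len(payload_len, block_size) + icv_bits // 8


if __name__ == "__main__":
    for bits in (256, 128, 96):
        print(f"HMAC-SHA-256-{bits}: {len(icv(KEY, AUTHENTICATED, bits))} bytes")
    # An 80-byte inner payload pads to 96 bytes of ciphertext, matching the debug's size=96.
    print("ciphertext bytes for 80-byte payload:", esp_ciphertext_len(80))
    print("packet bytes with 128-bit ICV:", esp_packet_len(80, 128))
    print("packet bytes with 96-bit ICV: ", esp_packet_len(80, 96))
    # Interop failure: sender truncates to 96, receiver expects RFC 4868's 128.
    print("96-bit ICV accepted by 128-bit receiver:",
          verify_icv(KEY, AUTHENTICATED, icv(KEY, AUTHENTICATED, 96), 128))
```

The "size=" figures in the debug change with the inner payload and the cipher block size, not with the authenticator length; only the 12- versus 16-byte ICV at the tail of the packet reflects the hmac-sha256-96 compatibility setting, so a four-byte difference in total ESP length between two peers for the same inner packet is the symptom to look for.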

 

