Default behaviour: the SRX doesn't copy the DF bit from the inner header to the outer (ESP) header.
st0 MTU is 1400.
Scenario 1.
A packet arrives at the SRX with the DF bit set and a size of 1401.
The SRX encrypts the packet, then fragments it into 2 and transmits both fragments via the tunnel interface.
Scenario 2.
SRX config is "set security ipsec vpn <VPN Name> df-bit clear".
Behaviour is the same as above: the SRX fragments the traffic and sends 2 smaller packets out.
Scenario 3.
SRX config is "set security ipsec vpn <VPN Name> df-bit copy".
If the packet arrives with the DF bit set and a size of more than 1400, the SRX sends an ICMP packet stating that fragmentation is needed.
If the packet arrives without the DF bit and a size of more than 1400, the SRX fragments the traffic and sends 2 smaller packets out.
Point to note: let's say you receive a packet of 1380 bytes and the encryption overhead is 21 bytes; in that case the encrypted packet is 1401 bytes, so we also need to consider fragmentation.
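The three scenarios plus the overhead note are really one decision table, so here it is as a small model that can be queried for any packet size, DF flag and df-bit mode. This is an added example written for this note, not Junos code or anything from the SRX itself; the 1400 st0 MTU comes from the note, the 21-byte overhead is the note's constructed round figure (real ESP overhead depends on cipher, padding and ESN), and the fragment count ignores the extra outer IP header each fragment carries. Only the two modes the note names (clear and copy) plus the default are modelled.

```python
import math
from dataclasses import dataclass
from typing import Optional

ST0_MTU = 1400        # tunnel (st0) interface MTU from the note
ESP_OVERHEAD = 21     # constructed encryption overhead used in the note's example


@dataclass(frozen=True)
class Verdict:
    action: str                # "forward", "fragment" or "icmp-frag-needed"
    fragments: int             # number of packets that leave via the tunnel
    icmp_mtu: Optional[int]    # MTU advertised in the ICMP message, if one is sent


def handle_packet(size: int, df: bool, mode: str = "default",
                  mtu: int = ST0_MTU, overhead: int = ESP_OVERHEAD) -> Verdict:
    """Model of how the SRX treats one cleartext packet entering the IPsec tunnel.

    mode is "default" (DF not copied), "clear" or "copy", matching the
    df-bit knob in the note. The overhead is applied in every mode, because
    the note's last point shows that a 1380-byte packet still has to be
    fragmented once the 21 bytes of encryption overhead push it past 1400.
    """
    if mode not in ("default", "clear", "copy"):
        raise ValueError(f"unknown df-bit mode: {mode!r}")

    encrypted = size + overhead          # size of the packet after encryption
    if encrypted <= mtu:
        return Verdict("forward", 1, None)

    if mode == "copy" and df:
        # Inner DF is copied to the outer header, so the SRX must not fragment.
        # The ICMP "fragmentation needed" message advertises the largest
        # cleartext size that still fits after the overhead is added.
        return Verdict("icmp-frag-needed", 0, mtu - overhead)

    # default and clear: the outer header carries no DF bit, so the SRX
    # encrypts first and then fragments the encrypted packet (post-fragmentation),
    # regardless of whether the inner packet had DF set.
    return Verdict("fragment", math.ceil(encrypted / mtu), None)


def max_cleartext_size(mtu: int = ST0_MTU, overhead: int = ESP_OVERHEAD) -> int:
    """Largest cleartext packet that crosses the tunnel without fragmentation."""
    return mtu - overhead


if __name__ == "__main__":
    cases = [
        (1401, True, "default"),   # scenario 1
        (1401, True, "clear"),     # scenario 2
        (1401, True, "copy"),      # scenario 3, DF set
        (1401, False, "copy"),     # scenario 3, DF clear
        (1380, False, "copy"),     # the overhead note: 1380 + 21 > 1400
        (1379, True, "copy"),      # largest size that still fits
    ]
    for size, df, mode in cases:
        print(f"size={size} df={df} mode={mode:<7} -> {handle_packet(size, df, mode)}")
    print("max cleartext size without fragmentation:", max_cleartext_size())
```

The practical use of the model is the last line: with the note's numbers, anything above 1379 bytes of cleartext will be fragmented (or rejected with ICMP in copy mode), even though the st0 MTU reads 1400. When sizing an inner-interface MTU or a TCP MSS clamp, subtract the real overhead of the negotiated cipher, not the round figure used here.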