Don't know if you can see the fragments without sampling packets but as far as I know, the MTU of the tunnel interface will only affect where fragmentation happens:
- If the MTU is set to 9000, the entire packet will be encapsulated into IPSEC and then it will be sent out through the external interface. If it turns out that the packet is too large, it will be fragmented (if allowed by DF) and sent across the internet as two fragments. If fragmentation is not allowed (DF bit copied from original packet), ... [ no idea - to be investigated ]
- If the MTU of the ST interface is set to something low enough, that will ensure that packets are fragmented before they are encapsulated into IPSEC. This means no fragments on the internet, which is a lot better as fragments tend to get lost in some parts of the world. If the original packet is too large and DF is set, you'll see an ICMP message going back to the client which will in turn lower its packet size.
I've got tcp-mss and lower MTU set on my VPNs to prevent sending fragments onto the internet. Not only are they filtered in some places, but in one of the previous JunOS versions I was running (10.0r3 I think), there was a bug in the sequence number generation and the fragments were blocked by screening on the remote device. 🙂
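The two cases in the post above, worked through as a size calculation. This is an added example, not part of the original post. It assumes IPv4 ESP tunnel mode with AES-CBC and HMAC-SHA1-96 and no NAT-T; the MTU values and all function names are constructed for illustration.

```python
# Added example: where does fragmentation happen for a given tunnel MTU?
# Assumed transform (not from the post): ESP tunnel mode, AES-CBC, HMAC-SHA1-96.
OUTER_IP = 20   # new outer IPv4 header
ESP_HDR = 8     # SPI + sequence number
IV = 16         # AES-CBC initialisation vector
ICV = 12        # HMAC-SHA1-96 integrity check value
BLOCK = 16      # AES block size; inner packet + trailer is padded to this
TRAILER = 2     # pad-length + next-header bytes
FIXED = OUTER_IP + ESP_HDR + IV + ICV


def esp_size(inner_len):
    """Size on the wire of one inner packet after ESP encapsulation."""
    padded = -(-(inner_len + TRAILER) // BLOCK) * BLOCK  # round up to block
    return FIXED + padded


def max_inner(ext_mtu):
    """Largest inner packet whose ESP packet still fits the external MTU."""
    return (ext_mtu - FIXED) // BLOCK * BLOCK - TRAILER


def tcp_mss(tunnel_mtu):
    """MSS that keeps TCP segments within the tunnel MTU (IPv4 + TCP = 40)."""
    return tunnel_mtu - 40


def classify(inner_len, df, tunnel_mtu, ext_mtu):
    """Return which of the cases described in the post applies."""
    if inner_len > tunnel_mtu:
        # Low tunnel MTU: decision is made before encryption.
        return "icmp-to-sender" if df else "pre-encap-fragment"
    if esp_size(inner_len) <= ext_mtu:
        return "fits"
    # High tunnel MTU: the ESP packet itself is too big for the external link.
    # The DF case is the one the post leaves open ("to be investigated").
    return "undetermined-df" if df else "post-encap-fragment"


if __name__ == "__main__":
    ext = 1500  # constructed external MTU
    print("largest inner packet that avoids fragments:", max_inner(ext))
    for tunnel_mtu in (9000, 1400):
        for df in (False, True):
            print(tunnel_mtu, "DF" if df else "no-DF",
                  classify(1500, df, tunnel_mtu, ext))
    print("tcp-mss for tunnel MTU 1400:", tcp_mss(1400))
```

With a different transform or with NAT-T the overhead constants change, so the safe tunnel MTU has to be recomputed for the proposal actually negotiated.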