From @ZeroByte (post_id 542346)
This is because the packet is below the inner MTU, so it is neither discarded nor dropped. The resulting encrypted tunnel packet may exceed the physical interface's MTU, and since the IPsec session is technically not the inner traffic, it is eligible for fragmentation. There's no way around this fact - even if DF were inherited, PMTUD would fail, and here's why:
Hosts A and Z communicate via an encrypted tunnel between routers B and Y.
A sends a DF packet via B. The packet is larger than the tunnel interface MTU at router B, so router B can send an ICMP fragmentation needed message to A, and A can reduce the packet size and retransmit properly.
If A sends a DF packet via B which is small enough to fit the MTU of the tunnel interface, then B doesn't send a message to A because the packet fits. However, when the encrypted packet is built and B then finds that the resulting packet is too large for the physical interface MTU, B must fragment the tunnel packet. Technically, B could possibly have enough stateful information to send an ICMP fragmentation required message to A - but this is already unlikely, since the IP stack of the physical host will see the crypto engine as the source of the packets, not host A. But let's suppose that it's doable - okay, so B can still notify A.
Now let's assume that the inner payload + crypto overhead does not exceed the physical egress interface MTU at router B. Router B will forward the packet to the Internet. Suppose that somewhere in the middle of the Internet, at a link between routers P and Q, the MTU is lower than the B->C link. Even if the DF bit were inherited, router P will see B as the source, not A, so the ICMP message would not reach A for A to lower its MTU.
Even if you were to propose that B should receive these ICMP fragmentation required messages from router P, figure out which packet caused it and which internal host needs the message, and adjust the message's reported next-hop MTU from P to account for the encapsulation overhead, it wouldn't require DF inheritance. It would be easier for B and Y to always use DF on the outer packets, do their own PMTUD, and then dynamically adjust the MTU of the tunnel interface.
Thus - if you know the PMTU between your B and Y routers, you should set the MTU of the tunnel low enough to not require fragmentation.
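The A-B-P-Q-Y-Z scenario in the post, as an added example (not code from the post or from any vendor). It computes the ESP tunnel-mode outer size from the RFC 4303 layout (assumed defaults: 20-byte IPv4 outer header, AES-CBC with a 16-byte IV and 16-byte block, 16-byte ICV, no NAT-T), walks a constructed packet through each hop, and records who each ICMP "fragmentation needed" message would be addressed to. The topology, MTUs and the `simulate`/`max_tunnel_mtu` helpers are constructed for illustration.

```python
"""PMTUD blind spot across an IPsec tunnel (constructed example, not from the post)."""
from dataclasses import dataclass
from typing import List, Tuple

IPV4_HEADER = 20
UDP_HEADER = 8  # only present with NAT-T (UDP encapsulation)


def esp_tunnel_size(inner_size: int, iv_len: int = 16, icv_len: int = 16,
                    block: int = 16, nat_t: bool = False) -> int:
    """Outer packet length for ESP tunnel mode (RFC 4303 layout).

    Assumed defaults: AES-CBC (16-byte IV, 16-byte block) and a 16-byte ICV.
    """
    body = inner_size + 2                   # inner packet + pad-length + next-header bytes
    padding = (-body) % block               # ESP padding up to the cipher block size
    esp = 8 + iv_len + inner_size + padding + 2 + icv_len   # SPI+seq, IV, payload, trailer, ICV
    return IPV4_HEADER + (UDP_HEADER if nat_t else 0) + esp


def max_tunnel_mtu(path_mtu: int, **cipher) -> int:
    """Largest inner packet whose encapsulated form still fits the B<->Y path MTU.

    This is the tunnel MTU the post recommends: low enough that the outer
    packet never needs fragmentation.
    """
    inner = path_mtu
    while esp_tunnel_size(inner, **cipher) > path_mtu:
        inner -= 1
    return inner


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    size: int
    df: bool


# (where, what, addressed-to, mtu-or-size)
Event = Tuple[str, str, str, int]


def simulate(inner_size: int, tunnel_mtu: int, phys_mtu: int, pq_mtu: int,
             df_inherit: bool = False) -> List[Event]:
    """Walk one DF packet from A toward Z and stop at the first fragmentation event."""
    events: List[Event] = []
    inner = Packet("A", "Z", inner_size, df=True)

    # Router B, tunnel interface: the only place where PMTUD can reach host A
    if inner.size > tunnel_mtu:
        events.append(("B-tunnel", "icmp_frag_needed", inner.src, tunnel_mtu))
        return events

    # Encapsulation: the outer packet is sourced by B, and DF is normally cleared
    outer = Packet("B", "Y", esp_tunnel_size(inner.size),
                   df=inner.df if df_inherit else False)

    # Router B, physical egress interface
    if outer.size > phys_mtu:
        if outer.df:
            # The local stack sees the crypto engine as the sender, so the
            # notification targets B itself, not A
            events.append(("B-phys", "icmp_frag_needed", outer.src, phys_mtu))
        else:
            events.append(("B-phys", "fragment", outer.dst, outer.size))
        return events

    # Link P-Q somewhere in the Internet core, with a lower MTU
    if outer.size > pq_mtu:
        if outer.df:
            # Router P addresses the ICMP to the outer source, B; A never hears of it
            events.append(("P", "icmp_frag_needed", outer.src, pq_mtu))
        else:
            events.append(("P", "fragment", outer.dst, outer.size))
        return events

    events.append(("Y", "delivered", inner.dst, outer.size))
    return events


if __name__ == "__main__":
    print("outer size of a 1400-byte inner packet:", esp_tunnel_size(1400))
    print("largest inner packet for a 1500-byte path:", max_tunnel_mtu(1500))
    for df in (False, True):
        print("df_inherit =", df, "->", simulate(1400, 1500, 1500, 1400, df_inherit=df))
```

Run as a script, the two `simulate` calls show the post's point directly: with DF cleared the core router P fragments the outer packet, and with DF inherited P sends its ICMP to B, so A still never learns the lower path MTU. `max_tunnel_mtu` gives the tunnel MTU to configure once the B-Y path MTU is known; any change to cipher, ICV length or NAT-T changes the overhead, so recompute it with the matching keyword arguments.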