In packets that are transmitted through static and dynamic endpoint IPsec tunnels, you can enable the value set in the Don't Fragment (DF) bit of the packet entering the tunnel to be copied only to the outer header of the IPsec packet and to not cause any modification to the DF bit in the inner header of the IPsec packet. To copy the DF bit value to only the outer header and not modify the inner header, use the copy-dont-fragment-bit statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level for static tunnels and at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level for dynamic endpoints. To configure the DF bit in only the outer header of the IPsec packet and to leave the inner header unmodified, include the set-dont-fragment-bit statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level for static tunnels and at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level for dynamic endpoints.