03-04-2023 04:21 AM
Hi,
I have a question regarding encryption fragmentation on DMVPN. It doesn't matter whether before or after is used; I just want to understand how to configure it. I tried to configure it under my tunnel interface but I got an error:
R2(config-if)#crypto ipsec fragmentation before-encryption
% Crypto Fragmentation setting not applicable on tunnel interface
Is this possible only on physical interfaces that are used as NBMA? I saw that there is also crypto ipsec df-bit, which I can apply on the tunnel, but I didn't quite get how to use it.
So if I set up:
ip mtu 1400
no ip split-horizon eigrp 1
ip nhrp network 1
tunnel mode gre multipoint
ip nhrp map multicast dynamic
ip tcp adjust-mss 1360
tunnel source e1/0
ip add xxxxx xxxxx
How can I configure fragmentation before encryption?
03-04-2023 06:07 AM
We need to know what device model and IOS code are running:
Check the configuration and limitations:
03-04-2023 06:18 AM
That's a perfect Q,
this table explains the behavior of the two commands
03-05-2023 03:26 AM
Yes, I saw that table, but what I didn't get from it is the first row/column header, "feature state". What is the feature that it refers to as enabled/disabled? Is it that I need to configure crypto ipsec df-bit clear and that's it?! If that is all then it is clear, because when I list show run all | include crypto I don't see it; from that I gather that the default state is disabled.
The following questions are about the DF bit state. Who is setting that bit? I mean, it is our tunnel which has data to send, so what does "incoming" refer to? From the table it doesn't matter whether it is 0/1 if I enable the feature.
Best regards and thanks
03-05-2023 03:36 AM
Let's talk about it column by column.
1st column
crypto ipsec fragmentation before-encryption
enabled means you ran this command
disabled means you did not run this command
2nd
crypto ipsec df-bit
this has three settings
A- clear <<- clears the DF bit of any packet the IPsec interface forwards
B- set <<- sets the DF bit of any packet the IPsec interface forwards
C- copy <<- copies the DF bit from the received packet to the new (after encryption) packet, for any packet the IPsec interface forwards
3rd
whether the packet I receive has the DF bit set or not
Network(packet with/without df-bit)-Router(IPsec)-Internet
Those three criteria decide fragmentation before/after encryption and the dropping of some packets.
03-06-2023 03:53 AM
Hi,
thanks for the response, I think that I got it now. Until now I thought that "crypto ipsec fragmentation before-encryption" is only applicable to an interface and not enabled in global config.
R2(config)#crypto ipsec fragmentation before-encryption
On the tunnel I can then use "crypto ipsec df-bit clear".
I also saw this chapter:
There they put crypto ipsec df-bit clear globally, but I didn't see that they put crypto ipsec fragmentation before-encryption in the config. So I'm confused about what I should put where in the configuration.
Br, Marijo
03-06-2023 04:02 AM - edited 03-06-2023 04:04 AM
Because they are optional, we can configure one of them or both of them.
But if I configure only one of them, what about the second command? The second command will use its default setting.
03-06-2023 05:23 AM
To sum it up, I can do the following:
globally
R1(config)#crypto ipsec fragmentation before-encryption
R1(config)#int tun0
R1(config-if)#crypto ipsec df-bit clear
and one more thing: create a transform set and put it in tunnel mode
R1(config)#crypto ipsec transform-set mrki esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
The other way is to do crypto ipsec df-bit globally together with fragmentation before-encryption, which will be applied to all interfaces
R1(config)#crypto ipsec df-bit clear
R1(config)#crypto ipsec fragmentation before-encryption
and of course in the transform set use tunnel mode, because of the restriction for fragmentation.
Br, Marijo
03-06-2023 05:33 AM
Not all interfaces, to be totally correct,
but the interfaces under which you configured a crypto map.