My router is not allowing encrypted traffic
Tuesday
Model: ER7212PC  
Hardware Version: V2
Firmware Version: 5.15.24.21

Hi,

Can anyone assist me? I have two Thales devices (Hardware Speed Encryptors, HSE) which are both connected to the ER7212PC for routing traffic between 192.168.7.0/24 and 192.168.6.0/24. [HSE is a suite of network encryption products designed to secure data in motion across networks for enterprises and governments. These crypto-agile solutions offer fast, reliable encryption for various network environments, including cloud and data center connectivity, while being future-proofed against quantum threats through features like quantum key distribution and generation.]

So what is happening is this: if these devices are set to send the data in clear, the traffic goes through the TP-Link router (ER7212PC), but as soon as the policy is set to encrypt, the traffic doesn't pass through.

For now I am generating the ping traffic from one site to another. Also please note that the network is not connected to the internet.

File: Screenshot 2025-09-09 164005.jpg

#1
Re: My router is not allowing encrypted traffic
Yesterday

  @mrmanmsk 

Thank you for your post. To get to the root of the issue, set up a port-mirror capture on the ER7212PC and compare the “clear-text” and “encrypted” packets. The following are common causes:

• The encryptor may rewrite the source/destination MAC, so the ER7212PC can no longer find the correct ARP entry.
• After encryption the frame size increases; if it exceeds the interface MTU the packet will be dropped.
• The encryptor might change the IP protocol number to 50/51 (ESP/AH) or use UDP 4500 (NAT-T); ensure these are allowed.
• The encryptor could add a new VLAN tag; the corresponding ER7212PC port must be set to Trunk and the VLAN must be permitted.

#2
Re: My router is not allowing encrypted traffic
Yesterday

@Ethan-TP

Thank you for your prompt reply. See my responses below:

• The encryptor may rewrite the source/destination MAC, so the ER7212PC can no longer find the correct ARP entry.

Understood.

• After encryption the frame size increases; if it exceeds the interface MTU the packet will be dropped.

I am not a network expert when it comes to routers. Are you able to explain how I can increase the MTU for the LAN ports, not for the WAN, since my ER7212PC is not connected to the internet?

• The encryptor might change the IP protocol number to 50/51 (ESP/AH) or use UDP 4500 (NAT-T); ensure these are allowed.

Also, can you guide me on this one and the last one?

• The encryptor could add a new VLAN tag; the corresponding ER7212PC port must be set to Trunk and the VLAN must be permitted.

I thought that because it works when the traffic is in clear, it should work even when it's encrypted.

#3
Re: My router is not allowing encrypted traffic
16 hours ago

  @mrmanmsk 

What I’m listing here are only possible causes, so even after you make the adjustments the issue may not be resolved. The key is to mirror-capture traffic and compare the difference between plaintext and encrypted transmissions.

Regarding your questions, please see the clarifications below:

  1. The encryptor typically wraps the original IP packet with an ESP/AH header, and sometimes an additional UDP header. The entire packet can grow by 50–70 bytes.
    If the LAN port still uses the default MTU of 1500 and the encryptor does not perform its own fragmentation, the switch/router will simply drop the oversized frames.
    Log in to the ER7212PC web UI → Settings → Wired Networks → LAN → select your LAN (e.g., LAN1).
    Change the MTU from 1500 to 1552 or 1600 (anything larger than 1500 + 70 bytes is fine).

  2. The ER7212PC allows all LAN→LAN traffic by default, but if you have configured ACLs you need to add a rule:
    ACL table → LAN IN → Allow → Protocol 50 / 51 / UDP 4500 → Source/Destination any.
    If the encryptor spans VLANs, add the same rule under Switch → ACL/Security.
    If no ACLs exist, you can skip this step—traffic is allowed by default.

  3. Some encryptors distinguish “plaintext” from “ciphertext” traffic by tagging the encrypted frames with an extra VLAN (e.g., VLAN 100).
    If the ER7212PC port is still set as an Access port in VLAN 1, it will drop frames carrying VLAN 100.
    Action steps:
    Go to Settings → Wired Networks → LAN → VLAN and create VLAN 100 (use the ID specified in the encryptor’s documentation).
    Change the port connected to the encryptor to Trunk mode, keep the original PVID (e.g., 1), and add VLAN 100 to the Tagged VLAN list.
    If the encrypted traffic must continue to other switches, set the uplink port to Trunk as well and allow VLAN 100 on it.

#4
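The advice in #2 and #4 is to take a port-mirror capture on the ER7212PC and compare the clear-text and encrypted frames. The script below is an added example, not code from this thread, from TP-Link or from Thales, showing what that comparison looks like in plain Python with no packet library: it decodes an Ethernet II frame (optionally 802.1Q tagged) carrying IPv4, pulls out the fields that correspond to the four causes listed in #2 (source/destination MAC, VLAN id, IP protocol 50/51 or UDP 4500, IP packet length against the LAN MTU) and reports every difference it finds. The sample frames are constructed inline: a full-size 1500-byte ICMP echo and the same packet wrapped in ESP, sent from an assumed encryptor MAC and tagged with an assumed VLAN 100; the ESP overhead figures used to size the encrypted packet are also assumptions for illustration. With a real capture you would pass the raw frame bytes from the mirror port to parse_frame instead.

```python
import struct

# Constants discussed in the thread: 802.1Q tagging, ESP/AH protocol numbers, NAT-T port.
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 17: "UDP", 50: "ESP", 51: "AH"}
NAT_T_PORT = 4500


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame, mtu=1500):
    """Decode an Ethernet II frame (optionally 802.1Q tagged) carrying IPv4.

    Returns the fields needed for the clear-vs-encrypted comparison: MACs,
    VLAN id, IP protocol, NAT-T detection and IP length versus the port MTU.
    """
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF          # low 12 bits of the TCI hold the VLAN id
        offset = 18
    info = {"src_mac": mac_str(src), "dst_mac": mac_str(dst), "vlan": vlan,
            "ip_proto": None, "label": "non-IPv4", "nat_t": False,
            "ip_len": None, "exceeds_mtu": False}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    nat_t = False
    if proto == 17:                  # UDP: NAT-T keeps ESP inside UDP port 4500
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        nat_t = NAT_T_PORT in (sport, dport)
    # The MTU limits the IP packet (not the Ethernet header), so compare total length.
    info.update(ip_proto=proto, label=PROTO_NAMES.get(proto, str(proto)),
                nat_t=nat_t, ip_len=total_len, exceeds_mtu=total_len > mtu)
    return info


def compare(clear, enc, mtu=1500):
    """List the differences between a clear-text and an encrypted frame that
    map onto the four causes from the thread (MAC, MTU, protocol/ACL, VLAN)."""
    findings = []
    if clear["src_mac"] != enc["src_mac"] or clear["dst_mac"] != enc["dst_mac"]:
        findings.append(f"MAC rewritten: {clear['src_mac']}->{clear['dst_mac']} became "
                        f"{enc['src_mac']}->{enc['dst_mac']} (check ARP/MAC table)")
    if enc["ip_len"] is not None and enc["ip_len"] > mtu:
        findings.append(f"encrypted IP packet is {enc['ip_len']} bytes > MTU {mtu} "
                        f"(raise LAN MTU to at least {enc['ip_len']})")
    if enc["label"] in ("ESP", "AH") or enc["nat_t"]:
        what = "UDP 4500 (NAT-T)" if enc["nat_t"] else f"IP protocol {enc['ip_proto']} ({enc['label']})"
        findings.append(f"encrypted traffic uses {what}; any ACL must permit it")
    if clear["vlan"] != enc["vlan"]:
        findings.append(f"VLAN changed from {clear['vlan']} to {enc['vlan']} "
                        f"(port must be Trunk with VLAN {enc['vlan']} tagged)")
    return findings


# --- constructed sample frames (not real captures) ---------------------------

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header; checksum left at zero since nothing transmits it."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                         proto, 0, bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return header + payload


def build_frame(dst_mac, src_mac, packet, vlan=None):
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + packet


HOST_MAC = bytes.fromhex("020000000701")        # assumed locally administered addresses
ROUTER_MAC = bytes.fromhex("020000000001")
ENCRYPTOR_MAC = bytes.fromhex("020000000702")

# Clear path: full-size ICMP echo (8-byte ICMP header + 1472 data = 1500-byte IP packet).
CLEAR_FRAME = build_frame(ROUTER_MAC, HOST_MAC,
                          build_ipv4("192.168.7.10", "192.168.6.10", 1, b"\x08\x00" + b"\x00" * 1478))

# Encrypted path: same packet wrapped in ESP (assumed 8-byte header + 16-byte IV +
# 1500-byte inner packet + 2-byte trailer + 16-byte ICV = 1542 bytes), sent from the
# encryptor's own MAC and tagged with VLAN 100.
ENC_FRAME = build_frame(ROUTER_MAC, ENCRYPTOR_MAC,
                        build_ipv4("192.168.7.10", "192.168.6.10", 50, b"\xaa" * 1542), vlan=100)

# NAT-T variant: the same ESP blob inside UDP 4500/4500 (8-byte UDP header).
NAT_T_FRAME = build_frame(ROUTER_MAC, ENCRYPTOR_MAC,
                          build_ipv4("192.168.7.10", "192.168.6.10", 17,
                                     struct.pack("!HHHH", 4500, 4500, 8 + 1542, 0) + b"\xaa" * 1542))

if __name__ == "__main__":
    for line in compare(parse_frame(CLEAR_FRAME), parse_frame(ENC_FRAME)):
        print("-", line)
```

The MTU check compares the IP total length with the LAN MTU, which is why the 1562-byte encrypted packet is flagged at the default 1500 but passes once the MTU is raised to 1600 as suggested in #4. The script only flags where the two captures differ; as #4 says, the listed causes are possibilities, and the capture itself is what confirms which one applies.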