hAP ac³ IPSEC VPN problem

I haven’t seen any issues like this on the arm architecture, and I routinely use IPsec on it as well. Hence my first question would be whether you haven’t changed the cipher suite on the new machine as compared to the old one, which could explain a change in the number of bytes occupied by the IPsec overhead in a packet. Placing the new router behind the existing one may also cause a change of the overhead size if the existing router is on a public IP and the new one is not, so NAT traversal is necessary.

Other than that, there should be no need to manually reduce LAN MTU if you make sure that path MTU discovery is not broken by IPsec handling due to a missing part of IPsec configuration. See this post for a brief explanation.
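
The dependence of ESP overhead on cipher suite and NAT traversal mentioned in the post above, worked through as an added example that is not part of the original post. It assumes tunnel mode over an IPv4 outer header without options; the suite labels are this example's own, not RouterOS proposal names.

```python
"""ESP tunnel-mode overhead per cipher suite (added example, IPv4 outer header)."""
from dataclasses import dataclass

OUTER_IPV4 = 20   # outer IPv4 header, no options (assumption)
NAT_T_UDP = 8     # UDP encapsulation header added by NAT traversal (RFC 3948)
ESP_HEADER = 8    # SPI + sequence number
ESP_TRAILER = 2   # pad-length + next-header bytes, inside the encrypted part


@dataclass(frozen=True)
class Suite:
    iv: int      # per-packet IV bytes on the wire
    block: int   # alignment required for the encrypted part
    icv: int     # integrity check value bytes


# Labels are this example's own; sizes are the standard ones for each transform.
SUITES = {
    "aes-cbc/sha1": Suite(iv=16, block=16, icv=12),
    "aes-cbc/sha256": Suite(iv=16, block=16, icv=16),
    "aes-gcm": Suite(iv=8, block=4, icv=16),
}


def esp_packet_size(inner_len, suite, nat_t=False):
    """Size on the wire of an ESP packet carrying an inner IP packet of inner_len bytes."""
    s = SUITES[suite]
    # Inner packet plus trailer is padded up to the next multiple of the block size.
    encrypted = -(-(inner_len + ESP_TRAILER) // s.block) * s.block
    nat = NAT_T_UDP if nat_t else 0
    return OUTER_IPV4 + nat + ESP_HEADER + s.iv + encrypted + s.icv


def max_inner_packet(path_mtu, suite, nat_t=False):
    """Largest inner IP packet that still fits into path_mtu after encapsulation."""
    s = SUITES[suite]
    nat = NAT_T_UDP if nat_t else 0
    room = path_mtu - OUTER_IPV4 - nat - ESP_HEADER - s.iv - s.icv
    return room // s.block * s.block - ESP_TRAILER


if __name__ == "__main__":
    for name in SUITES:
        for nat_t in (False, True):
            inner = max_inner_packet(1500, name, nat_t)
            # TCP MSS assumes 20-byte IPv4 and 20-byte TCP headers, no options.
            print(f"{name:15} nat_t={nat_t!s:5} max inner {inner}, TCP MSS {inner - 40}")
```

With a 1500-byte path MTU, enabling NAT traversal on the AES-CBC suites lowers the largest inner packet by 16 bytes rather than 8, because the encrypted part must stay block-aligned.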