MACsec cannot be established between two S5720 when there are L2 switches between them

MACsec (Media Access Control Security) is based on 802.1AE and 802.1X protocol on the LAN security communication method.

The EAP protocol packet in the MACsec session negotiation process is a BPDU packet.

IEEE Std 802.1X-2010 Clause 11 describes the MAC format of the EAP protocol packets, as shown in the following figure:

From the packet captures the stp bpdu packet destination MAC was different from the 0180-c200-0003 which is required for the negotiation of MACsec.

From the capture we only can see the packets sent by switch1 . The dumb switch didn’t forward them . The packet  was lost in the dumb switch . 
Our switch sends by default the packet at each 2s. If the dumb switch would forward the packet there should be another packet between 1-4 .

MACsec negotiation needs the BPDU packets in this process and we suspected that the dumb switch droped the BPDU packets as a default behavior when there is no configuration.
That’s why, it’s required to configure the l2protocol-tunnel  to transport the packets.

For BPDUs, the destination MAC is  0180-c200-0003

First solution and recommended one:

In system-view apply this command on both switches :

l2protocol-tunnel user-defined-protocol test1 protocol-mac 0180-c200-0003  group-mac 0100-0008-0008

on interface view apply those commands：

interface GigabitEthernet0/0/34
port link-type access
port default vlan 10
l2protocol-tunnel user-defined-protocol test1 enable

Second solution if l2protocol-tunnel cannot be configured on the directly connected to end-switches : 

After connecting the G0/0/3 to the dumb switch and applied l2tp configuration on G0/0/2 which is connected to G0/0/1( L3 interface) then the MACsec connection could be established but this scenario is not recommended and needs to be tested with precautions.