@Jocksor, unfortunately I'm not using EoIP. I'm just using the basic IPSec in tunnel mode. On the IPSec wiki page, there are some optimizations for the RB1100AHx2 to set the irq's, would this help on the CCR?
I tried some of those 1100 optimizations on the CCR, but in my case it didn't really make a difference.
on the 1100 and on CHR x86 systems turning RPS off and assigning 1 CPU core per interface, and setting everything else to a core unused by interfaces seemed to greatly improve performance in my case. RPS actually seems to work correctly on the CCR, at least under crypto and with the latest RC software.
By the way on your CCRs, what are you seeing for your download speeds now?