jollis
just joined
Topic Author
Posts: 4
Joined: Wed Jun 15, 2011 2:38 am

IPSEC Performance

Fri Mar 21, 2014 12:58 am

I've been testing throughput (MikroTik bandwidth test) over IPSEC (AES128(CBC)/SHA1/PFS) and seem to be coming up with some limitations and issues that I'm hoping a MikroTik developer can shed some light on.

First.. using two CCR1016s, Gig Ethernet, versions 6.07 to 6.10, I achieved 100+Mbps IPSEC throughput in a bandwidth test (both ways, UDP & TCP); then going to 6.10/6.10 the TCP performance dropped to 40Mbps with occasional one-way spikes to 100Mbps. UDP held at 100+. I tried 6.11 beta on both with no improvement. Is there a change that needs to be made to enable AES hardware acceleration? Is there an IPSEC or TCP design change since >6.7?

Second.. in all tests on CCR and other platforms, IPSEC only uses one CPU which is the fundamental reason I cannot achieve higher throughput. Is there a way of making crypto use multiple CPUs rather than AUTO? Is there a plan to include this in future releases?

Other notes
During TCP testing without IPSEC, bandwidth test maxed out 2 CPUs on the CCR and achieved 356Mbps, while UDP achieves 1.1G maxing out only 1 CPU. (Connection tracking is off and there are no ACLs.)
Using AES256 the performance dropped by about 10-15% which is pretty good.
Followed http://wiki.mikrotik.com/wiki/Manual:IP/IPsec, confirmed hardware queuing and disabled connection tracking. I also tried disabling PFS.
