hAP Lite - IKEv2 VPN Performance Tuning

No hardware encryption on the hAP lite.

No need for action=fasttrack-connection rule if you only plan to use the device for VPN with bare IPsec (matching traffic by src-address and dst-address in /ip ipsec policy), i.e. if none of the forwarded traffic goes outside the VPN via WAN.

As for the MTU, the number of bytes occupied by the IPsec overhead depends on the encryption and authentication algorithms used, and the encapsulation of ESP into UDP which is used to facilitate NAT traversal also takes a few bytes. It doesn’t matter, though, how many layers of NAT the connection traverses - the only difference is between no NAT at all at either side (where ESP is put directly into IP) and any other case (where ESP is put into UDP which in turn is put into IP).

But the IPsec transport packets do get fragmented if they exceed the MTU of the physical link, and with traffic matching, you cannot affect the MTU of anything else but the physical link. So you have to make sure that any ICMP “fragmentation needed” messages sent by your own router to the LAN hosts are not matched by the traffic selector of the VPN’s policy and sent down the VPN, so that PMTUD can work. Look into this post for details.
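The two paragraphs above say that the overhead depends on the algorithms and on whether ESP is wrapped in UDP, and that the IPsec packets get fragmented on the physical link when the inner packet is too large. The added example below (my own illustration, not code from the post or from RouterOS) puts numbers on that: it builds the ESP packet size from the standard field lengths (SPI and sequence number, IV, padding to the cipher block size, pad-length and next-header trailer, ICV) and searches for the largest inner packet that still fits the link MTU, which is the value PMTUD has to deliver to the LAN hosts. The IV and ICV lengths in the tables are the usual ones for those algorithms and are assumptions; check them against the proposal actually negotiated.

```python
"""IPsec ESP overhead and effective MTU calculator (added example, not from the post)."""

IPV4_HDR = 20        # outer IPv4 header
UDP_HDR = 8          # only present with NAT traversal (ESP-in-UDP, RFC 3948)
ESP_SPI_SEQ = 8      # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2      # pad length (1 byte) + next header (1 byte)

# cipher -> (IV length, alignment the padded payload must satisfy).
# Assumed standard values: CBC ciphers pad to the block size, AEAD/NULL only
# need the 4-byte alignment ESP always requires.
CIPHERS = {
    "aes-cbc": (16, 16),
    "3des-cbc": (8, 8),
    "aes-gcm": (8, 4),
    "null": (0, 4),
}

# integrity algorithm -> ICV length. "aead" is the GCM tag (auth is part of the cipher).
AUTHS = {
    "sha1": 12,      # HMAC-SHA1-96
    "sha256": 16,    # HMAC-SHA2-256-128
    "sha512": 32,    # HMAC-SHA2-512-256
    "aead": 16,      # AES-GCM 16-byte ICV
    "null": 0,
}


def esp_packet_size(inner_len, cipher, auth, nat_t, tunnel=True):
    """Size on the wire of an IPsec packet carrying an inner IPv4 packet of inner_len bytes."""
    iv, align = CIPHERS[cipher]
    icv = AUTHS[auth]
    # Tunnel mode encrypts the whole inner packet; transport mode reuses the
    # original IP header as the outer header and protects only its payload.
    payload = inner_len if tunnel else inner_len - IPV4_HDR
    # ESP pads so that payload + trailer is a multiple of the alignment.
    pad = (-(payload + ESP_TRAILER)) % align
    esp = ESP_SPI_SEQ + iv + payload + pad + ESP_TRAILER + icv
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + esp


def max_inner_len(link_mtu, cipher, auth, nat_t, tunnel=True):
    """Largest inner packet whose IPsec encapsulation still fits the physical link MTU.

    This is the value the LAN hosts must learn via PMTUD; anything larger is
    fragmented on the physical link (or elicits a "fragmentation needed").
    """
    size = link_mtu
    while size > 0 and esp_packet_size(size, cipher, auth, nat_t, tunnel) > link_mtu:
        size -= 1
    return size


def tcp_mss(link_mtu, cipher, auth, nat_t, tunnel=True):
    """TCP MSS that avoids fragmentation: inner MTU minus IPv4 (20) and TCP (20) headers."""
    return max_inner_len(link_mtu, cipher, auth, nat_t, tunnel) - 40


if __name__ == "__main__":
    for cipher, auth in (("aes-cbc", "sha1"), ("aes-cbc", "sha256"), ("aes-gcm", "aead")):
        for nat_t in (False, True):
            inner = max_inner_len(1500, cipher, auth, nat_t)
            print(f"{cipher}/{auth} nat-t={nat_t!s:5} inner MTU={inner} "
                  f"wire={esp_packet_size(inner, cipher, auth, nat_t)} mss={tcp_mss(1500, cipher, auth, nat_t)}")
```

Run it as a script to see the table for a 1500-byte link; AES-CBC with HMAC-SHA1 behind NAT yields a 1422-byte inner MTU, while the same proposal without UDP encapsulation allows 1438 bytes, which is the "few bytes" difference the post refers to. Note that because CBC pads to 16 bytes, the wire size does not grow linearly with the inner packet: one extra byte can add a whole padding block.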