I've been working on this problem all day, and here is what I've gathered:
I'm running RouterOS 4.6 and have split-tunnelling with AES-128-sha1-modp1536 configured.
I can push something like 3.5MByte/s through this circuit if I don't use the IPSec tunnel.
My throughput through the ipsec tunnel is around 180KByte/s.
I've been sniffing on all the ends of the circuit that I have access to (the router, the outside before my concentrator and the inside network
When I analyse these pcap dumps, I can see that the ipsec packets arrive out of order, and I can see that they are in fact transmitted out of order on the RB1000!
So, somehow there's a bug on the RB1000 that causes the VPN traffic to be transmitted out of order.
The road to hell is paved with good intentions.