20Mbps WAN limited to 10Mbps over IPSec Tunnel
Solution 1:
Even though CPU was the third thing I checked, and I wrote this:
The Mikrotik is at around 25%-33% CPU usage when doing these transfer tests
Which is confirmed by the CPU graph
I've had it confirmed by external resources (i.e. a bunch of other support forums and blogs) that most Mikrotik routers just cannot push more than 11Mbps of IPSec traffic with either 3DES or AES encryption, unless you get a model that has hardware encryption offloading.
So it looks like that this is just a hardware limitation. I should have caught it much earlier on, but for some reason the Mikrotik was not indicating to me that it was being CPU bound.
Off shopping I go.
Solution 2:
I can confirm that the culprit is the CPU. Here I benchmarked a Mikrotik RB750GL and I measured 12 Mb/s with AES-128 traffic (and only 6.0 Mb/s with 3DES).
Your result seems perfectly in-line with what recorded by me.