Late last year I was playing with pfsense in order to replace ssh+vtund connections between sites with a cleaner ipsec rig. To that effect I set up 2 soekris 5501 with HiFn crypto accelerators, directly connected via a Cat-6 ethernet cable, both running pfsense-1.2 (I forget which release candidate) and was able to pipe 20Mb/s using 256 bit-AES ESP (note the little b as bit, not byte). I controlled for ethernet limitation by sending 8x-10x as much data over the same link without ipsec.
I am curious – do you have comparative results against the ssh+vtun getup?
Also, maybe some encrypted vs. unencrypted on the pfsense pair to show how much overhead is chewed up by AES?
Running on the same hardware without crypto I remember getting around 50+ Mb/s. I was mostly interested in whether pfsense on soekris could relay more than 10 Mb/s, which it can.