sergida
just joined
Topic Author
Posts: 3
Joined: Mon May 22, 2017 9:57 am

RB750gr3 - Vigor 2960 IPSEC. PPPoE interface

Mon May 22, 2017 11:13 am

Hello everyone,

This is my first post after reading the forum for quite some time.
I'd like to ask for some advice with the following subject:
I own an RB750GR3 router and a Draytek Vigor 2960. I managed to do some tests setting up an IPsec VPN between the two routers (mikrotik's WAN) <-> switch <-> (Vigor's WAN) and a different LAN on each one. All is working great with aes-cbc-128 / sha1. Throughput is about 370 Mbps through the tunnel both ways.
The problem comes up when configuring the mikrotik with a PPPoE interface. Using the same configuration except for the PPPoE interface drops throughput to 140 Mbps through a 300/300 fiber line.
I've checked IPsec stats and fragmentation/out-of-order packets don't seem to be the problem.
Though the PPP profile used has 'Change TCP MSS' set to yes, I did set a rule in Mangle to change MSS to 1360/1352 for IPsec packets going through the PPPoE interface, but no improvement at all. In fact, no packets reached the mangle rule.

Actual MTU is set by default to 1480 on the PPPoE interface.

Two RAW rules define IPsec connections as notrack:

1 chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.80.0/24 dst-address=192.168.10.10/28

2 chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.10.10/28 dst-address=192.168.80.0/24

IPsec policy is defined as follows:

1 src-address=192.168.80.0/24 src-port=any dst-address=192.168.10.10/28 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=XXX.XXX.XXX.XXX proposal=draytek
priority=0 ph2-count=0

Proposal:
1 name="draytek" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=none

Are there any known issues with 6.39.1? First tests were made prior to updating from 6.38.x to 6.39.

The devices have been in use since last week, so I'd rather not downgrade unless no other option is available.

Any advice to improve throughput will be appreciated.

Thanks in advance.
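A worked check of the MTU/MSS numbers in the post, added here as an example and not part of the original post or of RouterOS: it computes the ESP tunnel-mode overhead for the aes-128-cbc/sha1 proposal and the largest inner packet and TCP MSS that fit the 1480-byte PPPoE MTU without post-encryption fragmentation. Overheads follow RFC 4303, RFC 3602 and RFC 2404; the outer IPv4 header is assumed to carry no options, and NAT-T UDP encapsulation is assumed off unless requested.

```python
# Added example (not from the original post): ESP tunnel-mode size
# arithmetic for the proposal in the post (aes-128-cbc + sha1, tunnel=yes)
# carried over a PPPoE interface whose IP MTU is 1480 bytes.
# Overheads follow RFC 4303 (ESP), RFC 3602 (AES-CBC, 16-byte IV/block)
# and RFC 2404 (HMAC-SHA1-96, 12-byte ICV). Assumptions: outer IPv4
# header without options, no NAT-T UDP encapsulation unless requested.

IPV4_HDR = 20          # outer IPv4 header (no options)
ESP_HDR = 8            # SPI (4) + sequence number (4)
AES_CBC_IV = 16        # explicit IV, one AES block
AES_BLOCK = 16         # CBC padding boundary
ESP_TRAILER = 2        # pad length (1) + next header (1)
SHA1_ICV = 12          # HMAC-SHA1-96 integrity check value
NAT_T_UDP = 8          # UDP header when ESP is wrapped in UDP/4500
TCP_IP_HDRS = 40       # inner IPv4 (20) + TCP (20), no options


def esp_tunnel_size(inner_len: int, nat_t: bool = False) -> int:
    """Bytes on the wire for one inner IPv4 packet of inner_len bytes."""
    # CBC needs (inner packet + trailer) to be a multiple of the block size.
    pad = (-(inner_len + ESP_TRAILER)) % AES_BLOCK
    total = (IPV4_HDR + ESP_HDR + AES_CBC_IV + inner_len + pad
             + ESP_TRAILER + SHA1_ICV)
    return total + (NAT_T_UDP if nat_t else 0)


def max_inner_mtu(outer_mtu: int, nat_t: bool = False) -> int:
    """Largest inner packet whose ESP encapsulation still fits outer_mtu."""
    inner = outer_mtu
    while esp_tunnel_size(inner, nat_t) > outer_mtu:
        inner -= 1
    return inner


def max_tcp_mss(outer_mtu: int, nat_t: bool = False) -> int:
    """Largest TCP MSS that avoids fragmentation after encryption."""
    return max_inner_mtu(outer_mtu, nat_t) - TCP_IP_HDRS


def mss_fits(mss: int, outer_mtu: int, nat_t: bool = False) -> bool:
    """True if a full-size segment with this MSS fits once encapsulated."""
    return esp_tunnel_size(mss + TCP_IP_HDRS, nat_t) <= outer_mtu


if __name__ == "__main__":
    PPPOE_MTU = 1480   # from the post: default MTU on the PPPoE interface
    print("max inner MTU:", max_inner_mtu(PPPOE_MTU))
    print("max TCP MSS  :", max_tcp_mss(PPPOE_MTU))
    for mss in (1360, 1352):   # the clamp values tried in the post
        print(f"MSS {mss} fits:", mss_fits(mss, PPPOE_MTU))
```

The sizes apply to the TCP segment before the IPsec policy encrypts it; once it has become an ESP packet there is no TCP header left for an MSS rule to match.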