Having struggled to improve the abysmal speed of our IPSec LAN-to-LAN VPN, I've finally made progress. Thought I'd post it here in the hope it helps someone else.

The culprit was the "Enable ICMP flood defense" feature under Firewall >> DoS defense Setup.

The setting was throttling ICMP messages to a level far below that needed to keep the VPN running at a decent speed, causing constant 10-second lockouts. Having turned this off, the VPN throughput has increased twentyfold.

Happy bunny at this end!

cheers, Steve