Thanks for the suggestion, I imagined a similar approach as well. That would probably work; however, I should verify that it will not break the stateful firewall session mapping in terms of ingress/egress interface for each session.
I just hoped I could get around it with something with less overall impact, so I could first test it and introduce it in a phased approach.
IPSec directly on the WANOS suits the overall architecture design better, but since it's purely software on a VM, I have no idea whether it will perform well enough in terms of throughput.
Max speed per TCP session varies a lot, depending mostly on the end-host OSes. Usually, the worst case is newer (2016) Windows Server versions, where I believe their intelligent TCP stack features are intervening. With careful TCP tuning on the end-hosts, even on Windows Server 2016 I am able to achieve the desired speed even in a single session, but there are too many hosts on both sides, not all of them under my control, so OS tuning is not a solution.
All the Linuxes usually perform excellently too.