Extreem low throughput

PDJ

I have a problem with IPSEC.
I have configured a IPSEC tunnel with GRE (I need to do some special routing, so I need GRE)
Everything works, but I get very low throughput on the IPSEC/GRE tunnel, both ends are connected direct with a gigabit connection.
When I copy a large file over the network, I get only 4mbit with spices to 20mbit but a very unstable throughput at the same time I have a ping running from another machine and it's going from steady 1ms to jumpy 4 to 20ms.
Logfiles of IPSEC/Racoon say nothing special, just that the tunnel is setup right

Sep 8 07:58:41 	racoon: [IPSEC FW1]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.17[500]->172.16.8.22[500] spi=109112871(0x680ee27)
Sep 8 07:58:41 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=127719491(0x79cd843)
Sep 8 07:58:41 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=160971926(0x9983c96)
Sep 8 07:58:43 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP 172.16.8.38[500]->172.16.8.33[500] spi=146599732(0x8bcef34)
Sep 8 07:58:43 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.33[500]->172.16.8.38[500] spi=228854563(0xda40b23)
Sep 8 07:58:43 	racoon: [IPSEC FW2]: INFO: respond new phase 2 negotiation: 172.16.8.38[500]<=>172.16.8.33[500]
Sep 8 07:58:43 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=15753609(0xf06189)
Sep 8 07:58:43 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=164379843(0x9cc3cc3)
Sep 8 08:46:42 	racoon: [IPSEC FW1]: INFO: IPsec-SA expired: ESP 172.16.8.22[500]->172.16.8.17[500] spi=160971926(0x9983c96)
Sep 8 08:46:42 	racoon: [IPSEC FW1]: INFO: initiate new phase 2 negotiation: 172.16.8.22[500]<=>172.16.8.17[500]
Sep 8 08:46:42 	racoon: [IPSEC FW1]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.17[500]->172.16.8.22[500] spi=127719491(0x79cd843)
Sep 8 08:46:42 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=42417108(0x2873bd4)
Sep 8 08:46:42 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=117860727(0x7066977)
Sep 8 08:46:44 	racoon: [IPSEC FW2]: INFO: respond new phase 2 negotiation: 172.16.8.38[500]<=>172.16.8.33[500]
Sep 8 08:46:44 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=162027152(0x9a85690)
Sep 8 08:46:44 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=2195156(0x217ed4)
Sep 8 08:46:44 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP 172.16.8.38[500]->172.16.8.33[500] spi=164379843(0x9cc3cc3)
Sep 8 08:46:44 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.33[500]->172.16.8.38[500] spi=15753609(0xf06189)
Sep 8 09:34:43 	racoon: [IPSEC FW1]: INFO: IPsec-SA expired: ESP 172.16.8.22[500]->172.16.8.17[500] spi=117860727(0x7066977)
Sep 8 09:34:43 	racoon: [IPSEC FW1]: INFO: initiate new phase 2 negotiation: 172.16.8.22[500]<=>172.16.8.17[500]
Sep 8 09:34:43 	racoon: [IPSEC FW1]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.17[500]->172.16.8.22[500] spi=42417108(0x2873bd4)
Sep 8 09:34:43 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=205171083(0xc3aa98b)
Sep 8 09:34:43 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=63644472(0x3cb2338)
Sep 8 09:34:45 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP 172.16.8.38[500]->172.16.8.33[500] spi=2195156(0x217ed4)
Sep 8 09:34:45 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.33[500]->172.16.8.38[500] spi=162027152(0x9a85690)
Sep 8 09:34:45 	racoon: [IPSEC FW2]: INFO: respond new phase 2 negotiation: 172.16.8.38[500]<=>172.16.8.33[500]
Sep 8 09:34:45 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=55345065(0x34c7fa9)
Sep 8 09:34:45 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=107959198(0x66f539e)
Sep 8 10:21:15 	racoon: [IPSEC FW1]: INFO: renegotiating phase1 to 172.16.8.17 due to active phase2
Sep 8 10:21:15 	racoon: [IPSEC FW1]: INFO: respond new phase 1 negotiation: 172.16.8.22[500]<=>172.16.8.17[500]
Sep 8 10:21:15 	racoon: INFO: begin Aggressive mode.
Sep 8 10:21:15 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Sep 8 10:21:15 	racoon: INFO: received Vendor ID: DPD
Sep 8 10:21:15 	racoon: [IPSEC FW1]: INFO: ISAKMP-SA established 172.16.8.22[500]-172.16.8.17[500] spi:25c84f02badbf0b0:d128d5730e184f7c
Sep 8 10:21:16 	racoon: [IPSEC FW2]: INFO: renegotiating phase1 to 172.16.8.33 due to active phase2
Sep 8 10:21:16 	racoon: [IPSEC FW2]: INFO: respond new phase 1 negotiation: 172.16.8.38[500]<=>172.16.8.33[500]
Sep 8 10:21:16 	racoon: INFO: begin Aggressive mode.
Sep 8 10:21:16 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Sep 8 10:21:16 	racoon: INFO: received Vendor ID: DPD
Sep 8 10:21:16 	racoon: [IPSEC FW2]: INFO: ISAKMP-SA established 172.16.8.38[500]-172.16.8.33[500] spi:a9767b2315e70da1:b16ecafbf951e190
Sep 8 10:22:44 	racoon: [IPSEC FW1]: INFO: IPsec-SA expired: ESP 172.16.8.22[500]->172.16.8.17[500] spi=63644472(0x3cb2338)
Sep 8 10:22:44 	racoon: [IPSEC FW1]: INFO: initiate new phase 2 negotiation: 172.16.8.22[500]<=>172.16.8.17[500]
Sep 8 10:22:44 	racoon: [IPSEC FW1]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.17[500]->172.16.8.22[500] spi=205171083(0xc3aa98b)
Sep 8 10:22:44 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=64373214(0x3d641de)
Sep 8 10:22:44 	racoon: [IPSEC FW1]: INFO: IPsec-SA established: ESP 172.16.8.22[500]->172.16.8.17[500] spi=30180720(0x1cc8570)
Sep 8 10:22:46 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP 172.16.8.38[500]->172.16.8.33[500] spi=107959198(0x66f539e)
Sep 8 10:22:46 	racoon: [IPSEC FW2]: INFO: IPsec-SA expired: ESP/Transport 172.16.8.33[500]->172.16.8.38[500] spi=55345065(0x34c7fa9)
Sep 8 10:22:46 	racoon: [IPSEC FW2]: INFO: respond new phase 2 negotiation: 172.16.8.38[500]<=>172.16.8.33[500]
Sep 8 10:22:46 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=5852710(0x594e26)
Sep 8 10:22:46 	racoon: [IPSEC FW2]: INFO: IPsec-SA established: ESP 172.16.8.38[500]->172.16.8.33[500] spi=155524182(0x9451c56)

The MSS clamping is set to 1360
MTU size is set to 1412
I have played with both settings, but no improvement.

drawing:

What's not in the drawing, the GRE tunnel runs over the VLANS.
from the 3rd firewall there are 2 ipsec tunnels, routing is policy based and the redundancy is done by a gateway failover (gw1: 172.16.9.1, gw2: 172.16.9.17)

My first setup was ipsec to the 172.16.8.3 CARP adress, but that didn't work very well IPSEC and CARP.

Somebody knows what's wrong in here?