Thanks for the input, you are right on both counts: I indeed missed that the erlite does not offload sha256 and have now removed the option on the erlite as you suggested. Regarding the split tunneling I actually was aware of that but you are right that my original post did not reflect this (previously).
I have updated the original post accordingly.