3011 - seems to be without hw encryption. What's the point of looking at it at all?
Although 10 Mbit and 2011 will live, you will run into the speed of the channel in the main office.
If you plan to expand the channel (and you will probably have to do this) - look towards 750r3, it costs a penny, ipsec chews hard.

Definitely wait for 3011. It will be enough for your needs. Regarding Ipsec, as far as I remember, the developers said that:
https://forum.mikrotik.com/viewtopic.php?t=102453#...
IPsec accelerator support for RB3011 is still being worked on, the HW acceleration is not yet supported for this model. The CPU is much faster than RB2011 even without HW accelerator.
Q: But HW acceleration will be supported in the near future?
A: We are working on it, yes.
When this will be, of course, is not very clear.
In branch, I all the same as well as poisons would advise to put with hardware ipsec. Hap ac lite is clearly not very suitable for these purposes. Currently these models are:
RB1100AHx4
hEX v3 (RB750Gr3 model only)
All Cloud Core Router (CCR) series devices
RB1100AHx2
RB1000
RB850Gx2 (only starting 2016, serial numbers that begin with number 5)
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Har...
The most affordable is hex v3.
3011 remains questionable whether it will be finished with this feature.

I have 2011 for an office of 50 people, should be enough. But if you set up a lot of rules, then the speed can sag. But it is better to pay attention to crs125-24g-1s-2hnd, it will be more powerful. It perfectly holds 50 users. No problem.
It is better not to install Mikrotik hAP in the office. At least 951 models