Without encryption added, 2901 can do 167.42 Mbps. Again, this figure is expressed WITHOUT any encryption and outgoing AND incoming traffic is added together, making the figures quite impressive (and misleading somewhat).
So, we typically half the value to get a true idea of concurrent outgoing/incoming traffic is like. Now if you want to add encryption, rule-of-thumb applies by halving this value further. So, the easiest way is to get 167.42 and factor this by 4 and you'll get 41.855 Mbps. With the value of 41.855 Mbps, this means you a single-directional and encrypted traffic.
NOTE: Rule-of-thumb of half the value for encryption because only Cisco knows the true value. With ISR G2, the encryption "penalty" can be LOWER than 50%.
So you are seeing "66-68 Mbps" is normal for a 2901. If you want something that push 120 Mbps, then you'll have to consider a 3945E as a bare minimum.