I have fully functioning Layer 2 MPLS running over my network on Cisco ASR 920 routers. One of the links between 2 routers is provided via a 3rd party service provider, though, which requires us to use encryption on this link to protect our data.
I configured a simple site-to-site VPN between these 2 routers by configuring a crypto-map on the interface between them with the crypto ACL matching interesting traffic between the loopbacks (the loopbacks which are used to create the Pseudowires).
The crypto SA and IPsec are up, OSPF is up, LDP is up, and it looks like everything is working, but if I do a "show crypto ipsec sa", the number of matches for encrypted/decrypted packets is too low, considering the Layer 2 traffic I am pushing through this link.
It looks like only LDP packets are being encrypted, not the actual encapsulated MPLS packets.
Am I doing something wrong? Is this even supposed to work?