IPsec and MPLS VPNs are complementary technologies: MPLS VPNs help service providers scale their VPN networks, and this advantage is passed on to the customer as a lower price tag. MPLS offers full VPN separation but no cryptographic security; IPsec lets VPN customers further secure their VPNs if required. The two technologies work well together.
Before considering specific IPsec solutions over MPLS, the goals should be clearly defined: what are the threats, and what must be protected? With a clear threat model, it is usually easy to choose an IPsec deployment model. For example, if the goal is to secure VPN traffic against intrusion, eavesdropping, and misconfiguration on the service provider's side, the IPsec endpoints must lie within the trusted zone of the VPN. This rules out terminating IPsec on the PEs, which are provider-controlled devices. The typical deployment is therefore CE-CE.
There are various options for establishing IPsec tunnels for each of the deployment scenarios. Refer to specific IPsec literature for details; examples are listed in Appendix B.