According to the 13.2X50 release notes, MACSEC is now available on EX, however it is included in a "controlled" version of code which (despite what the release notes say) is not available for download from the support site.
I would recommend logging a JTAC ticket and seeing if they can provide it for you
As for the suitability of running this over a L2 WAN service - that I'm not sure on. I can't find any good technical doco, but I suspect MACSEC would use link-local traffic to form adjacencies and would probably not pass through the NTU that is delivering your L2 VPN service.
If it does, please post on your experience : )
SRX/IPSEC is the best way to do it, however you won't be able to maintain an L2 IPSEC VPN - you'll need to route it.
If you are adamanet on keeping the conection L2, then an SRX using VPLSoGREoIPSEC tunnel would do the trick at the cost of complexity and MTU reduction.
Ben Dale JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63 Juniper Ambassador Follow me @labelswitcher