Encrypted GRE Tunnel with IPSEC

Hello Yuri

In the Cisco IPsec Tunnel Mode Configuration lesson, Rene configures exactly what you are looking for. Only traffic between the loopbacks is encrypted. This is achieved using the following access-list configuration:

R1(config)#access-list 100 permit ip host 1.1.1.1 host 3.3.3.3

Similarly, this is also configured on R3, with the loopback addresses swapped:

R3(config)#access-list 100 permit ip host 3.3.3.3 host 1.1.1.1

This way, only traffic to and from the two loopbacks is encrypted.

This access list is then referenced in the crypto map called CRYPTOMAP with the command match address 100, and the crypto map itself is applied to the physical interface using the command crypto map CRYPTOMAP.

The result is that any traffic from one loopback to the other will be encrypted, while all other traffic will not.

I hope this has been helpful!

Laz
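
The check described in the reply above, as an added example that is not part of the original post or the lesson: it parses the two access-list 100 entries, confirms that R1 and R3 are mirror images of each other, and reports which outbound flows the crypto map would encrypt. The function names and the 192.168.12.1 test address are assumptions made for this illustration.

```python
import ipaddress
import re

# ACL lines exactly as shown in the reply (the router prompt is tolerated).
R1_ACL = ["R1(config)#access-list 100 permit ip host 1.1.1.1 host 3.3.3.3"]
R3_ACL = ["R3(config)#access-list 100 permit ip host 3.3.3.3 host 1.1.1.1"]

# Only the "host A host B" form used on the page is supported here.
_ACE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+host\s+(\S+)\s+host\s+(\S+)$"
)

def parse_acl(lines):
    """Return the ACL as an ordered list of (action, src, dst) tuples."""
    entries = []
    for line in lines:
        m = _ACE.search(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        _, action, src, dst = m.groups()
        entries.append(
            (action, ipaddress.ip_address(src), ipaddress.ip_address(dst))
        )
    return entries

def is_protected(acl, src, dst):
    """Outbound view of the router owning the ACL: first match wins.
    In a crypto ACL, permit means encrypt; deny or no match means the
    packet is forwarded in the clear, not dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_src, a_dst in acl:
        if (src, dst) == (a_src, a_dst):
            return action == "permit"
    return False

def mirrored(local, remote):
    """True when each local entry appears on the peer with src/dst swapped."""
    return [(a, d, s) for a, s, d in local] == list(remote)

if __name__ == "__main__":
    r1, r3 = parse_acl(R1_ACL), parse_acl(R3_ACL)
    print("ACLs mirrored:", mirrored(r1, r3))
    # Constructed sample flows leaving R1; 192.168.12.1 is a made-up address.
    for src, dst in [("1.1.1.1", "3.3.3.3"), ("192.168.12.1", "3.3.3.3")]:
        state = "encrypted" if is_protected(r1, src, dst) else "cleartext"
        print(f"{src} -> {dst}: {state}")
```

A peer whose ACL is not the swapped copy fails the `mirrored` check, which is worth catching before the tunnel is tested.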