
Defining IPSec-Protected Data Flows

You can define the data to be protected by IPSec using either of the following methods:
  • Using an ACL

    An ACL can be used to define the data flows to be protected by an IPSec tunnel established manually or through IKE negotiation. Packets that match a permit clause in the ACL are protected; packets that match a deny clause, or match no clause at all, are not. An ACL can match on packet attributes such as IP address, port number, and protocol type, which gives fine-grained control over which traffic an IPSec policy covers.

  • Configuring a route

    A route can be configured to define data flows to be protected by an IPSec tunnel established through IPSec virtual tunnel interfaces. All packets routed to these interfaces are protected. IPSec virtual tunnel interfaces are Layer 3 logical interfaces.

    This method has the following advantages:

    • Simplifies IPSec configuration: the data flows to be protected are simply routed to the virtual tunnel interface, so no ACL is needed to describe the traffic to be encrypted or decrypted.

    • Supports dynamic routing protocols.

    • Protects multicast traffic through GRE over IPSec.
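The following is an added illustration, not code from this documentation or from Huawei, that models the two selection methods above: ACL-based selection with first-match permit/deny semantics, and route-based selection where a packet is protected only if its longest-prefix route points at an IPSec virtual tunnel interface. The prefixes, interface names (`GigabitEthernet0/0/1`, `Tunnel0/0/0`) and ACL rules are constructed sample values, not taken from the page.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "ip", "tcp" or "udp"
    dport: int = 0    # 0 = not applicable

@dataclass(frozen=True)
class AclRule:
    action: str       # "permit" or "deny"
    proto: str        # "ip" matches any protocol
    src: str          # CIDR prefix, e.g. "10.1.1.0/24"
    dst: str
    dport: int = 0    # 0 = any destination port

def acl_selects(rules, pkt):
    """ACL method: first match wins; a permit hit means the flow is protected.
    A deny hit, or no hit at all, means the packet is not protected by IPSec."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.dport and r.dport != pkt.dport:
            continue
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(r.src):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(r.dst):
            continue
        return r.action == "permit"
    return False

def route_selects(routes, tunnel_ifaces, pkt):
    """Route method: longest-prefix match; protected iff the egress
    interface is an IPSec virtual tunnel interface."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(pkt.dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] in tunnel_ifaces

# Constructed sample policy for an assumed topology (not from the page):
# HTTP between the two sites is deliberately excluded, everything else is protected.
ACL = [AclRule("deny", "tcp", "10.1.1.0/24", "10.1.2.0/24", 80),
       AclRule("permit", "ip", "10.1.1.0/24", "10.1.2.0/24")]
ROUTES = [("0.0.0.0/0", "GigabitEthernet0/0/1"), ("10.1.2.0/24", "Tunnel0/0/0")]
TUNNELS = {"Tunnel0/0/0"}
```

Checking a few constructed packets against both models makes the difference visible: with the ACL, a flow that hits the deny rule or no rule leaves the policy unprotected, while with routing every destination behind the tunnel prefix is protected regardless of protocol or port.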

Copyright © Huawei Technologies Co., Ltd.