An ACL can define the data flows that an IPSec tunnel protects. Packets that match a permit clause in the ACL are protected; packets that match no permit clause are not protected. The ACL can match on packet attributes such as the IP address, port number, and protocol type, which provide flexibility in defining IPSec policies.
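
The selection logic described above, as an added example that is not part of the original page: a small model of an ACL that decides which packets are protected. The rule fields, the addresses, the deny rule and the first-match evaluation order are assumptions made for illustration.

```python
# Added illustration; rule fields, addresses and first-match order are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches any protocol
    src: str                         # source prefix (CIDR)
    dst: str                         # destination prefix (CIDR)
    dst_port: Optional[int] = None   # None matches any port

@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None

def matches(rule, pkt):
    if rule.protocol not in ("ip", pkt.protocol):
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port

def classify(acl, pkt):
    for rule in acl:  # assumed: the first matching rule decides
        if matches(rule, pkt):
            return "protect" if rule.action == "permit" else "bypass"
    return "bypass"  # matched no permit clause: not protected

# Constructed ACL: protect only TCP/443 between two sites, except one host.
ACL = [
    Rule("deny", "tcp", "10.1.1.99/32", "10.1.2.0/24", 443),
    Rule("permit", "tcp", "10.1.1.0/24", "10.1.2.0/24", 443),
]
# Constructed sample packets.
SAMPLES = {
    "https": Packet("tcp", "10.1.1.10", "10.1.2.20", 443),
    "excluded_host": Packet("tcp", "10.1.1.99", "10.1.2.20", 443),
    "dns": Packet("udp", "10.1.1.10", "10.1.2.53", 53),
    "other_site": Packet("tcp", "10.1.1.10", "10.9.9.9", 443),
}
def audit(acl=ACL, samples=SAMPLES):
    return {name: classify(acl, pkt) for name, pkt in samples.items()}
if __name__ == "__main__": print(audit())
```

Checking the flows you expect to be encrypted against the ACL in this way shows which ones a narrowly scoped permit clause leaves unprotected, such as the DNS traffic between the same two sites here.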