Hello,
By default, the proxy-ids of a route-based tunnel are source 0.0.0.0/0, destination 0.0.0.0/0 & application any.
If you needed to configure a route-based VPN with a peer which did not understand the above default proxy-ids, some configuration was needed to configure the proxy-ids manually, & it was:
* set security ipsec vpn <name> ike proxy-identity local <local subnet> remote <remote subnet>
This was OK for a scenario where there is one subnet each behind the two VPN peers. But if one wanted to use a route-based VPN with multiple subnets behind the VPN gateways, complexity increased, as per VPN only a single subnet pair was configurable, so you needed to create multiple tunnel interfaces, multiple VPNs and in some cases routing instances.
So to tackle this, the traffic-selector configuration was introduced. With traffic selectors, only one VPN with one tunnel interface could cater for multiple-subnet to multiple-subnet communication.
Now, after the VPN establishes as per the proxy-id configuration or traffic-selectors, if you need granular control over the traffic to pass through the VPN, you can take the help of security policies or firewall filters.
So proxy-id (the primitive way) & traffic-selector are equivalent to the crypto map access-list in other vendors' devices.
Security policies and firewall filters can be configured like the vpn-filter access-list in other vendors' devices.
Regards,
Rushi
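The two approaches described above, as an added Junos set-style example that is not part of the original post. The VPN name, gateway name, st0 unit and subnets (vpn-to-branch, gw-branch, st0.0, 10.10.0.0/24, 10.20.0.0/24, 192.168.1.0/24, 192.168.2.0/24) are assumed values; a VPN object uses either proxy-identity or traffic-selectors, not both.

```junos
## Assumed names/addresses: vpn-to-branch, gw-branch, st0.0 and the four /24 subnets below
## Common part: route-based VPN bound to one tunnel interface
set security ipsec vpn vpn-to-branch ike gateway gw-branch
set security ipsec vpn vpn-to-branch bind-interface st0.0

## Option A (primitive way): a single manual proxy-id pair per VPN.
## Only one local/remote subnet pair fits here, so a second subnet pair
## would need another VPN object and another st0 unit.
set security ipsec vpn vpn-to-branch ike proxy-identity local 10.10.0.0/24 remote 192.168.1.0/24

## Option B (traffic-selectors): several subnet pairs on the same VPN
## and the same st0.0; each selector negotiates its own IPsec SA.
## Remove the proxy-identity line above before using these.
set security ipsec vpn vpn-to-branch traffic-selector ts-hq1-br1 local-ip 10.10.0.0/24 remote-ip 192.168.1.0/24
set security ipsec vpn vpn-to-branch traffic-selector ts-hq1-br2 local-ip 10.10.0.0/24 remote-ip 192.168.2.0/24
set security ipsec vpn vpn-to-branch traffic-selector ts-hq2-br1 local-ip 10.20.0.0/24 remote-ip 192.168.1.0/24
set security ipsec vpn vpn-to-branch traffic-selector ts-hq2-br2 local-ip 10.20.0.0/24 remote-ip 192.168.2.0/24
```

After commit, `show security ipsec security-associations` lists one SA per negotiated selector, which is a quick way to confirm the peer accepted each subnet pair; the selectors only decide what is encrypted, so the zone security policies on the st0 interface still decide what is permitted.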