If you use autoconfiguration, your IPv6 addresses might not be predictable. To configure IP filter rules for dynamic Security Associations with autoconfigured IPv6 addresses, you need to specify the IP addresses using wildcards.
Manual Security Associations typically use specific IP addresses for the endpoints. You can use wildcards for the security endpoint addresses so that the data endpoints and security endpoints are considered identical. Alternatively, you can use predictable IPv6 addresses for the security endpoints. You can obtain predictable IPv6 addresses by configuring full 128-bit IPv6 addresses on your INTERFACE statements, by specifying the INTFID keyword on your INTERFACE statements, or by using VIPAs.