First off, your any-any default rule will allow all traffic to pass both ways and allow any client from either side to travel down the tunnel when they request it. You want to remove the allow-all rule. Under the Rules section in the IPsec tab, you can deny and allow access however you want with your tunnel or tunnels. You need to focus primarily on the source and destination fields within the IPsec rules. Here you can specify a subnet or a single IP for source or destination.
So for example: I only want 1 system on my network to be able to travel across the tunnel to a remote network. Your rule would look like this:
Proto  Source        Port  Destination   Port  Gateway  Schedule  Description
       192.168.1.10  *     10.2.2.20     *     *                  Test Tunnel Rule 1
The example above will only allow this very thing to happen across the tunnel. Only 1 system from the LAN network will be able to access through the tunnel, coming from any port and going to any port, to only 1 specific system on the remote backup network. This is what you want, because nothing else can come back through your tunnel and access other systems on your network without an additional rule that allows it. In order for the remote system at 10.2.2.20 to come back through the tunnel and talk with system 192.168.1.10, you would have to create another rule that looks like the following:
Proto  Source        Port  Destination   Port  Gateway  Schedule  Description
       10.2.2.20     *     192.168.1.10  *     *                  Test Tunnel Rule 2