The VPN connection initiation for standard connections to your SAP servers is unidirectional. SEEBURGER starts with the traffic initiation for building the RFC connection by firstly performing registration. When there is a successful RFC/tRFC connection between the BIS and SAP then SAP informs the BIS that there is a waiting invoice, and the data is being sent through the tunnel.
The general concept for the connection on network level means: Within the tunnel there needs to be only an outbound rule to your SAP system, and the rest is managed at application level.