Cisco SD-WAN IPSec encapsulation on tunnel interface of vBond
When configuring Cisco SD-WAN, vBond only creates permanent DTLS tunnels with the vSmart and vManage and temporary DTLS tunnels with WAN Edge routers for discovery and authentication purposes. So at no point does the vBond actually need an IPSec encapsulation in its tunnel interface since it will never use IPSec.
However, the vBond orchestrator is the same image as the vEdge router. Technically, vBond doesn’t require the encapsulation ipsec
command but this is just the way you are required to configure it.