Hi,
in Cisco SD-WAN there are only two encapsulation for tunnel enabled interface. It is either IPSec or GRE. This is used for the Edge routers between them and always BFD run over these protocols (BFD on the other hand is the only option and there is no way to disable it). If you don't want to use IPSec (to eliminate additional overhead), you can use GRE.
By the way, you can also have both GRE and IPSec, then both will be valid path if remote side also has GRE and IPSec. If remote has only one type of, then only tunnel over that type encapsulation will be created.
From config guide:
On Cisco IOS XE SD-WAN devices, you must configure the tunnel encapsulation. The encapsulation can be either IPsec or GRE. For IPsec encapsulation, the default MTU is
1442 bytes, and for GRE it is 1468 bytes, These values are a function of overhead required for BFD path MTU discovery, which is enabled by default on all TLOCs. (For more
information, see Configuring Control Plane and Data Plane High Availability Parameters .) You can configure both IPsec and GRE encapsulation by including two encapsulation
commands under the same tunnel-interface command. On the remote Cisco IOS XE SD-WAN device, you must configure the same tunnel encapsulation type or types so that
the two routers can exchange data traffic. Data transmitted out an IPsec tunnel can be received only by an IPsec tunnel, and data sent on a GRE tunnel can be received only by
a GRE tunnel. The Cisco SD-WAN software automatically selects the correct tunnel on the destination Cisco IOS XE SD-WAN device.
