https://docs.openshift.com/container-platform/4.14/networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.html#configuring-ipsec-ovn-prerequisites

We started supporting runtime enablement of IPsec since 4.11 via https://issues.redhat.com/browse/SDN-1571 which takes care of migrating cluster network MTU to accomodate 46 bytes header size required for IPsec. So it was never a pre-requisite as runtime enablement takes care of it

We also need to exclaim on releases which supports Hypershift  (4.11+) that "IPSec EW is not supported on Hosted clusters but just management" 

    1.
    2.
    3.