Something I noticed when my Apple Watch was associated to the wrong SSID (and was placed on a vLAN different to that of its paired iPhone) was the repeated attempts it was making to set up an IPSEC connection to the iPhone.
I saw this in the logs of the firewall that sits between the vLANs:
2019-10-29T16:56:20+11:00 10.1.1.67 kernel: [5242514.662174] [ALEXT-Zone-Media-340-R] IN=eth0.6 OUT=eth0 MAC=00:50:56:00:00:00:08:f4:ab:00:00:00:08:00 SRC=192.0.2.1 DST=192.0.2.2 LEN=120 TOS=0x00 PREC=0x00 TT L=63 ID=64399 PROTO=ESP SPI=0xabd8402
Here the Watch is 192.0.2.1 and the iPhone 192.0.2.2
Apple’s iOS Security Guide https://www.apple.com/business/docs/site/iOS_Security_Guide.pdf does not mention an IPSEC connection specifically but does discuss secure WiFi connections in case Bluetooth is unavailable.