Cloudflare IPsec Now Supports Post-Quantum Encryption: What You Need to Know

<p>Cloudflare has taken a major step in securing wide-area networks (WANs) against future quantum threats by making post-quantum encryption generally available for its IPsec service. This update protects data in transit from harvest-now-decrypt-later attacks, where adversaries collect encrypted traffic today with the intent to decrypt it once quantum computers become powerful enough to break classical cryptography. The implementation uses hybrid ML-KEM (FIPS 203), combining traditional Diffie-Hellman with a lattice-based key-encapsulation mechanism. Below, we explore the key questions surrounding this development, including how it works, why it took longer than TLS, and what it means for your network.</p> <h2 id="q1-what-is-cloudflare-ipsec">What is Cloudflare IPsec and why is post-quantum encryption important for it?</h2> <p>Cloudflare IPsec is a WAN Network-as-a-Service that replaces legacy network architectures by connecting data centers, branch offices, and cloud VPCs to Cloudflare's global IP Anycast network. It provides simplified configuration, high availability through automatic rerouting, and integration with the Cloudflare One SASE platform—all via encrypted IPsec tunnels. However, traditional IPsec relies on classical public-key cryptography (like Diffie-Hellman) that is vulnerable to quantum computers. With the rapid advancement of quantum computing, organizations face the risk of <a href="#q5-harvest-now-decrypt-later">harvest-now-decrypt-later attacks</a>—where encrypted data is captured today but decrypted after Q-Day. 
Post-quantum encryption ensures that even if an attacker collects IPsec traffic now, they cannot later break the encryption, protecting sensitive business data, remote office connections, and cloud communications.</p><figure style="margin:20px 0"><img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/59SsmrLgEj4qKe6vxXmnBO/0ee3d0ae38ec1b4198407219ea16e465/Post-quantum_encryption_for_Cloudflare_IPsec_is_generally_available-OG.png" alt="Cloudflare IPsec Now Supports Post-Quantum Encryption: What You Need to Know" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: blog.cloudflare.com</figcaption></figure> <h2 id="q2-how-does-hybrid-ml-kem-work">How does the new hybrid ML-KEM work in IPsec?</h2> <p>The implementation follows the IETF draft <em>draft-ietf-ipsecme-ikev2-mlkem</em>, which specifies post-quantum encryption for IPsec using a hybrid approach that combines classical Diffie-Hellman (used in standard IKEv2) with ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism). During the IPsec handshake, both key exchange methods run in parallel. The resulting shared secrets are combined to produce a final session key that inherits security from both: even if quantum computers break the Diffie-Hellman part, the ML-KEM component remains secure. ML-KEM is designed to run purely in software on standard processors, requiring no specialized hardware. This hybrid model ensures backward compatibility—if a peer does not support ML-KEM, the handshake falls back to classical Diffie-Hellman, making deployment incremental and interoperable.</p> <h2 id="q3-why-it-took-longer-than-tls">Why did post-quantum IPsec take longer to implement than TLS?</h2> <p>While more than two-thirds of human-generated TLS traffic to Cloudflare is already protected by post-quantum cryptography, IPsec lagged behind. The primary reason is the difference in standardization and ecosystem maturity. 
TLS benefited from early embedding of post-quantum key agreement in popular libraries (e.g., OpenSSL, BoringSSL), which accelerated deployment across browsers and CDNs. IPsec, on the other hand, is deeply integrated into a wide range of specialized hardware appliances from vendors like Cisco, Fortinet, and many others—each with its own proprietary implementation and upgrade cycles. Achieving Internet-scale interoperability in the IPsec community required consensus on a standard draft, extensive lab testing, and vendor coordination. The new hybrid ML-KEM draft finally provided a clear path, but the process of getting major hardware vendors to support it took four years longer than the TLS counterpart.</p> <h2 id="q4-interoperability-vendors">Which vendors have tested interoperability with Cloudflare's post-quantum IPsec?</h2> <p>Cloudflare has successfully tested interoperability of the new hybrid ML-KEM handshake with branch connectors from Fortinet and Cisco. This means customers can already deploy post-quantum protection using their existing hardware from these major vendors—no forklift upgrades needed. The testing covered end-to-end IPsec tunnel establishment using the IETF draft, confirming that the hybrid key exchange works seamlessly across different implementations. This is a critical milestone because it demonstrates that the standard is practical for heterogeneous enterprise networks. 
As more vendors adopt the draft, the barrier to post-quantum security in WANs will continue to drop, allowing organizations to protect their wide-area networks against future quantum threats today.</p> <h2 id="q5-harvest-now-decrypt-later">What are harvest-now-decrypt-later attacks and how does this protect against them?</h2> <p>Harvest-now-decrypt-later (HNDL) attacks are a strategic threat where an adversary collects encrypted network traffic over time—perhaps for months or years—with the intention of decrypting it later, once sufficiently powerful quantum computers become available. This is particularly concerning for IPsec tunnels that carry sensitive corporate data, financial records, or intellectual property. The protection offered by Cloudflare's post-quantum IPsec is straightforward: by incorporating ML-KEM into the key exchange, the encryption becomes resistant to both classical and quantum cryptanalysis. Even if an attacker records all the IKE handshake messages and encrypted data today, they cannot reverse the key agreement because ML-KEM relies on mathematical problems (lattice-based) that are not known to be solvable by quantum algorithms. This forward-thinking defense ensures that your WAN traffic remains confidential beyond Q-Day.</p> <h2 id="q6-what-is-ml-kem">What is ML-KEM and why was it chosen?</h2> <p>ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is a post-quantum cryptography algorithm standardized as FIPS 203. 
It is based on the hardness of problems in lattice mathematics—specifically, the Module-LWE (Learning With Errors) problem—which is believed to be intractable for both classical and quantum computers. ML-KEM was chosen for IPsec because it is designed for software implementation on standard processors, requiring no dedicated hardware or physical link. It offers a good balance of security, performance, and key sizes. In the IPsec context, it is used in a hybrid mode alongside classical Diffie-Hellman, so that even if vulnerabilities are later found in the classical component, the post-quantum part remains secure. This choice aligns with industry consensus (NIST, IETF) and ensures long-term viability as quantum computing matures.</p> <h2 id="q7-cloudflare-roadmap">How does this fit into Cloudflare's broader post-quantum roadmap?</h2> <p>Earlier this month, Cloudflare announced it has moved its target for full post-quantum security forward to 2029, accelerating its timeline due to recent advances in quantum computing. Making post-quantum encryption generally available for IPsec is a key milestone on that roadmap. It complements Cloudflare's existing post-quantum support in TLS, which already protects a majority of human-generated traffic. For network and security teams, this means they can now extend quantum-safe protection to site-to-site IPsec tunnels, outbound Internet connections, and the Cloudflare One SASE platform. The company continues to work with the IETF and hardware vendors to standardize the hybrid IPsec handshake and drive adoption. Over the next few years, Cloudflare expects to integrate post-quantum cryptography into even more services, ensuring that the entire edge-to-cloud architecture remains secure through the quantum transition.</p>
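<p>To make the key combination from the section "How does the new hybrid ML-KEM work in IPsec?" concrete, the following added example (not code from Cloudflare or from the original post) derives an IKEv2 key from a classical secret and then mixes in a second secret. It assumes the RFC 7296 <code>prf+</code> construction and the RFC 9370 key update, with HMAC-SHA-384 as the PRF; the function names are illustrative and the two shared secrets are constructed stand-ins, so no real Diffie-Hellman or ML-KEM operation is performed.</p>

```python
import hashlib
import hmac

PRF_HASH = hashlib.sha384  # assumption: HMAC-SHA-384 is the negotiated IKEv2 PRF

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, PRF_HASH).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 prf+: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def derive_sk_d(skeyseed, ni, nr, spi_i, spi_r):
    # SK_d is the first PRF-sized chunk of prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, PRF_HASH().digest_size)

def hybrid_sk_d(dh_secret, mlkem_secret, ni, nr, spi_i, spi_r):
    skeyseed0 = prf(ni + nr, dh_secret)            # classical exchange only
    sk_d0 = derive_sk_d(skeyseed0, ni, nr, spi_i, spi_r)
    # RFC 9370 update: SKEYSEED(1) = prf(SK_d(0), SK(1) | Ni | Nr)
    skeyseed1 = prf(sk_d0, mlkem_secret + ni + nr)
    return sk_d0, derive_sk_d(skeyseed1, ni, nr, spi_i, spi_r)

def demo():
    # Constructed sample values; nonces and SPIs are visible to anyone recording IKE_SA_INIT.
    ni, nr = b"\x11" * 32, b"\x22" * 32
    spi_i, spi_r = b"\xa1" * 8, b"\xb2" * 8
    dh = hashlib.sha256(b"constructed DH shared secret").digest()
    kem = hashlib.sha256(b"constructed ML-KEM shared secret").digest()
    classical, hybrid = hybrid_sk_d(dh, kem, ni, nr, spi_i, spi_r)
    # Harvest-now-decrypt-later model: the classical secret is later recovered,
    # but the ML-KEM secret is not, so the adversary has to guess it.
    atk_classical, atk_hybrid = hybrid_sk_d(dh, b"\x00" * 32, ni, nr, spi_i, spi_r)
    return {
        "classical_recovered": hmac.compare_digest(atk_classical, classical),
        "hybrid_recovered": hmac.compare_digest(atk_hybrid, hybrid),
    }

if __name__ == "__main__":
    print(demo())
```

<p>The classical-only key falls once the Diffie-Hellman secret is known, while the key derived after the second exchange still depends on the ML-KEM secret.</p>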