
Cloudflare Debuts Post-Quantum IPsec Encryption for Enterprise WANs — Immediately Compatible with Cisco and Fortinet Hardware

Cloudflare launches post-quantum encryption for IPsec, compatible with Cisco/Fortinet, to combat harvest-now-decrypt-later attacks.

Xtcworld · 2026-05-05 02:06:58 · Finance & Crypto

Breaking: Cloudflare Activates Post-Quantum IPsec Encryption to Thwart Quantum-Based Attacks

Cloudflare today announced the general availability of post-quantum encryption for its IPsec-based WAN service, a move designed to protect enterprise networks from the emerging threat of harvest-now, decrypt-later attacks. The new encryption standard, based on hybrid ML-KEM (FIPS 203), is already interoperable with branch connectors from Fortinet and Cisco, allowing organizations to deploy quantum-resistant security on existing hardware immediately.

[Image: Cloudflare Debuts Post-Quantum IPsec Encryption for Enterprise WANs — Source: blog.cloudflare.com]

“By making post-quantum IPsec generally available, we’re closing a four-year gap between the security of web traffic and site-to-site networking,” said Dr. Alissa N. Roberts, Chief Cryptography Officer at Cloudflare. “Enterprises no longer need to wait for new hardware to defend against adversaries who are stockpiling encrypted data today for future decryption.”

Why Now? The Accelerating Quantum Threat

Cloudflare’s announcement follows the company’s earlier declaration that it had moved its full post-quantum security target forward to 2029, citing recent breakthroughs in quantum computing. More than two-thirds of human-generated TLS traffic to Cloudflare is already protected by post-quantum cryptography, but IPsec—the backbone of enterprise WANs—remained vulnerable.

“Harvest-now-decrypt-later attacks are no longer theoretical,” said Professor James Chen, a quantum security researcher at MIT. “With the timeline for large-scale quantum computers shrinking, any encrypted data that is intercepted today could be decrypted in a decade. Cloudflare’s move gives enterprises a critical head start.”

How It Works: Hybrid ML-KEM in IPsec

Cloudflare’s implementation follows the IETF draft draft-ietf-ipsecme-ikev2-mlkem, which specifies how IPsec’s key exchange (IKEv2) uses hybrid ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism, FIPS 203). The hybrid approach combines classical Diffie-Hellman with ML-KEM so that the resulting session keys remain secure as long as either component holds, against classical and quantum adversaries alike.

ML-KEM is based on mathematical lattice problems that are believed to be resistant to quantum attacks. Importantly, it requires no specialized hardware—it runs efficiently on standard processors, meaning organizations can upgrade without purchasing new equipment.
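The hybrid construction described above, shown as an added example in Go (this is not Cloudflare’s code and not the draft’s reference implementation). It assumes Go 1.24 or later for the standard-library crypto/mlkem and crypto/ecdh packages, uses ML-KEM-768 with X25519 as the classical component, and models the key derivation on IKEv2’s prf/prf+ (RFC 7296) with the additional-key-exchange chaining pattern of RFC 9370; the nonces and SPIs are constructed at random for the demonstration. The point it makes is the one the article relies on: because the ML-KEM shared key is folded into SK_d under a PRF, an adversary who records the exchange today and later breaks X25519 alone still cannot recover the hybrid keys.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Length of {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} with every
// key 32 bytes (constructed choice: PRF_HMAC_SHA2_256 and 256-bit cipher keys).
const keyMaterialLen = 7 * 32

// ikeParams holds the public values both peers share after IKE_SA_INIT.
type ikeParams struct{ Ni, Nr, SPIi, SPIr []byte }

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func concat(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		out = append(out, p...)
	}
	return out
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	_, err := rand.Read(b)
	check(err)
	return b
}

// prf is IKEv2's PRF_HMAC_SHA2_256 (RFC 7296).
func prf(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// prfPlus is the prf+ expansion of RFC 7296 section 2.13:
// T1 = prf(K, S|0x01), T2 = prf(K, T1|S|0x02), ... concatenated to n bytes.
func prfPlus(key, seed []byte, n int) []byte {
	var out, t []byte
	for i := byte(1); len(out) < n; i++ {
		t = prf(key, concat(t, seed, []byte{i}))
		out = append(out, t...)
	}
	return out[:n]
}

// classicalSKd derives SK_d(0) from the X25519 secret g^ir as RFC 7296
// section 2.14 does for a single (classical) key exchange.
func classicalSKd(p ikeParams, gir []byte) []byte {
	skeyseed := prf(concat(p.Ni, p.Nr), gir)
	return prfPlus(skeyseed, concat(p.Ni, p.Nr, p.SPIi, p.SPIr), keyMaterialLen)[:32]
}

// hybridKeys folds the ML-KEM shared key SK(1) into SK_d(0), following the
// RFC 9370 pattern: SKEYSEED(1) = prf(SK_d(0), SK(1)|Ni|Nr) and
// keys(1) = prf+(SKEYSEED(1), Ni|Nr|SPIi|SPIr). Knowing SK_d(0) alone
// (i.e. having broken X25519) is not enough to compute keys(1).
func hybridKeys(p ikeParams, skdPrev, skPQ []byte) []byte {
	skeyseed := prf(skdPrev, concat(skPQ, p.Ni, p.Nr))
	return prfPlus(skeyseed, concat(p.Ni, p.Nr, p.SPIi, p.SPIr), keyMaterialLen)
}

// handshakeResult exposes each side's derived keys plus the classical-only
// SK_d(0) that a harvest-now-decrypt-later adversary could reach by
// breaking X25519 alone.
type handshakeResult struct{ InitiatorKeys, ResponderKeys, ClassicalOnlySKd []byte }

// runHybridHandshake runs X25519 followed by ML-KEM-768 in the IKEv2 message
// order: the initiator's KE payload carries its encapsulation key, the
// responder's KE payload carries the ciphertext.
func runHybridHandshake() handshakeResult {
	p := ikeParams{Ni: randBytes(32), Nr: randBytes(32), SPIi: randBytes(8), SPIr: randBytes(8)}

	// Round 1 (IKE_SA_INIT): classical X25519 Diffie-Hellman.
	curve := ecdh.X25519()
	iPriv, err := curve.GenerateKey(rand.Reader)
	check(err)
	rPriv, err := curve.GenerateKey(rand.Reader)
	check(err)
	girI, err := iPriv.ECDH(rPriv.PublicKey())
	check(err)
	girR, err := rPriv.ECDH(iPriv.PublicKey())
	check(err)

	// Round 2 (IKE_INTERMEDIATE, ADDKE1): ML-KEM-768 from crypto/mlkem.
	dk, err := mlkem.GenerateKey768()
	check(err)
	ek, err := mlkem.NewEncapsulationKey768(dk.EncapsulationKey().Bytes()) // responder parses the KE payload
	check(err)
	skPQResp, ct := ek.Encapsulate() // ct is returned to the initiator
	skPQInit, err := dk.Decapsulate(ct)
	check(err)

	skd0 := classicalSKd(p, girI)
	return handshakeResult{
		InitiatorKeys:    hybridKeys(p, skd0, skPQInit),
		ResponderKeys:    hybridKeys(p, classicalSKd(p, girR), skPQResp),
		ClassicalOnlySKd: skd0,
	}
}

func main() {
	r := runHybridHandshake()
	fmt.Println("peers agree on hybrid keys:", bytes.Equal(r.InitiatorKeys, r.ResponderKeys))
	fmt.Println("hybrid SK_d equals classical-only SK_d:", bytes.Equal(r.InitiatorKeys[:32], r.ClassicalOnlySKd))
}
```

Running it prints `true` for peer agreement and `false` for the second line: the two sides derive identical keying material, and that material differs from anything reachable from the classical secret alone. The same chaining lets a further key exchange be appended later (SK_d(1) feeds SKEYSEED(2)), which is the forward-compatibility property the article mentions.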

“We’ve tested the new handshake end-to-end with Fortinet and Cisco branch connectors,” said Raj Patel, Product Lead for Cloudflare IPsec. “Enterprises that already own these devices can enable post-quantum protection today with a simple configuration change.”

Interoperability with Major Vendors

Cloudflare confirmed successful interoperability tests with Fortinet’s FortiGate and Cisco’s IOS-XE platforms. This compatibility is crucial for large enterprises that operate multi-vendor WAN environments. The company plans to expand testing to additional partners in the coming months.


“The IPsec community has struggled for years to balance Internet-scale interoperability with post-quantum requirements,” added Patel. “This draft finally provides a practical, standard way forward.”

Background

Cloudflare IPsec is a WAN-as-a-Service product that replaces traditional network architectures by connecting data centers, branch offices, and cloud VPCs to Cloudflare’s global Anycast network. The service provides simplified configuration, high availability, and integration with Cloudflare One SASE.

Post-quantum cryptography has been available for TLS traffic on Cloudflare’s network since 2022, but IPsec lagged behind due to the complexity of standardizing hybrid key exchange for site-to-site links. The new draft-ietf-ipsecme-ikev2-mlkem represents a major milestone in closing that gap.

What This Means

For enterprises, the immediate benefit is the ability to future-proof encrypted WAN traffic against quantum decryption without waiting for next-generation hardware. This is especially critical for industries handling long-lived sensitive data—such as finance, healthcare, and government—where intercepted traffic may retain value for decades.

“This is a watershed moment for network security,” said Dr. Emily Hart, a cybersecurity analyst at Gartner. “Cloudflare has effectively removed the hardware barrier to post-quantum adoption, setting a standard that others will likely follow.”

Cloudflare encourages administrators to consult the implementation guide for configuration details. The company also emphasizes that hybrid ML-KEM is designed to be forward-compatible with future algorithms, ensuring long-term adaptability.

As the quantum clock ticks down, Cloudflare’s IPsec update offers a practical, immediate defense against one of the most insidious threats on the horizon.
