Cloudflare Makes Post-Quantum Encryption for IPsec Generally Available, Interoperable with Cisco and Fortinet
Cloudflare has announced general availability of post-quantum encryption for its IPsec product, using hybrid ML-KEM per draft-ietf-ipsecme-ikev2-mlkem, with confirmed interoperability with Fortinet FortiOS 7.6.6+ and Cisco 8000 Series routers.

Cloudflare has announced the general availability of post-quantum encryption for its IPsec product, marking a significant step in protecting site-to-site WAN traffic against harvest-now-decrypt-later attacks. The implementation uses hybrid ML-KEM (FIPS 203) as specified in the IETF draft draft-ietf-ipsecme-ikev2-mlkem, and has been tested for interoperability with Fortinet FortiOS 7.6.6 and later, as well as Cisco 8000 Series Secure Routers running version 26.1.1 or higher. According to Cloudflare's blog post, this enables organizations to secure their wide-area network connections using existing hardware, without requiring specialized equipment.
The new IPsec handshake combines a classical Diffie-Hellman key exchange with ML-KEM in a hybrid approach, using the multiple-key-exchange mechanism of RFC 9370 on which the draft builds. The classical Diffie-Hellman exchange runs first in IKE_SA_INIT; the keys derived from it encrypt a second exchange (IKE_INTERMEDIATE) that carries the ML-KEM public key and ciphertext, and the shared secrets of both exchanges are chained into the session keys that protect IPsec data plane traffic sent using the Encapsulating Security Payload (ESP) protocol. Because both secrets feed the final keys, an attacker must break both components: if quantum computers eventually break classical public-key cryptography, the session keys remain secure as long as ML-KEM holds, and if a flaw is found in ML-KEM, the classical component still provides today's level of security.
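The chaining described above is the IKEv2 key schedule of RFC 7296 extended by RFC 9370. The following Python is an added illustration written for this page, not Cloudflare's, strongSwan's or any vendor's code: it implements the PRF+ expansion and the two-stage SKEYSEED derivation with HMAC-SHA256, and uses constructed random byte strings in place of the classical DH secret and the ML-KEM shared secret (no ML-KEM encapsulation is performed). Using one 32-byte length for all seven SK_* keys is a simplification; real implementations size SK_a* and SK_e* to the negotiated integrity and encryption algorithms. The demo shows that a harvester who later recovers the classical secret can reconstruct the IKE_SA_INIT keys (and so strip the encryption from the IKE_INTERMEDIATE message), but still cannot derive the final SK_d that the ESP keys descend from.

```python
"""Hybrid IKEv2 key schedule: RFC 7296 section 2.14 plus RFC 9370 section 2.2.3.

Added example, not code from Cloudflare, strongSwan or any vendor. The DH and
ML-KEM shared secrets below are constructed placeholders; no real key exchange
is run. What is shown is how the two secrets are chained into the session keys.
"""
import hashlib
import hmac
import secrets

KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 PRF instantiated as PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (RFC 7296 2.13): T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, t, counter = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([counter]))
        out += t
        counter += 1
    return out[:length]


def split_keys(keymat: bytes, klen: int) -> dict:
    """Carve SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr out of prf+ output."""
    return {name: keymat[i * klen:(i + 1) * klen] for i, name in enumerate(KEY_NAMES)}


def ike_sa_keys(ni, nr, spii, spir, g_ir, klen=32):
    """IKE_SA_INIT derivation: SKEYSEED = prf(Ni | Nr, g^ir), keys = prf+(SKEYSEED, ...).
    With only the classical exchange done, these keys are all a quantum attacker needs
    to read the IKE_INTERMEDIATE message that carries the ML-KEM exchange."""
    skeyseed = prf(ni + nr, g_ir)
    return split_keys(prf_plus(skeyseed, ni + nr + spii + spir, 7 * klen), klen)


def additional_ke_keys(prev, ni, nr, spii, spir, sk_n, klen=32):
    """RFC 9370 2.2.3: after the n-th additional key exchange,
    SKEYSEED(n) = prf(SK_d(n-1), SK(n) | Ni | Nr), then prf+ is rerun.
    SK(n) here is the ML-KEM shared secret; SK_d(n-1) ties in the classical secret."""
    skeyseed_n = prf(prev["SK_d"], sk_n + ni + nr)
    return split_keys(prf_plus(skeyseed_n, ni + nr + spii + spir, 7 * klen), klen)


def hybrid_ike_keys(ni, nr, spii, spir, g_ir, kem_ss):
    """Classical DH first, ML-KEM second, both mixed into the final IKE SA keys.
    The ESP (Child SA) keys are in turn derived from the final SK_d."""
    classical = ike_sa_keys(ni, nr, spii, spir, g_ir)
    return additional_ke_keys(classical, ni, nr, spii, spir, kem_ss)


def demo() -> dict:
    """Constructed session (random placeholders, not a real handshake)."""
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    spii, spir = secrets.token_bytes(8), secrets.token_bytes(8)
    g_ir = secrets.token_bytes(32)     # stands in for the classical (EC)DH shared secret
    kem_ss = secrets.token_bytes(32)   # stands in for the ML-KEM-768 shared secret
    initiator = hybrid_ike_keys(ni, nr, spii, spir, g_ir, kem_ss)
    responder = hybrid_ike_keys(ni, nr, spii, spir, g_ir, kem_ss)
    # A harvester who later breaks the classical exchange learns g_ir and can
    # recompute the IKE_SA_INIT keys, but not the post-ML-KEM keys.
    harvester = ike_sa_keys(ni, nr, spii, spir, g_ir)
    return {
        "peers_agree": initiator == responder,
        "classical_keys_reveal_final_sk_d": harvester["SK_d"] == initiator["SK_d"],
    }


if __name__ == "__main__":
    print(demo())
```

Note the caveat the code makes visible: the classical-only keys protect the ML-KEM messages from a present-day eavesdropper only. A future quantum attacker can strip that layer and see the ML-KEM public key and ciphertext, so the confidentiality of the final keys rests on ML-KEM alone in that scenario, which is exactly the property the hybrid is designed to provide.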
Harvest-now-decrypt-later attacks are a growing concern as estimates of when a cryptographically relevant quantum computer will exist keep shortening. In these attacks, adversaries record encrypted traffic today and store it, waiting for the day when a quantum computer can recover the key exchange and decrypt it retroactively; data that must stay confidential for years is therefore already at risk, even though no such machine exists yet. Cloudflare's move to post-quantum IPsec directly addresses this threat, and the company has set a target of 2029 for fully transitioning its entire infrastructure to post-quantum cryptography.
The general availability follows a closed beta that tested the implementation against a reference strongSwan setup. The confirmed interoperability with Cisco and Fortinet is a critical milestone, as it demonstrates that the new standard can work across different vendors' hardware in real-world deployments. This is particularly important for enterprises that rely on multi-vendor environments for their WAN infrastructure.
The IPsec community has been slower than the TLS community to adopt post-quantum cryptography. While Cloudflare enabled hybrid post-quantum key agreement for TLS in 2022, the IPsec draft for hybrid ML-KEM only became available in late 2025. This four-year delay is partly attributed to continued interest in Quantum Key Distribution (QKD), which requires specialized hardware and dedicated physical links, making it unsuitable for Internet-scale deployment. The U.S. NSA, Germany's BSI, and the UK's NCSC have all warned against relying solely on QKD.
Cloudflare's IPsec product is a WAN Network-as-a-Service that connects data centers, branch offices, and cloud VPCs to Cloudflare's global IP Anycast network. It supports both site-to-site WAN connections and outbound Internet traffic, as well as connectivity to the Cloudflare One SASE platform. The addition of post-quantum encryption means that all IPsec tunnels established through Cloudflare's network can now be protected against future quantum threats.
For organizations already using Fortinet or Cisco branch connectors, enabling post-quantum IPsec requires upgrading to the firmware versions named above and configuring the hybrid ML-KEM proposal on both ends of the tunnel; the handshake only upgrades when both peers offer the additional key exchange. Cloudflare has provided documentation and support for the transition. The company emphasizes that upgrading cryptography is hard and can take years, making early adoption critical for data that must remain confidential for decades.
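The vendor-specific FortiOS and Cisco configuration is not reproduced here. As an added illustration of what the hybrid proposal looks like on the strongSwan side that Cloudflare used as its beta reference, the following swanctl.conf fragment is this page's own example, not Cloudflare's published configuration. It assumes strongSwan 6.0 or later, where ML-KEM is selected as an additional key exchange with the `ke1_` prefix; the addresses, identities, subnets and the pre-shared key are placeholders.

```conf
# Added example (not Cloudflare's or a vendor's configuration).
# Assumes strongSwan >= 6.0; addresses, IDs and the PSK are placeholders.
connections {
    pq-hub {
        remote_addrs = 203.0.113.10
        local  { auth = psk  id = branch-1 }
        remote { auth = psk  id = hub }
        # Classical X25519 in IKE_SA_INIT, then ML-KEM-768 as the first
        # additional key exchange (ke1_) in IKE_INTERMEDIATE. Offering a
        # proposal without ke1_mlkem768 as a fallback would let a
        # downgrading peer avoid the post-quantum exchange, so none is listed.
        proposals = aes256gcm16-prfsha384-x25519-ke1_mlkem768
        children {
            lan {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                esp_proposals = aes256gcm16
            }
        }
    }
}
secrets {
    ike-hub {
        id = hub
        secret = "replace-with-a-long-random-psk"
    }
}
```

After loading with `swanctl --load-all`, `swanctl --list-sas` shows the negotiated proposal for the IKE SA; if the peer does not support the additional key exchange, negotiation fails rather than silently falling back, which is the behaviour a practitioner should want while confirming interoperability.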
This announcement is part of a broader industry push toward post-quantum cryptography. NIST finalized the ML-KEM standard as FIPS 203 in August 2024, and the IETF is working on integrating it into various protocols. General availability of post-quantum IPsec from a provider of Cloudflare's scale signals that the technology is ready for production use, and it sets a precedent for other vendors to follow.