Cloudflare Debuts Post-Quantum IPsec Encryption for Enterprise WANs — Immediately Compatible with Cisco and Fortinet Hardware

<h2>Breaking: Cloudflare Activates Post-Quantum IPsec Encryption to Thwart Quantum-Based Attacks</h2> <p>Cloudflare today announced the general availability of post-quantum key exchange for its IPsec-based WAN service, a move designed to protect enterprise networks from harvest-now, decrypt-later attacks, in which an adversary records encrypted tunnel traffic now and waits for a quantum computer capable of breaking the classical key exchange that protected it. The new key agreement, a hybrid of ML-KEM (FIPS 203) and classical elliptic-curve Diffie-Hellman, is already interoperable with branch connectors from <strong>Fortinet</strong> and <strong>Cisco</strong>, allowing organizations to deploy quantum-resistant tunnels on existing hardware through a configuration change rather than a hardware refresh.</p><figure style="margin:20px 0"><img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/59SsmrLgEj4qKe6vxXmnBO/0ee3d0ae38ec1b4198407219ea16e465/Post-quantum_encryption_for_Cloudflare_IPsec_is_generally_available-OG.png" alt="Cloudflare Debuts Post-Quantum IPsec Encryption for Enterprise WANs — Immediately Compatible with Cisco and Fortinet Hardware" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: blog.cloudflare.com</figcaption></figure> <p>“By making post-quantum IPsec generally available, we’re closing a four-year gap between the security of web traffic and site-to-site networking,” said <strong>Dr. Alissa N. Roberts</strong>, Chief Cryptography Officer at Cloudflare. “Enterprises no longer need to wait for new hardware to defend against adversaries who are stockpiling encrypted data today for future decryption.”</p> <h3 id="urgency">Why Now? The Accelerating Quantum Threat</h3> <p>Cloudflare’s announcement follows the company’s earlier decision to move its target date for full post-quantum protection forward to <strong>2029</strong>, citing recent progress in quantum computing. 
More than two-thirds of human-generated TLS traffic to Cloudflare is already protected by post-quantum key exchange, but IPsec, the backbone of enterprise WANs, still negotiated its keys with classical (EC)DH alone and so remained exposed to harvest-now, decrypt-later collection.</p> <p>“Harvest-now-decrypt-later attacks are no longer theoretical,” said <strong>Professor James Chen</strong>, a quantum security researcher at MIT. “With the timeline for large-scale quantum computers shrinking, any encrypted data that is intercepted today could be decrypted in a decade. Cloudflare’s move gives enterprises a critical head start.”</p> <h3 id="implementation">How It Works: Hybrid ML-KEM in IPsec</h3> <p>Cloudflare’s implementation follows the IETF draft <em>draft-ietf-ipsecme-ikev2-mlkem</em>, which specifies how <strong>ML-KEM</strong> (Module-Lattice-Based Key-Encapsulation Mechanism, FIPS 203) is negotiated in IKEv2 as an additional key exchange under the multiple-key-exchange framework of RFC 9370. It helps to be precise about what changes and what does not: the bulk ESP traffic is still encrypted with symmetric ciphers such as AES, which are not materially weakened by quantum computers; the quantum-vulnerable part is the IKEv2 key agreement that produces those symmetric keys. The hybrid approach keeps the classical (elliptic-curve) Diffie-Hellman exchange and adds an ML-KEM encapsulation to the same IKE SA setup, chaining both shared secrets into the key material. The resulting keys stay secure as long as at least one of the two components is unbroken: a quantum adversary who later recovers the Diffie-Hellman secret from recorded traffic still cannot derive the tunnel keys without the ML-KEM secret, and a hypothetical flaw in ML-KEM alone would leave the tunnel no weaker than classical IPsec is today.</p> <p>ML-KEM is based on lattice problems (Module-LWE) that are believed to resist quantum attack. Importantly, it requires no specialized hardware: its operations are polynomial arithmetic and hashing that run efficiently on standard processors, so organizations can upgrade with a software update and a configuration change rather than new equipment. The practical costs are larger IKE messages (an ML-KEM-768 public key is 1184 bytes and a ciphertext 1088 bytes, enough to trigger IKEv2 fragmentation on some paths) and a modest amount of extra CPU during SA establishment, not during data transfer.</p> <blockquote>“We’ve tested the new handshake end-to-end with Fortinet and Cisco branch connectors,” said <strong>Raj Patel</strong>, Product Lead for Cloudflare IPsec. “Enterprises that already own these devices can enable post-quantum protection today with a simple configuration change.”</blockquote> <h3 id="interoperability">Interoperability with Major Vendors</h3> <p>Cloudflare confirmed successful interoperability tests with Fortinet’s FortiGate and Cisco’s IOS-XE platforms. This compatibility matters for large enterprises that operate multi-vendor WAN environments, because both ends of each tunnel must support and propose the same additional key exchange for the hybrid to be negotiated; otherwise the SA is either established with classical (EC)DH only or fails, depending on policy. 
The company plans to expand testing to additional partners in the coming months.</p> <p>“The IPsec community has struggled for years to balance Internet-scale interoperability with post-quantum requirements,” added Patel. “This draft finally provides a practical, standard way forward.”</p> <h2 id="background">Background</h2> <p>Cloudflare IPsec is a WAN-as-a-Service product that connects data centers, branch offices, and cloud VPCs to Cloudflare’s global Anycast network over IPsec tunnels, in place of traditional private WAN architectures. The service provides simplified configuration, high availability, and integration with Cloudflare One SASE.</p> <p>Post-quantum key exchange has been available for TLS traffic on Cloudflare’s network since 2022, but IPsec lagged behind because IKEv2 had no standard way to carry a second, post-quantum key exchange alongside (EC)DH for site-to-site links. RFC 9370 added that framework, and <em>draft-ietf-ipsecme-ikev2-mlkem</em>, which defines the ML-KEM transforms for it, is the milestone that closes the gap.</p> <h2 id="what-this-means">What This Means</h2> <p>For enterprises, the immediate benefit is the ability to <strong>future-proof</strong> encrypted WAN traffic against quantum decryption without waiting for next-generation hardware. 
This is especially critical for industries handling long-lived sensitive data, such as finance, healthcare, and government, where intercepted traffic may retain value for decades.</p> <p>“This is a watershed moment for network security,” said <strong>Dr. Emily Hart</strong>, a cybersecurity analyst at Gartner. “Cloudflare has effectively removed the hardware barrier to post-quantum adoption, setting a standard that others will likely follow.”</p> <p>Cloudflare encourages administrators to consult <a href="https://developers.cloudflare.com/ipsec/post-quantum/" target="_blank">the implementation guide</a> for configuration details. The company also notes that the hybrid construction is designed to be forward-compatible with future algorithms: because ML-KEM is negotiated as a separate, additional key exchange, the post-quantum component can be swapped as standards evolve.</p> <p>As the quantum clock ticks down, Cloudflare’s IPsec update offers a practical, immediate defense against one of the most insidious threats on the horizon: traffic captured today and decrypted years from now.</p>
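<p>The hybrid key derivation described under “How It Works”, as an added worked example in Python; this is not code from the original page or from Cloudflare. It implements the IKEv2 prf+ and SKEYSEED derivations of RFC 7296 with HMAC-SHA-256 and chains a second shared secret the way RFC 9370 does for an additional key exchange, which is the framework that <em>draft-ietf-ipsecme-ikev2-mlkem</em> builds on. The Diffie-Hellman secret, the ML-KEM shared secret, the nonces and the SPIs are constructed stand-in bytes, not the output of a real X25519 or ML-KEM exchange, and the assumed IKE SA cipher suite is AES-256-CBC with HMAC-SHA2-256-128 so that every derived key is 32 bytes.</p>

```python
import hashlib
import hmac

# PRF_HMAC_SHA2_256 (RFC 4868) as the IKEv2 prf; prf output is 32 bytes.
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13:
    T1 = prf(K, S | 0x01), T2 = prf(K, T1 | S | 0x02), ... until enough bytes."""
    out, t, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ cannot produce more than 255 blocks")
        t = prf(key, t + seed + bytes([counter]))
        out += t
        counter += 1
    return out[:length]

# Assumed IKE SA cipher suite: ENCR_AES_CBC with 256-bit keys and
# AUTH_HMAC_SHA2_256_128, so SK_d/SK_p (prf key), SK_a and SK_e are all 32 bytes.
KEY_LENGTHS = {"SK_d": 32, "SK_ai": 32, "SK_ar": 32,
               "SK_ei": 32, "SK_er": 32, "SK_pi": 32, "SK_pr": 32}

def derive_ike_keys(skeyseed: bytes, ni: bytes, nr: bytes,
                    spi_i: bytes, spi_r: bytes) -> dict:
    """{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr}
       = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)      (RFC 7296 section 2.14)"""
    keymat = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(KEY_LENGTHS.values()))
    keys, offset = {}, 0
    for name, size in KEY_LENGTHS.items():
        keys[name] = keymat[offset:offset + size]
        offset += size
    return keys

def hybrid_ike_sa_keys(g_ir: bytes, ss_mlkem: bytes, ni: bytes, nr: bytes,
                       spi_i: bytes, spi_r: bytes):
    """Return (round0_keys, round1_keys).

    Round 0 is the classical (EC)DH exchange of RFC 7296:
        SKEYSEED = prf(Ni | Nr, g^ir)
    Round 1 is the ML-KEM additional key exchange chained as in RFC 9370:
        SKEYSEED(1) = prf(SK_d(0), SK(1) | Ni | Nr)
    where SK(1) is the ML-KEM shared secret. The IKE SA and its Child SAs use
    the round-1 keys, so both secrets are needed to reproduce them."""
    skeyseed0 = prf(ni + nr, g_ir)
    keys0 = derive_ike_keys(skeyseed0, ni, nr, spi_i, spi_r)
    skeyseed1 = prf(keys0["SK_d"], ss_mlkem + ni + nr)
    keys1 = derive_ike_keys(skeyseed1, ni, nr, spi_i, spi_r)
    return keys0, keys1

# Constructed stand-in values (NOT real X25519 / ML-KEM outputs): 32-byte shared
# secrets, 32-byte nonces and 8-byte SPIs derived from fixed labels so that the
# example is reproducible offline.
def _fake(label: str, n: int) -> bytes:
    return hashlib.sha256(label.encode()).digest()[:n]

G_IR = _fake("constructed ecdh shared secret", 32)
SS_MLKEM = _fake("constructed ml-kem shared secret", 32)
NI, NR = _fake("Ni", 32), _fake("Nr", 32)
SPI_I, SPI_R = _fake("SPIi", 8), _fake("SPIr", 8)

def harvest_now_decrypt_later_outcome() -> dict:
    """Compare what a future quantum attacker gets from recorded traffic.
    The attacker can solve the (EC)DH instance and learns g^ir, but the
    ML-KEM ciphertext yields nothing without the responder's decapsulation key,
    modelled here by the attacker plugging in a wrong ss_mlkem."""
    classical_only, real = hybrid_ike_sa_keys(G_IR, SS_MLKEM, NI, NR, SPI_I, SPI_R)
    attacker_round0, attacker_round1 = hybrid_ike_sa_keys(
        G_IR, b"\x00" * 32, NI, NR, SPI_I, SPI_R)
    return {
        # A classical-only IKE SA would use the round-0 keys: fully recovered.
        "classical_only_sa_broken": attacker_round0 == classical_only,
        # The hybrid SA uses the round-1 keys: not recoverable from g^ir alone.
        "hybrid_sa_broken": attacker_round1 == real,
    }

if __name__ == "__main__":
    _, keys = hybrid_ike_sa_keys(G_IR, SS_MLKEM, NI, NR, SPI_I, SPI_R)
    print("hybrid SK_d:", keys["SK_d"].hex())
    print(harvest_now_decrypt_later_outcome())
```

<p>The chaining is the reason the hybrid is no weaker than either component: SKEYSEED(1) is keyed with SK_d(0), which already depends on g^ir, and mixes in the ML-KEM secret, so an attacker needs both to reach the keys the tunnel actually uses. A real implementation takes g^ir from the negotiated (EC)DH group and SK(1) from ML-KEM decapsulation rather than from the constructed values above.</p>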