Codenil

Cloudflare IPsec Now Supports Post-Quantum Encryption: What You Need to Know

Published: 2026-05-05 10:50:48 | Category: Finance & Crypto

Cloudflare has long been a leader in post-quantum cryptography for TLS traffic, but site-to-site networking lagged behind. That changes now: post-quantum encryption for Cloudflare IPsec is generally available, using hybrid ML-KEM (FIPS 203). This Q&A covers how it works, why it took longer, and what it means for your network.

What is Cloudflare IPsec and how does it secure WAN connections?

Cloudflare IPsec is a WAN Network-as-a-Service that replaces traditional, complex architectures by connecting data centers, branch offices, and cloud VPCs to Cloudflare's global IP Anycast network. It uses encrypted IPsec tunnels to support site-to-site WAN, outbound internet, and connectivity to the Cloudflare One SASE platform. The big advantage is simplified configuration and automatic rerouting if a data center becomes unavailable—traffic moves to the nearest healthy one, ensuring high availability. Under the hood, these tunnels rely on classical cryptography—until now. With post-quantum encryption added, the same tunnels now resist attacks from quantum computers. This makes Cloudflare IPsec a future-proof solution for organizations that need to protect their wide-area networks against evolving threats.

Source: blog.cloudflare.com

Why did post-quantum encryption take longer for IPsec than for TLS?

TLS traffic to Cloudflare—over two-thirds of human-generated TLS—has been protected by post-quantum cryptography for years. IPsec had a tougher road. The IPsec community struggled to balance the high bar of Internet-scale interoperability with the niche requirements of specialized hardware. Many vendors use custom chipsets or firmware that made deploying new cryptographic algorithms complex. Standardization also took time: the IETF draft for hybrid ML-KEM in IPsec (draft-ietf-ipsecme-ikev2-mlkem) had to be carefully designed to work with existing IKEv2 handshakes. As a result, what was achieved in TLS in a few years took nearly four extra years for IPsec. Now, with the draft reaching maturity and hardware support from major vendors like Fortinet and Cisco, the gap is finally closed.

What is a harvest-now-decrypt-later attack, and why is it a growing concern?

In a harvest-now-decrypt-later attack, an adversary intercepts encrypted data today and stores it. Later, once sufficiently powerful quantum computers become available (a moment often called Q-Day), the adversary can break classical public-key cryptography and decrypt the stored data. This is a real threat for organizations that deal with long-lived secrets, like financial records, intellectual property, or government communications. As quantum computing advances faster than expected, Cloudflare moved its target for full post-quantum security to 2029. The risk is not just theoretical: any data encrypted with today's classical algorithms could be retroactively broken. Post-quantum encryption, like the hybrid ML-KEM used in Cloudflare IPsec, prevents this by ensuring that even a future quantum computer cannot decrypt the traffic.

How does Cloudflare IPsec now use post-quantum encryption?

Cloudflare IPsec has integrated post-quantum encryption into its IKEv2 handshake using hybrid ML-KEM (FIPS 203). This means that when two peers establish an IPsec tunnel, they perform a key exchange that combines classical Diffie-Hellman with the post-quantum ML-KEM algorithm. The result is a hybrid key: if the classical part were broken by a quantum computer, the ML-KEM part still provides security—and vice versa. This hybrid approach offers backward compatibility and gradual migration. The implementation follows the IETF draft and has been tested for interoperability with branch connectors from Fortinet and Cisco. So, if you already have compatible hardware, you can enable post-quantum encryption today without replacing your devices. It's a seamless upgrade that protects against harvest-now-decrypt-later attacks.
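
The hybrid key described above, as an added example (not Cloudflare's code or code from the original post). It assumes the IKEv2 key schedule of RFC 7296 with the additional key exchange of RFC 9370, HMAC-SHA256 as the PRF, and constant byte strings standing in for the Diffie-Hellman and ML-KEM shared secrets.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stands in for the negotiated IKEv2 PRF (assumption).
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    # prf+ from RFC 7296: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n).
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def sk_d(skeyseed: bytes, ni: bytes, nr: bytes, spis: bytes) -> bytes:
    # SK_d is the first PRF-sized chunk of prf+(SKEYSEED, Ni | Nr | SPIi | SPIr).
    return prf_plus(skeyseed, ni + nr + spis, 32)

def classical_sk_d(dh_secret, ni, nr, spis):
    # IKE_SA_INIT only: SKEYSEED = prf(Ni | Nr, g^ir).
    return sk_d(prf(ni + nr, dh_secret), ni, nr, spis)

def hybrid_sk_d(dh_secret, kem_secret, ni, nr, spis):
    # RFC 9370 follow-up exchange: SKEYSEED(1) = prf(SK_d(0), SK(1) | Ni | Nr).
    sk_d0 = classical_sk_d(dh_secret, ni, nr, spis)
    return sk_d(prf(sk_d0, kem_secret + ni + nr), ni, nr, spis)

# Constructed sample values (not real handshake data).
NI, NR, SPIS = b"\x11" * 32, b"\x22" * 32, b"\xaa" * 8 + b"\xbb" * 8
DH, KEM = b"\x01" * 32, b"\x02" * 32   # stand-ins for the DH and ML-KEM secrets

def attacker_view():
    real = hybrid_sk_d(DH, KEM, NI, NR, SPIS)
    # Knowing only the DH secret is not enough: the KEM secret is still missing.
    dh_only = hybrid_sk_d(DH, b"\x00" * 32, NI, NR, SPIS)
    # Knowing only the KEM secret is not enough: the DH secret is still missing.
    kem_only = hybrid_sk_d(b"\x00" * 32, KEM, NI, NR, SPIS)
    return {"dh_broken": dh_only == real, "kem_broken": kem_only == real}

if __name__ == "__main__":
    print(attacker_view())
```

SK_d is the value from which the keys for the tunnel's data traffic are later derived, so both secrets feed into the keys that protect the traffic.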

What is ML-KEM and why was it chosen?

ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is a post-quantum cryptography algorithm standardized in FIPS 203. It relies on mathematical problems based on lattices, which are believed to be resistant to attacks by quantum computers. Importantly, ML-KEM does not require special hardware or dedicated physical links; it runs in software on standard processors. This made it an ideal candidate for wide deployment in IPsec, where hardware diversity is high. Cloudflare uses a hybrid variant that combines ML-KEM with classical Diffie-Hellman, ensuring security even if one of the two components is ever broken. The choice of ML-KEM reflects the consensus in the cryptographic community: it's efficient, well-studied, and ready for Internet-scale use. By adopting it now, Cloudflare helps the industry converge on a robust standard.

How does the new IPsec handshake work with existing hardware from Fortinet and Cisco?

Cloudflare tested the new hybrid ML-KEM draft with branch connectors from Fortinet and Cisco, and interoperability was successful. This means that if your organization uses these vendors' equipment, you can upgrade to post-quantum protection without replacing hardware. The IKEv2 handshake negotiates the use of the hybrid key exchange automatically: if both peers support it, they use it; otherwise, they fall back to classical cryptography. The implementation is designed to be backward-compatible. For network administrators, enabling post-quantum encryption often involves a simple configuration update on the Cloudflare side and on the branch connector. This low friction is crucial for accelerating adoption. As more vendors support the draft, the barrier to securing WAN traffic against future quantum threats continues to drop.
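
The fallback behaviour described above means a tunnel can come up without post-quantum protection, so it is worth checking which tunnels actually negotiated the hybrid exchange. The model below is an added example, not code from the original post or from any vendor: the algorithm labels, peer names and the rule that the responder takes the first proposal it fully supports are assumptions made for illustration.

```python
# Labels used in this example only; they are not vendor configuration keywords.
PQ_KEMS = {"mlkem512", "mlkem768", "mlkem1024"}   # FIPS 203 parameter sets

def algorithms(proposal):
    # Every key-exchange method a peer must support to accept this proposal.
    return {proposal["ke"]} | ({proposal["addke"]} if proposal.get("addke") else set())

def negotiate(initiator_proposals, responder_supported):
    # Assumption: the responder takes the first proposal it fully supports.
    for proposal in initiator_proposals:
        if algorithms(proposal) <= responder_supported:
            return proposal
    return None

def classify(selected):
    if selected is None:
        return "no-tunnel"
    return "hybrid" if selected.get("addke") in PQ_KEMS else "classical-fallback"

def require_pq(proposals):
    # Strict policy: drop classical-only proposals so a fallback cannot happen.
    return [p for p in proposals if p.get("addke") in PQ_KEMS]

# Constructed sample data: one initiator policy, two branch peers.
PROPOSALS = [
    {"ke": "x25519", "addke": "mlkem768"},   # preferred: hybrid
    {"ke": "x25519", "addke": None},         # compatibility: classical only
]
PEERS = {
    "branch-upgraded": {"x25519", "ecp256", "mlkem768"},
    "branch-legacy": {"x25519", "ecp256"},
}

def audit(proposals):
    return {name: classify(negotiate(proposals, sup)) for name, sup in PEERS.items()}

if __name__ == "__main__":
    print("permissive:", audit(PROPOSALS))
    print("strict:    ", audit(require_pq(PROPOSALS)))
```

Tunnels reported as `classical-fallback` are the ones still exposed to harvest-now-decrypt-later collection; the strict policy trades that exposure for a tunnel that refuses to come up until the peer is upgraded.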

What does general availability of post-quantum IPsec mean for organizations?

With general availability, organizations can now protect their wide-area networks against harvest-now-decrypt-later attacks using Cloudflare IPsec with hybrid ML-KEM. This is a major milestone: it turns post-quantum security from a future goal into a present-day capability. For companies that handle sensitive data over long distances—like multi-national corporations, financial institutions, or government agencies—this is an immediate risk reduction. It also gives them a head start in complying with future regulatory requirements that may mandate post-quantum encryption. Cloudflare's move to 2029 for full post-quantum security shows urgency; adopting post-quantum IPsec now ensures that your data remains safe even after Q-Day. As the industry consolidates around standards like hybrid ML-KEM, interoperability will continue to improve, making it easier to secure every link in your network.