Cloudflare Unleashes Post-Quantum Security for IPsec WANs: General Availability Now
Breaking: Cloudflare Makes Post-Quantum Encryption for IPsec Generally Available
Cloudflare today announced general availability of post-quantum encryption for its IPsec-based WAN service, a major milestone in enterprise network security. The move comes as advances in quantum computing accelerate the timeline for “Q-Day,” the point at which today's classical public-key cryptography becomes breakable.

“More than two-thirds of human-generated TLS traffic to Cloudflare is already protected, but site-to-site networking lagged behind,” said a Cloudflare spokesperson. “Now, with our new hybrid ML-KEM handshake, customers can defend against harvest-now-decrypt-later attacks using hardware they already own.”
Interoperability Achieved with Major Vendors
Cloudflare has successfully tested the new draft IETF standard—draft-ietf-ipsecme-ikev2-mlkem—with branch connectors from Fortinet and Cisco. This means enterprises can deploy post-quantum protection across their wide-area networks today without forklift upgrades.
“The industry has finally consolidated around a standard that works at Internet scale,” the spokesperson added. “It took four years longer than our TLS counterpart, but we’re here now.”
Background: The Race to Q-Day
In early 2025, Cloudflare moved its target for full post-quantum security forward to 2029, spurred by leaps in quantum computing. The IPsec community had long struggled with the tension between Internet-scale interoperability and niche hardware requirements.
ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism), standardized as FIPS 203, is designed to run in software on standard processors; no special hardware or dedicated links are needed. Cloudflare's hybrid handshake combines a classical Diffie-Hellman exchange with ML-KEM, so the resulting session keys depend on both exchanges and the connection keeps its classical security even as it gains post-quantum protection.

What This Means for Enterprises
Organizations can now encrypt their site-to-site IPsec tunnels—used to connect data centers, branch offices, and cloud VPCs to Cloudflare’s global Anycast network—against future quantum decryption. The threat is real: adversaries already harvest encrypted traffic for later decryption after Q-Day.
“High availability and simplified configuration remain core to Cloudflare IPsec, but post-quantum protection is now a first-class feature,” said a network security analyst. “Any enterprise with a WAN should consider enabling it immediately.”
Technical Implementation
Cloudflare’s IPsec implementation uses hybrid ML-KEM, which layers post-quantum key encapsulation on top of traditional Diffie-Hellman. The handshake follows the new IETF draft, ensuring forward secrecy and compatibility with leading firewall and SD-WAN vendors.
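To make the hybrid construction described above (and in the ML-KEM background section) concrete, here is an added example, written for this page and not Cloudflare's, Fortinet's or Cisco's code, of a two-message hybrid key exchange in Go. It uses the standard library's `crypto/ecdh` (X25519) and `crypto/mlkem` (ML-KEM-768, available from Go 1.24), and folds the two shared secrets into one key with a single HMAC-SHA256. The choice of ML-KEM-768 and the one-step combiner are simplifications of the IKEv2 key schedule in the draft, not details stated in the article.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// InitiatorHello carries the initiator's public value for each exchange.
type InitiatorHello struct {
	ECDHPub []byte // X25519 public key
	KEMPub  []byte // ML-KEM-768 encapsulation key
}

// ResponderHello carries the responder's X25519 public key and the ML-KEM ciphertext.
type ResponderHello struct {
	ECDHPub       []byte
	KEMCiphertext []byte
}

// Initiator keeps the private halves of both exchanges until the reply arrives.
type Initiator struct {
	ecdhPriv *ecdh.PrivateKey
	kemPriv  *mlkem.DecapsulationKey768
}

// NewInitiator generates fresh ephemeral X25519 and ML-KEM-768 keys and the first message.
func NewInitiator() (*Initiator, *InitiatorHello, error) {
	ecdhPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	kemPriv, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	hello := &InitiatorHello{
		ECDHPub: ecdhPriv.PublicKey().Bytes(),
		KEMPub:  kemPriv.EncapsulationKey().Bytes(),
	}
	return &Initiator{ecdhPriv: ecdhPriv, kemPriv: kemPriv}, hello, nil
}

// Respond completes X25519, encapsulates to the initiator's ML-KEM key,
// and derives the responder's copy of the combined session key.
func Respond(hello *InitiatorHello) (*ResponderHello, []byte, error) {
	curve := ecdh.X25519()
	ecdhPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	peerPub, err := curve.NewPublicKey(hello.ECDHPub)
	if err != nil {
		return nil, nil, err
	}
	ssECDH, err := ecdhPriv.ECDH(peerPub)
	if err != nil {
		return nil, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(hello.KEMPub)
	if err != nil {
		return nil, nil, err
	}
	ssKEM, ct := ek.Encapsulate() // fresh KEM secret plus ciphertext for the initiator
	reply := &ResponderHello{ECDHPub: ecdhPriv.PublicKey().Bytes(), KEMCiphertext: ct}
	return reply, CombineSecrets(ssECDH, ssKEM), nil
}

// Finish is the initiator's side: complete X25519, decapsulate, derive the same key.
func (in *Initiator) Finish(reply *ResponderHello) ([]byte, error) {
	peerPub, err := ecdh.X25519().NewPublicKey(reply.ECDHPub)
	if err != nil {
		return nil, err
	}
	ssECDH, err := in.ecdhPriv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	ssKEM, err := in.kemPriv.Decapsulate(reply.KEMCiphertext)
	if err != nil {
		return nil, err
	}
	return CombineSecrets(ssECDH, ssKEM), nil
}

// CombineSecrets binds both shared secrets into one key. HMAC-SHA256 stands in for
// IKEv2's prf here (a simplification, not the draft's SK_d key schedule): an attacker
// who later breaks X25519 still lacks ssKEM and cannot reproduce the output.
func CombineSecrets(ssECDH, ssKEM []byte) []byte {
	mac := hmac.New(sha256.New, ssECDH)
	mac.Write([]byte("hybrid-ikev2-demo")) // constructed label for this example
	mac.Write(ssKEM)
	return mac.Sum(nil)
}

// RunHandshake drives one full exchange and returns both sides' keys.
func RunHandshake() (initKey, respKey []byte, err error) {
	in, hello, err := NewInitiator()
	if err != nil {
		return nil, nil, err
	}
	reply, respKey, err := Respond(hello)
	if err != nil {
		return nil, nil, err
	}
	initKey, err = in.Finish(reply)
	return initKey, respKey, err
}

func main() {
	a, b, err := RunHandshake()
	if err != nil {
		panic(err)
	}
	fmt.Printf("keys match: %v, key prefix %x\n", bytes.Equal(a, b), a[:8])
}
```

The point to take from the example is the shape of the protection, not the specific combiner: both sides end up with the same 32-byte key only if both exchanges succeeded, and recorded traffic whose X25519 half is broken in the future still leaves the ML-KEM secret unknown, which is exactly what defeats harvest-now-decrypt-later collection.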
“We’ve seen proof-of-concept attacks on classical crypto from quantum researchers,” noted a Cloudflare engineer. “This update is a proactive shield, not a reactive patch.”
How to Get Started
Cloudflare customers can enable post-quantum IPsec tunnels through the Cloudflare dashboard or API. The feature works with existing Fortinet and Cisco hardware, with more vendor support expected soon.
“General availability means no beta label, no feature flags—just turn it on and go,” the spokesperson concluded. “The future of secure networking is post-quantum, and it’s here now.”