Introduction
As quantum computing advances faster than anticipated, the threat of harvest-now-decrypt-later attacks grows for organizations relying on classical encryption. While over two-thirds of human-generated TLS traffic to Cloudflare already benefits from post-quantum protection, wide-area network (WAN) links – especially those using IPsec – have lagged behind. The gap was largely due to the challenge of harmonizing Internet-scale interoperability with specialized hardware requirements. That gap is now closed: Cloudflare has made post-quantum encryption for IPsec generally available, using the new IETF draft for hybrid ML-KEM (FIPS 203). This guide walks you through the steps to enable this protection on your WAN, so you can defend your data against future quantum decryption attacks – today.
What You Need
- Cloudflare IPsec subscription – as part of Cloudflare’s WAN Network-as-a-Service (NaaS).
- Branch connector hardware that supports hybrid ML-KEM – tested and validated with Fortinet and Cisco devices. Check your vendor’s firmware release notes for IKEv2 ML-KEM support.
- Network administrator access to both Cloudflare dashboard and branch connector CLI/GUI.
- Basic understanding of IPsec IKEv2, Diffie-Hellman, and key encapsulation mechanisms.
- Internet connectivity between your data centers, branch offices, and cloud VPCs.
Steps to Enable Post-Quantum Encryption in Cloudflare IPsec
Step 1: Verify Hardware and Firmware Compatibility
Before starting, confirm your branch connectors (e.g., Fortinet FortiGate, Cisco ASA/IOS-XE) run firmware that supports hybrid ML-KEM (draft-ietf-ipsecme-ikev2-mlkem). Cloudflare has successfully tested interoperability with these vendors. If your device doesn’t yet support it, contact your vendor or plan a firmware upgrade. Without this, post-quantum handshake will fail and fall back to classical Diffie-Hellman.
Step 2: Create or Modify Your Cloudflare IPsec Tunnel
In the Cloudflare dashboard, navigate to the IPsec tunnel configuration for your WAN. Under the encryption settings, enable Post-Quantum (ML-KEM) option. This tells Cloudflare to propose hybrid ML-KEM during IKEv2 negotiation. Save the tunnel settings. Note: Classical Diffie-Hellman will also be offered as a fallback – this ensures backward compatibility until all endpoints are upgraded.
Step 3: Configure the Remote Branch Connector
Access your branch connector’s configuration interface. Locate the IKEv2 proposal settings (often called “IKE proposal” or “phase 1” settings). Add a new proposal that includes:
- Encryption: AES-256-GCM (or similar standard).
- Integrity: SHA-256 or SHA-384.
- Diffie-Hellman group: Group 14 or Group 16 (classical) plus the new ML-KEM group (check your vendor’s documentation for the group number – typically group 1024 or custom).
Example CLI snippet for Fortinet (FortiGate):
config vpn ipsec phase1-interface
edit "cloudflare-pq"
set ike-version 2
set proposal aes256-gcm
set dhgrp 14 1024
set postquantum-encryption enable
next
end
Replace values as per your environment. For Cisco, use crypto ikev2 proposal and include postquantum keyword if supported.
Step 4: Bind the IKE Profile and IPsec Policy
After setting the IKE proposal, you need to bind it to the actual IPsec tunnel interface or policy. On the branch connector, create a tunnel interface that matches the Cloudflare tunnel (same encryption domain, remote gateway = Cloudflare Anycast IP). Apply the IKE profile from Step 3. For IPsec phase 2 (IPsec SA), use standard settings: AES-256-GCM, PFS with DH group 14 or higher. Do not force ML-KEM in phase 2 – it is used only during IKE key exchange.
Step 5: Verify the Post-Quantum Handshake
Initiate the IPsec tunnel (e.g., by pinging a remote subnet). Check the branch connector logs for IKE negotiation messages. Look for indications that ML-KEM was used: often logged as “post-quantum” or “hybrid key exchange successful.” On Cloudflare side, you can view tunnel status in the dashboard – it will show “Encrypted with Post-Quantum” if successful. If not, verify that both ends have the same IKE proposal and that firmware supports ML-KEM.
Step 6: Monitor for Harvest-Now-Decrypt-Later Risks
Even with post-quantum encryption, it’s important to monitor your tunnel health. Use Cloudflare’s analytics to check that the hybrid handshake is being used consistently. Set up alerts for any fallback to classical DH. Also, regularly review vendor updates for ML-KEM improvements – Q-Day is moving closer, and standards may evolve. For maximum protection, ensure that all your branch connectors also support the hybrid mode.
Tips for a Smooth Implementation
- Test in a lab before rolling out to production. Use one branch connector and a Cloudflare test IPsec endpoint to validate the handshake.
- Keep firmware updated on all branch connectors. Post-quantum algorithms are still maturing; vendors release patches for performance and security.
- Combine with Cloudflare One SASE to extend post-quantum protection beyond IPsec to all traffic, including Internet egress.
- Document configuration changes – include the exact IKE proposals and DH group numbers used. This helps troubleshooting if a tunnel fails after a firmware update.
- Plan for migration: If you have many branch offices, upgrade them gradually. Hybrid ML-KEM ensures that existing tunnels using classical DH still work; only new negotiations will use the stronger key exchange.
- Monitor industry standards: The IETF draft for IPsec ML-KEM is expected to become RFC. When it does, update your configurations to align with the final specification.
By following these steps, you can protect your WAN against harvest-now-decrypt-later attacks today. With Cloudflare’s global network, you get both simplified IPsec management and future‑ready cryptography – no specialized hardware required. Start securing your data before quantum computers can unlock it.