Post-quantum encryption for Cloudflare IPsec is generally available, with Cloudflare using hybrid ML-KEM to protect IPsec traffic and stop harvest-now-decrypt-later attacks. According to the article, the hybrid scheme is specified in draft-ietf-ipsecme-ikev2-mlkem and combines classical Diffie-Hellman with post-quantum ML-KEM in a single, standards-compliant handshake.
Interoperability has been tested and confirmed with Cisco and Fortinet, meaning Cisco’s 8000 Series Secure Routers after version 26.1.1 and Fortinet FortiOS 7.6.6 and later can establish post-quantum Cloudflare IPsec tunnels. The post-quantum move comes as Cloudflare notes that more than two-thirds of human-generated TLS traffic to its network is already protected with hybrid ML-KEM, and the company still targets full post-quantum security by 2029.
RFC 9370 influenced earlier work, but Cloudflare points out the need for interoperable standards like draft-ietf-ipsecme-ikev2-mlkem to avoid ciphersuite bloat and interop issues.

30 April 2026.