{"id":428,"date":"2026-04-30T00:00:00","date_gmt":"2026-04-30T00:00:00","guid":{"rendered":"https:\/\/wordpress.securinsight.ca\/index.php\/2026\/04\/30\/cloudflare-one-cloudflare-wan-post-quantum-ipsec-interoperability-with-third-party-devices-3\/"},"modified":"2026-04-30T00:00:00","modified_gmt":"2026-04-30T00:00:00","slug":"cloudflare-one-cloudflare-wan-post-quantum-ipsec-interoperability-with-third-party-devices-3","status":"publish","type":"post","link":"https:\/\/wordpress.securinsight.ca\/index.php\/2026\/04\/30\/cloudflare-one-cloudflare-wan-post-quantum-ipsec-interoperability-with-third-party-devices-3\/","title":{"rendered":"Cloudflare One, Cloudflare WAN &#8211; Post-quantum IPsec interoperability with third-party devices"},"content":{"rendered":"<p>Cloudflare IPsec now supports post-quantum key agreement with compatible third-party devices. <a href=\"https:\/\/www.cisco.com\/\" target=\"_blank\">Cisco<\/a> and <a href=\"https:\/\/www.fortinet.com\/\" target=\"_blank\">Fortinet<\/a> are the first third-party vendors validated to interoperate with Cloudflare IPsec using ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism).<\/p>\n<p>Post-quantum IPsec uses <a href=\"https:\/\/datatracker.ietf.org\/doc\/rfc9370\/\" target=\"_blank\">RFC 9370<\/a> and <a href=\"https:\/\/datatracker.ietf.org\/doc\/draft-ietf-ipsecme-ikev2-mlkem\/\" target=\"_blank\">draft-ietf-ipsecme-ikev2-mlkem<\/a> to negotiate hybrid key agreement during the IKEv2 <code>IKE_INTERMEDIATE<\/code> phase. This combines classical Diffie-Hellman (Group 20) with ML-KEM-768 or ML-KEM-1024 to protect against <a href=\"https:\/\/en.wikipedia.org\/wiki\/Harvest_now,_decrypt_later\" target=\"_blank\">harvest-now, decrypt-later<\/a> attacks.<\/p>\n<p>Key details:<\/p>\n<ul>\n<li>Compatible with Cisco 8000 Series Secure Routers with IOS XR Release 26.1.1 and Fortinet FortiOS 7.6.6 and later.<\/li>\n<li>Uses ML-KEM-768 or ML-KEM-1024 as an additional Key Exchange to DH Group 20.<\/li>\n<li>Follows RFC 9370 and draft-ietf-ipsecme-ikev2-mlkem standards.<\/li>\n<li>No additional licensing required.<\/li>\n<\/ul>\n<p>Post-quantum IPsec with third-party devices is now generally available with confirmed interoperability for the platforms listed above. Cloudflare intends to support interoperability with more vendors as they build out support for draft-ietf-ipsecme-ikev2-mlkem. Contact your account team to discuss support for additional vendors.<\/p>\n<p>For supported key exchange methods and the list of validated platforms, refer to <a href=\"https:\/\/developers.cloudflare.com\/cloudflare-wan\/reference\/gre-ipsec-tunnels\/#tested-third-party-vendor-interoperability\">GRE and IPsec tunnels<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Cloudflare IPsec now supports post-quantum key agreement with compatible third-party devices. Cisco and Fortinet are the first third-party vendors validated to interoperate with Cloudflare IPsec using ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism). Post-quantum IPsec uses RFC 9370 and draft-ietf-ipsecme-ikev2-mlkem to negotiate hybrid key agreement during the IKEv2 IKE_INTERMEDIATE phase. This combines classical Diffie-Hellman (Group 20) with ML-KEM-768 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-428","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts\/428","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/comments?post=428"}],"version-history":[{"count":0,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/posts\/428\/revisions"}],"wp:attachment":[{"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/media?parent=428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/categories?post=428"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.securinsight.ca\/index.php\/wp-json\/wp\/v2\/tags?post=428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}