
SYSTEM Cited by 1 source

Cloudflare Magic WAN IPsec

What

Cloudflare Magic WAN IPsec is Cloudflare's WAN Network-as-a-Service product: customer data centres, branch offices, and cloud VPCs connect to Cloudflare's global IP Anycast network via encrypted IPsec tunnels, which then serve as the transport for site-to-site WAN, outbound Internet connections, and connectivity into the Cloudflare One SASE platform.

Cloudflare IPsec replaces the traditional enterprise-WAN shape (MPLS circuits between sites, hub-and-spoke with on-prem concentrators, or mesh IPsec between site routers) with an anycast-edge model: every site's IPsec tunnel terminates at the nearest Cloudflare POP, and inter-site traffic rides Cloudflare's global backbone.

(Source: sources/2026-04-30-cloudflare-post-quantum-encryption-for-cloudflare-ipsec-is-ga)

Role in the wiki

Magic WAN IPsec is canonical on two axes:

  1. Anycast-delivered enterprise VPN. The canonical shape of moving WAN / VPN transport from on-prem hardware (SD-WAN concentrators, IPsec appliances) to a global anycast edge, with automatic failover to the nearest healthy POP if one becomes unavailable. Shares the anycast-everywhere posture with Magic Transit (L3 DDoS scrubbing) but serves a different use case.
  2. Post-quantum encryption rollout for site-to-site networking. Canonical wiki instance of hybrid ML-KEM in an IPsec / IKEv2 context as of the 2026-04-30 GA announcement. Implements draft-ietf-ipsecme-ikev2-mlkem.

What Cloudflare IPsec gets you (2026-04 framing)

Cloudflare's own framing:

"Customers get simplified configuration, high availability (if a data center becomes unavailable, traffic is automatically rerouted to the nearest healthy one), and the scale of Cloudflare's global network. This is done through encrypted IPsec tunnels that support both site-to-site WAN, outbound Internet connections, and connectivity to the Cloudflare One SASE platform." (Source: sources/2026-04-30-cloudflare-post-quantum-encryption-for-cloudflare-ipsec-is-ga)

Three structural properties:

  • Simplified configuration. One tunnel per site to Cloudflare's anycast endpoints, not a mesh of N×(N-1)/2 tunnels between sites.
  • Built-in high availability. Anycast routing means tunnel traffic naturally reroutes to the nearest healthy POP if one becomes unavailable — no operator intervention, no tunnel re-establishment.
  • Global backbone between sites. Inter-site traffic rides Cloudflare's global network rather than the public Internet with its BGP-routed variability.

Post-quantum encryption GA (2026-04-30)

Cloudflare IPsec now establishes IPsec tunnels using hybrid ML-KEM per draft-ietf-ipsecme-ikev2-mlkem. The upgrade protects against harvest-now-decrypt-later attacks on site-to-site WAN traffic.
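The hybrid exchange described here combines a classical DH secret from IKE_SA_INIT with an ML-KEM secret carried in IKE_INTERMEDIATE. The following added Python sketch (not Cloudflare's or the draft's code) shows how RFC 9370, the multiple-key-exchange framework the draft builds on, chains the two secrets into the IKE SA keys; the nonces, SPIs and shared secrets are constructed placeholders, key lengths are simplified to 32 bytes, and no real ML-KEM encapsulation is performed.

```python
import hashlib
import hmac

KEY_LEN = 32  # simplification: one 256-bit key per SK_* slot

def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256 as the negotiated IKEv2 prf (RFC 4868)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 s2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]

def derive_sk(skeyseed, ni, nr, spii, spir):
    """Split prf+(SKEYSEED, Ni|Nr|SPIi|SPIr) into the seven IKE SA keys."""
    names = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
    material = prf_plus(skeyseed, ni + nr + spii + spir, len(names) * KEY_LEN)
    return {name: material[i * KEY_LEN:(i + 1) * KEY_LEN] for i, name in enumerate(names)}

def keys_after_ike_sa_init(dh_secret, ni, nr, spii, spir):
    """RFC 7296 s2.14: SKEYSEED = prf(Ni|Nr, g^ir) from the classical DH exchange."""
    return derive_sk(prf(ni + nr, dh_secret), ni, nr, spii, spir)

def keys_after_additional_ke(prev, ke_secret, ni, nr, spii, spir):
    """RFC 9370 s2.2.2: SKEYSEED(n) = prf(SK_d(n-1), SK(n)|Ni|Nr), then every
    SK_* is re-derived. In the hybrid case SK(n) is the ML-KEM shared secret
    carried by the IKE_INTERMEDIATE exchange."""
    return derive_sk(prf(prev["SK_d"], ke_secret + ni + nr), ni, nr, spii, spir)

# Constructed sample values (not a captured handshake): nonces, SPIs, secrets.
NI, NR = b"\x11" * 32, b"\x22" * 32
SPII, SPIR = b"\x01" * 8, b"\x02" * 8
DH_SECRET = hashlib.sha256(b"constructed classical g^ir").digest()
MLKEM_SECRET = hashlib.sha256(b"constructed ML-KEM shared secret").digest()

def hybrid_demo(mlkem_secret: bytes = MLKEM_SECRET) -> dict:
    """Classical-only keys next to the hybrid keys after mixing in ML-KEM."""
    classical = keys_after_ike_sa_init(DH_SECRET, NI, NR, SPII, SPIR)
    hybrid = keys_after_additional_ke(classical, mlkem_secret, NI, NR, SPII, SPIR)
    return {"classical": classical, "hybrid": hybrid}

if __name__ == "__main__":
    for name, key in hybrid_demo()["hybrid"].items():
        print(name, key.hex())
```

Because SK_d(n-1) feeds SKEYSEED(n), every IKE SA key depends on both the DH and the ML-KEM secret, which is what gives the hybrid its harvest-now-decrypt-later resistance.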

Interoperability verified

Branch-connector hardware confirmed interoperable at GA:

  • Cisco 8000 Series Secure Routers — version 26.1.1 and later. Canonical enterprise-branch hardware supporting draft-ietf-ipsecme-ikev2-mlkem.
  • Fortinet FortiOS — version 7.6.6 and later. FortiGate firewall / branch-connector appliances with the same draft implementation.
  • strongSwan — reference open-source IPsec implementation, used for Cloudflare's pre-GA closed-beta interoperability testing.

Not yet interoperable as of 2026-04:

  • Palo Alto Networks — shipped an RFC 9370-based PQ IPsec implementation before draft-ietf-ipsecme-ikev2-mlkem was available; uses non-standard ciphersuites. Canonical wiki case study for concepts/ciphersuite-bloat. Cloudflare explicitly states expectation of convergence:

    "We hope to add Palo Alto Networks to the list of interoperable post-quantum branch connectors as the industry continues to consolidate around draft-ietf-ipsecme-ikev2-mlkem."

What's not yet post-quantum

  • Post-quantum authentication for IPsec — not yet specified in IETF drafts. Cloudflare IPsec's IKEv2 authentication (cert-based, pre-shared key, EAP) still uses classical signatures. This is the remaining gap Cloudflare flags for future standards work; parallels the TLS → authentication story canonicalised in concepts/post-quantum-authentication.

Default-on security upgrade posture

Cloudflare IPsec PQ GA ties into Cloudflare's broader posture:

"At Cloudflare, we're helping make a secure and post-quantum Internet accessible to everyone, without specialized hardware and at no extra cost to our customers. Post-quantum Cloudflare IPsec is one more step on our path to full post-quantum security by 2029." (Source: sources/2026-04-30-cloudflare-post-quantum-encryption-for-cloudflare-ipsec-is-ga)

Third canonical instance of the default-on security upgrade at no additional cost pattern: 2014 Universal SSL → 2022 TLS PQ for all → 2026 IPsec PQ for all.

Relationship to other Cloudflare systems

  • Cloudflare One (SASE) — Cloudflare IPsec is the WAN-transport layer feeding into the SASE platform's zero-trust access + gateway + CASB + DLP + email security surfaces. Early-2028 is the milestone for full PQ authentication across Cloudflare One.
  • Magic Transit — sibling product at the L3 DDoS scrubbing layer. Magic Transit ingests IP-level traffic via anycast; Magic WAN IPsec ingests site-to-site WAN traffic via encrypted tunnels. Both use Cloudflare's anycast edge.
  • IKEv2 — the key-exchange protocol the PQ rollout extends.
  • ML-KEM — the NIST FIPS 203 PQ KEM running in parallel with classical DH inside Cloudflare IPsec's IKEv2 handshake.

Caveats

  • Customer documentation at developers.cloudflare.com/magic-wan/reference/gre-ipsec-tunnels/ is linked but not summarised in the 2026-04 post — per-tunnel configuration options (GRE vs IPsec, IKEv2 parameters, BGP peering setup) not covered here.
  • No performance numbers disclosed. Per-tunnel handshake latency, rekey frequency, MTU interactions, and aggregate throughput impact from the PQ upgrade are not quantified in the 2026-04 post. The ~1 kB ClientHello overhead of hybrid ML-KEM in TLS implies a comparable payload overhead in the IKE_INTERMEDIATE exchange in IPsec; the operational impact is unquantified here.
  • Adoption numbers not disclosed. Unlike Cloudflare TLS (>65 % of human traffic PQ-encrypted per Radar), Cloudflare IPsec PQ uptake is not quantified in the 2026-04 post.
  • Magic WAN IPsec's interaction with concepts/anycast-based tunnel failover is not deeply discussed. Anycast re-routing changes which POP terminates a tunnel, which affects IKE_SA state; presumably this is handled transparently via tunnel re-establishment.

Seen in

  • sources/2026-04-30-cloudflare-post-quantum-encryption-for-cloudflare-ipsec-is-ga — canonical wiki instance. 2026-04-30 GA of hybrid ML-KEM for Cloudflare IPsec per draft-ietf-ipsecme-ikev2-mlkem. Interoperability verified against Cisco 8000 Series 26.1.1+ and Fortinet FortiOS 7.6.6+ branch connectors + strongSwan reference implementation. Palo Alto Networks' RFC 9370-based early implementation does not interoperate, pending convergence on the draft. Post-quantum authentication for IPsec is explicitly flagged as the remaining gap.