@@ -0,0 +1,20 @@
---
title: IPsec downgrade protection (beta)
description: Cloudflare IPsec now supports the IKE_SA_INIT_FULL_TRANSCRIPT_AUTH extension to prevent quantum downgrade attacks on IKEv2 tunnels.
date: 2026-07-07
products:
- cloudflare-one
---

Cloudflare IPsec now supports the `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` IKEv2 extension to protect against quantum downgrade attacks on IPsec tunnels. Cloudflare helped develop this extension in ([draft-ietf-ipsecme-ikev2-downgrade-prevention](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/)) with the IETF IPSECME Working Group.


Opinionated nits (feel free to ignore):

  1. I don't think we need to take credit in dev docs.
  2. not just quantum attacks
Suggested change
Cloudflare IPsec now supports the `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` IKEv2 extension to protect against quantum downgrade attacks on IPsec tunnels. Cloudflare helped develop this extension in ([draft-ietf-ipsecme-ikev2-downgrade-prevention](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/)) with the IETF IPSECME Working Group.
Cloudflare IPsec now supports the [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/) IKEv2 extension to protect against downgrade attacks on IPsec tunnels.


IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable man-in-the-middle attacker can exploit this to bypass post-quantum key exchange by downgrading the connection to classical cryptography. The `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` extension addresses this by having both peers sign the entire handshake transcript during the authentication exchange, preventing an attacker from manipulating the negotiation without detection.


Suggested change
IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable man-in-the-middle attacker can exploit this to bypass post-quantum key exchange by downgrading the connection to classical cryptography. The `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` extension addresses this by having both peers sign the entire handshake transcript during the authentication exchange, preventing an attacker from manipulating the negotiation without detection.
IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable [on-path attacker](https://www.cloudflare.com/learning/security/threats/on-path-attack/) can exploit this to bypass post-quantum key exchange by downgrading the connection to classical cryptography. The `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` extension addresses this by having both peers sign the entire handshake transcript during the authentication exchange, preventing an attacker from manipulating the negotiation without detection.


Key details:

- Available in beta for Cloudflare WAN and Magic Transit IPsec tunnels.
- Cloudflare sends the `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` notification unconditionally as a responder when the feature flag is enabled.
- Both the initiator (your device) and responder (Cloudflare) must support the extension for downgrade protection to be effective.
- This feature is currently gated by a per-account feature flag. Contact your account team to enable it.


AI review suggestion

Suggested change
- This feature is currently gated by a per-account feature flag. Contact your account team to enable it.
- This feature is currently gated by a per-account feature flag. Contact your account team to turn it on.


Refer to [Downgrade protection](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta) for more details.
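Review bot: the opening sentence's `in ([draft-ietf-ipsecme-ikev2-downgrade-prevention](...))` wraps the link in parentheses right after "in", so it renders as "in (draft-ietf-...)"; drop either the parentheses or the "in" (the suggestion in the thread above, which links the extension name directly, also resolves this). In the Key details list, "sends the notification unconditionally as a responder when the feature flag is enabled" reads as self-contradictory; say instead that, with the flag enabled, the notification is included in every `IKE_SA_INIT` response regardless of whether the initiator advertised support. Since the entry also states that a non-supporting initiator silently gets standard IKEv2 authentication, it should name the flag (`ipsec_downgrade_protection`, as the reference section in this PR does) and point readers to how they can confirm the extension was actually negotiated on a given tunnel.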
@@ -105,6 +105,8 @@ Traffic leaves the Cloudflare network over a post-quantum Cloudflare IPsec link

The hybrid key agreement is negotiated using ML-KEM as an additional Key Exchange to classical Diffie-Hellman during the IKEv2 handshake, as defined in [RFC 9370](https://datatracker.ietf.org/doc/rfc9370/) and [draft-ietf-ipsecme-ikev2-mlkem](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-mlkem/). For the list of validated third-party platforms and their supported parameters, refer to [Tested third-party vendor interoperability](/cloudflare-wan/reference/gre-ipsec-tunnels/#tested-third-party-vendor-interoperability).

Cloudflare also supports downgrade protection for IPsec tunnels via the [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/) extension. Both the initiator and Cloudflare (responder) must support the extension for protection to be effective, see [Downgrade protection](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta).


AI reviewer suggestion:

Suggested change
Cloudflare also supports downgrade protection for IPsec tunnels via the [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/) extension. Both the initiator and Cloudflare (responder) must support the extension for protection to be effective, see [Downgrade protection](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta).
Cloudflare also supports downgrade protection for IPsec tunnels via the [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/) extension. Both the initiator and Cloudflare (responder) must support the extension for protection to be effective. Refer to [Downgrade protection](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta).


## Secure Web Gateway

A [secure web gateway (SWG)](https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/) is used to secure access to third-party websites on the public Internet by intercepting and inspecting TLS traffic.
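Review bot: "for protection to be effective, see [Downgrade protection]" is a comma splice; end the sentence after "effective" and start a new one with "Refer to", as the thread suggestion above does. The paragraph also presents downgrade protection as generally available, while the section it links to is marked beta and gated by a per-account flag; add "(beta)" here so readers of this page do not assume their existing tunnels already have it.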
@@ -135,12 +135,13 @@ Reference: [Proxy endpoints](/cloudflare-one/networks/resolvers-and-proxies/prox

IKEv2 key exchange for IPsec tunnels between third-party branch connectors and Cloudflare's global network.

| Protection | Status |
| ------------- | ------------------------------------------------- |
| Key agreement | ✅ ML-KEM-768/1024 + DH Group 20 (P-384) in IKEv2 |
| Signatures | Not yet |
| Protection | Status |
| -------------------- | ------------------------------------------------- |
| Key agreement | ✅ ML-KEM-768/1024 + DH Group 20 (P-384) in IKEv2 |
| Downgrade protection | 🚧 [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta) |


'Protection' is already the column header, so maybe just 'Downgrades' here?

Suggested change
| Downgrade protection | 🚧 [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta) |
| Downgrades | 🚧 [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](/cloudflare-wan/reference/gre-ipsec-tunnels/#downgrade-protection-beta) |

| Signatures | Not yet |

Reference: [PQC SASE](https://blog.cloudflare.com/post-quantum-sase/), [GRE and IPsec tunnels](/cloudflare-wan/reference/gre-ipsec-tunnels/#tested-third-party-vendor-interoperability), [draft-ietf-ipsecme-ikev2-mlkem](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-mlkem/).
Reference: [PQC SASE](https://blog.cloudflare.com/post-quantum-sase/), [GRE and IPsec tunnels](/cloudflare-wan/reference/gre-ipsec-tunnels/#tested-third-party-vendor-interoperability), [draft-ietf-ipsecme-ikev2-mlkem](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-mlkem/), [draft-ietf-ipsecme-ikev2-downgrade-prevention](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/).

The IPsec ESP dataplane can alternatively be keyed using the [Cloudflare One Appliance](#cloudflare-one-appliance) control plane instead of IKEv2.
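Review bot: the new row introduces a 🚧 marker next to the ✅ used for Key agreement, but nothing in the hunk defines it; spell the status out in the cell (for example "🚧 Beta: [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](...)") or add a legend, since this table is what readers skim to judge how well a tunnel is protected. The row label "Downgrade protection" under a "Protection" header is redundant, as noted above; "Downgrades" reads cleaner and matches the "Key agreement" and "Signatures" rows.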

@@ -98,7 +98,7 @@ For information on how to set up an IPsec tunnel, refer to <a href={props.tunnel

{props.productName} uses the following stages to establish an IPsec tunnel:

- **Initial Exchange** (`IKE_SA_INIT`): IKE peers negotiate parameters for the IKE Security Association (SA) and establish a shared secret for key derivation, and when relevant, signal support for post-quantum key exchange with [RFC 9370](https://datatracker.ietf.org/doc/rfc9370/). After this exchange, the peers have a secure communication channel but they have not yet authenticated each other.
- **Initial Exchange** (`IKE_SA_INIT`): IKE peers negotiate parameters for the IKE Security Association (SA) and establish a shared secret for key derivation, and when relevant, signal support for post-quantum key exchange with [RFC 9370](https://datatracker.ietf.org/doc/rfc9370/). When [downgrade protection](#downgrade-protection-beta) is enabled, Cloudflare also sends an `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` notification during this exchange to signal support for full transcript authentication. After this exchange, the peers have a secure communication channel but they have not yet authenticated each other.
- **Intermediate Exchange** (`IKE_INTERMEDIATE`): If both peers support RFC 9370, they perform an additional key exchange using ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism), a post-quantum key exchange specified in [draft-ietf-ipsecme-ikev2-mlkem](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-mlkem/). This creates a hybrid shared secret by combining a secret derived from classical Diffie-Hellman (established during the `IKE_SA_INIT`) with post-quantum ML-KEM to protect against [harvest-now, decrypt-later](https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later) attacks.
- **Auth Exchange** (`IKE_AUTH`): Using the keys established from both the `IKE_SA_INIT` and the `IKE_INTERMEDIATE` exchange, IKE peers mutually authenticate each other. After authentication, they establish the IKE security association (SA). Next, the peers negotiate and establish an IPsec tunnel, known as a Child SA.
- **Rekeying**: Periodically, or through manual intervention, IKE SAs can be rekeyed to generate new SAs with fresh keys for the session. This rekey operation is performed for both the IKE SA (to refresh the control plane) and the Child SAs (to refresh the data plane). When a hybrid exchange is in use (RFC 9370), the rekey process for the IKE SA will once again perform the parallel classical (DH) and post-quantum (ML-KEM) exchanges to ensure continued quantum resistance.
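Review bot: only the `IKE_SA_INIT` bullet was updated, but the protection takes effect in the `IKE_AUTH` step, whose bullet still says the peers "mutually authenticate each other" without saying what is signed; add a sentence to the Auth Exchange bullet stating that when both peers advertised `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`, the authentication signatures cover the full handshake transcript rather than each peer's own messages, so a reader of this list sees where a manipulated negotiation is detected. As written, the list signals support in step one and never mentions the feature again.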
@@ -258,6 +258,26 @@ If route-based VPNs are not an option and you must use policy-based VPNs, be awa
- A policy must cover reply-style health checks — that is, they must match traffic selectors — otherwise, Cloudflare drops them, just like any other traffic from an IPsec tunnel that does not match a policy.
- A single IPsec tunnel can only contain around 100 Child SAs. Therefore, there is effectively a limit on the number of different policies per tunnel.

### Downgrade protection (beta)


If we don't want to have to change all of the anchor links later when we drop the '(beta)' from the title:

Suggested change
### Downgrade protection (beta)
### Downgrade protection (beta) {#downgrade-protection}


:::note[Beta]
This feature is in beta. Contact your account team to enable the `ipsec_downgrade_protection` flag on your account.


AI review suggestion

Suggested change
This feature is in beta. Contact your account team to enable the `ipsec_downgrade_protection` flag on your account.
This feature is in beta. Contact your account team to turn on the `ipsec_downgrade_protection` flag for your account.

:::

IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable man-in-the-middle attacker can exploit this to create a "split view" of the handshake, tricking the endpoints into downgrading a post-quantum connection back to classical cryptography even when both sides support post-quantum key exchange.


Inclusive language and all (https://www.cloudflare.com/learning/security/threats/man-in-the-middle-attack/ redirects to https://www.cloudflare.com/learning/security/threats/on-path-attack/)

Suggested change
IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable man-in-the-middle attacker can exploit this to create a "split view" of the handshake, tricking the endpoints into downgrading a post-quantum connection back to classical cryptography even when both sides support post-quantum key exchange.
IKEv2's original authentication design has each endpoint sign only its own outbound messages, not the full handshake transcript. A quantum-capable [on-path attacker](https://www.cloudflare.com/learning/security/threats/on-path-attack/) can exploit this to create a "split view" of the handshake, tricking the endpoints into downgrading a post-quantum connection back to classical cryptography even when both sides support post-quantum key exchange.


To address this, Cloudflare supports the [`IKE_SA_INIT_FULL_TRANSCRIPT_AUTH`](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/) IKEv2 extension. When enabled, both IKEv2 peers sign the entire handshake transcript during the authentication exchange, rather than only their own messages. This prevents an attacker from downgrading the connection without being detected.

**How it works:**

- When the feature flag is enabled, Cloudflare (acting as IKE responder) unconditionally includes an `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` notification in its `IKE_SA_INIT` response.
- If the initiator also supports the extension, both sides use full transcript authentication, which prevents downgrade attacks.
- If the initiator does not support the extension, the handshake proceeds with standard IKEv2 authentication. Both parties must support the extension for downgrade protection to be effective.

**Requirements:**

- Your IKEv2 initiator must support the `IKE_SA_INIT_FULL_TRANSCRIPT_AUTH` notification as defined in [draft-ietf-ipsecme-ikev2-downgrade-prevention](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-downgrade-prevention/).

### Troubleshooting

For help resolving tunnel issues:
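Review bot: if the explicit `{#downgrade-protection}` id suggested above is adopted, every link in this PR currently targets `#downgrade-protection-beta` (the changelog entry, the Cloudflare WAN paragraph and the PQC status table), so those links need updating in the same change or the old anchor breaks. In "How it works", "unconditionally includes" next to "When the feature flag is enabled" is confusing; say the notification is sent in every `IKE_SA_INIT` response regardless of what the initiator advertised. Because the notification is carried in the `IKE_SA_INIT` response, document whether tunnels that are already up pick it up at the next IKE SA rekey or only when a new IKE SA is established, and how an operator can confirm that full transcript authentication was negotiated; without that, a non-supporting initiator silently gets no protection and no signal that this is the case. The Requirements list has a single item; consider also listing the products the feature is available for (Cloudflare WAN and Magic Transit, per the changelog entry) here, so the reference section stands on its own.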