Post-Quantum IPsec Gateway: Policy Decision Point

Quantum technologies are moving from theory to practice, promising significant advances in computation across science and industry. The same capabilities, however, undermine the cryptographic assumptions that underpin today’s secure communications. Public-key schemes such as Rivest-Shamir-Adleman (RSA) and Elliptic-Curve Cryptography (ECC), whose security relies on the hardness of integer factorisation and discrete logarithms, are susceptible to quantum algorithms that solve these problems efficiently. Anticipating this shift, the National Institute of Standards and Technology (NIST) has launched a post-quantum standardisation programme, culminating in the first FIPS for quantum-resistant primitives. In parallel, widely deployed security protocols are evolving: TLS at the application edge and IPsec at the network layer, with IKEv2 extensions enabling hybrid and post-quantum key establishment while preserving interoperability. Experience from early trials shows that migration cannot be reduced to a simple algorithm swap. Larger keys and payloads affect latency and device resources. New constructions introduce implementation subtleness and operational trade-offs. Secure deployment therefore demands governance mechanisms that can enforce cryptographic policy and sustain agility as standards mature. This thesis proposes a policy-driven gateway architecture that bridges legacy environments with post-quantum enabled networks. On one side the gateway terminates classical tunnels, on the other, it originates quantum-safe IPsec channels, translating traffic under centrally governed rules. Decision-making is delegated to an external Policy Decision Point built with Open Policy Agent, affording fine-grained control over permissible key-exchange, signature suites, certificate validation and context-aware access constraints. In such a rapidly evolving world, cryptographic agility is a strategic necessity. Systems must be sufficiently modular to rotate primitives without intrusive rewrites, with centrally defined rules selecting suites, key sizes and acceptable risk per peer, application, or segment. By externalising policy and coupling it with precise enforcement, the proposed gateway provides an agile, standards conformant path to post-quantum interoperability, delivering transparent and measurable protection during a period of rapid cryptographic transition.