This paper addresses the fundamental mismatch between pre-distributed key paradigms in quantum key distribution (QKD) and dynamic key exchange in IPsec—particularly IKEv2—highlighting latency bottlenecks imposed by RFC 9370’s mandatory serial QKD-PQC integration. Method: We propose the first parallel hybrid QKD-PQC architecture, featuring an identity-based quantum key coordination mechanism, a unified QKD-KEM abstraction layer supporting both stateful and stateless QKD APIs, and an extended IKEv2 protocol compliant with ETSI QKD API specifications. Contribution/Results: Our work achieves the first low-latency, coordinated scheduling of QKD and post-quantum cryptography (PQC) within IPsec. Experimental evaluation shows a 62% reduction in end-to-end latency compared to serial integration, minimal bandwidth overhead in pure-QKD mode, and practical deployment feasibility validated on IDQuantique hardware within a Docker-based testbed under real network conditions—delivering a deployable quantum-enhanced IPsec solution for critical infrastructure.

Quantum Key Distribution (QKD) offers information-theoretic security against quantum computing threats, but integrating QKD into existing security protocols remains an unsolved challenge due to fundamental mismatches between pre-distributed quantum keys and computational key exchange paradigms. This paper presents the first systematic comparison of sequential versus parallel hybrid QKD-PQC key establishment strategies for IPsec, revealing fundamental protocol design principles that extend beyond specific implementations. We introduce two novel approaches for incorporating QKD into Internet Key Exchange version 2 (IKEv2) with support for both ETSI GS QKD 004 stateful and ETSI GS QKD 014 stateless API specifications: (1) a pure QKD approach that replaces computational key derivation with identifier-based quantum key coordination, and (2) a unified QKD-KEM abstraction that enables parallel composition of quantum and post-quantum cryptographic methods within existing protocol frameworks. Our key insight is that parallel hybrid approaches eliminate the multiplicative latency penalties inherent in sequential methods mandated by RFC 9370, achieving significant performance improvements under realistic network conditions. Performance evaluation using a Docker-based testing framework with IDQuantique QKD hardware demonstrates that the parallel hybrid approach significantly outperforms sequential methods under network latency conditions, while pure QKD achieves minimal bandwidth overhead through identifier-based key coordination. Our implementations provide practical quantum-enhanced IPsec solutions suitable for critical infrastructure deployments requiring defense-in-depth security.