Existing IKEv2 implementations face critical deployment bottlenecks under quantum computing threats, primarily due to incompatibility with large public keys and signatures of standardized post-quantum cryptography (PQC). Method: This work introduces the first software-hardware co-designed, scalable quantum-safe IPsec measurement platform, integrating CRYSTALS-Kyber (KEM) and Dilithium (signature), a customized IKEv2 protocol stack, and multi-scenario network impairment injection capabilities. Evaluation is conducted across cloud-based virtual networks, SDR-based hardware loops, and the national-scale FABRIC testbed. Contribution/Results: Empirical results reveal that all IETF-standardized PQC-enabled IKEv2 variants fail to establish connections in >90% of cases under packet loss rates exceeding 5% or bandwidth below 1 Mbps—exposing a fundamental robustness gap in resource-constrained environments. These findings shift the design paradigm for quantum-safe protocols from theoretical standard compliance toward deployment resilience, providing critical empirical evidence and concrete optimization directions for lightweight quantum-safe key exchange mechanisms.

Within 1-2 decades, quantum computers are expected to obsolesce current public-key cryptography, driving authorities such as IETF and NIST to push for adopting quantum-resistant cryptography (QRC) in ecosystems like Internet Protocol Security (IPsec). However, IPsec struggles to adopt QRC, primarily due to the limited ability of Internet Key Exchange Protocol Version 2 (IKEv2), which establishes IPsec connections, to tolerate the large public keys and digital signatures of QRC. Many solutions (e.g., IETF RFCs) are proposed to integrate QRC into IKEv2, but remain largely untested in practice. In this paper, we measure the performance of these proposals over the Internet by designing and implementing a novel, scalable, and flexible testbed for quantum-resistant IPsec, and we expose the serious shortcomings of existing proposals for quantum-resistant IKEv2 when deployed in constrained (e.g., lossy, rate-limited) networks. Through experimental deployments ranging from cloud-based virtual networks to hardware-in-the-loop wireless links between software-defined radios, as well as deployment on the international FABRIC testbed for next-generation networks, we show that today's solutions for quantum-resistant IPsec are insufficient, necessitating development of better approaches.