This study addresses the post-quantum security challenges facing O-RAN under the threat of quantum computing, particularly the vulnerability of the E2 interface to “harvest now, decrypt later” attacks. For the first time, it empirically evaluates the feasibility of integrating the NIST-standardized ML-KEM (CRYSTALS-Kyber) into IPsec within a real-world O-RAN testbed. Leveraging an open-source platform built on srsRAN, Open5GS, FlexRIC, and strongSwan enhanced with liboqs, the authors implement ML-KEM-based key encapsulation via IKEv2/IPsec and compare three configurations: no IPsec, classical ECDH, and ML-KEM. Experimental results demonstrate that ML-KEM introduces only a 3–5 ms overhead in tunnel establishment latency while maintaining stable xApp execution and RIC control loop performance, thereby validating its practical deployability in O-RAN and providing critical empirical evidence for post-quantum security migration.

As Open Radio Access Network (O-RAN) deployments expand and adversaries adopt'store-now, decrypt-later'strategies, operators need empirical data on the cost of migrating critical control interfaces to post-quantum cryptography (PQC). This paper experimentally evaluates the impact of integrating a NIST-aligned module-lattice KEM (ML-KEM, CRYSTALS-Kyber) into IKEv2/IPsec protecting the E2 interface between the 5G Node B (gNB) and the Near-Real-Time RAN Intelligent Controller (Near-RT RIC). Using an open-source testbed built from srsRAN, Open5GS, FlexRIC and strongSwan (with liboqs), we compare three configurations: no IPsec, classical ECDH-based IPsec, and ML-KEM-based IPsec. The study focuses on IPsec tunnel-setup latency and the runtime behaviour of Near-RT RIC xApps under realistic signalling workloads. Results from repeated, automated runs show that ML-KEM integration adds a small overhead to tunnel establishment, which is approximately 3~5 ms in comparison to classical IPsec, while xApp operation and RIC control loops remain stable in our experiments. These findings indicate that ML-KEM based IPsec on the E2 interface is practically feasible and inform quantum-safe migration strategies for O-RAN deployments.