diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 9ed3c7798..aeb9cd213 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -737,15 +737,19 @@ sub cleanup() { unlink ( $perlscriptname ), $perlscriptname = undef if $perlscriptname; unlink ( @tempfiles ), @tempfiles = () if @tempfiles; # - # Delete termprary chains + # Delete temporary chains # if ( $sillyname ) { + # + # We went through determine_capabilities() + # qt1( "$iptables -F $sillyname" ); qt1( "$iptables -X $sillyname" ); qt1( "$iptables -F $sillyname1" ); qt1( "$iptables -X $sillyname1" ); qt1( "$iptables -t mangle -F $sillyname" ); qt1( "$iptables -t mangle -X $sillyname" ); + $sillyname = ''; } }
@@ -2072,11 +2076,16 @@ sub Nat_Enabled() { sub Persistent_Snat() { have_capability 'NAT_ENABLED' || return ''; + my $result = ''; + if ( qt1( "$iptables -t nat -N $sillyname" ) ) { - $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" ); + $result = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" ); qt1( "$iptables -t nat -F $sillyname" ); qt1( "$iptables -t nat -X $sillyname" ); + } + + $result; } sub Mangle_Enabled() {
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 8ad09c140..c34bb270c 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -402,6 +402,7 @@ sub process_zone( \$ ) { } if ( $type eq IPSEC ) { + require_capability 'POLICY_MATCH' , 'IPSEC zones', ''; for ( @parents ) { unless ( $zones{$_}{type} == IPSEC ) { set_super( $zones{$_} );
@@ -1215,6 +1216,7 @@ sub process_host( ) { for my $option ( @options ) { if ( $option eq 'ipsec' ) { + require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's'; $type = IPSEC; $zoneref->{options}{complex} = 1; $ipsec = 1;
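Review bot: In the Persistent_Snat() hunk of Config.pm, the probe no longer writes `$capabilities{PERSISTENT_SNAT}` and only returns `$result`, so the capability is recorded only if the caller stores the return value, and that caller is not part of this diff. If any call site still invokes it in void context, PERSISTENT_SNAT would silently stay unset, so it is worth confirming every caller. A header comment would make the new contract explicit, for example `# Returns true if SNAT --persistent is accepted; the caller stores the result in %capabilities`. Separately, the unchanged guard `have_capability 'NAT_ENABLED' || return '';` short-circuits only if have_capability is declared with a `($)` prototype; otherwise `||` binds to the string literal and the early return never runs, so writing `have_capability( 'NAT_ENABLED' ) || return '';` would remove that dependency.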
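Review bot: The POLICY_MATCH checks added in process_zone() and process_host() of Zones.pm replace the single check removed from validate_hosts_file(), but the removed line also assigned `$have_ipsec = $ipsec || haveipseczones` inside its `if` condition, and nothing in the new code sets `$have_ipsec`. If that variable is read elsewhere in the module (not visible in this diff), later IPSEC policy handling would see it unset even when ipsec zones or hosts are configured. Keeping the assignment as a plain statement after the `read_a_line` loop, `$have_ipsec = $ipsec || haveipseczones;`, would preserve the old behaviour while leaving the capability checks at the two new sites. Both enclosing functions continue outside their hunks.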
@@ -1274,8 +1276,6 @@ sub validate_hosts_file() $ipsec |= process_host while read_a_line; - require_capability( 'POLICY_MATCH', 'ipsec zones or hosts', '' ) if $have_ipsec = $ipsec || haveipseczones; - } #