diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index bba2bb1f9..171f51a50 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -376,6 +376,12 @@ sub process_zone( \$ ) {
 } else {
 fatal_error "Invalid zone type ($type)" ;
 }
+
+ if ( $type eq IPSEC ) {
+ for ( @parents ) {
+ fatal_error "Parent zone $_ is not an IPSEC Zone" unless $zones{$_}{type} eq IPSEC;
+ }
+ }
 for ( $options, $in_options, $out_options ) {
 $_ = '' if $_ eq '-';
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index a79a179be..93da0ad75 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -6,6 +6,8 @@ Changes in Shorewall 4.4.0-RC2
 3) Make 'any' a reserved zone name.
+4) Issue a warning if an ipsec zone is nested in a non-ipsec zone.
+
 Changes in Shorewall 4.4.0-RC1
 1) Delete duplicate Git macro.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 548104dcc..e75ec398f 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -121,6 +121,9 @@ Shorewall 4.4.0 RC2
 3) 'any' is now a reserved name. In RC1, 'any' could be defined as the name of a zone.
+4) Previously, an IPSEC zone could be defined as a sub-zone of a
+ non-IPSEC zone. This invalid definition is now flagged with an error.
+
 ----------------------------------------------------------------------------
 K N O W N P R O B L E M S R E M A I N I N G
 ----------------------------------------------------------------------------
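Review bot: In the Zones.pm hunk, the new `fatal_error "Parent zone $_ is not an IPSEC Zone"` names only the parent, so with several nested entries in the zones file the operator cannot tell from the message which sub-zone definition was rejected; naming the zone being defined as well would make the failure actionable, e.g. `fatal_error "Parent zone $_ of IPSEC zone $zone is not an IPSEC zone" unless $zones{$_}{type} eq IPSEC;` (assuming the zone name is held in `$zone`, which is assigned outside this hunk). The loop reads `$zones{$_}{type}` directly, so it depends on every entry of `@parents` having been checked as a defined zone earlier in process_zone, which starts and ends outside the visible lines; if that is not the case, an unknown parent would be reported with this message instead of an unknown-zone error. The changelog.txt entry added alongside calls this a warning, whereas the code and releasenotes.txt make it a fatal error, so the changelog wording should be brought in line.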