diff --git a/LrpN/etc/shorewall/masq b/LrpN/etc/shorewall/masq
index 0074c901a..34e81d93d 100644
--- a/LrpN/etc/shorewall/masq
+++ b/LrpN/etc/shorewall/masq
@@ -116,6 +116,10 @@
 # matches these options will have their source address
 # changed.
 #
+# Yes or yes -- must be the only option listed
+# and matches all outbound traffic that will be
+# encrypted.
+#
 # reqid= where is specified
 # using setkey(8) using the 'unique:
 # option for the SPD level.
diff --git a/LrpN/sbin/shorewall b/LrpN/sbin/shorewall
index 266d8be17..fd1d8ac0c 100755
--- a/LrpN/sbin/shorewall
+++ b/LrpN/sbin/shorewall
@@ -1018,6 +1018,13 @@ case "$1" in
 echo
 ip route ls table $table
 done
+
+ if qt which lsmod; then
+ echo
+ echo "Modules"
+ echo
+ lsmod | grep -E '^ip_|^ipt_'
+ fi
 ;;
 hits)
 [ -n "$debugging" ] && set -x
diff --git a/LrpN/usr/share/shorewall/firewall b/LrpN/usr/share/shorewall/firewall
index b3aaa719d..66cd438a1 100755
--- a/LrpN/usr/share/shorewall/firewall
+++ b/LrpN/usr/share/shorewall/firewall
@@ -2162,7 +2162,7 @@ setup_nat() {
 }
 do_one_nat() {
- local add_ip_aliases=$ADD_IP_ALIASES, iface=${interface%:*}
+ local add_ip_aliases=$ADD_IP_ALIASES iface=${interface%:*}
 if [ -n "$add_ip_aliases" ]; then
 case $interface in
@@ -4879,12 +4879,12 @@ get_routed_networks() # $1 = interface name
 setup_masq()
 {
 do_ipsec_options() {
- local options=$(separate_list $ipsec) option
- policy ="-m policy --pol ipsec --dir out"
+ local options="$(separate_list $ipsec)" option
+ policy="-m policy --pol ipsec --dir out"
- options=$(separate_list $options)
 for option in $options; do
 case $option in
+ [Yy]es) ;;
 strict) policy="$policy --strict" ;;
 next) policy="$policy --next" ;;
 reqid=*) policy="$policy --reqid ${option#*=}" ;;
@@ -4905,7 +4905,7 @@ setup_masq()
 }
 setup_one() {
- local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat= policy= destnets=
+ local add_snat_aliases=$ADD_SNAT_ALIASES pre_nat= policy= destnets=
 [ "x$ipsec" = x- ] && ipsec=
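Review bot: The module filter added to the status output in LrpN/sbin/shorewall, `grep -E '^ip_|^ipt_'`, does not match the table modules such as `iptable_filter` or `iptable_nat`, so the "Modules" section can look complete while leaving out the modules that hold the rule tables. Widening it to `lsmod | grep -E '^(ip_|ipt_|iptable_)'` keeps the listing useful when someone is checking whether the expected netfilter pieces are loaded. The enclosing case arm starts outside the hunk.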
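Review bot: The corrected `local` lines in do_one_nat and in setup_one (the @@ -4905 hunk) still assign unquoted expansions, while the do_ipsec_options hunk of this same commit quotes the value it assigns in `local`. Some `/bin/sh` implementations word-split the arguments of `local`, so a value containing whitespace would turn into extra variable names. For consistency I would write `local add_ip_aliases="$ADD_IP_ALIASES" iface="${interface%:*}"` and `local add_snat_aliases="$ADD_SNAT_ALIASES" pre_nat= policy= destnets=`. Both function bodies continue outside their hunks.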
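Review bot: The new `[Yy]es) ;;` arm in do_ipsec_options accepts `yes` at any position in the option list, whereas the masq documentation added by this commit says it "must be the only option listed". Unless the combination is rejected somewhere outside this hunk, an entry that mixes `yes` with other options is accepted silently and the other options are still appended to `policy`. I would make the arm enforce the documented rule, for example by guarding it with `[ "$ipsec" = "$option" ]` and raising the script's usual configuration error when the test fails. The rest of the case statement and the end of the function are outside the hunk.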
@@ -4921,7 +4921,11 @@ setup_masq()
 policy="-m policy --pol none --dir out"
 ;;
 *)
- [ -n "$ipsec" ] && do_ipsec_options || [ -n "$POLICY_MATCH" ] && policy="-m policy --pol none --dir out"
+ if [ -n "$ipsec" ]; then
+ do_ipsec_options
+ elif [ -n "$POLICY_MATCH" ]; then
+ policy="-m policy --pol none --dir out"
+ fi
 ;;
 esac
diff --git a/LrpN/usr/share/shorewall/version b/LrpN/usr/share/shorewall/version
index 89cc14980..d8044ac71 100644
--- a/LrpN/usr/share/shorewall/version
+++ b/LrpN/usr/share/shorewall/version
@@ -1 +1 @@
-2.2.0-RC3
+2.2.0-RC4
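Review bot: The new `if [ -n "$ipsec" ]` branch in setup_one calls do_ipsec_options without looking at POLICY_MATCH, while the `elif` branch only emits a `-m policy` match when POLICY_MATCH is set. do_ipsec_options, as shown in its own hunk, begins by setting `policy="-m policy --pol ipsec --dir out"`, so without policy match support the rule would presumably be refused by iptables later instead of being reported as a configuration error at this point. Unless that check already happens in the part of setup_one outside this hunk, I would test POLICY_MATCH before the call and stop with a clear message. The case statement begins outside the hunk.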