diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index d52c27f20..680053111 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -1075,9 +1075,9 @@ sub match_ipsec_in( $$ ) {
     my $optionsref = $zoneref->{options};
 
     if ( $zoneref->{type} eq 'ipsec4' ) {
-	$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
+	$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec} ";
     } elsif ( $capabilities{POLICY_MATCH} ) {
-	$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
+	$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec} ";
     } else {
 	'';
     }
@@ -1093,9 +1093,9 @@ sub match_ipsec_out( $$ ) {
     my $optionsref = $zoneref->{options};
 
     if ( $zoneref->{type} eq 'ipsec4' ) {
-	$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
+	$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec} ";
     } elsif ( $capabilities{POLICY_MATCH} ) {
-	$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
+	$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec} "
     } else {
 	'';
     }
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index c90ca2157..2871b929d 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -1429,7 +1429,7 @@ sub generate_matrix() {
 			for my $net ( @{$hostref->{hosts}} ) {
 			    add_rule
 				$filter_table->{forward_chain $interface} ,
-				match_source_net join( '', $net, $ipsec_match, "-j $frwd_ref->{name}" );
+				join( '', match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" );
 			}
 		    }
 		}