diff --git a/Shorewall/compiler b/Shorewall/compiler
index a6ff19410..d57f4eff8 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -2213,13 +2213,11 @@ setup_ipsec() {
 
     do_options() # $1 = _in, _out or "" - $2 = option list
     {
-	local option opts newoptions= val
+	local option newoptions= val
 
 	[ x${2} = x- ] && return
 
-	opts=$(separate_list $2)
-
-	for option in $opts; do
+	for option in $(separate_list $2); do
 	    val=${option#*=}
 
 	    case $option in
diff --git a/Shorewall/functions b/Shorewall/functions
index bf4d134a0..3c9544fa7 100644
--- a/Shorewall/functions
+++ b/Shorewall/functions
@@ -1219,7 +1219,7 @@ determine_capabilities() {
     qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT               && XMULTIPORT=Yes
     qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT     && POLICY_MATCH=Yes
 
-    if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then
+    if qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT; then
 	PHYSDEV_MATCH=Yes
 	qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth1 -m physdev --physdev-out eth1 -j ACCEPT && KLUDGEFREE=Yes
     fi