diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 8956bc8e0..86b7d64da 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1694,7 +1694,7 @@ sub generate_matrix() {
 add_jump( $sourcechainref,
 source_exclusion( $hostref->{exclusions}, $frwd_ref ),
- 1,
+ ! @{$zoneref->{parents}},
 join( '', $interfacematch , match_source_net( $net ), $ipsec_match ) );
 }
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index ebcd92365..de377eb39 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -16,6 +16,8 @@ Changes in Shorewall 4.4.1
 8) Fix log level in rules at the end of INPUT and OUTPUT chains.
+9) Fix nested ipsec zones.
+
 Changes in Shorewall 4.4.0
 1) Fix 'compile ... -' so that it no longer requires '-v-1'
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 0e5c6ac91..540694905 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -173,6 +173,8 @@ Shorewall 4.4.1
 rules at the end of the INPUT and OUTPUT chains would still use the LOG target rather than ULOG.
+2) Using CONTINUE policies with a nested IPSEC zone was broken.
+
 ----------------------------------------------------------------------------
 K N O W N P R O B L E M S R E M A I N I N G
 ----------------------------------------------------------------------------
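Review bot: The literal `1` is replaced by `! @{$zoneref->{parents}}` in the add_jump call with no comment saying why a nested zone must take the other path; if that third argument is add_jump's goto flag, as the call shape suggests, a later reader cannot tell that a plain jump is kept on purpose so control returns to the source chain and the parent zone's rules (the CONTINUE case the release notes name) are still evaluated. I would put `# Nested zones must jump rather than goto: control has to return so the parent zone's rules are still applied` on the line above the argument. The expression is also an rvalue dereference, so it dies under strict refs if any zone record lacks a `parents` array ref; that looks to be set for every zone elsewhere in the compiler but is worth confirming. generate_matrix starts and ends outside the hunk.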