diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index b6b100fc2..fa643b70b 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1680,7 +1680,11 @@ setup_ipsec() {
 ;;
 esac
 done
- eval ${zone}_ipsec_options=\"${newoptions# }\"
+
+ if [ -n "$newoptions" ]; then
+ eval ${zone}_is_complex=Yes
+ eval ${zone}_ipsec_options=\"${newoptions# }\"
+ fi
 }
 strip_file ipsec $1
@@ -1688,6 +1692,8 @@ setup_ipsec() {
 while read zone ipsec options; do
 expandv zone ipsec options
+ [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
+
 validate_zone1 $zone || fatal_error "Unknown zone: $zone"
 case $ipsec in
@@ -1695,6 +1701,7 @@ setup_ipsec() {
 ;;
 Yes|yes)
 eval ${zone}_is_ipsec=Yes
+ eval ${zone}_is_complex=Yes
 ;;
 *)
 fatal_error "Invalid IPSEC column value: $ipsec"
diff --git a/Shorewall2/ipsec b/Shorewall2/ipsec
index 2b290e91f..9413de096 100644
--- a/Shorewall2/ipsec
+++ b/Shorewall2/ipsec
@@ -21,7 +21,7 @@
 # option for the SPD level.
 #
 # spi= where is the SPI of
-# the SA.
+# the SA used to encrypt/decrypt packets.
 #
 # proto=ah|esp|ipcomp
 #
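Review bot: In the first hunk of Shorewall2/firewall (`@@ -1680,7 +1680,11 @@`), the re-added `eval ${zone}_ipsec_options=\"${newoptions# }\"` expands `newoptions` before eval runs, so the value is parsed a second time and any `$`, backquote or double quote in it would be interpreted as shell syntax. Deferring the expansion into the eval pass avoids that: `eval "${zone}_ipsec_options=\"\${newoptions# }\""`. Whether such characters can reach `newoptions` depends on the option-parsing loop that ends just above the hunk and is not visible here, so this is hardening rather than a confirmed defect. The enclosing function starts outside the hunk.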
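Review bot: The `POLICY_MATCH` guard added in the `@@ -1688,6 +1692,8 @@` hunk sits inside the `while read` loop with no comment, so it reads like a loop-invariant test that a later cleanup might hoist above the loop. If the placement is deliberate, presumably so that an ipsec file with no entries does not abort on kernels without policy match, a comment would record that, e.g. `# Checked per entry: only fail when the ipsec file actually defines a zone`. The loop body continues outside the hunk.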
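Review bot: `${zone}_is_complex` is introduced in the `@@ -1695,6 +1701,7 @@` hunk, and in the first hunk when `newoptions` is non-empty, without any comment saying what the flag means or which code reads it. A one-line comment at one of the two assignments would help, for example `# Zone cannot be matched by interface alone; rule generation must use policy match`, if that is the intent; the consumers of the flag are not visible in this diff. The `case` statement continues outside the hunk.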