Index: sys/netipsec/ipsec.c
===================================================================
--- sys/netipsec/ipsec.c
+++ sys/netipsec/ipsec.c
@@ -666,10 +666,7 @@
 return (0);
 case IPSEC_CAP_OPERABLE:
 /* Do we have active security policies? */
- if (key_havesp(IPSEC_DIR_INBOUND) != 0 ||
- key_havesp(IPSEC_DIR_OUTBOUND) != 0)
- return (1);
- return (0);
+ return (key_havesp_any());
 };
 return (EOPNOTSUPP);
 }
@@ -835,10 +832,7 @@
 return (0);
 case IPSEC_CAP_OPERABLE:
 /* Do we have active security policies? */
- if (key_havesp(IPSEC_DIR_INBOUND) != 0 ||
- key_havesp(IPSEC_DIR_OUTBOUND) != 0)
- return (1);
- return (0);
+ return (key_havesp_any());
 };
 return (EOPNOTSUPP);
 }
Index: sys/netipsec/key.h
===================================================================
--- sys/netipsec/key.h
+++ sys/netipsec/key.h
@@ -56,6 +56,7 @@
 void key_freesp(struct secpolicy **);
 int key_spdacquire(struct secpolicy *);
 int key_havesp(u_int);
+int key_havesp_any(void);
 void key_bumpspgen(void);
 uint32_t key_getspgen(void);
 uint32_t key_newreqid(void);
Index: sys/netipsec/key.c
===================================================================
--- sys/netipsec/key.c
+++ sys/netipsec/key.c
@@ -804,8 +804,9 @@
 key_havesp(u_int dir)
 {
- return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ?
- TAILQ_FIRST(&V_sptree[dir]) != NULL : 1);
+ IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
+ ("invalid direction %u", dir));
+ return (TAILQ_FIRST(&V_sptree[dir]) != NULL);
 }
 /* %%% IPsec policy management */
Index: sys/netipsec/subr_ipsec.c
===================================================================
--- sys/netipsec/subr_ipsec.c
+++ sys/netipsec/subr_ipsec.c
@@ -401,8 +401,7 @@
 * call key_havesp() without additional synchronizations.
 */
 if (cap == IPSEC_CAP_OPERABLE)
- return (key_havesp(IPSEC_DIR_INBOUND) != 0 ||
- key_havesp(IPSEC_DIR_OUTBOUND) != 0);
+ return (key_havesp_any());
 return (ipsec_kmod_caps(sc, m, cap));
 }
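Review bot: The `IPSEC_CAP_OPERABLE` case in the first sys/netipsec/ipsec.c hunk (-666) now returns `key_havesp_any()` directly, but none of the hunks shown defines that function, so its contract cannot be checked here. The same applies to the second ipsec.c hunk (-835) and to the call in sys/netipsec/subr_ipsec.c. The removed code normalised the answer to exactly 1 or 0 and consulted both the inbound and the outbound policy list. Because this result decides whether IPsec is treated as operable, the definition should be confirmed to check both directions, and the new prototype in key.h should be documented, for example `/* Returns non-zero if any inbound or outbound security policy is installed. */`. The enclosing functions start outside these hunks.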
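Review bot: In key_havesp() in sys/netipsec/key.c, the new `IPSEC_ASSERT` is the only check left on `dir` before `V_sptree[dir]` is indexed. IPSEC_ASSERT expands to KASSERT, which is compiled out of kernels built without INVARIANTS, so on a production kernel an unexpected `dir` would index the array unchecked, where the removed code fell back to returning 1. Unless every caller is known to pass only the two direction constants, keep a runtime guard next to the assertion, e.g. `if (dir != IPSEC_DIR_INBOUND && dir != IPSEC_DIR_OUTBOUND) return (1);`. The function's return-type line lies outside the hunk.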
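Review bot: The context comment just above the changed return in sys/netipsec/subr_ipsec.c still reads `call key_havesp() without additional synchronizations`, but the new line calls key_havesp_any() instead. The comment is the only stated justification for calling into the key code without locking here, so it should name the function actually used: ` * call key_havesp_any() without additional synchronizations.`. The comment begins outside the hunk, so the rest of its wording could not be checked.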