diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index d0217723bca..94eb68658e3 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -666,10 +666,7 @@ ipsec4_capability(struct mbuf *m, u_int cap)
 		return (0);
 	case IPSEC_CAP_OPERABLE:
 		/* Do we have active security policies? */
-		if (key_havesp(IPSEC_DIR_INBOUND) != 0 ||
-		    key_havesp(IPSEC_DIR_OUTBOUND) != 0)
-			return (1);
-		return (0);
+		return (key_havesp_any());
 	};
 	return (EOPNOTSUPP);
 }
@@ -835,10 +832,7 @@ ipsec6_capability(struct mbuf *m, u_int cap)
 		return (0);
 	case IPSEC_CAP_OPERABLE:
 		/* Do we have active security policies? */
-		if (key_havesp(IPSEC_DIR_INBOUND) != 0 ||
-		    key_havesp(IPSEC_DIR_OUTBOUND) != 0)
-			return (1);
-		return (0);
+		return (key_havesp_any());
 	};
 	return (EOPNOTSUPP);
 }
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 093db4fb912..98bd97f465b 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -811,6 +811,13 @@ key_havesp(u_int dir)
 	return (TAILQ_FIRST(&V_sptree[dir]) != NULL);
 }
 
+int
+key_havesp_any(void)
+{
+
+	return (V_spd_size != 0);
+}
+
 /* %%% IPsec policy management */
 /*
  * Return current SPDB generation.
diff --git a/sys/netipsec/key.h b/sys/netipsec/key.h
index 4d0f4b1ea51..81e30ecdc01 100644
--- a/sys/netipsec/key.h
+++ b/sys/netipsec/key.h
@@ -56,6 +56,7 @@ void key_addref(struct secpolicy *);
 void key_freesp(struct secpolicy **);
 int key_spdacquire(struct secpolicy *);
 int key_havesp(u_int);
+int key_havesp_any(void);
 void key_bumpspgen(void);
 uint32_t key_getspgen(void);
 uint32_t key_newreqid(void);
diff --git a/sys/netipsec/subr_ipsec.c b/sys/netipsec/subr_ipsec.c
index 3eac9d6aaad..56ddf71ae87 100644
--- a/sys/netipsec/subr_ipsec.c
+++ b/sys/netipsec/subr_ipsec.c
@@ -401,8 +401,7 @@ ipsec_kmod_capability(struct ipsec_support * const sc, struct mbuf *m,
 	 * call key_havesp() without additional synchronizations.
 	 */
 	if (cap == IPSEC_CAP_OPERABLE)
-		return (key_havesp(IPSEC_DIR_INBOUND) != 0 ||
-		    key_havesp(IPSEC_DIR_OUTBOUND) != 0);
+		return (key_havesp_any());
 	return (ipsec_kmod_caps(sc, m, cap));
 }