diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh
index c87b16c..522d2b8 100644
--- a/extras/ikev2setup.sh
+++ b/extras/ikev2setup.sh
@@ -73,42 +73,6 @@ check_os_type() {
 fi
 }
 
-check_utils_exist() {
- command -v certutil >/dev/null 2>&1 || exiterr "'certutil' not found. Abort."
- command -v pk12util >/dev/null 2>&1 || exiterr "'pk12util' not found. Abort."
-}
-
-check_container() {
- in_container=0
- export_dir=~/
- if grep -qs "hwdsl2" /opt/src/run.sh; then
- in_container=1
- export_dir="/etc/ipsec.d/"
- fi
-}
-
-check_ca_cert_exists() {
- if certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" >/dev/null 2>&1; then
- exiterr "Certificate 'IKEv2 VPN CA' already exists."
- fi
-}
-
-check_server_cert_exists() {
- if certutil -L -d sql:/etc/ipsec.d -n "$server_addr" >/dev/null 2>&1; then
- echo "Error: Certificate '$server_addr' already exists." >&2
- echo "Abort. No changes were made." >&2
- exit 1
- fi
-}
-
-check_client_cert_exists() {
- if certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
- echo "Error: Client '$client_name' already exists." >&2
- echo "Abort. No changes were made." >&2
- exit 1
- fi
-}
-
 check_swan_install() {
 ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
 swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux //' -e 's/Libreswan //' -e 's/ (netkey).*//')
@@ -139,6 +103,94 @@ EOF
 esac
 }
 
+check_utils_exist() {
+ command -v certutil >/dev/null 2>&1 || exiterr "'certutil' not found. Abort."
+ command -v pk12util >/dev/null 2>&1 || exiterr "'pk12util' not found. Abort."
+}
+
+check_container() {
+ in_container=0
+ export_dir=~/
+ if grep -qs "hwdsl2" /opt/src/run.sh; then
+ in_container=1
+ export_dir="/etc/ipsec.d/"
+ fi
+}
+
+show_usage() {
+ if [ -n "$1" ]; then
+ echo "Error: $1" >&2;
+ fi
+cat 1>&2 </dev/null 2>&1; then
+ exiterr "Invalid client name. Client '$client_name' already exists."
+ fi
+ fi
+ if [ "$export_client_using_defaults" = "1" ]; then
+ if ! grep -qs "conn ikev2-cp" /etc/ipsec.conf && [ ! -f /etc/ipsec.d/ikev2.conf ]; then
+ exiterr "You must first set up IKEv2 before exporting a client configuration."
+ fi
+ get_server_address
+ if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \
+ || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
+ || [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \
+ || ! certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
+ exiterr "Invalid client name, or client does not exist."
+ fi
+ fi
+}
+
+check_ca_cert_exists() {
+ if certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" >/dev/null 2>&1; then
+ exiterr "Certificate 'IKEv2 VPN CA' already exists."
+ fi
+}
+
+check_server_cert_exists() {
+ if certutil -L -d sql:/etc/ipsec.d -n "$server_addr" >/dev/null 2>&1; then
+ echo "Error: Certificate '$server_addr' already exists." >&2
+ echo "Abort. No changes were made." >&2
+ exit 1
+ fi
+}
+
+check_client_cert_exists() {
+ if certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
+ echo "Error: Client '$client_name' already exists." >&2
+ echo "Abort. No changes were made." >&2
+ exit 1
+ fi
+}
+
 check_swan_ver() {
 if [ "$in_container" = "0" ]; then
 swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverikev2?arch=$os_arch&ver=$swan_ver&auto=$use_defaults"
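Review bot: In `check_arguments`, the export branch spells out the full client-name rule inline (non-empty, at most 64 characters, only `[A-Za-z0-9_-]`, not `IKEv2 VPN CA`, not `$server_addr`), but for the add branch only the trailing `already exists` check is visible here, because the here-doc body after `cat 1>&2` in `show_usage` is missing in this rendering and hides the start of the function. Since `client_name` now arrives from argv and is later used in a file path (`$export_dir$client_name-$SYS_DT.p12`) and as a certutil nickname, please confirm the add branch applies the same allow-list before `create_client_cert` runs, and consider a shared `validate_client_name` helper so the two copies cannot drift. `show_usage` must also end with `exit 1`, since the `-h|--help` and `*` arms in `ikev2setup` call it without `shift` and would otherwise loop forever; its tail is not visible here. The `echo "Error: $1" >&2;` line carries a stray `;`.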
@@ -197,6 +249,14 @@ show_start_message() {
 bigecho "Starting IKEv2 setup in auto mode, using default options."
 }
 
+show_add_client_message() {
+ bigecho2 "Adding a new IKEv2 client '$client_name', using default options."
+}
+
+show_export_client_message() {
+ bigecho2 "Exporting existing IKEv2 client '$client_name', using default options."
+}
+
 get_server_ip() {
 echo "Trying to auto discover IP of this server..."
 public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
@@ -540,6 +600,8 @@ EOF
 
 install_base64_uuidgen() {
 if ! command -v base64 >/dev/null 2>&1 || ! command -v uuidgen >/dev/null 2>&1; then
+ bigecho "Installing required packages..."
+
 if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
 export DEBIAN_FRONTEND=noninteractive
 apt-get -yqq update || exiterr "'apt-get update' failed."
@@ -553,7 +615,6 @@ install_base64_uuidgen() {
 
 create_mobileconfig() {
 bigecho "Creating .mobileconfig for iOS and macOS..."
-install_base64_uuidgen
 [ -z "$server_addr" ] && get_server_address
 p12_base64=$(base64 -w 52 "$export_dir$client_name-$SYS_DT.p12")
@@ -719,7 +780,6 @@ EOF
 
 create_android_profile() {
 bigecho "Creating client profile for Android..."
-install_base64_uuidgen
 [ -z "$server_addr" ] && get_server_address
 p12_base64_oneline=$(base64 -w 52 "$export_dir$client_name-$SYS_DT.p12" | sed 's/$/\\n/' | tr -d '\n')
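Review bot: With `install_base64_uuidgen` removed from `create_mobileconfig`, the function now relies on its caller having installed `base64`; if it has not, `base64 -w 52` on the following line fails and `p12_base64` is empty, so the profile is written with an empty PKCS#12 payload instead of the script aborting. Check the encoding step explicitly, e.g. `p12_base64=$(base64 -w 52 "$export_dir$client_name-$SYS_DT.p12") || exiterr "Could not encode $client_name-$SYS_DT.p12."`. The same applies to `p12_base64_oneline` in `create_android_profile` in the next hunk, where the trailing `| sed | tr` stages would additionally mask a `base64` failure unless `pipefail` is set, so an `[ -n "$p12_base64_oneline" ] || exiterr ...` guard is the simpler check there. Both function bodies continue past the end of their hunks.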
@@ -1026,21 +1086,70 @@ print_ikev2_removed_message() {
 }
 
 ikev2setup() {
- case $1 in
- --auto)
- use_defaults=1
- ;;
- *)
- use_defaults=0
- ;;
- esac
-
 check_run_as_root
 check_os_type
 check_swan_install
 check_utils_exist
 check_container
 
+ use_defaults=0
+ add_client_using_defaults=0
+ export_client_using_defaults=0
+ while [ "$#" -gt 0 ]; do
+ case $1 in
+ --auto)
+ use_defaults=1
+ shift
+ ;;
+ --addclient)
+ add_client_using_defaults=1
+ client_name="$2"
+ shift
+ shift
+ ;;
+ --exportclient)
+ export_client_using_defaults=1
+ client_name="$2"
+ shift
+ shift
+ ;;
+ -h|--help)
+ show_usage
+ ;;
+ *)
+ show_usage "Unknown parameter: $1"
+ ;;
+ esac
+ done
+
+ check_arguments
+
+ if [ "$add_client_using_defaults" = "1" ]; then
+ show_add_client_message
+ client_validity=120
+ use_own_password=0
+ create_client_cert
+ export_p12_file
+ install_base64_uuidgen
+ create_mobileconfig
+ create_android_profile
+ print_client_added_message
+ print_client_info
+ exit 0
+ fi
+
+ if [ "$export_client_using_defaults" = "1" ]; then
+ show_export_client_message
+ use_own_password=0
+ export_p12_file
+ install_base64_uuidgen
+ create_mobileconfig
+ create_android_profile
+ print_client_exported_message
+ print_client_info
+ exit 0
+ fi
+
 if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then
 select_menu_option
 case $selected_option in
@@ -1050,6 +1159,7 @@ ikev2setup() {
 select_p12_password
 create_client_cert
 export_p12_file
+ install_base64_uuidgen
 create_mobileconfig
 create_android_profile
 print_client_added_message
@@ -1060,6 +1170,7 @@ ikev2setup() {
 enter_client_name_for_export
 select_p12_password
 export_p12_file
+ install_base64_uuidgen
 create_mobileconfig
 create_android_profile
 print_client_exported_message
@@ -1120,6 +1231,7 @@ ikev2setup() {
 create_server_cert
 create_client_cert
 export_p12_file
+ install_base64_uuidgen
 create_mobileconfig
 create_android_profile
 add_ikev2_connection
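Review bot: `--addclient` or `--exportclient` given as the last argument sets `client_name` to an empty string and then runs `shift` twice with only one parameter left, so the second `shift` returns non-zero (and aborts silently if the script runs under `set -e`) and parsing ends with an empty name; validate the value at parse time, e.g. `[ -n "$2" ] || show_usage "Missing client name for $1"` before the `client_name="$2"` assignment in both arms. The `-h|--help` and `*` arms do not `shift`, so the loop terminates only if `show_usage` exits; that function's body is cut off in the earlier hunk, so please confirm it ends with `exit 1`. Option parsing also runs after `check_run_as_root` and the other environment checks, which appears to mean `--help` requires root and an installed Libreswan; moving the `while` loop to the top of `ikev2setup` would let usage be printed first. `ikev2setup` continues past the end of this hunk.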