diff --git a/run.sh b/run.sh
index 2049e9d3..9d2150bf 100755
--- a/run.sh
+++ b/run.sh
@@ -24,16 +24,17 @@ nospaces() { printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//
 onespace() { printf '%s' "$1" | tr -s ' '; }
 noquotes() { printf '%s' "$1" | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"; }
 noquotes2() { printf '%s' "$1" | sed -e 's/" "/ /g' -e "s/' '/ /g"; }
-check_cidr() {
-  CIDR_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(/(3[0-2]|[1-2][0-9]|[0-9]))$'
-  printf '%s' "$1" | tr -d '\n' | grep -Eq "$CIDR_REGEX"
-}
 
 check_ip() {
   IP_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
   printf '%s' "$1" | tr -d '\n' | grep -Eq "$IP_REGEX"
 }
 
+check_cidr() {
+  CIDR_REGEX='^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(/(3[0-2]|[1-2][0-9]|[0-9]))$'
+  printf '%s' "$1" | tr -d '\n' | grep -Eq "$CIDR_REGEX"
+}
+
 check_dns_name() {
   FQDN_REGEX='^([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'
   printf '%s' "$1" | tr -d '\n' | grep -Eq "$FQDN_REGEX"
@@ -137,10 +138,6 @@ if [ -n "$VPN_DNS_SRV1" ]; then
   VPN_DNS_SRV1=$(nospaces "$VPN_DNS_SRV1")
   VPN_DNS_SRV1=$(noquotes "$VPN_DNS_SRV1")
 fi
-if [ -n "$VPN_SPLIT_IKEV2" ]; then
-  VPN_SPLIT_IKEV2=$(nospaces "$VPN_SPLIT_IKEV2")
-  VPN_SPLIT_IKEV2=$(noquotes "$VPN_SPLIT_IKEV2")
-fi
 if [ -n "$VPN_DNS_SRV2" ]; then
   VPN_DNS_SRV2=$(nospaces "$VPN_DNS_SRV2")
   VPN_DNS_SRV2=$(noquotes "$VPN_DNS_SRV2")
@@ -169,6 +166,10 @@ if [ -n "$VPN_PROTECT_CONFIG" ]; then
   VPN_PROTECT_CONFIG=$(nospaces "$VPN_PROTECT_CONFIG")
   VPN_PROTECT_CONFIG=$(noquotes "$VPN_PROTECT_CONFIG")
 fi
+if [ -n "$VPN_SPLIT_IKEV2" ]; then
+  VPN_SPLIT_IKEV2=$(nospaces "$VPN_SPLIT_IKEV2")
+  VPN_SPLIT_IKEV2=$(noquotes "$VPN_SPLIT_IKEV2")
+fi
 if [ -n "$VPN_DISABLE_IPSEC_L2TP" ]; then
   VPN_DISABLE_IPSEC_L2TP=$(nospaces "$VPN_DISABLE_IPSEC_L2TP")
   VPN_DISABLE_IPSEC_L2TP=$(noquotes "$VPN_DISABLE_IPSEC_L2TP")
@@ -266,6 +267,15 @@ EOF
     VPN_DNS_NAME=""
   fi
 fi
+if [ -n "$VPN_SPLIT_IKEV2" ]; then
+  if ! check_cidr "$VPN_SPLIT_IKEV2"; then
+cat <<'EOF'
+
+Warning: Invalid split VPN subnet. Check VPN_SPLIT_IKEV2 in your 'env' file.
+EOF
+    VPN_SPLIT_IKEV2=""
+  fi
+fi
 
 if [ -n "$VPN_DNS_NAME" ]; then
   server_addr="$VPN_DNS_NAME"
@@ -675,19 +685,11 @@ ikev2_sh="/opt/src/ikev2.sh"
 ikev2_conf="/etc/ipsec.d/ikev2.conf"
 ikev2_log="/etc/ipsec.d/ikev2setup.log"
 if grep -q " /etc/ipsec.d " /proc/mounts && [ -s "$ikev2_sh" ] && [ ! -f "$ikev2_conf" ]; then
-if [ -n "$VPN_SPLIT_IKEV2" ]; then
-  if ! check_cidr "$VPN_SPLIT_IKEV2"; then
-  cat <<'EOF'
-
-Warning: Invalid split VPN subnet. Check VPN_SPLIT_IKEV2 in your 'env' file.
-EOF
-  else
-	sed -i "s|^  leftsubnet=.*|  leftsubnet=$VPN_SPLIT_IKEV2 |g" /opt/src/ikev2.sh
-  fi
-fi
-
   echo
   echo "Setting up IKEv2. This may take a few moments..."
+  if [ -n "$VPN_SPLIT_IKEV2" ]; then
+    sed -i "s|^  leftsubnet=0\.0\.0\.0/0$|  leftsubnet=$VPN_SPLIT_IKEV2|g" "$ikev2_sh"
+  fi
   if VPN_DNS_NAME="$VPN_DNS_NAME" VPN_PUBLIC_IP="$public_ip" \
     VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
     VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \