From the ipsec.conf manpage:
How much Pluto debugging output should be logged. An empty value, or the magic value none, means no debugging output (the default). The magic value all means full output. Otherwise only the specified types of output (a quoted list, names without the --debug- prefix, separated by white space) are enabled; for details on available debugging types, see ipsec_pluto(8).
From the ipsec_pluto manpage:
When pluto is invoked, it may be given arguments to specify which classes to output. The current options are: --debug-raw - show the raw bytes of messages --debug-crypt - show the encryption and decryption of messages --debug-parsing - show the structure of input messages --debug-emitting - show the structure of output messages --debug-control - show pluto's decision making --debug-klips - show pluto's interaction with KLIPS --debug-all - all of the above --debug-private - allow debugging output with private keys. --debug-none - none of the above
This implies that the plutodebug option can be given a space separated list of any combination of the following options (descriptions above):
raw crypt parsing emitting control klips all private none
