Comment 2 for bug 1302949

Mantas Mikulėnas (grawity) wrote :

hipd.service and hipdnsproxy.service are trivial:

## hipd.service
[Unit]
Description=Host Identity Protocol IPsec Management Daemon

[Service]
Type=forking
Environment=HIPD_OPTS=-b
EnvironmentFile=-/etc/sysconfig/hipd
ExecStart=/usr/sbin/hipd $HIPD_OPTS

[Install]
WantedBy=multi-user.target
## EOF

## hipdnsproxy.service
[Unit]
Description=Host Identity Protocol DNS Proxy Daemon

[Service]
Type=forking
Environment=DNSPROXY_OPTS=-b
EnvironmentFile=-/etc/sysconfig/hipdnsproxy
ExecStart=/usr/sbin/hipdnsproxy $DNSPROXY_OPTS
## EOF

(For Debian, the only change is /etc/sysconfig → /etc/default. I'd really like to just put the options directly in ExecStart=, but, eh, compatibility.)

hipfw.service will need an additional script that clears the rules before killing the daemon, since there is currently no ExecStopPre= (a feature request could be made), so it has to go in ExecStop= instead.

## hipfw.service
[Unit]
Description=Host Identity Protocol Firewall Daemon

[Service]
Type=forking
Environment=HIPFW_OPTS=-blpF
EnvironmentFile=-/etc/sysconfig/hipfw
ExecStart=/usr/sbin/hipfw $HIPFW_OPTS
ExecStop=/usr/lib/hipl/flush-and-sigterm.sh
## EOF

## flush-and-sigterm.sh
#!/bin/sh
if [ "$MAINPID" ]; then
    iptables ...
    iptables ...
    iptables ...
    # use exactly 'kill $MAINPID', do not -9, do not read pidfiles,
    # DO NOT pkill, DO NOT killall – systemd will take care of it
    kill "$MAINPID"
else
    echo "error: \$MAINPID not set" >&2
    exit 1
fi
## EOF

Note: I used Type=forking and left the -b option enabled. You could remove both (the default is Type=simple, which expects the process to stay in the foreground), although the forking behaviour is probably more useful, as systemd knows when the service has finished initializing. (It would be nice to implement Type=notify, though.)
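Added example, not code from the bug report or from the HIPL project: a stop helper in the spirit of flush-and-sigterm.sh above. It validates the MAINPID systemd exports to ExecStop=, runs the cleanup commands given on its command line (the real hipfw iptables rules are not in the report, so passing them as arguments is an assumed placeholder), sends a single SIGTERM to the main PID only, and waits until the daemon is actually gone so ExecStop= does not return early.

```shell
#!/bin/sh
# Stop helper for an ExecStop= line. systemd sets MAINPID in the environment
# of ExecStop= commands; the firewall cleanup has to run before that process
# is signalled. Cleanup commands are taken from argv (assumed placeholder for
# the hipfw iptables rules, which the bug report does not spell out).

# pid_gone PID: true once PID no longer exists or is a zombie (Linux /proc).
pid_gone() {
    state=$(sed 's/.*) //; s/ .*//' "/proc/$1/stat" 2>/dev/null) || return 0
    [ -z "$state" ] || [ "$state" = Z ]
}

# stop_main_pid CLEANUP_CMD...
# Returns 0 once MAINPID has exited, 1 if MAINPID is unset, malformed,
# not a live process, or still alive after the grace period.
stop_main_pid() {
    if [ -z "$MAINPID" ]; then
        echo "error: \$MAINPID not set" >&2
        return 1
    fi
    # Accept only a plain positive integer, and never pid 0 or pid 1.
    case "$MAINPID" in
        ''|*[!0-9]*|0|1) echo "error: bad MAINPID '$MAINPID'" >&2; return 1 ;;
    esac
    if ! kill -0 "$MAINPID" 2>/dev/null; then
        echo "error: no process with pid $MAINPID" >&2
        return 1
    fi
    # Cleanup runs while the daemon is still alive and tracked by systemd.
    for cmd in "$@"; do
        sh -c "$cmd" || echo "warning: cleanup '$cmd' failed" >&2
    done
    # Exactly one SIGTERM to the main PID; systemd handles the rest of the cgroup.
    kill "$MAINPID"
    # Wait up to ~5 s so ExecStop= does not return before the daemon is gone.
    i=0
    until pid_gone "$MAINPID" || [ "$i" -ge 50 ]; do
        sleep 0.1
        i=$((i + 1))
    done
    pid_gone "$MAINPID"
}

# When invoked by systemd as ExecStop=, the cleanup commands come from argv.
if [ "$#" -gt 0 ]; then
    stop_main_pid "$@"
fi
```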