I have a road-warrior IKEv2 setup and it works flawlessly. Except that Unbound will answer DNS queries over IPv6 and UDP. All other combinations work (TCP over v4/v6, UDP over v4). All firewall rules are open in the IPSec interface. Could it be possible the unbound does some filtering and does not reply, or that some reverse routing for UDP is broken?
ICMPv6 pings work fine from the clients to the DNS server interface.
Found the culprit: There was a blackhole /56 route that matched the /64 of the VPN IPs. Apparently when a blackhole route exists, the traffic selector does not have the chance to match the traffic.
Deleting the blackhole route fixed the issue. Is this a known thing?