
Traffic not passed to the local TCP/IP stack for ipsec tun made with ip xfrm over netns

1 vote
1 answer
35 views
I have a simple netns setup
ip netns del ns1
ip netns del ns2

ip netns add ns1
ip netns add ns2

ip link add veth1 type veth peer name veth2
ip link set veth1 netns ns1
ip link set veth2 netns ns2

ip netns exec ns1 ip addr add 10.1.1.1/24 dev veth1
ip netns exec ns2 ip addr add 10.1.1.2/24 dev veth2

ip netns exec ns1 ip addr add 10.1.2.1/24 dev veth1
ip netns exec ns2 ip addr add 10.1.2.2/24 dev veth2

ip netns exec ns1 ip link set veth1 up
ip netns exec ns2 ip link set veth2 up

ip netns exec ns1 ip link set lo up
ip netns exec ns2 ip link set lo up
I need to send ICMP requests/replies over an IPsec tunnel I create with netlink socket apis (or equivalently ip xfrm):
ns2                             || ns1
                                ||
             10.1.2.2 TUN end   || 10.1.2.1 TUN end
              |                 ||  |
10.1.1.2 ---> |=====================|----ICMP echo req----> 10.1.1.1
                                ||
                                ||
10.1.1.2

sudo ip netns exec ns1 tcpdump -nli veth1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on veth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:23:53.374316 IP 10.1.2.2 > 10.1.2.1: ESP(spi=0x00000001,seq=0x11), length 132
17:23:53.374316 IP 10.1.1.2 > 10.1.1.1: ICMP echo request, id 52684, seq 1, length 64
Unfortunately I can't see the ICMP echo reply, no matter what I do. I've also made the same attempts over TCP with netcat: again I see the incoming decoded SYN packet, but it is not propagated locally to the application's listening socket whatsoever. Can you help me figure out what might be going wrong? I've checked all the forwarding flags in proc in each of the two net namespaces and the default one; everything seems OK so far.

EDIT: With the command sudo ip netns exec ns1 ip xfrm monitor, for every packet sent I see the following:
Async event  (0x20)  timer expired 
	src 10.1.2.2 dst 10.1.2.1  reqid 0x1 protocol esp  SPI 0x1
The xfrm_lifetime_cfg is configured as follows for both the policy and the SA:
pol->lft.soft_byte_limit = XFRM_INF;
pol->lft.hard_byte_limit = XFRM_INF;
pol->lft.soft_packet_limit = XFRM_INF;
pol->lft.hard_packet_limit = XFRM_INF;
pol->lft.soft_add_expires_seconds = 0;
pol->lft.hard_add_expires_seconds = 0;
pol->lft.soft_use_expires_seconds = 0;
pol->lft.hard_use_expires_seconds = 0;

sa->lft.soft_byte_limit = XFRM_INF;
sa->lft.hard_byte_limit = XFRM_INF;
sa->lft.soft_packet_limit = XFRM_INF;
sa->lft.hard_packet_limit = XFRM_INF;
sa->lft.soft_add_expires_seconds = 0;
sa->lft.hard_add_expires_seconds = 0;
sa->lft.soft_use_expires_seconds = 0;
sa->lft.hard_use_expires_seconds = 0;
EDIT2: After trial and error, I managed to make it work by installing the policy with
sudo ip netns exec ns1 ip xfrm policy add dir in     src 10.1.1.2/32 dst 10.1.1.1/32     tmpl src 10.1.2.2 dst 10.1.2.1 proto esp mode tunnel reqid 1
The fun fact is that the resulting policy is IDENTICAL:
src 10.1.1.2/32 dst 10.1.1.1/32
        dir in priority 0 flag icmp
        tmpl src 10.1.2.2 dst 10.1.2.1
                proto esp reqid 1 mode tunnel
Asked by Riccardo Manfrin (111 rep)
Jun 16, 2025, 09:36 AM
Last activity: Jun 23, 2025, 08:34 PM
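As an added example (not part of the question above or of any answer to it), here is the equivalent of the poster's netlink setup done entirely with `ip xfrm` on the same netns/veth layout from the question: one ESP SA per direction installed in both namespaces, a `dir out` policy on the sender and the matching `dir in` policy on the receiver, followed by the checks a practitioner runs when the ESP packet is decrypted but the inner packet never reaches a socket. The SPIs, the reqid, the AES-GCM key material and the ping target are constructed lab values chosen for this example; a real tunnel negotiates its keys with IKE (strongSwan or similar) rather than carrying them in a script. The script defaults to DRY_RUN=1 and only prints the commands it would run; after the netns setup from the question, run it as root with `DRY_RUN=` to apply them.

```shell
#!/bin/sh
# Added example, not from the original post: two-namespace ESP tunnel
# built only with `ip xfrm`, on the ns1/ns2 veth layout of the question.
# Addresses follow the post; SPIs, reqid and keys are constructed lab values.
# DRY_RUN=1 (default) prints the commands; DRY_RUN= executes them (root).

DRY_RUN=${DRY_RUN-1}

# Outer (tunnel endpoint) and inner (protected) addresses, as in the post.
NS1_OUT=10.1.2.1; NS2_OUT=10.1.2.2
NS1_IN=10.1.1.1;  NS2_IN=10.1.1.2
REQID=1
SPI_2TO1=0x1001   # SA for ns2 -> ns1 traffic (constructed)
SPI_1TO2=0x1002   # SA for ns1 -> ns2 traffic (constructed)
# rfc4106(gcm(aes)) keymat = 16-byte AES-128 key + 4-byte salt (constructed,
# lab only; never hard-code keys outside a throwaway test namespace).
KEY_2TO1=0x00112233445566778899aabbccddeeff01020304
KEY_1TO2=0xffeeddccbbaa99887766554433221100a0b0c0d0

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Both SAs are installed in both namespaces: each side needs the outbound
# SA it encrypts with and the inbound SA it decrypts with.
add_states() {
    ns=$1
    run ip netns exec "$ns" ip xfrm state add src $NS2_OUT dst $NS1_OUT \
        proto esp spi $SPI_2TO1 reqid $REQID mode tunnel \
        aead 'rfc4106(gcm(aes))' $KEY_2TO1 128
    run ip netns exec "$ns" ip xfrm state add src $NS1_OUT dst $NS2_OUT \
        proto esp spi $SPI_1TO2 reqid $REQID mode tunnel \
        aead 'rfc4106(gcm(aes))' $KEY_1TO2 128
}

# Policies select the *inner* flow; the template names the *outer*
# endpoints and the reqid that ties it to the SA. The receiver needs a
# `dir in` policy for locally delivered traffic (a `dir fwd` policy is only
# needed when the decrypted packet is forwarded on). Without a matching
# `dir in` policy the decrypted packet is dropped after decapsulation.
add_policies() {
    ns=$1; my_in=$2; my_out=$3; peer_in=$4; peer_out=$5
    run ip netns exec "$ns" ip xfrm policy add dir out \
        src $my_in/32 dst $peer_in/32 \
        tmpl src $my_out dst $peer_out proto esp mode tunnel reqid $REQID
    run ip netns exec "$ns" ip xfrm policy add dir in \
        src $peer_in/32 dst $my_in/32 \
        tmpl src $peer_out dst $my_out proto esp mode tunnel reqid $REQID
}

setup_tunnel() {
    add_states ns1
    add_states ns2
    add_policies ns1 $NS1_IN $NS1_OUT $NS2_IN $NS2_OUT
    add_policies ns2 $NS2_IN $NS2_OUT $NS1_IN $NS1_OUT
}

# Post-setup checks: the ping must succeed, the inbound SA's packet counter
# must advance, the installed policies must show the expected templates,
# and the XfrmIn* error counters (CONFIG_XFRM_STATISTICS) must stay at 0.
verify_tunnel() {
    run ip netns exec ns2 ping -c 3 -W 1 $NS1_IN
    run ip netns exec ns1 ip -s xfrm state
    run ip netns exec ns1 ip xfrm policy
    run ip netns exec ns1 sh -c \
        'grep -E "XfrmIn(NoPols|TmplMismatch|NoStates)" /proc/net/xfrm_stat'
}

# Counts how many `ip xfrm <state|policy> add` commands setup_tunnel emits
# (dry run, in a subshell so DRY_RUN is not changed for the caller).
count_cmds() {
    ( DRY_RUN=1; setup_tunnel ) | grep -c "xfrm $1 add"
}

setup_tunnel
verify_tunnel
```

Reading the checks: `ip -s xfrm state` shows per-SA byte and packet counters, so the inbound SA in ns1 advancing while no reply leaves tells you decryption worked and the loss is after decapsulation. In `/proc/net/xfrm_stat`, `XfrmInNoPols` counts decrypted packets for which no inbound policy was found, and `XfrmInTmplMismatch` counts packets where a policy exists but its template does not match the SA the packet came through; `XfrmInNoStates` counts ESP packets with no matching SA at all.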