CentOS – Site-to-Site VPN Routing / Firewalld / Iptables Rules

I have a site-to-site tunnel configured successfully. I have problems with the local network of SITE1 accessing the local network of SITE2.

Hosts on LAN2 can ping the gateway on SITE1, while hosts on LAN1 can ping (and SSH to) the GW on LAN2. However, I cannot ping or SSH to hosts behind the GW.

IPv4 forwarding is enabled.

When I traceroute from a LAN1 host to a LAN2 host, the trace dies at the LAN2 gateway. This tells me that my routes are good at least as far as each GW, so what should I do on the LAN2 GW to allow ping and SSH through the tunnel?

The GW at LAN2 is CentOS 7 and here is the config:
ETH0 = LAN, firewall zone = INTERNAL
WLAN0 = WAN, firewall zone = external
TUN0 = tunnel, firewall zone = TUNNEL

How do I allow SSH from a LAN1 host, via the GW on LAN2, to a host on LAN2?

EDIT1: On the GW at SITE2, there is a route for LAN2 on ETH0 and one for LAN1 on TUN0.
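The part of this setup that the question does not show is what firewalld does with forwarded traffic: on CentOS 7, a packet arriving on tun0 and leaving on eth0 goes through the FORWARD chain, where firewalld's zone chains only accept what the zone explicitly allows, and everything else hits the final REJECT. The model below is an added example, not code from the original post. It parses an `iptables -S` dump and walks the FORWARD chain for a forwarded packet, so you can see the verdict for a new SSH connection before and after adding a direct rule. The dump is constructed and simplified from the chain layout firewalld 0.4 installs on CentOS 7 (recalled from memory, so compare it with the real `iptables -S` output on the gateway); the interface and zone names are the ones from the post, the LAN1/LAN2 addresses are assumptions. The `firewall-cmd --direct --add-rule` command in the comment is a real firewalld command; its rules land in the `FORWARD_direct` chain.

```python
"""Walk a firewalld-style iptables FORWARD chain for a forwarded packet.

Added example for the post above, not the poster's own code. SAMPLE_DUMP is a
constructed, simplified `iptables -S` dump in the shape firewalld 0.4 on
CentOS 7 installs (assumed; verify on the real gateway).
"""
import ipaddress
import shlex

# Constructed dump for the LAN2 gateway: eth0=internal, wlan0=external, tun0=TUNNEL.
SAMPLE_DUMP = """\
-P FORWARD ACCEPT
-N FORWARD_direct
-N FWDO_internal
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_IN_ZONES -i eth0 -g FWDI_internal
-A FORWARD_IN_ZONES -i tun0 -g FWDI_TUNNEL
-A FORWARD_IN_ZONES -i wlan0 -g FWDI_external
-A FORWARD_OUT_ZONES -o eth0 -g FWDO_internal
-A FWDI_internal -p icmp -j ACCEPT
-A FWDI_TUNNEL -p icmp -j ACCEPT
-A FWDI_external -p icmp -j ACCEPT
"""

# What `firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
#   -i tun0 -o eth0 -j ACCEPT` (plus the mirror rule, then --reload) installs.
DIRECT_FIX = """\
-A FORWARD_direct -i tun0 -o eth0 -j ACCEPT
-A FORWARD_direct -i eth0 -o tun0 -j ACCEPT
"""

_WITH_ARG = {"-i": "in", "-o": "out", "-p": "proto", "-s": "src", "-d": "dst",
             "--ctstate": "ctstate", "--dport": "dport", "--sport": "sport"}
_TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(argv):
    """Turn the tokens after `-A <chain>` into a match dict plus target."""
    rule = {"target": None, "goto": False}
    it = iter(argv)
    for tok in it:
        if tok in _WITH_ARG:
            rule[_WITH_ARG[tok]] = next(it)
        elif tok in ("-m", "--reject-with"):
            next(it)  # module name / reject type: no effect on the verdict
        elif tok in ("-j", "-g"):
            rule["target"], rule["goto"] = next(it), tok == "-g"
        else:
            raise ValueError("option not modelled: " + tok)
    return rule


def parse_dump(dump):
    """Parse `iptables -S` output into ({chain: [rules]}, {chain: policy})."""
    chains, policies = {}, {}
    for line in dump.splitlines():
        argv = shlex.split(line)
        if not argv:
            continue
        if argv[0] == "-P":
            policies[argv[1]] = argv[2]
        elif argv[0] == "-N":
            chains.setdefault(argv[1], [])
        elif argv[0] == "-A":
            chains.setdefault(argv[1], []).append(parse_rule(argv[2:]))
    return chains, policies


def matches(rule, pkt):
    for key in ("in", "out", "proto", "dport", "sport"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "ctstate" in rule and pkt.get("ctstate") not in rule["ctstate"].split(","):
        return False
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in \
                ipaddress.ip_network(rule[key], strict=False):
            return False
    return True


def walk(chains, chain, pkt):
    """Verdict of `chain`, or None when the chain falls off its end (RETURN)."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in _TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target in chains:
            sub = walk(chains, target, pkt)
            if sub is not None:
                return sub
            if rule["goto"]:  # -g: the callee's RETURN also returns from this chain
                return None
        # anything else (LOG, MASQUERADE, ...) is non-terminal: keep going
    return None


def forward_verdict(dump, pkt):
    chains, policies = parse_dump(dump)
    verdict = walk(chains, "FORWARD", pkt)
    return verdict if verdict is not None else policies.get("FORWARD", "ACCEPT")


# Assumed addressing: LAN1 = 192.168.1.0/24 behind tun0, LAN2 = 192.168.2.0/24 on eth0.
SSH_FROM_LAN1 = {"in": "tun0", "out": "eth0", "proto": "tcp", "dport": "22",
                 "src": "192.168.1.10", "dst": "192.168.2.20", "ctstate": "NEW"}
PING_FROM_LAN1 = dict(SSH_FROM_LAN1, proto="icmp", dport=None)
SSH_FROM_LAN2 = {"in": "eth0", "out": "tun0", "proto": "tcp", "dport": "22",
                 "src": "192.168.2.20", "dst": "192.168.1.10", "ctstate": "NEW"}

if __name__ == "__main__":
    for name, pkt in [("ssh LAN1->LAN2", SSH_FROM_LAN1), ("ping LAN1->LAN2", PING_FROM_LAN1),
                      ("ssh LAN2->LAN1", SSH_FROM_LAN2)]:
        print(f"{name:15} before: {forward_verdict(SAMPLE_DUMP, pkt):7} "
              f"after: {forward_verdict(SAMPLE_DUMP + DIRECT_FIX, pkt)}")
```

Two things follow from the walk. First, the zone chains never accept a new TCP connection between zones, so without the direct rules (or a zone whose target is ACCEPT) the SSH SYN is rejected on the gateway itself; the direct rule is consulted in `FORWARD_direct` before the zone chains, which is why it works, and it can be narrowed with `-s`/`-d` to the two LAN prefixes. Second, under this model ICMP from tun0 is already accepted by the zone chain, so if ping to LAN2 hosts also fails, look beyond the firewall: run `tcpdump -ni eth0 icmp` on the gateway while pinging, and check that the LAN2 hosts have a route back to LAN1 via the gateway (`ip route get 192.168.1.10` on a LAN2 host); a reply sent to the host's default gateway instead of the VPN gateway looks exactly like a dead trace at the gateway.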