Configure a LAN-to-LAN IPSec tunnel between R2 and the VPN3000 concentrator.
The VPN3000 concentrator is behind R1. Configure the default route to R1.
Configure Loopback1 on R2 with 192.168.2.1/24.
The IPSec tunnel must protect traffic between the VPN3000 concentrator network 172.16.1.0/24 and the R2 network 172.16.2.0/24.
Configure preshared authentication with all other parameters as appropriate.
The tricky part is that the VPN3000 concentrator should not peer to R2 with IP address 220.127.116.11.
You need to configure bidirectional NAT on the PIX to translate R2's IP address 18.104.22.168 to an IP address in VLAN3:
pixfirewall(config)# show static
static (inside,outside) 22.214.171.124 10.1.1.1 netmask 255.255.255.255 ...
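
The R2 side of the tunnel described in the tasks above, as an added IOS configuration example that is not part of the original lab text. The peer address and key are placeholders, and the interface name, policy numbers, ACL number, object names and the AES/SHA/group 2 parameters are assumptions that must match what is configured on the concentrator.

```cisco
! Added example, not the lab's own solution.
! Assumptions: <CONCENTRATOR_PEER_IP> is the address at which R2 reaches the
! VPN3000 concentrator through the PIX translation, <PRESHARED_KEY> is the
! shared secret, FastEthernet0/0 is R2's interface facing the PIX.
!
! Phase 1: preshared-key authentication, as the task requires.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Bind the key to the single peer instead of a 0.0.0.0 wildcard.
crypto isakmp key <PRESHARED_KEY> address <CONCENTRATOR_PEER_IP>
!
! Phase 2: ESP with encryption and integrity.
crypto ipsec transform-set L2L-SET esp-aes esp-sha-hmac
!
! Crypto ACL: R2 network to concentrator network. The concentrator's
! local/remote network definition must be the exact mirror of this entry.
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
!
crypto map L2L-MAP 10 ipsec-isakmp
 set peer <CONCENTRATOR_PEER_IP>
 set transform-set L2L-SET
 match address 101
!
interface FastEthernet0/0
 crypto map L2L-MAP
```

After sending traffic between the two protected networks, `show crypto isakmp sa` and `show crypto ipsec sa` on R2 show whether phase 1 completed and whether the encaps/decaps counters increase for the 172.16.2.0/24 to 172.16.1.0/24 flow.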