If you are planning to use this as a Gateway device, i.e PAT to Public IP for internal users, use the NAT mode. If you plan to use this behind an existing Firewall or gateway device, you can use the VPN concentrator mode, but NAT mode also works. I would recommend the NAT mode as most scenarios have the VPN concentrators as a routed hop between different internal and external zones. My Meraki device at home runs in NAT mode to build a Site to Site VPN to my HQ.