`AES-GCM` algorithm family for `IPSEC` does not require authentication (i.e. hash) since authentication is part of the `GCM` scheme, however, when setting `set vpn ipsec ike ... proposal ...` or `set vpn ipsec esp ... proposal ...` and hash is not specified it defaults to `sha1` and added automatically. This is rather misleading.
A more appropriate solution would be is:
1) To not provide any default if hash is not specified.
2) Configuration validation should fail to commit if GCM mode (or any other authenticated algorithm) AND hash specified together. And the logic should be reversed for when CBC (or similar) algorithms are specified but no hash has been provided.