Little update:

I connected a notebook with an IP in the correct range directly to the "spare" (but already configered for use in another subnet) NIC on the DSS and succesfully received a ping reply.

I then tried to connect using "iscsicli qaddtargetportal <IP-address>, but still the result is "Authentication failure".

I don't think IP restrictions are the problem, since I've already tried to connect from within the range that the ESX machine is also in.
Nevertheless, just to get this straight: any IP restrictions on specific targets should NOT affect the targetportal on port 3260, should they?

Next step will be more close examination of the DSS logs, but for now I still have the d*** certificate issue...